[putty&ssh] Who is really good & expert in ssh https tunnelling and firewalling ?
and of great kindness for helping to understand tunneling and make it work...
Ok, so the target is to reach a ssh server listening via port 8080 from a distant pc through a firewall allowing internet surfing.
WINDOWS_PC1(IP1) & LINUX_PC2(IP2) wanna communicate
ping www.google.be (works)
iexplore www.google.com (works)
(I guess there is no proxy)
(port 22 closed and I guess all of them except 8080)
ping IP2 gives host not found
ssh IP2 gives nothing
WINDOWS_PC1 port 8080 (open)====> NAT1_firewalling====> NAT2_firewalling ..... ===> encryption ===> and finally the World Wide Web INTERNET (whaoo) ====> LINUX_PC2 (open ports)
How to configure PuTTY in detail, because I understand anything?
I put in tunnelling IP2:8080
tried too IP1:8080 too
I put in tunnelling IP2:22
tried too IP1:22 too
I put in tunnelling IP2:2222
tried too IP1:2222 too
and nothing worked
the log of putty said that IP1 is blocked at 80, 22, 8080 to reach IP2 (it blocked in nat1 or nat2 ...)
So, the idea is to pass by 8080 and to configure sshd to listen on one port. sshd is listening via ssh.config but should something else be installed?
Is it obliged that linuxboxIP2_pc2 listen on 80 or 8080 ? that is not secure to make it listen ssh on 8080 or to open the port for this one ?
You can Private message me, if you want too for going further in this interesting topic.
Please if you know, please, could you reply quite low level, noob targeted to make sure we can understand howto...
Thank you very much for sharing your experience !
I don't understand your objective. If you want to access port 8080 as ssh
on the remote Linux box you'll have to use 8080 to listen on on that target
machine. And what makes you think that using ssh encryption only kicks in
once you're past firewall 2?
so so, it should be hence:
IP1 port 8080 <---------> IP2 port 8080 possible, and this
IP1 port 8080 <---------> IP2 port 22 is not possible, right ?
thank you for your great help replying !!
I'm equally confused? Your linux box has to be set to listen on port 8080 for SSH before it would work.
so, the sshd should be configured so that sshd.conf listens on port 80. That's done now. (Is it secured? It means that I have to open this port on my IP2 side router, damn that I don't like doing this to leave this open gate open) (is it right ?) (how about security on this side IP2 listening port 80 ?)
What should I do now from the putty software side (IP1)?
Thank you for replying, for your great support!
Of course you would need to open a port for something to work as a server. SSH would need to listen to port 8080 and then you set putty to use port 8080 to send data. The server will use another high level port to send data back. The ssh encryption is always on. I apologize if I'm confused, I don't know much about tunneling.
I could read that maybe there is a way to do IP1_PC1 8080 to port ip2_pc2 port 22 ... I don't know... maybe...
How difficult it is ...
The router that your remote Linux host uses should be set to forward port 8080 to the linux host.
Make sure that you read the sshd_config man page. Disable root logins ("PermitRootLogin No") and if you are the only person who logs in remotely to this host, then use the line: "AllowUsers <your user name>" in /etc/sshd_config. This will disallow logins from all other username attempts. Given that you are using a non-standard port for ssh, you will probably have fewer ssh brute force attacks from script kiddies. And if your username is unique, they may never even try it.
This is a much easier way of locking down ssh than having to explicitly disallow each system user.
I would also recommend installing Cygwin/X. It will give you all your favorite *nix utilities such as grep, sed, awk, and even tex and latex if you install it. It does wonders for me at work. I am able to produce pdf catalogs of dvd backups with a 3 line script. This will also give you ssh, and you can use "ssh -X username@remotehost" to log into to your linux machine and run gui programs like konqueror as well. You could even be logged in to two or more remote machines at a time. This is a handy way to compare two linux machines remotely using one as a model.
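The sshd_config advice in the post above (non-standard port, root logins disabled, AllowUsers), as an added example that is not part of the original thread: a small shell audit of a config file. The user name `alice` and the sample file are constructed, and the function names are hypothetical; the location of the real file varies by system.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config file.
# Simplifications: Include files are not followed, Match blocks are not evaluated.

# global_values FILE KEYWORD
# Print every argument given to KEYWORD before the first Match line.
# Keywords are case-insensitive in sshd_config.
global_values() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { exit }   # conditional blocks start here
        tolower($1) == want    { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# audit_sshd_config FILE EXPECTED_PORT
# Returns 0 if the three settings from the post are in place, 1 otherwise.
audit_sshd_config() {
    file=$1 want_port=$2 rc=0
    # Port and AllowUsers may appear several times; all occurrences apply.
    ports=$(global_values "$file" Port | tr '\n' ' ')
    users=$(global_values "$file" AllowUsers | tr '\n' ' ')
    # For PermitRootLogin sshd keeps the first value it reads.
    root=$(global_values "$file" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')

    case " ${ports:-22 }" in
        *" $want_port "*) ;;
        *) echo "FAIL: sshd listens on ${ports:-22 (default)}, not $want_port"; rc=1 ;;
    esac
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin is '${root:-unset}', expected no"; rc=1; }
    [ -n "$users" ] || { echo "FAIL: AllowUsers is not set, any account may try to log in"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: Port=$ports PermitRootLogin=$root AllowUsers=$users"
    return "$rc"
}

# Constructed sample: the settings from the post, with a hypothetical user name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not a real host's configuration
Port 8080
PermitRootLogin No
AllowUsers alice
EOF
audit_sshd_config "$sample" 8080
```

On the server itself, `sshd -T` prints the effective configuration as sshd parsed it and is the authoritative check.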
I have a lot of questions.
I used ssh -X sometimes, it's really cool. But for far, it's slow. I heard about NX something.
Concerning the stuff in sshd config, sounds fine for the security. But that's annoying to open this port 80 really. Isn't it possible to target from my IP2_8080 to port IP1_22 directly (for instance)? I would rather open the 22 than the 80 because in case I wanna surf with this machine you know. It is better to have a stealth nflank or gmc detection you know.
thank you !
Besides, concerning now the putty, how/what should I fill in into the part hostname & tunneling ?
I am not sure of the ports and IP ...
You keep changing from port 8080 to port 80. 8080 is http-alt. They are different ports. The port has to be 80 or 8080 because that is what will get through the firewall which you don't control. It may be possible for your remote router to convert 8080 to 22 as a part of the router's port forwarding process. But you will need 80 or 8080 open on the router. Does the local firewall allow both ports 8080 and port 80 through?
Since you don't control the local firewall, you are limited in your options. Otherwise you could pick whatever port you wanted to use.
I have rarely used putty, so the best I can offer is rtfm advice there. Except for a tickling technique that I read about to bring a port out of stealth mode temporarily if the attempt was from a known address, I don't know how you can be totally stealthed and still offer a service. If any port is open, then your IP address is known, however the number of script kiddy attacks which only look for port 22 will be avoided. This reduces the noise level.
Also, port 80 is the port that a web server uses. If you don't offer a web server to the internet, then you can use port 80. Again, your initial message used port 8080 instead. I believe that is the port that the https protocol uses.
When you browse, you are trying to reach someone else's port 80. The response comes back to a different port above port 1023. So web browsing from the remote machine doesn't need port 80.
Backing up a bit, I have assumed that the remote machine is behind a NAT router. This assumption may be wrong.
I don't know what nflank is. When I used google, the response was about rabbit peptides.
I think that you may be thinking about this from a client only perspective. But when you receive calls from the internet ( your work to home connection ) you are offering a service. When using the computer at home, you can shut down the ssh service and only bring it up and open the port when you expect to connect from work.
Your original assumption that because you can ping google that a proxy isn't used may also be wrong. Does the ip address in the from header match Google's public ip address(es)? Even then, a transparent proxy might spoof the ip from address. Corporate computers may even proxy web ssl traffic by setting up the hosts with a local certificate. This means that even secure traffic may be unencrypted inside the proxy. You can tell by examining the certificate that seems to come from the web site. If it is local, then never order something for yourself online from work where you need to enter your own credit card number. A dishonest IT person at the company may be able to extract your credit card information. There was a case in the news of a CEO who did just that. He had the employees' SSNs of course. He also stole their credit card numbers from when they ordered things online.
Lastly, there is a reason that your company controls the traffic to the internet. While the use of ssh tunneling might increase your own security, it is also a way to bypass the security that your company's firewall offers. This may be against company policy. The consequences of doing that may be more than you want to risk.
Port 8080 is often used as a web proxy port, such as an ISP's web proxy service. If port 8080 is the only open port, you are probably browsing the web through a proxy.
It took me some time to read it. The knowledge of knowing that it exists and how it works is quite formative.
I know now how to set up this linux box IP2 to listen to 8080 and, as you said and that I follow, it is better to avoid using different gates and to make use of tunneling.
Thank you Schiwal!