LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 11-29-2006, 11:07 AM   #1
Xeratul
Senior Member
 
Registered: Jun 2006
Location: Debian Land
Posts: 1,337

Rep: Reputation: 83
[putty&ssh] Who is really good & expert in ssh https tunnelling and firewalling ?


and of great kindness for helping to understand tunneling and make it work...

Ok, so the target is to reach a ssh server listening via port 8080 from a distant pc through a firewall allowing internet surfing.

Situation:
WINDOWS_PC1(IP1) & LINUX_PC2(IP2) wanna communicate

Status WINDOWS_PC1
cmd
ping www.google.be (works)
iexplore www.google.com (works)
(I guess there is no proxy)
(port 22 closed and I guess all of them except 8080)
ping IP2 gives host not found
ssh IP2 gives nothing

Schematic:
WINDOWS_PC1 port 8080 (open)====> NAT1_firewalling====> NAT2_firewalling ..... ===> encryption ===> and finally the World Wide Web INTERNET (whaoo) ====> LINUX_PC2 (open ports)


===============

How to configure PUTTY in details, because I understand anythg?

I put in tunnelling IP2:8080
tried too IP1:8080 too
I put in tunnelling IP2:22
tried too IP1:22 too
I put in tunnelling IP2:2222
tried too IP1:2222 too
and nothing worked

the log of putty said that IP1 is blocked at 80, 22, 8080 to reach IP2 (it blocked in nat1 or nat2 ...)

So, the idea is to pass by 8080 and to configure sshd to listen on one port. sshd is listening via ssh.config but should somehting else be installed.

Is it obliged that linuxboxIP2_pc2 listen on 80 or 8080 ? that is not secure to make it listen ssh on 8080 or to open the port for this one ?


You can Private message me, if you want too for going further in this interesting topic.


Please if you know, please, could you reply quite low level, noob targeted to make sure we can understand howto...


Thank you very much for sharing your experience !
 
Old 11-29-2006, 11:23 AM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 22,978
Blog Entries: 11

Rep: Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879Reputation: 879
I don't understand your objective. If you want to access port 8080 as ssh
on the remote Linux box you'll have to use 8080 to listen on on that target
machine. And what makes you think that using ssh encryption only kicks in
once you're past firewall 2?


Cheers,
Tink
 
Old 11-29-2006, 11:26 AM   #3
Xeratul
Senior Member
 
Registered: Jun 2006
Location: Debian Land
Posts: 1,337

Original Poster
Rep: Reputation: 83
Quote:
Originally Posted by Tinkster
I don't understand your objective. If you want to access port 8080 as ssh
on the remote Linux box you'll have to use 8080 to listen on on that target
machine. And what makes you think that using ssh encryption only kicks in
once you're past firewall 2?


Cheers,
Tink
actually log ssh putty tunneling blocked on one ip i guess from nat

so so, it shoudl be hence:

IP1 port 8080 <---------> IP2 port 8080 possible, and this
IP1 port 8080 <---------> IP2 port 22 is not possible, right ?

thank you for your great help replying !!
 
Old 11-29-2006, 12:59 PM   #4
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: LFS-Version SVN-20091202, Arch 2009.08
Posts: 1,485

Rep: Reputation: 66
Im equally confused? Your linux box has to be set to listen on port 8080 for SSH before it would work.
 
Old 11-29-2006, 01:29 PM   #5
Xeratul
Senior Member
 
Registered: Jun 2006
Location: Debian Land
Posts: 1,337

Original Poster
Rep: Reputation: 83
Quote:
Originally Posted by exvor
Im equally confused? Your linux box has to be set to listen on port 8080 for SSH before it would work.
Ahhhh; I thought it was possible to send the IP1 from port 8080 to port 22 directly via tunneling; So, first progress, 8080 to 8080 has to be the way;

so, the sshd should be configure so that sshd.conf listen on port 80. Thats done now. (Is it secured? It means that I have to open this port on my IP2 side routeur, damn that I dont like doing this to leave this open gate open) (is it right ?) (how about security on this side IP2 listening port 80 ?)


What should I do now from the putty software side (IP1)?

Thank you for replyingi for your great support !
 
Old 11-29-2006, 01:44 PM   #6
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: LFS-Version SVN-20091202, Arch 2009.08
Posts: 1,485

Rep: Reputation: 66
?
Of course you would need to open a port for something to work as a server. SSH would need to listen to port 8080 and then you set putty to use port 8080 to send data. the server will use another high level port to send data back. The ssh encryption is always on. I apologize if im confused I dont know much about tunneling.
 
Old 11-30-2006, 04:22 AM   #7
Xeratul
Senior Member
 
Registered: Jun 2006
Location: Debian Land
Posts: 1,337

Original Poster
Rep: Reputation: 83
Quote:
Originally Posted by exvor
?
Of course you would need to open a port for something to work as a server. SSH would need to listen to port 8080 and then you set putty to use port 8080 to send data. the server will use another high level port to send data back. The ssh encryption is always on. I apologize if im confused I dont know much about tunneling.
That's means I will have to open the port 80 on the IP2 router. I dont like that much. Not good for the se
I could read that maybe there is a way to do IP1_PC1 8080 to port ip2_pc2 port 22 ... I dont knonw... maybe...

How difficult it is ...
 
Old 11-30-2006, 05:03 AM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
The router that your remote Linux host uses should be set to forward port 8080 to the linux host.

Make sure that you read the sshd_config man page. Disable root logins ("PermitRootLogin No") and if you are the only person who logs in remotely to this host, then use the line: "AllowUsers <your user name>" in /etc/sshd_config. This will disallow logins from all other username attempts. Given that you are using a non-standard port for ssh, you will probably have fewer ssh brute force attacks from script kiddies. And if your username is unique, they may never even try it.

This is a much easier way of locking down ssh then having to explicitly disallow each system user.

I would also recommend installing Cygwin/X. It will give you all your favorite *nix utilities such as grep, sed, awk, and even tex and latex if you install it. It does wonders for me at work. I am able to produce pdf catalogs of dvd backups with a 3 line script. This will also give you ssh, and you can use "ssh -X username@remotehost" to log into to your linux machine and run gui programs like konqueror as well. You could even be logged in to two or more remote machines at a time. This is a handy way to compare two linux machines remotely using one as a model.

Last edited by jschiwal; 11-30-2006 at 05:07 AM.
 
Old 11-30-2006, 01:59 PM   #9
Xeratul
Senior Member
 
Registered: Jun 2006
Location: Debian Land
Posts: 1,337

Original Poster
Rep: Reputation: 83
Quote:
Originally Posted by jschiwal
The router that your remote Linux host uses should be set to forward port 8080 to the linux host.

Make sure that you read the sshd_config man page. Disable root logins ("PermitRootLogin No") and if you are the only person who logs in remotely to this host, then use the line: "AllowUsers <your user name>" in /etc/sshd_config. This will disallow logins from all other username attempts. Given that you are using a non-standard port for ssh, you will probably have fewer ssh brute force attacks from script kiddies. And if your username is unique, they may never even try it.

This is a much easier way of locking down ssh then having to explicitly disallow each system user.

I would also recommend installing Cygwin/X. It will give you all your favorite *nix utilities such as grep, sed, awk, and even tex and latex if you install it. It does wonders for me at work. I am able to produce pdf catalogs of dvd backups with a 3 line script. This will also give you ssh, and you can use "ssh -X username@remotehost" to log into to yo qui gère les étranger eur linux machine and run gui programs like konqueror as well. You could even be logged in to two or more remote machines at a time. This is a handy way to compare two linux machines remotely using one as a model.
I like you !! and your experience !
I have lot of questions.
 
Old 11-30-2006, 02:07 PM   #10
Xeratul
Senior Member
 
Registered: Jun 2006
Location: Debian Land
Posts: 1,337

Original Poster
Rep: Reputation: 83
Talking

Quote:
Originally Posted by jschiwal
The router that your remote Linux host uses should be set to forward port 8080 to the linux host.

Make sure that you read the sshd_config man page. Disable root logins ("PermitRootLogin No") and if you are the only person who logs in remotely to this host, then use the line: "AllowUsers <your user name>" in /etc/sshd_config. This will disallow logins from all other username attempts. Given that you are using a non-standard port for ssh, you will probably have fewer ssh brute force attacks from script kiddies. And if your username is unique, they may never even try it.

This is a much easier way of locking down ssh then having to explicitly disallow each system user.

I would also recommend installing Cygwin/X. It will give you all your favorite *nix utilities such as grep, sed, awk, and even tex and latex if you install it. It does wonders for me at work. I am able to produce pdf catalogs of dvd backups with a 3 line script. This will also give you ssh, and you can use "ssh -X username@remotehost" to log into to your linux machine and run gui programs like konqueror as well. You could even be logged in to two or more remote machines at a time. This is a handy way to compare two linux machines remotely using one as a model.

I used ssh -X sometimes it s really cool. btu for far, it s slow. I heard about NX something.

Concerning the stuffs sshd config, sounds fine for the security. but that s annoying to open this port 80 really. Isnt it possibel to target from my IP2_8080 to port IP1_22 directly (for instance)? I would rather open the 22 than the 80 because in case I wanna surf with this machine you nkow. it is better to have a stealth nflank or gmc detection you know.

thank you !

Beside concerning now the putty, how/what should I fill in into the part hotname & tunneling ?
I am not sure of the ports and IP ...

Last edited by Xeratul; 11-30-2006 at 02:15 PM.
 
Old 12-01-2006, 05:02 AM   #11
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
You keep changing from port 8080 to port 80. 8080 is http-alt. They are different ports. The port has to be 80 or 8080 because that is what will get through the firewall which you don't control. It may be possible for your remote router to convert 8080 to 22 as a part of the routers port forwarding process. But you will need 80 or 8080 open on the router. Does the local firewall allow both ports 8080 and port 80 through?
Since you don't control the local firewall, you are limited in your options. Otherwise you could pick whatever port you wanted to use.

I have rarely used putty, so the best I can offer is rtfm advice there. Except for a tickling technique that I read about to bring a port out of stealth mode temporarily if the attempt was from a known address, I don't know how you can be totally stealthed and still offer a service. If any port is open, then your IP address is known, however the number of script kiddy attacks which only look for port 22 will be avoided. This reduces the noise level.

Also, port 80 is the port that a web server uses. If you don't offer a web server to the internet, then you can use port 80. Again, your initial message used port 8080 instead. I believe that is the port that the https protocol uses.

When you browse, you are trying to reach someone elses port 80. The response comes back to a different port above port 1023. So web browsing from the remote machine doesn't need port 80.

Backing up a bit, I have assumed that the remote machine is behind a NAT router. This assumption may be wrong.

I don't know what nflank is. When I used google, the response was about rabbit peptides.

I think that you may be thinking about this from a client only perspective. But when you receive calls from the internet ( your work to home connection ) you are offering a service. When using the computer at home, you can shut down the ssh service and only bring it up and open the port when you expect to connect from work.

Your original assumption that because you can ping google that a proxy isn't used may also be wrong. Does the ip address in the from header match googles public ip address(es). Even then, a transparent proxy might spoof the ip from address. Corporate computers may even proxy web ssl traffic by setting up the hosts with a local certificate. This means that even secure traffic may be unencrypted inside the proxy. You can tell by examining the certificate that seems to come from the web site. If it is local, then never order something for yourself online from work where you need to enter your own credit card number. A dishonest IT person at the company may be able to extract your credit card information. There was a case in the new of a CEO who did just that. He had the employee's SSNs of course. He also stole their credit card numbers from when they ordered things online.

Lastly, there is a reason that your company controls the traffic to the internet. While the use of ssh tunneling might increase your own security, it is also a way to bypass the security that your company's firewall offers. This may be against company policy. The consequences of doing that may be more than you want to risk.

Last edited by jschiwal; 12-01-2006 at 09:36 AM.
 
Old 12-02-2006, 03:04 PM   #12
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Correction

Port 8080 is often used as a web proxy port, such as an ISP's web proxy service. If port 8080 is the only open port, you are probably browsing the web through a proxy.
 
Old 12-03-2006, 03:22 AM   #13
Xeratul
Senior Member
 
Registered: Jun 2006
Location: Debian Land
Posts: 1,337

Original Poster
Rep: Reputation: 83
Quote:
Originally Posted by jschiwal
....
Firstly, thank you for your help and information.
It took me some time to read it. The knowledge of knowing that it exists and how it works is quite formative.
I know now how to set up this linux box IP2 to listen to 8080 and, as you said and that I follow, it is better to avoid using different gates and to make use of tunneling.

Thank you Schiwal !

 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
[SSH] Issue logging in [SSH & Permissions] MD3 Linux - Networking 11 12-10-2006 09:25 AM
Tunnelling yahoo messenger through SSH pnellesen Linux - Networking 1 09-17-2005 06:37 PM
CVS & SSH & Public/private keys guideweb Linux - Software 15 09-09-2005 01:06 PM
tightvnc using ssh tunnelling curmudgeon42 Linux - Software 1 08-18-2004 09:40 PM
ssh tunnelling internet access bfkeats Linux - Networking 2 03-19-2004 03:13 PM


All times are GMT -5. The time now is 05:58 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration