LinuxQuestions.org
Old 08-17-2006, 08:57 AM   #1
hazmatt20
SSH to multiple computers behind firewall


I'm getting ready to add 2 computers to my network (will be a total of 4). I can ssh to the firewall and then to another computer (or any one of them first if I forward port 22 in iptables), but I was just curious if there was a way to forward the ssh connection to a specific computer by what username you use, for example firewall@myip.com connects you to the firewall, www@myip.com connects you to the webserver, and so on. What do you think?
 
Old 08-17-2006, 10:07 AM   #2
soggycornflake
You could just write a script that would automatically ssh to whatever box after logging in, e.g.

Code:
#!/bin/sh
# Log in to the firewall and immediately run "ssh <box>" there.
# ${1%%@*} keeps only the part of the argument before the first '@'
# (POSIX; the bash-only ${1/@*} did the same). -t allocates a tty so the
# inner ssh session is interactive.
ssh -t firewall@myip.com ssh "${1%%@*}"

You'd then just run the script with something like

Code:
sshmyip www@myip.com

Thus, after ssh'ing to firewall@myip.com, it will then run the command 'ssh www'

Last edited by soggycornflake; 08-17-2006 at 10:09 AM.
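An added example, not from this post or the thread, of the same wrapper idea using OpenSSH's ProxyJump option (-J, OpenSSH 7.3 or later, so newer than the thread) instead of nesting one ssh inside another, and refusing any internal name that is not on a short allow-list. It assumes the firewall answers as firewall@myip.com; the box names www, ftp and mail are constructed.

```sh
#!/bin/sh
# Added example (not from the thread or its posters): a jump-host wrapper in
# the spirit of post #2, using OpenSSH's ProxyJump option (-J, OpenSSH 7.3 or
# later) and only accepting internal box names from an allow-list.
# Assumptions: firewall@myip.com is the jump host; www/ftp/mail are constructed.

JUMP_HOST="firewall@myip.com"
ALLOWED_BOXES="www ftp mail"

# jump_cmd box@myip.com -> prints the ssh command line; returns 1 on bad input.
# As in post #2, the part before '@' names the internal box.
jump_cmd() {
    case $1 in
        *@*) box=${1%%@*} ;;   # strip the first '@' and everything after it
        *)   echo "usage: jump_cmd box@myip.com" >&2; return 1 ;;
    esac
    for b in $ALLOWED_BOXES; do
        if [ "$b" = "$box" ]; then
            # -J opens the connection through the firewall; the inner hop
            # uses the same login name, as the original script did
            printf 'ssh -J %s %s\n' "$JUMP_HOST" "$box"
            return 0
        fi
    done
    echo "refusing unknown internal box: $box" >&2
    return 1
}

# When run directly with an argument, execute the generated command.
[ $# -eq 0 ] || { cmd=$(jump_cmd "$1") && exec $cmd; }
```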
 
Old 08-17-2006, 10:26 AM   #3
gizza23
That's an interesting request. I would do it by DNS server though. As long as the host names are externally accessible via the dns one could try

ssh %user%@host0.example.com
ssh %user%@host1.example.com
ssh %user%@host2.example.com

The DNS would play a key role behind the NAT, pointing to the correct ssh server.
 
Old 08-17-2006, 10:52 AM   #4
hazmatt20
Original Poster
Would that be set up in the DNS for the domain name or the DNS for the network?
 
Old 08-17-2006, 10:59 AM   #5
gizza23
I'm referring to the DNS for that particular network. So not the one for the domain name.
 
Old 08-17-2006, 11:07 AM   #6
hazmatt20
Original Poster
So, I have all subdomains going to the firewall/dns server, set up the host names for all the machines (isn't that /etc/resolve.conf?), and then all connections to that subdomain should go to that computer? For example:

#/etc/resolve.conf
nameserver x.x.x.x
nameserver x.x.x.x
ftp 192.168.0.2
www 192.168.0.3

Then, ssh username@ftp.example.com should go to the computer on 192.168.0.2 and the same thing with www?
 
Old 08-17-2006, 11:42 AM   #7
soggycornflake
I assumed the firewall was not forwarding port 22, so DNS would be of no use if you can't access the internal boxes (the OP said he could access each box if he forwarded port 22, so I assumed he wasn't forwarding it normally). If you can access the boxes externally, then what's the problem anyway? Just ssh to each box. I thought OP said he could already do that anyway...
 
Old 08-17-2006, 11:58 AM   #8
gizza23
Interesting, I've never seen /etc/resolv.conf used like that. However, in the DNS addressing scheme in the your-domain.zone file you can appropriately make those entries. I'm thinking something like this:

Code:
localhost       A       127.0.0.1
mainserv        A       97.158.253.26
linbox1         A       192.168.0.101
linbox2         A       192.168.0.102
mail            CNAME   mainserv
www             CNAME   mainserv

This way you can query the DNS for the internal IP and then have the ssh transmission forwarded.

For example, %user%@linbox1.example.com would go through this translation:

Code:
97.158.253.26:22 to 192.168.0.101:22

Last edited by gizza23; 08-17-2006 at 12:14 PM.
 
Old 08-17-2006, 12:02 PM   #9
hazmatt20
Original Poster
I said I can forward 22 to any particular box, but normally it just goes to the firewall. I just wanted a way to ssh to a box inside without having to ssh first to the firewall. Too lazy to ssh twice. So sue me. Plus, it helps me learn more about DNS.
 
Old 08-17-2006, 12:07 PM   #10
gizza23
In terms of learning DNS I think that's great, but from a security standpoint I think that it's a big no-no. Allowing access to all boxes on the network can compromise it big time. I think that this is good for experimentation but not for true implementation.
Something that's more secure would be setting up a VPN and then doing an SSH connection to the computers. But as the saying goes, "There's more than one way to skin a cat."
 
Old 08-17-2006, 12:38 PM   #11
hazmatt20
Original Poster
I don't see why it would be such a bad idea. All boxes only have 1 user with ssh permission and new connections would only be allowed on port 22 and whatever service the box is hosting (mail, web, ftp, etc).
 
Old 08-17-2006, 01:01 PM   #12
gizza23
Allowing SSH in terms of the service to be hosted is fine yes, but that also exposes all of the machines in the DNS to SSH exploits. Be aware of DoS attacks and dictionary hacks. Also disable root SSH logins because anyone can guess that there's a root account but not a jdoe account on that particular server.

Your security is just as important as the service.
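An added example, not from this post or the thread, that turns the three points above (root logins, dictionary attacks, which accounts may log in at all) into a small check run against an sshd_config file. The two config files it reads are constructed samples written to temp files; the sshd_value and audit_sshd names are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread or its posters): audit the sshd_config
# points raised in post #12 against a config file. Both configs below are
# constructed samples; sshd_value/audit_sshd are this example's own names.

# sshd_value file keyword default -> effective value of a keyword.
# sshd takes the first non-comment occurrence; keyword names are case-insensitive.
sshd_value() {
    k=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    v=$(awk -v k="$k" '$1 !~ /^#/ && tolower($1) == k { print $2; exit }' "$1")
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# audit_sshd file -> prints one line per finding; exit status = number of findings
audit_sshd() {
    n=0
    # OpenSSH of that era defaulted PermitRootLogin to yes when the line was absent
    if [ "$(sshd_value "$1" PermitRootLogin yes)" != "no" ]; then
        echo "PermitRootLogin is not 'no': root is a login name every attacker guesses"
        n=$((n + 1))
    fi
    if [ "$(sshd_value "$1" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication is on: dictionary attacks can succeed; use keys"
        n=$((n + 1))
    fi
    if [ -z "$(sshd_value "$1" AllowUsers "")" ]; then
        echo "No AllowUsers line: every account with a shell may attempt to log in"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample 1: an untouched default-style config (3 findings expected)
DEFAULT_CFG=$(mktemp)
cat >"$DEFAULT_CFG" <<'EOF'
Port 22
Protocol 2
#PermitRootLogin no
PasswordAuthentication yes
EOF

# Constructed sample 2: the hardened version (0 findings expected)
HARDENED_CFG=$(mktemp)
cat >"$HARDENED_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
AllowUsers jdoe
EOF
```

Run it as `audit_sshd /etc/ssh/sshd_config` from a shell that has sourced the file; the commented-out PermitRootLogin line in the first sample is deliberately ignored, exactly as sshd ignores it.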
 
Old 08-17-2006, 01:14 PM   #13
hazmatt20
Original Poster
I'm very much aware of ssh attacks. My internet was cut off (campus) because of reports of brute force ssh attacks coming from my system. Found out I had used uname ftp password ftp for people to log into my ftp server, but since ftp is a system user by default, I had deleted the user and readded it which gave it a login shell. Now, only 1 user that I created can log in. No root or system users, and the password is a secure password (10 char with upper, lower, number, and symbol).
 
Old 08-17-2006, 01:32 PM   #14
tgo
If you only have one machine you can easily add aliases for each machine and in your iptables rules use the -j DNAT feature.

Here is a good link: http://linux-ip.net/html/nat-dnat.html

DNAT will let you say "if someone hits port 7000 on my external machine then forward it to port 22 on machine A" and your aliases would have the -p flag for ssh already set.

This isn't very secure at all but it works and you don't need special DNS for it.
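An added example, not from this post or the thread, of the port-per-box DNAT scheme above generated from a single mapping so that the iptables rules and the ssh client aliases cannot drift apart. It assumes eth0 is the external interface and myip.com the public name; the internal addresses and external ports are constructed, and the FORWARD rules assume the usual ESTABLISHED,RELATED accept rule already exists.

```sh
#!/bin/sh
# Added example (not from the thread or its posters): the port-per-box DNAT
# scheme from post #14, generated from one mapping. WAN_IF, the box names,
# addresses and port numbers are assumptions/constructed values.

WAN_IF=eth0
# "alias  internal-ip  external-port" -- one line per box (constructed)
MAP='www  192.168.0.3 7000
ftp  192.168.0.2 7001
mail 192.168.0.4 7002'

# dnat_rules -> prints the iptables commands for the mapping
dnat_rules() {
    printf '%s\n' "$MAP" | while read -r name ip port; do
        [ -n "$name" ] || continue
        # PREROUTING rewrites the destination; FORWARD must also permit it,
        # and only NEW connections to that one box and port (no blanket forward).
        # An ESTABLISHED,RELATED accept rule in FORWARD is assumed to exist.
        printf 'iptables -t nat -A PREROUTING -i %s -p tcp --dport %s -j DNAT --to-destination %s:22\n' \
            "$WAN_IF" "$port" "$ip"
        printf 'iptables -A FORWARD -i %s -p tcp -d %s --dport 22 -m state --state NEW -j ACCEPT\n' \
            "$WAN_IF" "$ip"
    done
}

# ssh_aliases -> prints ~/.ssh/config stanzas so that "ssh www" uses port 7000
ssh_aliases() {
    printf '%s\n' "$MAP" | while read -r name ip port; do
        [ -n "$name" ] || continue
        printf 'Host %s\n    HostName myip.com\n    Port %s\n\n' "$name" "$port"
    done
}
```

Review the output of dnat_rules before piping it to a root shell, and append the ssh_aliases output to ~/.ssh/config on the client.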
 
  

