LinuxQuestions.org
Visit the LQ Articles and Editorials section
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 01-25-2011, 11:39 PM   #1
jamesbon
Member
 
Registered: Jun 2010
Posts: 130

Rep: Reputation: 9
I need a reverse proxy solution for SSH


Hi here is a situation I have a server in a corporate data center for a project. I have an SSH access to this machine at port 22.There are some virtual machines running on this server and then at the back of every thing many other Operating systems are working. Now Since I am behind the data centers firewall my supervisor asked me if I can do some thing by which I can give many people on Internet access to these virtual machines directly. I know if I were allowed to get traffic on port other than 22 then I can do a port forwarding. But since I am not allowed this so what can be a solution in this case. The people who would like to connect might be complete idiots.Who may be happy just by opening putty at their machines or may be even filezilla.I have configured an Apache Reverse Proxy for redirecting the Internet traffic to the virtual machines on these hosts.But I am not clear as for SSH what can I do.So is there some thing equivalent to an Apache Reverse Proxy which can do similar work for SSH in this situation.

I do not have firewall in my hands or any port other than 22 open and in fact even if I request they wont allow to open.2 times SSH is not some thing that my supervisor wants.
 
Old 01-26-2011, 04:03 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967
Well in terms of terminology, it's not a reverse proxy you want here, you just want to do some SSH tunnelling, which you can configure as a puTTY profile to distribute if you wish. Have a look on line for some tunnelling walk throughs for puTTY, but the ssh command line equivalent would be:

ssh user@linuxserver.example.com -L 2201:192.168.100.1:22 -L 2202:192.168.100.2:22

so once logged in, if the user opens a second ssh session to port 2201 on their loopback address, they will go via the current ssh tunnel and hit port 22 on 192.168.100.1. Obviously these ports are totally arbitrary and you can do RDP, HTTP or any other TCP protocol through it.
 
Old 01-26-2011, 05:15 AM   #3
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Hi,

I have something similar set up at the company where I work. I needed a way to connect at any time from home to the servers on their network but the VPN is only for their own employees. So with the 'go-ahead' of my supervisor I installed autossh on one of the servers I administer and run it as a service to connect constantly to my public IP at home as reverse SSH. This is my config in /etc/init.d/autosshd_eric
Code:
# chkconfig: 2345 90 10
# description: autosshd
/usr/local/bin/autossh -f -M 20000 -N \
-R 6262:localhost:22 \
eric@mypublicIP -p 22
At home when I need to connect to work using that tunnel I just type:
Code:
ssh usernameatwork@localhost -p 6262
and voila.

I have it set up with key authentication over password, so it's more secure.

The advantage of autossh over regular ssh is that SSH tunnels close after some time and you'll need someone on the inside to restart it. Autossh does that automatically for you. I can go days without using the tunnel and when I need it, it's still there.

Some things to take into account:
If your IP at home is dynamic it might change. You can use something like DynDNS to overcome that.
If your computer at home gets an IP from the router through DHCP that might change too so you'll have to change your router's config to point to the correct IP or set up fixed on your home computer.

Another advantage is that you can 'create' a startup script for every user with their IP and never have to look at it again if set up correctly.

Kind regards,

Eric
 
Old 01-27-2011, 01:57 AM   #4
camh
Member
 
Registered: Feb 2005
Distribution: Slack/Debian
Posts: 163
Blog Entries: 2

Rep: Reputation: 33
Quote:
Originally Posted by EricTRA View Post
I have it set up with key authentication over password, so it's more secure.
Just felt I should point out that using a key instead of a password isn't any more secure. If you wanted to be more secure, you'd use a key and a password.
 
Old 01-27-2011, 11:21 AM   #5
EricTRA
Guru
 
Registered: May 2009
Location: Gibraltar, Gibraltar
Distribution: Fedora 20 with Awesome WM
Posts: 6,805
Blog Entries: 1

Rep: Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291Reputation: 1291
Quote:
Originally Posted by camh View Post
Just felt I should point out that using a key instead of a password isn't any more secure. If you wanted to be more secure, you'd use a key and a password.
Hello,

Of course, the more 'options' you use to authenticate the more secure it will be. You could also include a certificate on a USB key in combination with some udev rules. But in my opinion that'll only complicate every day usage. In my opinion a key of 2048 bits is a lot more security then a password. Of course it all depends on the level of security you want/need.

Kind regards,

Eric
 
Old 01-28-2011, 01:33 PM   #6
jamesbon
Member
 
Registered: Jun 2010
Posts: 130

Original Poster
Rep: Reputation: 9
Quote:
Originally Posted by EricTRA View Post
Hi,

I have something similar set up at the company where I work. I needed a way to connect at any time from home to the servers on their network but the VPN is only for their own employees. So with the 'go-ahead' of my supervisor I installed autossh on one of the servers I administer and run it as a service to connect constantly to my public IP at home as reverse SSH. This is my config in /etc/init.d/autosshd_eric
Code:
# chkconfig: 2345 90 10
# description: autosshd
/usr/local/bin/autossh -f -M 20000 -N \
-R 6262:localhost:22 \
eric@mypublicIP -p 22
Eric thanks for this tip it is a Good one and in my case it will not work as I can handle this but the users whom I might have to give access to this will be not willing to do so but any how your tip goes to my bookmarks.

Hi acid_kewpie thanks for this solution but I could not understand it fully.

Quote:
Originally Posted by acid_kewpie View Post
ssh user@linuxserver.example.com -L 2201:192.168.100.1:22 -L 2202:192.168.100.2:22
You used two IP addresses with -L I am not clear with why 2 and how it will work.
If I do the above then which IP will I be logged in first.Is it 192.168.100.1 or 192.168.100.2 and what will happen?

Quote:
Originally Posted by acid_kewpie View Post
so once logged in, if the user opens a second ssh session to port 2201 on their loopback address, they will go via the current ssh tunnel and hit port 22 on 192.168.100.1. Obviously these ports are totally arbitrary and you can do RDP, HTTP or any other TCP protocol through it.
What is the purpose of -L 2202:192.168.100.2:22 above

I have read man page of ssh also

Quote:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting.However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all
interfaces.
What I do not understand is
Quote:
[bind_address:]port:host:hostport
What format is this?
What is bind_address here?
Also do I need to make SSH listen to some other port as you logged in above on 2201 so should SSH on server listen to 2201

Also I want to share one more link which came across me
http://serverfault.com/questions/226.../227268#227268
so that some LQ member may help me understanding what the person on above link is saying to use squid with Apache and SSH tunnel.

Last edited by jamesbon; 01-28-2011 at 01:50 PM.
 
Old 01-28-2011, 02:17 PM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967
the bind_address is used to specify a specific IP on the local machine to bind to. Personally I never tend to use it.

which 2 IP addresses? You as many -L's as you like, and it's just simple case that the leading port number on the local machine connects you to the ip and port after it. Really easy concept.

Last edited by acid_kewpie; 01-28-2011 at 02:25 PM.
 
Old 01-29-2011, 01:34 AM   #8
jamesbon
Member
 
Registered: Jun 2010
Posts: 130

Original Poster
Rep: Reputation: 9
Hi acid_kewpie I am still not able to understand it.It might be easy for you but I am not getting it.
 
Old 01-29-2011, 03:41 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,414

Rep: Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967Reputation: 1967
well there are plenty of docs out there describing the concept. It's a weird idea sure, but very simple in reality. http://wiki.metawerx.net/wiki/SSHTunnel
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Reverse Tunneling / Reverse port forwarding in SSH dynamics Linux - Networking 3 11-23-2009 11:31 AM
Reverse Proxy??? jantman Linux - Server 2 12-07-2007 07:01 PM
Squid as Reverse Proxy and LAN proxy? zivota Linux - Security 2 02-26-2007 06:00 PM
reverse proxy? bwall Linux - Newbie 1 11-22-2005 08:42 PM
still trying to reverse proxy wildbob Linux - Networking 6 10-28-2003 10:12 AM


All times are GMT -5. The time now is 01:11 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration