01-25-2011, 11:39 PM  #1
jamesbon (Member; registered Jun 2010; posts: 147)
I need a reverse proxy solution for SSH
Hi, here is the situation. I have a server in a corporate data center for a project. I have SSH access to this machine on port 22. There are some virtual machines running on this server, and behind everything many other operating systems are working. Now, since I am behind the data center's firewall, my supervisor asked me if I can do something by which I can give many people on the Internet access to these virtual machines directly. I know that if I were allowed to get traffic on a port other than 22 then I could do port forwarding. But since I am not allowed this, what can be a solution in this case? The people who would like to connect might be complete idiots, who may be happy just by opening PuTTY on their machines or maybe even FileZilla. I have configured an Apache reverse proxy for redirecting the Internet traffic to the virtual machines on these hosts, but I am not clear what I can do for SSH. So is there something equivalent to an Apache reverse proxy which can do similar work for SSH in this situation?
I do not have the firewall in my hands or any port other than 22 open, and in fact even if I request it they won't allow one to be opened. Doing SSH two times is not something that my supervisor wants.
01-26-2011, 04:03 AM  #2
acid_kewpie (Moderator; registered Jun 2001; location: UK; distribution: Gentoo, RHEL, Fedora, CentOS; posts: 43,417)
Well, in terms of terminology it's not a reverse proxy you want here; you just want to do some SSH tunnelling, which you can configure as a PuTTY profile to distribute if you wish. Have a look online for some tunnelling walkthroughs for PuTTY, but the ssh command line equivalent would be:
Code:
ssh user@linuxserver.example.com -L 2201:192.168.100.1:22 -L 2202:192.168.100.2:22
So once logged in, if the user opens a second ssh session to port 2201 on their loopback address, they will go via the current ssh tunnel and hit port 22 on 192.168.100.1. Obviously these ports are totally arbitrary, and you can do RDP, HTTP or any other TCP protocol through it.
01-26-2011, 05:15 AM  #3
EricTRA (LQ Guru; registered May 2009; location: Gibraltar; distribution: Fedora 20 with Awesome WM; posts: 6,805)
Hi,
I have something similar set up at the company where I work. I needed a way to connect at any time from home to the servers on their network, but the VPN is only for their own employees. So with the 'go-ahead' of my supervisor I installed autossh on one of the servers I administer and run it as a service to connect constantly to my public IP at home as a reverse SSH tunnel. This is my config in /etc/init.d/autosshd_eric:
Code:
#!/bin/sh
# chkconfig: 2345 90 10
# description: autosshd
# Keep a reverse tunnel up: port 6262 on the home box leads back to
# port 22 on this server. -M 20000 is autossh's monitor port,
# -f backgrounds the process, -N opens no shell on the far end.
/usr/local/bin/autossh -f -M 20000 -N \
-R 6262:localhost:22 \
eric@mypublicIP -p 22
At home, when I need to connect to work using that tunnel, I just type:
Code:
ssh usernameatwork@localhost -p 6262
and voila.
I have it set up with key authentication over password, so it's more secure.
The advantage of autossh over regular ssh is that SSH tunnels close after some time and you'll need someone on the inside to restart them. Autossh does that automatically for you. I can go days without using the tunnel and when I need it, it's still there.
Some things to take into account:
If your IP at home is dynamic it might change. You can use something like DynDNS to overcome that.
If your computer at home gets an IP from the router through DHCP, that might change too, so you'll have to change your router's config to point to the correct IP or set up a fixed one on your home computer.
Another advantage is that you can 'create' a startup script for every user with their IP and never have to look at it again if set up correctly.
Kind regards,
Eric
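An added example, not EricTRA's init script and not part of the original thread, of two things worth having next to that reverse tunnel: the autossh invocation with options that make a dead or half-failed tunnel get restarted, and a check of the authorized_keys entry on the home side, so that the key stored on the corporate server can only hold this one tunnel open and cannot log in, run commands or open other listeners at home. The user/host eric@home.example.org, port 6262 and monitor port 20000 are assumed to match the post; the key material in the sample file is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not the original poster's init script. Assumed values:
# eric@home.example.org, listen port 6262, monitor port 20000 (as in the
# thread); the key blobs in SAMPLE_KEYS are constructed placeholders.

# Print the autossh command for a reverse tunnel.
#   $1 user@host at home   $2 port to open on the home side
#   $3 host:port reached from the corporate server   $4 autossh -M port
reverse_tunnel_cmd() {
    # ExitOnForwardFailure=yes: if $2 is already bound at home, ssh exits
    # and autossh retries, instead of staying connected with no tunnel.
    # ServerAlive*: a dead link is noticed after ~90 s, not hours.
    echo "autossh -f -M $4 -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R $2:$3 $1"
}

# Check one authorized_keys line (on the home box) for a tunnel-only key:
#   restrict            disable pty, agent/X11 forwarding, user rc, and
#   port-forwarding     re-enable only port forwarding
#   permitlisten="PORT" honour -R only for that port (OpenSSH 7.8+)
#   command="..."       anything that still asks for a shell gets that instead
# Prints the missing options and returns 1 if any are absent.
key_line_ok() {
    line=$1; missing=""
    case "$line" in *restrict*)      ;; *) missing="$missing restrict";;     esac
    case "$line" in *permitlisten=*) ;; *) missing="$missing permitlisten";; esac
    case "$line" in *command=*)      ;; *) missing="$missing command";;      esac
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    return 0
}

# Read an authorized_keys file on stdin; print how many keys are NOT
# locked down as above (blank lines and comments are skipped).
count_unrestricted() {
    n=0
    while IFS= read -r l; do
        case "$l" in ''|'#'*) continue;; esac
        key_line_ok "$l" >/dev/null || n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample of ~eric/.ssh/authorized_keys at home: first the key as
# it is often installed (full login rights), then the tunnel-only form.
SAMPLE_KEYS='# key used by the autossh service on the corporate server
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALFORTHISEXAMPLEONLY000000 autossh@corp-server
restrict,port-forwarding,permitlisten="6262",command="/bin/false" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYMATERIALFORTHISEXAMPLEONLY000000 autossh@corp-server'

reverse_tunnel_cmd eric@home.example.org 6262 localhost:22 20000
echo "unrestricted keys in sample: $(printf '%s\n' "$SAMPLE_KEYS" | count_unrestricted)"
```

permitlisten needs OpenSSH 7.8 or newer on the home side; on an older sshd, drop it and rely on restrict, port-forwarding and the forced command. Note that -R 6262:localhost:22 binds 6262 on the home box's loopback only (GatewayPorts is off by default), which is what you want here: nobody else on the home network can reach the corporate server through it.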
01-27-2011, 01:57 AM  #4
camh (Member; registered Feb 2005; distribution: Slack/Debian; posts: 163)
Quote:
Originally Posted by EricTRA
I have it set up with key authentication over password, so it's more secure.
Just felt I should point out that using a key instead of a password isn't any more secure. If you wanted to be more secure, you'd use a key and a password.
01-27-2011, 11:21 AM  #5
EricTRA (LQ Guru; registered May 2009; location: Gibraltar; distribution: Fedora 20 with Awesome WM; posts: 6,805)
Quote:
Originally Posted by camh
Just felt I should point out that using a key instead of a password isn't any more secure. If you wanted to be more secure, you'd use a key and a password.
Hello,
Of course, the more 'options' you use to authenticate, the more secure it will be. You could also include a certificate on a USB key in combination with some udev rules. But in my opinion that'll only complicate everyday usage. In my opinion a key of 2048 bits is a lot more security than a password. Of course it all depends on the level of security you want/need.
Kind regards,
Eric
01-28-2011, 01:33 PM  #6
jamesbon (Member, original poster; registered Jun 2010; posts: 147)
Quote:
Originally Posted by EricTRA
Hi,
I have something similar set up at the company where I work. I needed a way to connect at any time from home to the servers on their network but the VPN is only for their own employees. So with the 'go-ahead' of my supervisor I installed autossh on one of the servers I administer and run it as a service to connect constantly to my public IP at home as reverse SSH. This is my config in /etc/init.d/autosshd_eric
Code:
# chkconfig: 2345 90 10
# description: autosshd
/usr/local/bin/autossh -f -M 20000 -N \
-R 6262:localhost:22 \
eric@mypublicIP -p 22
Eric, thanks for this tip. It is a good one, and in my case it will not work, as I can handle this but the users whom I might have to give access will not be willing to do so; anyhow, your tip goes to my bookmarks.
Hi acid_kewpie, thanks for this solution, but I could not understand it fully.
You used two IP addresses with -L. I am not clear why two, and how it will work.
If I do the above, then which IP will I be logged in to first? Is it 192.168.100.1 or 192.168.100.2, and what will happen?
Quote:
Originally Posted by acid_kewpie
so once logged in, if the user opens a second ssh session to port 2201 on their loopback address, they will go via the current ssh tunnel and hit port 22 on 192.168.100.1. Obviously these ports are totally arbitrary and you can do RDP, HTTP or any other TCP protocol through it.
What is the purpose of -L 2202:192.168.100.2:22 above?
I have read the man page of ssh also:
Quote:
-L [bind_address:]port:host:hostport
Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. This works by allocating a socket to listen to port on the local side, optionally bound to the specified bind_address. Whenever a connection is made to this port, the connection is forwarded over the secure channel, and a connection is made to host port hostport from the remote machine. Port forwardings can also be specified in the configuration file. IPv6 addresses can be specified with an alternative syntax: [bind_address/]port/host/hostport or by enclosing the address in square brackets. Only the superuser can forward privileged ports. By default, the local port is bound in accordance with the GatewayPorts setting. However, an explicit bind_address may be used to bind the connection to a specific address. The bind_address of “localhost” indicates that the listening port be bound for local use only, while an empty address or ‘*’ indicates that the port should be available from all interfaces.
What I do not understand is
Quote:
[bind_address:]port:host:hostport
What format is this?
What is bind_address here?
Also, do I need to make SSH listen on some other port? As you logged in above on 2201, should SSH on the server listen on 2201?
Also I want to share one more link which I came across:
http://serverfault.com/questions/226.../227268#227268
so that some LQ member may help me understand what the person in the above link is saying about using Squid with Apache and an SSH tunnel.
01-28-2011, 02:17 PM  #7
acid_kewpie (Moderator; registered Jun 2001; location: UK; distribution: Gentoo, RHEL, Fedora, CentOS; posts: 43,417)
The bind_address is used to specify a specific IP on the local machine to bind to. Personally I never tend to use it.
Which two IP addresses? You can use as many -L's as you like, and it's just a simple case that the leading port number on the local machine connects you to the IP and port after it. Really easy concept.
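The [bind_address:]port:host:hostport format jamesbon asked about, as an added example that is not code from acid_kewpie or from the original thread. It takes a forward spec apart into its four fields the way the man page text above describes, builds the one ssh command the OP would hand to users with one -L per VM, and answers "which machine do I reach on local port 2202?" by reading the specs back. linuxserver.example.com and the 192.168.100.x addresses come from post #2; the user name, the VM list and the explicit 127.0.0.1 bind address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Works through the
# [bind_address:]port:host:hostport form of -L: split a spec into its
# fields, build the one ssh command the OP would hand to users (one -L per
# VM), and read the specs back to answer "which VM is local port N?".
# Assumed: user 'user' on linuxserver.example.com (post #2), the VM list,
# and binding to 127.0.0.1 explicitly.

# Split an -L/-R spec into "bind port host hostport". Prints 'default' for
# the bind address when it was omitted (ssh then binds per GatewayPorts,
# i.e. loopback only unless that is changed). IPv6 bracket form not handled.
parse_forward() {
    spec=$1
    only_colons=$(printf '%s' "$spec" | tr -cd ':')
    case ${#only_colons} in
        3) bind=${spec%%:*}; rest=${spec#*:} ;;   # bind_address given
        2) bind=default;     rest=$spec ;;        # bind_address omitted
        *) echo "bad forward spec: $spec" >&2; return 1 ;;
    esac
    port=${rest%%:*};  rest=${rest#*:}
    host=${rest%%:*};  hostport=${rest#*:}
    # Only root may bind a local port below 1024.
    if [ "$port" -lt 1024 ] 2>/dev/null; then
        echo "note: local port $port needs root" >&2
    fi
    echo "$bind $port $host $hostport"
}

# One jump host on 22, one -L per VM, local ports 2201, 2202, ... in list
# order. Binding to 127.0.0.1 keeps the tunnels off the user's other
# interfaces (a -L with no bind address does the same unless -g or
# GatewayPorts is set; spelling it out removes the doubt).
#   $1 user@jumphost   remaining args: VM addresses on the inside network
forward_cmd() {
    user_host=$1; shift
    n=2201; cmd="ssh $user_host"
    for vm in "$@"; do
        cmd="$cmd -L 127.0.0.1:$n:$vm:22"
        n=$((n + 1))
    done
    echo "$cmd"
}

# Given a command from forward_cmd and a local port, print the host:port a
# connection to 127.0.0.1:PORT lands on; return 1 if no -L maps that port.
target_of() {
    cmd=$1; want=$2; prev=""
    for w in $cmd; do
        if [ "$prev" = "-L" ]; then
            parsed=$(parse_forward "$w") || return 1
            set -- $parsed                 # bind port host hostport
            if [ "$2" = "$want" ]; then echo "$3:$4"; return 0; fi
        fi
        prev=$w
    done
    return 1
}

# The two forwards from post #2: users first log in to the jump host, then
# point a second PuTTY/ssh session at 127.0.0.1:2201 or 127.0.0.1:2202.
CMD=$(forward_cmd user@linuxserver.example.com 192.168.100.1 192.168.100.2)
echo "$CMD"
echo "127.0.0.1:2202 -> $(target_of "$CMD" 2202)"
parse_forward 2201:192.168.100.1:22
```

Nothing on the server has to listen on 2201 or 2202: those ports exist only on the user's own machine, opened by their ssh client, and sshd on the server keeps listening on 22 alone. The first login is to linuxserver.example.com; the VMs are reached only through the second connection to the local port.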
01-29-2011, 01:34 AM  #8
jamesbon (Member, original poster; registered Jun 2010; posts: 147)
Hi acid_kewpie, I am still not able to understand it. It might be easy for you, but I am not getting it.
01-29-2011, 03:41 AM  #9
acid_kewpie (Moderator; registered Jun 2001; location: UK; distribution: Gentoo, RHEL, Fedora, CentOS; posts: 43,417)
Well, there are plenty of docs out there describing the concept. It's a weird idea, sure, but very simple in reality. http://wiki.metawerx.net/wiki/SSHTunnel