SSH Tunneling Recipes
Developer Toolbox Series
Rafael Luque, OSOCO
Contents
1 SSH tunneling & common uses
2 Local port forwarding
3 Remote port forwarding
4 Dynamic port forwarding
5 X forwarding
6 Some useful tools
Protocol tunneling
One network protocol —the delivery protocol— encapsulates a different payload protocol.
— Wikipedia
SSH tunneling
A secure shell (SSH) tunnel consists of an encrypted tunnel created through an SSH protocol connection.
— Wikipedia
Common uses
To securely connect to a remote host and have your network traffic encrypted
• You are on a public, non-secure, non-trusted or unencrypted network.
• You use an insecure protocol like POP3, IMAP, SMTP, FTP, telnet, etc.
Common uses
To bypass local network restrictions and monitoring services
Common uses
Internet censorship circumvention
Map of cyber-censorship
Common uses
Open backdoors to allow outbound connections to hosts behind a firewall
Common uses
X11 forwarding
Common uses
Access services bound to the loopback interface
Local port forwarding
Local port forwarding (aka outgoing tunneling) forwards traffic coming to a local port to a specified remote port
Local port forwarding
Recipe #1: Access a remote service behind a firewall
ssh -fN -L <localport>:localhost:<remoteport> user@external
The service is available on the loopback interface only.
Local port forwarding
Recipe #2: Access a remote service from any host behind the firewall
ssh -fN -L 0.0.0.0:<localport>:localhost:<remoteport> user@external
or
ssh -fN -g -L <localport>:localhost:<remoteport> user@external
Local port forwarding
Recipe #3: Access a remote service visible from the ssh server
ssh -fN -L <localport>:external2:<remoteport> user@external
The service is available on the loopback interface only.
Local port forwarding
Recipe #4: Access a remote service visible from the ssh server for any host behind the firewall
ssh -fN -L 0.0.0.0:<localport>:external2:<remoteport> user@external
or
ssh -fN -g -L <localport>:external2:<remoteport> user@external
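Recipes #1 to #4 differ only in the bind address of the client-side listener, and that address decides who can reach the tunnel: loopback-only by default, every host on the network with 0.0.0.0 or -g. The following added example (not from the slides) parses an -L specification and reports that exposure, following the bind_address rules of ssh(1); the function and class names are my own.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Forward:
    bind_address: Optional[str]   # None: no bind_address given on the command line
    port: int
    host: str
    hostport: int

def _split_spec(spec: str) -> List[str]:
    """Split on ':' while keeping bracketed IPv6 literals such as [::1] whole."""
    parts, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip("[]") for p in parts]

def parse_forward(spec: str) -> Forward:
    """Parse [bind_address:]port:host:hostport, the syntax of ssh -L and -R."""
    parts = _split_spec(spec)
    if len(parts) == 3:
        parts = [None] + parts
    if len(parts) != 4:
        raise ValueError("expected [bind_address:]port:host:hostport, got %r" % spec)
    bind, port, host, hostport = parts
    return Forward(bind, int(port), host, int(hostport))

def local_bind_address(fwd: Forward, gateway_flag: bool = False) -> str:
    """Address the client-side -L listener binds to, following ssh(1):
    no bind_address -> loopback, or all interfaces when -g is given;
    '' or '*' -> all interfaces; 'localhost' -> loopback; else as given."""
    if fwd.bind_address is None:
        return "*" if gateway_flag else "localhost"
    return "*" if fwd.bind_address == "" else fwd.bind_address

def listener_exposure(spec: str, gateway_flag: bool = False) -> str:
    """Classify who can reach the listener: 'loopback', 'all-interfaces' or 'address X'."""
    bind = local_bind_address(parse_forward(spec), gateway_flag)
    if bind in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    if bind in ("localhost", "127.0.0.1", "::1"):
        return "loopback"
    return "address " + bind
```

Running `ss -ltn` on the client after starting the tunnel shows the same bind address the function predicts, which is the quickest way to confirm a forward did not end up exposed.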
Remote port forwarding
Remote port forwarding (aka incoming tunneling) forwards traffic coming to a remote port to a specified local port
Remote port forwarding
Recipe #5: Access a service behind a firewall from the ssh server
ssh -fN -R <remoteport>:localhost:<localport> user@external
The service is available on the loopback interface only.
Remote port forwarding
Recipe #6: Access a service behind a firewall from any external host with access to the ssh server
ssh -fN -R 0.0.0.0:<remoteport>:localhost:<localport> user@external
Edit /etc/ssh/sshd_config at the ssh server to allow the client to select the address to which the forwarding is bound:
GatewayPorts clientspecified
Remote port forwarding
Recipe #7: Access a service in a host accessible by the ssh client from the ssh server
ssh -fN -R <remoteport>:internal2:<localport> user@external
The service is available on the loopback interface only.
Remote port forwarding
Recipe #8: Access a service in a host accessible by the ssh client from any host with access to the ssh server
ssh -fN -R 0.0.0.0:<remoteport>:internal2:<localport> user@external
Edit /etc/ssh/sshd_config at the server to allow the client to select the address to which the forwarding is bound:
GatewayPorts clientspecified
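Recipes #6 and #8 work only because the server's GatewayPorts setting hands the bind decision to the client; with the default `no`, sshd ignores the 0.0.0.0 in the -R argument and binds to loopback anyway. This added example (not from the slides or from OpenSSH) models that server-side decision from a constructed sshd_config fragment, following the GatewayPorts and AllowTcpForwarding semantics documented in sshd_config(5); the function names and the sample config are assumptions of the example.

```python
import re

# Constructed sshd_config fragment: the directive the slides add, with a
# commented-out old value and a Match block the parser must not pick up.
SAMPLE_SSHD_CONFIG = """\
# GatewayPorts no
AllowTcpForwarding yes
GatewayPorts clientspecified
Match User backup
    GatewayPorts yes
"""

def sshd_option(config_text: str, keyword: str, default: str) -> str:
    """First global value of `keyword`, lower-cased. sshd keeps the first
    occurrence of a keyword, and lines from the first Match block onward
    are conditional, so they are skipped. Keywords are case-insensitive."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key val' or 'Key=val'
        key = fields[0].lower()
        if key == "match":
            break
        if key == keyword.lower():
            return fields[1].strip().lower() if len(fields) > 1 else ""
    return default

def remote_bind_address(config_text: str, requested):
    """Where sshd binds the listener for a -R request, given the server
    config and the bind_address the client asked for (None when -R carried
    none; ssh then sends 'localhost'). Returns 'loopback', 'wildcard',
    the requested address, or None when remote forwarding is refused."""
    if sshd_option(config_text, "AllowTcpForwarding", "yes") in ("no", "local"):
        return None
    policy = sshd_option(config_text, "GatewayPorts", "no")
    if policy == "no":
        return "loopback"     # default: the client's bind_address is ignored
    if policy == "yes":
        return "wildcard"     # forced onto all interfaces, whatever was asked
    # clientspecified: honour the client's choice (what Recipes #6 and #8 need)
    if requested in (None, "localhost"):
        return "loopback"
    if requested in ("", "*"):
        return "wildcard"
    return requested
```

Because the decision is the server's, auditing sshd_config for GatewayPorts and AllowTcpForwarding is the way to know which tunnels any client of that host is able to publish.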
SOCKS
SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server
— Wikipedia
SSH dynamic port forwarding
• SSH dynamic port forwarding allows the user to create a local SOCKS proxy.
• It frees the user from the limitation of connecting only to a predefined remote port and server.
• It is a circumvention tool that allows bypassing Internet filtering to access content otherwise blocked by governments, workplaces and schools.
Dynamic port forwarding with SOCKS
Recipe #9: Set up a SOCKS proxy
ssh -fN -D <proxyport> user@sshserver
To allow any internal host to use the proxy:
ssh -fN -D 0.0.0.0:<proxyport> user@sshserver
X forwarding
• Using X, you can run remote X applications that open their windows on your local display.
• The X protocol is insecure and wide open to snoopers.
• SSH X forwarding makes the communication secure by tunneling the X protocol:
ssh -X user@server xclock
autossh
autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic.
autossh -M <port>[:echo_port] [-f] [SSH OPTIONS]
sslh
sslh makes it possible to connect to an SSH server or an OpenVPN on port 443 while still serving HTTPS on that port.
Port knocking
Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s).
— Wikipedia
Port knocking
(A) client cannot connect to application listening on port n
(B) client cannot establish connection to any port
Port knocking
(1,2,3,4) client connects to a well-defined set of ports in a sequence that contains an encrypted message by sending SYN packets; client has a priori knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response
Port knocking
(A) server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; server carries out specific task based on content of port knock, such as opening port n to client
Port knocking
(A) client connects to port n and authenticates using the application's regular mechanism
knockd
knockd is a port-knock server. It listens to all traffic on an ethernet interface, looking for special "knock" sequences of port-hits.
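As an added example of the knock-daemon logic walked through on the previous slides (my own code, not knockd's), the tracker below recognises a configured sequence of SYNs per source address within a time limit, like knockd's seq_timeout option, and shows that out-of-order or late knocks never complete the sequence. The sequence, the timeout and the SYN records are constructed for the example.

```python
from collections import defaultdict

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed example sequence
SEQ_TIMEOUT = 5.0                      # seconds the whole sequence may take

class KnockTracker:
    """Per-source recogniser for a fixed sequence of TCP SYN 'knocks'."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        # src -> (index of the next expected port, time of the first knock)
        self.progress = defaultdict(lambda: (0, None))
        self.opened = []   # (ts, src) for every completed sequence

    def observe(self, ts, src, dport):
        """Feed one SYN; returns True when it completes the sequence."""
        idx, first_ts = self.progress[src]
        if first_ts is not None and ts - first_ts > self.timeout:
            idx, first_ts = 0, None          # too slow: drop partial progress
        if dport == self.sequence[idx]:
            if idx == 0:
                first_ts = ts
            idx += 1
        elif dport == self.sequence[0]:
            idx, first_ts = 1, ts            # wrong port, but a fresh start
        else:
            idx, first_ts = 0, None          # any other port breaks the sequence
        done = idx == len(self.sequence)
        if done:
            self.opened.append((ts, src))
            idx, first_ts = 0, None
        self.progress[src] = (idx, first_ts)
        return done

def replay(records, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Run (timestamp, src, dport) SYN records through one tracker."""
    tracker = KnockTracker(sequence, timeout)
    for ts, src, dport in records:
        tracker.observe(ts, src, dport)
    return tracker.opened

# Constructed SYN records, e.g. parsed from firewall log lines.
SAMPLE_SYNS = [
    (100.0, "192.0.2.10", 7000), (100.4, "192.0.2.10", 8000),
    (100.9, "192.0.2.10", 9000),   # correct order within 0.9 s: opens
    (200.0, "192.0.2.20", 7000), (200.5, "192.0.2.20", 9000),
    (201.0, "192.0.2.20", 8000),   # out of order: never opens
    (300.0, "192.0.2.30", 7000), (308.0, "192.0.2.30", 8000),
    (308.5, "192.0.2.30", 9000),   # second knock 8 s late: timed out
]

if __name__ == "__main__":
    print(replay(SAMPLE_SYNS))
```

The same recogniser, fed from firewall logs instead of a live interface, doubles as a detection for knock sequences arriving from addresses that should not know them.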
References
• SSH: The Secure Shell: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/index.htm
• autossh: http://www.harding.motd.ca/autossh/
• sslh: http://www.rutschle.net/tech/sslh.shtml
• Port knocking: http://www.portknocking.org/
• knockd: http://www.zeroflux.org/projects/knock
Picture credits
• Cover photo by twicepix: http://www.flickr.com/photos/twicepix/2825051329/
• The map of the cyber-censorship by Reporters Without Borders: http://march12.rsf.org/en/
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.