[Sheflug] Firewall security and SSH
Okay, this strictly speaking isn't linux orientated, but with all the talk
of firewalls and security, I thought I'd share this with you after playing
lots with ssh.
Firewalls are good. SSH is also good. However, did you know you can use SSH
to open a hole through a firewall? Read on...
I'll assume you know what a firewall is, and also what ssh is and can do.
So I'll skip that and head straight into the detail.
ssh has the ability to do port forwarding, both local to remote and remote
to local, which allows a user to set up a secure tunnel for various
protocols, e.g. pop3, ftp, telnet etc. A firewall can be breached with
both forms, but the one I'm going to concentrate on is remote port
forwarding.
The tunneling works by telling the ssh daemon on the remote host to listen
on a particular port; any incoming connection to that port is sent by
the ssh daemon back to the ssh client over the encrypted channel you've
opened.
So, for example, say you had a setup like this:
    Private                          Remote internet
    192.168.100.43 ---/firewall/--- 77.33.44.66
where hosts on the private side, behind the firewall, can connect (at
least) to port 22 on remote servers on the public internet.
It would be possible to issue the following command on the private box:
slogin -R 2000:localhost:22 -l username 77.33.44.66
which would connect you, with ssh, to the box on the public internet. It
would also set up a tunnel whereby port 2000 on the remote internet box,
77.33.44.66, is forwarded to localhost port 22 on the private side. In
other words, after typing the command above and logging in, issuing:
slogin -p 2000 -l username localhost
on the remote box would connect you through the ssh tunnel, from
77.33.44.66 to the private box 192.168.100.43. Assuming a reasonably well
set up firewall, it would normally be very, very improbable[1] to connect from
the remote box to the private box; in other words this would fail:
slogin -l username 192.168.100.43
because first off it's a private IP so won't be routed, and secondly there's
a firewall in the way blocking incoming TCP connections. SSH tunneling
works because you've already established a connection to the outside world
by logging into the remote box, and any ssh traffic, including all tunneled
traffic, will go up this connection.
SSH tunneling can be taken a few steps further.
Consider a machine on the private side that is blocked from accessing the
internet, such as a server. Your desktop machine can access the internet
however. In this scenario, it is possible for the firewall to be breached
so that the server can access the internet and the internet can access
(selected) ports on the server.
How? Two tunnels.
The first tunnel would be between your desktop box and the server, but you
make full use of port forwarding:
slogin -R 2000:77.33.44.66:22 -l username server.com
Now, connecting to port 2000 on server.com with ssh will end up with
your desktop box opening a connection through the firewall to 77.33.44.66,
port 22. So now with this:
slogin -l <username> -p 2000 localhost
you can log in to a box on the internet from a server *that is normally
blocked*. It works because the tunnel is between the desktop and server,
and it's the desktop that makes the connection through the firewall, passing
data between server and remote host.
You can see what's coming next can't you? On the server, you type:
slogin -R 3000:localhost:22 -p 2000 -l username localhost
Again, you will connect through the ssh tunnel to 77.33.44.66 on the
internet, but you've set some port forwarding up, which basically means
that when you connect to port 3000 on 77.33.44.66, it will be forwarded
through the tunnel to localhost port 22 on the server. In other words, after
issuing the command above, typing this on the public internet box:
slogin -p 3000 -l username localhost
will connect you to the server, bypassing the firewall totally, using your
desktop box essentially as a crude router.
Port forwarding *does* have its uses as it means you can do things that
would normally be insecure over a public network, but you should be aware
of the power of ssh. It isn't purely an encrypted version of rlogin, but
can do a lot more.
One thing to bear in mind: (cr)/(h)ackers can't use this method unless they
can get someone behind the firewall to establish the initial SSH tunnel
through the firewall...but it does mean that if you set port forwarding up
so ports on public machines are forwarded to private machines through
tunnels, you could have a problem.
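As an added example (mine, not from Chris's post): whether the -R trick above works at all is decided by two OpenSSH server options on the box that accepts the login, AllowTcpForwarding (yes/no/local/remote) and GatewayPorts (yes/no/clientspecified). The POSIX sh script below reads an sshd_config text, reports the value sshd would use for each, and grades the result. The three configs in it are constructed samples; the option names and their defaults are OpenSSH's, but the script only looks at the global section of the file, so per-user Match blocks are not taken into account.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the global section of an
# sshd_config for the options that govern ssh -R listeners.  The configs below
# are constructed samples, not taken from any real host.

# Stock-style settings on the public box: -R listeners are permitted, but
# bound to loopback, so only a shell on that box can reach port 2000.
SAMPLE_CONFIG='
# constructed sample
Port 22
PermitRootLogin no
AllowTcpForwarding yes
GatewayPorts no
'

# Same box with GatewayPorts switched on: a -R 2000 listener now answers to
# any host on the internet, not just to localhost on the public box.
EXPOSED_CONFIG='
Port 22
AllowTcpForwarding yes
GatewayPorts=yes
'

# Hardened: no -R listeners at all ("local" would also do, since -L does not
# open anything inward).
HARDENED_CONFIG='
Port 22
AllowTcpForwarding no
GatewayPorts no
'

# sshd_option CONFIG KEYWORD DEFAULT
# Prints the value sshd would use for KEYWORD in the global section: keywords
# are case-insensitive, "key value" and "key=value" are both accepted, and the
# first occurrence wins (sshd ignores later ones).  Scanning stops at the first
# Match block, whose settings apply only to matching users/hosts.  DEFAULT is
# printed when the keyword is absent.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                              # comments, blank lines
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }          # end of global section
        {
            line = $0
            gsub(/=/, " ", line)
            n = split(line, f)
            if (n >= 2 && tolower(f[1]) == tolower(key)) {
                print tolower(f[2]); found = 1; exit
            }
        }
        END { if (!found) print tolower(def) }'
}

# audit_forwarding CONFIG
# The exit status is the finding: 0 = -R disabled, 1 = -R allowed but
# loopback-only, 2 = -R allowed and reachable from other hosts.
audit_forwarding() {
    fwd=$(sshd_option "$1" AllowTcpForwarding yes)
    gw=$(sshd_option "$1" GatewayPorts no)
    case "$fwd" in
        no|local)
            echo "ok: remote forwarding disabled (AllowTcpForwarding $fwd)"
            return 0 ;;
    esac
    if [ "$gw" = "no" ]; then
        echo "warn: -R listeners allowed, loopback only (AllowTcpForwarding $fwd, GatewayPorts no)"
        return 1
    fi
    echo "risk: -R listeners allowed and reachable from any host (AllowTcpForwarding $fwd, GatewayPorts $gw)"
    return 2
}

# Report on all three samples; the non-zero returns are findings, not failures.
for cfg in "$SAMPLE_CONFIG" "$EXPOSED_CONFIG" "$HARDENED_CONFIG"; do
    audit_forwarding "$cfg" || :
done
```

On a live box, `sshd -T` prints the effective configuration (Match blocks already resolved, keywords in lower case), so feeding its output to `sshd_option` gives a more faithful answer than reading the file. The grading reflects the post's warning: with forwarding allowed the danger is small as long as the listener is loopback-only, because someone still has to log in to the public box to use it; with GatewayPorts on, a port on the public machine is forwarded straight to a private one for anybody who can reach it.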
Hope this helps some people understand ssh a bit better, plus it adds
another twist to security :)
Chris...
--
\ Chris Johnson \ "If not for me then, do it for yourself. If not
\ cej [at] nccnet.co.uk \ for then do it for the world." -- Stevie Nicks
\ www.nccnet.co.uk/~cej/ ~-----------------------------------------+
\ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
___________________________________________________________________
Sheffield Linux User's Group - http://www.sheflug.co.uk