[Sheflug] Firewall security and SSH

["Chris J/#6" <xxxxx [at] xxxxxxxxxxxx>]

Okay, this strictly speaking isn't linux orientated, but with all the talk 
of firewalls and security, I thought I'd share this with you after playing 
lots with ssh.

Firewalls are good. SSH is also good. However, did you know you can use SSH 
to open a hole through a firewall? Read on...

I'll assume you know what a firewall is, and also what ssh is and can do. 
So I'll skip that and head straight into the detail.

ssh has the ability to do port forwarding, both local to remote and remote 
to local, which allows a user to set up a secure tunnel for various 
protocols, eg, pop3, ftp, telnet etc... a firewall can be breached with 
both forms, but the one I'm going to concentrate on is remote port 
forwarding.

The tunneling works by telling the ssh daemon on the remote host to listen 
on a particular port and any incoming connection to that port is sent by 
the ssh daemon up to the ssh client over the encrypted channel you've 
opened.

So, for example, say you had a setup like this:

  Private                            Remote internet

 192.168.100.43   ---/firewall/---     77.33.44.66

where hosts on the private side, behind the firewall, can connect (at 
least) to port 22 on remote servers on the public internet.

It would be possible to issue the following command on the private box:

	slogin -R 2000:localhost:22 -l username 77.33.44.66

which would connect you, with ssh, to the box on the public internet. It 
would also set up a tunnel where by port 2000 on the remote internet box, 
77.33.44.66 will be forwarded to localhost port 22 on the private side, or 
in other words, after typing the command above and logging in, issuing:

	slogin -p 2000 -l username localhost

on the remote box would connect you through the ssh tunnel, from 
77.33.44.66 to the private box 192.168.100.43. Assuming a reasonably well 
setup firewall, it would normally be very very improbable[1] to connect the 
remote box to the private box...in other words this would fail:

	slogin -l username 192.168.100.43

because first off its a private IP so won't be routed, and secondly there's 
a firewall in the way blocking incoming TCP connections. SSH tunneling 
works because you've already established a connection to the outside world 
by logging into the remote box, and any ssh traffic, including all tunneled 
traffic, will go up this connection.

SSH tunneling can be taken a few steps further.

Consider a machine on the private side that is blocked from accessing the 
internet, such as a server. You're desktop machine can access the internet 
however. In this scenario, it is possible for the firewall to be breached 
so that the server can access the internet and the internet can access 
(selected) ports on the server.

How? Two tunnels.

The first tunnel would be between your desktop box and the server, but you 
make full use of port forwarding:

	slogin -R 2000:77.33.44.66:22 -l username server.com

Now ... connecting to port 2000 on server.com with ssh will end up with 
your desktop box opening a connection through the firewall to 77.33.44.66, 
port 22. So now with this:
	slogin -l <username> -p 2000 localhost

you can login to a box on the internet from a server *that is normally 
blocked*. It works because the tunnel is between the desktop and server, 
and its the desktop that makes the connection through the firewall, passing 
data between server and remote host.

You can see what's coming next can't you? On the server, you type:

	slogin -R 3000:localhost:22 -p 2000 -l username localhost

Again, you will connect through the ssh tunnel to 77.33.44.66 on the 
internet, but you've set some port forwarding up, which basically means 
that when you connect to port 3000 on 77.33.44.66, it will be forwarded 
through the tunnel to localhost port 22...or in other words, after issuing 
the command above, typing this on the public internet box:

	slogin -p 3000 -l username localhost

will connect you the server, bypassing the firewall totally, using your 
desktop box essentially as a crude router.

Port forwarding *does* have its uses as it means you can do things that 
would normally be insecure over a public network, but you should be aware 
of the power of ssh. It isn't purely an encrypted version of rlogin, but 
can do a lot more.

One thing to bear in mind: (cr)/(h)ackers can't use this method unless they 
can get someone behind the firewall to establish the inital SSH tunnel 
through the firewall...but it does mean that if you set port forwarding up 
so ports on public machines are forwarded to private machines through 
tunnels, you could have a problem.

Hope this helps some people understand ssh a bit better, plus it adds 
another twist to security :)

Chris...


-- 
\ Chris Johnson           \  "If not for me then, do it for yourself. If not
 \ cej [at] nccnet.co.uk        \  for then do it for the world." -- Stevie Nicks
  \ www.nccnet.co.uk/~cej/  ~-----------------------------------------+
   \ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____


___________________________________________________________________

Sheffield Linux User's Group - http://www.sheflug.co.uk . 
To unsubscribe from this list send mail to 
shef-lug-request@list.sheflug.org.uk with the word
"unsubscribe" in the body of the message. 

  GNU the choice of a complete generation.