SlideShare ist ein Scribd-Unternehmen logo

SSH Tunneling Recipes

OSOCO
OSOCO
Technologie
1 von 56
Downloaden Sie, um offline zu lesen
SSH Tunneling Recipes Developer Toolbox Series Rafael Luque, OSOCO
Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
Protocol tunneling One network protocol —the delivery protocol— encapsulates a different payload protocol. — Wikipedia
SSH tunneling A secure shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection. — Wikipedia
Common uses To securely connect to a remote host and have your network traffic encrypted
Common uses To securely connect to a remote host and have your network traffic encrypted • You are on a public, non secure, non trusted or unencrypted network. • You use an insecure protocol like POP3, IMAP, SMTP, FTP, telnet, etc.
Common uses To bypass local network restrictions and monitoring services
Common uses Internet censorship circumvention
Map of cyber-censorship
Common uses Open backdoors to allow outbound connections to hosts behind a firewall
Common uses X11 forwarding
Common uses Access services bound to the loopback interface
Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
Local port forwarding Local port forwarding (aka outgoing tunneling) forwards traffic coming to a local port to a specified remote port
Local port forwarding Recipe #1: Access a remote service behind a firewall ssh -fN -L <localport>:localhost:<remoteport> user@external The service is available on the loopback interface only.
Local port forwarding Recipe #1: Access a remote service behind a firewall ssh -fN -L <localport>:localhost:<remoteport> user@external The service is available on the loopback interface only.
Local port forwarding Recipe #1: Access a remote service behind a firewall ssh -fN -L <localport>:localhost:<remoteport> user@external The service is available on the loopback interface only.
Local port forwarding Recipe #2: Access a remote service from any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:localhost:<remoteport> user@external or ssh -fN -g -L <localport>:localhost:<remoteport> user@external
Local port forwarding Recipe #2: Access a remote service from any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:localhost:<remoteport> user@external or ssh -fN -g -L <localport>:localhost:<remoteport> user@external
Local port forwarding Recipe #3: Access a remote service visible from the ssh server ssh -fN -L <localport>:external2:<remoteport> user@external The service is available on the loopback interface only.
Local port forwarding Recipe #3: Access a remote service visible from the ssh server ssh -fN -L <localport>:external2:<remoteport> user@external The service is available on the loopback interface only.
Local port forwarding Recipe #3: Access a remote service visible from the ssh server ssh -fN -L <localport>:external2:<remoteport> user@external The service is available on the loopback interface only.
Local port forwarding Recipe #4: Access a remote service visible from the ssh server for any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:external2:<remoteport> user@external or ssh -fN -g -L <localport>:external2:<remoteport> user@external
Local port forwarding Recipe #4: Access a remote service visible from the ssh server for any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:external2:<remoteport> user@external or ssh -fN -g -L <localport>:external2:<remoteport> user@external
Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
Remote port forwarding Remote port forwarding (aka incoming tunneling) forwards traffic coming to a remote port to a specified local port
Remote port forwarding Recipe #5: Access a service behind a firewall from the ssh server ssh -fN -R <remoteport>:localhost:<localport> user@external The service is available on the loopback interface only.
Remote port forwarding Recipe #5: Access a service behind a firewall from the ssh server ssh -fN -R <remoteport>:localhost:<localport> user@external The service is available on the loopback interface only.
Remote port forwarding Recipe #5: Access a service behind a firewall from the ssh server ssh -fN -R <remoteport>:localhost:<localport> user@external The service is available on the loopback interface only.
Remote port forwarding Recipe #6: Access a service behind a firewall from any external host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:localhost:<localport> user@external Edit /etc/ssh/sshd_config at ssh server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
Remote port forwarding Recipe #6: Access a service behind a firewall from any external host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:localhost:<localport> user@external Edit /etc/ssh/sshd_config at ssh server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
Remote port forwarding Recipe #7: Access a service in a host accesible by the ssh client from the ssh server ssh -fN -R <remoteport>:internal2:<localport> user@external The service is available on the loopback interface only.
Remote port forwarding Recipe #7: Access a service in a host accesible by the ssh client from the ssh server ssh -fN -R <remoteport>:internal2:<localport> user@external The service is available on the loopback interface only.
Remote port forwarding Recipe #7: Access a service in a host accesible by the ssh client from the ssh server ssh -fN -R <remoteport>:internal2:<localport> user@external The service is available on the loopback interface only.
Remote port forwarding Recipe #8: Access a service in a host accesible by the ssh client from any host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:internal2:<localport> user@external Edit /etc/ssh/sshd_config at server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
Remote port forwarding Recipe #8: Access a service in a host accesible by the ssh client from any host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:internal2:<localport> user@external Edit /etc/ssh/sshd_config at server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
SOCKS SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server — Wikipedia
SSH dynamic port forwarding • SSH dynamic port forwarding allows the user to create a local SOCKS proxy. • Free the user from the limitations of connecting only to a predefined remote port and server. • Circumvention tool allowing to bypass Internet filtering to access content otherwise blocked by governments, workplaces and schools.
Dynamic port forwarding with SOCKS Recipe #9: Setup a SOCKS proxy ssh -fN -D <proxyport> user@sshserver To allow any internal host to use the proxy: ssh -fN -D 0.0.0.0:<proxyport> user@sshserver
Dynamic port forwarding with SOCKS Recipe #9: Setup a SOCKS proxy ssh -fN -D <proxyport> user@sshserver To allow any internal host to use the proxy: ssh -fN -D 0.0.0.0:<proxyport> user@sshserver
Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
X forwarding • Using X, you can run remote X applications that open their windows on your local display. • The X protocol is insecure and wide open to snoopers. • SSH X forwarding makes the communication secure by tunneling the X protocol: ssh -X user@server xclock
Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
autossh autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. autossh -M <port>[:echo_port] [-f] [SSH OPTIONS]
sslh sslh makes it possible to connect to an SSH server or an OpenVPN on port 443 while still serving HTTPS on that port.
Port knocking port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). — Wikipedia
Port knocking (A) client cannot connect to application listening on port n (B) client cannot establish connection to any port
Port knocking (1,2,3,4) client connects to a well-defined set of ports in a sequence that contains an encrypted message by sending SYN packets; client has a priori knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response
Port knocking (A) server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; server carries out specific task based on content of port knock, such as opening port n to client
Port knocking (A) client connects to port n and authenticates using applications regular mechanism
knockd knockd is a port-knock server. It listens to all traffic on an ethernet interface, looking for special "knock" sequences of port-hits.
References • SSH: The Secure Shell: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/index.htm • autossh: http://www.harding.motd.ca/autossh/ • sslh: http://www.rutschle.net/tech/sslh.shtml • Port knocking: http://www.portknocking.org/ • knockd: http://www.zeroflux.org/projects/knock
Picture credits • Cover photo by twicepix: http://www.flickr.com/photos/twicepix/2825051329/ • The map of the cyber-censorship by Reporters Without Borders: http://march12.rsf.org/en/
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
SSH Tunneling Recipes Developer Toolbox Series OSOCO Rafael Luque

Empfohlen

Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 
Ssh tunnel
Ssh tunnelSsh tunnel
Ssh tunnelAmandeep Singh
 
FLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configFLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configdmp1304
 
Ssh
SshSsh
Sshgh02
 
OpenSSH tricks
OpenSSH tricksOpenSSH tricks
OpenSSH tricksAssem CHELLI
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSHnussbauml
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellPeter R. Egli
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesRafael Luque Leiva
 

Empfohlen

Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 
Ssh tunnel
Ssh tunnelSsh tunnel
Ssh tunnelAmandeep Singh
 
FLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configFLOSS UK DEVOPS Spring 2015 Enhancing ssh config
FLOSS UK DEVOPS Spring 2015 Enhancing ssh configdmp1304
 
Ssh
SshSsh
Sshgh02
 
OpenSSH tricks
OpenSSH tricksOpenSSH tricks
OpenSSH tricksAssem CHELLI
 
An introduction to SSH
An introduction to SSHAn introduction to SSH
An introduction to SSHnussbauml
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure ShellPeter R. Egli
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesRafael Luque Leiva
 
Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with MonitOSOCO
 
SSH
SSHSSH
SSHZach Dennis
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH ConfigurationVinod Gour
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocolBaspally Sai Anirudh
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Ssh
SshSsh
SshRaghu nath
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)Pina Parmar
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with RaccoonGloria Stoilova
 
Secure shell
Secure shellSecure shell
Secure shellArjun Aj
 
TELNET and SSH by MUSTAFA SAKHAI
TELNET and SSH by MUSTAFA SAKHAITELNET and SSH by MUSTAFA SAKHAI
TELNET and SSH by MUSTAFA SAKHAIMUSTAFA SAKHAI
 
Meeting 5.2 : ssh
Meeting 5.2 : sshMeeting 5.2 : ssh
Meeting 5.2 : sshSyaiful Ahdan
 
Secure SHell
Secure SHellSecure SHell
Secure SHellÇağrı Çakır
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGPSarang Ananda Rao
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanningleminhvuong
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSHJP Bourget
 
Ssh And Rlogin
Ssh And RloginSsh And Rlogin
Ssh And RloginSourav Roy
 
Share File easily between computers using sftp
Share File easily between computers using sftpShare File easily between computers using sftp
Share File easily between computers using sftpTushar B Kute
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!Giovanni Bechis
 
Understanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesUnderstanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesOSOCO
 
AWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosAWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosOSOCO
 

Weitere ähnliche Inhalte

Was ist angesagt?

Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with MonitOSOCO
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH ConfigurationVinod Gour
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell pptsravya raju
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)Pina Parmar
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with RaccoonGloria Stoilova
 
Secure shell
Secure shellSecure shell
Secure shellArjun Aj
 
TELNET and SSH by MUSTAFA SAKHAI
TELNET and SSH by MUSTAFA SAKHAITELNET and SSH by MUSTAFA SAKHAI
TELNET and SSH by MUSTAFA SAKHAIMUSTAFA SAKHAI
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeGiovanni Bechis
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanningleminhvuong
 
Ssh And Rlogin
Ssh And RloginSsh And Rlogin
Ssh And RloginSourav Roy
 
Share File easily between computers using sftp
Share File easily between computers using sftpShare File easily between computers using sftp
Share File easily between computers using sftpTushar B Kute
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!Giovanni Bechis
 

Was ist angesagt? (20)

Proactive monitoring with Monit
Proactive monitoring with MonitProactive monitoring with Monit
Proactive monitoring with Monit
 
SSH
SSHSSH
SSH
 
Telnet & SSH Configuration
Telnet & SSH ConfigurationTelnet & SSH Configuration
Telnet & SSH Configuration
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
 
Ssh
SshSsh
Ssh
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
 
Securing the tunnel with Raccoon
Securing the tunnel with RaccoonSecuring the tunnel with Raccoon
Securing the tunnel with Raccoon
 
Secure shell
Secure shellSecure shell
Secure shell
 
TELNET and SSH by MUSTAFA SAKHAI
TELNET and SSH by MUSTAFA SAKHAITELNET and SSH by MUSTAFA SAKHAI
TELNET and SSH by MUSTAFA SAKHAI
 
Meeting 5.2 : ssh
Meeting 5.2 : sshMeeting 5.2 : ssh
Meeting 5.2 : ssh
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
 
Introduction to SSH & PGP
Introduction to SSH & PGPIntroduction to SSH & PGP
Introduction to SSH & PGP
 
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform EnviornmentNagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
Nagios Conference 2013 - Leland Lammert - Nagios in a Multi-Platform Enviornment
 
OpenSSH: keep your secrets safe
OpenSSH: keep your secrets safeOpenSSH: keep your secrets safe
OpenSSH: keep your secrets safe
 
Module 3 Scanning
Module 3 ScanningModule 3 Scanning
Module 3 Scanning
 
Intro to SSH
Intro to SSHIntro to SSH
Intro to SSH
 
Ssh And Rlogin
Ssh And RloginSsh And Rlogin
Ssh And Rlogin
 
Share File easily between computers using sftp
Share File easily between computers using sftpShare File easily between computers using sftp
Share File easily between computers using sftp
 
OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!OpenSMTPD: we deliver !!
OpenSMTPD: we deliver !!
 

Andere mochten auch

Understanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesUnderstanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesOSOCO
 
AWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosAWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosOSOCO
 
Spring Annotations: Proxy
Spring Annotations: ProxySpring Annotations: Proxy
Spring Annotations: ProxyOSOCO
 
Study of tunnel engineering
Study of tunnel engineeringStudy of tunnel engineering
Study of tunnel engineeringAdil Shaikh
 
The tunnel powerpoint
The tunnel powerpointThe tunnel powerpoint
The tunnel powerpointishict
 
SLAs the heart of Outsourcing
SLAs the heart of OutsourcingSLAs the heart of Outsourcing
SLAs the heart of OutsourcingDr Bharat Vagadia
 
Challenges during Design and Construction of an Underground Chip Factory (Waf...
Challenges during Design and Construction of an Underground Chip Factory (Waf...Challenges during Design and Construction of an Underground Chip Factory (Waf...
Challenges during Design and Construction of an Underground Chip Factory (Waf...Helmut Wannenmacher
 
Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...
Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...
Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...IEI GSC
 
The Use of GIS and GPS in Pipeline Permitting and Regulatory Compliance
The Use of GIS and GPS in Pipeline Permitting and Regulatory ComplianceThe Use of GIS and GPS in Pipeline Permitting and Regulatory Compliance
The Use of GIS and GPS in Pipeline Permitting and Regulatory Compliancewlgardnerjr
 
MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)
MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)
MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)Alex Rupérez
 
NSCoder Keynote - Multipeer Connectivity Framework
NSCoder Keynote - Multipeer Connectivity FrameworkNSCoder Keynote - Multipeer Connectivity Framework
NSCoder Keynote - Multipeer Connectivity FrameworkAlex Rupérez
 
Gigigo Keynote - Geofences & iBeacons
Gigigo Keynote - Geofences & iBeaconsGigigo Keynote - Geofences & iBeacons
Gigigo Keynote - Geofences & iBeaconsAlex Rupérez
 
Gigigo Workshop - Create an iOS Framework, document it and not die trying
Gigigo Workshop - Create an iOS Framework, document it and not die tryingGigigo Workshop - Create an iOS Framework, document it and not die trying
Gigigo Workshop - Create an iOS Framework, document it and not die tryingAlex Rupérez
 
Gigigo Workshop - iOS Extensions
Gigigo Workshop - iOS ExtensionsGigigo Workshop - iOS Extensions
Gigigo Workshop - iOS ExtensionsAlex Rupérez
 
Tunneling Construction - NATM
Tunneling Construction - NATMTunneling Construction - NATM
Tunneling Construction - NATMluisaam
 

Andere mochten auch (20)

Understanding Java Dynamic Proxies
Understanding Java Dynamic ProxiesUnderstanding Java Dynamic Proxies
Understanding Java Dynamic Proxies
 
AWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 MinutosAWS CloudFormation en 5 Minutos
AWS CloudFormation en 5 Minutos
 
Polyglot Grails
Polyglot GrailsPolyglot Grails
Polyglot Grails
 
Spring Annotations: Proxy
Spring Annotations: ProxySpring Annotations: Proxy
Spring Annotations: Proxy
 
Polyglot JVM
Polyglot JVMPolyglot JVM
Polyglot JVM
 
Study of tunnel engineering
Study of tunnel engineeringStudy of tunnel engineering
Study of tunnel engineering
 
The tunnel powerpoint
The tunnel powerpointThe tunnel powerpoint
The tunnel powerpoint
 
Tunnelling
TunnellingTunnelling
Tunnelling
 
SLAs the heart of Outsourcing
SLAs the heart of OutsourcingSLAs the heart of Outsourcing
SLAs the heart of Outsourcing
 
Challenges during Design and Construction of an Underground Chip Factory (Waf...
Challenges during Design and Construction of an Underground Chip Factory (Waf...Challenges during Design and Construction of an Underground Chip Factory (Waf...
Challenges during Design and Construction of an Underground Chip Factory (Waf...
 
Golfgis English
Golfgis EnglishGolfgis English
Golfgis English
 
Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...
Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...
Integrated Geophysical Approach for Rapid & Cost Effective Site Investigation...
 
The Use of GIS and GPS in Pipeline Permitting and Regulatory Compliance
The Use of GIS and GPS in Pipeline Permitting and Regulatory ComplianceThe Use of GIS and GPS in Pipeline Permitting and Regulatory Compliance
The Use of GIS and GPS in Pipeline Permitting and Regulatory Compliance
 
MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)
MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)
MADBike – Destapando la seguridad de BiciMAD (T3chFest 2017)
 
NSCoder Keynote - Multipeer Connectivity Framework
NSCoder Keynote - Multipeer Connectivity FrameworkNSCoder Keynote - Multipeer Connectivity Framework
NSCoder Keynote - Multipeer Connectivity Framework
 
Gigigo Keynote - Geofences & iBeacons
Gigigo Keynote - Geofences & iBeaconsGigigo Keynote - Geofences & iBeacons
Gigigo Keynote - Geofences & iBeacons
 
Gigigo Workshop - Create an iOS Framework, document it and not die trying
Gigigo Workshop - Create an iOS Framework, document it and not die tryingGigigo Workshop - Create an iOS Framework, document it and not die trying
Gigigo Workshop - Create an iOS Framework, document it and not die trying
 
Gigigo Workshop - iOS Extensions
Gigigo Workshop - iOS ExtensionsGigigo Workshop - iOS Extensions
Gigigo Workshop - iOS Extensions
 
tunneling & its effects
tunneling & its effectstunneling & its effects
tunneling & its effects
 
Tunneling Construction - NATM
Tunneling Construction - NATMTunneling Construction - NATM
Tunneling Construction - NATM
 

Ähnlich wie SSH Tunneling Recipes

Up and Running SSH Service - Part 2
Up and Running SSH Service - Part 2Up and Running SSH Service - Part 2
Up and Running SSH Service - Part 2GLC Networks
 
Using Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowUsing Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowNovell
 
SSH Tunneling
SSH TunnelingSSH Tunneling
SSH TunnelingThanh Tai
 
SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]Vincent Batts
 
Building Security Acсess to Remote Devices
Building Security Acсess to Remote DevicesBuilding Security Acсess to Remote Devices
Building Security Acсess to Remote DevicesGlobalLogic Ukraine
 
Unit 13 network client
Unit 13 network clientUnit 13 network client
Unit 13 network clientroot_fibo
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminskyDan Kaminsky
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
FreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverFreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverTomaz Muraus
 
OpenShift v3 Internal networking details
OpenShift v3 Internal networking detailsOpenShift v3 Internal networking details
OpenShift v3 Internal networking detailsEtsuji Nakai
 
HAProxy scale out using open source
HAProxy scale out using open sourceHAProxy scale out using open source
HAProxy scale out using open sourceIngo Walz
 
How to install Setup & Configure SSH Jump Server on a Linux box
How to install Setup & Configure SSH Jump Server on a Linux boxHow to install Setup & Configure SSH Jump Server on a Linux box
How to install Setup & Configure SSH Jump Server on a Linux boxEzee Login
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0maaz khan
 

Ähnlich wie SSH Tunneling Recipes (20)

Up and Running SSH Service - Part 2
Up and Running SSH Service - Part 2Up and Running SSH Service - Part 2
Up and Running SSH Service - Part 2
 
Advanced open ssh
Advanced open sshAdvanced open ssh
Advanced open ssh
 
Using Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should KnowUsing Secure Shell on Linux: What Everyone Should Know
Using Secure Shell on Linux: What Everyone Should Know
 
SSH Tunneling
SSH TunnelingSSH Tunneling
SSH Tunneling
 
SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]SSH Tunnel-Fu [NoVaH 2011]
SSH Tunnel-Fu [NoVaH 2011]
 
tutorial-ssh.pdf
tutorial-ssh.pdftutorial-ssh.pdf
tutorial-ssh.pdf
 
Building Security Acсess to Remote Devices
Building Security Acсess to Remote DevicesBuilding Security Acсess to Remote Devices
Building Security Acсess to Remote Devices
 
Unit 13 network client
Unit 13 network clientUnit 13 network client
Unit 13 network client
 
Bh usa-01-kaminsky
Bh usa-01-kaminskyBh usa-01-kaminsky
Bh usa-01-kaminsky
 
Remote1
Remote1Remote1
Remote1
 
Ssh cookbook v2
Ssh cookbook v2Ssh cookbook v2
Ssh cookbook v2
 
Ssh cookbook
Ssh cookbookSsh cookbook
Ssh cookbook
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0
 
FreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 serverFreeBSD, ipfw and OpenVPN 2.1 server
FreeBSD, ipfw and OpenVPN 2.1 server
 
Windowshadoop
WindowshadoopWindowshadoop
Windowshadoop
 
OpenShift v3 Internal networking details
OpenShift v3 Internal networking detailsOpenShift v3 Internal networking details
OpenShift v3 Internal networking details
 
HAProxy scale out using open source
HAProxy scale out using open sourceHAProxy scale out using open source
HAProxy scale out using open source
 
Port forwarding
Port forwardingPort forwarding
Port forwarding
 
How to install Setup & Configure SSH Jump Server on a Linux box
How to install Setup & Configure SSH Jump Server on a Linux boxHow to install Setup & Configure SSH Jump Server on a Linux box
How to install Setup & Configure SSH Jump Server on a Linux box
 
Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0Introducing bastion hosts for oracle cloud infrastructure v1.0
Introducing bastion hosts for oracle cloud infrastructure v1.0
 

Kürzlich hochgeladen

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

SSH Tunneling Recipes

  • 1. SSH Tunneling Recipes Developer Toolbox Series Rafael Luque, OSOCO
  • 2. Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
  • 3. Protocol tunneling One network protocol —the delivery protocol— encapsulates a different payload protocol. — Wikipedia
  • 4. SSH tunneling A secure shell (SSH) tunnel consists of an encrypted tunnel created through a SSH protocol connection. — Wikipedia
  • 5. Common uses To securely connect to a remote host and have your network traffic encrypted
  • 6. Common uses To securely connect to a remote host and have your network traffic encrypted • You are on a public, non secure, non trusted or unencrypted network. • You use an insecure protocol like POP3, IMAP, SMTP, FTP, telnet, etc.
  • 7. Common uses To bypass local network restrictions and monitoring services
  • 8. Common uses Internet censorship circumvention
  • 10. Common uses Open backdoors to allow outbound connections to hosts behind a firewall
  • 11. Common uses X11 forwarding
  • 12. Common uses Access services bound to the loopback interface
  • 13. Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
  • 14. Local port forwarding Local port forwarding (aka outgoing tunneling) forwards traffic coming to a local port to a specified remote port
  • 15. Local port forwarding Recipe #1: Access a remote service behind a firewall ssh -fN -L <localport>:localhost:<remoteport> user@external The service is available on the loopback interface only.
  • 16. Local port forwarding Recipe #1: Access a remote service behind a firewall ssh -fN -L <localport>:localhost:<remoteport> user@external The service is available on the loopback interface only.
  • 17. Local port forwarding Recipe #1: Access a remote service behind a firewall ssh -fN -L <localport>:localhost:<remoteport> user@external The service is available on the loopback interface only.
  • 18. Local port forwarding Recipe #2: Access a remote service from any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:localhost:<remoteport> user@external or ssh -fN -g -L <localport>:localhost:<remoteport> user@external
  • 19. Local port forwarding Recipe #2: Access a remote service from any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:localhost:<remoteport> user@external or ssh -fN -g -L <localport>:localhost:<remoteport> user@external
  • 20. Local port forwarding Recipe #3: Access a remote service visible from the ssh server ssh -fN -L <localport>:external2:<remoteport> user@external The service is available on the loopback interface only.
  • 21. Local port forwarding Recipe #3: Access a remote service visible from the ssh server ssh -fN -L <localport>:external2:<remoteport> user@external The service is available on the loopback interface only.
  • 22. Local port forwarding Recipe #3: Access a remote service visible from the ssh server ssh -fN -L <localport>:external2:<remoteport> user@external The service is available on the loopback interface only.
  • 23. Local port forwarding Recipe #4: Access a remote service visible from the ssh server for any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:external2:<remoteport> user@external or ssh -fN -g -L <localport>:external2:<remoteport> user@external
  • 24. Local port forwarding Recipe #4: Access a remote service visible from the ssh server for any host behind the firewall ssh -fN -L 0.0.0.0:<localport>:external2:<remoteport> user@external or ssh -fN -g -L <localport>:external2:<remoteport> user@external
  • 25. Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
  • 26. Remote port forwarding Remote port forwarding (aka incoming tunneling) forwards traffic coming to a remote port to a specified local port
  • 27. Remote port forwarding Recipe #5: Access a service behind a firewall from the ssh server ssh -fN -R <remoteport>:localhost:<localport> user@external The service is available on the loopback interface only.
  • 28. Remote port forwarding Recipe #5: Access a service behind a firewall from the ssh server ssh -fN -R <remoteport>:localhost:<localport> user@external The service is available on the loopback interface only.
  • 29. Remote port forwarding Recipe #5: Access a service behind a firewall from the ssh server ssh -fN -R <remoteport>:localhost:<localport> user@external The service is available on the loopback interface only.
  • 30. Remote port forwarding Recipe #6: Access a service behind a firewall from any external host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:localhost:<localport> user@external Edit /etc/ssh/sshd_config at ssh server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
  • 31. Remote port forwarding Recipe #6: Access a service behind a firewall from any external host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:localhost:<localport> user@external Edit /etc/ssh/sshd_config at ssh server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
  • 32. Remote port forwarding Recipe #7: Access a service in a host accesible by the ssh client from the ssh server ssh -fN -R <remoteport>:internal2:<localport> user@external The service is available on the loopback interface only.
  • 33. Remote port forwarding Recipe #7: Access a service in a host accesible by the ssh client from the ssh server ssh -fN -R <remoteport>:internal2:<localport> user@external The service is available on the loopback interface only.
  • 34. Remote port forwarding Recipe #7: Access a service in a host accesible by the ssh client from the ssh server ssh -fN -R <remoteport>:internal2:<localport> user@external The service is available on the loopback interface only.
  • 35. Remote port forwarding Recipe #8: Access a service in a host accesible by the ssh client from any host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:internal2:<localport> user@external Edit /etc/ssh/sshd_config at server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
  • 36. Remote port forwarding Recipe #8: Access a service in a host accesible by the ssh client from any host with access to the ssh server ssh -fN -R 0.0.0.0:<remoteport>:internal2:<localport> user@external Edit /etc/ssh/sshd_config at server to allow the client to select the address to which the forwarding is bound: GatewayPorts clientspecified
  • 37. Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
  • 38. SOCKS SOCKS is an Internet protocol that routes network packets between a client and server through a proxy server — Wikipedia
  • 39. SSH dynamic port forwarding • SSH dynamic port forwarding allows the user to create a local SOCKS proxy. • Free the user from the limitations of connecting only to a predefined remote port and server. • Circumvention tool allowing to bypass Internet filtering to access content otherwise blocked by governments, workplaces and schools.
  • 40. Dynamic port forwarding with SOCKS Recipe #9: Setup a SOCKS proxy ssh -fN -D <proxyport> user@sshserver To allow any internal host to use the proxy: ssh -fN -D 0.0.0.0:<proxyport> user@sshserver
  • 41. Dynamic port forwarding with SOCKS Recipe #9: Setup a SOCKS proxy ssh -fN -D <proxyport> user@sshserver To allow any internal host to use the proxy: ssh -fN -D 0.0.0.0:<proxyport> user@sshserver
  • 42. Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
  • 43. X forwarding • Using X, you can run remote X applications that open their windows on your local display. • The X protocol is insecure and wide open to snoopers. • SSH X forwarding makes the communication secure by tunneling the X protocol: ssh -X user@server xclock
  • 44. Contents 1 SSH tunneling & common uses 2 Local port forwarding 3 Remote port forwarding 4 Dynamic port forwarding 5 X forwarding 6 Some useful tools
  • 45. autossh autossh is a program to start a copy of ssh and monitor it, restarting it as necessary should it die or stop passing traffic. autossh -M <port>[:echo_port] [-f] [SSH OPTIONS]
  • 46. sslh sslh makes it possible to connect to an SSH server or an OpenVPN on port 443 while still serving HTTPS on that port.
  • 47. Port knocking port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). — Wikipedia
  • 48. Port knocking (A) client cannot connect to application listening on port n (B) client cannot establish connection to any port
  • 49. Port knocking (1,2,3,4) client connects to a well-defined set of ports in a sequence that contains an encrypted message by sending SYN packets; client has a priori knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response
  • 50. Port knocking (A) server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; server carries out specific task based on content of port knock, such as opening port n to client
  • 51. Port knocking (A) client connects to port n and authenticates using applications regular mechanism
  • 52. knockd knockd is a port-knock server. It listens to all traffic on an ethernet interface, looking for special "knock" sequences of port-hits.
  • 53. References • SSH: The Secure Shell: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/index.htm • autossh: http://www.harding.motd.ca/autossh/ • sslh: http://www.rutschle.net/tech/sslh.shtml • Port knocking: http://www.portknocking.org/ • knockd: http://www.zeroflux.org/projects/knock
  • 54. Picture credits • Cover photo by twicepix: http://www.flickr.com/photos/twicepix/2825051329/ • The map of the cyber-censorship by Reporters Without Borders: http://march12.rsf.org/en/
  • 55. This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
  • 56. SSH Tunneling Recipes Developer Toolbox Series OSOCO Rafael Luque