SSH Tunneling: Difference between revisions

Background

SSH port forwarding (often referred to as SSH tunneling) is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network.^[1]

including default SSH port (22), binding listening ports under 1024, by default, requires root privileges.

Using OpenSSH in Linux we can enable local, remote, or dynamic SSH port forwarding between client and server. more detailed guide can be found at phoenixnap and audviklabs.

#Local Port Forwarding with OpenSSH, 
#Expose a local service to the intranet via internal SSHD
ssh -L ACL_IP:local_port:destination_server_ip:destination_server_port user@ssh_server

#without ACL_IP(0.0.0.0) only locahost host 127.0.0.1 can be accessable. you can check netstat command
example : ssh -L 0.0.0.0:4321:10.211.55.21:22 user@10.211.55.21 -N 
Redirect all trafic on 4321 port to 10.211.55.21 port 22 for SSH connection, -N means do not execute this command on the shell

#Remote Port Forwarding with OpenSSH
#Expose a local service to the outside world via public accessable gateway.
ssh -R remote_port:localhost:local_port ssh_gateway_server

#Dynamic Port Forwarding with OpenSSH
ssh –D local_port ssh_server_hostname

Multiple Tunnels and Multiple Host Hopping
ssh -X -L 5432:<DB server IP>:5432 -R 873:<local RSYNC server>:873

• SSH tunnels to reach farther SSH servers

ssh -L 8022:<server2>:22 user@server1
ssh -L 8023:<server3>:22 -p 8022 user@server2
ssh -p 8023 user@server2

OpenSSH SSHD Options

/etc/ssh/sshd_config has many optional parameters for SSH tunneling^[2]

• AllowStreamLocalForwarding: Allows Unix domain sockets to be forwarded. The default, when omitted, is yes
• AllowTcpForwarding: Allows TCP port forwarding. The default, when omitted, is to allow. It enables single TCP port forwards and socks proxying
• DisableForwarding: Disables all kinds of forwarding. Override, if enabled, all other related configurations options
• GatewayPorts: Allows other hosts to use the ports forwarded to a client (reverse tunnels). By default, only the hosts running the SSH server can use reverse tunnels. Disabled by default
• PermitListen: Specifies the addresses and ports that can be bound to allow port-forwarding to clients. It provides more fine control if we enable GatewayPorts. The default is localhost (‘127.0.0.1’ and ‘::1’)
• PermitOpen: Specifies the address and ports a TCP forwarding may point to. By default, any destination is enabled
• PermitTunnel: Specifies whether tun device forwarding is allowed. Default is no
• X11Forwarding: Specifies whether X11 forwarding is allowed. Default is no
• X11UseLocalhost: Forces the X11 forwarding to be only allowed from the SSH server host loopback address. If disabled, other hosts on the SSH server network might use it. Default is true
  

SSH port forwarding is a powerful feature, so that it needs to be carefully administered since leaving port forwarding enabled can expose the organization to security risks and back-doors.

Disabling SSH AllowTcpForwarding is recommended to prevent potential issues

SSH tunnels are widely used in many enterprise environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.^[3]

Other configurations on the server

Other configurations on the host might affect the ssh‘s ability to forward and proxy. AppArmor and SELinux might inhibit some of these options^[4]. Also, some host firewall like Ubuntu ufw and iptables.

of course, the in-between firewalls must allow the SSH traffic port TCP/22(default).

Reference