SSH Tunneling: Difference between revisions
| Line 1: | Line 1: | ||
== Background == | == Background == | ||
SSH port forwarding is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network. | <u>SSH port forwarding</u> (often referred to as <u>SSH tunneling</u>) is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network. | ||
Using OpenSSH in [[Linux]] we can '''enable local, remote, or dynamic SSH port forwarding between client and server.''' | |||
* Local Port Forwarding with OpenSSH | |||
<code>ssh -L local_port:destination_server_ip:remote_port ssh_server_hostname</code> | |||
* Remote Port Forwarding with OpenSSH | |||
<code>ssh -R remote_port:localhost:local_port ssh_server_hostname</code> | |||
* Dynamic Port Forwarding with OpenSSH | |||
<code>ssh –D local_port ssh_server_hostname</code> | |||
== Enable or disable SSH port forwarding == | == Enable or disable SSH port forwarding == | ||
| Line 11: | Line 26: | ||
SSH port forwarding is a powerful feature, and it needs to be carefully administered since leaving port forwarding enabled can expose the organization to security risks and back-doors. | |||
'''<u> | '''<u>Disabling SSH AllowTcpForwarding is recommended to prevent potential issues</u>''' | ||
SSH tunnels are widely used in many enterprise environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native [[support]] for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.<ref>https://www.tenable.com/audits/items/CIS_Distribution_Independent_Linux_Workstation_L2_v2.0.0.audit:442b5a19a23bed7f8ac3fff5a9c41c01</ref> | SSH tunnels are widely used in many enterprise environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native [[support]] for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.<ref>https://www.tenable.com/audits/items/CIS_Distribution_Independent_Linux_Workstation_L2_v2.0.0.audit:442b5a19a23bed7f8ac3fff5a9c41c01</ref> | ||
Revision as of 09:16, 4 May 2023
Background
SSH port forwarding (often referred to as SSH tunneling) is a mechanism in SSH for tunneling application ports from the client to the server, or servers to clients. It can be used for adding encryption to legacy applications, going through firewalls, and some system administrators and IT professionals use it for opening backdoors into the internal network.
Using OpenSSH in Linux we can enable local, remote, or dynamic SSH port forwarding between client and server.
- Local Port Forwarding with OpenSSH
ssh -L local_port:destination_server_ip:remote_port ssh_server_hostname
- Remote Port Forwarding with OpenSSH
ssh -R remote_port:localhost:local_port ssh_server_hostname
- Dynamic Port Forwarding with OpenSSH
ssh –D local_port ssh_server_hostname
Enable or disable SSH port forwarding
/etc/ssh/sshd_config has parameter
AllowTcpForwarding no|yes
SSH port forwarding is a powerful feature, and it needs to be carefully administered since leaving port forwarding enabled can expose the organization to security risks and back-doors.
Disabling SSH AllowTcpForwarding is recommended to prevent potential issues
SSH tunnels are widely used in many enterprise environments that employ mainframe systems as their application backends. In those environments the applications themselves may have very limited native support for security. By utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS, and other standards can be achieved without having to modify the applications.[1]