SSH Tunnels – System administrator’s friend or foe?

Let us assume that our system administrator Jack supports a server environment in which a small set of servers is located in a DMZ (demilitarized zone) network. To connect to any DMZ server, Jack has to SSH from his machine (Windows PC or Unix workstation) to another server that acts as a gateway between the internal network and the DMZ network, and then SSH again to the DMZ server he wants to reach.

To make his day-to-day administration of these DMZ servers easier, Jack wants to create an encrypted tunnel from his own host to the DMZ server. He wants to achieve this by using the secured internal server (server1) as the tunnel server between his PC/workstation and the DMZ server.

Jack’s network setup for the SSH tunnel (diagram not available in this text):

From the above setup, we notice three different servers in use:

1. System Admin Windows PC / Unix Workstation (192.168.1.200), placed in the internal network.

2. Target DMZ Server, referred to as server2 for this entire post (Unix with SSH server running, 10.10.1.200), in the DMZ network.

3. Secured Internal Server, referred to as server1 for this entire post (Unix with SSH server running, 192.168.1.10), used as the mediator between the System Admin PC and the target server.

What are the tools required to configure the SSH tunnel?

If Jack is using a Windows PC with the PuTTY client, he can use a customized saved session to connect to server1 so that the connection acts as an SSH tunnel between the Windows PC and the DMZ server (server2).

If Jack is using a Unix workstation with an ssh client, he can set up an SSH session to the secured internal server with additional port forwarding parameters, and the session then acts as an SSH tunnel between the Unix workstation and the DMZ server.

Note: Be aware of your organization's security policies before you set up any such tunnels. Establishing unapproved SSH tunnels to restricted servers may be treated as a violation of network policy and could lead to disciplinary action.


Task: Configuring server1 as the tunnel server.

Jack can set up the secured internal server as the tunnel server by connecting to it with an SSH session configured to forward a local port to a remote port on the DMZ machine. Once the SSH session is established, a tunnel is active in the background between the host running the ssh client and the target DMZ server.


Jack can then connect to the DMZ server directly from his PC/workstation as long as the SSH session to the internal server stays open. He can also configure multiple port forwards in a single SSH session, so that he can reach several DMZ servers directly from his PC/workstation.


The sample diagram below shows an SSH tunnel set up by forwarding local port 2022 to remote port 22 (ssh) on the DMZ server. The secured internal server in the middle acts only as the tunnel server.

Procedure to configure port forwarding with an SSH session initiated from a Unix workstation

Step A: Identify an unused local port

Ports 1 to 1024 are called privileged ports and are reserved for well-known network services. For SSH tunneling we can pick any port above 1024 that is not yet in use. On a Unix workstation, the following methods show whether a specific port is already in use:

a. Check /etc/services to see whether the port is assigned to a service:

  # grep -w 2022 /etc/services

b. netstat tells whether the port is already in use or in the LISTEN state (on Linux, the -p option needs root to show the owning process):

  # netstat -anp | grep 2022

c. lsof maps open ports to processes:

  # lsof -i | grep 2022

Step B: Initiate the SSH session with port forwarding options

The command below initiates an SSH session with port forwarding:

Syntax:   # ssh -L <local-port>:<target-DMZ-server>:<remote-port> <internal-server>

Example:  # ssh -L 2022:server2:22 server1   (it will ask for the password for server1)

Once the SSH connection is established, we have a tunnel between our workstation and the target DMZ server, and we can open SSH/SCP/SFTP sessions to the target DMZ server directly, without a separate session to the internal server (server1).
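As an added example (not code from the original post), the following POSIX shell helpers automate Steps A and B above: they reject a local port that is privileged, registered in /etc/services or already listening, and then build the ssh -L command. The hostnames server1/server2 and port 2022 are the post's; the function names, the explicit 127.0.0.1 bind and the -N flag are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: helpers for Step A (port check)
# and Step B (ssh -L command). Function names are assumptions of this example.

# Step A.a: is PORT registered in /etc/services? Matches the whole "PORT/tcp"
# field, so 2022 does not match entries such as 12022.
port_in_services() {
    [ -r /etc/services ] || return 1
    grep -Eq "^[^#[:space:]]+[[:space:]]+$1/(tcp|udp)" /etc/services
}

# Step A.b/c: is something already listening on local PORT? Uses ss, netstat
# or lsof, whichever the workstation has; returns 1 if none is available.
port_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk '{print $4}' | grep -Eq "[:.]$1\$"
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ant 2>/dev/null | awk '/LISTEN/ {print $4}' | grep -Eq "[:.]$1\$"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
    else
        return 1
    fi
}

# Step A: accept only an unprivileged (1025-65535), unregistered, unused port.
# Prints the reason and returns 1 when the port should not be used.
check_local_port() {
    case "$1" in ''|*[!0-9]*) echo "not a port number: $1"; return 1 ;; esac
    if [ "$1" -le 1024 ] || [ "$1" -gt 65535 ]; then
        echo "outside 1025-65535: $1"; return 1
    fi
    port_in_services "$1" && { echo "registered in /etc/services: $1"; return 1; }
    port_listening "$1" && { echo "already listening: $1"; return 1; }
    return 0
}

# Step B: build the ssh command. 127.0.0.1 binds the forwarded port to
# loopback only (the post's form relies on the ssh default for this), and
# -N opens no shell on server1, since only the forwarding is needed.
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s\n' "$1" "$2" "$3" "$4"
}

# Usage: check the post's port 2022, then hold the tunnel open in this
# terminal; in a second terminal, connect with: ssh -p 2022 127.0.0.1
# check_local_port 2022 && $(tunnel_cmd 2022 server2 22 server1)
```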

Procedure to configure port forwarding using the PuTTY client SSH session

Step A: Connect to the internal secured server using a PuTTY session configured with port forwarding, by following these steps:

1: Enter the internal secured server's IP address/hostname.

2: Name the session so that you can reuse it later without repeating the entire configuration every time.

3: Expand the SSH menu.

4: Open the “Tunnels” tab.

5: Add the local port that we want to use for port forwarding.

6: Provide the target DMZ server and port information (for SSH the port is 22 by default).

7: Click the “Add” button.

8: Once added, the forwarding appears in the forwarded ports section. You can create multiple port forwards to reach multiple DMZ servers from the same session by repeating steps 5, 6 and 7.

9: Save the session again under the name given in step 2.


Step B: Once the connection from step A is established, we can reach the remote server directly from the local host by connecting to the local ports configured in the PuTTY session.


PuTTY configuration diagram for the above setup (image not available in this text).

Back to the original question, what is your comment?


Is ssh tunneling a system administrator’s friend or foe?

What is your organizational policy concerning port tunneling?

For what purpose do you use tunnels in your organization?


Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later I realized that my learnings might be helpful for other Unix admins if I managed my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

12 Responses

  1. Lubomir Jacisko says:

    Great Article.

  2. Viktor says:

    What is the use of forwarding TCP port 22, if he could jump off server1 to server2? Better to show it with e.g. TCP 80 where an Apache is running on server2. That would make more sense. Otherwise, thanks for the article; it can come in handy if somebody doesn’t know about tunnelling.

    V.

    • Ramdev Ramdev says:

      You are right Viktor, using a different target port (other than 22) would have made this example more appropriate. Thanks for dropping the comment.

  3. teja ambathi says:

    Hi,
    I’m Teja Ambathi. I want to join gurkulindia.com. I have subscribed for mail alerts and so on; however, I’m unable to read the data. I’m getting a new window to subscribe every time I try to read any data. Please let me know the way to access it.

    • Ramdev Ramdev says:

      Hi Teja, you can browse the various sections from the top menu (i.e. beginners, intermediate, advanced). The images at the top are actually links to the subscription page.

  4. Jeff says:

    SSH tunnels are a sysadmin’s friend but a network admin’s nightmare :)

  5. Ramdev Ramdev says:

    I agree :)

  6. dsanger says:

    Yes, yes, a fine example of something that’s technically possible but socially may lead to problems. In the US anyway, unauthorized tunnelling can get you fired! Check first with your security group or the AUP for your organization.

  7. Ramdev Ramdev says:

    Hi dsanger, yeah, this is only to be used wherever it is legally allowed :)

  8. Erlis says:

    Nice article. :)

