SSH Tunnels – System administrator’s friend or foe?
Let us assume that our system administrator Jack supports a server environment in which a small set of servers are located in a DMZ (demilitarized zone) network. To connect to any DMZ server, Jack has to SSH from his machine (Windows PC or Unix workstation) to another server that acts as the gateway between the internal network and the DMZ network, and then SSH again from there to the DMZ server he wants to reach.
To make his day-to-day administration of these DMZ servers easier, Jack wants to create an encrypted tunnel from his own host to the DMZ server. He wants to achieve this by using the secured internal server (server1) as the tunnel server between his PC/workstation and the DMZ server.
Jack’s Network Setup for SSH tunnel:
From the above setup, three different hosts are in use:
1. System administrator's Windows PC / Unix workstation (192.168.1.200), placed in the internal network.
2. Target DMZ server, referred to as server2 for the rest of this post (Unix with an SSH server running, 10.10.1.200), in the DMZ network.
3. Secured internal server, referred to as server1 for the rest of this post (Unix with an SSH server running, 192.168.1.10), used as the intermediary between the system administrator's PC and the target server.
What are the tools required to configure the ssh tunnel?
If Jack is using a Windows PC with the PuTTY client, he can use a customised saved session to connect to server1, so that the connection acts as an SSH tunnel between the Windows PC and the DMZ server (server2).
If Jack is using a Unix workstation with an ssh client, he can open an SSH session to the secured internal server with additional port-forwarding parameters, and that session then acts as the SSH tunnel between the Unix workstation and the DMZ server.
Note: Be aware of your organization's security policies before you set up any such tunnels. Establishing unapproved SSH tunnels to restricted servers may be treated as a violation of network policy and could lead to disciplinary action.
Task: Configuring the Server1 as Tunnel Server.
Jack can set up his secured internal server as the tunnel server by connecting to it with an SSH session configured to forward a local port to a remote port on the DMZ machine. Once the SSH session is established, the tunnel runs in the background between the host running the ssh client and the target DMZ server.
Jack can connect to the DMZ server directly from his PC/workstation as long as the SSH session to the internal server stays active. He can also configure multiple port forwards in a single SSH session so that he can reach several DMZ servers directly from his PC/workstation.
The sample diagram below shows an SSH tunnel set up by forwarding local port 2022 to remote port 22 (SSH) of the DMZ server. The secured internal server in the middle acts only as the tunnel server.
Procedure to configure Port forwarding with SSH session initiated from Unix workstation
Step A : Identify an unused local port
Ports below 1024 are privileged ports: they are reserved for well-known network services and, on Unix, only root can bind them. For SSH tunneling we can pick any port above 1024 that is not yet in use. On a Unix workstation, the following methods show whether a specific port is in use:
a. Check /etc/services to see whether the port is assigned to a known service (this only shows the conventional assignment, not whether anything is actually listening):
# grep -w 2022 /etc/services
b. netstat shows whether the port is already in use or in LISTEN state:
# netstat -anp | grep 2022
c. lsof maps open ports to the processes holding them:
# lsof -i :2022
Step B : Initiate the SSH session with port-forwarding options
The command below opens an SSH session to the internal server with a local port forward:
Syntax : # ssh -L <local-port>:<target-DMZ-server>:<remote-port> <internal-server>
Example : # ssh -L 2022:server2:22 server1 (it will ask for the password for server1)
Once the SSH connection is established we have a tunnel ready between our workstation and the target DMZ server: anything sent to port 2022 on the workstation's loopback interface is carried inside the SSH session to server1, which connects from its side to port 22 on server2 (so the target name must be resolvable from server1, not from the workstation). We can then open SSH/SCP/SFTP sessions to the target DMZ server by connecting to localhost port 2022, without opening an extra interactive session on the internal server (server1).
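The following script is an added example, not part of the original post, that wraps Step A and Step B for the Unix workstation case: it checks that each local port is free with whichever of ss, netstat or lsof the workstation has, then opens the tunnel to server1 with one -L forward per DMZ host, and finally logs in through it. The names server1, server2 and server3 and the local ports 2022 and 2023 are assumed for illustration; the OpenSSH client options used (-L, -N, -f, ExitOnForwardFailure, HostKeyAlias) are real options of the ssh client.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: server1 is the
# internal jump host, server2/server3 are DMZ hosts, local ports 2022/2023 are free.
# Requires the OpenSSH client on a Unix workstation.

# port_in_use PORT -> exit status 0 if something already listens on PORT locally.
# Tries ss, then netstat, then lsof, whichever the workstation provides.
port_in_use() {
    port="$1"
    if command -v ss >/dev/null 2>&1; then
        ss -Hltn "sport = :${port}" 2>/dev/null | grep -q .
    elif command -v netstat >/dev/null 2>&1; then
        netstat -an 2>/dev/null | grep LISTEN | grep -q "[.:]${port} "
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"${port}" -sTCP:LISTEN >/dev/null 2>&1
    else
        return 1   # no tool found: assume free; ExitOnForwardFailure catches a clash
    fi
}

# forward_args SPEC... -> "-L 127.0.0.1:LPORT:HOST:PORT ..." for each LPORT:HOST:PORT.
# Binding to 127.0.0.1 explicitly keeps the forwarded port off the LAN. Using
# 0.0.0.0 or -g here would let anyone on the internal subnet reach the DMZ host.
forward_args() {
    out=""
    for spec in "$@"; do
        out="${out} -L 127.0.0.1:${spec}"
    done
    printf '%s' "${out# }"
}

# tunnel_cmd JUMPHOST SPEC... -> the full ssh command line, for review before running.
# -N: no remote shell, just the forwards; -f: background after authentication;
# ExitOnForwardFailure=yes: exit instead of staying up silently when a bind fails.
tunnel_cmd() {
    jump="$1"; shift
    printf 'ssh -fN -o ExitOnForwardFailure=yes %s %s' "$(forward_args "$@")" "$jump"
}

# open_tunnel JUMPHOST SPEC...: Step A check for every local port, then Step B.
open_tunnel() {
    jump="$1"; shift
    for spec in "$@"; do
        lport="${spec%%:*}"
        if port_in_use "$lport"; then
            echo "local port ${lport} is already in use, pick another" >&2
            return 1
        fi
    done
    args=$(forward_args "$@")
    # unquoted $args is intended: it is a list of "-L spec" words
    ssh -fN -o ExitOnForwardFailure=yes $args "$jump"
}

# dmz_ssh LPORT HOSTNAME: log in to the DMZ host through the tunnel.
# HostKeyAlias records and verifies the DMZ host's key under its real name
# rather than "localhost", so different tunnels reusing the same local port
# do not trigger spurious mismatch warnings, and a genuinely changed key is
# still flagged.
dmz_ssh() {
    lport="$1"; host="$2"
    ssh -p "$lport" -o HostKeyAlias="$host" localhost
}

# Usage on a real workstation (commented out so the file can be sourced safely):
# open_tunnel server1 2022:server2:22 2023:server3:22
# dmz_ssh 2022 server2
# scp -P 2023 -o HostKeyAlias=server3 backup.tgz localhost:/var/tmp/
```

Two caveats worth keeping in mind when using this. First, the only thing that makes the tunnel a "friend" rather than a "foe" is the loopback bind: a forward bound to 0.0.0.0 (or opened with -g) turns the workstation into an unauthenticated door into the DMZ for everyone on the internal network. Second, only the hop from the workstation to server1 is protected by this SSH session; when the forwarded service is itself SSH (port 22) the second hop is encrypted too, but if you forward a database or web port instead, the leg from server1 to the DMZ host carries that protocol exactly as it would without the tunnel.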
Procedure to configure port forwarding using a PuTTY client SSH session
Step A: Connect to the internal secured server using a PuTTY session configured with port forwarding, by following these steps:
1: Enter the internal secured server's IP address/hostname
2: Name the session so that you can reuse it later without repeating the whole configuration every time.
3: Expand Connection > SSH in the category tree
4: Open the "Tunnels" page
5: Enter the local port we want to use for forwarding in the "Source port" field
6: Enter the target DMZ server and port in the "Destination" field as host:port (for SSH the port is 22 by default)
7: Click the "Add" button
8: Once added, the forward appears in the "Forwarded ports" list. You can create multiple forwards to reach multiple DMZ servers from the same session by repeating steps 5, 6 and 7 with a different source port for each.
9: Save the session again under the name given in step 2.
Step B: Once the connection from step A is established, we can reach the remote servers directly from the local host by connecting to the source ports configured in PuTTY (for example, localhost port 2022).
The PuTTY configuration diagram below illustrates the above setup.
Back to the original question: what is your view?
Is ssh tunneling a system administrator’s friend or foe?
What is your organizational policy concerning port tunneling?
For what purpose do you use tunnels in your organization?