I have 2 linux servers with an app that communicate over a simple telnet protocol (unencrypted).
I would like to force the app to run over some form of encrypted tunnel/etc. Is there a simple way to create a point-to-point encrypted tunnel, and force only my apps' traffic over that tunnel (? (eg: create a virtual NIC thats encrypted traffic) I don't want to route all network traffic over this tunnel.
Use SSH port tunneling. You only need to change the connection (IP and port) on your client end once you have the tunnel set up.
Say system 1 listens on a socket on port AAAA and system 2 connects to system 1. Use ssh tunneling from an arbitrary port (say PPPP) on system 2 to port AAAA on system 1. Now direct the 'app' on system 2 to connect to 127.0.0.1:PPPP and the connection will be tunneled to system 1.
If both system listen and accept connections then also setup a tunnel in the opposite direction.
For completeness setup a custom user on both systems for your ssh tunnel. Set the new users login shell on both systems to /sbin/nologin and do not put them in any groups beyond their own. Now use 'sudo - u ' to launch ssh on system 2. Also block traffic from external interfaces to port AAAA on system 1, assuming you no longer need it. Also set ServerAliveInterval and ClientAlivalInterval in your ssh and sshd configurations respectively.
The alternative to this configuration is to set up a VPN between the two boxes.
Related
Sorry, if it is a trivial question: I use the port forwarding the port 22 on remote computer is redirected to port 2222 on my local computer. The tunnel is created with the following azure command:
az network bastion tunnel
I can start the first session with ssh
ssh seva#localhost -p 2222
and it works fine However, when I'm starting from another terminal window another ssh session with the same command
ssh seva#localhost -p 2222
the connection hangs and goes through only when the first connection is terminated I'm aware, that I can run multiple sessions with azure native client:
az network bastion ssh
But I need multiple sessions through the same port 'classical way' because it is obviously the way, the Visual Studio Code uses when I trying to connect with it the remote computer. One session is obviously for the terminal window and another one for data transfer.
Many thanks in advance.
=Seva
You can work around this limitation by enabling SSH multiplexing. The first session will setup a control connection, and any subsequent session will simply re-use this. This removes the need for a second connection which, weirdly enough, az network bastion does not seem to support.
To do this for all of your connections, add the following to your SSH client config (ie. ~/.ssh/config):
Host *
# Connection Multiplexing
ControlMaster auto
ControlPersist 600
ControlPath ~/.ssh/ctrl/%C
This should be all you need. If you want/need even more information though check out https://en.wikibooks.org/wiki/OpenSSH/Cookbook/Multiplexing.
I am aware of how to access my router under normal circumstances (simply entering your public IP address), however I have forwarded a few ports to a web server that I have setup. Ports 22, 80, 8080 are all forwarded (for different reasons), and my public IP is set up through a DNS system.
Now when I attempt to access my router settings (through my public IP) it re-directs me to my website. I tried entering:
PU:BL:IC:IP:8080
and
PU:BL:IC:IP:80
with no success. I did attempt to disable my web server (which I still have access to) and that also failed. Is there anyway around this without having to go home and change setting manually. I have DMZ disabled if that's any help.
You have forwarded port 22, which is usually the SSH port. There are three ways to access your router from SSH:
Use SSH port forwarding to poke a hole through the router to access you're router's admin interface from the local computer. To do this in OpenSSH from the command line, you would use the option -L 12345:router-ip:80. In PuTTY, you would use the Connection/SSH/Tunnels category to add a local forwarded port with source 12345 and destination router-ip:80. Then you can access your admin interface from your local machine by browsing to http://localhost:12345. If your router uses a different port than 80, change that in the examples above. If you want to use a different local port than 12345, you may change that as well.
Use a text-mode browser, such as lynx or elinks, from the SSH connection. This is the simplest to set up, but using modern web apps in text-mode browsers can be difficult or impossible.
If you have an X server running at your current location, use SSH's X11 forwarding to run a graphical browser. Use the -X option for OpenSSH at the command line, or check the X11 forwarding box in Connection/SSH/X11 in PuTTY.
I want to access my work computer, which is behind a firewall, from my home computer.
As the work firewall blocks unexpected incoming connections, I would have to open a reverse SSH tunnel from my work computer to my home computer like so:
ssh -R 12345:localhost:22 homeuser#homeip
From my home computer, I could then use port 12345 to access the work computer:
ssh -p 12345 workuser#localhost
The problem is that this requires me to open holes in my home firewall and forward ports to my home computer.
This is my question:
Is there any method by which I could have both machines meet each other half way?
Assuming that I am at my home computer and a co-worker is at my work computer, and we both know each other's local IP (that the computer gets from the router) and internet IP (that the router gets from the ISP), is there some way each of us could initiate an outgoing connection to the other?
No. If you don't want to forward ports in routers, then you need some mutually accessible computer in between for both computers to connect to. (This could be a virtual machine such as those offered by Digital Ocean, or a web host that offers shell login, or you could dedicate something like a Raspberry Pi on your home network with SSH forwarded to it so it's always available.)
If you wanted to access port 22 on the remote computer:
ssh -R 12345:localhost:22 user#your.sshgateway.com
Then on the home computer:
ssh -L 2222:localhost:12345 user#your.sshgateway.com
Then you can connect to the remote computer with:
ssh -p 2222 workuser#localhost
Question: How can I allow inbound SSH traffic on a non-standard port when using Amazon Security Groups and also provisioning with Chef?
Amazon EC2: Allow inbound ssh traffic on port 999 instead of 22 by adding this rule to a Security Group.
Custom TCP Rule Port Range: 999
Chef: Create a new server with access to ssh on a non-standard port via:
knife ec2 server create .... -p 999 ....
Ubuntu: Allow ssh access on a non-standard port by editing /etc/ssh/sshd_config
Port 999
Easy enough? Why doesn't it work?
When using knife ec2 server create ... -p 999 ... the instance creates. However it hangs on "Waiting for sshd...". Eventually that errors out. The instance is not available using ssh -p 999 username#ip-address nor ssh -p 22 username#ip-address.
As some of the commenters have said, you are being locked out because the instance is listening on port 22, but your security groups are only allowing TCP connections on port 999.
There is no way to connect to the instance in this state.
There are three solutions to this problem that I can see.
Solution 1: Make a new AMI
Create a new AMI which has sshd configured to listen on 999.
Once you have done so, create your EC2 servers using your custom AMI and everything should work.
There are fancy-pants ways of doing this using cloudinit to let you customize the port later, but it hardly seems worth the effort.
Just hardcode "999" instead of "22" into /etc/ssh/sshd_config
The obvious downside is that for any new AMI that you want to use, you'll have to bake a new base AMI that uses the desired port instead of 22.
Furthermore, this diverges away from the Cheffy philosophy of layering configuration on a base image.
Solution 2: Icky Icky Security Groups
You can hack your way around this by modifying your security groups every time you bring up a new server.
Simply add an exception that allows your machine to SSH into the box for the duration of your bootstrapping process, then remove this from the security group(s) that you are using once you are done.
The downside here is that security groups in EC2 are not dynamic, so you either have to create a new security group for each machine (ick!), or let this open port 22 for your workstation on all of your servers during the bootstrapping window (also ick!).
Solution 3: Tunneling
The last option that I can think of is to allow connections on port 22 amongst your live servers.
You can then tunnel your connection through another server by connecting to it, opening an SSH tunnel (i.e. ssh -L ...), and doing the knife ec2 actions through the tunnel.
Alternatively, you can pass through one of the other servers manually on your way to the target, and not use knife to bootstrap the new node.
The downside here is that you need to trust your servers' security, since you'll have to do some agent forwarding or other shenanigans to successfully connect to the new node.
This is probably the solution that I would choose because it does not require new AMIs, doesn't open port 22 to the outside world, and requires a minimal amount of effort for a new team member to learn how to do.
I have the following network:
PC1 --|¯¯¯¯¯¯¯¯¯| |¯¯¯¯¯¯¯¯¯|-- board2
PC2 --| gateway |-- (eth0) [server] (eth1) --| gateway |
PC3 --|_________| |_________|-- board1
As you can see, the server (running Linux) has 2 interfaces so that the PCs and embedded boards are not on the same subnetwork.
I would like to develop a simple application (or use an existing one) that tunnels incomming Telnet connections from eth0 (using a specific port) to boards through eth1.
I don't have root privileges on the server, but I have a regular Unix account. I don't want the PCs to actually "log in" to the server; I just want them to pass through it to connect to the boards. The server has Python, PHP and Perl installed.
I want to support multiple connections. The port number could be used to forward the connection to the right board (say I have 10 boards, then the tunnel listens on ports 3000 to 3009).
I can imagine a simple Web application to do that, but I want a native Telnet connection that will support CTRL+C and all that stuff and allow you to use any terminal emulator on the PCs (i.e. PuTTY or another one), which run Windows.
Any help would be much appreciated.
It sounds like you're looking for a TCP proxy. A proxy accepts connections on one port, connects to another ip/port, and then passes traffic back and forth.
If you have xinetd on your system you already have what you need. The redirect directive for a service causes xinetd to open a connection to another host/port and act as a proxy. See this document for an example.
balance is another very simple proxy tool that will do what you need. This is probably easier to run as a non-root user, especially since it's configured entirely on the command line.
Since you're not root on your server you'll need to run these on ports > 1024, but otherwise you should be all set.