[olug] restricting ports on SSH forwarding

Reiners Cloud Consulting LLC justin at reiners.io
Fri May 29 13:10:26 CDT 2020


Port knocking is neat; I use it at home for a couple of things.

On Fri, May 29, 2020, 12:39 PM Trent Melcher <trentm at trackd.run> wrote:

> You want to make it even more secure, look up ssh port knocking. :)
>
> On Fri, May 29, 2020, 4:43 AM Lou Duchez <lou at paprikash.com> wrote:
>
> > Update, it turns out it was pretty easy to do, once I'd opted for
> > OpenSSH instead of freeSSHd.  I found the sshd_config file and added
> > these parameters to the main body of options:
> >
> > PermitTTY no
> > PermitOpen 127.0.0.1:3389
> > #Subsystem    sftp    sftp-server.exe
> >
> > That last one was commenting out the line that by default allowed SFTP
> > access.  My goal here is to allow tunneling just to port 3389 (i.e.,
> > RDP) and not even allow any shell access, and those three lines do the
> > trick.  Now if a person wants to hack the system, they need to figure
> > out which port I've moved SSH to, guess the non-root login and password
> > I've set up, THEN figure out which port I've moved RDP to and guess the
> > appropriate login and password for that. Yeah, I'm going to call that
> > pretty secure.
> >
> >
> >
> > On 5/28/2020 10:52 PM, Lou Duchez wrote:
> > > I am on Team Linux as much as possible myself, but we do have a few
> > > servers that do Windows.  Some run ASP.Net applications (and as good
> > > as Mono is, it's still less stable than genuine .Net).  And we have,
> > > on the cloud, some virtual PCs that we use for development or running
> > > other Windows utilities; accessing them securely is a big deal.
> > >
> > >
> > >
> > > On 5/28/2020 10:16 PM, Reiners Cloud Consulting LLC wrote:
> > >> Absolutely, I'd recommend replacing with openSSHd myself, but I'm team
> > >> Linux for everything whenever possible. Should work fine, and follow all
> > >> standards as closely as possible.
> > >>
> > >> I've never installed it on Windows before myself, but I can't see why it
> > >> wouldn't work.
> > >>
> > >>
> > >>
> > >> On Thu, May 28, 2020, 8:39 PM Lou Duchez <lou at paprikash.com> wrote:
> > >>
> > >>> Thanks for the pointer; alas it's specific to OpenSSH.  Perhaps I need
> > >>> to install Win32-OpenSSH, which will hopefully include the
> > >>> authorized_keys functionality.
> > >>>
> > >>> I went with freeSSHd because it installed easily and smoothly, and
> > >>> seemed to work well for the most part.  That's when it dawned on me that
> > >>> port forwarding comes with a BIG security risk ...
> > >>>
> > >>>
> > >>> On 5/28/2020 8:22 PM, Reiners Cloud Consulting LLC wrote:
> > >>>> I realize it's Windows-based SSH, but maybe it has some similar flags
> > >>>> to get you pointed in the right direction.
> > >>>>
> > >>>> On Thu, May 28, 2020, 7:19 PM Justin Reiners <justin at hotlinesinc.com>
> > >>>> wrote:
> > >>>>> Here's a good write-up on restricting access, hope it helps
> > >>>>>
> > >>>>> https://blog.tinned-software.net/restrict-ssh-access-to-port-forwarding-to-one-specific-port/
> > >>>>>
> > >>>>> On Thu, May 28, 2020, 6:41 PM Lou Duchez <lou at paprikash.com> wrote:
> > >>>>>
> > >>>>>> So SSH forwarding is a dandy way to get data to travel back and forth
> > >>>>>> over a secure encrypted connection.  The only problem I'm aware of is,
> > >>>>>> if I open up SSH port forwarding on my server to allow access to port
> > >>>>>> 11111, there's nothing stopping a user from using the same SSH
> > >>>>>> connection to get at port 22222.
> > >>>>>>
> > >>>>>> ... or is there?  Any thoughts on how to limit the port forwarding on
> > >>>>>> an SSH connection?  In particular I'm using freeSSHd on a Windows
> > >>>>>> server, so if anyone knows anything about that, that would help.
> > >>>>>> _______________________________________________
> > >>>>>> OLUG mailing list
> > >>>>>> OLUG at olug.org
> > >>>>>> https://www.olug.org/mailman/listinfo/olug
> > >>>>>>
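The PermitOpen matching that makes Lou's three-line sshd_config change work, modelled as an added example (not code from the thread or from OpenSSH): it applies the host:port, wildcard, any and none forms from sshd_config(5) to a client's -L or -D request and shows that the host part is compared literally, so a client asking for localhost:3389 is refused while 127.0.0.1:3389 is allowed. The function names and the sample requests are constructed for illustration.

```python
"""Constructed model (not OpenSSH's code) of how sshd checks a PermitOpen
list against a forwarding request, i.e. the destination host:port a client
asks for with -L or -D.  Rules from sshd_config(5): whitespace-separated
host:port entries, '*' as wildcard host or port, 'any' = no restriction,
'none' = refuse all; the host is compared as a literal string."""
from typing import List, Tuple

ANY_PORT = -1  # sentinel for a '*' port in an entry


def parse_permit_open(value: str) -> List[Tuple[str, int]]:
    """Turn a PermitOpen value into (host, port) entries; [] means nothing is allowed."""
    tokens = value.split()
    if not tokens or tokens == ["none"]:
        return []
    if tokens == ["any"]:
        return [("*", ANY_PORT)]
    entries = []
    for tok in tokens:
        if tok.startswith("["):                      # IPv6 form: [addr]:port
            host, _, port = tok[1:].partition("]:")
        else:                                        # host:port or IPv4:port
            host, _, port = tok.rpartition(":")
        if not host or not port:
            raise ValueError(f"bad PermitOpen entry: {tok!r}")
        entries.append((host, ANY_PORT if port == "*" else int(port)))
    return entries


def forward_allowed(permit_open: str, host: str, port: int) -> bool:
    """True if a forward to host:port would be accepted under this PermitOpen value."""
    for allowed_host, allowed_port in parse_permit_open(permit_open):
        if allowed_port not in (ANY_PORT, port):
            continue
        if allowed_host not in ("*", host):          # literal match, no DNS lookup
            continue
        return True
    return False


# The setting from the thread: forwarding only to RDP on the loopback address.
THREAD_CONFIG = "127.0.0.1:3389"

if __name__ == "__main__":
    # Constructed sample requests; note 'localhost' is not 127.0.0.1 to sshd.
    for h, p in [("127.0.0.1", 3389), ("127.0.0.1", 22222), ("localhost", 3389)]:
        verdict = "allowed" if forward_allowed(THREAD_CONFIG, h, p) else "denied"
        print(f"{h}:{p} -> {verdict}")
```

PermitOpen only governs forwards the server opens outbound on the client's behalf (-L and -D); remote forwards (-R) are governed by AllowTcpForwarding and PermitListen, so a setup that wants nothing but the RDP tunnel should also set AllowTcpForwarding local.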

