[olug] restricting ports on SSH forwarding

Trent Melcher trentm at trackd.run
Fri May 29 15:17:36 CDT 2020


It is, just don't use sequential ports. I did that when I first started
testing it and a port scan like Nmap will trip it, since it typically scans
ports in sequence.



On Fri, May 29, 2020, 1:10 PM Reiners Cloud Consulting LLC <justin at reiners.io> wrote:

> Port knocking is neat; I use it at home for a couple of things.
>
> On Fri, May 29, 2020, 12:39 PM Trent Melcher <trentm at trackd.run> wrote:
>
> > You want to make it even more secure, look up ssh port knocking. :)
> >
> > On Fri, May 29, 2020, 4:43 AM Lou Duchez <lou at paprikash.com> wrote:
> >
> > > Update, it turns out it was pretty easy to do, once I'd opted for
> > > OpenSSH instead of freeSSHd.  I found the sshd_config file and added
> > > these parameters to the main body of options:
> > >
> > > PermitTTY no
> > > PermitOpen 127.0.0.1:3389
> > > #Subsystem    sftp    sftp-server.exe
> > >
> > > That last one was commenting out the line that by default allowed SFTP
> > > access.  My goal here is to allow tunneling just to port 3389 (i.e.,
> > > RDP) and not even allow any shell access, and those three lines do the
> > > trick.  Now if a person wants to hack the system, they need to figure
> > > out which port I've moved SSH to, guess the non-root login and password
> > > I've set up, THEN figure out which port I've moved RDP to and guess the
> > > appropriate login and password for that. Yeah, I'm going to call that
> > > pretty secure.
> > >
> > >
> > >
> > > On 5/28/2020 10:52 PM, Lou Duchez wrote:
> > > > I am on Team Linux as much as possible myself, but we do have a few
> > > > servers that do Windows.  Some run ASP.Net applications (and as good
> > > > as Mono is, it's still less stable than genuine .Net).  And we have,
> > > > on the cloud, some virtual PCs that we use for development or running
> > > > other Windows utilities; accessing them securely is a big deal.
> > > >
> > > >
> > > >
> > > > On 5/28/2020 10:16 PM, Reiners Cloud Consulting LLC wrote:
> > > >> Absolutely, I'd recommend replacing with openSSHd myself, but I'm team
> > > >> Linux for everything whenever possible. Should work fine, and follow all
> > > >> standards as closely as possible.
> > > >>
> > > >> I've never installed it on Windows before myself, but I can't see why it
> > > >> wouldn't work.
> > > >>
> > > >>
> > > >>
> > > >> On Thu, May 28, 2020, 8:39 PM Lou Duchez <lou at paprikash.com> wrote:
> > > >>
> > > >>> Thanks for the pointer; alas it's specific to OpenSSH.  Perhaps I need
> > > >>> to install Win32-OpenSSH, which will hopefully include the
> > > >>> authorized_keys functionality.
> > > >>>
> > > >>> I went with freeSSHd because it installed easily and smoothly, and
> > > >>> seemed to work well for the most part.  That's when it dawned on me that
> > > >>> port forwarding comes with a BIG security risk ...
> > > >>>
> > > >>>
> > > >>> On 5/28/2020 8:22 PM, Reiners Cloud Consulting LLC wrote:
> > > >>>> I realize it's Windows-based SSH but maybe it has some similar flags to
> > > >>>> get you pointed in the right direction.
> > > >>>>
> > > >>>> On Thu, May 28, 2020, 7:19 PM Justin Reiners <justin at hotlinesinc.com> wrote:
> > > >>>>> Here's a good write-up on restricting access, hope it helps
> > > >>>>>
> > > >>>>> https://blog.tinned-software.net/restrict-ssh-access-to-port-forwarding-to-one-specific-port/
> > > >>>>>
> > > >>>>> On Thu, May 28, 2020, 6:41 PM Lou Duchez <lou at paprikash.com> wrote:
> > > >>>>>
> > > >>>>>> So SSH forwarding is a dandy way to get data to travel back and forth
> > > >>>>>> over a secure encrypted connection.  The only problem I'm aware of is,
> > > >>>>>> if I open up SSH port forwarding on my server to allow access to port
> > > >>>>>> 11111, there's nothing stopping a user from using the same SSH
> > > >>>>>> connection to get at port 22222.
> > > >>>>>>
> > > >>>>>> ... or is there?  Any thoughts on how to limit the port forwarding on an
> > > >>>>>> SSH connection?  In particular I'm using freeSSHd on a Windows server,
> > > >>>>>> so if anyone knows anything about that, that would help.
> > > >>>>>> _______________________________________________
> > > >>>>>> OLUG mailing list
> > > >>>>>> OLUG at olug.org
> > > >>>>>> https://www.olug.org/mailman/listinfo/olug
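The three sshd_config lines quoted in the thread, extended into a per-account Match block. This is an added example, not anything from the thread or the linked write-up; it assumes a dedicated account named rdptunnel and that RDP still listens on 127.0.0.1:3389 (if RDP was moved to another port, PermitOpen has to name that port instead).

```sshd_config
# Added example (not the thread's own file): tunnel-only account for RDP.
# Assumptions: account "rdptunnel", RDP on 127.0.0.1:3389, and the global
# "Subsystem sftp" line already commented out as in the thread.
# Win32-OpenSSH reads %ProgramData%\ssh\sshd_config and honours Match blocks.

Match User rdptunnel
    # PermitTTY only denies a pseudo-terminal; "ssh host <command>" would
    # still execute a command. ForceCommand overrides whatever shell or
    # command the client asks for, so the only useful session is "ssh -N"
    # (no command requested, forwards only).
    PermitTTY no
    # /bin/false is an assumed path; use an equivalent no-op on Windows.
    ForceCommand /bin/false

    # Only client-to-server (-L) forwards, and only to the RDP listener.
    # "local" refuses -R reverse forwards; PermitOpen pins the destination.
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3389

    # Nothing else rides the tunnel.
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

# Client side (ports are placeholders): expose RDP on a local port, then
# point the RDP client at localhost:13389.
#   ssh -N -p <moved-ssh-port> -L 13389:127.0.0.1:3389 rdptunnel@server
#
# Before reloading sshd, confirm what the account actually gets (Linux):
#   sshd -T -C user=rdptunnel | grep -iE 'permitopen|permittty|allowtcpforwarding|forcecommand'
```

Any -L to a destination other than 127.0.0.1:3389 is refused by the server with "administratively prohibited", which is the behaviour the original poster asked for.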

