Thursday, May 5, 2011

SSH and GatewayPorts configuration

I love SSH, like a lot, but I was having a problem with it lately. Specifically, the problem was with the security of remote forwarded ports (-R). I was told that by default SSH only allows remote ports to be bound to the local interface, for security reasons. I understand that completely. The problem is that I wanted to be able to use my VPS's SSH connections like a bouncer. I wanted to be able to type:

ssh -p2222

and have the connection go through vpsserver into the server behind it, in effect making vpsserver a type of central hub for reverse ssh connections. You can think of it almost like a ghetto botnet.

I found out that all I had to do was change GatewayPorts to "yes" in /etc/ssh/sshd_config, and it would work if I issued the following command on the BACK server:

ssh -R 2222:localhost:22

All was well with the world for a while. Then my paranoia started sinking in. I didn't want someone to portscan my VPS and see that I have 20 different ports open from reverse ssh connections. What was I to do? Well, it turns out that GatewayPorts has 3 different settings: yes, no, and clientspecified.

no (default) = force remote port forwardings to only be accessible to localhost
yes = force remote port forwardings onto the public interface (technically no, but in essence that's what it does)
clientspecified = the client decides which to choose

So I changed GatewayPorts to clientspecified and experimented. If you type the remote forward command from earlier:
ssh -R 2222:localhost:22
you get a port bound to vpsserver's localhost address. That forces you to first log into the VPS and then log into port 2222 on localhost.

BUT, if you want the port to be bound publicly on vpsserver, it only takes 1 more character. Pay close attention:
ssh -R :2222:localhost:22
Notice the ":" in front of the 2222? That essentially tells ssh to bind it to the public interface*.

Now I have two very similar commands to do two importantly different things. I am a happy camper.

*technically it tells SSH to bind it to all interfaces, which consequently includes the external facing one :)
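As an added example (not part of the original post, and not OpenSSH's own code), here is a small POSIX shell script that ties the three GatewayPorts settings to the two -R spellings above, plus the check the "paranoia" paragraph calls for: it models which address sshd binds a remote forward to, and it scans `ss -ltnp`-style output for sshd listeners that sit on a non-loopback address, which is exactly what a port scan of the VPS would find. The function names, the constructed `ss` sample and the simplified model (it ignores PermitListen-style restrictions) are all my assumptions, written from the semantics the post and sshd_config(5) describe.

```shell
#!/bin/sh
# Added example, not from the original post. Two defender-side helpers:
#  1. effective_bind_addr: a simplified model of which address sshd binds
#     a remote forward (-R) to under each GatewayPorts value.
#  2. exposed_sshd_ports: scans `ss -ltnp`-style output (a constructed
#     sample below) for sshd listeners that are NOT on a loopback address.

# effective_bind_addr GATEWAYPORTS SPEC
#   SPEC is the -R argument: [bind_address:]port:host:hostport
#   Prints the address sshd will bind the listening port to.
effective_bind_addr() {
    gp=$1
    spec=$2
    case "$spec" in
        *:*:*:*) client_addr=${spec%%:*} ;;  # bind address given (may be empty, as in ":2222:localhost:22")
        *)       client_addr="UNSET" ;;      # plain port:host:hostport, no bind address requested
    esac
    case "$gp" in
        no)  echo "127.0.0.1" ;;  # server ignores the client's request: loopback only
        yes) echo "0.0.0.0" ;;    # server forces the wildcard address (all interfaces)
        clientspecified)
            case "$client_addr" in
                UNSET|localhost|127.0.0.1) echo "127.0.0.1" ;;   # default stays loopback
                ""|"*")                    echo "0.0.0.0" ;;     # ":2222:..." or "*:2222:..." -> all interfaces
                *)                         echo "$client_addr" ;; # a specific address is honoured
            esac ;;
        *) echo "unknown GatewayPorts value: $gp" >&2; return 1 ;;
    esac
}

# exposed_sshd_ports SS_OUTPUT
#   Reads `ss -ltnp` style lines and prints the port of every sshd-owned
#   listener whose local address is not loopback, one per line.
exposed_sshd_ports() {
    printf '%s\n' "$1" | awk '
        /"sshd"/ {
            n = split($4, parts, ":")                       # $4 is Local Address:Port
            port = parts[n]                                 # last component is the port
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr != "127.0.0.1" && addr != "[::1]")
                print port
        }'
}

# Constructed sample of `ss -ltnp` output: sshd on 22, three reverse
# forwards (2222 loopback, 2223 wildcard, 2224 IPv6 loopback) and nginx.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:2222      0.0.0.0:*         users:(("sshd",pid=2410,fd=9))
LISTEN 0      128    0.0.0.0:2223        0.0.0.0:*         users:(("sshd",pid=2411,fd=9))
LISTEN 0      128    [::1]:2224          [::]:*            users:(("sshd",pid=2412,fd=9))
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*         users:(("nginx",pid=900,fd=6))'

# Demo: the two commands from the post under each GatewayPorts setting.
for gp in no yes clientspecified; do
    for spec in '2222:localhost:22' ':2222:localhost:22'; do
        printf 'GatewayPorts %-15s ssh -R %-20s -> binds %s\n' \
            "$gp" "$spec" "$(effective_bind_addr "$gp" "$spec")"
    done
done
printf 'sshd listeners reachable from outside (constructed sample): %s\n' \
    "$(exposed_sshd_ports "$SAMPLE_SS_OUTPUT" | tr '\n' ' ')"
```

On a real host you would feed `exposed_sshd_ports "$(ss -ltnp)"` instead of the sample; anything it prints besides sshd's own port is a reverse forward that the client asked to bind publicly (or that GatewayPorts yes forced public), so the list is a quick way to confirm that only the forwards you meant to expose are exposed.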
