[olug] restricting ports on SSH forwarding
Lou Duchez
lou at paprikash.com
Fri May 29 04:43:02 CDT 2020
Update, it turns out it was pretty easy to do, once I'd opted for
OpenSSH instead of freeSSHd. I found the sshd_config file and added
these parameters to the main body of options:
PermitTTY no
PermitOpen 127.0.0.1:3389
#Subsystem sftp sftp-server.exe
That last one was commenting out the line that by default allowed SFTP
access. My goal here is to allow tunneling just to port 3389 (i.e.,
RDP) and not even allow any shell access, and those three lines do the
trick. Now if a person wants to hack the system, they need to figure
out which port I've moved SSH to, guess the non-root login and password
I've set up, THEN figure out which port I've moved RDP to and guess the
appropriate login and password for that. Yeah, I'm going to call that
pretty secure.
On 5/28/2020 10:52 PM, Lou Duchez wrote:
> I am on Team Linux as much as possible myself, but we do have a few
> servers that do WIndows. Some run ASP.Net applications (and as good
> as Mono is, it's still less stable than genuine .Net). And we have,
> on the cloud, some virtual PCs that we use for development or running
> other Windows utilities; accessing them securely is a big deal.
>
>
>
> On 5/28/2020 10:16 PM, Reiners Cloud Consulting LLC wrote:
>> Absolutely, I'd recommend replacing with openSSHd myself, but I'm team
>> Linux for everything whenever possible. Should work fine, and follow all
>> standards as close as possible.
>>
>> I've never installed it on windows before myself, but I can't see why it
>> wouldn't work.
>>
>>
>>
>> On Thu, May 28, 2020, 8:39 PM Lou Duchez <lou at paprikash.com> wrote:
>>
>>> Thanks for the pointer; alas it's specific to OpenSSH. Perhaps I need
>>> to install Win32-OpenSSH, which will hopefully include the
>>> authorized_keys functionality.
>>>
>>> I went with freeSSHd because it installed easily and smoothly, and
>>> seemed to work well for the most part. That's when it dawned on me
>>> that
>>> port forwarding comes with a BIG security risk ...
>>>
>>>
>>> On 5/28/2020 8:22 PM, Reiners Cloud Consulting LLC wrote:
>>>> I realize it's windows based ssh but maybe it has some similar
>>>> flags to
>>> get
>>>> you in pointed in the right direction.
>>>>
>>>> On Thu, May 28, 2020, 7:19 PM Justin Reiners <justin at hotlinesinc.com>
>>> wrote:
>>>>> Here's a good write-up on restricting access, hope it helps
>>>>>
>>>>>
>>>>>
>>> https://blog.tinned-software.net/restrict-ssh-access-to-port-forwarding-to-one-specific-port/
>>>
>>>>> On Thu, May 28, 2020, 6:41 PM Lou Duchez <lou at paprikash.com> wrote:
>>>>>
>>>>>> So SSH forwarding is a dandy way to get data to travel back and
>>>>>> forth
>>>>>> over a secure encrypted connection. The only problem I'm aware
>>>>>> of is,
>>>>>> if I open up SSH port forwarding on my server to allow access to
>>>>>> port
>>>>>> 11111, there's nothing stopping a user from using the same SSH
>>>>>> connection get at port 22222.
>>>>>>
>>>>>> ... or is there? Any thoughts on how to limit the port
>>>>>> forwarding on
>>> an
>>>>>> SSH connection? In particular I'm using freeSSHd on a Windows
>>>>>> server,
>>>>>> so if anyone knows anything about that, that would help.
>>>>>> _______________________________________________
>>>>>> OLUG mailing list
>>>>>> OLUG at olug.org
>>>>>> https://www.olug.org/mailman/listinfo/olug
>>>>>>
>>>>> _______________________________________________
>>>>> OLUG mailing list
>>>>> OLUG at olug.org
>>>>> https://www.olug.org/mailman/listinfo/olug
>>>>>
>>>> _______________________________________________
>>>> OLUG mailing list
>>>> OLUG at olug.org
>>>> https://www.olug.org/mailman/listinfo/olug
>>> _______________________________________________
>>> OLUG mailing list
>>> OLUG at olug.org
>>> https://www.olug.org/mailman/listinfo/olug
>>>
>> _______________________________________________
>> OLUG mailing list
>> OLUG at olug.org
>> https://www.olug.org/mailman/listinfo/olug
> _______________________________________________
> OLUG mailing list
> OLUG at olug.org
> https://www.olug.org/mailman/listinfo/olug
More information about the OLUG
mailing list