I would like to connect to an Oracle database hosted on a remote box using Oracle SQL Developer. I am able to create a standard connection BUT I have to be connected to a VPN for security reasons. I want to bypass this vpn.
I do this all the time with normal ssh connections. There is one machine (gateway) on my company network than can be accessed outside the network (no vpn). From gateway, I can connect to any machine on our network. I would like to connect to the database hosted on machine (dbmachine) on the network (which cannot be accessed without being on the vpn unless I am first connected to the gateway).
This seems to be a common issue because I was easily able to bake this functionality seamlessly into my ssh config. Example:
Host gateway
HostName gateway.company.org
User marc
Host dbmachine
HostName dbmachine.company.org
User marc
ProxyJump gateway
Host exampleMachine
HostName exampleMachine.company.org
User marc
ProxyJump gateway
By using ProxyJump, I am able to type ssh dbmachine to seamlessly connect to dbmachine or ssh exampleMachine to seamlessly connect to exampleMachine. I want to do a similar jumping technique with Oracle SQL Developer. How can I connect to the database on dbmachine from Oracle SQL Developer?
I'm not sure what port the db is running on dbmachine, but I can access it though sqlplus when I'm logged into the box.
The answer is to create an SSH Tunnle:
ssh -L 1521:localhost:1521 -N -f dbmachine
This will forward all traffic on localhost:1521 to dbmachine:1521 (where the database is running). It will respect the user's configuration so you do not have to setup two tunnles.
-N Will not switch to remote shell
-f Requests ssh to go to background just before command execution
I'm not sure if there's a better solution that is configurable directly in a database client, but this works for me on Arch Linux.
Related
I'm hosting Odoo on AWS and need to connect from my local machine. I am using AWS Certificate Manager instead of using a local .pem file ( no SSL configuration done on Apache as I am using AWS CM).
My odoo application works well, If I type https://myodoosite.com it works well.
What I need is to connect to the Postgresql DB on myodoosite.com
I can connect to the Postgresql DB from within the myodoosite.com server by uisng the command $psql -U postgres odoo_prod
Does anyone have an idea how to achieve this?
WHen I connect from my local, it says " Is the server running at myodoosite.com accepting TCP/IP connections on port 5432? "
Thank you for your replies.
Did I understand correctly your situation:
Odoo, Apache and PostgreSQL in one or multiple EC2 instances in AWS.
Load Balancer with SSL termination (using certificate from Certificate Manager) that exposes only your Odoo/Apache http service.
You probably have firewall rules in security groups preventing the PostgreSQL traffic in tcp port 5432. You need to open port 5432 to be accessible from your onpremise IP-address. You can do this by enabling the predefined PostgreSQL type in PostgreSQL EC2 instance's Security Group and set your IP address in the source address. Please note that this way the database is accessible for all traffic coming from that IP or IP range. So if you use shared IP this could be a problem.
Another easy and secure way to connect to PostgreSQL is to tunnel the traffic from your workstation with ssh. This is usable if you already have ssh port open and you do not want to open PostgreSQL port to public internet.
I have a microservice, let's call it RdsConnector, I want to test locally that is normally deployed on a machine on AWS. It connects to a MySQL instance, which is also in AWS, without any SSH tunnelling as they are in the same VPC. To connect to that MySQL instance from my local machine, I can use SSH tunnelling to get into the VPC I have set up in AWS. This is what that configuration looks like:
I could set up my microservice to also connect through SSH (optionally, perhaps), but I don't want to do that. Then I would have a different configuration running it locally vs in the cloud. What I want to do instead is set up some kind of proxy server on my local machine that will take the SSH credentials and do that SSH tunnelling, exposing the VPC MySQL endpoint locally. Then RdsConnector will just use that local endpoint, and I won't have to have a different config for RdsConnector just for local testing.
I'm not very familiar with the networking technologies in use here. I just know that there's no public IPs for my VPC, so I have to SSH in. I imagine that what I want is possible, but I have no idea what the moving parts would be.
Ok this turned out to be quite simple actually! The ssh program can do this for you, this is how I configure it with Mac OS ssh:
ssh -N -i "/Users/foo/aws_ssh_key.pem" \
-L "localhost:5990:stack-name-vpc-db.asdfqwerty.us-east-1.rds.amazonaws.com:3306" \
foo#12.34.567.890
With the -L flag, it'll proxy stuff over the SSH connection for you from the given endpoint to the provided endpoint on the other side. That -N flag is optional, it just turns off the regular SSH console since we only want to run a proxy server. The microservice can treat localhost:5990 as if it were the regular MySQL endpoint.
Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install a SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is a SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
We have an AWS EC2 server that we've configured to be only accessible (via SSH) from within our office network. Obviously this isn't ideal for remote arrangements where someone has to connect to the EC2 instance and is working remotely outside the office such as during a business trip.
I've managed to set-up a VPN through PPTP and can connect to the office network (I have two local IP's one from wlan0 and one from ppp0) regardless of anywhere I am. However, when I SSH to the EC2 instance, it's still rejecting me most likely because it sees that I'm still trying to ssh from outside the network.
I think I'm missing something very important. What do you think, what am I missing to to get the ssh to use the vpn connection rather than one in wlan/eth?
I'm starting to think this isn't possible so kindly let me know. My other option is to ssh to a machine within the office network and then use that machine to ssh to the EC2 instance but I've been hesistant to do that as it seems excessive.
Find your gateway through which you want to connect to your ec2-instance.
For Linux systems, route -n will show you the routing table. Now add the route
sudo route add -host gw
Just having a VPN to your office does not mean all traffic from your machine will go through the VPN - that depends on how you configure the VPN.
You can SSH from your machine to an office machine, and from there ssh to EC2 - that should work.
Alternatively, configure your system to route traffic for the ec2 instance through the VPN connection - doing this depends on your specific VPN configuration.
I have my Openbravo appliance running by VMWare workstation on top of Win7 which is in a LAN connected to internet by router.
When I start the appliance. I can access ERP web console by typing in the address it gave at the end of the process (for example, 192.168.1.107). All computer in the LAN can access this address as well which is fine for now.
However, in the future, I need to access this console from my home pc running Win7 (which is, of course, connected to the internet). How do i set this up?. I have try the method given in http://planet.openbravo.com/?p=8612 (see case 3 - Expose my local ERP into a remote network)
I tried (in Openbravo Appliance console running in VMWare)
ssh -R :9999:localhost:80 myhomepc#101.108.70.128
(where 101.108.70.128 is the ip of my home pc read from whatismyip.org)
but it give the following error:
ssh: connect to host 101.108.78.128 port 22: connection timed out
Do I missed any step required?
What should i do the successfully connect to my Openbravo instance?
Best is to ask those questions directly in the Openbravo ERP forums over there: http://forge.openbravo.com
The case 3 from the blog-post you are referring to makes 2 implicit assumptions.
a.) the remote computer runs an ssh-server
b.) This ssh-server can be connected to from the erp instance
One of the two assumptions seems to not hold in your case either your win7 box does not run an ssh server and/or the router of your home network does not forward port 22 from the outside to your win7 box.
Without further information i assume both items are not done.
Let me propose another solution instead. As you want to connct to the commandline of the erp appliance from home you could do the following:
Configure the router of the network with the erp appliance to connect some external port (i.e. 2222) to the ip of the appliance, destination port 22.
This will allow you to access it from the home network (or any other system from the internet knowing the ip/port).
Using an external port different from 22 some simple ssh brute-force passwords scans.
As the appliance by default does not allow login by password but only allows authentication by public-key this is secure to not allow unauthorized access to your system.
After this either use case 1 from the blog-post or an normal ssh tunnel like (ssh -p external-port user#externalipoferplan -L 9999:localhost:22' and then access the ERP via 'http://localhost' from your win7 box.
If that is too complicated and you want to just make the ERP webinterface available from the internet without having the extra ssh security in the middle then you can just configure the router of the erp lan instead to forward port 80 or 443 (http or https) to the erp-instance and access the system directly from anymore as if it would be on some public server in the internet.