Reverse SSH Tunnel with Dynamic Port Allocation - ssh

We have a system that implements reverse ssh tunnel to enable remote port forwarding.
This enables to expose devices on local network via a Public IP.
However, we're achieving this by a static port allocation, i.e. We've mapped Serial No.s of devices to Ports and each time a request comes to our server with Serial No. , we forward it to the designated port.
Obviously this design isn't scalable and we want to replace it with dynamic port allocation, such that the server itself takes care of allocating the port and freeing it once the device goes offline.
It'd be great to have suggestions on how this can be achieved.
Thanks in anticipation and apologies for my lack of knowledge in case I didn't explain it better (I'm new to this)

This can be solved by using a ssh command script in ~/.ssh/authorized_keys on your server.
command="reverse_server.py" ssh-rsa <publicKey>
First, a client has to connect to the script and send it's own serial (in my case a use the MAC-adress of one NIC).
The server looks into a database and tell the assigned port number or creates a new one for an unknown serial.
In the next step, the client can connect, using the reported port number as reverse port.
Btw. You should add some logic to monitor and recreate the tunnel if it disconnects or get stuck.

Related

How do I ssh into a VPS running tailscale?

I've set up tailscale and connected to an exit node on my VPS on vultr.com. Predictably, I was kicked out and couldn't reconnect, as the VPS's public IP address has changed.
I can reboot the VPS and try again. What steps will I need to take? Does my VPS running behind an exit node even have a unique public address (which?), or does it need to be set up for something like port forwarding?
From looking at tailscale documentation, it looks like they came up with their own ssh, why? Why is the standard ssh inadequate for the purpose? I am not the admin of my tailscale network, and the admin is swamped right now. What can I do?
SSH uses TCP as transport and therefore requires the (srcaddr, srcport, dstaddr, dstport) tuple to be constant over the connection's lifetime.
I believe that since tailscale rotates connections dynamically, it is more suitable for use by clients than servers in a traditional client-server model, unless it provides an 'internal' virtual network over the distributed transport (which would kind of defeat the purpose of covering your tracks).
If you want to connect to your VPS over tailscale, you need to use their tools probably because of that. You can still connect directly to your VPS, though, through plain Internet, if it has any address of its own, and is not firewalled away (or similarly, NATed away). Your provider should either show you the address, or even better, provide access to out-of-band (like serial-port) command line access, where you can query the current addresses using commands like ip addr show.
In your Tailscale Admin console you should be able to see the machine's IP. Just use normal ssh and login that way.
So instead of ssh user#8.8.8.8 you'd do ssh user#100.64.0.1. Tailscale's own ssh client is useful if you want to hook deeper into their MagicDNS stuff, but it's not meant to be the only way to ssh into your machine.
If you run into errors, ping the machine you want to connect to (tailscale ping vps-machine-name). That should help you debug any tailscale client connection problems.

Pica8 SDN whiteswitch ping from mangement console to host port

I am connecting my controller PC to a Pica8 white switch via the Management port. I can SSH into the switch and ping the controller PC, however I cant ping the hosts through the standard ports. I have created a bridge of the first four ports and have successfully pinged from host to host after I installed a flow that allowed it.
My question is, is there some kind of mechanism separating the controller port from all of the data ports, I would think I should be able to ping from the switch to the hosts.
I'm not sure this answers your question, but before pinging the management port I believe you need to set an IP for it via the console port.
I use minicom per the instructions located here. However, I am using the RJ45 to DB9 adapter cable -> USB Serial port connection. That looks like so.
Unfortunately, that creates a problem with minicom, since the instructions tell you to simply power up the switch and observe the received data. There is actually a little more to it than that. You have to configure minicom's serial port. Fortunately, there is a tech blog that I found very helpful. If you follow the provided instructions, it will walk you through changing ports. Once you modify the port that minicom is listening on (For me it is Port /dev/ttyUSB0), you should be able to configure your management port.

best method port forwarding/tunelling

I'd like to use a server between two machines (with no static IP). The only IP known to me is the server's IP address. I'd like to build/use a system that listens to 2 different ports within the server and whatever is received from localhost:portA is sent to localhost:portB and vise versa. Consequently, both machines (with java apps) can communicate through the server in the middle.
Please what is the best solution to do this. I'm working on linux system and I thought of using an SSH java API (hudson / ganymed-ssh-2) to build a port forwarding server application.
Some issue:
1) determining the size of the data transmitted to buffer read or not to forward it to the other port.
2)The speed of reading/writing bytes.
If you can use ssh protocol you can tunnel local or remote ports (this need support on server side). You can also think about an OpenSSH VPN (take a look on ssh -w option, this will create a real VPN (TUN/TAP device is required). ).
You can use the the ssh program. Take a look at the -L and -R options specifically.

Net.Sockets : PC Portnumber changes dynamically in LAN via (DLINK)router

Hi i am creating server/client application using .net.Sockets something like cybercafe software.
Im following this example on codeproject Simple Socket Chat Program
there is no problem i run it on local pc. But when i run the client in the other pc in network i got a problem.
says :
No connection could be made because the target machine actively refused it.
I tried to use netstat -a on cmd and i found out that the portnumbers of all the p.c on our network always changes.
Is there any way to do it without using portnumber and just hostname or ipaddress only.
I need help...
Thanks in Regards
First, the random port numbers under Local Address in netstat are done so that everything gets a unique local port.
Also, a port is necessary for sockets.
The problem you are having is most likely because the firewall where your server software is located is blocking that port. For Windows 7 (and presumably Vista), you can unblock the port by running WF.msc, going to Inbound Rules on the left, clicking New Rule on the right, and adding a new program or port rule. The rest of the steps should be self-explanatory.

How do all the requests connect to a web-server using the same port?

How does a web-server serve its client using the same port(80) for a TCP connection. For a UDP connection, i understand that there is no connection, per se, so we can have multiple clients send packets to same port. If i try to use an already used port on my localhost, i get BindException.
One solution i see to this is starting a thread for each connection, but wouldnt this be cumbersome for site like google/yahoo where there a >100000 connections in each server?
What solutions do web servers employ for this problem?
Server listens on a well-known port (80) and delegate the request to a worker socket once it receive the request. That way it can serve the next request. You can write your own simple server to understand whats going on. Oracle site has a nice example code. [1]
[1] http://java.sun.com/developer/technicalArticles/Networking/Webserver/WebServer.java
first it creates a server socket;
ServerSocket ss = new ServerSocket(port);
then it listnes on the specified port and create a new socket once it accepts the request;
Socket s = ss.accept();
As shown in the code, it has a worker thread pool, so at a given moment you can control the number of request get served by the server at a given time. Others wait in a Queue may be.
You only have one port for listening, but a connection has two ports, one on each side of the connection. This pare must be unique.
So, say you connect to google.com port 80, then your connection will have some port on your machine, say 42312 and port 80 at google.com. You can see your connections with netstat -a. To get a shorter list: netstat -an| grep ESTABLISHED" Which shows all established connections without resolving their IPs to names.
AFAIK, Apache will start a new thread for every request, which is a big reason that event driven servers like Node.js are a little faster. Google and Yahoo also have TONS of servers and spread this large processing load among them. What Roger says also makes sense, although I'm not 100% sure on the details of how exactly google doing output on port 42312 would reach your computer at port 80 :P