How to automatically start a tunnel when a session is opened in MobaXterm? - ssh

I use MobaXterm for remote access to servers running in the cloud. For development and admin purposes, these servers expose admin applications on local network interfaces. For example, Tomcat will expose 127.0.0.1/manager.
Since I prefer not to have to expose these services to the internet, I've set up ssh tunnels in MobaXterm to connect to these web applications on a local port through local port forwarding, which is easy to set up with the application itself.
My question: How can you get MobaXterm to automatically start a tunnel when a session is opened and to stop/close them when the session is ended?
I know a client like Putty would do this by default, but I don't want to use different clients for different jobs if I don't have to and MobaXterm has other features I need that Putty doesn't.

You can set up new SSH tunnels in the Tunneling section (or start MobaSSHTunnel from MobaXterm's Tools menu). This will show a graphical port forwarding tool, where you can set up new SSH tunnels, which can be configured to start automatically at MobaXterm startup by selecting Autostart in the tunnel settings.

Try to use MyEn Tunnel:
https://myentunnel.informer.com/
There is an option to Connect on Startup.

Related

SSH from Windows 10 to Windows 10 port 22 time out, and password issue

So I have been toying around with this for a week now and it is driving me bananas. I have the native Windows 10 SSH server and client installed on both machines. Most of the time when I try to connect I get "ssh: connect to host 10.0.0.8 port 22: Connection timed out". When I realized it might be my firewall, I disabled it and tried again, only to get "ssh: connect to host 10.0.0.8 port 22: Connection refused". The only time I have gotten closer is when using an Ubuntu VM, but then when I am prompted for a password none work; I assume that has to do with the RSA key that I have yet to establish.
How can I get either (preferably both) of these connections to work?
Can two Windows 10 PCs even SSH to each other?
Is there a solid tut out there that I should turn to?
I would be thankful for any help on this problem.
Thank you for your time
Yes, you can use the optional Windows 10 feature OpenSSH Server (sshd) and the corresponding ssh client to make connections between two Windows 10 PCs. You can actually use any ssh standard client to connect, i.e. ssh from Linux.
When you install the "OpenSSH SSH Server (sshd)" from the optional feature settings in Windows it will also automatically create a firewall rule in the Inbound Rules folder of the Windows Defender Firewall and activate the rule. This should make it possible to connect with any ssh client to your PC.
After the installation, check the following:
The Windows service called OpenSSH SSH Server is started and running. It is set to manual start by default, so it will not be running unless you have started it.
The inbound firewall rule OpenSSH SSH Server (sshd) is enabled in Windows Defender Firewall with Advanced Security.
If these are active you should be able to use ssh MACHINENAME from a shell, command prompt or terminal on another PC to connect to the PC running the SSH server.
When using a Microsoft Account the user name might display a shorter version of the username when you sign-in but the password would be the same as your Microsoft Account.
I just had a similar problem. In my case, I fixed it in the services settings on windows. Make sure that the startup options of the Open SSH Agent and Open SSH Server services are set to automatic and that you start the services. At best, do a reboot afterwards. Again check whether sshd and ssh-agent in the services tab in task manager are running. Then, it should work.

Activating a VPN on Google Cloud Compute VM is terminating my connection

I have spun up a Google Cloud Compute virtual machine. It's a vanilla Windows Server 2016 image, and I can log in and see the desktop. I do that by downloading the RDP file and running it.
Due to a license manager for software I'm installing, I need to VPN to my own network. In "Settings -> Network", I add a new VPN connection (using the same creds I use on my machine) and click Connect. It makes an initial connection, verifies my credentials, but during the final stage, my RDP connection to the GCP VM ends.
What is really strange is that, sometimes, I can reconnect successfully after a few minutes and the VPN connection was successful. Sometimes I can't reconnect.
Any ideas?
The VPN connection added as such will be a force-tunneled VPN, which then adds a default route over the VPN interface on the VM, disrupting your connection. The easiest way to maintain the connection would be to do either of 2 things:
Make the VPN split-tunneled and add a route for the licensing box. You can do this by using the Set-VpnConnection PowerShell cmdlet and then adding a route using the route add command in an administrative command prompt.
Add a more specific route for the IP address by which you access the VM using the route add command.
UPDATE: Simply setting the VPN to use split tunneling in PowerShell solved the problem.
Use: (Replace "VPNsName" with your VPN's name)
Set-VpnConnection -Name "VPNsName" -SplitTunneling 1

SSH Port Tunneling With Authorization

Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install a SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is a SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
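
The sshd_config restriction mentioned in the answer above, as an added example that is not part of the original answer: it prints a Match block that limits forwarding to one group and one destination, and shows how to ask sshd what a given user would actually get. The group name dbtunnel, the user alice and the 127.0.0.1:3306 target are hypothetical, and the AD group is assumed to reach sshd as a Unix group through NSS.

```shell
#!/bin/sh
# Added example. Hypothetical names: group "dbtunnel" (the AD group as sshd
# sees it through NSS), database on 127.0.0.1:3306, test user "alice".

# Print the Match block that goes at the END of sshd_config. The global
# section above it must already say "AllowTcpForwarding no": sshd keeps the
# first value it reads per keyword, and a Match block only overrides it for
# the sessions it matches.
render_match_block() {
    group=$1
    target=$2
    cat <<EOF
Match Group $group
    AllowTcpForwarding local
    PermitOpen $target
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Ask sshd which values one user would really get (run as root on the
# server). -T prints the effective configuration, -C selects the Match
# context, -f points at a candidate file so the live one stays untouched.
effective_settings() {
    config=$1
    user=$2
    sshd -T -f "$config" -C "user=$user,host=localhost,addr=127.0.0.1" |
        grep -Ei '^(allowtcpforwarding|permitopen|permittty|forcecommand) '
}

# Show the block for the sample group; compare effective_settings for a
# member and a non-member before reloading sshd.
render_match_block dbtunnel 127.0.0.1:3306
```

Group members then connect with ssh -N -L 3306:127.0.0.1:3306 alice@linuxhost (host name hypothetical); accounts that keep a shell on the Linux machine can still relay the port with their own forwarder, as the answer points out.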

Start ipython cluster using ssh on windows machine

I have a problem setting up an ipython cluster on a Windows server and connecting to this ipcluster using an ssh connection. I tried following the tutorial on https://ipython.org/ipython/doc/dev/parallel/parallel_process.html#ssh, but I have problems understanding what the options mean exactly and which parameters to use exactly...
Could anyone help a total noob to set up an ipcluster? (Let's say the remote machine has ip 192.168.0.1 and the local machine has 192.168.0.2)
If you scroll roughly to the middle of the page https://ipython.org/ipython-doc/dev/parallel/parallel_process.html#ssh you will find this:
Current limitations of the SSH mode of ipcluster are:
Untested and unsupported on Windows. Would require a working ssh on Windows. Also, we are using shell scripts to setup and execute commands on remote hosts.
That means, there is no easy way to build an ipcluster with ssh connection on windows (if it works at all).
Do you really need to connect the machines with an ssh connection? I guess it's possible with a ssh client on each windows machine, but if you are in a trusted local network you can also decide not to use the loopback interface and just expose the ports...
Sure you can start controller and engine separately! For further examples about ports (if you have problems with firewalls) see also How to setup ssh tunnel for ipython cluster (ipcluster)

Tunneling/ Port forwarding to two IPs

I am trying to run an application locally that uses a database, web services, etc. in another network, so I am trying to tunnel through a computer with access. However, web services are used over two (possibly more) IPs and I can't map one port to multiple IPs. Or is there a way to achieve this?
Can you reconfigure the web services client to access one of the services on another port? For example, if you open an ssh tunnel using something like:
ssh -L8080:ws1host:8080 -L8081:ws2host:8080 user@remotehost
Then you can access the remote ws1host:8080 on 127.0.0.1:8080 and the remote ws2host:8080 on 127.0.0.1:8081.