I'm trying to run an rsync through a bastion host onto an SSH server that listens on a non-standard port, like this:
Source Host -> Bastion Host -> Destination Host (sshd on non-standard port)
I can get onto the destination host via the Bastion box using this:
ssh -o ProxyCommand="ssh -W %h:%p admin#bastion-host" user#destination-host
But this gets me onto the "default" SSH server, running on port 22, and not the one I want to get to, which, for sake of argument, is running on port 12345.
If I want to rsync using the non-standard port, the examples I can find, like this for example:
https://www.tecmint.com/sync-files-using-rsync-with-non-standard-ssh-port/
Indicate I should use -p, but that wouldn't work since I need port 22 all the way through the tunnel until the end.
How can I rsync to/from this destination server on port 12345, via a tunnel through the bastion server on the standard port 22?
Source Host (22) -> Bastion Host (22) -> Destination Host (12345)
Ah, I think I figured it out. My destination server was only allowing port 22 from the bastion host, and not the non-standard port.
Related
I have a two step solution to access a certain server via SSH:
Step 1, in bash:
ssh -L 127.0.0.1:5000:server2.com:22 server1.com
Step 2, in a new bash session:
ssh -P 5000 127.0.0.1 # This gets me into server2.com
Q1: Is there any way I can combine these two commands into one ssh command, and...
Q2: can I set up one single host entry in my ~/.ssh/config for this connection (allowing me to just type e.g. ssh my-tunnel)?
I suppose this comes down to chaining the hosts in some way. I am new to this and can't quite figure this out...
I came accross this question and was surprised by the fact that ssh supports jump hosts.
You can use single command to connect to the target server while ssh will take care about intermediate hop.
ssh -J server1.com server2.com
-J [user#]host[:port]
Connect to the target host by first making a ssh connection to the jump host and then establishing a TCP
forwarding to the ultimate destination from there. Multiple jump hops may be specified separated by
comma characters. This is a shortcut to specify a ProxyJump configuration directive
And here is the corresponding jump host configuration for SSH config:
Host jumphost
Hostname server1.com
User $YOUR_USERNAME
Port 22
Host my-tunnel
Hostname server2.com
User $YOUR_USERNAME
Port 22
ProxyJump jumphost
...enabling the command: ssh my-tunnel
I use this for remote port forwarding over SSH tunnel:
ssh root#X.X.X.X -R 443:127.0.0.1:443
this binds to 0.0.0.0:443 and forwards to 127.0.0.1:443 .
The remote server has multiple IPs. Is it possible to specify the IP I want to bind to, for instance 10.10.10.1:443, instead of binding to all interfaces?
iptables is not available on the remote server.
I managed to solve it.
On the remote server I set in sshd_config:
GatewayPorts clientspecified
Then I changed the arguments on the client like this:
ssh root#X.X.X.X -R 10.10.10.1:443:127.0.0.1:443
Now it works as expected, SSH binds to port 443 on interface 10.10.10.1 and forwards all traffic over the tunnel to localhost:443 .
Setup:
My computer (linux / unix) has an arbitrary IP address
I can connect to a central linux server which has a static ip
Remote linux systems are set up so they only respond to central server IP address on port 22
I want to port forward through the central server so I can use MySQLWorkbench and make python scripting connections on port 3306 to the remote systems.
Ideally, I would like the syntax for ssh command to make the port forwarding work;
Suppose I want to forward local port 3307 to 3306 on the remote system. Assume my ip is x.x.x.x, the central server IP is y.y.y.y, and the remote system IP is z.z.z.z;
I think it has something to do with ssh -L but I can only forward to the central server so far. Maybe I need to connect to the central server, set up forwarding there, then set up forwarding on my machine? I think functionality exists to do it with a single command using ssh.
If this is a duplicate, it should not be marked as such because without knowing what magic keyword to search for, you can't find the duplicate;
Clarification: port 3306 is NOT open on the remote server. Only 22
ssh -L :3307:z.z.z.z:3306 user#y.y.y.y -Nf
Works fine
or
ssh -L 3307:z.z.z.z:3306 user#y.y.y.y -Nf
To only bind to x.x.x.x's localhost
The first example binds to all interfaces
edit...
Just seen that z.z.z.z only has port 22 open.
on y.y.y.y you will also need to have a local port open
run on y.y.y.y
ssh -L 3307:localhost:3306 user#z.z.z.z -Nf
then on x.x.x.x
ssh -L 3307:localhost:3307 user#y.y.y.y -Nf
run these commands in a screen for best results
You can actually condense these 2 commands together
ssh -L 3307:localhost:3307 user#y.y.y.y -f 'ssh -L 3307:localhost:3306 user#z.z.z.z -Nf'
ssh -L <local-port-to-listen>:<remote-host>:<remote-port>
The āLā switch indicates that a local port forward is need to be created
Best method is to create the tunnel using putty (ssh client). so you can start the shell, and it will create the ssh tunnel for you. this is a good reference
https://howto.ccs.neu.edu/howto/windows/ssh-port-tunneling-with-putty/
I can now forward one port 8080 to the remote port 80 by ssh -L 8080:localhost:80 user#host.com, Is it possible to do multiple port forwarding with one ssh connection?
Yes, use -L option for each port to be forwarded.
Example:
ssh -L 8080:localhost:80 -L 7070:localhost:70 user#host.com
That is called dynamic port forwarding and if both the SSH server and SSH client support this, you configure your clients to use the SSH client as a SOCKS proxy and the SSH does the rest. In this case one "SSH connection" (in fact SSH connection carries multiple independent channels "inside") is used to connect to multiple destinations.
I have an Apache webserver running on a local machine through reverse ssh tunnel, i.e.:
ssh -R *:80:local_machine:8080 username#gateway_machine
In other words, all traffic from port 80 on gateway_machine
is sent to port 8080 on local_machine.
For monitoring purposes, I wish to know IP addresses of the remote clients
connected to gateway_machine. However my local Apache server sees
all traffic coming from the IP address of gateway_machine.
My question: Is there any way to setup ssh server running on gateway_machine such that
it sends all traffic to local_machine with actual remote IP addresses ?
The SSH protocol uses a channel type called "direct-tcpip" for forwarding a TCP connection. The protocol message for opening one of these channels includes the address and port of the client whose connection is being forwarded. So the information that you want is available to the ssh client (which in your case is opening the connection to the target of the forward).
The OpenSSH ssh client logs the originator address and port in a debug level message, so you can see it if you run ssh with the -v option:
$ ssh -v -R 2000:localhost:1000 localhost
...
debug1: client_request_forwarded_tcpip: listen localhost port 2000, originator ::1 port 51101
Here the originator address was ::1 (IPv6 localhost) and port 51101. The ssh utility doesn't do anything else with the information.
So, depending on your needs, you have three approaches to collect this information:
Invoke the ssh process which creates these forwards with the -v option, and arrange to collect and parse the relevant debug information.
Make source code changes to ssh to make it do what you want it to do with the information.
Write your own ssh client which does what you want. SSH client libraries are available for most modern programming languages.