my setting is as follows:
server1 is behind a firewall. its running a service on port X.
server2 is an already dyndns reachable homeserver, lets say "mydomain.com"
i am trying to forward (via ssh reverse tunneling) port X to server2, so that anyone can access the service originally provided on server1 through simply connecting to "mydomain.com:X" with the related app.
my steps so far were:
1. establish ssh reverse tunnel on server1
ssh -p22 $nokey $keepalive -nNT -R "*:$PortX:localhost:$PortX" sshuser#$dyndnsIP"
--> tunnel is okay as far as i am can tell, its present on server2 (tested via netstat -tlpn)
2. now established portforwarding on homeDSLModemRouter from PortX to server2:PortX (used internal ip here, no error here)
3. now trying to connect via app to "mydomain.com:PortX" - no success.
Am i missing something vital? help is greatly appreciated!
Answer - jst read my Comment above.
It was necessary to set "GatewayPorts yes" in the public reachable dyndns-Server2.
I want to connect to remote amazon aws service(EC2 instance) , and I would like to be able to ssh to it from my laptop while using the campus provided network (which has cyberoam firewall). However, they have pretty much every port blocked and ssh won't work. Is there anything i can do? does ssh run through port 80? I don't really know what to do .
All it says is :
ssh_exchange_identification: read: Software caused connection abort
ssh works elsewhere.
You can set your SSH server to use port 80 (or 443 if 80 is used for a webserver). Just check the configuration file of your ssh server for more details!
I have recently starred out with EC2. Currently I am using the Free Tier to test and learn about it. However as I am behind a proxy that allows only connections at port 80 and 443, I am unable to connect the EC2 instance. Is there a way to get past this ?
So far I've guess that running sslh on the EC2 instance, as described here might help. But I am not sure if this behavior should remain persistent once the instance is terminated and re-started (as I am using Free Tier). Is there a way I can achieve persistence in terms of settings and installed resources like sslh (and many others) while using the Free Tier ?
Thanks in advance.
Once when behind a firewall that only allowed outgoing communication on ports such as 80, I just ran an sshd on the server on a different port. You won't be able to set this up while behind the firewall, you'll have to go somewhere else, ssh in, and reconfigure ssh.
Instead of running sshd on a non-standard port, you could also just have something redirect traffic from some other port to port 22.
If your ec2 instance isn't running a web server, you can use port 80 or 443 for the sshd. If you're not using https, then use 443.
You say they only allow outgoing traffic to remote ports 80 and 443, but often times ports above 1024 are also unblocked.
Make sure you've also correctly configured your security groups on the ec2 instance, since it has a firewall as well. You'll have to make sure it's configured to allow incoming traffic on the port supplying the sshd from your IP address. This can be done through the aws management console.
Here there's is a neat solution. I haven't tried it. The idea is to pass a script to boot the instance with ssh bind to port 80.
Goto instances
at the top of the list of your running instances you should see "instance action"
In that menu you should see "connect"
Select "connect from your browser using Java ssh client"
note, you need Java to be installed.
Although I use some alias to do ssh tunnel or reverse tunnel, I never understand how it works. Does somebody know how to explain it in very simple way?
I think the 3 primary uses are:
First of all, I can use my home computer to ssh to foo.mycompany.com, without using any password
(foo is a server at work)
How to make foo.mycompany.com:8080 go to my home computer's localhost:3000 ?
If at home, I cannot access http://bar.mycompany.com, but foo can access bar, how to make the home computer able to access http://bar.mycompany.com?
If at home, I cannot access MySQL db at db.mycompany.com, but foo can, how to make it possible to access db.mycompany.com also using ssh tunnel.
Can it be explain in very simple terms? Are there actually some other popular use besides these 3? thanks.
1) Assuming you connect from home to foo, you need a reverse tunnel (-R)
ssh -R 8080:localhost:3000 foo.mycompany.com
This will enable processes running at foo to connect to localhost:8080 and actually speak to your home computer at port 3000. If you want other computers at your work to be able to connect to foo:8080 and access your home computer at port 3000, then you need
ssh -R 0.0.0.0:8080:localhost:3000 foo.mycompany.com
but for this to work you also need this option to foo's sshd_config
GatewayPorts yes
2) The best way to create an http proxy with ssh is with socks. First connect with
ssh -D 8888 foo.company.com
then go to your browser connection settings and enable proxy connection, choose socks4/5 and host: localhost, port 8888. Then just type http://bar.mycompany.com in your browser's address bar.
3) Now you need a local port forward (-L).
ssh -L 3333:db.mycompany.com:3306 foo.mycompany.com
This means that you will be able to connect at localhost:3333 from your home computer and everything will be forwarded to db.mycompany.com:3306 as if the connection was made by foo.mycompany.com. Host db will see foo as the client connecting, so you need to login with the same username and password you use when working from foo.
Adding -g flag will enable other computers from your home network to connect to your computer port 3333 and actually access db:3306.
SSH tunnelling is very simple. It opens a listening socket at one end. Whenever anyone connects to that listening socket, it opens a corresponding connection from the other end to the configured location, then forwards all information both ways between the two, over the SSH link.
Quite an old question, but see if this page helps explain it for you, it's got pretty pictures and all. :)
https://www.ssh.com/ssh/tunneling/
Basically, a SSH Tunnel is a tunnel that can be used to pass (tunnel) data from one place to another, encrypted.
It is also commonly used to route traffic (via a tunnel, think wormhole) to somewhere else, which allows for things such as tunnelling through a firewall or redirecting traffic (encrypted port forwarding).
Let's say you have a firewall between you and the server. The server can access another server (server2) on it's internal network.
[client]--------||------[server]----[sever2]
Let's say you want to access a web server on server2, and for obvious reasons you can't do this directly. Let's say that port 22 (ssh) is open on the firewall. So what we would do is create an SSH tunnel (on server) from server to server2. This will mean that any (outbound?) traffic on port 22 will be sent, via this tunnel, from server:22 -> server2:80.
[client]--------||------[server:22]======[sever2:80]
So (as I understand it), if we connect to server:22, it should redirect traffic on port 22 to the web server on server2:80 using this new SSH tunnel. (as far as I understand, the data is only encrypted in the tunnel, so the end will be decrypted data, if you're wondering if server:80 has to be SSL).
I suppose in one way that using SSH, is in itself, an SSH Tunnel for your old telnet communication. It's just that in most times you hear about SSH Tunnelling, people are referring to the (secure) port forwarding feature it offers, without having to have access to the firewall admin, which is a nifty little feature that a lot of hackers like to use to get around security.
On the more legitimate reasons; it's great way to relay certain traffic to an internal server that works on a different port, should you be limited by a firewall and such, or you want to secure the traffic between two machines (like the SSH program does).
Hope this helps.
EDIT
Found this over at the UNIX SO https://unix.stackexchange.com/questions/46235/how-does-reverse-ssh-tunneling-work, lots of answers with very clear (and pictorial) explanations of what you need!
First of all I will explain SSH:
SSH is remote login shell that helps you to connect remote machines using encrypted connection. So once you made ssh connection to any remote host the connection between hosts are secure and encrypted.
SSH tunneling is routing your traffic through SSH secure connection.
In simple words SSH tunneling is nothing but one connection is encapsulated by another connection. By taking this as a advantage we make tunnels by using SSH client.
Following command helps you to create simple socks proxy
ssh -D 8080 user#sshserverip
Read the man page, specifically the -L, -R and -D options. I don't think someone rewriting this, and possibly introducing mistakes, is useful. If you don't understand it though you could ask more specific questions.
-D gives a SOCKS proxy, which is another useful application of ssh tunnelling.
At my workplace, the traffic blocker/firewall has been getting progressively worse. I can't connect to my home machine on port 22, and lack of ssh access makes me sad. I was previously able to use SSH by moving it to port 5050, but I think some recent filters now treat this traffic as IM and redirect it through another proxy, maybe. That's my best guess; in any case, my ssh connections now terminate before I get to log in.
These days I've been using Ajaxterm over HTTPS, as port 443 is still unmolested, but this is far from ideal. (Sucky terminal emulation, lack of port forwarding, my browser leaks memory at an amazing rate...) I tried setting up mod_proxy_connect on top of mod_ssl, with the idea that I could send a CONNECT localhost:22 HTTP/1.1 request through HTTPS, and then I'd be all set. Sadly, this seems to not work; the HTTPS connection works, up until I finish sending my request; then SSL craps out. It appears as though mod_proxy_connect takes over the whole connection instead of continuing to pipe through mod_ssl, confusing the heck out of the HTTPS client.
Is there a way to get this to work? I don't want to do this over plain HTTP, for several reasons:
Leaving a big fat open proxy like that just stinks
A big fat open proxy is not good over HTTPS either, but with authentication required it feels fine to me
HTTP goes through a proxy -- I'm not too concerned about my traffic being sniffed, as it's ssh that'll be going "plaintext" through the tunnel -- but it's a lot more likely to be mangled than HTTPS, which fundamentally cannot be proxied
Requirements:
Must work over port 443, without disturbing other HTTPS traffic (i.e. I can't just put the ssh server on port 443, because I would no longer be able to serve pages over HTTPS)
I have or can write a simple port forwarder client that runs under Windows (or Cygwin)
Edit
DAG: Tunnelling SSH over HTTP(S) has been pointed out to me, but it doesn't help: at the end of the article, they mention Bug 29744 - CONNECT does not work over existing SSL connection preventing tunnelling over HTTPS, exactly the problem I was running into. At this point, I am probably looking at some CGI script, but I don't want to list that as a requirement if there's better solutions available.
Find out why the company has such a restrictive policy. It might be for a good reason.
If you still find that you want to bypass the policy, you could write a small proxy that will listen on your server on port 443 and then, depending on the request, will forward the traffic either to your web server or to the SSH daemon. There are two catches though.
To determine whether it's an HTTPS request or an SSH request, you need to try to read some data with a (small) timeout, this is because TLS/SSL handshakes start with the client sending some data, whereas the SSH handshake starts with the server sending some data. The timeout has to be big enough to delays in delivering the initial data from the client in the TLS/SSL handshake, so it'll make establishing SSH connections slower.
If the HTTP proxy in your company is smart, it'll actually eavesdrop on the expected TLS/SSL "handshake" when you CONNECT to port 443, and, when it detects that it's not an TLS/SSL handshake, it might terminate the SSH connection attempt. To address that, you could wrap the SSH daemon into an TLS/SSL tunnel (e.g., stunnel), but then you'll need to differentiate requests based on the TLS/SSL version in your client request to determine whether to route the TLS/SSL connection to the web server or to the TLS/SSL-tunneled SSH daemon.
You should be able to use iptables to forward ssh traffic from your work machines to ssh while all other machines attaching to your home server on port 443 get the Apache server.
Try a rule like this:
iptables -t nat -A PREROUTING -p tcp -s 111.111.111.111 --dport 443 -j REDIRECT --to-port 22
Where 111.111.111.111 is your office computer's ip address.
That all assumes you're running Linux >= 2.4, which you should be by now. It's been out for almost a decade.
Documentation for iptables is at http://www.netfilter.org.
Set up OpenVPN 2.1 server at home, use port 443 (if you set up your home any HTTPS service at port 443, trigger OpenVPN's port-share option to handle both OpenVPN and HTTPS transactions at port 443; this feature is only available to non-Windows OS)
Then, set up your OpenVPN client on your laptop in road-warrior mode to access the OpenVPN server at home. You will be able to call home or anywhere you like within a secure VPN network you've created with OpenVPN. It is no longer required to use SSH for this purpose.
I'm really sorry for being the Devil's advocate here, but if they are blocking ports at your work, its likely because they don't want people breaching security.
Now if you get permission to open a tunnel from your boss, that's fine, but IF something happens, ANYTHING, and they figure out you have a tunnel, I can almost assure you, you'll become the scapegoat. So if I were you I'd not be opening tunnels at work if they are setting up firewalls against it.
How about using 2 IP adresses on your machine?
Bind apache/https on one IP_1:443 and your sshd on the other IP_2:443?
Could you set up a middle man?
Run a small/free/cheap instance in the cloud listening on 443 for SSH, then though that cloud instance tunnel to your home box on your favorite port - 22 or whatever.
It'll add some latency I'm sure, but it solves the problem of leaving the original home setup intact.
I think you'll have to find a port that you're not using currently that you can get out on, and listen on that. 443 is the obvious candidate, but you say that's not possible. What about mail (25, 110, 143), telnet (23), ftp (21), DNS (53), or even whois (43)?
Proxy tunnel may be your answer
http://proxytunnel.sourceforge.net/
lets say my ssh server is host.domain.tld and my works proxy server is 10.2.4.37
I would add this to my local ssh config
Host host.domain.tld
ProxyCommand /usr/local/bin/proxytunnel -q -p 10.2.4.37:3128 -d %h:%p
ProtocolKeepAlives 30
See:
SSH Through or Over Proxy
http://daniel.haxx.se/docs/sshproxy.html
http://www.agroman.net/corkscrew/
Since apache has no problem whatsoever with CONNECT when no SSL is involved, I turn off SSL features and I use stunnel to serve an https version of my site. This does not require any recompilation, and allows your site to serve https normally. So far, the cleanest workaround I know.
See http://chm.duquesne.free.fr/blog/?p=281 for details.
Must work over port 443, without disturbing other HTTPS traffic (i.e. I can't just put the ssh server on port 443, because I would no longer be able to serve pages over HTTPS)
Is it possible to bind your HTTPS server to a different port? Depending on what it's used for, you may even be able to get around the problem of not being able to directly access it from work by just SSHing home and then using lynx from there.
So, then, give proxifier a try (- it supports HTTP Proxy Server)!
http://www.proxifier.com/documentation/intro.htm
I managed to bypass my company's firewall using the following design via AjaxTerm, it works for me.
PC on company network --> company's proxy via https --> INTERNET --> My home Apache reverse proxy server on SSL + .htpasswd protection --> AjaxTerm Server(From here on ward, I can SSH to any other servers ).
Still not the perfect world... would be good if I can can tunneling to my home network via HTTPS.