Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install an SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is a SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
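As an added example (not code from the answer above), a POSIX shell function that audits an sshd_config for the policy the answer describes: forwarding disabled globally and re-enabled only inside a Match Group block for the tunnel group, with GatewayPorts left off so forwarded ports stay on loopback. The group name dbtunnel and the sample config are constructed for the demonstration; awk is assumed to be available.

```shell
#!/bin/sh
# Added example: audit an sshd_config for "forwarding only for one group".
# Reads the config text on stdin; the group name is $1 (constructed: dbtunnel).
audit_forwarding_policy() {
  awk -v g="$1" '
    { sub(/#.*/, ""); if (NF < 2) next; key = tolower($1) }
    key == "match" {
      # A Match block runs until the next Match; note whether it targets our group
      in_match = 1; in_group = 0
      for (i = 2; i < NF; i++) if (tolower($i) == "group" && $(i + 1) == g) in_group = 1
      next
    }
    key == "allowtcpforwarding" {
      val = tolower($2)
      if (!in_match)        global = val
      else if (in_group)    grp = val
      else if (val != "no") other = 1
    }
    key == "gatewayports" && tolower($2) != "no" { gw = 1 }
    END {
      if (global != "no") { print "FAIL: global AllowTcpForwarding is " (global == "" ? "unset (defaults to yes)" : global); exit 1 }
      if (grp == "")      { print "FAIL: no AllowTcpForwarding inside Match Group " g; exit 1 }
      if (other)          { print "FAIL: forwarding enabled in a Match block outside group " g; exit 1 }
      if (gw)             { print "FAIL: GatewayPorts must be no so -R listeners stay on loopback"; exit 1 }
      print "ok: forwarding only for group " g
    }'
}

# Constructed sample config implementing the policy from the answer above.
SAMPLE_CONFIG='AllowTcpForwarding no
GatewayPorts no
Match Group dbtunnel
    AllowTcpForwarding local
    PermitOpen 127.0.0.1:3306'

printf '%s\n' "$SAMPLE_CONFIG" | audit_forwarding_policy dbtunnel
```

The function exits non-zero on the first violation it finds, so it can gate a configuration deploy.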
I would like to connect to an Oracle database hosted on a remote box using Oracle SQL Developer. I am able to create a standard connection BUT I have to be connected to a VPN for security reasons. I want to bypass this vpn.
I do this all the time with normal ssh connections. There is one machine (gateway) on my company network that can be accessed outside the network (no vpn). From gateway, I can connect to any machine on our network. I would like to connect to the database hosted on machine (dbmachine) on the network (which cannot be accessed without being on the vpn unless I am first connected to the gateway).
This seems to be a common issue because I was easily able to bake this functionality seamlessly into my ssh config. Example:
Host gateway
    HostName gateway.company.org
    User marc
Host dbmachine
    HostName dbmachine.company.org
    User marc
    ProxyJump gateway
Host exampleMachine
    HostName exampleMachine.company.org
    User marc
    ProxyJump gateway
By using ProxyJump, I am able to type ssh dbmachine to seamlessly connect to dbmachine or ssh exampleMachine to seamlessly connect to exampleMachine. I want to do a similar jumping technique with Oracle SQL Developer. How can I connect to the database on dbmachine from Oracle SQL Developer?
I'm not sure what port the db is running on dbmachine, but I can access it through sqlplus when I'm logged into the box.
The answer is to create an SSH Tunnel:
ssh -L 1521:localhost:1521 -N -f dbmachine
This will forward all traffic on localhost:1521 to dbmachine:1521 (where the database is running). It will respect the user's configuration so you do not have to set up two tunnels.
-N Will not switch to remote shell
-f Requests ssh to go to background just before command execution
I'm not sure if there's a better solution that is configurable directly in a database client, but this works for me on Arch Linux.
So I have been toying around with this for a week now and it is driving me bananas. I have the native Windows 10 SSH server and client installed on both machines. Most of the time when I try to connect I get "ssh: connect to host 10.0.0.8 port 22: Connection timed out". When I realized it might be my firewall, I disabled it and tried again, only to get "ssh: connect to host 10.0.0.8 port 22: Connection refused". The only time I have gotten closer is when using an Ubuntu VM, but then when I am prompted for a password none work; I assume that has to do with the RSA key that I have yet to establish.
How can I get either (Preferably Both) of these connections to work?
Can two Windows 10 PCs even SSH to each other?
Is there a solid tut out there that I should turn to?
I would be thankful for any help on this problem.
Thank you for your time
Yes, you can use the optional Windows 10 feature OpenSSH Server (sshd) and the corresponding ssh client to make connections between two Windows 10 PCs. You can actually use any ssh standard client to connect, i.e. ssh from Linux.
When you install the "OpenSSH SSH Server (sshd)" from the optional feature settings in Windows it will also automatically create a firewall rule in the Inbound Rules folder of the Windows Defender Firewall and activate the rule. This should make it possible to connect with any ssh client to your PC.
After the installation check the following:
The Windows Service called OpenSSH SSH Server is started and running, it is set to manual start as default so it will not be running unless you have started it.
The inbound firewall rule OpenSSH SSH Server (sshd) is enabled in Windows Defender Firewall with Advanced Security
If these are active you should be able to use ssh MACHINENAME from a shell, command prompt or terminal on another PC to connect to the PC running the SSH server.
When using a Microsoft Account the user name might display a shorter version of the username when you sign-in but the password would be the same as your Microsoft Account.
I just had a similar problem. In my case, I fixed it in the services settings on windows. Make sure that the startup options of the Open SSH Agent and Open SSH Server services are set to automatic and that you start the services. At best, do a reboot afterwards. Again check whether sshd and ssh-agent in the services tab in task manager are running. Then, it should work.
I want to make my site available world wide. I'm using xampp server for hosting. I have no access to any kind of servers and modems. The situation is shown below:
My site server has local ip assigned by wifi router and it runs Windows 8.
Remember I have no access to any kind of servers and modems, so port-forwarding is impossible (out of my scope).
It's actually difficult, but not impossible.
One way, I would approach this is:
I would host a page on internet.
Then take request and store it in database.
One of my programs will always be running from my computer.
Then check for request and curl the request to localhost. For this you may use Node.js (taking data from database using GET method and curl it to localhost).
This is the best I could think of. And I am working on it, when the code is ready I'll make it open source and notify you :)
But still, it's difficult, as you need to put the user's request to sleep for 2 seconds and then transfer it.
It's slow, but may work out for you.
Disadvantages:
Program will be very slow and memory usage will be more.
Breaking may happen many times.
High bandwidth wastage
If not encrypted, MITM (man in the middle) may be possible.
Advantages:
Indirect method of hosting
No need to worry about your code being lost.
I am looking forward to a better alternative and I would like to keep this question for bounty once again.
If you cannot open the necessary ports within your LAN you will require access to an external server. However, the external server does not need to host any code, e.g.
Create a Linux based ec2 instance using Amazon's free tier.
Install a package to redirect remote to local ports:
a. using socat:
Install socat using your distributions package manager
Connect via SSH (no -N here, because the remote command runs socat): ssh -R 42500:127.0.0.1:80 -o ServerAliveInterval=60 ubuntu@xxx.xxx.xxx.xxx "socat TCP-LISTEN:8080,fork TCP:127.0.0.1:42500"
b. using a webserver and reverse proxy:
Install apache or nginx and any required reverse proxy modules and configure your VirtualHost to proxy requests to a local port, e.g. :8080 -> 127.0.0.1:42500
Connect via SSH: ssh -N -R 42500:127.0.0.1:80 -o ServerAliveInterval=60 ubuntu@xxx.xxx.xxx.xxx
Your machine is now reachable via the ec2 instance http://xxx.xxx.xxx.xxx:8080/.
I occasionally use this technique when debugging web service callbacks.
Update 17-02-2014
If you are a Windows user you will need to install a third-party tool to support ssh. Options include:
cygwin
git bash
PuTTY
PuTTY is the easiest choice if you are not familiar with *nix tools. To configure remote port forwarding in PuTTY expand the following setting: Connection -> SSH -> Tunnels. Given the previously described scenario, populate Source port as 42500, Destination as 127.0.0.1:80 and tick the Remote option. (You may also need to add the path to a PuTTY compatible private key in the Connection -> SSH -> Auth tab depending on your server configuration.)
To test you have successfully forwarded a port, execute the command netstat -lnt on your server. You will see output similar to:
tcp 0 0 127.0.0.1:42500 0.0.0.0:* LISTEN
Finally you can test with curl http://127.0.0.1:42500. You will see the output of your own machine's web root running on port 80.
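As an added example (not code from the answer above), a POSIX shell check for that netstat step: it reads netstat -lnt or ss -lnt output on stdin and succeeds only when every listener on the given port is bound to loopback, which is what you want for a -R forward (a 0.0.0.0 or :: binding means GatewayPorts is on and the tunnel is reachable from the internet). The sample netstat output is constructed; awk is assumed to be available.

```shell
#!/bin/sh
# Added example: verify that the port opened by "ssh -R" is bound to loopback only.
# Usage: netstat -lnt | listener_scope 42500   (or: ss -lnt | listener_scope 42500)
# Exit 0 = loopback only, 1 = exposed on a non-loopback address, 2 = no listener.
listener_scope() {
  awk -v p="$1" '
    {
      addr = ""
      if ($1 ~ /^tcp/ && $NF == "LISTEN") addr = $4   # netstat -lnt layout
      else if ($1 == "LISTEN")            addr = $4   # ss -lnt layout
      if (addr == "") next
      n = split(addr, f, ":")                          # port is after the last colon
      lp = f[n]
      host = substr(addr, 1, length(addr) - length(lp) - 1)
      if (lp != p) next
      found = 1
      if (host == "127.0.0.1" || host ~ /^127\./ || host == "::1" || host == "[::1]")
        print "loopback: " addr
      else { print "EXPOSED: " addr; exposed = 1 }
    }
    END {
      if (!found)  { print "no listener on port " p; exit 2 }
      if (exposed) exit 1
    }'
}

# Constructed netstat -lnt output: the tunnel port on loopback, sshd on all interfaces.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:42500         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 42500 && echo "tunnel port is loopback only"
```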
If you don't have a public IP address and cannot use port forwarding, it is impossible to host the site.
As people have said you need a public IP address. However, even if you did you should not use xampp as a public server, as it is designed for development and therefore has some security settings disabled.
I would recommend buying some shared web hosting, and uploading it to that. (You can get cheap hosting if you google 'shared web hosting', plus free .tk domains are available: http://www.dot.tk/)
Does your company have any VPN network?
If it does and you have access to the VPN network, you can include your server in the VPN network and your guest will only need to log in to your company VPN network, then access your site as in a local network without using port forwarding. And since your data is very confidential, I assume that using a VPN will also help to increase the security of your data.
Please correct me if I'm wrong.
Thank You.
What you are asking is not possible without port forwarding.
Let's break it into steps.
To host your site locally you will need a static IP so that users can access it specifically.
You will need a domain so that it can be converted into a user friendly name.
A 24x7 Internet Connection is a must! You added a Wifi Router in your diagram and most of today's routers are capable of port forwarding.
What I would do in your scenario is:
Instead of using XAMPP, I would install WAMP because I am more familiar with it and it is easy to configure. (totally personal preference)
Then I would set my server "ONLINE". (Google how to set WAMP server online)
Forward port "80" from router settings to my local computer IP address. (mostly it is tagged as "Virtual Server", "Firewall", "Port Forwarding", etc.; it varies from router to router in settings)
Suppose you have a local ip "192.168.1.3" and global/router IP "254.232.123.232" then you would redirect all the HTTP request done towards router to your local IP.
[[[[254.232.123.232]]]] --+ :80 +-- --------->192.168.1.3
That is good for now, but then you will need to tackle dynamic IP problem of router. But don't worry, thanks to some free sites that will be easy!
Go to no-ip.org -> Setup Account -> and create an entry, just a subdomain for now to test whether everything is working fine. (subdomain like mysite.no-ip.org; later purchase a real Domain)
Input your IP address there(Router IP) and download its application which will automatically update their server if your local IP changes.
Wait for some minutes and Voila! Your site is live.
I'm using winexe to communicate with Windows running inside a virtual machine on my Linux system, to perform various test scenarios. I really don't want to have to be root to start the VMs.
When I start my Linux virtual machines, which I control with SSH, I simply map the SSH port (22) to a different, non-reserved port (>1024; say 19000). So I can start the VM without requiring root privileges. Then I use ssh -p 19000 ... when I want to ssh to the VM, and it works great.
But I cannot find a way to have winexe choose a different port than the default (I'm not sure what the default port is, actually; does it use 445 like SMB?). Is there a way to do it?
Note I cannot run an SSH server on Windows; because of my test environment requirements I can't add an SSH server to the virtual machines. Plus even if I were allowed I've had nothing but pain trying to get an SSH server to work reliably on Windows.
Winexe source code shows that the client-server communications happen over SMB in named pipes. As if you would write into unix pipes over nfs.
This means it is very unlikely that you can change the port. Maybe you can do that on the Linux side, but you probably have no way to do that in your Windows VM.
I have my Openbravo appliance running by VMWare workstation on top of Win7 which is in a LAN connected to internet by router.
When I start the appliance, I can access the ERP web console by typing in the address it gave at the end of the process (for example, 192.168.1.107). All computers in the LAN can access this address as well, which is fine for now.
However, in the future, I need to access this console from my home pc running Win7 (which is, of course, connected to the internet). How do I set this up? I have tried the method given in http://planet.openbravo.com/?p=8612 (see case 3 - Expose my local ERP into a remote network)
I tried (in Openbravo Appliance console running in VMWare)
ssh -R :9999:localhost:80 myhomepc@101.108.70.128
(where 101.108.70.128 is the ip of my home pc read from whatismyip.org)
but it gives the following error:
ssh: connect to host 101.108.78.128 port 22: connection timed out
Did I miss any required step?
What should I do to successfully connect to my Openbravo instance?
Best is to ask those questions directly in the Openbravo ERP forums over there: http://forge.openbravo.com
The case 3 from the blog-post you are referring to makes 2 implicit assumptions.
a.) the remote computer runs an ssh-server
b.) This ssh-server can be connected to from the erp instance
One of the two assumptions seems to not hold in your case: either your win7 box does not run an ssh server and/or the router of your home network does not forward port 22 from the outside to your win7 box.
Without further information I assume both items are not done.
Let me propose another solution instead. As you want to connect to the commandline of the erp appliance from home you could do the following:
Configure the router of the network with the erp appliance to connect some external port (i.e. 2222) to the ip of the appliance, destination port 22.
This will allow you to access it from the home network (or any other system from the internet knowing the ip/port).
Using an external port different from 22 avoids some simple ssh brute-force password scans.
As the appliance by default does not allow login by password but only allows authentication by public-key this is secure to not allow unauthorized access to your system.
After this either use case 1 from the blog-post or a normal ssh tunnel like 'ssh -p external-port user@externalipoferplan -L 9999:localhost:22' and then access the ERP via 'http://localhost' from your win7 box.
If that is too complicated and you want to just make the ERP web interface available from the internet without having the extra ssh security in the middle, then you can just configure the router of the erp lan instead to forward port 80 or 443 (http or https) to the erp-instance and access the system directly from anywhere as if it were on some public server in the internet.