Unsecuring SSH (Alternatively, Proxying Minecraft Packets through HTTP) [closed] - ssh

Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
I've set up a Minecraft server on OpenShift, a free PaaS. OpenShift requires internal applications (like my server) to bind to a port in the range of 15000 to 35530 or port 8080. However, it also requires external clients to access the server on one of these ports: 22, 25, 80, 109, 110, 143, 220, 443, 465, 587, 993, or 995.
In other words, none of the internally exposed ports are exposed externally; however, there are two ways to communicate. One is SSH port tunneling, which I have set up on my computer already. The second one is through HTTP, which is automatically forwarded to 80 when it is sent through 8080 internally. The problem with SSH tunneling is that one needs to add a client's public key through OpenShift, and the client needs to set up their private key, which is too complicated for most of my friends.
I would like to make the connection process easier, so I thought of two possible ways of doing this. The first, which would be simpler to set up, would be to "unsecure" the SSH connections by not requiring a certain public or private key to connect. It's a game server, so security isn't an issue for me at all, but I think that this may not be possible, as SSH was built to be secure. The other way, which would be harder, would be to embed Minecraft packets into HTTP packets, which the OpenShift system automatically forwards. Perhaps this would be possible using an existing HTTP proxy system?
If anyone could help me solve this either of those two ways (or another way, if you can think of one), I would be very grateful!

Why not just create an ssh key pair specifically for this application and create a script that opens the tunnel using that specific key and then launches the program? You can also put restrictions on what any connection using that key is allowed to do (nothing).
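#!/bin/sh
# Open the tunnel in the background (-f) without running a remote command (-N).
# user@host is a placeholder for the server's SSH login.
ssh -i ~/pathtoidfile -L 25565:localhost:yourport -f -N user@host
# run minecraft to local server?
This is just off the cuff - probably not exactly correct. Also, assumes a Unix (Mac or Linux) system. For Windows, you'd have to install an ssh client (mingw?) and use cmd syntax.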

Related

Restrict ssh access to server [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 1 year ago.
I have a Raspberry Pi behind an LTE router to connect to the internet. The LTE router prevents the Pi from being assigned a static IP, so I created a service that builds a reverse ssh tunnel with auto-ssh to my private server to be able to access my Pi remotely. The problem is now, if someone gets the SD card of the Pi, he can read the private key from the file system and has access to my server.
Is there any way to protect my server from access through the ssh connection with this key while keeping the ability to build a reverse tunnel without a password?
The server is hosted by strato, which is managed by Plesk, so every domain has its own vhost file system in /var/www/vhost/domain.de. Would it be possible to isolate this space for the ssh access with exactly this key on the Pi, so the client can only see what's inside this folder? Or is there any other solution for my problem?
Create a new (tunnel) key on the raspberry, only to build the reverse tunnel to your strato server.
On your strato server, add the public key to .ssh/authorized_keys, but add in front
command="/bin/false" ssh-rsa ....
To connect, you have to add -N to ssh; this will build a tunnel but doesn't try to open a shell.
Now it's unimportant if that key gets lost, as it can only build a reverse tunnel, but cannot open a shell.
You can even use that key for all raspis to build individual reverse tunnels.
Obviously, you add on your raspi in .ssh/authorized_keys only your user key, not the tunnel key.

Can not connect to HTTPS on a server via VPN [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
I have a server at home and another on a VPS hosting. I tried to create L2TP/IPsec tunnel between them. The tunnel works and one server can access HTTP services from the other server (VPS server is client and server at home is VPN server to which I am connecting and runs HTTP and HTTPS services that I am trying to access from VPS server). But when I try to connect via HTTPS, the connection does not work.
This is what happens when I run this command from the remote server connected to the other one via L2TP/IPsec: openssl s_client -connect SERVER:443:
CONNECTED(00000003)
And if I try wget --verbose https://SERVER/:
Resolving SERVER (SERVER)... SERVERIP
Connecting to SERVER (SERVER)|SERVERIP|:443... connected.
So the connection is started, but no data is exchanged. I have tested with nmap and the port is detected as open.
I tried to connect to this VPN via my laptop and from there, I can access both HTTP and HTTPS services, but from this server, I can only use HTTP. I have tried turning off all firewalls that are on the path of the packets but the problem persists.
I know this is a very specific case, so if there is no actual answer to what the problem might be, I am at least looking for guidelines on how to debug this, as wget, curl and openssl s_client don't provide me any details, as they stay in the connection-established state.
UPDATE: I have opened 443 port on NAT on the home server and tried to connect to HTTPS service directly from VPS server without VPN and it worked. So only when I access HTTPS via VPN, the connection does not work.
The problem was the MTU setting of the L2TP connection. I had to lower the MTU to 1300, as HTTPS + IPsec add so much overhead that the packet was over 1500, which is the upper limit of Ethernet, and SSL packets set the DF (Do not fragment) flag on Layer 3, which disables packet fragmentation.
Normally, the server would send a special ICMP message to notify the VPN server about this problem, but I had ICMP blocked by the firewall, so there was no error; the connection just could not be established, as the packets were too big and were simply dropped.

tunneling to my private ip from outside network [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I want to telnet or ssh to my PC (Mac) at home from my office. How can I do this? The problem is that I'm using a router with a private IP. The gateway is 192.168.1.1 and my PC is 192.168.1.100. I think I should be able to do this when I forward the port in the router settings. But the problem is that I don't have a public IP. My ISP only gives me a dynamic IP (DHCP); my router's external IP is just another private IP, which is connected to another gateway (another level of LAN) to which of course I don't have any access. So is it still possible to get access to my computer using telnet? I read about reverse ssh, but that only works if I set up the connection first from my PC. In my case there's nobody near my PC now. I just turn it on so I can hopefully access it.
Is there any workaround ? or it's just impossible to do that ?
Thanks
As you don't have a stable IP, I can only think of two options:
VPN
Were you to make a VPN with your local network, and then connect to said VPN, it would give you access to everything on the network.
Reverse SSH
With reverse SSH you make use of an external server, and set up a listening ssh session. Then, on the external server you can connect to the device behind the router without being bothered by firewalls/port forwarding/etc...
You could do this with:
On the device on the home network: ssh -f -N -R 1234:localhost:22 remote_user@remote.server.example
Where 1234 is the port that the remote would use to forward to the device
remote.server.example is the remote's address
Then, on the remote server: ssh -p 1234 -t device_user@localhost

Open ssh connection in one line command with out public key [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Is there any way to open an ssh connection without using interactive password authentication and without public keys? I need to run a command on the remote server, all without manual intervention. I know that I can use a script, but I don't have any example. The application will be running on different machines, so it's a bit hard to create a public key for every machine.
Everything is possible with the right configurations, but there are some security points to consider.
You certainly don't want everyone on the net to be able to execute any command on your server. So simply allowing everything is not a good idea.
Everyone who has your application on a computer under her control can do everything that your application can do ... and maybe more, if the application has limits only built into itself, not on the server side.
You can distribute a private key with your application (and pass to SSH on connection), but of course then anyone having the application can extract this key. (If the application can access it, so can do any attacker who has control over it.)
You could also distribute a password with your application and somehow pass it to ssh, but still, in principle anyone who has the application can get the password.
If there is always the same command to be executed (maybe with different inputs), you can force this specific command at the server-side - for example, for a specific public key in the authorized_keys file. Or you could create a SSH subsystem and only allow this by server configuration.
On the server side, you can put additional limits by IP address or host name, but this is not really secure (IP addresses can be faked, for example). If the computers on which the application is to be run have already existing SSH installations, they should have host keys, and maybe you can do host authentication. But this is still only really useful if these hosts are under your control, more or less.
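Added example (not part of the original answers, and not OpenSSH's own code): a small Python audit of authorized_keys entries, covering the forced-command idea in the answer above and the command= tunnel key from the Raspberry Pi answer earlier on the page. It goes beyond the page by also reading the restrict, permitlisten and permitopen options from sshd(8); the sample entries, key blobs and port 2222 are constructed.

```python
import re
# Token that ends the options field (assumption: the common OpenSSH key types).
KEYTYPE = re.compile(r"(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")

def parse_options(line):
    """Return the ordered option list of one stripped key line ([] if it has none)."""
    if KEYTYPE.match(line.split()[0]):
        return []
    opts, tok, quoted = [], "", False
    for prev, c in zip(" " + line, line):
        if c == '"' and prev != "\\":
            quoted = not quoted              # commas and blanks inside "..." are data
        if not quoted and c in ", \t":
            opts.append(tok)
            tok = ""
            if c != ",":
                break                        # first unquoted blank ends the options
        else:
            tok += c
    return opts

def audit(line):
    """Findings for one entry; [] means no shell, no pty and no open-ended forwarding."""
    allow = {"pty": True, "port-forwarding": True}   # what a key without options may do
    forced, limits = False, set()
    for opt in parse_options(line):                  # options are applied left to right
        name = opt.split("=", 1)[0].lower()
        if name == "restrict":
            allow = dict.fromkeys(allow, False)
        elif name.removeprefix("no-") in allow:
            allow[name.removeprefix("no-")] = not name.startswith("no-")
        elif name == "command":
            forced = True
        elif name in ("permitlisten", "permitopen"):
            limits.add(name)
    fwd = allow["port-forwarding"]
    checks = [(not forced, "no forced command"), (allow["pty"], "pty allowed"),
              (fwd and "permitlisten" not in limits, "remote forwards (-R) not limited"),
              (fwd and "permitopen" not in limits, "local forwards (-L) not limited")]
    return [msg for bad, msg in checks if bad]

SAMPLES = [  # constructed entries; key blobs and port 2222 are placeholders
    'ssh-rsa AAAA-placeholder pi-tunnel',
    'command="/bin/false" ssh-rsa AAAA-placeholder pi-tunnel',
    'restrict,port-forwarding,permitlisten="localhost:2222",command="/bin/false" '
    'ssh-ed25519 AAAA-placeholder pi-tunnel']
if __name__ == "__main__":
    for entry in SAMPLES:
        print(audit(entry), "<-", entry)
```

The second sample is the entry form from the tunnel-key answer: the forced command removes the shell, but the audit still reports a pty and forwarding that is not tied to specific ports.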
For security issues, a password (if you don't use a certificate) will always be asked of you interactively, unless you configure the server in an advanced way.
You can use a certificate, by inserting the password one time.
Take a look at this
On Debian, a tool exists for this and it's called sshpass (a noninteractive ssh password provider)
It comes with lots of warnings and caveats though! Be sure you assess the risks properly before continuing down this path...

How to expose my localhost to the WWW? (port forwarding?) [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 5 years ago.
I am running Apache/php on my localhost and would like to be able to make this publicly accessible from the internet.
I think this is achieved by port forwarding? Can someone point me in the right direction?
Well sir, you should try ngrok; it is free and works with everything that I throw at it (node servers, xampp etc.)
It depends on the connection you have.
If your machine has a public IP address, it's on the Internet already. Then all you need is to allow connections to port 80, both on the local firewall and the home/corporate firewall.
If your machine is behind a set-top-box, or inside a corporate network, chances are that you're not on the Internet. In some instances, a router does NAT (Network Address Translation) between a local (non-routable) network and the Internet. In this particular case, you need to set up port forwarding on the set-top-box or router.
You might want to check out Pagekite - it's an open-source software that allows you to expose your local resources to the outer internet without you needing to reconfigure your router or firewall.
There's a similar service called Show off which does much the same thing, although it seems a bit more limited.
You could try beame-insta-ssl, it's a good way to get free tunneling services and a free SSL certificate to expose your localhost. It's open source on git here: https://github.com/beameio/beame-insta-ssl/
Only port forwarding would work, but you would need to connect to your server through its IP.
Take a look at dyndns.com; there you can get a DNS ID that points to your server.
After that, you set your router port 80 (HTTP) or 443 (HTTPS) to point to your PC HTTP server port (this can be any port you wish).
It depends on what you mean by localhost. Each system has its own "localhost".
If you mean that you have something like: "your system"<-->"gateway/wifi router"<-->Internet, then you should configure port mapping from your router's external interface to your server's IP address. Check your gateway/router documentation for more information.
Another tool for port forwarding through OpenVPN or SSH tunnel is https://portmap.io . If you're running multiple vhosts on local Apache, you can set host-header with required hostname.