SSH Tunnelling#
SSH Tunnelling
is often used to create an encrypted connection between local machine and a remote server which relay traffic. Through the secure tunnel, it can protect unencrypted traffic, such as VNC or database connection, from being eavesdropping.
Depends on the situation, there are 3 ways to create tunnelling with SSH port forwarding.
- Local port forwarding
- Remote port forwarding
- Dynamic port forwarding
Choosing which tunnelling depends on the firewall configuration. Refer to the prerequisite
sections below.
SSH Local Port Forwarding#
SSH local port forwarding
allows you to securely access a service running on a remote server through an encrypted SSH tunnel.
Prerequisite
Local port forwarding can only be used provided you can successfully establish a SSH connection (22/tcp) to the SSH server through the firewall. This means the firewall has to grant access to to SSH server on port 22/tcp.
Here’s the cmdline to create a SSH local port forwarding:
ssh -L [bind_addr]:<port>:<host>:<host_port> <ssh_server>
Below is the diagram to show how local port forwarding
connection works:
- Established the secure tunnel [blue]
- Connect from client(*) to web1:8080 (or web2:9090) in clear text traffic [yellow]
The flow diagram on the left, is a typical way how remote worker can establish remote access with local port forwarding
. However, it can be extended to the flow diagram at the right, to allow other to access web server (web2 at port 9090/tcp).
Scenario 1 (left)#
Run the below cmdline at client, and point the (client) browser to http://localhost:8080
, should be connecting to http://web1:8080
ssh -L 8080:web1:8080 user@ssh_svr
Scenario 2 (right)#
Run the below cmdline at client, and allow other’s to browse at http://client:9090
, should be connecting to http://web2:9090
ssh -L 0.0.0.0:9090:web2:9090 user@ssh_svr
SSH Remote Port Forwarding#
SSH remote port forwarding
allows remote server to access a service running on local machine/network through an encrypted SSH tunnel.
Prerequisite
Remote port forwarding is only useful when you have a SSH server that locates at the Internet and is accessible by both client and remote worksapce.
Here’s the cmdline to create a SSH remote port forwarding:
ssh -R [bind_addr]:<port>:<host>:<host_port> <ssh_server>
Below is the diagram to show how remote port forwarding
connection works:
- Established the secure tunnel [blue]
- Connect from remote to web:8080 in clear text traffic [yellow]
Scenario#
Run the cmdline below at the client to establish the tunnel. Then the remote workspace can browse to http://fport:80 and the traffic will be redirected to http://web:8080.
ssh -R 0.0.0.0:80:web:8080 user@sshd
In this case, the fport can be the same IP address as sshd.
SSH Dynamic Port Forwarding#
SSH dynamic port forwarding
provides greater flexibility for client to connect into Intranet (or datacenter) via SOCKS proxy server.
Prerequisite
Dynamic port forwarding turns on the SOCKS proxy at SSH server. It allows the client browser to connect to any server behind SSHD server with the SOCKs proxy config. And all these must require access to SSHD server at port 22/tcp, (similar to local port forwarding setup).SOCK DNS setup: At Firefox browser, setup
about:config > network.proxy.socks_remote_dns;true
Here’s the cmdline to create a SSH dynamic port forwarding:
ssh -D [bind_addr]:<port> <ssh_server>
Below is the diagram to show how dynamic port forwarding
connection works:
- Established the secure tunnel [blue]
- Setup SOCK proxy at browser by pointing to client and SOCK port.
- Ensure SOCK DNS is configured (see above).
Scenario#
Run the cmdline below at the client to establish the tunnel. Then configure the browser SOCK proxy and pointing to socks://client:1080 with remote SOCK DNS setup (for SSHD server to resolve the destination dynamically), then the browser will able to browse to any HTTP/HTTPS server behind the SSHD server.
ssh -D 1080 user@sshd
Additional Tips#
To disable remote shell when creating tunnel (port forwarding), use -N
.
To make SSH session into background, add the -f
.
Additional 2 options can be applied while creating tunnel (port forwarding) as below:
ssh -f -n -N ... user@ssh_server
-f To run/put SSH request at background. -N To disable remote shell cmd execution. -n Redirects stdin from /dev/null (no input from stdin). Must used together with -f (backfround).
Tunnelling Detection#
Due to the nature of how SSH protocol works, it is possible for firewall, such as Palo Alto firewall (PAN-OS), to allow SSH traffic but blocking the SSH tunnelling.
The firewall checks the traffic between the client and server to see if it is routed normally or if it uses SSH port forwarding (SSH tunneling). If the firewall identifies SSH port forwarding, the firewall blocks the tunneled traffic and restricts it according to the configured Security policy. The firewall only looks for SSH port forwarding, it does not perform content and threat inspection on SSH tunnels.
- PAN-OS Adminitrator Guide: SSH Proxy
- Metallic Code: Detecting SSH Tunnels
- Trisul: Traffic analysis of Secure Shell (SSH)
- Trisul: Detecting SSH Tunnels
Tools for SSH Tunnelling#
These are the tools used for automating SSH tunnelling creation.
About SSH Protocol Stack#
SSH is organized as 3 protocols that run on top of TCP: SSH User Authentication Protocol, SSH Connection Protocol, SSH Transport Layer Protocol.
SSH Transport Layer
- responsbile for server authentication, confgidentiality, integrity and compression.
- focus on the 3 functions: Host Keys, Packet Exchange, and Key Generation.
SSH User Authentication Protocol
- responsbile for authenticates user/client to the server.
- focus on main 3 functions: Message Types and Formats, Message Exchange and Authentication Methods.
SSH Connection Protocol
- responsible for multiplexes the encrypted tunnel into several logical channel.
- focus on main 3 functions: Channel Mechanism, Channel Types and Port Forwarding.
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| SSH_User_Auth | SSH_Connection |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
+ SSH_Transport_Layer +
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| TCP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| IP |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Here’s the cmd that I generate the SSH protocol stack above:
$ protocol "SSH_User_Auth:16,SSH_Connection:16,SSH_Transport_Layer:64,TCP:32,IP:32" -n
Links#
- SSH Protocol Stack
- Trisul-scripts
- HoldMyBeer: Detecting SSH Brute Forcing with Zeek
- Mozilla OpenSSH Security Guide: Providing a sane baseline policy recommendation for SSH configuration parameters (eg. Ciphers, MACs, and KexAlgos).