How to use ssh tunneling to access restricted servers and browse securely

Have you ever been told that in your network serverX can only be reached from serverY via SSH? You can reach serverY from your own PC with a normal SSH login, but not serverX directly.

What can you do in a situation like this if you need to work with the restricted serverX? You can always ssh into serverY and then ssh again into serverX to check your work, read a log, or whatever. But what if a database server or a WebLogic Server instance is running on serverX, and you want your local PC's tools to talk to it (for example the WLS admin console in a browser, or SQL Developer connecting to the database)? That is where ssh tunneling helps, and here is how.

1. Establish a connection to serverY, the host you can reach from your PC, and at the same time create a tunnel to serverX (the restricted server): serverY will relay traffic between a port on your local PC and the service on serverX. It sounds involved, but it is a single command. For example, this is how I reach the WLS Admin Console running on serverX. On your own PC, open a terminal and run:

bash> ssh -L 12345:serverX:7001 serverY

This prompts you for your ssh credentials on serverY. Once logged in, keep the terminal open. The tunnel is now established: ssh listens on port 12345 on your own PC and forwards each connection, through serverY, to port 7001 on serverX, which is where the WLS admin console is running.

2. Open a browser on your own PC and go to http://localhost:12345/console

Now you should be able to access the WLS admin console of your restricted serverX!


Besides carrying the interactive session itself, the ssh protocol can tunnel other traffic between two hosts. The most common ssh tunnels are local and remote. Knowing how to spin up an ssh tunnel can help you reach otherwise inaccessible networks and systems.

Local SSH Tunnel with Port Forwarding

You can use a local ssh tunnel when you want to get to a resource that you can’t get to directly, but a ssh server that you have access to can. Here are some scenarios.

Proxy to Remote Server

In the image above, the blue host cannot reach http://192.168.0.3 but can ssh to 192.168.0.2. The following ssh command executed on the blue host will allow the blue host to reach the red host.

Now the blue host can open a browser, and go to http://localhost:8080 and be presented with the webpage hosted on 192.168.0.3.

Local Port Forward

In the image above, the blue host wants to connect to the red host on port 80 but there’s a firewall in between which is denying this. Because the blue host can ssh to the red host, we can create a local port forwarding ssh tunnel to access that port.

The command on the blue host will be:

Now when the blue host opens a browser and goes to http://localhost:8080 they will be able to see whatever the red server has at port 80.

Local Port Forwarding Syntax

This syntax to create a local ssh port forwarding tunnel is this:

Remote SSH Tunnel with Port Forwarding

In this scenario we are creating a reverse ssh tunnel. Here we can initiate an ssh tunnel in one direction, then use that tunnel to create an ssh tunnel back the other way. This may be useful for when you drop a drone computer inside a network and want it to “phone home”. Then when it phones home, you can connect to it through the established ssh tunnel.

We are on the green host and want to ssh to the blue host. However, the firewall blocks this connection directly. Because the blue host can ssh to the green host, we can connect using that, and when the green host wants to ssh back to the blue host, it can ride along this previously established tunnel.

Blue host initiates ssh tunnel like this:

This opens port 2222 on the green host, which is then port forwarding that to port 22 on the blue host. So if the green host were to ssh to itself on port 2222 it would then reach the blue host.

Green host can now ssh to blue host like this:

Using the -N Option

When using ssh, you can specify the -N flag which tells ssh you don’t need to send any commands over the ssh connection when it’s established. This option is often used when making tunnels since often we don’t need to actually get a prompt.

Autossh

The autossh command is used to add persistence to your tunnels. The job it has is to verify your ssh connection is up, and if it’s not, create it.

Here is an autossh command which you may recognize.

The -i /home/blueuser/.ssh/id_rsa option tells ssh to authenticate this connection with that private key (identity) file instead of a password.

Now when your tunnel goes down it will automatically try to reconnect and keep trying until it is successful. To make it persistent through a reboot, add the ssh command as a cron job.

The fastest, most robust Telnet Server for Windows and SSH Server for Windows on the market!

The GSW Business Tunnel is a versatile and secure connectivity tool that allows you and your coworkers secure access to required network services that are often risky due to non-secure locations or impossible due to firewall configurations.

With the GSW Business Tunnel, secure tunnels are built over a network between the Business Tunnel Software and an SSH Server. Each tunnel may contain one or more channels where encrypted traffic is encapsulated and is sent through an encrypted channel providing the security you need to confidently connect over a wifi network.

Scenario: Matt is on vacation, but his company needs him to run payroll today. He does not want to risk accessing payroll via non-secure internet access.

Solution: Matt can create a secure tunnel for his laptop to access his company's payroll website. He can securely browse the internet using the GSW Business Tunnel by using a generic SSH Server on the Amazon Cloud. By setting up the Tunnel, the Channel within the Tunnel and the browser configuration on his computer, Matt can be set up to browse securely within minutes.

Setting up the Tunnel –

  1. Set the address of the SSH Server Host. This is provided when you set up your Amazon Cloud.
  2. Set the Authentication Requirements. This is the logon ID and the private key provided when you set up the Amazon Cloud.

Setting up the Channel –

  1. Select Dynamic Port Forwarding
  2. Use the loopback address
  3. Choose an available port for the local port.

Setting up your Browser Configuration –

  1. Enable the Proxy Server
  2. Click on Advanced (this opens the proxy settings)
  3. Configure the Proxy Address and Port Number. The local address and local port from the channel configuration are used in the browser configuration. These must match.
  4. Click OK, OK, and Apply!

Matt can now use the GSW Business Tunnel to securely browse the internet through the SSH Server on the Amazon Cloud.

I can use my home computer A to connect by SSH to a server B where access to the external network is blocked. In other words, all requests to the Internet from B throw an error: Network is unreachable. Can I redirect all these requests to pass through computer A, which has unrestricted access to the Internet?

Server B is a server which hosts one of my websites. I want to download files in order to install some software, but the connection is blocked. I was able to transfer files, but it was complicated because the software versions are different on A and B, so the dependencies were different and it required different files on A and B.

I searched on the Internet and it seems that I need a reverse tunnel. But I only found solutions where a port is redirected, which is not what I need, since I don't want B to access A but the Internet.


You can run a proxy on Computer A that computer B would then connect to in order to access the internet through Computer A.

Something like this:

Install a proxy like squid on A which listens on port 3128, and then you can ssh to the server with this –
ssh -L 3128:127.0.0.1:3128 [email protected]

That will allow B to access the internet through A.

Just adding some more, clearer steps to @Lawrence's and @SpiRail's answers.

Do the setup as follows:

Setup on Host A:

  1. Install the proxy server Squid on Host A. By default Squid listens on port 3128.
    yum install squid
  2. Comment out http_access deny all, then add http_access allow all in /etc/squid/squid.conf
  3. If Host A itself uses some proxy, say 10.140.78.130:8080, to connect to the internet, then also add that proxy to /etc/squid/squid.conf as follows:

Setup on Host B:

  1. Add the following entries to /etc/environment
  2. source /etc/environment

Now our setup is complete.

Creating SSH tunnel with Remote port forwarding

Run the following SSH command from Host A
ssh -R 3129:localhost:3128 [email protected]

If you want to make persistent SSH tunnel, you can use autossh as follows:
autossh -M 20000 -f -NT -R 3129:localhost:3128 [email protected]
For the above autossh command to work, you need SSH keys set up from Host A to Host B.

  • This will allow Host B to access the internet through Host A.
  • Checking the internet:

    1. Run the following command from Host B
      wget https://google.com

    Traffic flow diagram: (image not reproduced)

    If you want to send your web browser traffic—and only your browser traffic—through a proxy, Mozilla Firefox is a great option. It uses your system-wide proxy settings by default, but you can configure separate proxy settings for Firefox only.

    Generally, you’ll use a proxy if your school or work provides it to you. You could also use a proxy to hide your IP address or access geoblocked websites that aren’t available in your country, but we recommend a VPN for that instead. If you need to set up a proxy for school or work, get the necessary credentials from them and read on.

    Firefox is unique here because Chrome, Edge, and Internet Explorer don’t allow you to set a custom proxy server. They only use your system-wide proxy settings. With Firefox, you can route only some web traffic through the proxy without using it for every application on your system.

    To access proxy settings in Mozilla Firefox, click on Firefox’s menu and go to Options.


    Click the “Advanced” icon at the left side of the Preferences window, click the “Network” tab at the top of the window, and then click the “Settings” button under Connection.


    You can select four different proxy options here. By default, Firefox is set to “Use system proxy settings”.

    • No proxy: Firefox won’t use a proxy server, even if one is configured in your system-wide proxy settings.
    • Auto-detect proxy settings for this network: Firefox will use the Web Proxy Auto-Discovery Protocol, also known as WPAD, to detect the appropriate proxy for your network. This feature is sometimes used only on business and educational networks to automatically provide the necessary proxy settings to all PCs on a network.
    • Use system proxy settings: Firefox follows whatever proxy settings you have configured in your system settings. If you don’t have a system-wide proxy configured, Firefox won’t use a proxy.
    • Manual proxy configuration: Firefox allows you to manually set custom proxy settings that will only be used for Firefox itself.


    If you select “Manual proxy configuration”, you’ll need to enter your proxy server settings in the boxes here. Your proxy service provider—or employer, if it’s provided by your employer—will be able to provide the settings you need.

    Enter the address of the proxy server you want to use for normal, unencrypted HTTP browsing connections in the “HTTP Proxy” box. You’ll also need to enter the port the proxy server uses in the “Port” box.

    You’ll usually want to click the “Use the proxy server for all protocols” option. Firefox will also use your HTTP proxy server for SSL-encrypted HTTPS connections and File Transfer Protocol (FTP) connections.

    Uncheck this box if you want to enter separate proxy servers for HTTP, HTTPS, and FTP connections. This isn’t common.


    If you’re configuring a SOCKS proxy, leave the HTTP Proxy, SSL Proxy, and FTP Proxy boxes empty. Enter the address of the SOCKS proxy into the “SOCKS Host” and its port into the “Port” box.

    When you’re hosting a SOCKS proxy on your local PC, you’ll need to enter 127.0.0.1 and the port the SOCKS proxy is listening on. For example, you’ll need to do this if you create an SSH tunnel using dynamic port forwarding and want to send your browsing traffic through it. Firefox will send your browsing activity through the proxy server running on your local computer.

    By default, Firefox uses SOCKS v5 for the connection. Select SOCKS v4 if your SOCKS proxy uses the older standard instead. If you’re not sure, leave the option set to SOCKS v5.


    Firefox also allows you to provide a list of addresses that it will bypass the proxy for. Enter these in the “No Proxy for” box. By default, the list here includes localhost and 127.0.0.1 . These addresses both point to your local PC itself. When you attempt to access a web server running on your PC, Firefox will access it directly rather than attempting to access the addresses through the proxy.

    You can add other domain names and IP addresses to this list. Just separate each address in the list with a comma followed by a space. For example, if you want Firefox to access howtogeek.com directly instead of accessing howtogeek.com through the proxy, you’d add howtogeek.com to the end of the list like so:

    If Firefox can't access the proxy server you configure (for example, if the proxy server is down, if your Internet connection is down, or if you entered the details incorrectly), you'll see an "Unable to find the proxy server" error message when you attempt to access a website.

    You’ll need to go back into Firefox’s proxy server settings and either disable the proxy or fix your proxy settings to browse the web.

    SSH tunneling (also referred to as SSH port forwarding) is simply routing the local network traffic through SSH to remote hosts. This implies that all your connections are secured using encryption. It provides an easy way of setting up a basic VPN (Virtual Private Network), useful for connecting to private networks over unsecure public networks like the Internet.

    It may also be used to expose local servers behind NATs and firewalls to the Internet over secure tunnels, as implemented in ngrok.

    SSH sessions permit tunneling network connections by default and there are three types of SSH port forwarding: local, remote and dynamic port forwarding.

    In this article, we will demonstrate how to quickly and easily set up SSH tunneling or the different types of port forwarding in Linux.

    Testing Environment:

    For the purpose of this article, we are using the following setup:

    1. Local Host: 192.168.43.31
    2. Remote Host: Linode CentOS 7 VPS with hostname server1.example.com.

    Usually, you can securely connect to a remote server using SSH as follows. In this example, I have configured passwordless SSH login between my local and remote hosts, so it has not asked for user admin’s password.

    Connect Remote SSH Without Password

    Local SSH Port Forwarding

    This type of port forwarding lets you connect from your local computer to a remote server. Suppose you are behind a restrictive firewall, or an outgoing firewall blocks you from accessing an application running on port 3000 on your remote server.

    You can forward a local port (e.g. 8080) which you can then use to access the application locally as follows. The -L flag defines the local port and the remote host and remote port it is forwarded to.

    Adding the -N flag means do not execute a remote command, you will not get a shell in this case.

    The -f switch instructs ssh to run in the background.

    Now, on your local machine, open a browser; instead of accessing the remote application using the address server1.example.com:3000, you can simply use localhost:8080 or 192.168.43.31:8080, as shown in the screenshot below.

    Access a Remote App via Local SSH Port Forwarding

    Remote SSH Port Forwarding

    Remote port forwarding allows you to connect from your remote machine to the local computer. By default, sshd binds a remote-forwarded port to the loopback interface of the remote host only, so other machines cannot reach it. You can change this with the GatewayPorts directive in the SSHD main configuration file /etc/ssh/sshd_config on the remote host.

    Open the file for editing using your favorite command-line editor.

    Look for the GatewayPorts directive, uncomment it, and set its value to yes, as shown in the screenshot.

    Enable Remote SSH Port Forwarding

    Save the changes and exit. Next, you need to restart sshd to apply the recent change you made.

    Next run the following command to forward port 5000 on the remote machine to port 3000 on the local machine.

    Once you understand this method of tunneling, you can easily and securely expose a local development server, especially behind NATs and firewalls to the Internet over secure tunnels. Tunnels such as Ngrok, pagekite, localtunnel, and many others work in a similar way.
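The direction of -L and -R is the part of the articles above that is easiest to get backwards (which end listens, which end dials, and where the hostname is resolved). The script below is an added example, not code from any of these articles: it parses the OpenSSH forwarding syntax [bind_address:]port:host:hostport (and [bind_address:]port for -D) and states in one sentence what each spec does, using the serverX/serverY, blue/red and server1.example.com cases from this page as inputs. It opens no connections; the ssh_server name passed to explain() is supplied by the caller.

```python
"""Say what an OpenSSH -L / -R / -D forwarding spec does, without opening it.

Added example, not code from any article on this page. It parses the OpenSSH
syntax [bind_address:]port:host:hostport (IPv6 hosts in [brackets]) for -L
and -R, and [bind_address:]port for -D, then states which end listens and
which end dials. The ssh_server name handed to explain() is supplied by the
caller; the sample specs in main() are the ones discussed on this page.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Forward:
    kind: str                    # "local" (-L), "remote" (-R) or "dynamic" (-D)
    bind_address: Optional[str]  # None when the spec omitted it
    port: int                    # the listening port
    host: Optional[str]          # dial target; None for -D (chosen per SOCKS request)
    hostport: Optional[int]


def _split_spec(spec: str) -> List[str]:
    """Split on ':' but keep a [bracketed IPv6 address] as a single token."""
    tokens, cur, depth = [], "", 0
    for ch in spec:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == ":" and depth == 0:
            tokens.append(cur)
            cur = ""
        else:
            cur += ch
    tokens.append(cur)
    return [t.strip("[]") for t in tokens]


def parse_forward(flag: str, spec: str) -> Forward:
    """flag is '-L', '-R' or '-D'; spec is the argument that follows it."""
    kind = {"-L": "local", "-R": "remote", "-D": "dynamic"}[flag]
    parts = _split_spec(spec)
    if kind == "dynamic":
        if len(parts) not in (1, 2):
            raise ValueError(f"bad -D spec: {spec!r}")
        bind = parts[0] if len(parts) == 2 else None
        return Forward(kind, bind, int(parts[-1]), None, None)
    if len(parts) not in (3, 4):
        raise ValueError(f"bad {flag} spec: {spec!r}")
    bind = parts[0] if len(parts) == 4 else None
    return Forward(kind, bind, int(parts[-3]), parts[-2], int(parts[-1]))


def _listen_addr(fwd: Forward) -> str:
    # No bind address or "localhost" -> loopback only. "" or "*" -> every
    # interface; for -R that also needs GatewayPorts yes in the server's sshd.
    if fwd.bind_address in (None, "localhost"):
        return "127.0.0.1"
    if fwd.bind_address in ("", "*"):
        return "all interfaces"
    return fwd.bind_address


def explain(fwd: Forward, ssh_server: str) -> str:
    """One sentence: who listens where, and who dials the final target."""
    listen = f"{_listen_addr(fwd)}:{fwd.port}"
    if fwd.kind == "local":
        return (f"the ssh client listens on {listen}; each connection is carried "
                f"over the SSH session and {ssh_server} connects to "
                f"{fwd.host}:{fwd.hostport} (the name is resolved on {ssh_server})")
    if fwd.kind == "remote":
        return (f"sshd on {ssh_server} listens on {listen}; each connection is "
                f"carried back over the SSH session and the ssh client connects to "
                f"{fwd.host}:{fwd.hostport} (the name is resolved on the client)")
    return (f"the ssh client runs a SOCKS proxy on {listen}; each connection's "
            f"target comes from the SOCKS request and is dialled by {ssh_server}")


def main() -> None:
    # Specs from this page: serverX is the restricted host and serverY the one
    # you can reach (as defined at the top of the page); blue reaches red via
    # 192.168.0.2; green is the host the blue host "phones home" to.
    for flag, spec, server in [("-L", "12345:serverX:7001", "serverY"),
                               ("-L", "8080:192.168.0.3:80", "192.168.0.2"),
                               ("-R", "2222:localhost:22", "green"),
                               ("-D", "1080", "server1.example.com")]:
        print(f"ssh {flag} {spec} {server}: {explain(parse_forward(flag, spec), server)}")


if __name__ == "__main__":
    main()
```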

    Dynamic SSH Port Forwarding

    This is the third type of port forwarding. Unlike local and remote port forwarding, which each handle a single port, dynamic port forwarding can carry TCP connections to any host and port. Dynamic port forwarding sets up your machine as a SOCKS proxy server that listens on port 1080, by default.

    For starters, SOCKS is an Internet protocol that defines how a client can connect to a server via a proxy server (SSH in this case). You can enable dynamic port forwarding using the -D option.

    The following command will start a SOCKS proxy on port 1080 allowing you to connect to the remote host.

    From now on, you can make applications on your machine use this SSH proxy server by editing their settings and configuring them to use it, to connect to your remote server. Note that the SOCKS proxy will stop working after you close your SSH session.

    Summary

    In this article, we explained the various types of port forwarding from one machine to another, for tunneling traffic through the secure SSH connection. This is one of the very many uses of SSH. You can add your voice to this guide via the feedback form below.

    Attention: SSH port forwarding has a considerable downside: it can be abused to bypass network monitoring and traffic filtering programs (or firewalls), and attackers can use it for malicious activities. In our next article, we will show how to disable SSH local port forwarding. Stay connected!


    This is a basic guide to SSH dynamic port forwarding. It is intended as an introduction to this technology for intermediate to advanced computer users in the hopes that it will be useful. It is not intended to be the best nor most comprehensive guide on the subject. I found a similar document here.

    SSH is a protocol for secure (encrypted) communications, most commonly used for remote login sessions to the command line on various Unix-like environments (Linux, Solaris, BSDs, Darwin, etc.). Many academic and other institutions offer accounts on Unix clusters or other machines with a Unix-like operating system. Often these accounts allow login using SSH. If you do not already have one of these accounts, you may be able to get one at one of the sites listed here. [Note: I do not endorse any of the services.]

    Most other Internet traffic can also be transmitted through this secure channel through several options called “tunneling” or “port forwarding”. Here I will introduce one of these methods, called “dynamic port forwarding”, which I find particularly useful. It emulates a SOCKS proxy on the local computer, which Internet applications can then use to tunnel their traffic. [Note: If you are using a corporate computer, restrictions may prohibit this from being done.]

    Note that this specific method only works for outgoing TCP connections. UDP connections and incoming connections cannot take advantage of this method. If you need to listen to incoming connections from specific ports (and those ports are not already reserved on the SSH server computer), you can use remote port forwarding; it is pretty straightforward, but outside the scope of this tutorial.

    A similar but more versatile method that is often used to solve many of the same problems is a secure virtual private network (VPN). However, VPN services may not always be available in many institutions, or may cost additional money.

    Part 1: setting up the SSH connection

    • You need an SSH client. For Windows I recommend the free (libre) GUI client PuTTY with lots of features, including the ones we will need. PuTTY will be used for the rest of this section.
    • Run PuTTY. It starts in the "Session" screen; fill in the settings for your SSH connection. The fields "Host Name" and "Port" are pretty self-explanatory. You can enter the username too by filling in the "Host Name" field in the "username@hostname" format. Make sure "SSH" is selected in "Connection type:".
    • Go to the “Connection” -> “SSH” -> “Tunnels” screen to configure our tunnel.
      • Under "Add new forwarded port:", enter some big integer of your choice in the "Source port" field. (The first thousand or so ports are sometimes reserved by the operating system, so pick something bigger.) Here I will arbitrarily choose 1080 (the SOCKS port).
      • Leave the “Destination” field blank.
      • Select the “Dynamic” radio button.
      • Click the “Add” button. You should see a line in the text box that reads “D1080” (or whatever number you chose).
      • (For those interested, this is the “-D” option in OpenSSH.)
    • (Optional:) By default a login session is opened in the terminal, which usually runs a "shell", allowing you to run commands on the command line on the remote computer. If you absolutely do not wish to use this, you may be able to disable it via the following:
      • Go to the “Connection” -> “SSH” screen.
      • Check the “Don’t start a shell or command at all” box.
      • (For those interested, this is the “-N” option in OpenSSH.)
    • (Optional:) At this point, it is a good idea to create a saved session, so you do not have to go through this process every time. If you wish to do so, go back to the “Session” screen; enter a name for the session and click “Save”.
    • Now you can open the connection. Click the “Open” button at the bottom.
    • The session window will open. If this is your first time connecting, it will ask you to add the key; “yes” is recommended. Enter the password when prompted. (You may also set it up to authenticate using public key instead of password, but that is beyond the scope of this tutorial.)
    • The login session is now connected. As long as the session is open, you will have a SOCKS proxy running on the local computer (localhost) at port 1080 (or whatever port you chose).

    Part 2: using the SOCKS proxy

    Method 1: SOCKS-supporting applications

    Many applications support using SOCKS proxies to connect.
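What a SOCKS-supporting application actually sends to that listener (whether created with `ssh -D`, PuTTY's "Dynamic" forward, or the GSW channel described earlier) is the SOCKS5 handshake from RFC 1928. The script below is an added example, not code from any article on this page: it builds and decodes those bytes with no network I/O, and exposes the one detail that matters for privacy, namely whether the hostname travels inside the request (ATYP 0x03, resolved by the SSH server, which is what Firefox's "Proxy DNS when using SOCKS v5" setting does) or an IP literal the application already resolved through the local resolver (ATYP 0x01). The hostnames and addresses in the sample calls are constructed.

```python
"""SOCKS5 (RFC 1928) messages as a browser sends them to an `ssh -D` listener.

Added example, not code from any article on this page. No network I/O: it
builds and decodes the bytes so that what "SOCKS v5" in Firefox or "Dynamic"
in PuTTY puts on 127.0.0.1:1080 can be inspected. Hostnames and addresses
used in the sample calls are constructed.
"""
import ipaddress
import struct
from typing import Tuple

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
NO_AUTH = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY_CODES = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def client_greeting() -> bytes:
    """VER=5, NMETHODS=1, METHODS=[0x00]: no authentication, which is all
    `ssh -D` offers; the server answers 05 00 to accept it."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])


def build_connect(host: str, port: int) -> bytes:
    """CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    A hostname goes out as ATYP 0x03 (length-prefixed), so the SSH server
    resolves it. An IP literal goes out as ATYP 0x01/0x04, which is what an
    application that resolved the name itself (via the local resolver) sends.
    """
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for a SOCKS5 domain address")
        atyp, addr = ATYP_DOMAIN, bytes([len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


def parse_connect(msg: bytes) -> Tuple[int, str, int]:
    """Decode a CONNECT request into (atyp, host, port); rejects anything else."""
    if len(msg) < 4 or msg[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if msg[1] != CMD_CONNECT:
        raise ValueError(f"unsupported command {msg[1]:#04x}")
    atyp = msg[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(msg[4:8])), msg[8:]
    elif atyp == ATYP_IPV6:
        host, rest = str(ipaddress.IPv6Address(msg[4:20])), msg[20:]
    elif atyp == ATYP_DOMAIN:
        n = msg[4]
        host, rest = msg[5:5 + n].decode("idna"), msg[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp:#04x}")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return atyp, host, struct.unpack("!H", rest)[0]


def dns_resolved_remotely(request: bytes) -> bool:
    """True when the request carries a name, i.e. no local DNS lookup happened."""
    return parse_connect(request)[0] == ATYP_DOMAIN


def parse_reply(msg: bytes) -> str:
    """Human-readable status from the server's reply (VER REP RSV ATYP BND...)."""
    if len(msg) < 2 or msg[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_CODES.get(msg[1], f"unknown reply {msg[1]:#04x}")


if __name__ == "__main__":
    # Constructed sample: what Firefox sends for https://example.com with
    # remote DNS enabled, and what an application that resolved locally sends.
    for target in [("example.com", 443), ("192.168.0.3", 80)]:
        req = build_connect(*target)
        print(req.hex(" "), parse_connect(req), "remote DNS:", dns_resolved_remotely(req))
```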


    IT and system administrators are faced with a dilemma: how to ensure people working from home can access specific internal systems securely. Allowing VPN access is not an ideal solution if access is needed only to a particular Windows application or internal website.

    Another example of specific access: a remote worker would need to transfer files to/from a Linux/Unix/Windows system that under normal operation would have no access from the demilitarized zone (DMZ). These extraordinary times require easy-to use and easy-to-deploy solutions to get the work done remotely without sacrificing security in the process.

    Here are five ways our solution PrivX, typically deployed for privileged user access, can be used to provide easy, secure, restricted and monitored remote access to all employees working out of the office with just their favorite modern web browser.

    1. Multi-Factor Authentication (MFA) for employee access

    Option 1) Leverage your existing LDAP user directory, for example an on-premise Active Directory together with a Time-based One-time Password (TOTP) to enforce Multi-Factor Authentication (MFA) for your employees. They will log in to the PrivX GUI with their browser using their familiar domain password and TOTP from an authenticator application like Microsoft Authenticator or Google Authenticator – installed on the user’s mobile phone.

    Option 2) If you have an OpenID Connect (OIDC) Identity Provider that already enforces MFA, for example Microsoft Azure Active Directory, you can use it to authenticate PrivX users.

    Option 3) Alternatively, the PrivX GUI can be configured to use an X.509v3 certificate client authentication for Active Directory users, for example to authenticate PrivX users with a smart card.

    2. Temporary access to authorized targets – without passwords

    PrivX provides role-based access controls (RBAC) to authorized targets that consist of both the target host and target account. The configured target account can be either the user’s personal account that enables your employee to log in as self, or a shared account.

    PrivX uses ephemeral certificates that are created just-in-time and used automatically when the user initiates an Secure Shell (SSH) or Remote Desktop Protocol (RDP) connection from the PrivX GUI to the authorized target. The certificates are short-lived and disappear automatically soon after the authorization, so there are no leave-behind credentials for anyone to share or steal.

    For a shared target account, it is also possible to configure stored credentials that are never revealed to the PrivX user. So even when using shared accounts, the user cannot share any credentials to anyone else.

    In both cases there is always a solid audit trail of activities linked to an individual, and there is no need to distribute any credentials or show any secrets to the user at any point. This is a great boost to security.

    If the conditions that grant access to the PrivX user no longer apply, for example the user is removed from an Active Directory group configured in the role, then the authorized target(s) is no longer available in the user’s allowed connections and any ongoing connections are disconnected. No need to wait for the user to log out for changes to take effect.

    If needed, you can use PrivX to grant temporary access, for example by granting a time-limited access for 10 hours that expires automatically after the time is up. In this case, the authenticated PrivX user requests a role via PrivX and one or more steps (with approval roles) have to be approved before the role is granted to the user. Once again, no leave-behind credentials for anyone to misuse.

    3. Restricted Windows RDP access to targets or applications

    You can also grant limited RDP access to specific targets, for example RDP without file transfer or clipboard could be allowed for some PrivX users to login as self to access their Windows workstations.

    You can restrict access even further. Together with the target host Windows configuration you can allow only particular Windows application(s) to be used on Windows Servers. If PrivX session recording is enabled for the authorized target host, monitored RDP connections can be viewed as a video and transferred files downloaded by your auditors or PrivX administrators.


    4. Restricted SSH access

    Any target host running a secure shell server can be configured with PrivX Roles to allow restricted access. Secure Shell access via the PrivX GUI is restricted by design to Shell (terminal) and File Transfers only. Access from the internet to PrivX Server itself should be restricted in your firewall/load balancer to the PrivX GUI only.

    SSH access can be restricted further, for example, to allow only File Transfers. The target host operating system file permissions apply to the target account within the SFTP connection. If the PrivX session recording is enabled for the authorized target host, also the uploaded/downloaded files are recorded in addition to the terminal session for viewing.

    5. Restricted HTTPS/HTTP web access

    You can also restrict access to specific networks/target hosts only when connecting from the PrivX GUI to websites. Logging in as self to a web target is possible if the user provides their own credentials for the web service. Again, optional session recording is possible. If needed, the additional PrivX Extender component can be used to access web targets (as well as SSH and RDP targets) in a private network or virtual private cloud (VPC).

    Remote access management made easy

    Our solution, PrivX, is a quick-to-implement and scalable privileged access management (PAM) solution that extends to all employees working from home for establishing secure remote access to web applications. It’s a viable alternative for VPNs and other traditional remote secure access tools. Setting it up takes only days, it can be installed remotely and it requires virtually no maintenance. You are in control of costs: start small and scale if needed.


    Can the SSH Forward tunneling destination be restricted on a per user basis?

    Example: client ‘a’ can forward tunnel to 192.168.10.2:22 – only. Client ‘b’ can forward tunnel to 192.168.11.2:22 – exclusively.

    Update

    I’m looking to restrict the following tunneling command, on a per user or per group basis:

    • client_a can forward tunnel to 192.168.10.*, exclusive.
    • client_b can forward tunnel to 192.168.11.*, exclusive.

    Valid tunneling command (for client_a):

    Invalid tunneling command (for client_a) – SSH connection on gateway should close immediately.

    Valid tunneling command (for client_b):

    Invalid tunneling command (for client_b) – SSH connection on gateway should close immediately.

    Can this restriction be achieved with modifications to the sshd_config?


    Assuming it's a modern sshd version, /etc/ssh/sshd_config supports the Match and PermitOpen directives, which can be combined to restrict the targets specified by clients setting LocalForward options.

    PermitOpen
    Specifies the destinations to which TCP port forwarding is permitted. The forwarding specification must be one of the following forms:

    Multiple forwards may be specified by separating them with whitespace. An argument of "any" can be used to remove all restrictions and permit any forwarding requests. By default all port forwarding requests are permitted. https://www.freebsd.org/cgi/man.cgi?sshd_config(5)

    So something like this should work.

    I am not 100% sure of the ordering of those PermitOpens (by default all port forwarding requests are permitted), so you might have to reverse them, or add a Permit none at the appropriate point to block unmatched forwardings.
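A way to check such a configuration before relying on it, as an added example (not the answer's own code and not sshd's): the script below parses a constructed sshd_config fragment for the client_a/client_b scenario in the question and applies the PermitOpen and Match semantics from sshd_config(5) to a requested forward target. One caveat it makes visible: PermitOpen treats only the whole token "*" as a wildcard, so a subnet-style entry like 192.168.10.*:22 is matched literally and allows nothing; list the hosts explicitly, or restrict the port with host:*. The users, groups and addresses in SAMPLE_SSHD_CONFIG are assumptions.

```python
"""Model how sshd applies Match + PermitOpen to a client's requested -L target.

Added example, not sshd's code and not from the answer above; a simplified
reading of sshd_config(5):
  * a Match block runs from its Match line to the next one, and a keyword set
    inside it overrides the global value for connections satisfying every
    criterion on the line (only User and Group criteria are modelled here);
  * when several matching blocks set PermitOpen, the first one wins;
  * PermitOpen entries are host:port tokens separated by whitespace, several
    lines accumulate, "any" allows everything and "none" allows nothing;
  * only the whole token "*" is a wildcard (for host or for port); no other
    pattern matching is done, so "192.168.10.*" matches nothing;
  * with no PermitOpen in effect, every forward is permitted (the default).
PermitOpen governs -L targets; -R listeners are governed by PermitListen.
Users, groups and addresses in SAMPLE_SSHD_CONFIG are constructed.
"""
from typing import Dict, List, Optional, Sequence, Tuple

Block = Tuple[Dict[str, List[str]], Optional[List[str]]]

SAMPLE_SSHD_CONFIG = """
AllowTcpForwarding yes

Match User client_a
    PermitOpen 192.168.10.2:22 192.168.10.3:22
    PermitOpen 192.168.10.4:22       # accumulates with the line above

Match User client_b
    PermitOpen 192.168.11.2:*

Match Group contractors
    PermitOpen none
"""


def parse_config(config: str) -> Tuple[Optional[List[str]], List[Block]]:
    """Return (global PermitOpen entries or None, list of Match blocks)."""
    global_permits: Optional[List[str]] = None
    blocks: List[list] = []
    current: Optional[list] = None
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "match":
            toks = value.split()
            criteria = {toks[i].lower(): toks[i + 1].split(",")
                        for i in range(0, len(toks) - 1, 2)}
            current = [criteria, None]
            blocks.append(current)
        elif key == "permitopen":
            if current is None:
                global_permits = (global_permits or []) + value.split()
            else:
                current[1] = (current[1] or []) + value.split()
    return global_permits, [(c, p) for c, p in blocks]


def _block_matches(criteria: Dict[str, List[str]], user: str, groups: Sequence[str]) -> bool:
    for crit, values in criteria.items():
        if crit == "user" and user not in values:
            return False
        if crit == "group" and not set(groups) & set(values):
            return False
        if crit not in ("user", "group"):
            return False   # Address, Host, etc. are not modelled: treat as no match
    return True


def effective_permits(config: str, user: str, groups: Sequence[str] = ()) -> Optional[List[str]]:
    global_permits, blocks = parse_config(config)
    for criteria, permits in blocks:
        if _block_matches(criteria, user, groups) and permits is not None:
            return permits          # first matching block that sets the keyword
    return global_permits


def _entry_allows(entry: str, host: str, port: int) -> bool:
    if entry == "any":
        return True
    if entry == "none":
        return False
    ehost, _, eport = entry.rpartition(":")
    ehost = ehost.strip("[]")       # [IPv6]:port form
    return ehost in ("*", host) and eport in ("*", str(port))


def forward_allowed(config: str, user: str, host: str, port: int,
                    groups: Sequence[str] = ()) -> bool:
    """Would sshd accept `ssh -L <localport>:host:port` from this user?"""
    permits = effective_permits(config, user, groups)
    if permits is None:
        return True                 # sshd default: all forwarding requests permitted
    return any(_entry_allows(e, host, port) for e in permits)


if __name__ == "__main__":
    for user, host, port in [("client_a", "192.168.10.2", 22), ("client_a", "192.168.11.2", 22),
                             ("client_b", "192.168.11.2", 8080), ("client_b", "192.168.10.2", 22)]:
        print(user, f"-> {host}:{port}:", "allowed" if forward_allowed(SAMPLE_SSHD_CONFIG, user, host, port) else "denied")
```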