Document information: 41 pages, 1.03 MB

Content
installation has been completed. (See Chapter 1 for details on how to install an SSH server.)

SSH Communications provides the ability to restrict or permit port forwarding, also known as tunneling, on the SSH server. For example, if port forwarding is not desired, the tunneling settings can deny it while still allowing terminal and/or SFTP access. In addition to permitting or restricting port forwarding globally, the server can allow port forwarding for only a specified set of users and deny everyone else, or deny port forwarding for a set of users and allow everyone else. Lastly, in addition to allowing and denying specific users and/or groups, the SSH server can restrict port forwarding using ACLs based on IP addresses and port numbers. For example, if port forwarding is desired not to all internal machines but only to a selected few, port-forwarding ACLs can be set so that only certain IP addresses on certain ports are accessible to port-forwarding SSH clients.

To view the tunnel configuration options and configure these options on SSH Communications' SSH server, perform the following steps:

1. Change directories to /etc/sshd2:

   #cd /etc/sshd2

2. View the sshd2_config file, specifically, the tunneling section:

   #more sshd2_config

3. The tunneling section of the sshd2_config is as follows:

   ## Tunneling
   # AllowX11Forwarding yes
   # AllowTcpForwarding yes
   # AllowTcpForwardingForUsers sjl, cowboyneal@slashdot\.org
   # DenyTcpForwardingForUsers 2[[:digit:]]*4,peelo
   # AllowTcpForwardingForGroups privileged_tcp_forwarders
   # DenyTcpForwardingForGroups coming_from_outside
   #
   # Local port forwardings to host 10.1.0.25 ports 143 and 25 are
   # allowed for all users in group users.
   # Note that forwardings using the name of this host will be allowed
   # (if it can be resolved from the DNS).
   #
   # ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
   #
   # Local port forwardings requested exactly to host proxy.company.com
   # port 8080 are allowed for users that have 's' as first character
   # and belong to the group with group id 10:
   #
   # ForwardACL allow local s.*%10 proxy\.company\.com%8080
   #
   # Remote port forwarding is denied for all users to all hosts:
   # ForwardACL deny remote .* .*

4. Uncomment the AllowTcpForwarding line by deleting the # symbol.
5. Uncomment the AllowTcpForwardingForUsers line by deleting the # symbol.
6. On the same line, delete the default entries (sjl, cowboyneal@slashdot\.org).
7. Enter the following accounts to allow port forwarding: root, admin, and system@Aum-sshserver.com:

   AllowTcpForwarding yes
   AllowTcpForwardingForUsers root, admin, system@Aum-sshserver\.com

   Notice the \ before the . in .com. These entries are egrep-style regular expressions (the default DenyTcpForwardingForUsers entry 2[[:digit:]]*4 shows this), so a literal dot or any other regex metacharacter must be escaped with a backslash; an unescaped . would match any single character.

8. Continue to enter values: deny the backup and test accounts while allowing the RemoteAccess group:

   AllowTcpForwarding yes
   AllowTcpForwardingForUsers root, admin, system@Aum-sshserver\.com
   DenyTcpForwardingForUsers backup, test
   AllowTcpForwardingForGroups RemoteAccess

9. At this point, port-forwarding restrictions based on users have been applied. In addition to restricting port forwarding to users and/or groups, specific IP addresses and ports can be granted or denied access through port-forwarding rules. This feature is very important in terms of security, since you may not want to allow port-forwarding access from the outside to every server on the inside, or to every server that the SSH server can reach. These filters can state exactly which servers should be accessible and automatically deny everything else.
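The following Python script is an added example, not code from the book or from SSH Communications' server. It models how the ForwardACL directives shown in the tunneling section above are evaluated, so a rule set can be tested against sample forward requests before it is deployed. The sshd2_config excerpt inside it is constructed from the rules in the comments above. The matching behaviour it assumes follows the chapter's description and should be verified against the server's documentation: patterns are egrep-style regular expressions matched as a whole, user-pat is matched against user%group (and user%gid, so that s.*%10 can match a group id), a leading \i switches forward-pat to match the destination IP address instead of the hostname, the first matching rule wins, and an unmatched forward is denied once any allow rule exists.

```python
"""Model of SSH Communications' sshd2_config ForwardACL evaluation.

Added example; this is not code from the book or from the SSH server. It
implements the semantics the chapter describes: ForwardACL lines are
checked top to bottom, the first matching rule decides, and once any allow
rule exists every unmatched forward is denied. The matching details are
assumptions to verify against the sshd2_config documentation: user-pat is
an egrep-style regular expression matched as a whole against user%group
(and user%gid), forward-pat is matched against host%port, and a leading \\i
makes it match the destination IP address instead of the hostname.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sshd2_config excerpt built from the rules in the chapter.
SSHD2_CONFIG = r"""
## Tunneling
AllowTcpForwarding yes
# all users in group users may reach 10.1.0.25 on IMAP and SMTP, by IP
ForwardACL allow local .*%users \i10\.1\.0\.25%(143|25)
# users whose name starts with "s" in gid 10 may reach the proxy, by name
ForwardACL allow local s.*%10 proxy\.company\.com%8080
# remote (reverse) forwarding is denied for everyone
ForwardACL deny remote .* .*
"""

# egrep POSIX classes that Python's re does not understand (only these three are mapped)
_POSIX_CLASSES = {"[:digit:]": "0-9", "[:alpha:]": "a-zA-Z", "[:alnum:]": "a-zA-Z0-9"}


def egrep(pattern: str) -> "re.Pattern":
    """Compile an egrep-style pattern; callers use fullmatch so it is anchored."""
    for name, chars in _POSIX_CLASSES.items():
        pattern = pattern.replace(name, chars)
    return re.compile(pattern)


@dataclass(frozen=True)
class ForwardRule:
    action: str            # "allow" or "deny"
    direction: str         # "local" or "remote"
    user_pat: "re.Pattern"
    by_ip: bool            # forward-pat started with \i
    target_pat: "re.Pattern"


def parse_forward_acl(config_text: str) -> List[ForwardRule]:
    """Extract ForwardACL rules, ignoring comments and other directives."""
    rules = []
    for raw in config_text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or fields[0] != "ForwardACL":
            continue
        action, direction, user_pat, target_pat = fields[1:5]
        by_ip = target_pat.startswith(r"\i")
        if by_ip:
            target_pat = target_pat[2:]
        rules.append(ForwardRule(action, direction, egrep(user_pat), by_ip, egrep(target_pat)))
    return rules


def forward_allowed(rules, direction, user, group, gid, host, ip, port) -> bool:
    """Decide one forward request: the first matching rule wins."""
    subjects = (f"{user}%{group}", f"{user}%{gid}")   # assumption: user%group or user%gid
    for rule in rules:
        if rule.direction != direction:
            continue
        if not any(rule.user_pat.fullmatch(s) for s in subjects):
            continue
        target = f"{ip if rule.by_ip else host}%{port}"
        if rule.target_pat.fullmatch(target):
            return rule.action == "allow"
    # Nothing matched: denied as soon as the configuration contains an allow rule.
    return not any(r.action == "allow" for r in rules)


RULES = parse_forward_acl(SSHD2_CONFIG)

if __name__ == "__main__":
    # Constructed requests: (direction, user, group, gid, requested host, resolved IP, port)
    for req in [("local", "alice", "users", 100, "mail.corp", "10.1.0.25", 143),
                ("local", "alice", "users", 100, "mail.corp", "10.1.0.25", 22),
                ("local", "sam", "staff", 10, "proxy.company.com", "10.9.9.9", 8080),
                ("remote", "root", "wheel", 0, "anything", "10.0.0.1", 80)]:
        print(req, "->", "allow" if forward_allowed(RULES, *req) else "deny")
```

Because the patterns are regular expressions, an unescaped dot in proxy.company.com would also accept a lookalike name such as proxyXcompanyYcom; the \. in the rule is what restricts it to the literal hostname, which is why the model rejects that lookalike.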
To set port-forwarding filters according to Figure 6.11, the following settings should be set in the sshd2_config file:

   ForwardACL allow local .*%users \i192\.168\.0\.10%(25)
   ForwardACL allow local .*%users \i172\.16\.11\.17%(80|443)
   ForwardACL allow local .*%users \i172\.16\.11\.8%(143)
   ForwardACL allow local .*%users \i172\.16\.11\.72%(3389)

These rules allow users in group users to port forward only to 192.168.0.10 (port 25), 172.16.11.17 (ports 80 and 443), 172.16.11.8 (port 143), and 172.16.11.72 (port 3389), while denying access to all other servers. Notice the syntax used for the port-forwarding ACLs. The user pattern and the target pattern are egrep-style regular expressions. A leading \i on the target pattern tells the server to match the forward's destination IP address rather than its hostname, and each dot in the address is escaped as \. so that it matches a literal period instead of any character. The host and the port are separated by %, and alternative ports are grouped in parentheses. The complete syntax is as follows:

   ForwardACL allow|deny local|remote user-pattern \iIP\.Address\.of\.server%(port|port|port)

DNS names can also be used for ForwardACL statements. For example, if Aum.terminalserver.com is the destination server, on port 3389, the following syntax can be used:

   ForwardACL allow local .*%users Aum\.terminalserver\.com%3389

Note that once Allow rules are applied on the SSH server, all other servers and/or devices will not be granted port-forwarding access: only the servers specifically allowed will be accessible to SSH clients that are port forwarding, and everything else is denied by default unless otherwise stated. (This default denial makes Deny rules for other servers redundant, since everything besides the allowed servers is denied automatically.) Furthermore, server-side port-forwarding filtering overrides any port-forwarding rules configured on the SSH clients themselves.

Configuration for SSH Communications' SSH Server (Windows)

SSH Communications provides an SSH server for Windows as well as Unix. Unlike the Unix version, the Windows version is configured and enabled using a GUI, as described earlier in the "SSH Communications' SSH server" section of Chapter 2.
The SSH server in Figure 6.11, 11.30.11.21, has a routable IP address that is accessible from both internal networks and external networks, such as the Internet. By default, SSH Communications' SSH server enables port forwarding, so there is no special configuration required on the SSH server after installation has been completed. (See Chapter 1 for how to install an SSH server.) SSH Communications provides the ability to permit or deny port forwarding, also known as tunneling, on the SSH server. For example, if port forwarding is not desired, tunneling can be denied completely while still allowing terminal and/or SFTP access. In addition to permitting or restricting port forwarding globally, SSH Communications' server can allow port forwarding for only a specified set of users and deny everyone else, or deny port forwarding for a set of users and allow everyone else. To view the tunnel configuration options and configure these options on SSH Communications' SSH server, perform the following steps:

Figure 6.20 SSH Communications' Tunneling options.

1. Start ➪ Programs ➪ SSH Secure Shell Server ➪ Configuration.
2. Under SSH Server Settings, browse to Tunneling. As shown in Figure 6.20, SSH Communications' Tunneling menu can allow or deny tunnels.
3. Check the Allow TCP Tunneling checkbox.
4. In the Allow TCP Tunneling for Users textbox, enter the usernames you would like to permit port forwarding for, such as the administrator account and other admin-level accounts (separated by commas).
5. In the Deny TCP Tunneling for Users textbox, enter the usernames you would like to restrict port forwarding for, such as the guest account and other nonauthorized accounts (separated by commas).
6. Select the Apply button.
7. Tunneling (port forwarding) restrictions have now been applied.

As shown in Figure 6.21, tunneling restrictions and permissions are easy to apply.
The SSH server has now been configured with Terminal, SFTP/SCP, and port forwarding; port forwarding, however, is restricted to the administrator, chandradhar, and prabha accounts and is specifically denied to the guest, IUSR_SSH, and backup accounts.

Figure 6.21 SSH Communications' Tunneling configuration options.

Configuration for VanDyke Software's VShell SSH Server

VanDyke Software provides an SSH server for Windows called VShell. The Windows version is configured and enabled using a GUI, as described earlier in the "VShell SSH Server" section of Chapter 2. The SSH server in Figure 6.11, 11.30.11.21, also has a routable IP address that is accessible from both internal networks and external networks, such as the Internet. Port forwarding is also enabled by default on the VShell server, so there is no special configuration needed on the SSH server after installation has been completed (see Chapter 1 for installing an SSH server). Similar to SSH Communications' SSH server, VShell also provides the ability to restrict or permit port-forwarding access, but it places the permissions and/or restrictions on the port-forwarded servers instead of on the users. For example, in Figure 6.11, port forwarding would be filtered by allowing tunneling to the mail relay, mail server, Web server, and Windows terminal server but restricting it to the other IP addresses on the internal network. In addition to permitting or restricting port forwarding by IP address, the ability to allow port forwarding for a specified hostname, network subnet (netmask), or domain can also be set. For example, if all servers in the 192.168.0.0 network were allowed to be port forwarded to, the entire network subnet could be set, instead of adding several hundred machines. Similarly, if all servers in the internal network are off limits and have the IP address range 172.16.1.0-172.16.1.254, the entire subnet can be restricted.
To view the filter-configuration options and configure these options on the VShell SSH server, perform the following steps:

Figure 6.22 The VShell filtering options.

1. Start ➪ Programs ➪ VShell ➪ VShell.
2. Browse to the Port-Forward Filters section (see Figure 6.22).

In order to configure the port-forwarding options according to Figure 6.11, use the following steps.

1. Notice the default rule that allows port forwarding to all machines. Delete this rule by highlighting the rule and selecting Delete.
2. Select Add to add filtering entries.
3. Select the drop-down box next to Filter Type to view the type options, including IP address, Hostname, Netmask, and Domain (see Figure 6.23).

Figure 6.23 VShell's Filter Type options for port-forwarding filters.

4. In the Allow section, select the Allow radio button.
5. For the Filter type, select IP address.
6. In the IP address field, type 192.168.0.10.
7. In the Port section, select the Port radio button and type 25 in the text box.
8. In the Comment field, type Mail Relay.
9. Select OK.
10. Repeat steps 2 through 9 for the other three servers. The final result should look like Figure 6.24.

Once Allow rules are applied on the VShell SSH server, only the servers specifically allowed will be accessible via port forwarding; all other servers and/or devices will not be accessible. This makes Deny rules for other servers redundant, since everything besides the allowed servers is denied automatically. Furthermore, server port-forwarding filters override any client port-forwarding rules on the SSH clients themselves. If the entire network were allowed to port forward, except for a few specified servers, both Allow filters and Deny filters would be required.
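As an added example (not VShell's own code, and not from the book), the following Python models a VShell-style ordered filter list with the four filter types listed above, and shows why ordering matters when a whole subnet is permitted except for one server: the first filter whose address and port both match decides the forward, so a Deny placed below an Allow that already covers the same address never fires. The shadowed_filters() check flags exactly that mistake. The rule sets, hostnames, and the first-match and default-deny semantics (an unmatched target is denied once the default allow-all rule has been deleted) are constructed assumptions based on the chapter's description and should be checked against the product documentation.

```python
"""Model of VShell-style port-forward filters: ordered, first match wins.

Added example; this is not VShell's own code. Filter types follow the ones
the chapter lists (IP address, Netmask, Hostname, Domain). Assumptions to
verify against the product documentation: matching stops at the first
filter whose address and port both match, and once the default allow-all
rule has been deleted an unmatched target is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Filter:
    action: str                  # "allow" or "deny"
    kind: str                    # "ip", "netmask", "hostname" or "domain"
    value: str                   # address, network (CIDR or dotted mask), host or domain name
    port: Optional[int] = None   # None means any port
    comment: str = ""


def _address_matches(f: Filter, host: str, ip: ipaddress.IPv4Address) -> bool:
    """True if the forward target satisfies this filter's address part."""
    if f.kind == "ip":
        return ip == ipaddress.ip_address(f.value)
    if f.kind == "netmask":
        return ip in ipaddress.ip_network(f.value, strict=False)
    if f.kind == "hostname":
        return host.lower() == f.value.lower()
    if f.kind == "domain":
        dom = f.value.lower().lstrip(".")
        return host.lower() == dom or host.lower().endswith("." + dom)
    raise ValueError(f"unknown filter type {f.kind!r}")


def forward_allowed(filters: List[Filter], host: str, ip: str, port: int) -> bool:
    """Walk the filters top to bottom; the first match decides the forward."""
    addr = ipaddress.ip_address(ip)
    for f in filters:
        if f.port is not None and f.port != port:
            continue
        if _address_matches(f, host, addr):
            return f.action == "allow"
    return False   # no match: denied, because the default allow-all rule was removed


def shadowed_filters(filters: List[Filter]) -> List[Tuple[int, int]]:
    """Find address-based filters that can never fire because an earlier
    filter already covers every address and port they would match.
    Returns (shadowed_index, shadowing_index) pairs; hostname/domain
    filters are skipped because that needs name resolution."""
    def as_network(f: Filter):
        if f.kind == "ip":
            return ipaddress.ip_network(f.value)               # single host, /32
        if f.kind == "netmask":
            return ipaddress.ip_network(f.value, strict=False)
        return None

    result = []
    for i, later in enumerate(filters):
        net = as_network(later)
        if net is None:
            continue
        for j in range(i):
            earlier_net = as_network(filters[j])
            if earlier_net is None:
                continue
            port_covered = filters[j].port is None or filters[j].port == later.port
            if port_covered and net.subnet_of(earlier_net):
                result.append((i, j))
                break
    return result


# Constructed rule sets matching the chapter's scenarios.
FIGURE_6_11 = [
    Filter("allow", "ip", "192.168.0.10", 25, "Mail Relay"),
    Filter("allow", "ip", "172.16.11.17", 80, "Web server"),
    Filter("allow", "ip", "172.16.11.17", 443, "Web server (TLS)"),
    Filter("allow", "ip", "172.16.11.8", 143, "Mail server"),
    Filter("allow", "ip", "172.16.11.72", 3389, "Windows terminal server"),
]
# Whole internal subnet permitted except one server: the Deny must come first.
FIGURE_6_25 = [
    Filter("deny", "ip", "172.16.1.100", None, "Windows file server is off limits"),
    Filter("allow", "netmask", "172.16.1.0/255.255.255.0", None, "Internal network"),
]
WRONG_ORDER = [FIGURE_6_25[1], FIGURE_6_25[0]]   # Allow above Deny: the Deny is dead

if __name__ == "__main__":
    for name, rules in (("correct", FIGURE_6_25), ("wrong", WRONG_ORDER)):
        verdict = forward_allowed(rules, "files", "172.16.1.100", 445)
        print(f"{name} order: 172.16.1.100:445 ->", "allow" if verdict else "deny",
              "| shadowed:", shadowed_filters(rules))
```

shadowed_filters() reasons only about IP-address and Netmask filters; a Hostname or Domain filter can shadow another only after name resolution, which the model deliberately does not perform.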
For example, if the internal network had an IP range of 172.16.1.1-172.16.1.254 and the only server restricted was 172.16.1.100, the VShell port-forwarding filtering would need to look like Figure 6.25, where the 172.16.1.0 network is permitted and the 172.16.1.100 server is specifically denied.

Figure 6.24 VShell's filtering rules for port-forwarding according to Figure 6.11.

Figure 6.25 Access to the internal network, except for one server.

Make sure the Deny filter comes before the Allow filter, since filters are read from top to bottom and the first matching filter is applied immediately; a Deny filter placed after an Allow filter that covers the same address is never reached.

Advantages to SSH Port Forwarding

The strong benefits of port forwarding involve its advanced usage, with little to no added complexity. While many organizations spend thousands of dollars and architectural resources to deploy IPSec VPNs, restrictions on IPSec, such as NAT-enabled networks, often limit the type of access that remote users may utilize. While SSH port forwarding also has its limitations, the use of port forwarding, combined with its ease of use, its low setup overhead, and its simplicity, makes port forwarding a very attractive remote-access solution.

You have probably also noticed that, unlike other client/server architectures, most of the configuration of port forwarding is required on the SSH client, not on the SSH server. Most, if not all, SSH2 servers have SSH port forwarding enabled by default. This allows any client to take full advantage of the feature after a basic default install of any SSH server. No special configuration or options are required after the initial installation of the SSH server is completed; however, additional configuration options can be enabled on certain SSH servers after installation. As stated before, the SSH client requires most, if not all, of the configuration attention.
In order to forward ports from the client to a remote server or vice versa, the options need to be configured on the SSH client and enabled before the SSH connection has been established. While this effort is relatively low and usually required only once, many new users are not accustomed to the fact that no server-side configuration is required, only client-side configuration. The concept, while relatively simple, confuses many new SSH users into thinking that, in addition to client-side configuration, some magical tricks need to be configured on the SSH server too, which could not be farther from the truth. Once the port-forwarding configuration has been enabled on the SSH client, the port-forwarding tunnels should be fully functional.

The use of different SSH clients with port forwarding is also described in this chapter. While many of the SSH clients provide similar, if not the same, features as one another, there are some subtle differences that should be reviewed in order to select the best SSH client for your situation or organization.

While providing different functionality and usage, both local and remote port forwarding offer benefits to the entire SSH architecture. The fact that most TCP ports can be tunneled over an encrypted SSH session gives port forwarding and SSH a whole new identity. Instead of SSH being a solution only for encrypted Telnet, SSH becomes a viable solution for any insecure TCP port, especially mail protocols such as POP3, IMAP, and SMTP, intranet protocols such as HTTP, and remote-management protocols such as VNC, Windows Terminal Server, X11, and pcAnywhere. Also, the most popular usage of SSH, which is encrypted terminal access, becomes a completely secondary feature. SSH is often deployed only for its port-forwarding capabilities, ignoring any terminal or SFTP access it may provide.
Lastly, with its completely flexible architecture, combined with its fully encrypted communication, SSH port forwarding provides the ability to access almost any machine over any hostile or untrusted network with the assurance that the remote session is protected (provided the client verifies the server's host key, so that the tunnel cannot be terminated by an impostor). The fact that the SSH session is fully encrypted, provides two-factor authentication options, and still grants virtually full access to the desired remote server or network makes SSH more flexible than other standard encryption applications.

Summary

This chapter discusses some of the networking basics of one of the more powerful features of SSH. Details on the port-forwarding architecture from both an SSH-client and an SSH-server perspective are introduced and demonstrated. From the initial discussion in the early sections of this chapter, you learn that not only does port forwarding allow SSH to secure weak protocols, such as mail protocols, file transfer protocols, and remote management protocols, but that it also provides the same functionality that end users are accustomed to. Both remote and local port forwarding give SSH and SSH users an abundance of flexibility in current network architectures, due to their ability to adapt and co-exist with existing technologies, devices, and applications.

Once a framework is established regarding what port forwarding is, the chapter focuses on how to use it. The chapter discusses the configuration details of port-forwarding options on three SSH clients: OpenSSH, SSH Communications', and SecureCRT. Also, the chapter discusses the configuration details of three SSH servers: OpenSSH, SSH Communications', and VShell. Now that you know what port forwarding is and how to use it, how to optimize it with its basic and advanced features can be addressed.
In the next chapter, the focus shifts from the theory, setup, and basic installation of port forwarding on clients and servers to the advanced uses of port forwarding, such as remote-access solutions. Many of the concepts discussed in this chapter are fully utilized in the next one, but with an added demonstration of their full flexibility and optimal usage. When deploying a remote-access solution for an organization or a backup VPN solution for a particular department/entity, it is important to understand the many uses of resources such as port forwarding.

[...] on the Windows file server (172.16.1.100) and allow the SSH server (11.30.11.21) on any source port to port 2049 and 1026 on the Solaris NFS file server (172.16.1.150). Table 7.1 shows an example of the firewall rules. After the SSH server has been completely installed and the firewall rules are in place, the SSH server is ready for the secure file transfer architecture.

Setting Up the SSH Client

Once the [...] architecture, open SecureCRT and connect to the SSH server, as shown in Figure 7.6. To verify the port-forwarding tunnels, type netstat -an on the command line, and both port 25 and port 110 should be listening on the IP address 0.0.0.0, as shown in Figure 7.7.

Figure 7.7 Local port-forwarding connections listening on ports 25 and 110.

Figure 7.8 Outlook Express.

Once the SSH server has been [...] make it the optimal solution for you. Following up from the previous chapter, in this chapter I examine the advanced usage of port forwarding in the context of remote access, specifically:

■ Secure e-mail with SSH
■ Secure File Transfer (SMB and NFS) with SSH
■ Secure management (pcAnywhere, VNC, Terminal Services) with SSH
■ Secure VPN with SSH (PPP over SSH)

Secure E-mail with SSH

The use of [...]
[...] unchecked.
24. In the Local subsection, enter 5901 for the Port field.
25. In the Remote subsection, make sure "Destination host is different from the SSH server" is checked.
   a. Enter 10.1.0.150 for the Hostname field.
26. In the Remote subsection, enter port 5901 for the Port field.
27. In the Application subsection, you can either leave it blank or enter the path for the VNC client. If you decide to put in the path, [...]

[...] IP address 172.16.1.100. Lastly, connections from the SSH server to the mail relay inside the DMZ network need to be allowed, specifically from 11.30.11.21 on any source port to port 25 on IP address 11.30.11.22. After the SSH server has been completely installed and the firewall rules are in place, the SSH server is ready for the secure e-mail architecture.

Setting Up the SSH Client

Once the SSH server [...] connections" is unchecked.
25. In the Local subsection, enter 110 for the Port field.
26. In the Remote subsection, make sure "Destination host is different from the SSH server" is checked.
   a. Enter 11.30.11.22 for the Hostname field.
27. In the Remote subsection, enter port 110 for the Port field.
28. In the Application subsection, enter the path for Outlook Express.

Once the SSH session has been established, [...] instead of directing things to the real servers, will be directed locally to the loopback interface, specifically 127.0.0.1, to connect to the local port forwards set up by the SSH connection, which will then take those connections and forward them to the appropriate servers over the SSH connection.

Executing Secure File Transfer

At this point, you have completed the necessary steps for secure file transfer. You [...] log in to the Windows SMB file server. To transfer files to and from the c share on the Windows file server, type the following command on the Unix SSH client:

   #smbclient \\\\127.0.0.1\\c -U -p 445

smbclient has very simple syntax: -U is for the username; -p is for the port number. This command will connect to local port 445 and then be forwarded by the SSH session. After the connection [...] completed the e-mail client setup for SSH Secure Remote Access.

Figure 7.6 Connection to the SSH server.

Executing Secure E-mail

At this point, you have completed the necessary steps for secure e-mail. You have configured your SSH server and appropriate firewall rules, configured your SSH client for port forwarding, and configured your e-mail client to use your loopback address. In order to start using the secure [...]
32. In the Local subsection, enter 5631 for the Port field.
33. In the Remote subsection, make sure "Destination host is different from the SSH server" is checked.
   a. Enter 10.1.0.200 for the Hostname field.
34. In the Remote subsection, enter port 5631 for the Port field.
35. In the Application subsection, you can either leave it blank or enter the path for the pcAnywhere client. If you decide to put in the path, [...]