RF
August 3, 2023
Updated August 2, 2023

SSH tunnel: how to create and use?

Networks Security

Introduction

The purpose of SSH tunneling is to provide confidential and integrity-protected data transfer between two hosts over untrusted or open networks such as the Internet. When a service that listens only on an internal port has to be reached from outside, or when traffic from an internal host has to leave through a trusted exit point, SSH tunneling wraps that traffic in an encrypted channel so it can cross the untrusted network safely.

The main uses of SSH tunneling for such a purpose include:

  • Secure port forwarding: SSH can forward a port on the client to a host and port reachable from the server (and the reverse), so a service that listens only on an internal address can be reached over the encrypted connection without exposing it directly;
  • Traffic protection: everything sent through the tunnel is encrypted and authenticated by SSH, so a third party cannot read or alter it in transit. The protection ends at the SSH server: from there to the final destination the traffic is whatever the application sent;
  • Bypassing network restrictions: traffic that leaves through the tunnel looks like a single SSH session to the local network, so filtering applied to other ports or destinations does not see it. Check that this is permitted by the policy of the network you are on;
  • Creating a secure proxy: a dynamic forward turns the SSH client into a SOCKS proxy on the local machine. Destinations then see the SSH server's address instead of the client's; this is not anonymity, since the server operator sees all of the traffic.

In short, SSH tunneling gives you an encrypted, authenticated channel across an untrusted network and a way to reach resources on either side of it, which makes it a basic tool for protecting data in transit and for controlled access to internal services.

Requirements

  • Root rights;
  • Debian 11 or a newer version;
  • Basic familiarity with working in the OS;
  • Internet connection.

Create tunnel

Before relying on the tunnel, bring the system's packages up to date so that the OpenSSH client and server carry current security fixes:

apt update && apt upgrade -y
Screenshot №1 — Update OS

To authenticate to the target server with a key instead of a password, generate a key pair with ssh-keygen. Public-key authentication is far harder to brute-force than a password and lets scripts open the tunnel unattended. The article uses RSA; Ed25519 keys, generated with the same tool, are the usual recommendation today and work with any current Debian:

ssh-keygen -t rsa
Screenshot №2 — Generation key

Next choose where to store the key pair; by default the private key is written to /root/.ssh/id_rsa and the public key to /root/.ssh/id_rsa.pub. Then enter a passphrase: it encrypts the private key on disk, so a stolen copy of the file alone is not enough to use the key. Leave it empty only if the key must work unattended, and then protect the file by other means:

Screenshot №3 — Finished of generation key

ssh-keygen also prints the key's fingerprint: the SHA-256 hash of the public key, shown in base64. The fingerprint is not a separate credential and hides nothing (public keys are meant to be public); it is a short, stable name for the key. It lets you check that the key line you pasted onto the server is exactly the one you generated, lets the server's log tell you which key was used for a login, and, when a host key fingerprint is shown on first connection, lets you verify the server out of band. Authentication itself does not work on hashes: the server stores the full public key in the user's authorized_keys file and checks a signature that only the matching private key can produce.

Next, copy your public key to the target server. To see it, open the file:

nano /root/.ssh/id_rsa.pub

The file contains a single long line. Copy that whole line with your terminal's copy function (nano's own Alt+6 only copies it into nano's internal buffer, which other programs cannot see), then press Ctrl+X to leave the editor without changes.

Screenshot №4 — Public key

Switch to a terminal on the target machine and append that line to the authorized_keys file of the account you will log in as (/root/.ssh/authorized_keys for root, /home/user/.ssh/authorized_keys for a regular user; the file and the .ssh directory must be writable only by that user). The usual shortcut is to let ssh-copy-id do this for you over an SSH session:

ssh-copy-id root@94.141.96.47

Replace the IP address with that of your target machine. ssh-copy-id logs in once with the password and appends your public key to that account's authorized_keys. Because this is the first connection to that host, the client first shows the server's host key fingerprint and asks you to confirm it; compare it with a fingerprint obtained out of band (for example from the provider's console) before typing yes:

Screenshot №5 — Send key

To prove you are allowed to add a key to that account, enter the account's password when prompted.

Screenshot №6 — Add key

The key is now listed in the account's authorized_keys file, so the next login no longer asks for the password: the client proves possession of the private key by signing a challenge, and the server verifies that signature against the stored public key. Once that works, consider disabling password logins in sshd_config so that the key is the only way in.
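To make the key, fingerprint and authorized_keys relationship concrete, here is an added example (written for this page, not code from the Serverspace article) that parses an OpenSSH public key line, checks that the key type in front of the blob matches the type encoded inside it, and computes the SHA256 fingerprint in the form ssh-keygen prints. The Ed25519 key bytes are constructed for the demo and are not a real key; the authorized_keys options shown (restrict, port-forwarding, permitopen) are real sshd options and restrict that key to the single local forward used later in the article.

```python
"""Added example (not from the article): parse an OpenSSH public key line as
found in id_*.pub / authorized_keys and compute the SHA256 fingerprint that
ssh-keygen -l prints. Standard library only."""
import base64
import hashlib
import struct

# Constructed sample: an Ed25519 public key is a 32-byte point. These bytes
# are made up for the demo and are NOT a real key pair.
FAKE_ED25519_POINT = bytes(range(1, 33))


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251): 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def read_ssh_string(blob: bytes, offset: int):
    """Decode one SSH 'string' at offset; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def make_ed25519_public_line(point: bytes, comment: str) -> str:
    """Build the one-line text form '<type> <base64 blob> <comment>'."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(point)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str) -> dict:
    """Split a public key / authorized_keys line into its parts and verify
    that the type named inside the blob matches the type written before it.
    An options field (e.g. restrict,permitopen="127.0.0.1:80") may precede
    the key type; options containing quoted spaces are not handled here."""
    fields = line.strip().split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    idx = next((i for i, f in enumerate(fields)
                if f.startswith(("ssh-", "ecdsa-"))), None)
    if idx is None or idx + 1 >= len(fields):
        raise ValueError("no key type / key data found")
    options = fields[0] if idx == 1 else ""
    key_type = fields[idx]
    blob = base64.b64decode(fields[idx + 1], validate=True)
    comment = " ".join(fields[idx + 2:])
    inner_type, _ = read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError(f"type mismatch: {key_type} vs {inner_type.decode()}")
    return {"options": options, "type": key_type, "blob": blob, "comment": comment}


def sha256_fingerprint(blob: bytes) -> str:
    """ssh-keygen -l style: SHA256 over the raw blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_of_line(line: str) -> str:
    return sha256_fingerprint(parse_public_key_line(line)["blob"])


if __name__ == "__main__":
    pub = make_ed25519_public_line(FAKE_ED25519_POINT, "admin@workstation")
    # The same key as it could appear in authorized_keys on the target,
    # limited to the one forward used later in the article (no shell, no PTY).
    restricted = 'restrict,port-forwarding,permitopen="127.0.0.1:80" ' + pub
    print(pub)
    print(fingerprint_of_line(pub))
    # Options do not change the key, so the fingerprint is the same.
    print(fingerprint_of_line(restricted) == fingerprint_of_line(pub))
```

Because the fingerprint covers only the key blob, the same value identifies the key in the client's .pub file, in the server's authorized_keys (with or without options) and in sshd's "Accepted publickey" log line, which is what makes it useful for cross-checking.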

Change SSH port

Moving SSH off port 22 keeps most automated scanners and brute-force bots away from it and makes the authentication logs far quieter. It is not a security control on its own: a port scan finds the new port in seconds, so keep key-only authentication and a firewall in place and treat the port change as noise reduction rather than protection. To change it, open the server configuration file:

nano /etc/ssh/sshd_config
Screenshot №7 — Configuration

In the editor remove the # in front of the Port line and set the value you prefer (an unused port, preferably above 1024 so it does not collide with other services). Press Ctrl+O to save and Ctrl+X to exit, allow the new port through your firewall, and restart the SSH service:

systemctl restart ssh

Your SSH port has now changed. Keep the current session open until you have confirmed from a second terminal that a login on the new port works (the ssh client takes the port with its -p option); only then close the old one.
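The manual edit above works for the stock Debian file, but sshd_config has a few traps: the directive usually ships commented out as #Port 22, several active Port lines make sshd listen on all of them rather than on the last one, and Port is only valid before the first Match block. The following is an added example (written for this page, not code from the article) that rewrites a sshd_config text with exactly one active Port directive placed correctly; the sample configuration text is constructed for the demo.

```python
"""Added example (not from the article): set the Port directive in an
sshd_config text, handling a commented-out '#Port 22', duplicate active Port
lines (sshd would listen on ALL of them) and Match blocks (Port must come
before the first Match). Standard library only."""
import re

PORT_RE = re.compile(r"^\s*(#\s*)?Port\s+(\d+)\s*$", re.IGNORECASE)
MATCH_RE = re.compile(r"^\s*Match\b", re.IGNORECASE)

# Constructed sample resembling the top of a Debian sshd_config.
SAMPLE_CONFIG = """# This is the sshd server system-wide configuration file.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
"""


def listening_ports(config: str) -> list:
    """Active Port directives outside any Match block; sshd's default is 22.
    Files pulled in by an Include directive are not read here, so check
    /etc/ssh/sshd_config.d/ by hand if you use it."""
    ports = []
    for line in config.splitlines():
        if MATCH_RE.match(line):
            break  # Port is not allowed inside Match, so stop looking
        m = PORT_RE.match(line)
        if m and not m.group(1):  # group(1) is the '#' of a commented line
            ports.append(int(m.group(2)))
    return ports or [22]


def set_sshd_port(config: str, port: int) -> str:
    """Return config with exactly one active 'Port <port>', before any Match.
    The first Port line (commented or not) is replaced in place; later active
    Port lines are dropped; later commented ones are kept as harmless."""
    if not 1 <= port <= 65535:
        raise ValueError("port must be 1-65535")
    out, done, in_match = [], False, False
    for line in config.splitlines():
        if MATCH_RE.match(line):
            if not done:
                out.append(f"Port {port}")  # insert just before the first Match
                done = True
            in_match = True
        m = None if in_match else PORT_RE.match(line)
        if m is None:
            out.append(line)
        elif not done:
            out.append(f"Port {port}")
            done = True
        elif m.group(1):
            out.append(line)
        # else: a second active Port line; dropping it avoids a second listener
    if not done:
        out.append(f"Port {port}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("before:", listening_ports(SAMPLE_CONFIG))
    new_config = set_sshd_port(SAMPLE_CONFIG, 2222)
    print("after: ", listening_ports(new_config))
    print(new_config)
```

Whatever produces the new file, validate it with sshd's test mode (sshd -t) before restarting the service: a syntax error in sshd_config makes the restart fail, and if your only session has already been closed you are locked out.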

Usage of SSH tunnel

Beyond logging in and transferring data, an SSH connection can carry other traffic: it can forward individual ports, or act as a proxy server for applications on the local machine.

SSH port forwarding lets you reach services on a remote server that are not exposed to the Internet. A web application, database or remote desktop that listens only on the server's loopback interface can be mapped to a port on your local machine and administered from there. For that, run:

ssh -L 9999:127.0.0.1:80 root@94.141.96.47
Screenshot №8 — Port forwarding static

Besides a detailed explanation:

  • The command opens an SSH connection to the remote server as the given user. Once it is established, the ssh client starts listening on port 9999 on your local machine (on the loopback address only, unless you bind it elsewhere);
  • Each connection to local port 9999 is carried through the SSH connection to the remote server, and sshd there opens a connection to 127.0.0.1:80. The address is interpreted on the remote side, so 127.0.0.1 means the server's own loopback interface, where an HTTP server typically listens;
  • So when you open 127.0.0.1:9999 (localhost:9999) on your local machine, you are actually talking to port 80 of the remote machine, even though that port is not reachable from the Internet. The forward lives only as long as the ssh session does.

By setting up a dynamic SSH tunnel and configuring it as a SOCKS proxy server, we can efficiently route network traffic from our local machine through the remote server. This enables any application or service on the local machine that supports SOCKS proxy settings to utilize the tunnel as its proxy server. To achieve this, you can use the specified command:

ssh -D 8888 root@94.141.96.47
Screenshot №9 — Port forwarding dynamic

When you execute the specified command, it initiates an SSH connection to the remote server on your behalf. Once the connection is established, your local machine sets up a listening port, which in this case is port 8888.

Unlike local port forwarding that we discussed earlier (using the -L option), dynamic port forwarding (using the -D option) creates a SOCKS proxy server directly on your local machine. When an application on your local machine attempts to access the internet, it can use this SOCKS proxy server by configuring it to connect through localhost:8888.

As a result, traffic from every application configured to use that proxy goes through the SSH connection to the remote server, which makes the outgoing connection to the final destination. Applications that are not pointed at the proxy are unaffected, and the traffic is encrypted only as far as the SSH server.

This dynamic port forwarding technique gives your applications an encrypted path to the remote server, from where they reach the Internet. It is particularly useful when certain servers or resources are blocked by restrictions or firewalls on your local network. Keep in mind that the server's operator, and anyone between the server and the destination, still sees the plaintext unless the application protects it with TLS itself, and that an application which resolves hostnames locally before contacting the proxy still reveals the names it visits to the local DNS resolver.
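What an application actually says to the listener on localhost:8888 is the SOCKS5 protocol. Here is an added example (written for this page, not code from the article or from OpenSSH) that builds and parses both sides of a SOCKS5 CONNECT exchange with the standard library only; nothing is sent over the network. The server IP 94.141.96.47 is the page's own; example.com is a placeholder destination; the zeroed address in the reply is a choice of this example, not a description of OpenSSH's exact reply.

```python
"""Added example (not from the article): the SOCKS5 exchange between an
application and the local listener that ssh -D opens. Builds and parses both
sides' messages offline. Standard library only."""
import socket
import struct

NO_AUTH = 0x00            # the only method ssh -D offers
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def client_greeting() -> bytes:
    """VER=5, one method offered: no authentication."""
    return bytes([0x05, 0x01, NO_AUTH])


def server_method_choice(greeting: bytes) -> bytes:
    """Proxy side: pick 'no auth' or refuse with 0xFF."""
    if len(greeting) < 2 or greeting[0] != 0x05:
        raise ValueError("not a SOCKS5 greeting")
    n = greeting[1]
    methods = greeting[2:2 + n]
    if len(methods) != n:
        raise ValueError("truncated method list")
    return bytes([0x05, NO_AUTH if NO_AUTH in methods else 0xFF])


def connect_request(host: str, port: int) -> bytes:
    """Application side: CONNECT request. A hostname is sent as ATYP=3 so the
    *remote* side resolves it; an IP literal is sent as ATYP=1 or 4."""
    try:
        atyp, body = ATYP_IPV4, socket.inet_pton(socket.AF_INET, host)
    except OSError:
        try:
            atyp, body = ATYP_IPV6, socket.inet_pton(socket.AF_INET6, host)
        except OSError:
            name = host.encode("idna")
            if len(name) > 255:
                raise ValueError("hostname too long for SOCKS5")
            atyp, body = ATYP_DOMAIN, bytes([len(name)]) + name
    return bytes([0x05, CMD_CONNECT, 0x00, atyp]) + body + struct.pack(">H", port)


def parse_connect_request(req: bytes):
    """Proxy side: returns (host, port, resolved_remotely). resolved_remotely
    is False when the application already did the DNS lookup itself, i.e.
    the name it visits was exposed to the local resolver."""
    if len(req) < 4 or req[0] != 0x05:
        raise ValueError("not a SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntop(socket.AF_INET, req[4:8]), req[8:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, req[4:20]), req[20:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    (port,) = struct.unpack(">H", rest)
    return host, port, atyp == ATYP_DOMAIN


def server_reply(success: bool) -> bytes:
    """Proxy side: REP 0x00 = succeeded, 0x05 = connection refused. BND.ADDR
    and BND.PORT are zeroed here (ATYP=1, 0.0.0.0:0); clients generally
    ignore them for CONNECT."""
    return bytes([0x05, 0x00 if success else 0x05, 0x00, ATYP_IPV4]) + bytes(6)


if __name__ == "__main__":
    # The messages an application exchanges with localhost:8888 when it opens
    # https://example.com through the tunnel to 94.141.96.47.
    print("app  ->", client_greeting().hex())
    print("ssh  <-", server_method_choice(client_greeting()).hex())
    req = connect_request("example.com", 443)
    print("app  ->", req.hex())
    host, port, remote_dns = parse_connect_request(req)
    print(f"ssh resolves {host}:{port} on the remote side: {remote_dns}")
    print("ssh  <-", server_reply(True).hex())
```

The resolved_remotely flag is the practical point: curl with a socks5h:// proxy URL, or Firefox with "Proxy DNS when using SOCKS v5" enabled, sends the hostname (ATYP=3) so the lookup happens on the SSH server; a plain socks5:// URL or a browser without that setting resolves locally first and sends only the IP, leaking the visited names to the local network even though the connection itself goes through the tunnel.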

Conclusion

SSH tunneling provides a robust solution for secure data transfer and access to resources across unreliable networks. With its ability to create secure communication channels and securely redirect traffic, SSH tunneling enhances data security and privacy, making it an essential tool for safeguarding sensitive information and ensuring secure access to remote resources. By leveraging SSH tunneling, users can establish secure connections, protect sensitive data, and bypass network restrictions, contributing to a more secure and resilient computing environment.
