02.08.2023

SSH tunnel: how to create and use?

Introduction

The purpose of SSH tunneling is to provide secure and secure data transfer between two nodes or devices over unreliable or open networks such as the Internet. When traffic needs to pass through internal ports and be safely redirected outside, SSH tunneling can be used to create a secure communication channel that allows traffic to safely leave the internal network and head to the external network.

The main uses of SSH tunneling for such a purpose include:

In general, SSH tunneling provides powerful capabilities to ensure secure data transfer and access to resources through unreliable networks. It allows you to create a secure communication channel and provide secure access to external resources from the internal network, which makes it an important tool for ensuring data security and confidentiality.

Requirements

Create tunnel

For the securely transfer we think more complex about our guard system and we need to update, upgrade all packages before using utility:

apt update && apt upgrade -y

Screenshot №1 — Update OS

For making tunnel via SSH we need to form public and private key, that help to authorize user more securely and automate process. We will run command ssh-keygen:

ssh-keygen -t rsa

Screenshot №2 — Generation key

In that part choose path to save public and private keys to connection via SSH, by the default settings they will save in /root/.ssh/ folder. Then enter passphrase if you want make way more complicated to compromises private key:

Screenshot №3 — Finished of generation key

Also you can see fingerprint as result of hashing your public key, that can help to identify your personality and rights to having that one. But the main purpose of hashing public keys in the context of SSH is the convenience and efficiency of key authentication. After the hash of the client's public key is stored on the server, the server can quickly and efficiently compare the hash with hashes that are already stored in its database. Although hashing public keys does not provide additional security in the sense that it does not make keys secret (public keys must always remain public), it provides protection against accidental or malicious key changes or copying errors.

After that you need to copy your public key and save into the target server via command bellow

nano /root/.ssh/id_rsa.pub

After you enter command you will see long line with different symbols, in nano text editor you need to press Alt + 6 and then press combination of button Ctrl + X!

Screenshot №4 — Public key

Change windows of terminal and past file into the needed directory by the default setting it's /home/user/.ssh/id_rsa.pub on the target machine or usually for that purposes we can send right through to the target server via command bellow:

ssh-copy-id root@94.141.96.47

In that command you need to replace IP-address yours target machine and add public key. In that moment that server will compare his base of hash keys and your hash of public key. In our situation we don't add file to the server and connect at the first time:

Screenshot №5 — Send key

For confirmation that you have permission add key to that account - type accordance credential.

Screenshot №6 — Add key

No we have seen added key to our server, therefore next process of authentification will be easy: we need to type credentials as we consider before and target will check hash, reliability bundle of public and private keys.

Change SSH port

Changing the default SSH port from 22 to a non-standard port is a straightforward yet effective practice to bolster security and protect against automated scanning and brute-force attacks. It enhances the organization's security posture by deterring opportunistic attackers and reducing log clutter. Although it is not a standalone security solution, changing the SSH port serves as a proactive measure that contributes to a comprehensive security strategy, promoting a safer and more resilient computing environment. For that open configuration file on your machine:

nano /etc/ssh/sshd_config

Screenshot №7 — Configuration

In opened window delete hashtag infront of Port and change value for your preferred. After that press Ctrl+O for save file and restart ssh service via command below:

systemctl restart ssh

Now you port for SSH was modified and you can use it for setup connection!

Usage of SSH tunnel

Except control and transfer data to another machine with tunneling we can use it for redirect traffic and represent our tunnel as proxy server.

SSH port forwarding allows users to securely access services running on a remote server, even if they are not directly exposed to the internet. Through SSH tunneling, services such as web applications, databases, or remote desktops can be forwarded to a local machine, enabling efficient management and administration of remote systems. For that purposes type command:

ssh  -L 9999:127.0.0.1:80 root@94.141.96.47

Screenshot №8 — Port forwarding static

Besides a detailed explanation:

By setting up a dynamic SSH tunnel and configuring it as a SOCKS proxy server, we can efficiently route network traffic from our local machine through the remote server. This enables any application or service on the local machine that supports SOCKS proxy settings to utilize the tunnel as its proxy server. To achieve this, you can use the specified command:

ssh -D 8888 root@94.141.96.47

Screenshot №9 — Port forwarding dynamic

When you execute the specified command, it initiates an SSH connection to the remote server on your behalf. Once the connection is established, your local machine sets up a listening port, which in this case is port 8888.

Unlike local port forwarding that we discussed earlier (using the -L option), dynamic port forwarding (using the -D option) creates a SOCKS proxy server directly on your local machine. When an application on your local machine attempts to access the internet, it can use this SOCKS proxy server by configuring it to connect through localhost:8888.

As a result, all network traffic from your local machine will be redirected through the established SSH connection to the remote server. The remote server will then handle the outgoing traffic and forward it to its final destination on the internet.

This dynamic port forwarding technique provides your applications with a secure and encrypted internet connection via the remote server. It can be particularly useful when certain internet servers or resources are inaccessible due to restrictions or firewalls on your local network. By using dynamic port forwarding, you can bypass these restrictions and access the internet securely through the remote server.

Conclusion

SSH tunneling provides a robust solution for secure data transfer and access to resources across unreliable networks. With its ability to create secure communication channels and securely redirect traffic, SSH tunneling enhances data security and privacy, making it an essential tool for safeguarding sensitive information and ensuring secure access to remote resources. By leveraging SSH tunneling, users can establish secure connections, protect sensitive data, and bypass network restrictions, contributing to a more secure and resilient computing environment.