Fillepe The Mexican n00b
Joined: 12 Mar 2004 Posts: 71
Posted: Thu May 05, 2005 4:05 am Post subject: [solved] http through ssh
Hello, I have an interesting problem that I was hoping you might be able to help me solve. Currently I am doing an e-commerce course and am learning ASP.
The lab that they provide us has about half as many computers as necessary, and as such it is difficult to get a machine. As ASP needs IIS to work properly, I have set myself up a server at home on a Win2000 box I had. This works great when I'm at home, but I'd like to be able to access it from varsity. I could just expose it to the net, but I don't know the first thing about locking down IIS and really don't like the idea of having a poorly configured web server on my network (or a webserver at all for that matter).
What I want to try and do is threefold:
1. Set up an ssh tunnel to my linux machine that tunnels a port (say 1080) to my gentoo box at home.
2. The gentoo box receives the traffic through ssh on 1080 and rebroadcasts it on port 80 to my Win2K box.
3. The Win2K box receives the web request on port 80 and replies.
4. Gentoo box sends it back to varsity on port 1080 through ssh.
Now I don't actually know how to port forward through ssh, but I can find out, so this is not my question. The question that I have is how to accomplish parts 2 and 4. Is anybody able to provide me with a reasonably easy to understand reference on how to do it, or possibly provide the rules for iptables to achieve the desired results?
Thanks
Fillepe
Last edited by Fillepe The Mexican on Mon May 16, 2005 3:25 am; edited 1 time in total
Gherald Veteran
Joined: 23 Aug 2004 Posts: 1399 Location: CLUAConsole
Posted: Thu May 05, 2005 4:14 am Post subject:
Why not just open your win2k machine to the world on some obfuscated port (9222 off the top of my head) and leave the rest firewalled with e.g. ZoneAlarm?
Simple is better...
jdgill0 Veteran
Joined: 25 Mar 2003 Posts: 1366 Location: Lexington, Ky -- USA
Posted: Thu May 05, 2005 4:41 am Post subject:
If you are not absolutely requiring ssh, you could use rinetd; its description:
Quote: Description: redirects TCP connections from one IP address and port to another
I have used this in the past; it works quite well. You would set up your gentoo box to listen on port 1080 with the IP of the machine running rinetd (that's the "from" IP), then have rinetd redirect that to port 80 and the IP of your Win box.
Fillepe The Mexican n00b
Joined: 12 Mar 2004 Posts: 71
Posted: Thu May 05, 2005 11:22 am Post subject:
These ideas would both work; however, I still have one potential problem with both of them: if I understand post 3 correctly, it would just expose the server on another port. I know that having an unsecured/poorly secured IIS server on port 80 is suicide. How much is the risk of worm infections mitigated by running on a non-standard port? It could still be determined from a port scan that a web server was available, could it not?
If it was tunneled through ssh it would not be open to any machine that I was not personally logged into. Is this an accurate appraisal?
nielchiano Veteran
Joined: 11 Nov 2003 Posts: 1287 Location: 50N 3E
Posted: Thu May 05, 2005 11:28 am Post subject:
Fillepe The Mexican wrote: "It could still be determined from a port scan that a web server was available, could it not?"
A regular port-scan will just show that port xxxxx is "open", but WHAT is behind it stays unknown. More advanced scanners could indeed try to talk HTTP and check if it is a webserver...
Fillepe The Mexican wrote: "If it was tunneled through ssh it would not be open to any machine that I was not personally logged into. Is this an accurate appraisal?"
True.
Percius n00b
Joined: 13 Jul 2004 Posts: 47
Posted: Thu May 05, 2005 1:42 pm Post subject:
You can open the port, but if you already have SSH set up and secured... Remember that SSH can mean potential remote root access, as you are running a program that is designed to give access.
I am going to presume that you are using a Windows box at LocationX. The program I use for SSH is PuTTY.
Free from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html
In the PuTTY window on the side you have Connections --> SSH --> Tunnels.
Source Port is the port that is going to accept the data on the local machine, i.e. 1080 or whatever.
Destination is where that information is going to go. It should be 192.168.xxx.xxx:80, where the IP is that of your Windows box.
If you save your configuration in PuTTY then you won't have to enter it again every time.
This only works if you enable port forwarding in SSH on your server. That option is found in /etc/ssh/sshd.conf if my memory serves me correctly.
The setup used above would mean that http://127.0.0.1:1080 would redirect you to your M$ evil machine running ASP.
If you need more help please let me know; otherwise I recommend you put [SOLVED] in the thread title.
Fillepe The Mexican n00b
Joined: 12 Mar 2004 Posts: 71
Posted: Fri May 06, 2005 2:53 am Post subject:
Ok, the answers I need are in fact here; I just gotta get this sorted in my head.
The machine that I am running on at "Location X" (actually university) is actually a Fedora Core 3 machine. The whole dilemma stems from the fact that I want to develop on these machines and at home and not have to touch the WinXP/FrontPage nastiness.
The Plan (tm)
1. Set up ssh tunnel of port 1080 from uni FC3 box to home Gentoo box.
2. Set up home Gentoo box to use port forwarding in sshd.conf.
3. On uni box connect to http://localhost:1080
4. Profit?
Well, ignoring the poor Slashdot jokes, I'll let you know how this gets on.
Thanks for the help.
taskara Advocate
Joined: 10 Apr 2002 Posts: 3763 Location: Australia
Posted: Sun May 15, 2005 12:46 pm Post subject:
Or via the ssh command..
Code:
ssh remote-server-ip -N -L localport:localhost:remoteport
i.e.
Code:
ssh 192.168.0.1 -N -L 8080:localhost:80
will bring Apache (port 80) from a remote computer (192.168.0.1) to my local machine on port 8080 (localhost:8080).
Fillepe The Mexican n00b
Joined: 12 Mar 2004 Posts: 71
Posted: Mon May 16, 2005 3:24 am Post subject:
Well, I can now safely say it worked. I can now access my Win2k server from uni. It is not available to anybody on the public net. The ssh account also operates in a passwordless chroot jail using private/public keys. Yay!
The following config is fairly straightforward, but for the benefit of anybody looking for a solution I have included my ssh_config.
This is in the client-side file ~/.ssh/config
Code:
Host afis
HostName <myHomeIP>
User afis
IdentityFile /path/to/ssh/key.dsa
LocalForward 1080 192.168.0.229:80
This forwards port 1080 of the local machine to port 80 of 192.168.0.229 on my home network. You connect via http://localhost:1080.
Thanks for the help everybody.
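As an added example (not code from the thread or from OpenSSH), the following Python turns a client stanza like the one above into the one-off `ssh -N -L` form taskara gave earlier, and flags any LocalForward whose bind address is not loopback, since on a shared machine like the uni box such a listener is reachable from other hosts rather than only from your own session. 203.0.113.10 stands in for <myHomeIP> and the `*:8080` forward is a constructed entry added only to show the check firing; keyword/value pairs are assumed to be space-separated.

```python
# Added example, not code from the thread. 203.0.113.10 stands in for <myHomeIP>;
# the '*:8080' forward is constructed only to show the exposure check firing.
import shlex

SAMPLE_CONFIG = """\
Host afis
    HostName 203.0.113.10
    User afis
    IdentityFile /path/to/ssh/key.dsa
    LocalForward 1080 192.168.0.229:80
    LocalForward *:8080 192.168.0.229:80
"""

def parse_host_stanza(text, host):
    """Return {keyword: [values]} for the `Host <host>` block (keywords lower-cased)."""
    opts, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.split("#", 1)[0].strip().partition(" ")
        if key.lower() == "host":
            current = value.strip()
        elif key and current == host:
            opts.setdefault(key.lower(), []).append(value.strip())
    return opts

def parse_local_forward(spec):
    """Split '[bind:]port host:hostport' into (bind, port, host, hostport); bind '' = default."""
    listen, dest = spec.split()
    bind, _, port = listen.rpartition(":")
    host, _, hostport = dest.rpartition(":")
    return bind, int(port), host, int(hostport)

def tunnel_command(text, host):
    """Equivalent one-off `ssh -N [-i key] -L ... user@hostname` command line."""
    opts = parse_host_stanza(text, host)
    args = ["ssh", "-N"]
    if "identityfile" in opts:
        args += ["-i", opts["identityfile"][0]]
    for spec in opts.get("localforward", []):
        bind, port, dest, dport = parse_local_forward(spec)
        args += ["-L", (f"{bind}:" if bind else "") + f"{port}:{dest}:{dport}"]
    target = opts.get("hostname", [host])[0]
    if "user" in opts:
        target = f"{opts['user'][0]}@{target}"
    return shlex.join(args + [target])

def exposed_forwards(text, host):
    """Forwards not bound to loopback; '' is the default bind (loopback unless GatewayPorts is set)."""
    specs = parse_host_stanza(text, host).get("localforward", [])
    return [f"{b}:{p}" for b, p, _, _ in map(parse_local_forward, specs)
            if b not in {"", "localhost", "127.0.0.1", "::1"}]
```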