reverse ssh
hello

i have a linux machine with a private ip connected to the internet
i have a public ip and need to ssh to the linux box

any tools for that ?

___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
Re: reverse ssh
ssh itself ?

http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/

Kaplan

On Sun, Jul 20, 2014 at 11:36 AM, Erez D wrote:
> hello
>
> i have a linux machine with a private ip connected to the internet
> i have a public ip and need to ssh to the linux box
>
> any tools for that ?
Re: reverse ssh
On Sun, Jul 20, 2014 at 10:39 AM, Lior Kaplan wrote:
> ssh itself ?
>
> http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/

nice, however this requires me to give access to my server, which i do
not want ...
(or, can i give people permission to ssh to my server only for reverse
tunnels and no shell ?)
Re: reverse ssh
Didn't check it, but logging in with a user who has /bin/true might do the
trick.

Kaplan

On Sun, Jul 20, 2014 at 12:03 PM, Erez D wrote:
> nice, however this requires me to give access to my server, which i do
> not want ...
> (or, can i give people permission to ssh to my server only for reverse
> tunnels and no shell ?)
Re: reverse ssh
On 2014-07-20 12:03, Erez D wrote:
> nice, however this requires me to give access to my server, which i do
> not want ...
> (or, can i give people permission to ssh to my server only for reverse
> tunnels and no shell ?)

Yes you can:

http://stackoverflow.com/questions/8021/allow-user-to-set-up-an-ssh-tunnel-but-nothing-else
http://serverfault.com/questions/56566/ssh-tunneling-only-access

But, as it's a security issue, make sure you know what you are doing! :-)
Re: reverse ssh
On Sun, Jul 20, 2014 at 11:06 AM, Lior Kaplan wrote:
> Didn't check it, but logging in with a user who has /bin/true might do the
> trick.

you are correct, it works.
however it is still a security risk, as this means the client may
listen on unused port ...
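
The restriction asked about in the messages above (an account that can open a reverse tunnel but gets no shell and cannot listen on arbitrary ports), as an added example that is not part of the original thread. The account name "tunnel", port 2222, the host name and the key are assumptions; PermitListen and permitlisten need OpenSSH 7.8 or later.

```conf
# ---- /etc/ssh/sshd_config on the public server -------------------------
# Weak variant from the thread: an account whose login shell is /bin/true.
# No shell is available, but "ssh -R <any port>:..." is still accepted,
# so the client can open a listener on any unused unprivileged port.

# Hardened variant: per-account restrictions (assumed account name: tunnel)
Match User tunnel
    # Keys only, no passwords for this account
    AuthenticationMethods publickey
    PasswordAuthentication no

    # Allow only remote (-R) forwarding; -L and -D are refused
    AllowTcpForwarding remote

    # The single listening port this account may request (assumed: 2222)
    PermitListen 2222

    # Forwarded listeners bind to loopback only, never to the public address
    GatewayPorts no

    # No shell, no command, no side channels
    ForceCommand /bin/false
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no

# ---- ~tunnel/.ssh/authorized_keys on the public server -----------------
# Per-key equivalent: "restrict" turns everything off, "port-forwarding"
# turns forwarding back on, "permitlisten" pins the port. The key blob is a
# placeholder, not a real key.
restrict,port-forwarding,permitlisten="2222",command="/bin/false" ssh-ed25519 AAAA...PLACEHOLDER... tunnel@private-box

# ---- how the private machine connects (hostname is an assumption) ------
#   ssh -N -o ExitOnForwardFailure=yes -R 2222:localhost:22 tunnel@public.example.org
# -N requests no command, so ForceCommand never runs and the tunnel stays up.
# A request for any other listening port is refused by the server.
```

After editing sshd_config, `sshd -t` checks the syntax before the daemon is reloaded.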
Re: reverse ssh
you can add a port-knocking tool like fwknop to add a dynamic rule to
forward your connection into the private machine.

--
Rabin

On Sun, Jul 20, 2014 at 12:16 PM, Erez D wrote:
> you are correct, it works.
> however it is still a security risk, as this means the client may
> listen on unused port ...
Re: reverse ssh
On 7/20/2014 12:03 PM, Erez D wrote:
> nice, however this requires me to give access to my server, which i do
> not want ...
> (or, can i give people permission to ssh to my server only for reverse
> tunnels and no shell ?)

What I did is to run a second SSH server listening on a port that no one would expect SSH connections and ONLY allow connections with key exchanges. So someone could connect to that port randomly or with a scan, but would be unable to do anything with it.

The regular SSH server, which ran on port 22, allowed much looser connections, root connections, etc., but port 22 was NOT forwarded out the firewall. This allowed me to do RSYNC, etc. locally as root or a user with no restrictions.

Once the SSH connection is established, it can be used to tunnel anything.

Geoff.

--
Geoffrey S. Mendelson 4X1GM/N3OWJ Jerusalem Israel.
Re: reverse ssh
On 20/07/2014 12:45, geoffrey mendelson wrote:
> What I did is to run a second SSH server listening on a port that no one
> would expect SSH connections and ONLY allow connections with key
> exchanges. So someone could connect to that port randomly or with a scan,
> but would be unable to do anything with it.

Well, that's the essence of port knocking, isn't it :)

--
Moish
Re: reverse ssh
looks a little complicated - extra ssh server, firewall with port knocking
all this for a ssh connection ...

On Sun, Jul 20, 2014 at 11:38 AM, Rabin Yasharzadehe wrote:
> you can add a port-knocking tool like fwknop to add a dynamic rule to
> forward your connection into the private machine.
>
> --
> Rabin
Re: reverse ssh
If you just want an ssh connection you can simply redirect connection attempts to some port on the Internet-accessible machine to port 22 on the private-ip one - using whatever tool that fits you best - iptables, xinetd, redir, probably many others.

--
Didi

2014-07-20 13:31 GMT+03:00 Erez D :
> looks a little complicated - extra ssh server, firewall with port knocking
> all this for a ssh connection ...
Re: reverse ssh
On Sun, Jul 20, 2014 at 1:30 PM, Yedidyah Bar David wrote:
> If you just want an ssh connection you can simply redirect connection
> attempts to some port on the
> Internet-accessible machine to port 22 on the private-ip one - using
> whatever tool that fits you best -
> iptables, xinetd, redir, probably many others.
> --
> Didi

i do not understand what you mean
Re: reverse ssh
Re: all

You can have something running on the machine you want to SSH to that updates the machine with a fixed IP what its IP is and have a firewall rule or some other way to redirect specific traffic like for instance traffic to TCP:2 from that machine to the IP that it was updated to be

2014-07-20 14:33 GMT+03:00 Erez D :
> i do not understand what you mean
Re: reverse ssh
On Sun, Jul 20, 2014 at 3:36 PM, E.S. Rosenberg wrote:
> You can have something running on the machine you want to SSH to that
> updates the machine with a fixed IP what its IP is and have a firewall rule
> or some other way to redirect specific traffic like for instance traffic to
> TCP:2 from that machine to the IP that it was updated to be

still do not understand what you mean, and how it will let me connect
to a machine with a private ip
Re: reverse ssh
I think we need to reset here for a minute...

Is your goal to connect to a machine with an IP on a private range where there exists a gateway machine or router with a (known) public IP?
In that case the solution is very simple: port-forwarding
However I would not do that without also running fail2ban and maybe also fwknop so that evil SSH traffic would have a harder time at getting at my server.

Or is your goal to connect to a machine reachable via a dynamic IP and you have a machine with a fixed IP that you can route via?
In that case solutions are more complex, most of the solutions above related to that scenario I think.

So please clear up for us what your exact goal is.

Regards,
Eliyahu - אליהו

2014-07-20 18:46 GMT+03:00 Erez D :
> still do not understand what you mean, and how it will let me connect
> to a machine with a private ip