
Implementing SSH: Strategies for Optimizing the Secure Shell, Part 7 (PDF)


DOCUMENT INFORMATION

Basic information

Title: Implementing SSH: Strategies for Optimizing the Secure Shell, Part 7
School: SSH Communications
Field: Computer Science
Type: article
Pages: 41
Size: 1.03 MB

Contents


... installation has been completed (see Chapter 1 for details on how to install an SSH server). SSH Communications' server can permit or restrict port forwarding, also known as tunneling. For example, if port forwarding is not desired, the tunneling settings can disable it while still allowing terminal and/or SFTP access. Beyond a global permit or deny, forwarding can be allowed for a specified set of users and denied to everyone else, or denied for a specified set of users and allowed for everyone else. Lastly, in addition to allowing and denying specific users and/or groups, the server can restrict port forwarding with ACLs based on destination IP addresses and port numbers. For example, if forwarding should reach only a few selected internal machines rather than all of them, port-forwarding ACLs can be set so that only certain IP addresses on certain ports are reachable by port-forwarding SSH clients. To view and configure the tunnel options on SSH Communications' SSH server, perform the following steps:

1. Change directories to /etc/sshd2:

# Local port forwardings to host 10.1.0.25 ports 143 and 25 are
# allowed for all users in group users.
# Note that forwardings using the name of this host will be allowed
# (if it can be resolved from the DNS).
#
# ForwardACL allow local *%users \i10\.1\.0\.25%(143|25)
#
# Local port forwardings requested exactly to host proxy.company.com
# port 8080 are allowed for users that have 's' as first character
# and belong to the group with group id 10:
#

218 Chapter 6


# Remote port forwarding is denied for all users to all hosts:
# ForwardACL deny remote * *

4. Uncomment the AllowTcpForwarding line by deleting the # symbol.

5. Uncomment the AllowTcpForwardingForUsers line by deleting the # symbol and list the permitted users:

AllowTcpForwardingForUsers root, admin, system@Aum-sshserver\.com

Notice the \ before the . in com. These values are regular expressions, so a \ is mandatory before any character that is a regex metacharacter (such as .) when it is meant literally.

8. Continue to enter values, denying access to the backup and test accounts while allowing the RemoteAccess group:

AllowTcpForwarding yes
AllowTcpForwardingForUsers root, admin, system@Aum-sshserver\.com
DenyTcpForwardingForUsers backup, test
ForwardACL allow local .*%users \i192\.168\.0\.10%(25)
ForwardACL allow local .*%users \i172\.16\.11\.17%(80|443)
ForwardACL allow local .*%users \i172\.16\.11\.8%(143)
ForwardACL allow local .*%users \i172\.16\.11\.72%(3389)

These rules allow all users and groups to port forward only to 192.168.0.10 (port 25), 172.16.11.17 (ports 80 and 443), 172.16.11.8 (port 143), and 172.16.11.72 (port 3389), while denying forwarding to all other servers. Notice the syntax used for the port-forwarding ACLs: a \i precedes the first octet of the IP address, and a \ precedes the dot before every following octet (the address is a regular expression, and an unescaped . would match any character). The complete syntax is as follows:

ForwardACL argument users \iIP\.Address\.of\.server%(port|port|port)

DNS names can also be used in ForwardACL statements. For example, if Aum.terminalserver.com is the destination server on port 3389, the following syntax can be used:

ForwardACL allow *%users Aum\.terminalserver\.com%3389

Note that once allow rules are in place on the SSH server, every destination that is not explicitly allowed is denied: only the servers specifically listed will be reachable by port-forwarding SSH clients, and everything else is denied by default. (This default denial makes deny rules redundant for destinations that are already outside the allow list.) Furthermore, server-side port-forwarding filtering overrides any port-forwarding rules configured on the SSH clients themselves.
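The allow-list semantics just described (the user lists first, then the ForwardACL patterns, with everything outside an allow rule denied) can be checked before touching a live server. The following is an added example, not code from SSH Communications or from this book: a small Python model of the four directives that parses the step-8 rules and decides individual forwarding requests. It assumes the patterns are ordinary regular expressions that must match the whole subject, that the leading \i is sshregex's ignore-case flag, that a user-list entry containing @ is compared against user@clienthost, and that deny rules are checked before allow rules; the vendor's exact matching rules may differ.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Added example, not SSH Communications' code: a model of the tunnelling
# controls in sshd2_config (AllowTcpForwarding, AllowTcpForwardingForUsers,
# DenyTcpForwardingForUsers, ForwardACL). Assumptions: patterns are Python
# regular expressions that must match the whole subject; a leading "\i" is
# taken to be sshregex's ignore-case flag; a user-list entry containing "@"
# is matched against "user@clienthost"; deny rules are checked before allow
# rules, and once any allow rule exists for a direction every unmatched
# destination is denied, as the text describes.


@dataclass
class ForwardACL:
    action: str       # "allow" or "deny"
    direction: str    # "local" or "remote"
    user_pat: str     # matched against "user%group"
    target_pat: str   # matched against "host%port"


@dataclass
class TunnelPolicy:
    allow_tcp_forwarding: bool = True
    allow_users: List[str] = field(default_factory=list)   # AllowTcpForwardingForUsers
    deny_users: List[str] = field(default_factory=list)    # DenyTcpForwardingForUsers
    acls: List[ForwardACL] = field(default_factory=list)   # ForwardACL lines, in file order


def matches(pattern: str, subject: str) -> bool:
    """Whole-string regex match; a "\\i" prefix switches on ignore-case."""
    flags = 0
    if pattern.startswith(r"\i"):
        flags |= re.IGNORECASE
        pattern = pattern[2:]
    return re.fullmatch(pattern, subject, flags) is not None


def parse_config(text: str) -> TunnelPolicy:
    """Read the four tunnelling directives from sshd2_config-style text."""
    pol = TunnelPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        if key == "AllowTcpForwarding":
            pol.allow_tcp_forwarding = rest.strip().lower() == "yes"
        elif key == "AllowTcpForwardingForUsers":
            pol.allow_users = [u.strip() for u in rest.split(",")]
        elif key == "DenyTcpForwardingForUsers":
            pol.deny_users = [u.strip() for u in rest.split(",")]
        elif key == "ForwardACL":
            action, direction, user_pat, target_pat = rest.split()
            pol.acls.append(ForwardACL(action.lower(), direction.lower(), user_pat, target_pat))
    return pol


def may_forward(pol, user, group, direction, host, port, client_host=""):
    """Decide one forwarding request: user-level lists first, then ForwardACL."""
    if not pol.allow_tcp_forwarding:
        return False
    subjects = (user, f"{user}@{client_host}")
    if any(matches(p, s) for p in pol.deny_users for s in subjects):
        return False
    if pol.allow_users and not any(matches(p, s) for p in pol.allow_users for s in subjects):
        return False
    who, target = f"{user}%{group}", f"{host}%{port}"
    rules = [a for a in pol.acls if a.direction == direction]
    hit = [a for a in rules if matches(a.user_pat, who) and matches(a.target_pat, target)]
    if any(a.action == "deny" for a in hit):
        return False
    if any(a.action == "allow" for a in rules):   # an allow list exists: default deny
        return any(a.action == "allow" for a in hit)
    return True                                   # no allow list for this direction


# Constructed sample: the rules entered in step 8 above, with the page's
# "deny remote * *" written as ".*" so that it is a valid regex.
SAMPLE_CONFIG = r"""
AllowTcpForwarding yes
AllowTcpForwardingForUsers root, admin, system@Aum-sshserver\.com
DenyTcpForwardingForUsers backup, test
ForwardACL allow local .*%users \i192\.168\.0\.10%(25)
ForwardACL allow local .*%users \i172\.16\.11\.17%(80|443)
ForwardACL allow local .*%users \i172\.16\.11\.8%(143)
ForwardACL allow local .*%users \i172\.16\.11\.72%(3389)
ForwardACL deny remote .* .*
"""

if __name__ == "__main__":
    pol = parse_config(SAMPLE_CONFIG)
    print(may_forward(pol, "root", "users", "local", "192.168.0.10", 25))    # True
    print(may_forward(pol, "root", "users", "local", "192.168.0.10", 110))   # False: port not allowed
    print(may_forward(pol, "backup", "users", "local", "192.168.0.10", 25))  # False: denied user
    print(matches(r"192.168.0.10%25", "192x168x0x10%25"))                    # True: unescaped dots
```

The last call in the demo is the reason for the escaping rule above: without the backslashes, 192.168.0.10 also matches 192x168x0x10, so an ACL that looks specific is broader than intended.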

Configuration for SSH Communications' SSH Server (Windows)

SSH Communications provides an SSH server for Windows as well as Unix. Unlike the Unix version, the Windows version is configured and enabled using a GUI, as described earlier in the "SSH Communications' SSH server" section of Chapter 2.

The SSH server in Figure 6.11, 11.30.11.21, has a routable IP address that is reachable from both internal networks and external networks such as the Internet. By default, SSH Communications' SSH server enables port forwarding, so no special configuration is required on the SSH server after installation has been completed (see Chapter 1 for how to install an SSH server). SSH Communications' server can permit or deny port forwarding, also known as tunneling. For example, if port forwarding is not desired, tunneling can be denied completely while still allowing terminal and/or SFTP access. In addition to permitting or restricting port forwarding globally, the server can allow port forwarding for only a specified set of users and deny it for everyone else, or deny it for a specified set of users and allow it for everyone else. To view and configure the tunnel options on SSH Communications' SSH server, perform the following steps:


Figure 6.20 SSH Communications’ Tunneling options.

1. Start ➪ Programs ➪ SSH Secure Shell Server ➪ Configuration.

2. Under SSH Server Settings, browse to Tunneling. As shown in Figure 6.20, SSH Communications' Tunneling menu can allow or deny tunnels.

3. Check the Allow TCP Tunneling checkbox.

4. In the Allow TCP Tunneling for Users textbox, enter the usernames for which you want to permit port forwarding, such as the administrator account and other admin-level accounts (separated by commas).

5. In the Deny TCP Tunneling for Users textbox, enter the usernames for which you want to deny port forwarding, such as the guest account and other nonauthorized accounts (separated by commas).

6. Select the Apply button.

7. Tunneling (port forwarding) restrictions have now been applied. As shown in Figure 6.21, tunneling restrictions and permissions are easy to apply.

The SSH server has now been configured with Terminal, SFTP/SCP, andport forwarding; port forwarding, however, is restricted to the administrator,chandradhar, and prabha accounts and is specifically denied to the guest,IUSR_SSH, and backup accounts


Figure 6.21 SSH Communications’ Tunneling configuration options.

Configuration for VanDyke Software’s VShell SSH Server

VanDyke Software provides an SSH server for Windows called VShell. The Windows version is configured and enabled using a GUI, as described earlier in the "VShell SSH Server" section of Chapter 2.

The SSH server in Figure 6.11, 11.30.11.21, also has a routable IP address that is reachable from both internal networks and external networks such as the Internet. Port forwarding is also enabled by default on the VShell server, so no special configuration is needed after installation has been completed (see Chapter 1 for installing an SSH server). Like SSH Communications' server, VShell can restrict or permit port-forwarding access, but it places the permissions and restrictions on the destination servers rather than on the users. For example, in Figure 6.11 port forwarding would be filtered by allowing tunneling to the mail relay, mail server, Web server, and Windows terminal server and denying it to the other IP addresses on the internal network. In addition to permitting or restricting port forwarding by IP address, a filter can cover a hostname, a network subnet (netmask), or a domain. For example, if every server in the 192.168.0.0 network were a permitted forwarding destination, the whole subnet could be allowed in one filter instead of adding several hundred machines. Similarly, if all servers in the internal network range 172.16.1.0-172.16.1.254 are off limits, the entire subnet can be denied. To view and configure the filter options on the VShell SSH server, perform the following steps:


Figure 6.22 The VShell filtering options.

1. Start ➪ Programs ➪ VShell ➪ VShell.

2. Browse to the Port-Forward Filters section (see Figure 6.22).

To configure the port-forwarding options according to Figure 6.11, use the following steps:

1. Notice the default rule that allows port forwarding to all machines. Delete this rule by highlighting it and selecting Delete.

2. Select Add to add filtering entries.

3. Select the drop-down box next to Filter Type to view the type options, including IP address, Hostname, Netmask, and Domain (see Figure 6.23).

Figure 6.23 VShell’s Filter Type options for port-forwarding filters.


4. In the Allow section, select the Allow radio button.

5. For the Filter type, select IP address.

6. In the IP address field, type 192.168.0.10.

7. In the Port section, select the Port radio button and type 25 in the text

Figure 6.24 VShell's filtering rules for port forwarding according to Figure 6.11.

If the entire network were allowed to port forward except for a few specified servers, both Allow filters and Deny filters would be required. For example, if the internal network had an IP range of 172.16.1.1-172.16.1.254 and the only restricted server was 172.16.1.100, the VShell port-forwarding filtering would need to look like Figure 6.25, where the 172.16.1.0 network is permitted and the 172.16.1.100 server is specifically denied.


Figure 6.25 Access to the internal network, except for one server.

Make sure the Deny filter comes before the Allow filter: filters are read from top to bottom and the first matching filter decides, so an Allow for the 172.16.1.0 network placed first would match 172.16.1.100 before the Deny is ever reached.
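Because VShell evaluates filters top to bottom and stops at the first match, the order of an overlapping Deny and Allow decides the outcome. The following added example (not VanDyke's code and not from the original text) models that evaluation in Python, builds the Figure 6.24 and Figure 6.25 filter lists as constructed data, and includes a small check that reports Deny filters shadowed by an earlier, broader Allow. It assumes first-match semantics with deny as the default once the stock allow-all rule has been deleted, netmask filters written in CIDR form, domain filters matching hosts under the domain, and the 172.16.11.x server addresses used earlier in this chapter for Figure 6.11.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Added example, not VanDyke's code: a model of VShell's ordered port-forward
# filters as the text describes them. Assumptions: filters are evaluated top
# to bottom and the first match decides; a request that matches nothing is
# denied (the default allow-all rule was deleted in step 1); "netmask"
# filters are given in CIDR form; hostname and domain filters compare names
# case-insensitively, and a domain filter matches hosts under that domain.


@dataclass
class Filter:
    action: str                  # "allow" or "deny"
    kind: str                    # "ip", "netmask", "hostname" or "domain"
    value: str                   # e.g. "172.16.1.100", "172.16.1.0/24", "corp.example"
    port: Optional[int] = None   # None means any port


def filter_matches(f: Filter, host: str, port: int) -> bool:
    if f.port is not None and f.port != port:
        return False
    if f.kind in ("ip", "netmask"):
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False          # a name was requested, not an address
        if f.kind == "ip":
            return addr == ipaddress.ip_address(f.value)
        return addr in ipaddress.ip_network(f.value, strict=False)
    name = host.lower()
    if f.kind == "hostname":
        return name == f.value.lower()
    if f.kind == "domain":
        return name.endswith("." + f.value.lower().lstrip("."))
    raise ValueError(f"unknown filter kind {f.kind!r}")


def decide(filters: List[Filter], host: str, port: int) -> str:
    """First matching filter wins; nothing matched means deny."""
    for f in filters:
        if filter_matches(f, host, port):
            return f.action
    return "deny"


def shadowed_denies(filters: List[Filter]) -> List[int]:
    """Indices of ip/netmask deny filters that can never fire because an
    earlier allow already matches their address: the ordering mistake the
    text warns about. A netmask deny is probed with its network address, and
    a deny without a port is probed with port 0, so port-specific allows are
    not reported."""
    bad = []
    for i, f in enumerate(filters):
        if f.action != "deny" or f.kind not in ("ip", "netmask"):
            continue
        if f.kind == "ip":
            probe = f.value
        else:
            probe = str(ipaddress.ip_network(f.value, strict=False).network_address)
        if decide(filters[:i], probe, f.port if f.port is not None else 0) == "allow":
            bad.append(i)
    return bad


# Constructed sample for Figure 6.24: only the four servers of Figure 6.11.
FIGURE_6_24 = [
    Filter("allow", "ip", "192.168.0.10", 25),
    Filter("allow", "ip", "172.16.11.17", 80),
    Filter("allow", "ip", "172.16.11.17", 443),
    Filter("allow", "ip", "172.16.11.8", 143),
    Filter("allow", "ip", "172.16.11.72", 3389),
]

# Constructed sample for Figure 6.25: deny the one server, then allow the subnet.
FIGURE_6_25 = [
    Filter("deny", "ip", "172.16.1.100"),
    Filter("allow", "netmask", "172.16.1.0/24"),
]

# The same two filters in the wrong order: the Deny is never reached.
WRONG_ORDER = list(reversed(FIGURE_6_25))

if __name__ == "__main__":
    print(decide(FIGURE_6_25, "172.16.1.100", 110))   # deny
    print(decide(WRONG_ORDER, "172.16.1.100", 110))   # allow
    print(shadowed_denies(WRONG_ORDER))                # [1]
```

Running shadowed_denies over a filter list before applying it in the GUI catches exactly the Figure 6.25 mistake: the Deny for 172.16.1.100 listed after the subnet Allow is reported as unreachable.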

Advantages to SSH Port Forwarding

The strong benefits of port forwarding come from its advanced usage, with little to no added complexity. While many organizations spend thousands of dollars and architectural resources to deploy IPSec VPNs, restrictions on IPSec, such as NAT-enabled networks, often limit the type of access that remote users may utilize. While SSH port forwarding also has its limitations, its ease of use, low setup overhead, and simplicity make port forwarding a very attractive remote-access solution.

You have probably also noticed that, unlike other client/server architectures, most of the configuration of port forwarding is required on the SSH client, not on the SSH server. Most, if not all, SSH2 servers have port forwarding enabled by default, which lets any client take full advantage of the feature after a basic default install of any SSH server. No special configuration or options are required after the initial installation of the SSH server is completed; however, additional configuration options can be enabled on certain SSH servers after installation. As stated before, the SSH client requires most, if not all, of the configuration attention. In order to forward ports from the client to a remote server or vice versa, the options need to be configured on the SSH client and enabled before the SSH connection is established. While this effort is relatively low and usually required only once, many new users are not accustomed to the fact that no server-side configuration is required, only client-side configuration. The concept, while relatively simple, confuses many new SSH users into thinking that some magical tricks must also be configured on the SSH server, which could not be farther from the truth. Once the port-forwarding configuration has been enabled on the SSH client, the port-forwarding tunnels should be fully functional.

The use of different SSH clients with port forwarding is also described in this chapter. While many of the SSH clients provide similar, if not the same, features as one another, there are some subtle differences that should be reviewed in order to select the best SSH client for your situation or organization.

While providing different functionality and usage, both local and remote port forwarding benefit the entire SSH architecture. The fact that most TCP ports can be tunneled over an encrypted SSH session gives SSH a whole new identity: instead of being only an encrypted replacement for Telnet, SSH becomes a viable protection for any insecure TCP port, especially mail protocols such as POP3, IMAP, and SMTP, intranet protocols such as HTTP, and remote-management protocols such as VNC, Windows Terminal Server, X11, and pcAnywhere. The most popular use of SSH, encrypted terminal access, can become a completely secondary feature; SSH is often deployed only for its port-forwarding capabilities, ignoring any terminal or SFTP access it may provide. Lastly, with its flexible architecture and fully encrypted communication, SSH port forwarding provides the ability to access almost any machine over any hostile or untrusted network with assurance of the confidentiality and integrity of the remote session. The fact that the SSH session is fully encrypted, offers two-factor authentication options, and still grants virtually full access to the desired remote server or network makes SSH more flexible than other standard encryption applications.

Summary

This chapter discusses some of the networking basics of one of the more powerful features of SSH. Details on the port-forwarding architecture from both an SSH-client and an SSH-server perspective are introduced and demonstrated. From the initial discussion in the early sections of this chapter, you learn that not only does port forwarding allow SSH to secure weak protocols, such as mail protocols, file transfer protocols, and remote management protocols, but that it also provides the same functionality that end-users are accustomed to. Both remote and local port forwarding give SSH and SSH users an abundance of flexibility in current network architectures, due to their ability to adapt and co-exist with existing technologies, devices, and applications.

Once a framework is established regarding what port forwarding is, the chapter focuses on how to use it. The chapter discusses the configuration details of port-forwarding options on three SSH clients: OpenSSH, SSH Communications', and SecureCRT. It also discusses the configuration details of three SSH servers: OpenSSH, SSH Communications', and VShell. Now that you know what port forwarding is and how to use it, how to optimize it with its basic and advanced features can be addressed. In the next chapter, the focus shifts from the theory, setup, and basic installation of port forwarding on clients and servers to the advanced uses of port forwarding, such as remote-access solutions. Many of the concepts discussed in this chapter are fully utilized in the next one, with an added demonstration of their full flexibility and optimal usage. When deploying a remote-access solution for an organization or a backup VPN solution for a particular department or entity, it is important to understand the many uses of resources such as port forwarding.

Chapter 7

Secure Remote Access

Remote access solutions in various organizations need to meet strict requirements in order to satisfy the needs of their end-users, which can range from road warriors working from hotel rooms to technical administrators working from home. While remote access solutions need to be available, functional, and flexible, security concerns often get overlooked. For example, how many remote users in your network use the following items to get access to company resources?

■■ SMTP and POP/IMAP to retrieve e-mail

■■ Dialup modems when inside Network Address Translated (NAT'd) Local Area Networks

■■ SMB or NFS for remote file access

■■ PPTP, VNC, or pcAnywhere for remote management

If your organization does have several people who access internal resources with any of these items, especially the second option, you probably could use SSH as a partial or full remote access solution. I cannot discuss the topic of remote access solutions without bringing up IPSec as the standard remote access solution. While IPSec might be the favorable solution for many remote access architectures, it might have limitations that make it less than the best solution for you. For example, its cost requirements, its setbacks in NAT'd networks, and its significantly larger deployment requirements might not make it the optimal solution for you.

Following up from the previous chapter, in this chapter I examine theadvanced usage of port forwarding in the context of remote access, specifically:

■■ Secure e-mail with SSH

■■ Secure File Transfer (SMB and NFS) with SSH

■■ Secure management (pcAnywhere, VNC, Terminal Services) with SSH

■■ Secure VPN with SSH (PPP over SSH)

Secure E-mail with SSH

The use of common e-mail protocols such as SMTP, POP3, and IMAP greatly increases the security exposure of an organization's e-mail architecture. Even where SSL-enabled POP3 and IMAP are available, SMTP still commonly carries outgoing e-mail in clear text. While using clear-text protocols for any type of application, including e-mail, management, and file transfer, is a bad idea, using clear-text protocols on the Internet is an even worse idea. SSH can help mitigate these issues: with port forwarding to an SSH server, the SMTP and POP3/IMAP sessions are tunneled across the Internet inside the encrypted SSH connection. This not only prevents unauthorized users from sniffing and reading other people's e-mail but also allows two-factor authentication to be enforced on the SSH connection, increasing the overall security of the e-mail architecture.

In this section, I demonstrate how to implement an SSH architecture withport forwarding to support secure e-mail The architecture I will be using isshown in Figure 7.1

Figure 7.1 shows an SSH server, listening on port 22 (SSH), and a mail-relay server, listening on port 25 (SMTP), in the Internet DMZ off the perimeter firewall. The corporate e-mail server, which listens on port 110 (POP3), is located inside the internal network.

The first example assumes that the SSH server is a Unix machine running OpenSSH, that the SSH client is SecureCRT running on a Windows platform for the road warriors, and that the e-mail client is Outlook Express. The mail relay and the e-mail server can be any application, since no changes are required on either of these devices. My example is a random selection from the different SSH applications I have discussed thus far.

Figure 7.1 [...] e-mail architecture.


Setting Up the SSH Server

Since I am using OpenSSH on Unix, no special changes are required: the service will port forward connections to and from the SSH server by default. (Later OpenSSH releases also let the server restrict forwarding destinations with the PermitOpen directive; setting it so that only the mail relay and the mail server are reachable is worthwhile, because otherwise any authenticated user can forward to anything the SSH server itself can reach.) That being said, some specific rules need to be on the adjacent firewall to ensure that port-forwarding communications are allowed. First, the firewall's external interface (the interface that faces the Internet) must allow connections from the Internet to the SSH server, specifically to port 22 on IP address 11.30.11.21. Second, on the firewall's DMZ interface (the interface that connects to the SSH server and mail relay), connections from the SSH server must be allowed to the internal mail server, specifically from IP address 11.30.11.21 on any source port to port 110 on IP address 172.16.1.100. Lastly, connections from the SSH server to the mail relay inside the DMZ network need to be allowed, specifically from 11.30.11.21 on any source port to port 25 on IP address 11.30.11.22.

After the SSH server has been completely installed and the firewall rules are in place, the SSH server is ready for the secure e-mail architecture.

Setting Up the SSH Client

Once the SSH server has been set up, the SSH client on the road-warrior laptops should be configured. Using SecureCRT 4.0 or above, configure as follows:

1. Select Start ➪ Programs ➪ SecureCRT ➪ SecureCRT.

2. Choose File ➪ Quick Connect.

3. Select SSH2 in the Protocol field.

4. Enter 11.30.11.21 in the Hostname field.

5. Enter 22 in the Port field.

6. Enter the correct username, such as Kusum, in the Username field.

7. Make sure the "Save session" box is checked.

8. Select "Connect" and log in to the SSH server with the appropriate password.

9. After the session has been established, disconnect it: File ➪ Disconnect.

10. Select File ➪ Connect and highlight the 11.30.11.21 entry.

11. Right-click 11.30.11.21 and select Properties.

12. Highlight the Port Forwarding section.


Now that the setup is complete, you can add the local port-forwardingoptions:

13. Select Add to display the Port Forwarding options.

14. Enter Mail Relay in the Name field.

15. In the Local subsection, make sure "Manually select local IP address on which to allow connections" is unchecked.

16. In the Local subsection, enter 25 in the Port field.

17. In the Remote subsection, make sure "Destination host is different from the SSH server" is checked.

18. Enter 11.30.11.22 in the Hostname field.

19. In the Remote subsection, enter port 25 in the Port field.

20. Do not enter anything in the Application subsection.

21. Select OK.

Now that the Mail Relay local port-forwarding option is set up, the MailServer local port-forwarding option can be set:

22. Select Add to display the Port Forwarding options.

23. Enter Mail Server in the Name field.

24. In the Local subsection, make sure "Manually select local IP address on which to allow connections" is unchecked.

25. In the Local subsection, enter 110 in the Port field.

26. In the Remote subsection, make sure "Destination host is different from the SSH server" is checked.

   a. Enter 172.16.1.100 (the internal mail server, not the 11.30.11.22 mail relay) in the Hostname field.

27. In the Remote subsection, enter port 110 in the Port field.

28. In the Application subsection, enter the path for Outlook Express:

   a. "c:\Program Files\Outlook Express\msimn.exe"

   Once the SSH session has been established, this option opens Outlook Express automatically, requiring no interaction from the end-user. While this option may seem trivial, requiring one fewer step for novice end-users is significant; it virtually allows one-step execution for secure e-mail.

29. Select OK.

The result should look like Figure 7.2


Figure 7.2 Local port-forwarding settings.

After the SSH client has been completely installed, the e-mail client is readyfor the secure e-mail architecture

Setting Up the E-mail Client

Once the SSH client has been set up, the e-mail client on the road-warrior laptops should be configured. Using Microsoft Outlook Express 4.0 or above, configure as follows:

1. Start ➪ Programs ➪ Outlook Express.

2. Select Tools from the menu bar and select Accounts.

3. Select the Mail tab.

4. Select the Add button and choose Mail.

5. For Display name, enter the name you would like displayed for your e-mail account, such as Mohandas Gandhi. Select Next.

6. For E-mail address, enter the e-mail address given to you by your e-mail administrator, such as gandhi@bharat.com. Select Next.

7. The next screen should be E-mail Server Names. There are four steps to complete here:

   a. If you are using POP3, select POP3 for your incoming mail server (if you are using IMAP, make sure IMAP is selected for your incoming server).


   b. For the Incoming mail server, enter 127.0.0.1. Remember, you have already completed the port-forwarding steps in the prior section. Once the SSH session has been established, local ports will listen on ports 25 and 110. When Outlook Express attempts to connect to 127.0.0.1 on 110, the SSH client will redirect the connection through the SSH tunnel to the e-mail server.

   c. For the Outgoing mail server, enter 127.0.0.1.

   d. Select Next.

8. Enter the account name given to you by your e-mail administrator, such as Gandhi.

9. Enter your password, if you would like; however, I recommend that you leave this blank and let the application prompt you for authentication every time you log in. Select Next.

10. Click Finish. The e-mail client for secure e-mail has been completed.

11. To verify, highlight 127.0.0.1 in the account field and choose the Properties button on the right. Figures 7.3, 7.4, and 7.5 show how the General, Servers, and Advanced tabs should look on your e-mail client.

Figure 7.3 General tab of Outlook Express.


Figure 7.4 Servers tab of Outlook Express.

Figure 7.5 Advanced tab of Outlook Express.

Once you have verified your settings, select OK and Close. You have completed the e-mail client setup for SSH.

Figure 7.6 Connection to the SSH server.

Executing Secure E-mail

At this point, you have completed the necessary steps for secure e-mail Youhave configured your SSH server and appropriate firewall rules, configuredyour SSH client for port forwarding, and configured your e-mail client to useyour loopback address

In order to start using the secure e-mail architecture, open SecureCRT andconnect to the SSH server, as shown in Figure 7.6

To verify the port-forwarding tunnels, type netstat -an on the command line; both port 25 and port 110 should be listening on the IP address 0.0.0.0, as shown in Figure 7.7. Note that a listener on 0.0.0.0 accepts connections from any host that can reach the laptop, not only from local applications, so on a hotel or other untrusted network anyone on the same segment could use the tunnel to reach the mail relay and mail server. Unless that is intended, bind the forwards to 127.0.0.1 instead (via the "Manually select local IP address on which to allow connections" option in steps 15 and 24), in which case netstat shows 127.0.0.1:25 and 127.0.0.1:110.

Figure 7.7 Local port-forwarding connections listening on ports 25 and 110.
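Rather than reading the netstat output by eye, the check can be scripted. The following is an added example, not from the original text: a Python function that parses netstat -an output in either the Windows or the Unix layout, confirms that each expected local forward is listening, and reports whether it is bound to loopback only or exposed on 0.0.0.0. The two netstat listings embedded in it are constructed samples, not captures from the book's lab, and the laptop address 10.1.1.23 in them is invented.

```python
import ipaddress
from typing import Dict, Iterable, List

# Added example, not from the original text: audit the local listeners that
# SSH port forwarding creates, from "netstat -an" output.
# Assumptions: a listening line ends with LISTEN or LISTENING, and its local
# address is the third field from the end in "addr:port" form (IPv6 in
# brackets), which holds for both the Windows and the Linux layouts.


def listening_sockets(netstat_text: str) -> Dict[int, List[str]]:
    """Map each listening TCP port to the address(es) it is bound on."""
    found: Dict[int, List[str]] = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[-1].upper() not in ("LISTEN", "LISTENING"):
            continue
        if not fields[0].lower().startswith("tcp"):
            continue
        addr, _, port = fields[-3].rpartition(":")
        if not port.isdigit():
            continue
        found.setdefault(int(port), []).append(addr.strip("[]"))
    return found


def classify(addr: str) -> str:
    """'loopback' (127.0.0.1, ::1), 'wildcard' (0.0.0.0, ::, *) or 'interface'."""
    if addr in ("", "*"):
        return "wildcard"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "interface"
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "wildcard"
    return "interface"


def audit_forwards(netstat_text: str, expected_ports: Iterable[int]) -> Dict[int, str]:
    """Per expected forward: 'missing', 'ok' (loopback only) or 'exposed'.
    A port bound on loopback and also on a wildcard or interface address is
    still 'exposed', because the second socket is reachable from the network."""
    sockets = listening_sockets(netstat_text)
    verdict: Dict[int, str] = {}
    for port in expected_ports:
        addrs = sockets.get(port)
        if not addrs:
            verdict[port] = "missing"
        elif all(classify(a) == "loopback" for a in addrs):
            verdict[port] = "ok"
        else:
            verdict[port] = "exposed"
    return verdict


# Constructed sample in the Windows "netstat -an" layout: the two forwards
# from the SecureCRT setup above, bound to all interfaces as in Figure 7.7.
SAMPLE_WINDOWS = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1039         0.0.0.0:0              LISTENING
  TCP    10.1.1.23:1044         11.30.11.21:22         ESTABLISHED
"""

# Constructed sample in the Linux layout, with the forwards bound to loopback.
SAMPLE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:110           0.0.0.0:*               LISTEN
tcp        0      0 10.1.1.23:51122         11.30.11.21:22          ESTABLISHED
"""

if __name__ == "__main__":
    print(audit_forwards(SAMPLE_WINDOWS, [25, 110]))   # {25: 'exposed', 110: 'exposed'}
    print(audit_forwards(SAMPLE_LINUX, [25, 110]))     # {25: 'ok', 110: 'ok'}
```

With OpenSSH instead of SecureCRT, the same two forwards are ssh -N -L 127.0.0.1:25:11.30.11.22:25 -L 127.0.0.1:110:172.16.1.100:110 kusum@11.30.11.21; OpenSSH binds local forwards to loopback unless a bind address or GatewayPorts says otherwise, so the audit reports ok for both ports.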


Posted: 14/08/2014, 02:20
