Readme and configs edits

This commit is contained in:
murdrum 2020-08-01 00:51:40 +02:00
parent b2a5e62421
commit 99980260c9
5 changed files with 28 additions and 28 deletions


@ -1,4 +1,5 @@
# secure-reverse-ssh-tunnel # secure-reverse-ssh-tunnel
This project provides ready-to-use tools to configure a remote host via an ssh tunnel and a jump host. This project provides ready-to-use tools to configure a remote host via an ssh tunnel and a jump host.
@ -8,14 +9,14 @@ This project provides ready-to-use tools to configure a remote host via an ssh t
### Premise: ### Premise:
- HTE) Host you wish to expose. Currently network restricted (behind a FW or a NAT) - HTE) Host you wish to expose. Currently network restricted (behind a FW or a NAT)
- EUD) End user device such as a laptop or mobile device provided with an ssh client. - EUD) End user device such as a laptop or mobile device provided with an ssh client.
- JH) A host publicly accessible over the internet (or a network accessible to voth HTE and EUD) running Openssh server. - JH) A host publicly accessible over the internet (or a network accessible to both HTE and EUD) running Openssh server.
### Scenario: ### Scenario:
- EUD wants to access a service running on HTE, but HTE can be accessed only from within its own network. - EUD wants to access a service running on HTE, but HTE can be accessed only from within its own network.
- EUD can generate outgoing traffic to the internet or external networks. - EUD can generate outgoing traffic to the internet or external networks.
- HTE can't accept incoming connections from the internet or other networks. - HTE can't accept incoming connections from the internet or other networks.
- HTE can generate outoing traffic to the internet or external networks. - HTE can generate outgoing traffic to the internet or external networks.
- JH is accessible to both HTE and EUD and runs an Openssh server. - JH is accessible to both HTE and EUD and runs an Openssh server.
Normally, to allow communication between EUD and HTE, you would need to setup a portforward for HTE on its network's edge router. Then have EUD connect to the edge router's Public IP at the forwarded port. Normally, to allow communication between EUD and HTE, you would need to setup a portforward for HTE on its network's edge router. Then have EUD connect to the edge router's Public IP at the forwarded port.
@ -23,8 +24,8 @@ Normally, to allow communication between EUD and HTE, you would need to setup a
This might not be feasible or out of HTE's control, thus an ssh reverse tunnel can be used. This might not be feasible or out of HTE's control, thus an ssh reverse tunnel can be used.
By using a jump server we can establish a tunnel from HTE to JH and respectively a communication from EUD to JH securely, using SSH and our private keys. By using a jump server we can establish a tunnel from HTE to JH and respectively a communication from EUD to JH securely, using SSH and our private keys.
At this point EUD can access HTE's service just like any other service running on JH. At this point EUD can access HTE's service just like any other service running on JH.
The Reverse tunnel binds HTE's port to JH's network-interface:port (JumHost's localhost by default, see **GatewayPorts yes**) The Reverse tunnel binds HTE's port to JH's network-interface:port (JumpHost's localhost by default, see **[GatewayPorts](https://gitlab.com/enkht04/secure-reverse-ssh-tunnel#note)**)
Every request sent to JH binded port is going to be forarded to HTE's port. Meaning every request sent to JH's binded port is going to be forwarded HTE's port.
**In ssh cli terms:** **In ssh cli terms:**
```bash ```bash
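Review bot: the rewritten last sentence of this hunk still has two grammar slips: "binded" should be "bound" and "forwarded HTE's port" is missing "to"; suggest "Every request sent to JH's bound port is forwarded to HTE's port." Turning the bold **GatewayPorts yes** into a link to the README's #note anchor is the right move, since that section is where the loopback default and the firewall caveat are explained.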
@ -34,7 +35,7 @@ Every request sent to JH binded port is going to be forarded to HTE's port.
--- ---
## Support us ## Support us
Whether you use this project, have learned something from it, or just like it, please consider supporting it by donate, so we can dedicate more time on open-source projects like this :) Whether you use this project, have learned something from it, or simply like it, please consider supporting it by donation, so we can spend more time on open-source projects like this :)
<a href="https://it.liberapay.com/Unitoo/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a> <a href="https://it.liberapay.com/Unitoo/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a>
@ -43,7 +44,7 @@ Whether you use this project, have learned something from it, or just like it, p
## Components ## Components
- setup-remote-host.sh: This script must be run as root after setup step - setup-remote-host.sh: This script must be run as root after setup step
- authorized_keys: should contains the ssh pubkey for HTE - authorized_keys: should contains the ssh pubkey for JH
- config: example host configuration for "EUD" computer - config: example host configuration for "EUD" computer
- secure-tunnel@.service: SystemD ready to use example service - secure-tunnel@.service: SystemD ready to use example service
- targets/* : contains multiple targets that need to be used as jump servers - targets/* : contains multiple targets that need to be used as jump servers
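Review bot: "authorized_keys: should contains the ssh pubkey for JH" is off grammatically ("should contain") and, more importantly, still ambiguous about which key it means. setup-remote-host.sh appends this file to the HTE user's ~/.ssh/authorized_keys (`cat authorized_keys >> "${homedir}/.ssh/authorized_keys"` in that script), so it must hold the public half of the key the EUD presents on the HostToExpose hop in `config` (the IdentityFile under Host HostToExpose); the jump host never authenticates to HTE itself, its `ssh -W` ProxyCommand only relays the TCP stream. Suggest: "authorized_keys: the public key(s) allowed to log in to HTE through the tunnel (the EUD key referenced in `config`)".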
@ -87,7 +88,7 @@ To check if the tunnel is active and the dedicated port is up, ssh into your jum
netstat -tupln | grep 20001 netstat -tupln | grep 20001
``` ```
You should see your port associated to autossh process :) You should see autossh's process to your chosen port :)
### Remote port forwarding ### Remote port forwarding
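Review bot: "You should see autossh's process to your chosen port" is inaccurate: the netstat is run on the jump host, where the listening socket belongs to sshd (the README's own example a few lines further down shows `127.0.0.1:${JH_PORT} LISTEN pid/sshd`); autossh runs on HTE and never appears in JH's process list. Suggest: "You should see sshd listening on your chosen port."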
@ -101,7 +102,7 @@ would result in a bind like this:
```bash ```bash
127.0.0.1:${JH_PORT} LISTEN pid/sshd 127.0.0.1:${JH_PORT} LISTEN pid/sshd
``` ```
To expose forwarded ports over every jumphost's IP add the following to `/etc/ssh/sshd_config` To expose forwarded ports over every jumphost's IP (0.0.0.0) add the following to `/etc/ssh/sshd_config`
```bash ```bash
GatewayPorts yes GatewayPorts yes
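Review bot: "(0.0.0.0)" is narrower than what `GatewayPorts yes` actually does: sshd binds remote forwards to the wildcard address for every address family it listens on, so on a dual-stack jump host the port is also reachable over IPv6 unless AddressFamily or ListenAddress restricts it. "on all of the jump host's addresses" would be more accurate, and it makes the firewall caveat in the following Note matter even more.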
@ -109,9 +110,9 @@ GatewayPorts yes
###### Note: ###### Note:
Every forwarded port will now be publicly exposed (unless FW rules are in place.) Every forwarded port will now be publicly exposed (unless FW rules are in place.)
A better aproach would be: A better approach would be:
```bash ```bash
GatewayPorts userspecified GatewayPorts clientspecified
``` ```
The reverse tunnel above becomes; The reverse tunnel above becomes;
```bash ```bash
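Review bot: good catch on `clientspecified`; `userspecified` is not a valid GatewayPorts value, and sshd refuses to start on a config line it cannot parse, so the old text would have taken the jump host's sshd down. Worth adding one sentence after the snippet: with `clientspecified` the client must name the bind address itself (e.g. `-R 0.0.0.0:${JH_PORT}:localhost:${HTE_PORT}`), and forwards that omit it, like the ExecStart in secure-tunnel@.service, stay on loopback, which is the safe default. Also "becomes;" should end with a colon.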
@ -120,7 +121,7 @@ The reverse tunnel above becomes;
### Local port forward ### Local port forward
You could use your Jump Host even to bind to a local port a web interface of a remote host or something else with: You could use your Jump Host even to bind a local port to a web interface on a remote host or something else with:
```bash ```bash
ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}${TARGET} ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}${TARGET}
``` ```
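Review bot: the command in this hunk is missing the `@` between user and host: `${USER}${TARGET}` expands to something like `autosshjumphost`, which ssh would try to resolve as a host name. It should read `ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}@${TARGET}`, matching the ExecStart in secure-tunnel@.service. The `127.0.0.1:${JH_PORT}` target is correct precisely because the reverse forward is bound to JH's loopback by default; a sentence saying that this local forward is the alternative to enabling GatewayPorts would tie the two sections together.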

config

@ -3,9 +3,9 @@ Host jumpserver
User root User root
IdentityFile /home/<USER>/.ssh/<ID> IdentityFile /home/<USER>/.ssh/<ID>
Host remotehost Host HostToExpose
Hostname localhost Hostname localhost
User <REMOTE_USER> User <REMOTE_USER>
Port 20001 Port 20001
IdentityFile /home/<USER>/.ssh/<ID> IdentityFile /home/<USER>/.ssh/<ID>
Proxycommand ssh -W %h:%p jumpserver Proxycommand ssh -W %h:%p jumpserver
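Review bot: renaming the entry to HostToExpose reads well, but two things in the same file are worth tightening. `User root` on the jumpserver entry gives the EUD a root login on the jump host just to relay a TCP stream; `ssh -W` needs no privileges, so a dedicated unprivileged account is enough, and the jump host is the one internet-facing box in this design. Second, `Proxycommand ssh -W %h:%p jumpserver` can be replaced by `ProxyJump jumpserver` on OpenSSH 7.3 or later, which reuses the jumpserver entry and its key (ssh_config keywords are case-insensitive, so `Proxycommand` works, but the conventional spelling is `ProxyCommand`).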


@ -5,7 +5,7 @@ After=network.target
[Service] [Service]
Environment="AUTOSSH_GATETIME=0" Environment="AUTOSSH_GATETIME=0"
EnvironmentFile=/etc/default/secure-tunnel@%i EnvironmentFile=/etc/default/secure-tunnel@%i
ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:22 ${USER}@${TARGET} ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:"${HTE_PORT}" "${USER}"@"${TARGET}"
User=autossh User=autossh
Restart=on-failure Restart=on-failure
RestartSec=5s RestartSec=5s
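Review bot: `-o "ExitOnForwardFailure"` on the ExecStart line (unchanged by this hunk) is missing its value; ssh rejects a `-o` keyword without an argument ("missing argument"), so it needs to be `-o "ExitOnForwardFailure yes"`. This is the option that makes ssh exit, and autossh retry, when the remote bind fails (for example because the port is still held by a stale session), so without it the unit can sit in a running state with no working tunnel. Parameterising the HTE port through `${HTE_PORT}` is a good change; the added quotes around `"${HTE_PORT}"`, `"${USER}"` and `"${TARGET}"` are harmless but unnecessary, since systemd expands `${VAR}` inside a word without splitting, as the old line already relied on.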


@ -13,15 +13,15 @@ function check_if_running_as_root {
check_if_running_as_root check_if_running_as_root
read -p "Did you run this script on the remote host? " -n 1 -r read -p "Are you running this script on the host to expose? " -n 1 -r
echo echo
if [[ ! $REPLY =~ ^[Yy]$ ]] if [[ ! $REPLY =~ ^[Yy]$ ]]
then then
echo "Please rerun this script on HTE as root user." echo "Please re-run this script on HTE as root user."
[[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1
fi fi
read -p "Did you setup various targets and adjusted configurations as described in README?" -n 1 -r read -p "Have you setup targets and adjusted configurations as described in README?" -n 1 -r
echo echo
if [[ ! $REPLY =~ ^[Yy]$ ]] if [[ ! $REPLY =~ ^[Yy]$ ]]
then then
@ -41,10 +41,10 @@ function check_necessary_packages {
apt-get --yes install autossh apt-get --yes install autossh
elif [[ ! -z $YUM_CMD ]]; then elif [[ ! -z $YUM_CMD ]]; then
echo "OK: yum found." echo "OK: yum found."
yum install autossh yum install -y autossh
elif [[ -z $DNF_CMD ]]; then elif [[ -z $DNF_CMD ]]; then
echo "OK: yum found." echo "OK: dnf found."
dnf install autossh dnf install -y autossh
else else
echo "No valid package manager found. Exiting." echo "No valid package manager found. Exiting."
exit 1; exit 1;
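Review bot: the dnf branch is still inverted: `elif [[ -z $DNF_CMD ]]` runs `dnf install` when DNF_CMD is empty (dnf not found), while a system that does have dnf falls through to "No valid package manager found. Exiting." It should be `elif [[ ! -z $DNF_CMD ]]` (or `-n`) like the yum branch above it; this commit fixed the message and added `-y` but kept the wrong test. The `-y` additions themselves are right for an unattended install.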
@ -72,7 +72,7 @@ function adjust_ssh_folder_for {
echo "NEXT: Setup ${1} home: ${homedir}." echo "NEXT: Setup ${1} home: ${homedir}."
mkdir -p "${homedir}/.ssh" mkdir -p "${homedir}/.ssh" &&
touch -a "${homedir}/.ssh/authorized_keys" touch -a "${homedir}/.ssh/authorized_keys"
if [ ! -s authorized_keys ]; then if [ ! -s authorized_keys ]; then
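Review bot: chaining `mkdir -p ... &&` into `touch -a` drops the error silently: if mkdir fails, the script carries on to the `cat ... >>` below with no .ssh directory and only fails later with a less useful message. Suggest terminating the chain with `|| { echo "ERROR: could not create ${homedir}/.ssh"; exit 1; }`. Also, `[ ! -s authorized_keys ]` checks the repo-local file relative to the current directory, so the script only works when run from the checkout; a `cd "$(dirname "$0")"` near the top would make that explicit.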
@ -80,9 +80,8 @@ function adjust_ssh_folder_for {
fi fi
cat authorized_keys >> "${homedir}/.ssh/authorized_keys" cat authorized_keys >> "${homedir}/.ssh/authorized_keys"
echo "OK: Files and content ready." echo -e "OK: Files and content ready.\nNEXT: Setup file and folder permissions."
echo "NEXT: Setup file and folder permissions."
chown -R "$1":"$1" "${homedir}/.ssh" chown -R "$1":"$1" "${homedir}/.ssh"
chmod 700 "${homedir}/.ssh" chmod 700 "${homedir}/.ssh"
chmod 600 "${homedir}/.ssh/authorized_keys" chmod 600 "${homedir}/.ssh/authorized_keys"
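Review bot: `cat authorized_keys >> "${homedir}/.ssh/authorized_keys"` appends unconditionally, so every re-run of the script duplicates the keys in the HTE user's authorized_keys. A per-line guard keeps it idempotent, e.g. `while read -r key; do grep -qxF "$key" "${homedir}/.ssh/authorized_keys" || echo "$key" >> "${homedir}/.ssh/authorized_keys"; done < authorized_keys`. Merging the two status messages with `echo -e` is fine, and the 700/600 permissions after `chown -R` are what sshd's StrictModes expects.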
@ -97,12 +96,11 @@ function setup_systemd_service_if_available {
if [[ ! -z $SYSTEMCTL_CMD ]]; then if [[ ! -z $SYSTEMCTL_CMD ]]; then
echo "NEXT: Copy targets into /etc/default." echo "NEXT: Copy targets into /etc/default."
cp -n targets/* /etc/default/ cp -n targets/* /etc/default/ &&
echo "OK: Targets copied." echo "OK: Targets copied. \nNEXT: Setup systemd service."
echo "NEXT: Setup systemd service."
cp secure-tunnel@.service /etc/systemd/system/ cp secure-tunnel@.service /etc/systemd/system/ &&
systemctl daemon-reload systemctl daemon-reload
echo "OK: Systemd service created." echo "OK: Systemd service created."
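Review bot: the merged "Targets copied" echo lacks `-e`, so `\n` is printed literally (the equivalent merge in adjust_ssh_folder_for uses `echo -e`). More important, because `cp -n` never overwrites, an existing /etc/default/secure-tunnel@<target> from an earlier install will not receive the HTE_PORT variable this commit adds to targets/*; systemd then expands `${HTE_PORT}` in ExecStart to an empty string, the forward spec becomes `${JH_PORT}:localhost:`, and ssh rejects it. Worth a README line about re-copying targets after upgrading, or a warning when cp skips a file.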


@ -1,3 +1,4 @@
USER=autossh USER=autossh
TARGET=jumphost TARGET=jumphost
JH_PORT=20001 JH_PORT=20001
HTE_PORT=22
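Review bot: adding HTE_PORT here is what makes the unit file generic, but the file has no comments, and `USER=autossh` / `TARGET=jumphost` / `HTE_PORT=22` read like shell variables although they are consumed by systemd's EnvironmentFile. A short comment per key (HTE_PORT is the port on the host to expose that gets forwarded, 22 being its sshd and matching the previously hard-coded value; USER is the account on the jump host that autossh logs in as, distinct from the local `User=autossh` in the unit) would stop someone editing the wrong side of the tunnel.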