Readme and configs edits
23
README.md
							| @@ -1,4 +1,5 @@ | ||||
|  | ||||
|  | ||||
| # secure-reverse-ssh-tunnel | ||||
|  | ||||
| This project provides ready-to-use tools to configure a remote host via an ssh tunnel and a jump host. | ||||
| @@ -8,14 +9,14 @@ This project provides ready-to-use tools to configure a remote host via an ssh t | ||||
| ### Premise: | ||||
| - HTE) Host you wish to expose. Currently network restricted (behind a FW or a NAT) | ||||
| - EUD) End user device such as a laptop or mobile device provided with an ssh client. | ||||
| - JH) A host publicly accessible over the internet (or a network accessible to voth HTE and EUD) running Openssh server. | ||||
| - JH) A host publicly accessible over the internet (or a network accessible to both HTE and EUD) running Openssh server. | ||||
|  | ||||
| ### Scenario: | ||||
|  | ||||
| - EUD wants to access a service running on HTE, but HTE can be accessed only from within its own network. | ||||
| - EUD can generate outgoing traffic to the internet or external networks. | ||||
| - HTE can't accept incoming connections from the internet or other networks. | ||||
| - HTE can generate outoing traffic to the internet or external networks. | ||||
| - HTE can generate outgoing traffic to the internet or external networks. | ||||
| - JH is accessible to both HTE and EUD and runs an Openssh server. | ||||
|  | ||||
| Normally, to allow communication between EUD and HTE, you would need to setup a portforward for HTE on its network's edge router. Then have EUD connect to the edge router's Public IP at the forwarded port. | ||||
| @@ -23,8 +24,8 @@ Normally, to allow communication between EUD and HTE, you would need to setup a | ||||
| This might not be feasible or out of HTE's control, thus an ssh reverse tunnel can be used. | ||||
| By using a jump server we can establish a tunnel from HTE to JH and respectively a communication from EUD to JH securely, using SSH and our private keys. | ||||
| At this point EUD can access HTE's service just like any other service running on JH. | ||||
| The Reverse tunnel binds HTE's port to JH's network-interface:port (JumHost's localhost by default, see **GatewayPorts yes**) | ||||
| Every request sent to JH binded port is going to be forarded to HTE's port. | ||||
| The Reverse tunnel binds HTE's port to JH's network-interface:port (JumpHost's localhost by default, see **[GatewayPorts](https://gitlab.com/enkht04/secure-reverse-ssh-tunnel#note)**) | ||||
| Meaning every request sent to JH's binded port is going to be forwarded HTE's port. | ||||
|  | ||||
| **In ssh cli terms:** | ||||
| ```bash | ||||
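Review bot: the rewritten sentence after the GatewayPorts link still says "JH's binded port is going to be forwarded HTE's port" and drops the preposition; suggest "Every request sent to JH's bound port is forwarded to HTE's port." This is the one sentence that tells the reader the bind lands on the jump host's loopback by default, which is the safe default, so it is worth stating cleanly.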
| @@ -34,7 +35,7 @@ Every request sent to JH binded port is going to be forarded to HTE's port. | ||||
| --- | ||||
| ## Support us | ||||
|  | ||||
| Whether you use this project, have learned something from it, or just like it, please consider supporting it by donate, so we can dedicate more time on open-source projects like this :) | ||||
| Whether you use this project, have learned something from it, or simply like it, please consider supporting it by donation, so we can spend more time on open-source projects like this :) | ||||
|  | ||||
| <a href="https://it.liberapay.com/Unitoo/donate"><img alt="Donate using Liberapay" src="https://liberapay.com/assets/widgets/donate.svg"></a> | ||||
|  | ||||
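Review bot: "supporting it by donation" is still awkward; "supporting it with a donation" reads more naturally.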
| @@ -43,7 +44,7 @@ Whether you use this project, have learned something from it, or just like it, p | ||||
| ## Components | ||||
|  | ||||
| - setup-remote-host.sh: This script must be run as root after setup step | ||||
| - authorized_keys: should contains the ssh pubkey for HTE | ||||
| - authorized_keys: should contains the ssh pubkey for JH | ||||
| - config: example host configuration for "EUD" computer | ||||
| - secure-tunnel@.service: SystemD ready to use example service | ||||
| - targets/* : contains multiple targets that need to be used as jump servers | ||||
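Review bot: changing the authorized_keys description from "for HTE" to "for JH" needs a sentence saying where the file ends up: setup-remote-host.sh appends it to an account's ~/.ssh/authorized_keys on HTE, so the key it holds is one that is allowed to log in to HTE, not a key HTE uses to authenticate to JH. State whose public key belongs in it and on which host it is installed. Also "should contains" should be "should contain", and "SystemD" is spelled "systemd".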
| @@ -87,7 +88,7 @@ To check if the tunnel is active and the dedicated port is up, ssh into your jum | ||||
| netstat -tupln | grep 20001 | ||||
| ``` | ||||
|  | ||||
| You should see your port associated to autossh process :) | ||||
| You should see autossh's process to your chosen port :) | ||||
|  | ||||
| ### Remote port forwarding | ||||
|  | ||||
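Review bot: the reworded check "You should see autossh's process to your chosen port" is misleading: the netstat command is run on the jump host, where the forwarded port is bound by sshd, not by autossh (autossh only runs on HTE), and the README's own sample output further down shows `127.0.0.1:${JH_PORT}  LISTEN pid/sshd`. Suggest "You should see sshd listening on your chosen port". netstat is also deprecated on current distributions; `ss -tulpn | grep 20001` is the equivalent.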
| @@ -101,7 +102,7 @@ would result in a bind like this: | ||||
| ```bash | ||||
| 127.0.0.1:${JH_PORT}  LISTEN pid/sshd | ||||
| ``` | ||||
| To expose forwarded ports over every jumphost's IP add the following  to `/etc/ssh/sshd_config` | ||||
| To expose forwarded ports over every jumphost's IP (0.0.0.0) add the following  to `/etc/ssh/sshd_config` | ||||
|  | ||||
| ```bash | ||||
| GatewayPorts yes | ||||
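Review bot: the added "(0.0.0.0)" is only half the story: `GatewayPorts yes` binds remote forwards on the wildcard address, which on a dual-stack host also means `::`, so every port the HTE side forwards becomes reachable from anything that can reach the jump host. The sentence should say this is the exception rather than the recommended setting and point at the clientspecified configuration that follows. "every jumphost's IP" should be "all of the jump host's addresses", and there is a double space in "following  to".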
| @@ -109,9 +110,9 @@ GatewayPorts yes | ||||
| ###### Note: | ||||
| Every forwarded port will now be publicly exposed (unless FW rules are in place.) | ||||
|  | ||||
| A better aproach would be:  | ||||
| A better approach would be:  | ||||
| ```bash | ||||
| GatewayPorts userspecified | ||||
| GatewayPorts clientspecified | ||||
| ``` | ||||
| The reverse tunnel above becomes; | ||||
| ```bash | ||||
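Review bot: `clientspecified` is the right fix; `userspecified` is not an accepted value for GatewayPorts (sshd_config takes yes, no or clientspecified), so the old text described a configuration sshd would reject. With clientspecified the bind address is chosen per forward by the client, so the bind address in the HTE unit file decides what is exposed; a sentence saying so would help readers understand why this is "better". Minor: "becomes;" should end with a colon.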
| @@ -120,7 +121,7 @@ The reverse tunnel above becomes; | ||||
|  | ||||
| ### Local port forward | ||||
|  | ||||
| You could use your Jump Host even to bind to a local port  a web interface of a remote host or something else with: | ||||
| You could use your Jump Host even to bind a local port  to a web interface on a remote host or something else with: | ||||
| ```bash | ||||
| ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}${TARGET} | ||||
| ``` | ||||
|   | ||||
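Review bot: the example command in the Local port forward section, `ssh -N -L ${LOCALPORT}:127.0.0.1:${JH_PORT} ${USER}${TARGET}`, is missing the `@` between user and host and will fail to parse the destination; it should read `${USER}@${TARGET}`. The rewritten sentence also has a double space in "local port  to".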
2
config
							| @@ -3,7 +3,7 @@ Host jumpserver | ||||
|      User root | ||||
|      IdentityFile /home/<USER>/.ssh/<ID> | ||||
|  | ||||
| Host remotehost | ||||
| Host HostToExpose | ||||
|      Hostname localhost | ||||
|      User <REMOTE_USER> | ||||
|      Port 20001 | ||||
|   | ||||
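Review bot: renaming the entry to HostToExpose is fine, but with `Hostname localhost` and `Port 20001` this block only works when the ssh command is run on the jump host itself. For the EUD use case the README describes, add `ProxyJump jumpserver` to the block so a single `ssh HostToExpose` from EUD is relayed through the jump host to the forwarded port. `User root` on the jumpserver entry also means EUD logs into the jump host as root only to relay a connection; a dedicated unprivileged account is the safer example to ship.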
| @@ -5,7 +5,7 @@ After=network.target | ||||
| [Service] | ||||
| Environment="AUTOSSH_GATETIME=0" | ||||
| EnvironmentFile=/etc/default/secure-tunnel@%i | ||||
| ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:22 ${USER}@${TARGET} | ||||
| ExecStart=/usr/bin/autossh -M 0 -o "ServerAliveInterval 30" -o "ServerAliveCountMax 3" -o "ExitOnForwardFailure" -NR ${JH_PORT}:localhost:"${HTE_PORT}" "${USER}"@"${TARGET}" | ||||
| User=autossh | ||||
| Restart=on-failure | ||||
| RestartSec=5s | ||||
|   | ||||
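Review bot: `-o "ExitOnForwardFailure"` in both the old and the new ExecStart is missing its value; ssh's -o syntax is `keyword value`, so this should be `-o "ExitOnForwardFailure yes"`, otherwise the setting that makes ssh exit (and autossh retry) when the remote bind fails is not in effect. The added quotes around `${HTE_PORT}`, `${USER}` and `${TARGET}` are harmless but unnecessary: systemd does not pass ExecStart through a shell, and `${VAR}` is already substituted as a single word. Since `EnvironmentFile=/etc/default/secure-tunnel@%i` is used, the files copied from targets/ must be named secure-tunnel@<instance>; a comment in the unit saying so would save the first user some debugging.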
| @@ -13,15 +13,15 @@ function check_if_running_as_root { | ||||
|  | ||||
| check_if_running_as_root | ||||
|  | ||||
| read -p "Did you run this script on the remote host? " -n 1 -r | ||||
| read -p "Are you running this script on the host to expose? " -n 1 -r | ||||
| echo | ||||
| if [[ ! $REPLY =~ ^[Yy]$ ]] | ||||
| then | ||||
|     echo "Please rerun this script on HTE as root user." | ||||
|     echo "Please re-run this script on HTE as root user." | ||||
|     [[ "$0" = "$BASH_SOURCE" ]] && exit 1 || return 1 | ||||
| fi | ||||
|  | ||||
| read -p "Did you setup various targets and adjusted configurations as described in README?" -n 1 -r | ||||
| read -p "Have you setup targets and adjusted configurations as described in README?" -n 1 -r | ||||
| echo | ||||
| if [[ ! $REPLY =~ ^[Yy]$ ]] | ||||
| then | ||||
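Review bot: "Have you setup targets" should be "Have you set up targets" (verb form), and a trailing space before the closing quote of the second prompt would keep the typed answer off the question mark, matching the first prompt. The rewording itself is clearer than the original.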
| @@ -41,10 +41,10 @@ function check_necessary_packages { | ||||
|         apt-get --yes install autossh | ||||
|     elif [[ ! -z $YUM_CMD ]]; then | ||||
|         echo "OK: yum found." | ||||
|         yum install autossh | ||||
|         yum install -y autossh | ||||
|     elif [[ -z $DNF_CMD ]]; then | ||||
|         echo "OK: yum found." | ||||
|         dnf install autossh | ||||
|         echo "OK: dnf found." | ||||
|         dnf install -y autossh | ||||
|     else | ||||
|         echo "No valid package manager found. Exiting." | ||||
|         exit 1; | ||||
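Review bot: the dnf branch condition is inverted: `elif [[ -z $DNF_CMD ]]; then` is true when DNF_CMD is empty, i.e. when dnf is not installed, while the yum branch above correctly uses `! -z`. This hunk fixes the message and adds -y but leaves the test alone, so on a host with neither yum nor dnf the script prints "OK: dnf found." and tries to run a missing command instead of reaching the "No valid package manager found" branch. Change it to `elif [[ ! -z $DNF_CMD ]]; then` (or `-n`).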
| @@ -72,7 +72,7 @@ function adjust_ssh_folder_for { | ||||
|  | ||||
|     echo "NEXT: Setup ${1} home: ${homedir}." | ||||
|  | ||||
|     mkdir -p "${homedir}/.ssh" | ||||
|     mkdir -p "${homedir}/.ssh" && | ||||
|     touch -a "${homedir}/.ssh/authorized_keys" | ||||
|  | ||||
|     if [ ! -s authorized_keys ]; then | ||||
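Review bot: chaining `mkdir -p ... &&` onto the touch only skips the touch when mkdir fails; the function then continues and appends to a path that does not exist. Either enable `set -e` at the top of the script or handle the failure explicitly, e.g. `mkdir -p "${homedir}/.ssh" || { echo "ERROR: cannot create ${homedir}/.ssh"; exit 1; }`. Also `[ ! -s authorized_keys ]` and the later cat use a relative path, so the script only works when run from the repository directory; resolving it against `$(dirname "$0")` avoids surprises when it is invoked from elsewhere.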
| @@ -80,8 +80,7 @@ function adjust_ssh_folder_for { | ||||
|     fi | ||||
|     cat authorized_keys >> "${homedir}/.ssh/authorized_keys" | ||||
|  | ||||
|     echo "OK: Files and content ready." | ||||
|     echo "NEXT: Setup file and folder permissions." | ||||
|     echo -e "OK: Files and content ready.\nNEXT: Setup file and folder permissions." | ||||
|      | ||||
|     chown -R "$1":"$1" "${homedir}/.ssh" | ||||
|     chmod 700 "${homedir}/.ssh" | ||||
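Review bot: `cat authorized_keys >> "${homedir}/.ssh/authorized_keys"` appends unconditionally, so every re-run of the script duplicates the key entries; a guard such as `grep -qxFf authorized_keys "${homedir}/.ssh/authorized_keys" || cat authorized_keys >> ...` keeps the file idempotent. The `chmod 700` on .ssh is right; make sure the lines that follow also set authorized_keys to 600, since sshd's StrictModes (on by default) refuses a key file that is writable by others. The merged `echo -e` is fine under bash; just note it is the only place the script relies on -e.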
| @@ -97,12 +96,11 @@ function setup_systemd_service_if_available { | ||||
|     if [[ ! -z $SYSTEMCTL_CMD ]]; then | ||||
|         echo "NEXT: Copy targets into /etc/default." | ||||
|  | ||||
|         cp -n targets/* /etc/default/ | ||||
|         cp -n targets/* /etc/default/ && | ||||
|  | ||||
|         echo "OK: Targets copied." | ||||
|         echo "NEXT: Setup systemd service." | ||||
|         echo "OK: Targets copied. \nNEXT: Setup systemd service." | ||||
|  | ||||
|         cp secure-tunnel@.service /etc/systemd/system/ | ||||
|         cp secure-tunnel@.service /etc/systemd/system/ && | ||||
|         systemctl daemon-reload | ||||
|  | ||||
|         echo "OK: Systemd service created." | ||||
|   | ||||
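Review bot: the merged message `echo "OK: Targets copied. \nNEXT: Setup systemd service."` has no `-e`, so it prints the literal characters `\n` (unlike the `echo -e` used in adjust_ssh_folder_for); add -e or keep the two echo calls. The `&&` chains here have the same weakness as in the previous hunk: if `cp -n targets/*` or the service copy fails, the following step is silently skipped and the function still ends with "OK: Systemd service created." Check each result and exit with a message instead of relying on the chain.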
| @@ -1,3 +1,4 @@ | ||||
| USER=autossh | ||||
| TARGET=jumphost | ||||
| JH_PORT=20001 | ||||
| HTE_PORT=22 | ||||
|   | ||||
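Review bot: `HTE_PORT=22` makes the default forwarded service the SSH daemon of the host to expose, which matches the README scenario, but the file should carry a comment saying so, and noting that with GatewayPorts clientspecified and no bind address in the unit's `-R` option the port is reachable only through the jump host's loopback. `TARGET=jumphost` also has to resolve for the autossh user on HTE (DNS, /etc/hosts, or a Host entry in that user's ssh config); the config example in this commit only covers the EUD side.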