Slashdot Mirror


SSH Connections Thru The Firewall?

iamsure asks: "At my workplace, we have stringent rules on our firewall that filter out particular protocols (telnet/ssh being the one that is difficult for me). I actually work on the Security team, and as such, support such rules, as it helps reduce the number of incidents. However, I would very much like to access my machines from the outside via ssh, without making exceptions on the firewalls. After having tried http-tunnel (whose dual websites have gone offline, same for their server), and after having tried redirection of ports (the firewalls block the protocol, NOT the port), I am rather stumped. How does the rest of the Slashdot-reading public get through their firewalls? There does seem to be a decent project underway at SocksViaHTTP; however, I was wondering if there are any other projects?"

3 of 35 comments

  1. A couple of suggestions by jfunk · Score: 4

    Where I work, SSH is the only connection to our development LAN we can have from the outside. I routinely tunnel connections through SSH, for accessing my ZWiki, and for getting/sending mail. If you're going to work from home (they pay for our cable modems), it *has* to be over SSH. If you need something out in the field, SSH is the only way.

    I can, however, see where you are coming from. So I have a pair of suggestions:

    1. Webmin. This is the only remote admin tool I like. Everything else just sucks and breaks when I manually edit files. You can easily set it up to use SSL, too. If your firewall allows that kind of traffic (likely), you can use that. It has the added bonus of limiting access to parts of the system so that certain users can run specified commands, while superusers can create and run those commands. If you need to up/download files, it does that, too. Don't even try to use the telnet, however. Limit your access to the commands page.

    2. Obviously, you are a superuser. You don't want regular users to remotely access your internal systems while you have to. That's fine. Simply let yourself do it, while blocking the regular users. There are two ways I can think of for doing this:
       a. Set up a box with an SSH port open that only you (and whoever else should have access) have an account on. Make that an intermediate box, which you ssh into, then ssh to the server you're trying to get to.
       b. If your firewall supports "trusted hosts" (likely, if it can filter by content) and your home system has a static address, allow ssh only from your address.

    If you can't do either of these, then forget it and don't bother giving away the free overtime :-)

  2. proxy by AliasTheRoot · Score: 4

    Why not stick a box in the DMZ purely for this kind of requirement? Then allow users with legitimate business reasons for using SSH to have accounts on it.

    Not all that different from an application level proxy really.

  3. Simple - tunnel via https by logicTrAp · Score: 5

    Funny, I've just been talking to a few people about how silly fascist net admins prohibiting anything but http just causes everything to speak http...

    Web proxies, due to mutual authentication concerns, generally give you a *straight* TCP connection when you go to connect via https. Therefore all you have to do is get ssh to walk the proxy. As it turns out, this is pretty easy and I've written a tool (http://www.snurgle.org/~griffon/ssh-https-tunnel) to do just that. The one catch is that most web proxies will only let you connect via https to port 443 on the remote machine, so you need to be able to run sshd on that port.

    The tool is written in perl. It probably wouldn't be a horrible idea to rewrite it in C, but this one works pretty well, is easy to tweak, and seems fast enough.
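The exchange logicTrAp's comment relies on is the HTTP CONNECT method: the client asks the proxy for a raw TCP connection to host:443, the proxy answers with a 200 status line, and from then on the proxy relays bytes without looking at them, so an sshd listening on 443 is reachable even though the firewall passes "only https". The block below is an added illustration of that handshake, not the snurgle.org tool or any code from the thread. Everything in it is constructed for the demo: the hostname ssh.example.net, a stand-in proxy that grants CONNECT only to the one target on port 443 (the "one catch" in the comment), and a stand-in sshd that just sends an identification banner. Both stand-ins run on loopback so the script works offline.

```python
"""HTTP CONNECT tunnel walk-through (added example; the proxy and sshd are constructed stand-ins)."""
import socket
import threading

SSH_BANNER = b"SSH-2.0-OpenSSH_example\r\n"  # constructed: a real sshd sends its ID line first


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request in authority form; HTTP/1.1 requires the Host header."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode("ascii")


def parse_connect_response(data: bytes):
    """Return (status_code, leftover). Leftover is whatever followed the header block:
    sshd speaks first, so its banner can arrive in the same read as the proxy's 200."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response header")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {head[:40]!r}")
    return int(parts[1]), rest


def _read_until_blank_line(sock):
    """Read until the end of an HTTP header block; None if the peer hung up first."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            return None
        buf += chunk
    return buf


def _pipe(src, dst):
    """Copy bytes one way; on EOF, half-close the destination so the other direction can finish."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def fake_sshd(listener):
    """Constructed sshd: send the banner, then wait for the client to hang up."""
    try:
        conn, _ = listener.accept()
        with conn:
            conn.sendall(SSH_BANNER)
            while conn.recv(4096):
                pass
    except OSError:
        pass


def fake_proxy(listener, routes):
    """Constructed web proxy: CONNECT is allowed only to targets in `routes` (here just :443),
    after which bytes are relayed blindly, which is what makes the tunnel protocol-agnostic."""
    conn, _ = listener.accept()
    req = _read_until_blank_line(conn)
    parts = req.split(b"\r\n", 1)[0].split(b" ") if req else []
    target = parts[1] if len(parts) >= 2 and parts[0] == b"CONNECT" else None
    if target not in routes:
        conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        conn.close()
        return
    upstream = socket.create_connection(routes[target])
    conn.sendall(b"HTTP/1.1 200 Connection established\r\n\r\n")
    pipes = [threading.Thread(target=_pipe, args=(conn, upstream), daemon=True),
             threading.Thread(target=_pipe, args=(upstream, conn), daemon=True)]
    for p in pipes:
        p.start()
    for p in pipes:
        p.join()
    conn.close()
    upstream.close()


def ssh_via_proxy(proxy_addr, host, port=443, timeout=5.0):
    """Open a TCP path to host:port through the proxy and return the far end's first line.
    A real tool would hand the socket to ssh at this point instead of reading the banner."""
    with socket.create_connection(proxy_addr, timeout=timeout) as sock:
        sock.sendall(build_connect_request(host, port))
        buf = _read_until_blank_line(sock)
        if buf is None:
            raise ConnectionError("proxy closed the connection before answering CONNECT")
        status, leftover = parse_connect_response(buf)
        if status != 200:
            raise PermissionError(f"proxy refused CONNECT to {host}:{port} (HTTP {status})")
        while b"\n" not in leftover:  # collect the sshd identification line
            chunk = sock.recv(4096)
            if not chunk:
                break
            leftover += chunk
        return leftover.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")


def demo(target_port=443):
    """Run both stand-ins on loopback and try to reach ssh.example.net:target_port through the proxy."""
    sshd, proxy = socket.socket(), socket.socket()
    sshd.bind(("127.0.0.1", 0)); sshd.listen(1)
    proxy.bind(("127.0.0.1", 0)); proxy.listen(1)
    routes = {b"ssh.example.net:443": sshd.getsockname()}  # constructed: only 443 is reachable
    threading.Thread(target=fake_sshd, args=(sshd,), daemon=True).start()
    threading.Thread(target=fake_proxy, args=(proxy, routes), daemon=True).start()
    try:
        return ssh_via_proxy(proxy.getsockname(), "ssh.example.net", target_port)
    except PermissionError as exc:
        return str(exc)
    finally:
        sshd.close()
        proxy.close()


if __name__ == "__main__":
    print("sshd on 443:", demo(443))  # banner comes back through the proxy
    print("sshd on 22: ", demo(22))   # proxy refuses CONNECT, as the comment warns
```

Running the script shows the two outcomes the comment describes: with sshd on 443 the SSH banner arrives through the proxy untouched, and with sshd on its usual port 22 the proxy answers 403 and the tunnel never opens. OpenSSH's ProxyCommand option is the usual way to plug a CONNECT-speaking helper into ssh itself; the block only shows the exchange that helper has to perform.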