SSH Tunnel Setup and Configuration Guide: Page 3



Posted January 26, 2009

Peter Shaw

(Page 3 of 3)

Why did I not add 1000 to Apache and webmin?

Well, first off, webmin's port is sufficiently high to be well out of the way of any running Windows services. For Apache, however, it makes sense to put it on 80, because it then looks like your development web server is local to your client machine, and it makes setting up the proxy really easy.

Still in the Tunnels section, in the Destination box add a localhost:port entry for each of your services. For this article that means SMTP = localhost:25, POP = localhost:110, Squid = localhost:8080, Apache = localhost:80, webmin = localhost:10000. Once an entry is typed in, click the Add button to save it. Continue doing this until you've added all the ports you need.

A good point to note is that you don't have to use localhost. You can use the fully qualified domain name (FQDN) of any machine that's reachable from the SSH server you're connecting to. Technically, this means you could run your email off one server, your web development off another and your proxy access on a third, and then just replace the destinations with 'another.remote.machine:port'. Bear in mind that only the leg between your PC and the SSH server is encrypted; from the SSH server on to another machine, the traffic travels as the service normally sends it.

As an example, on my setup in the Middle East I also had a remote VNC tunnel set up to my wife's PC so that if she ran into difficulties with anything, I could log in and sort it out. The possibilities are endless.

Once you finish adding your ports, go back to the session config entry at the very top of the config list, and click save again. If all has gone according to plan at this point, then you should now be ready to hit the open button and test it.

Once you hit the open button, you should hopefully get a terminal screen asking you to log in. If not, then the first thing to check is that you're connecting to the correct host, with the correct port and SSH protocol. The second thing to check would be your port forward settings, and third, the aforementioned firewall outbound scenario.

All being well, enter your Linux username and password to log in.

If your tunnels are set correctly, then as long as that account remains logged in and connected, all your source ports that you specified on your local machine should point to the destination ports on your server for the lifetime that PuTTY remains open and connected.

You can now proceed to set up your mail client to point to the appropriate local POP and SMTP ports. You can also set your PC's proxy settings to point to the local Squid port, but bypass the proxy for local addresses so that localhost goes to Apache and webmin.
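A quick way to confirm that each forward is live and lands on the service you intended, before pointing real clients at it. This is an added example, not code from the original article; the function names are hypothetical, and the local source ports 1025, 1110 and 9080 are assumptions (destination port plus 1000), so adjust them to match your own PuTTY profile.

```python
import socket

HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"

# local source port -> (service, bytes to send first, expected reply prefix)
# 1025/1110/9080 are ASSUMED source ports (destination + 1000); adjust to your profile.
TUNNELS = {
    1025: ("SMTP", None, b"220"),
    1110: ("POP", None, b"+OK"),
    9080: ("Squid", HTTP_PROBE, b"HTTP/"),
    80: ("Apache", HTTP_PROBE, b"HTTP/"),
    10000: ("webmin", None, None),  # may be HTTPS, so only test that the port listens
}


def check_tunnel(port, probe=None, expect=None, host="127.0.0.1", timeout=3.0):
    """Return 'closed', 'listening', 'no-reply', 'wrong-service' or 'ok'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"  # nothing bound locally: session down or forward missing
    with sock:
        if expect is None:
            return "listening"
        try:
            if probe:
                sock.sendall(probe)
            reply = sock.recv(128)
        except OSError:  # timeout or connection reset
            return "no-reply"
        if not reply:
            return "no-reply"  # PuTTY accepted, but the destination did not answer
        return "ok" if reply.startswith(expect) else "wrong-service"


def check_all(tunnels=TUNNELS):
    """Check every forward; returns {port: (service, status)}."""
    return {port: (name, check_tunnel(port, probe, expect))
            for port, (name, probe, expect) in tunnels.items()}


if __name__ == "__main__":
    for port, (name, status) in sorted(check_all().items()):
        print(f"localhost:{port:<6} {name:<7} {status}")
```

A result of "no-reply" usually means the local listener exists but the destination entry is wrong or the service is down on the far side; "wrong-service" means the forward works but points at a different port than you meant.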

Endless Possibilities

SSH tunnels are a very powerful tool in the right hands and can be used for a great many things. To give you some ideas, I’ve used them for secure VoIP connections, remote monitoring of security cameras, Windows for Workgroups/Samba access and all manner of strange socket-based connections. It's even possible to point a tunnel to a tunnel to a tunnel, or tunnel hidden traffic inside a local network from one PC to another.

The possibilities are endless.

Some other ideas of possible interest involve using the command-line utilities such as puttytel, plink and others available on the website. You could set up a shared key system, then use plink, for example, in a batch file to load and open a tunnel profile and automatically log in. This batch file could then be added to the startup group on your laptop, so that every time you switched your laptop on and were connected to the internet, your tunneled services would be automatically available.

I hope this article is of some interest to those who are dabbling with SSH, and once you've used the power SSH can provide, you'll pretty much want to use it for everything.

Happy tunneling!
