
How to use SSH skillfully to break through firewall

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Preface

As we all know, a company places a firewall between its internal and external networks, and that firewall protects the security of the enterprise network. Protocols such as telnet, which transmits in plaintext, or ICMP, which is not very secure, carry data that is extremely insecure, so they are explicitly prohibited in the firewall rules. Sometimes, however, business needs require us to carry telnet-like traffic between the external and internal networks, and we do not have the authority to ask the relevant departments to modify firewall policy at will. In that situation, the SSH protocol can help you get through the firewall and complete the data transfer.

How SSH works

SSH automatically encrypts and decrypts all network data between SSH clients and servers. SSH can also forward the network data of other TCP ports over the SSH link, automatically providing the corresponding encryption and decryption. This is called "tunneling", because SSH provides a secure channel for other TCP connections to travel through. TCP applications such as Telnet, SMTP and LDAP benefit from it, because user names, passwords and private information are no longer transmitted in clear text. Likewise, if the firewall in your work environment restricts some network ports but allows SSH connections, you can communicate by forwarding those TCP ports over SSH.

SSH local forwarding

1. Application scenarios

Suppose an employee is away on a business trip and urgently needs to connect to the company's intranet to transfer some data. We do not have the authority to open the company's firewall, so we use SSH local forwarding to get through the firewall over SSH and communicate with the company's intranet.

2. Schematic diagram

Illustration: Host A uses Host B as a springboard. It first opens a "tunnel" between itself and the local area network over the SSH protocol; Host B then acts as the telnet client and establishes a telnet connection with Host C, which carries the telnet traffic between Host A and the target host, Host C. On the outside, the SSH protocol "escorts" this telnet traffic, so we no longer have to worry about our data being intercepted.

3. Implement ssh local forwarding

1) preparation phase

Prepare 3 virtual machines, either the CentOS series or the RHEL series. For the experiment to succeed, we manually turn off the firewall (iptables -F) and SELinux (setenforce 0). Of course, this is only for the experiment and is not allowed in a production environment. Then make sure that Host C has the telnet server service and that Host B has the SSH server. Use rpm -q to see whether a service is installed.

2) establish a connection

First, test whether Host A can establish a telnet connection to Host C; if it can, add a firewall rule on Host C that blocks access from Host A (iptables -A INPUT -s HostA_ip -j REJECT).

Then establish the SSH tunnel to get through the firewall and into the LAN.

In the figure above, the tunnel is established with the command ssh -L. 4000 is a local port that we choose arbitrarily; make sure it is not used by any service. 172.18.253.159 is the address of the target host (Host C); 23 is the service port on the target host to connect to: telnet is 23, while SMTP listens on 25. -N means that no remote shell is opened and the connection just waits, and -f puts ssh in the background. 172.18.18.13 is the address of the "springboard", in this case the IP address of Host B.

In the above example, we used ss -tn and saw that the connection we actually established is not to the target host but to Host B, which means that the tunnel is up. Second, we checked the connections on Host C and found that no host had established a connection with it.

Finally, carry the telnet traffic. On Host A, use telnet to connect through Host B; the following figure shows that the telnet link has been established. Then, on the target host Host C, check with ss -tn: you will find that its telnet connection is not with Host A but with the "springboard" Host B.

After establishing the telnet connection, let's look at the connections on Host A with ss -tn.

After receiving the telnet traffic from Host A, Host B acts as a telnet client and connects to the telnet server on Host C. At this point, local forwarding based on SSH is implemented.
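
Whether Host B accepts this kind of tunnel is decided by its sshd forwarding settings. The check below is an added example, not part of the original article: it reads the text printed by `sshd -T` and lists the settings that allow forwarding; the sample excerpt is constructed.

```shell
#!/bin/sh
# Added example: list the sshd settings that let a client use this host as
# a forwarding "springboard". Input is the text printed by `sshd -T`.

audit_forwarding() {
    # stdin: `sshd -T` output (lowercase keyword, then value)
    while read -r af_key af_val; do
        case "$af_key=$af_val" in
            allowtcpforwarding=yes|allowtcpforwarding=all)
                echo "allowtcpforwarding=$af_val: local and remote forwarding accepted" ;;
            allowtcpforwarding=local)
                echo "allowtcpforwarding=local: local (ssh -L) forwarding accepted" ;;
            allowtcpforwarding=remote)
                echo "allowtcpforwarding=remote: remote (ssh -R) forwarding accepted" ;;
            gatewayports=yes|gatewayports=clientspecified)
                echo "gatewayports=$af_val: ssh -R listeners may bind non-loopback addresses" ;;
            permitopen=any)
                echo "permitopen=any: forwarded connections may target any host:port" ;;
        esac
    done
}

# Constructed excerpt of `sshd -T` output with default-style settings.
audit_forwarding <<'EOF'
port 22
allowtcpforwarding yes
gatewayports no
permitopen any
EOF
# Restrictive counterpart in sshd_config: "AllowTcpForwarding no", or
# "PermitOpen host:port" to pin the destinations that may be reached.
```

On a real host, run it as `sshd -T | audit_forwarding` with root privileges.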

SSH port forwarding

1. Application scenarios

The scenario for SSH port forwarding is generally this: we want to access some external sites from inside the enterprise, but the firewall blocks the port used to reach them, such as port 80 of the httpd service, so we cannot access external websites. In that case, we can use SSH port forwarding to access external sites.

2. Schematic diagram

In the figure above, Host A cannot access the Host C site because of the firewall, so we find an external host, Host B, and use it as a proxy server. Host A gets through the firewall over the SSH protocol to reach the proxy server. The proxy server sends Host A's request to the Host C server, obtains the corresponding information (for example, a web page), and sends it back to the client, Host A.

3. Examples

1) preparation phase

Prepare three hosts, Host A, Host B and Host C, with Host A as the client, Host C as the server, and Host B as the proxy server. The experiment requires turning off the firewall on Host B and SELinux on all hosts.

2) implementation of the scheme

To simulate a firewall, we set firewall rules on Host C to reject any request from Host A:

Try to fetch Host C's web page from Host A:

[root@vinsent ~]# curl http://172.18.18.13
curl: (7) Failed connect to 172.18.252.50:80; Connection refused   # rejected
[root@vinsent ~]#

Then establish an SSH connection on Host A.

At this point you still cannot get access from Host A; we need to do proxy configuration on Host B so that the data can be forwarded.

[root@vinsent ~]# curl --socks5 127.0.0.1
I love linux...   # successfully fetched the web page

SSH remote forwarding

1. Schematic diagram

The principle is roughly the same as SSH local forwarding, so we will not show the experimental process here. What changes is the roles of the SSH server and client: within an enterprise, access to a given port from inside to outside is not restricted by the firewall, but access from outside to inside is very difficult. With SSH remote forwarding, a host inside the local area network acts as the SSH client and establishes a connection to a host outside the LAN, which opens a channel between outside and inside. Some people may wonder at this point: isn't the traffic still coming in? In fact, the firewall remembers connections, so traffic that comes back over a channel opened from the inside is not restricted.

2. Data process

First, Host B acts as the SSH client and connects to the external host, Host A (which acts as the SSH server), to establish the tunnel. Host A then acts as a telnet client and sends telnet traffic to Host B. After receiving the data from Host A, Host B decapsulates it and then acts as a telnet client to establish a connection with Host C, so that the data is transferred safely to the target host.

3. Implement the command

Execute on Host B: ssh -R 9527:ip_HostC:23 -Nf ip_HostA to establish the tunnel; port 9527 is opened on Host A

Execute on Host A: telnet 127.0.0.1 9527
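
The ssh -L options explained in the local forwarding section and the ssh -R command above share one argument layout. The script below is an added example, not code from the original article: it decodes that layout from command lines such as the rows of `ps -eo args`, reporting which side opens the listener. The third sample row and its address are constructed.

```shell
#!/bin/sh
# Added example: decode ssh -L / -R / -D options from a command line,
# e.g. one row of `ps -eo args`. POSIX sh; IPv4 addresses and hostnames only.

describe_forward() {
    # $1 = L, R or D; $2 = [bind_address:]port[:host:hostport]
    case "$1" in
        L) df_kind=local   df_side=client df_dest=unparsed ;;  # ssh client listens
        R) df_kind=remote  df_side=server df_dest=unparsed ;;  # sshd host listens
        D) df_kind=dynamic df_side=client df_dest=socks ;;     # SOCKS on the client
    esac
    df_listen=$2
    case "$1$2" in
        [LR]*:*:*)                        # a fixed destination is present
            df_rest=${2%:*}               # drop ":hostport"
            df_dest=${df_rest##*:}:${2##*:}
            df_listen=${df_rest%:*} ;;    # what is left is [bind_address:]port
    esac
    echo "$df_kind listener=$df_side listen=$df_listen dest=$df_dest"
}

decode_forward() {
    # $1 = one command line; prints one line per forwarding option found
    set -f; set -- $1; set +f             # split into words without globbing
    while [ "$#" -gt 0 ]; do
        mode='' spec=''
        case "$1" in
            -L|-R|-D)       mode=${1#-}; spec=${2:-}; [ "$#" -gt 1 ] && shift ;;
            -L?*|-R?*|-D?*) spec=${1#-?}; mode=${1%"$spec"}; mode=${mode#-} ;;
        esac
        [ -n "$mode" ] && [ -n "$spec" ] && describe_forward "$mode" "$spec"
        shift
    done
}

# Constructed process rows; the first two reuse the article's values.
while IFS= read -r row; do
    decode_forward "$row"
done <<'EOF'
ssh -L 4000:172.18.253.159:23 -Nf 172.18.18.13
ssh -R 9527:ip_HostC:23 -Nf ip_HostA
ssh -Nf -D1080 192.0.2.10
EOF
```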

Summary

This article introduced in detail the "ingenious" methods of getting through a firewall with SSH, including SSH port forwarding, local forwarding and remote forwarding, each of which has its own usage scenarios. The article also has many shortcomings: many places are not detailed enough, and the SSH port forwarding and local forwarding experiments have more principle than experimental steps; please forgive me. Welcome to read ~ ~
