$ ssh -L 50000:localhost:40001

It should also be noted that the -L option is what sets up the local socket. The service that needs to use the tunnel can now make connections to the local socket (on port 50000). There is a corresponding -R option to set up sockets on the remote host as well. The concepts are the same; which one is relevant depends on your access to the system. You will know the tunnel works by using netstat and filtering for port 50000 on the side that created the tunnel:

While tunnels can be useful, as evidenced by how Aspera uses them, it should be apparent that they also pose security problems. By providing a channel that can effectively bypass normal firewall protections, it is easy for an unscrupulous user to set up back-channels that are not monitored. Another thing to note: while the examples shown use localhost, tunnels can also be bound to public interfaces, providing another avenue of abuse.

SSH tunneling can open up your system to many security problems if some thought and sane defaults are not put in place. Namely, the sshd configuration (controlled by /etc/ssh/sshd_config) should employ a "default deny" stance for allowing SSH tunnels.
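As an added example that is not part of the original post, here is a small Python audit that reads an sshd_config and reports which forwarding keywords still fall short of that default-deny stance, taking sshd's built-in defaults and its first-value-wins rule into account. The two sample configurations and the `transfer` service account are constructed for illustration.

```python
import re

# keyword -> (sshd's built-in default, the value that means "default deny");
# the first value given for a keyword in sshd_config wins, unset falls back to the default.
TUNNEL_KEYWORDS = {"allowtcpforwarding": ("yes", "no"), "gatewayports": ("no", "no"),
                   "permittunnel": ("no", "no"), "permitopen": ("any", "none")}

def parse_global_section(text):
    """Map keyword -> first value for the part of sshd_config before any Match block."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break  # later lines apply only to matching users/hosts; audit them separately
        if len(parts) == 2 and key not in settings:
            settings[key] = parts[1].strip().lower()
    return settings

def audit_sshd_config(text):
    """Return a list of findings; an empty list means tunnels are denied by default."""
    settings = parse_global_section(text)
    effective = {k: settings.get(k, default) for k, (default, _) in TUNNEL_KEYWORDS.items()}
    findings = []
    for key, (_, want) in TUNNEL_KEYWORDS.items():
        if key == "permitopen" and effective["allowtcpforwarding"] == "no":
            continue  # destinations are moot once forwarding itself is off
        if effective[key] != want:
            findings.append(f"{key} is '{effective[key]}', want '{want}'")
    return findings

# Constructed sample: forwarding left on, and remote sockets may bind public interfaces.
WEAK_CONFIG = """\
AllowTcpForwarding yes
GatewayPorts clientspecified
"""

# Constructed sample: default deny globally, one destination re-enabled for a hypothetical account.
HARDENED_CONFIG = """\
AllowTcpForwarding no
GatewayPorts no
PermitTunnel no
PermitOpen none
Match User transfer
    AllowTcpForwarding local
    PermitOpen localhost:40001
"""
```

Running `audit_sshd_config(WEAK_CONFIG)` reports three findings (forwarding on, public binds allowed, any destination permitted), while the hardened sample reports none; the Match block is deliberately left out of the global verdict because it only widens access for the named account.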