Solved I can't go ssh through the forwarded port

I have a port forwarded from the server to a local network computer using rinetd (server-ip 40013 10.44.5.11 3389), forwarding from port 40013 of the server to port 3389 of the local computer. Using the RDP client (like remmina etc.) I can get to the local computer, but using the SSH client (like Putty, Thermius, etc.) I can't. Using ssh I can go only to the server port that is defined in sshd.conf
 
If you used a different port (2222 for example) to forward to dest:22 you will need to tell the SSH client to connect to the different port. By default it will connect to port 22.
Code:
     -p port
             Port to connect to on the remote host.  This can be specified on
             a per-host basis in the configuration file.
ssh(1)

Same with PuTTY, next to the "Hostname (or IP address)" input box, there's a box to input the port (which defaults to 22 for SSH).
 
I need to access a computer on a local network via ssh from the Internet.
In PuTTY I assigned the server IP and port 40013, which is forwarded to port 3389 of the local computer. Doesn't work. I think because sshd connects only to the port that is assigned in its config
 
There is a standard port number usage defined by the RFC 1340.
But the port itself does not define the protocol that will be used on it. The fact that port 40013 is being forwarded to 3389 on the local computer means that any connection made to this port on the server will be forwarded to port 3389 on the local machine. However, this does not transform the service on the other end into something that SSH can understand.

RDP (Remote Desktop Protocol) and SSH (Secure Shell) are completely different protocols.
rinetd only forwards connections without modifying the protocol. So, if you connect an RDP client to port 40013, it works because the other end is running an RDP server.
However, if you try to access this port using an SSH client, the server on the other end (running RDP) won't know how to interpret the connection because it is not an SSH server.
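The point made above (a TCP forward carries bytes unchanged, so what answers on the forwarded port is whatever really listens behind it) can be checked without any client software, because an SSH server announces itself with a version string such as "SSH-2.0-..." as soon as the TCP connection is up (RFC 4253, section 4.2), whereas an RDP server stays silent until the client speaks first. The following is an added example and not code from the thread: two constructed stand-in listeners on 127.0.0.1 (one that sends an SSH-style banner, one that sends nothing) and a probe that connects, sends nothing, and reports what the service volunteers. The banner text "SSH-2.0-example" is made up for the test.

```python
import socket
import threading


def _serve_once(sock, banner):
    """Accept one connection, optionally send a banner, then wait for the client to hang up."""
    conn, _ = sock.accept()
    with conn:
        if banner:
            conn.sendall(banner)
        try:
            conn.recv(1)  # returns b'' once the client closes
        except OSError:
            pass
    sock.close()


def start_fake_server(banner):
    """Constructed stand-in service on an ephemeral loopback port; returns the port.

    banner=b'' models a service like RDP that does not speak until the client does.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    threading.Thread(target=_serve_once, args=(sock, banner), daemon=True).start()
    return sock.getsockname()[1]


def peek_banner(host, port, timeout=1.0):
    """Connect, send nothing, and return whatever the server sends first (b'' if silent).

    A refused connection raises ConnectionRefusedError, i.e. nothing is listening
    behind the forward at all, which is a different diagnosis from a silent service.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def classify(banner):
    """Map the first bytes to a coarse label: the forward can reach a service, but only
    a banner starting with 'SSH-' means an SSH server is actually on the other end."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner == b"":
        return "silent"  # RDP-like: waits for the client's first message
    return "other"


if __name__ == "__main__":
    ssh_port = start_fake_server(b"SSH-2.0-example\r\n")
    rdp_port = start_fake_server(b"")
    for name, port in (("ssh-like", ssh_port), ("rdp-like", rdp_port)):
        print(name, port, classify(peek_banner("127.0.0.1", port)))
```

Against a real forward the same check is `nc -v server-ip 40013` and waiting a second: an SSH banner appears by itself, while a port that is forwarded to an RDP service shows nothing until you type.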
 
Why don't you simply redirect the port using a firewall?

With PF it'll be something like:
Code:
rdr on $ext_if proto tcp from any to any port 2222 -> 1.2.3.4 port 22
That will forward external connections to port 2222 to an internal host (1.2.3.4) port 22.
 
Yes, I know that these are different protocols. I gave an example with RDP to show that the required port and forwarding are actually working. I need to access a local network computer via NAT using ssh from the Internet. :) For example, a user is sitting at home and needs to go through the remote server via ssh to a computer of LAN to work with the application package Gamess there.
 
I use IPFW
 
Similar solution, just a different syntax.

 
with ssh you don't need port forwarding, just use the router as a jumphost:
ssh -J <user>@<hostname/ip of the publicly accessible system> <user>@<local hostname/ip of the client you want to access>

you can also define a jumphost for your whole local network in ~/.ssh/config, e.g.:
Code:
Host *.localdomain.lan 192.168.0.*
    proxyjump=<user>@<public IP/hostname of your router>
 
ssh -J pal@server_ip:11954 pal@10.44.5.11:11954

channel 0: open failed: connect failed: Name does not resolve
stdio forwarding failed
Connection closed by UNKNOWN port 65535
 

your destination syntax is wrong.
user@host:port only works for the jumphost specified via -J, but the port of the destination host has to be either specified via -p or you have to give a full URI in the form of ssh://user@host:port. It's usually best to use the same notation for all hosts, so if you have to specify a port, use the URI form for all hosts. (see the second paragraph of the DESCRIPTION in ssh(1))
i.e.: ssh -J ssh://pal@server_ip:11954 ssh://pal@10.44.5.11:11954
You can omit the username if it's identical to your username on the client you are connecting from.

Also: why yet another non-standard port? If it is because of some "security through obscurity"-practice: Don't do that. Just use ssh-keys for login and disable password-based logins altogether. Then use something like blacklistd(8) or security/sshguard to feed all bots that still try to login via password (and/or with non-existent usernames) to a blacklist for PF or ipfw to reduce overall noise. Quite often the same botnets that are used to perform login attempts on ssh are also used to carry out other attacks, so using that free intel is a low hanging fruit one should harvest.
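The syntax rule in the reply above is easy to get wrong, so here is an added example (not code from the thread, and only a model of what ssh(1) documents, not OpenSSH's own parser): a Python function for each of the two grammars, `[user@]host` or `ssh://[user@]host[:port]` for the destination and `[user@]host[:port]` or a URI for a -J/ProxyJump host, plus a helper that turns a working pair into an ~/.ssh/config stanza. The values pal, server_ip, 10.44.5.11 and 11954 are the ones used in this thread; the IPv6 bracket handling is an assumption going slightly beyond the thread.

```python
def _port(text):
    """Validate a decimal TCP port."""
    if not text.isdigit() or not 1 <= int(text) <= 65535:
        raise ValueError(f"bad port {text!r}")
    return int(text)


def _split_host_port(hostport):
    """Split 'host:port' or '[v6addr]:port' into (host, port-or-None)."""
    if hostport.startswith("["):
        end = hostport.find("]")
        if end < 0:
            raise ValueError("unterminated IPv6 bracket")
        host, rest = hostport[1:end], hostport[end + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("junk after IPv6 address")
        return host, _port(rest[1:])
    if hostport.count(":") == 1:
        host, port = hostport.split(":")
        return host, _port(port)
    return hostport, None  # no port, or a bare IPv6 address


def parse_uri(text):
    """ssh://[user@]host[:port]. ssh(1) rejects a path, which is why the typo
    'ssh://pal/10.44.5.11:11954' only produces the usage message."""
    body = text[len("ssh://"):]
    if "/" in body:
        raise ValueError("ssh:// destination may not contain a path")
    user, _, hostport = body.rpartition("@")
    host, port = _split_host_port(hostport)
    if not host:
        raise ValueError("missing host")
    return user or None, host, port


def parse_destination(text):
    """The final host argument: URI form, or [user@]host with NO port syntax.
    'pal@10.44.5.11:11954' therefore yields the hostname '10.44.5.11:11954',
    which the jump host then fails to resolve."""
    if text.startswith("ssh://"):
        return parse_uri(text)
    user, _, host = text.rpartition("@")
    return user or None, host, None


def parse_jump_host(text):
    """A -J / ProxyJump entry: URI form, or [user@]host[:port]."""
    if text.startswith("ssh://"):
        return parse_uri(text)
    user, _, hostport = text.rpartition("@")
    host, port = _split_host_port(hostport)
    return user or None, host, port


def ssh_config_stanza(jump_text, dest_text):
    """Render an ~/.ssh/config Host block so the jump happens without -J on the
    command line. Assumed layout; ProxyJump's own syntax is [user@]host[:port]."""
    ju, jh, jp = parse_jump_host(jump_text)
    du, dh, dp = parse_destination(dest_text)
    jh_fmt = f"[{jh}]" if ":" in jh else jh
    jump = (f"{ju}@" if ju else "") + jh_fmt + (f":{jp}" if jp else "")
    lines = [f"Host {dh}"]
    if du:
        lines.append(f"    User {du}")
    if dp:
        lines.append(f"    Port {dp}")
    lines.append(f"    ProxyJump {jump}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(parse_destination("pal@10.44.5.11:11954"))  # host becomes '10.44.5.11:11954'
    print(parse_destination("ssh://pal@10.44.5.11:11954"))
    print(ssh_config_stanza("ssh://pal@server_ip:11954", "ssh://pal@10.44.5.11:11954"))
```

With the generated stanza in ~/.ssh/config, `ssh 10.44.5.11` is enough, and the jump host only ever sees an authenticated SSH session rather than an open TCP forward.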
 
The syntax doesn't work!!!
ssh -J ssh://pal@xxx.xxx.xxx.xxx:11954 ssh://pal/10.44.5.11:11954
usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
[-c cipher_spec] [-D [bind_address:]port] [-E log_file]
[-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
[-J destination] [-L address] [-l login_name] [-m mac_spec]
[-O ctl_cmd] [-o option] [-P tag] [-p port] [-R address]
[-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
destination [command [argument ...]]
ssh [-Q query_option]
 
sorry, there was a typo - of course you need an '@' between username and IP. (that being said: NEVER copy & paste any commands from the internet without understanding them...)
 