What is SSH port forwarding?

Mobile 2024-01-09 02:21:26 views: null

Hello, this is the Network Technology Alliance site.

SSH (Secure Shell) is a protocol for establishing secure connections in insecure networks. It provides secure access to remote computers by encrypting communications. SSH is not only a remote login tool, but also provides a series of powerful functions, one of which is SSH port forwarding.

The basic principle of SSH is to authenticate through public and private keys to ensure confidentiality and integrity during the communication process. Users can connect to remote servers via SSH and execute commands, transfer files, etc. in a secure environment.

The role of SSH is not limited to simple remote login. It can also provide encrypted tunnels to protect data as it travels between different networks. This feature lays the foundation for SSH port forwarding.

SSH basics

SSH is built on a client-server model. When a user connects to a remote server via SSH, a secure communication channel is established between the client and server. This channel is encrypted to prevent sensitive information from being stolen or tampered with.

The working principle mainly includes:

  • Connection establishment phase: The user establishes a connection with the remote server by providing correct authentication information (usually a username and password, or using a key pair).
  • Key agreement: Both parties negotiate a key for encrypted communication.
  • Communication process: All data transmitted through the SSH channel is encrypted and decrypted to ensure data security.

SSH uses public and private key authentication methods, which is more secure than the traditional username and password method. In this process, the user generates a pair of public and private keys and uploads the public key to the server. When a user attempts to connect, the server verifies that the user has the public key corresponding to the private key.

Encrypted communications ensure data is not stolen or tampered with during transmission. This is crucial for the secure transmission of sensitive information, especially in operations such as remote login and file transfer.

Based on SSH, SSH port forwarding provides a more flexible way to manage network connections. We will delve into the different types of SSH port forwarding and their applications in the next chapter.

SSH port forwarding

SSH port forwarding is a technology that uses the SSH protocol to securely transmit communication data of other protocols. Through SSH port forwarding, users can establish an encrypted channel between two devices to transmit various network traffic securely. It allows users to map local ports to remote servers, or remote ports to local machines.

SSH port forwarding is mainly divided into the following three types:

  • local port forwarding
  • Remote port forwarding
  • Dynamic port forwarding

Local Port Forwarding

Local port forwarding maps the local computer's port to a remote server. When local services need to be accessed in a remote network, this can be achieved through local port forwarding. For example, map local Web services to a remote server so that local Web applications can be accessed through the remote server.

Local port forwarding allows the local computer's port to be mapped to a remote server to achieve secure data transmission. Its basic syntax is as follows:

ssh -L [本地端口]:[目标地址]:[目标端口] [远程服务器]

For example, if you want to map the local computer's port 80 to the remote server's port 8080, you can use the following command:

ssh -L 80:localhost:8080 user@remote-server

Assume that there is a web server on the internal network with port 8080, but due to firewall restrictions, direct access from the outside is not possible. With local port forwarding, we can securely access the internal web service:

  1. Enable local port forwarding:
ssh -L 8080:localhost:8080 user@internal-server
  1. Accessing in a local browser http://localhost:8080actually accesses the web service of the internal network.

Local port forwarding enables internal services to be exposed to external networks via the local computer while ensuring communications are encrypted and secure. In actual work, this technology can be used to access internal web applications, databases and other services.

Remote Port Forwarding

Remote port forwarding maps the port on the remote server to the local computer. This way, services on the remote server can be accessed through the local computer. For example, map the port of a remote database server to the local one so that local applications can access the remote database.

Remote port forwarding allows ports on a remote server to be mapped to the local computer. In this way, services on remote servers can be accessed securely. Its basic syntax is as follows:

ssh -R [远程端口]:[目标地址]:[目标端口] [远程服务器]

For example, if you wish to map the database port 3306 on the remote server to the local computer's port 3306, you can use the following command:

ssh -R 3306:localhost:3306 user@remote-server

Assume that there is a database service on the local computer, listening on local port 3306. Through remote port forwarding, we can map the local database service to the remote server so that it can be accessed through the remote server:

  1. Start remote port forwarding:
ssh -R 3306:localhost:3306 user@remote-server
  1. Accessing through on the remote server localhost:3306actually accesses the database service on the local computer.

Remote port forwarding allows remote servers to access services on the local computer, which is very useful in scenarios that require remote servers to actively connect to local services. For example, you can execute a scheduled task on a remote server to connect and obtain data on the local computer periodically.

Dynamic Port Forwarding

Dynamic port forwarding allows users to create a dynamic port on their local machine to route all traffic through an SSH tunnel to a remote server. This way, the local computer can act as a proxy server, securely forwarding all traffic to the remote network. Dynamic port forwarding is often used to implement secure proxy services through which users can access remote network resources without directly connecting to the remote network.

Dynamic port forwarding allows users to create a dynamic port on their local machine to route all traffic through an SSH tunnel to a remote server. This dynamic port can be used by applications on the local computer as a proxy server, forwarding all network requests to the remote server through this proxy service.

The syntax for dynamic port forwarding is as follows:

ssh -D [本地动态端口] [远程服务器]

For example, if you want to create a proxy service with a dynamic port of 1080:

ssh -D 1080 user@remote-server

Let's say we are on an untrusted public network and we want to access the internet through a secure channel while hiding our true IP address. With dynamic port forwarding, we can create a local proxy service that sends all traffic through an SSH tunnel to the remote server, which then sends it to the Internet.

  1. Enable dynamic port forwarding:
ssh -D 1080 user@remote-server
  1. Set up a proxy in your local browser or application, using localhost:1080as the proxy server address.

In this way, all network traffic is transmitted securely to the remote server through the SSH channel, thus achieving a secure proxy service. Dynamic port forwarding is useful in scenarios where access to the internet over a secure channel is required, especially when using untrusted networks.

security considerations

SSH port forwarding is a powerful tool, but there are some security considerations when using it.

  • Key Management : Ensure the security of SSH keys. Using a key pair for authentication is a more secure method, but leakage of the private key can lead to security breaches. Properly manage key pairs, replace keys regularly, and limit access to private keys.
  • Firewall settings : Properly configure firewall rules to restrict access to port forwarding. Only allow connections from trusted sources and limit port ranges to reduce the risk of potential attacks.
  • Restrict destination addresses : Restrict destination addresses in port forwarding rules to ensure only specific destinations can be accessed. This helps reduce potential misuse and unauthorized access.
  • Logging : Enable the logging function of the SSH server, and check and analyze logs in a timely manner to discover potential security issues. Monitor port forwarding activities and respond to abnormal situations in a timely manner.
  • Enhanced authentication : Use two-factor authentication to enhance the security of user authentication. Use password encryption to avoid using weak passwords and increase security.
  • Regularly review rules : Regularly review SSH port forwarding rules to ensure that only necessary rules are activated. Reduce the potential attack surface by removing rules that are no longer needed.

SSH port use case

In actual work, SSH port forwarding is widely used in different scenarios, such as:

  • Spring board: Jump to the internal network through an intermediate server.
  • Access internal services: Securely access internal web applications, databases and other services in restricted networks.
  • Secure proxy: Establish a secure proxy service in an untrusted network.

Port forwarding for TCP and UDP

SSH port forwarding mainly supports TCP traffic, but may need to handle UDP traffic in some scenarios. To handle UDP traffic, -wthe tunnel mode can be set to "tunnel" using the option. This allows SSH to handle UDP traffic so that UDP traffic can also be transmitted over the secure channel.

ssh -w 0:0 -L [本地端口]:[目标地址]:[目标端口] [远程服务器]

Multi-level nested port forwarding

SSH port forwarding supports multi-layer nesting, in this way, multiple secure channels can be established at different levels. For example, by nesting two port forwards between the local computer and the remote server, you can map a service on the local computer to a different port on the remote server.

ssh -L [本地端口1]:localhost:[目标端口1] user@remote-server1
ssh -L [本地端口2]:localhost:[目标端口2] user@localhost -p [本地端口1]

In this way, services on the local computer will be mapped to different ports on the remote server through two-layer port forwarding.

In the advanced topic of SSH port forwarding, by handling UDP traffic and multiple layers of nesting, it can be more flexible to meet the needs of complex network architectures.

10. Summary

Through this article, we introduce the basic concepts, principles and applications of SSH port forwarding in detail. From local port forwarding, remote port forwarding to dynamic port forwarding, we cover the different types of port forwarding and how they work in practice.

Security considerations, use cases, and advanced topics further demonstrate the importance and flexibility of SSH port forwarding. Whether used for simple internal network access or establishing a secure proxy service in an untrusted network, SSH port forwarding provides a reliable solution for network security.

Hope this article helps you!

Guess you like

Origin blog.csdn.net/weixin_43025343/article/details/135415982
Recommended
Ranking
vue project automated build tools 1.0, support for multi-page build
JDBC add, update, delete data
SpringCloud combat service in response to the decline tutorial series (Chapter IV)
A segmentation fault (core dumped) error occurs when C+11 compiles and calls the PCL library
Django achieve websocket
Go语言并发之道--笔记1
Three-tier structure and application
Zhejiang data structure after-school exercise practice two 7-2 Reversing Linked List (25 points)
Front-end interview brushing day9 (updated daily high-frequency inspection points for front-end interviews)
The difference between the shell of the single and double quote
Daily
More
2024-05-02(0)
2024-05-01(4)
2024-04-30(36)
2024-04-29(5)
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)

Code World

© 2018 codetd.com