Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Port forwarding question - SSH tunnelling?

Options
  • 28-10-2015 11:06am
    #1
    Tom Dunne
    Registered Users Posts: 23,212 ✭✭✭✭


    I'm behind a firewall in work, but port 22 is open, so I can ssh to servers in the cloud. One of those servers has a MySQL database on it, but port 3306 is blocked here in work.

    Can I create an SSH tunnel going out through port 22 to port 3306 on the remote server?

    All the examples I have seen use other ports such as 9000 and the like, all of which are blocked.


Comments

  • Options
    #2
    testaccount123
    Registered Users Posts: 1,023 ✭✭✭testaccount123


    Yes, its trivial to do. I use Bitvise to do it.

    https://www.bitvise.com/port-forwarding


  • Options
    #3
    liamo
    Registered Users Posts: 1,193 ✭✭✭liamo


    I would advise caution - just because you can doesn't mean you should.

    If you have a legitimate and justifiable requirement for this access then you should request it.

    A firewall is there for a reason and there may be consequences to being discovered circumventing security controls.
    In a lot of places bypassing company security would warrant immediate dismissal.


  • Options
    #4
    Khannie
    Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    ssh -L 3306:remoteserver:3306 remoteserver

    then connect to port 3306 on localhost = port 3306 on remote server.


  • Options
    #5
    Khannie
    Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    liamo wrote: »
    I would advise caution - just because you can doesn't mean you should.

    If you have a legitimate and justifiable requirement for this access then you should request it.

    A firewall is there for a reason and there may be consequences to being discovered circumventing security controls.
    In a lot of places bypassing company security would warrant immediate dismissal.

    I've thought about this a bit....In my previous company (I'm the boss in my current one :)) I would have routinely done stuff like OP is asking for because it's a pain in the arse to go to IT and ask them for access to things like that, plus it might only be a one time requirement.

    Access to a MySQL database is really not something that's going to get you fired.


  • Options
    #6
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Khannie wrote: »
    I've thought about this a bit....In my previous company (I'm the boss in my current one :)) I would have routinely done stuff like OP is asking for because it's a pain in the arse to go to IT and ask them for access to things like that, plus it might only be a one time requirement.

    Access to a MySQL database is really not something that's going to get you fired.

    Especially when they have port 22 open. If they had everything locked down, then trying to bypass it would be a big no-no. Even using a port like 53 which is regularly left open outbound would be a grey area because 53 is for DNS. All the OP wants to do is connect outbound to an SSH server. IT have zero visibility of what he tunnels through it.

    OP, there a tool called sshuttle which acts like a poor mans VPN over SSH/22. There was a hak5 video on it some time back. I'll try to find it for you.


  • Advertisement
  • Options
    #7
    azzeretti
    Registered Users Posts: 1,477 ✭✭✭azzeretti


    syklops wrote: »
    Even using a port like 53 which is regularly left open outbound would be a grey area because 53 is for DNS. All the OP wants to do is connect outbound to an SSH server. IT have zero visibility of what he tunnels .

    I think, in general, that you'll find that any IT department that allows DNS outbound to any DNS server will be fairly relaxed about other outbound traffic, so tunnelling shouldn't be an issue!


  • Options
    #8
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    azzeretti wrote: »
    I think, in general, that you'll find that any IT department that allows DNS outbound to any DNS server will be fairly relaxed about other outbound traffic, so tunnelling shouldn't be an issue!

    Well its often an oversight. They enable outbound 53 TCP and UDP when they meant it to just be outbound on UDP. I've seen it dozens of times. Either way, I think the point is made. If the OP has the wherewithal to run his own server and want/need to connect to its DB, one would think he is aware of what the company culture is with regard to what constitutes proxy bypass or not.


  • Options
    #9
    djmarkus
    Registered Users Posts: 1,606 ✭✭✭djmarkus


    Just to put your mind at ease, there is no possible way that your employer could find out that you're port forwarding over SSH as every packet is encrypted.

    The way for your employer to stop this is to close port 22, even then you could start an ssh server on port 80.


  • Options
    #10
    rom
    Registered Users Posts: 5,135 ✭✭✭rom


    If ssh is locked down you can always run ssh on port 443 and use proxychains for a double hop.

    ssh blah to setup a socks proxy
    proxychains ssh to use the socks proxy for your ssh connection.


  • Options
    #11
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    rom wrote: »
    If ssh is locked down you can always run ssh on port 443 and use proxychains for a double hop.

    ssh blah to setup a socks proxy
    proxychains ssh to use the socks proxy for your ssh connection.

    The OP already said SSH is open. its MySQL thats locked down.


  • Advertisement
  • Options
    #12
    moc moc a moc
    Registered Users Posts: 1,299 ✭✭✭moc moc a moc


    djmarkus wrote: »
    Just to put your mind at ease, there is no possible way that your employer could find out that you're port forwarding over SSH as every packet is encrypted.

    The way for your employer to stop this is to close port 22, even then you could start an ssh server on port 80.

    It appears you are not aware that modern firewalls can intercept and decrypt SSH sessions.


  • Options
    #13
    h57xiucj2z946q
    Closed Accounts Posts: 2,267 ✭✭✭h57xiucj2z946q


    moc moc a moc wrote: »
    It appears you are not aware that modern firewalls can intercept and decrypt SSH sessions.

    This is why you verify the public key first time you connect, and are on alert if it changes on subsequent connections. Alot of SSH clients will warn you of this.

    One possible counter measure is to use 'VerifyHostKeyDNS' option. http://www.openssh.com/txt/rfc4255.txt, but untimatetly if this is a concern, keep an eye on the public key when connecting.


  • Options
    #14
    matrim
    Registered Users Posts: 7,515 ✭✭✭matrim


    djmarkus wrote: »
    Just to put your mind at ease, there is no possible way that your employer could find out that you're port forwarding over SSH as every packet is encrypted.

    Not entirely true. There are statistical methods that can tell normal ssh traffic from port forwarded traffic but it's very very unlikely that an employer would be implementing those.


  • Options
    #15
    Khannie
    Moderators, Technology & Internet Moderators Posts: 37,485 Mod ✭✭✭✭Khannie


    moc moc a moc wrote: »
    It appears you are not aware that modern firewalls can intercept and decrypt SSH sessions.

    Just so we're all clear: There's no magic way of decrypting SSH. If you agree to the wrong fingerprint, that's your fault.


  • Options
    #16
    azzeretti
    Registered Users Posts: 1,477 ✭✭✭azzeretti


    Khannie wrote: »
    Just so we're all clear: There's no magic way of decrypting SSH. If you agree to the wrong fingerprint, that's your fault.

    Could have said the same about Juniper VPN connections last week ;


Advertisement