Creating Secure Tunnels With ssh
If you manage remote servers or if you have more than one computer you most likely have used the ssh command. A simple description of ssh is that it's a secure version of telnet, but that's like saying a Porsche is a just a better version of a Volkswagen bug.
Amoung other things, the ssh command allows you to setup secure tunnels to remote computers. One example of creating a tunnel that I use often is to use phpmyadmin to look at the database on a remote server without having to have phpmyadmin actually installed on the remote server.
To do this I simply install phpmyadmin on my local system then I use ssh to create a tunnel to the server that I want to interact with. This means I don't have to have phpmyadmin installed remotely and I don't have to maintain multiple phpmyadmin installations if I manage more than one server.
Now of course, mysql is network capable to begin with so it's also possible to just setup phpmyadmin on your local system to talk directly to mysql on the remote server. However, for security reasons you may not want to have mysql listening directly on a public interface: have it listen on localhost but not on the internet.
The essence of this type of tunnel is to start ssh and tell it to listen on a local TCP/IP port and to have it forward any traffic that it sees on that port to a particular port on the remote side. The normal mysql port is 3306, so what you can do is tell ssh to listen on port 3308 on your local computer and forward that to port 3306 on the remote side.
For example, if the remote server in question was myserver.example.com you could run the following command on your local system to create a tunnel as described above:
ssh -T -N -L 3308:localhost:3306 myserver.example.com
The meat of the command is the -L option, which tells ssh to listen on port 3308 locally and then on the remote side to forward all traffic on that port to localhost:3306. Note that the localhost here is not referring to the local system but rather where to forward things to on the remote side, in this case to localhost on the remote side.
The -T command disables allocation of a tty and the -N command disables the running of a command (eg your login shell) on the remote side. This means that this instance of ssh won't act like a terminal, it's just for port forwarding.
You can test the tunnel using the command line interface to mysql on your local system. You may need to specify the host name or address in the command:
$ mysql -P 3308 -u USERNAME -pPASSWORD DATABASE # OR $ mysql -h localhost -P 3308 -u USERNAME -pPASSWORD DATABASE # OR $ mysql -h 127.0.0.1 -P 3308 -u USERNAME -pPASSWORD DATABASE
This type of tunneling capability only represents some of what you can do with ssh tunneling. For example, suppose myserver.example.com were actually a firewall that protected, amoung others, the system private.local. The system private.local is accessible from myserver.example.com but not from the internet directly. So, now you could run:
ssh -T -N -L 3308:private.local:3306 myserver.example.com
Here, ssh listens on port 3308 on the local system and it forwards that data to port 3306 on private.host, but it does that via the server myserver.example.com. In other words the local traffic on port 3308 gets transferred first to the remote system which then transfers it to port 3306 on private.host. Of course, if private.local's mysql server is only listening on its local interface this won't work, you'll need something more involved.
Another type of tunneling you can do is to reverse the tunnel: rather than using -L you can specify -R so that the listen side of the tunnel is on the remote side rather than on the local side. For example, suppose phpmyadmin was installed on myserver.example.com and you wanted to allow somebody using that phpmyadmin installation to connect to the mysql instance running on your local system. Just substitute -R for -L in the first ssh command above:
ssh -T -N -R 3308:localhost:3306 myserver.example.com
Here the remote ssh listens on port 3308 of myserver.example.com and then forwards traffic on that connection to port 3306 on your local system. Note that by default ssh is only listening on the localhost interface of the remote system so if the remote phpmyadmin install is secure your local system will also be secure. Remember that you still run this ssh command from your local system, you don't run it from the server (and unless your system is routable you probably couldn't successfully execute it on the remote system anyway).
To test the connection, on the remote system execute the command line mysql client using the same commands as we used above. This should connect to the database on your local computer. Again the configuration of phpmyadmin is left as an exercise.
Mitch Frazier is an Associate Editor for Linux Journal.
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Firefox 46.0 Released
- Ubuntu Online Summit
- Devuan Beta Release
- The Qt Company's Qt Start-Up
- May 2016 Issue of Linux Journal
- The US Government and Open-Source Software
- The Death of RoboVM
- Open-Source Project Secretly Funded by CIA
- New Container Image Standard Promises More Portable Apps
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide