SSH 101 - SSH Port Forwarding

  • Published: 4 Aug 2024
  • This session of SSH 101 provides an overview of SSH Port Forwarding, some of the risks it creates, and how to enable or restrict it.

Comments • 94

  • @nissieln
    @nissieln 4 years ago +14

    Exceptionally good explainer about SSH Port Forwarding. Thank you!

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago +3

      I'm glad the video was helpful, Naura. I really appreciate you taking the time to comment.

    • @baldovincadenamejia244
      @baldovincadenamejia244 2 years ago

      @@PaulTurnerChannel Hi Paul, thanks a lot for this video, it is really explanatory and interactive! I'd like to ask you why at 3:10 the target server is localhost in the ssh command "-L2001:localhost:143 user1@HostB". Is localhost another name for HostB? And why didn't you just write HostB instead? I'm confused about this.

  • @francescoferazza9341
    @francescoferazza9341 4 years ago +4

    this is better than 3 books in my postgraduate courses...

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago

      Wow, Francesco. Thanks for the kind compliment. I’m glad it was helpful.

  • @dhiruiitk
    @dhiruiitk 5 years ago

    Thank you, very well explained! Salute to your great efforts in making this Animation, it really helped me to understand Port Forwarding in a better way and easily.

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago +1

      Thank you very much for the kind feedback, Dheerendra. I'm glad to hear it was helpful.

  • @seppwinn2469
    @seppwinn2469 6 years ago +8

    a big thank you! Your explanation is perfectly clear and the visualization is very nice and descriptive as well. Don't hesitate to upload more videos like this :)

    • @PaulTurnerChannel
      @PaulTurnerChannel 6 years ago

      Glad it was helpful, Sepp. I'm hoping to get time to work on more videos but that darn day job keeps getting in the way :-)

  • @edventscher8204
    @edventscher8204 3 years ago +3

    This is the first presentation that really helped me to understand the different behaviors of the ssh commands, many thanks for this. 👍👍👍

    • @PaulTurnerChannel
      @PaulTurnerChannel 3 years ago

      I’m really glad it helped, Ed. Thanks for the feedback.

  • @juliodiaz9671
    @juliodiaz9671 5 years ago +3

    The explanation you give in your video has helped me a lot.
    The option for remote redirecting has helped me so that an application mounted on GoDaddy can access a web service of my local commercial management system without exposing the service to the internet or having a fixed IP address from my ISP or a VPN.

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago

      I’m glad it was helpful, Julio. Thank you for the feedback.

  • @marveladeguitar
    @marveladeguitar 7 years ago

    I found this video while in PWK training to get OSCP certified and this video helped me a lot to understand local and remote port forwarding. Keep up the good work and thank you for making these excellent videos.

    • @PaulTurnerChannel
      @PaulTurnerChannel 7 years ago

      You put a big smile on my face, Georges. Thanks for the feedback. I'm hoping to get a break from the relentless day job to get some more videos done.

    • @marveladeguitar
      @marveladeguitar 7 years ago

      You're very able to explain complex things in a simple way and that, together with clear graphics, makes for very good tutorials.
      Aside: As you stated, there are not a lot of 'bona fide' applications for remote port forwarding, which is exactly what we're experimenting with in the Offensive Security labs :) VERY interesting stuff, and it's very insightful to get ideas here on a "blue team" approach to how to mitigate such possible abuse of SSH. Obviously, in our training we use it to bypass firewall rules because a lot of firewalls just do open/closed of ports without inspecting the contents of the packets that pass through to see if it matches the expected protocol associated with that port number.

  • @srinivasguptha9538
    @srinivasguptha9538 5 years ago +1

    Thank you so much for the great visualization with clear explanation!

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago

      Thank you for the feedback, Srinivas. I really appreciate it.

  • @doa2758
    @doa2758 2 years ago +1

    Helpful commentary and descriptions - nicely presented and useful. Great job.🤓

  • @shayarand
    @shayarand 3 years ago

    Great Explanation! Really helped me understand the concepts well.

    • @PaulTurnerChannel
      @PaulTurnerChannel 3 years ago

      I’m very glad to hear it was helpful and appreciate you taking the time to say so. Thank you.

  • @RobertPawlakS
    @RobertPawlakS 5 years ago +1

    Your explanation is really really great! Thank you so much.

  • @adampzakaria
    @adampzakaria 4 years ago +1

    Really great video Paul, very clear. Thanks for this.

  • @ChrisJu3
    @ChrisJu3 7 years ago

    Great explanation, thank you.

  • @justethom
    @justethom 4 years ago +1

    What a great illustrative explanation!

  • @LundMr1
    @LundMr1 7 years ago

    This was great :)

  • @TukozAki
    @TukozAki 6 years ago

    I'm with the others who thank you for this, M Turner. Particularly appreciated the nifty graphics :)

    • @PaulTurnerChannel
      @PaulTurnerChannel 6 years ago

      Thank you very much for the comment about the graphics. It is fun to explore how to make a concept clear through graphics.

  • @debashishdeka7698
    @debashishdeka7698 2 years ago +1

    super cool explanation. Thanks

    • @PaulTurnerChannel
      @PaulTurnerChannel 2 years ago +1

      Thanks for the feedback, Debashish. I’m glad you liked it.

  • @mayankdeshmukh8752
    @mayankdeshmukh8752 4 years ago +1

    Very well explained. Thank you !

  • @diegopineda76
    @diegopineda76 5 years ago

    Excellent explanation and video quality

  • @bigdatakid5465
    @bigdatakid5465 6 years ago +2

    Excellent video

  • @QuentinQuark
    @QuentinQuark 5 years ago +1

    Hands-down best explanation available. The graphics are super helpful, every other explanation I have seen out there is just a bunch of written explanation or video of command line actions.
    Thank you!!
    Question: in the local forwarding scenario, how might an Admin restrict the jump from HostB to HostD i.e. how would they keep the connection to HostB?

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago +1

      QQ, thanks for the kind feedback. Sorry for the slow response. I've been traveling and on intermittent connections. I'll reply to your question in a bit once I'm connected for long enough to do so.

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago +1

      QQ, you can use the PermitOpen option in the sshd_config or authorized_keys. You specify with host:port. You can include multiple by separating them with spaces. If possible, you should limit it to a single user or group (e.g., by including in one or more authorized_keys files or using Match in sshd_config). I hope this helps. Thanks again for reaching out.

  • @MisterBres
    @MisterBres 6 years ago

    I have to agree with BigDataKid. This is an excellent video! You should make more videos on complex UNIX stuff. You nailed this one. :)

    • @PaulTurnerChannel
      @PaulTurnerChannel 6 years ago

      Thank you, Jesus. I'll see what I can do to cover other topics. Best wishes.

  • @soumya08in
    @soumya08in 4 years ago +1

    very nice and crisp

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago

      Thanks for the very nice and crisp feedback, Soumendra :-)

  • @LOL-qr9dy
    @LOL-qr9dy 2 years ago +1

    yes, that is a really good explanation

    • @PaulTurnerChannel
      @PaulTurnerChannel 2 years ago

      I’m glad you liked it, LOL (love the screen name). Thanks for taking the time to comment.

  • @bagdats6971
    @bagdats6971 4 years ago +3

    The best explanation, subscribing for sure. Thank you!

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago

      Glad you like the video, Bagdat. I hope to create more soon.

  • @bimanroy3041
    @bimanroy3041 6 years ago

    Excellent explanation with scenario

  • @potatoradio34
    @potatoradio34 4 years ago +1

    Nicely explained

  • @BabuBakthavachalam
    @BabuBakthavachalam 4 years ago +1

    Thanks

  • @KueJiin
    @KueJiin 7 years ago

    helped me a lot!

  • @rafaelruales6871
    @rafaelruales6871 6 years ago

    who was the 1 person that disliked this video? This is an excellent video

  • @kherboucheamine7733
    @kherboucheamine7733 6 years ago

    awesome thank you !!!

    • @PaulTurnerChannel
      @PaulTurnerChannel 6 years ago

      Sorry for the slow response. Thank you very much for your kind comment.

  • @osinskiaosinskia7621
    @osinskiaosinskia7621 4 years ago +1

    Hi. Thanks for the detailed explanation with example. Exactly what I was looking for. I have a question about a security concern. The remote attacker in your example (HostC) would have to know the time when the tunnel is set up, on what port, and the IP of HostA, right? So breaking in isn't really possible without HostA's cooperation with HostC?

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago

      Osinskia, great question. The assumption is that the operator on HostA sets up the tunnel (with the port) and leaves it open (for an extended period of time) for another application on HostC to use. Since the port is left open, the attacker could perform a port scan, find the open port and then probe it to see what operations were possible, ultimately potentially gaining access to HostD.

  • @alimmanji4041
    @alimmanji4041 5 years ago +3

    Is it possible to just do a plain-jane ssh (i.e. no port forwarding) from HostA to HostD via HostB? Would the command line be "ssh HostD user1@HostB"? The situation I have is that I would like to open an ssh connection from HostA to HostD, but the firewall is only open from HostA to HostB. Thanks!!

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago +3

      Alim, I apologize for the slow response. Typically, if there is a bona fide reason to communicate between HostA and HostD, the best solution is to get the firewall opened between those two hosts. I realize that is not the answer you’re looking for but I did need to point that out. The next most often used method is to get the firewall opened between HostA and HostC and use HostC as a jump server to HostD (open an SSH session from HostA to HostC and subsequently open an SSH session from HostC to HostD). You could use HostB and HostC as jump servers between HostA and HostD but that gets tedious. Frankly, part of my goal in publishing this video on SSH port forwarding was to illuminate the security issues that arise when it is used. It can seem like a good idea to leverage port forwarding but it can come back to bite your organization when a port forwarding configuration gets exploited by an attacker. I’m sorry to be a bummer in my response but I’d be doing you a disservice if I didn’t point out the pitfalls. I hope you’re able to find a solution based on your technical and organizational constraints. Don’t hesitate to respond with a comment or question if I haven’t considered everything you were asking about. Thanks for the question.

  • @miriyalajeevankumar5449
    @miriyalajeevankumar5449 3 years ago +1

    Crazy, I was not aware of it at all

    • @PaulTurnerChannel
      @PaulTurnerChannel 3 years ago

      I’m glad you found this video informative, Miriyala. Thanks for taking the time to provide your feedback.

  • @photozen8398
    @photozen8398 4 years ago

    Thank you very much for this eye-opener presentation. I would really appreciate help on this situation: I have a local machine hosting Ubuntu Server on which I deploy an EMR (MySQL-Apache-PHP), and I would like to consider the best secure practice to allow SSH traffic from and to my EMR through my wireless router with minimal risk of compromising my patients' data. I will need to have a patient portal on the web, which opens up a lot of scary possibilities, but it is essential to have and needed. I am using open source solutions for my EMR and I am on a budget for my solo practice.

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago

      Hi, PhotoZen. Why do you need to use SSH? It would seem you would use TLS to secure connections to your patient portal. Are you looking to use SSH for administration of the Ubuntu box, for data transfer, or something else?

    • @photozen8398
      @photozen8398 4 years ago

      @@PaulTurnerChannel yes, I will be responsible for data transfer for billing purposes

  • @lusrinu
    @lusrinu 4 years ago +1

    Excellent video. One Q: what was the editor used to create the animation? Thanks.

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago +1

      Thanks for your comment, Sreeni. I use PowerPoint to create the graphics and presentations I do. Over the years, Microsoft has provided increasingly more powerful tools in PowerPoint, which is helpful.

  • @xwang9512
    @xwang9512 3 years ago +1

    Thanks, very great explanation; I have been searching for it for a long time. Is there any tutorial for SSH dynamic forwarding like this?

    • @PaulTurnerChannel
      @PaulTurnerChannel 3 years ago

      Hi, X. Good question. I haven’t created anything on dynamic port forwarding and haven’t looked for something. If I get through my backlog of other videos that I want to do, I’ll have a look at doing something. Good luck!

  • @user-rg8gx2uz7e
    @user-rg8gx2uz7e 5 years ago

    Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! Thank you! very much!!

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago

      You put a big smile on my face. I appreciate you providing your feedback so enthusiastically. I'm glad it was helpful.

  • @RobertPawlakS
    @RobertPawlakS 5 years ago +1

    But I have one question about the 1:50 minute. How does HostB know that it should forward this connection, and on which port on HostB is this operation performed? I assume that we do not explicitly set a port on HostB to do that. Could you shed some light on my doubts? Regards, and one more time: this is a really brilliant video.

    • @PaulTurnerChannel
      @PaulTurnerChannel 5 years ago

      Robert, this is frankly a question I have to confess I never considered. There is no configuration setting for an outbound port forwarding port in the OpenSSH server configuration file (sshd_config), so, as you say, you cannot explicitly set this port. I would assume that the server opens a dynamic port to establish the connection with HostD and that it does not use a set port, but I have never tested to confirm that. I really appreciate the question and the feedback. I'm glad you liked the video.

  • @gibraanjafar1669
    @gibraanjafar1669 4 years ago +1

    Thanks for this excellent video Paul.
    I had one doubt: at 4:25, how can the app client access the app server from Host B in the case of remote port forwarding?
    Supposing the app server is a web server, what can a person on Host B put in the browser address bar to access the app server?
    If anyone else knows, please let me know.

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago +1

      Hi, Gibraan. Thanks for your question. If a user is running a browser on HostB, they will enter “127.0.0.1:2001” in the browser address bar to access the app server (web server) on HostA. I hope that answers your question.

    • @gibraanjafar1669
      @gibraanjafar1669 4 years ago

      @@PaulTurnerChannel Thanks for taking out the time and responding to my doubt.

  • @valb4184
    @valb4184 6 years ago +1

    Paul - excellent video. Can you explain whether router, firewall, proxy server, DMZ, honeypots, IDS, IPS, switches, and internal servers are part of the LAN? Thanks in advance.

    • @PaulTurnerChannel
      @PaulTurnerChannel 6 years ago

      Sorry, Val. I'm not sure I understand your question. Can you clarify? Thanks for your feedback.

    • @valb4184
      @valb4184 6 years ago

      This might be slightly off topic, but what I meant was: when there is a secure internal LAN for an office (for example), and there are network devices that act as protection and defense from attackers and monitor incoming and outgoing traffic, such as router, firewall, proxy server, DMZ, honeypots, IDS, IPS, switches, are these devices considered to be inside the so-called LAN circle, or are they just for defense purposes?

    • @PaulTurnerChannel
      @PaulTurnerChannel 6 years ago

      This is an interesting question, Val. It likely depends on who you're asking, as different people may have their own definitions of "LAN". My perspective is that they are part of the LAN. Some of the components you list above are at the outer boundary of the LAN but must be connected to the LAN to perform their operations. All of them must be considered in the architecture of the LAN, and the security architecture. With all of this being said, I would caution about getting too wrapped up in whether they are "part of the LAN" or not. I would recommend focusing on how they affect security, operations, and reliability. Those are things you can measure. I hope that helps.

    • @valb4184
      @valb4184 6 years ago

      Great, thanks for the tip as well.

  • @LuisRivera-tm5cb
    @LuisRivera-tm5cb 4 years ago +1

    Excellent tutorial. Could you also change the port from port 22 to 443?

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago

      Hi, Luis. In the video diagrams (and in general), port 22 is the port for the SSH server (HostB). You can definitely reassign this to a different port, though I don't think 443 is a good idea for a variety of reasons (conflicting with an HTTPS server on the same box, confusing users, etc.). You might consider using 443 instead of 2001 that I've used on HostA in the diagrams, but you might again run into conflicts with an HTTPS server on HostA. Not sure if I've answered your question. Ask again if I have not.

  • @gerrcassytb
    @gerrcassytb 4 years ago +1

    Very good explanation. Thanks.
    You said at 1:55 that "the server also gets instructions that it should take and forward that connection".
    Question: Do you mean some settings in sshd_config? Could you elaborate on that?
    Thanks for your time.

    • @PaulTurnerChannel
      @PaulTurnerChannel 4 years ago

      Hi, Gerardo. Thanks for your question. When the client makes the connection, it tells the server the destination address and port it would like to connect to. If the server is configured to accept these instructions (e.g., not prohibited by the AllowTcpForwarding or GatewayPorts parameter in sshd_config), it will forward the connection for the client.
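
The server-side controls Paul names in his replies to @QuentinQuark (PermitOpen, Match, authorized_keys) and to @gerrcassytb (AllowTcpForwarding, GatewayPorts), collected into one runnable example. This is an added example, not code from the video or from Paul: a POSIX shell script that renders a deny-by-default sshd_config drop-in, re-enables one local forward for a single user, renders the matching per-key restriction for authorized_keys, and syntax-checks the result with `sshd -t` when sshd is installed. The user, host and port (user1, HostB, 143) follow the video's diagrams; the output path and the sample public key are constructed. One fact worth knowing when reading it: the host part of a PermitOpen entry, like the host part of the client's `-L2001:localhost:143` destination, is resolved on the SSH server (HostB), so "localhost" there means HostB itself.

```shell
#!/bin/sh
# Added example (not from the video or its author). Renders an OpenSSH server
# policy that forbids TCP forwarding for everyone and then permits exactly one
# local forward for one user, plus the equivalent authorized_keys options.
set -eu

# Render the sshd_config fragment. Directives before the first Match apply
# globally; the Match block relaxes them for the named user only.
render_forwarding_policy() {
    user="$1"   # account allowed to forward, e.g. user1 (from the video)
    dest="$2"   # host:port as seen from HostB, e.g. localhost:143 (from the video)
    cat <<EOF
# Default for everyone: no TCP forwarding of any kind.
AllowTcpForwarding no
GatewayPorts no
PermitOpen none

# $user may open local forwards (client -L) to $dest only. The host part is
# resolved on this server, so "localhost" means HostB itself, which matches
# the client command "ssh -L 2001:localhost:143 $user@HostB" from the video.
# Remote forwards (client -R) stay disabled because "local" excludes them.
Match User $user
    AllowTcpForwarding local
    PermitOpen $dest
EOF
}

# Same policy pinned to a single key in authorized_keys: "restrict" switches
# off port/agent/X11 forwarding and pty allocation, "port-forwarding" turns
# forwarding back on, and "permitopen" limits it to one destination.
render_authorized_keys_line() {
    dest="$1"
    pubkey="$2"   # the user's public key; the test uses a constructed value
    printf 'restrict,port-forwarding,permitopen="%s" %s\n' "$dest" "$pubkey"
}

# Write the fragment to a file and check it. A real deployment would write
# /etc/ssh/sshd_config.d/forwarding.conf (assumed path) and rely on an
# "Include /etc/ssh/sshd_config.d/*.conf" line in sshd_config (OpenSSH 8.2+).
write_and_check() {
    out="$1"
    render_forwarding_policy "$2" "$3" > "$out"
    if command -v sshd >/dev/null 2>&1; then
        # sshd -t parses the file without starting the daemon; it needs
        # readable host keys, so it may fail for non-root users.
        sshd -t -f "$out" && echo "sshd accepted $out" \
            || echo "sshd -t failed (host keys unreadable or no sshd config?)"
    fi
    # Checks that need no sshd: deny-by-default lines present, and the
    # per-user exception is confined to the Match block.
    grep -q '^AllowTcpForwarding no$' "$out" &&
    grep -q '^PermitOpen none$' "$out" &&
    grep -q "^Match User $2$" "$out" &&
    grep -q "^    PermitOpen $3$" "$out"
}

# Stand-alone usage: render both artefacts to a temporary file and stdout.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_and_check "$tmp" user1 localhost:143
    cat "$tmp"
    render_authorized_keys_line localhost:143 "ssh-ed25519 AAAAC3constructedExampleKey"
    rm -f "$tmp"
fi
```

Run it with `sh forwarding-policy.sh --demo` to see the rendered fragment. The design choice worth copying is the ordering: the global deny lines come first and the single Match block carries the only exception, so an auditor reading the file sees immediately who can forward and to where; the authorized_keys form gives the same answer per key, which is what Paul's reply recommends when a per-user Match block is not an option.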

  • @thegame8538
    @thegame8538 3 years ago

    Hello, can you please tell me where I can get SSH No-Login servers from?

    • @PaulTurnerChannel
      @PaulTurnerChannel 3 years ago

      Hi. Sorry for the slow response. Can you provide some background on what problem you’re looking to solve?

  • @richardsargeant8073
    @richardsargeant8073 6 years ago

    @s