
ssh port forwarding exploit 1

Status
Not open for further replies.

LinuXelite

Programmer
Jun 21, 2002
150
CA
Hello

I need to encrypt a connection to a MySQL server. The server runs Linux and the client is multi-platform. So I use a tunnel. I have two solutions:

- Stunnel
- SSH port forwarding

Stunnel requires OpenSSL and a manual configuration on the client. I don't want that.

SSH port forwarding works because I call plink.exe from a cmd shell and it's transparent for the user.

However, here is my problem:

I have a dummy account on the Linux server with no shell access.
SSH encrypts the MySQL connection.

If a user decides to "hack" the software and change this:
ssh -f -L 1234:foobar:3306 foobar.com sleep 30
to this
ssh -f -L 1234:localhost:25 foobar.com sleep 30

The user can use my SMTP server to avoid my firewall and send spam mail from my server.

I need a policy to limit SSHD port forwarding.

I can't find anything on Google or in the man pages. Am I wrong, or is this not a good solution for a public tunnel?

I'm open to another solution. I use Delphi/Kylix as a main programming language and SSH is the most convenient way to do this (except for the security concern).

Frank,
 
Who is going to "hack" your software? If they can hack that, then you've got bigger problems than people sending spam.
 
It's very easy to hack software.

Anyway, you don't need to hack the software but create another tunnel with ssh. It seems very easy to me.



 
So somebody presumably gets root access to route a low port, or you allow someone to run ssh to re-route a high port; then I'm afraid, as eric points out, that's poor system administration.

Put root access on the initial port forwarding script, run it as a daemon, and enjoy. You could also xinetd the call to port 1234 to force the exec of your favorite script.

 
When I said "port 25" it was only an example. A bad example, but an example.

Let's say that I have a MySQL server and a squid server.

MySQL 3306, squid 3128

I want to block port forwarding on squid, but I need port forwarding on MySQL. Now that you are a better admin than me, tell me what would you do? Well, maybe SSH doesn't allow this restriction.





 
This isn't a pissing contest and I cannot judge and do not care who is "better" than whom. That said, you have many options.

Use an xinetd configuration to monitor port 1234 and launch your chmod 0500 script to open up the passthrough.

Use the chmod 0500 script and have it launched at bootup or on a schedule by cron if that suits your needs.

The point is that once the port is bound by root, it cannot be stepped on by a casual user.

You should also consider building a VPN using OpenVPN and avoid this whole morass.


 
Well this is a solution. Thanks for the advice.

OpenVPN is the best solution, but I need a solution for my customer. They don't know how to build a VPN. I need something that can be set up automatically when my software starts in the background.

I'll check what iptables can do for me. And there is also the parameters permitonly=host:port...

Ok thanks a lot for your expertise and advice!

Frank,
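The restriction Frank is reaching for at the end of the thread is the per-key `permitopen` option in the server's authorized_keys file (spelled `permitonly` in the post), which limits a key's local forwarding (`ssh -L`) to the listed host:port. The script below is an added example, not code from the thread or from Tek-Tips: it parses an authorized_keys file the way sshd(8) describes the format (comma-separated options, double-quoted values that may contain commas and spaces, then key type, key and comment) and flags tunnel keys that can still forward to any destination. The file content is constructed for the example, the key strings are placeholders, and `foobar:3306` is the MySQL destination from the first post. Option semantics assumed here: `no-port-forwarding` and `permitopen` exist in all current OpenSSH releases, while `restrict` and `port-forwarding` need OpenSSH 7.2 or later.

```python
"""Audit an OpenSSH authorized_keys file for tunnel-only accounts.

Added example (not from the thread). Flags keys that may forward to any
host:port reachable from the server instead of only the intended service.
"""

# Constructed sample: an unrestricted key (Frank's original setup), a key
# locked to the MySQL port with a forced command, and a key with no
# forwarding at all. Key material is a placeholder, not a real key.
SAMPLE_AUTHORIZED_KEYS = """\
# tunnel account keys (constructed sample)
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY1 tunnel-old
restrict,port-forwarding,permitopen="foobar:3306",command="/bin/sleep 30" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEY2 tunnel-new
no-port-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDERKEY3 shell-only
"""

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "sk-ssh-ed25519@openssh.com",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
             "sk-ecdsa-sha2-nistp256@openssh.com")


def _split(text, is_sep):
    """Split text on separator characters that sit outside double quotes.

    Backslash escapes inside quotes are kept verbatim so a quoted value such
    as command="echo \\"hi\\"" survives as one token.
    """
    fields, cur, quoted, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if quoted and c == "\\" and i + 1 < len(text):
            cur.append(text[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and is_sep(c):
            if cur:
                fields.append("".join(cur))
                cur = []
            i += 1
            continue
        cur.append(c)
        i += 1
    if cur:
        fields.append("".join(cur))
    return fields


def parse_options(opts):
    """Turn 'a,b="x,y",c' into [("a", ""), ("b", "x,y"), ("c", "")]."""
    result = []
    for item in _split(opts, lambda c: c == ","):
        name, _, value = item.partition("=")
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        result.append((name.lower(), value))
    return result


def parse_entry(line):
    """Parse one authorized_keys line; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split(line, str.isspace)
    if fields[0] in KEY_TYPES:          # no options field present
        options, rest = [], fields
    else:                               # options precede the key type
        options, rest = parse_options(fields[0]), fields[1:]
    if len(rest) < 2 or rest[0] not in KEY_TYPES:
        raise ValueError(f"unparseable authorized_keys line: {line[:40]!r}")
    return {"options": options, "key_type": rest[0], "comment": " ".join(rest[2:])}


def assess(entry):
    """Decide what the key may do with forwarding and list weak spots."""
    names = [n for n, _ in entry["options"]]
    restricted = "restrict" in names
    # 'restrict' turns forwarding off unless 'port-forwarding' re-enables it.
    forwarding = "no-port-forwarding" not in names and (
        not restricted or "port-forwarding" in names)
    permitopen = [v for n, v in entry["options"] if n == "permitopen"]
    command = next((v for n, v in entry["options"] if n == "command"), None)
    findings = []
    if forwarding and not permitopen:
        findings.append("forwarding allowed to ANY host:port reachable from the server")
    if command is None:
        findings.append("no forced command; the client chooses what to run")
    if not restricted and "no-pty" not in names:
        findings.append("pty allowed")
    return {"comment": entry["comment"], "forwarding": forwarding,
            "permitopen": permitopen, "forced_command": command,
            "findings": findings}


def audit(text):
    """Audit every key line in an authorized_keys file's text."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = parse_entry(line)
        if entry is not None:
            results.append({"line": lineno, **assess(entry)})
    return results


if __name__ == "__main__":
    for r in audit(SAMPLE_AUTHORIZED_KEYS):
        status = "OK  " if not r["findings"] else "WARN"
        print(f"{status} line {r['line']} ({r['comment']}): forwarding={r['forwarding']} "
              f"permitopen={r['permitopen']} command={r['forced_command']!r}")
        for f in r["findings"]:
            print("      -", f)
```

The second sample line is the shape that answers the thread's question: `permitopen="foobar:3306"` confines `-L` forwarding to MySQL, `restrict` turns off everything else (pty, X11, agent, remote forwarding) and `command=` replaces whatever the client asked to run, so the `sleep 30` on the client side no longer matters. Two caveats for a practitioner: `permitopen` only governs local forwarding (remote `-R` listeners are controlled by `restrict`/`no-port-forwarding`, or `permitlisten` on OpenSSH 7.8 and later), and the same limits can be set centrally in sshd_config with a `Match User` block using `AllowTcpForwarding` and `PermitOpen` so they hold regardless of what ends up in the key file.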



 