WinSCP & 3 layers of security

FlorinMarian Member, Host Rep
edited February 2022 in Help

Hi, guys!

Recently I've been employed as a sysadmin at a company that owns multiple dedicated servers, each of them hosting a few virtual machines.

Their intrusion prevention system has 3 layers of security and I understood how to manage them with PuTTY, but I have no idea how to deal with WinSCP or other similar software.

So, their infrastructure is structured like this:

  • Machine1 has port 22 open for everyone
  • Machine2 has port 22 open only for Machine1 (Machine2 has internal IP only)
  • Machine2 is the gateway for the whole infrastructure: it can access port 22 on the public IPs of the physical servers and can also access each KVM instance on every host using its internal IP (172.x.x.x)

I would like to get some ideas about how I could resolve internal IPs from Machine2, because for public IPs I've succeeded in using the WinSCP feature called tunnel.

Thank you!

Comments

  • yoursunny Member, IPv6 Advocate
    edited February 2022

    Change your laptop / workstation to Ubuntu MATE, and everything will be simpler.

    Ubuntu solution: for each target that needs a gateway, write the following in ~/.ssh/config:

    Host target
      User sunny
      # connect to gateway first, then let nc on the gateway relay to target (%h) port (%p)
      ProxyCommand ssh gateway nc %h %p
    

    If gateway itself needs another gateway2, just write another entry like this:

    Host gateway
      User sunny
      # same trick one level up: gateway is itself reached through gateway2
      ProxyCommand ssh gateway2 nc %h %p
    

    It can nest until you run out of file descriptors or ephemeral port numbers.

    This applies to both the ssh command and typing sftp://target into the file browser.

  • Close all traffic with ufw.
    First rule: ufw allow IP......

    I am just a beginner.

  • jmgcaguicla Member
    edited February 2022

    If you don't have access to the internal network (which is most likely for a reason and why you were not given direct access to it), you need to use jump hosts and port forwarding to reach the walled-off infra.

    On recent OpenSSH versions you have the -J flag to specify ad-hoc jump hosts. Say you need to access RDP on machine3, which can only be reached via machine2, which in turn can only be accessed via machine1; you can do:

    ssh -J user@machine1,user@machine2 -L 127.0.0.1:10000:machine3:3389 user@machine3

    Now you can RDP to machine3 via 127.0.0.1:10000, this should allow you to access any TCP (you can also tunnel UDP with some nc/socat tricks but that's another topic) service served by a node on the internal infra.
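Applying the same -J plus -L idea to the original question (SFTP to several 172.x KVM guests behind Machine1 and Machine2, from a single-hop client like WinSCP), here is an added example script; it is not from any poster in this thread, and the user name, host names and guest IPs in it are placeholders:

```shell
#!/bin/sh
# Constructed example: open ONE ssh session machine1 -> machine2 and publish each
# internal KVM guest's port 22 on its own loopback port. WinSCP then connects to
# 127.0.0.1:<port> with the guest's own SFTP credentials, no multi-hop needed.
# JUMP_USER, MACHINE1, MACHINE2 and the guest IPs are placeholders (assumptions).

JUMP_USER="${JUMP_USER:-admin}"
MACHINE1="${MACHINE1:-machine1.example.com}"   # the only host with port 22 public
MACHINE2="${MACHINE2:-10.0.0.2}"               # gateway, internal IP, via machine1
BASE_PORT="${BASE_PORT:-10022}"                # first loopback port handed to WinSCP

# build_forward_args GUEST_IP... -> prints one "-L 127.0.0.1:PORT:GUEST:22" per guest
build_forward_args() {
    port=$BASE_PORT
    for guest in "$@"; do
        case $guest in
            172.*) ;;   # only the internal guest range described in the thread
            *) echo "refusing non-internal target: $guest" >&2; return 1 ;;
        esac
        # bind to 127.0.0.1 only, so the forwarded guest port is never exposed
        # on the workstation's other interfaces
        printf '%s 127.0.0.1:%s:%s:22\n' -L "$port" "$guest"
        port=$((port + 1))
    done
}

# tunnel_command GUEST_IP... -> prints the complete ssh command (dry run)
tunnel_command() {
    fwd=$(build_forward_args "$@") || return 1
    # -N: no remote shell, just forwards; ExitOnForwardFailure: fail loudly if a
    # local port is already taken instead of silently running without it;
    # ServerAliveInterval: keep the idle tunnel from being dropped.
    printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -J %s@%s %s %s@%s\n' \
        "$JUMP_USER" "$MACHINE1" "$(printf '%s' "$fwd" | tr '\n' ' ')" \
        "$JUMP_USER" "$MACHINE2"
}

# Real run: RUN_TUNNEL=1 sh tunnel.sh 172.16.5.20 172.16.5.21
# then point WinSCP (SFTP) at 127.0.0.1:10022 and 127.0.0.1:10023.
if [ "${RUN_TUNNEL:-}" = 1 ]; then
    eval "$(tunnel_command "$@")"
fi
```

Without RUN_TUNNEL=1 the script only prints the command it would run, which is a convenient way to review the forward list before opening the session.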
