WinSCP & 3 layers of security
FlorinMarian
Member, Host Rep
Hi, guys!
Recently I got employed as a SysAdmin at a company that owns multiple dedicated servers, each of them hosting a few virtual machines.
Their intrusion prevention system has 3 layers of security, and I understood how to manage them with PuTTY, but I have no idea how to deal with WinSCP or other similar software.
So, their infrastructure is structured like this:
- Machine1 has port 22 open for everyone
- Machine2 has port 22 open only for Machine1 (Machine2 has internal IP only)
- Machine2 is the gateway for the whole infrastructure; it can access port 22 on the public IPs of the physical servers and can also access each KVM instance on every host using their internal IP (172.x.x.x)
I would like to get some ideas about how I could resolve internal IPs from Machine2, because for public IPs I have succeeded in using the WinSCP feature called tunnel.
Thank you!
Comments
Change your laptop / workstation to Ubuntu MATE, and everything will be simpler.
Ubuntu solution: for each target that needs a gateway, write the following in ~/.ssh/config:
If gateway itself needs another gateway2, just write another entry like this:
It can nest until you run out of file descriptors or ephemeral port numbers.
This applies to both the ssh command and typing sftp://target into the file browser.
Close with ufw all traffic.
First rufe ufw allow IP......
I am just a beginner.
I am just a beginner.
If you don't have access to the internal network (which is most likely for a reason and why you were not given direct access to it), you need to use jump hosts and port forwarding to reach the walled-off infra.
On recent OpenSSH versions you have the -J flag to specify ad-hoc jump hosts. Say you need to access RDP on machine3, which can only be reached via machine2, which in turn can only be accessed via machine1; you can do:
ssh -J user@machine1,user@machine2 -L 127.0.0.1:10000:machine3:3389 user@machine3
Now you can RDP to machine3 via 127.0.0.1:10000, this should allow you to access any TCP (you can also tunnel UDP with some nc/socat tricks but that's another topic) service served by a node on the internal infra.
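An added example, not posted by anyone in this thread, of the ~/.ssh/config the Ubuntu reply refers to, combined with the two-hop jump from the last reply, laid out for the three-layer setup in the opening post. The names machine1.example.com, the 10.0.0.2 address for Machine2, the 172.16.0.0/16 guest range and the user "admin" are assumptions; replace them with the real ones.

```ssh_config
# Added example for the thread above (not from any of the replies).
# Assumed: machine1.example.com is the public host, 10.0.0.2 is Machine2's
# internal address, the KVM guests live in 172.16.0.0/16, user is "admin".

# Layer 1: the only box that accepts port 22 from the internet.
Host machine1
    HostName machine1.example.com
    User admin
    IdentityFile ~/.ssh/id_ed25519
    IdentitiesOnly yes

# Layer 2: the gateway, reachable only from machine1.
Host machine2
    HostName 10.0.0.2
    User admin
    ProxyJump machine1

# Layer 3: every KVM guest on the internal range, and the physical hosts'
# public IPs, go through both hops. ProxyJump (OpenSSH 7.3+) runs "ssh -W"
# on each hop, so the private key stays on the workstation and no agent
# forwarding is needed. On older OpenSSH use: ProxyCommand ssh -W %h:%p machine2
Host 172.16.* 172.17.* host-*.example.com
    User admin
    ProxyJump machine1,machine2
    ForwardAgent no

# For tools that do not read this file (WinSCP keeps its own sessions):
# run "ssh -N guest1-fwd" in a terminal, then point WinSCP at 127.0.0.1:2222.
Host guest1-fwd
    HostName 10.0.0.2
    User admin
    ProxyJump machine1
    LocalForward 127.0.0.1:2222 172.16.0.10:22
    ExitOnForwardFailure yes
```

Each hop's host key is checked by your workstation, so connect with plain "ssh machine1" and then "ssh machine2" once before using the chained entries, so that an unexpected key shows up at the layer it belongs to.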