Tuesday, September 20, 2011

OpenSSH and how to get around port 25 filters on local networks...

OpenSSH is a very capable tool and I'm using it for years. And even though I don't consider myself a beginner user, but racá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r an advanced one, every now and cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n I learn something new about this great tool. Here are two links to such sites that I found to be very interesting:
  1. SSH Can Do That? Productivity Tips for Working with Remote Servers
  2. 9 Awesome SSH Tricks
Be sure to also read comments cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re because cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365y are useful too.

What I'm going to describe is how I'm using ssh tunneling capabilities to send email via remote server when local network blocks port 25 outside of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 local network. Blocking port 25 is quite a frequent scenario, and useful security practice, to prevent, or at least lower cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 quantity of, outgoing spam from local network. Probably it was massively introduced during Slammer worm or somewhere around that time. Anyway, for an easier understanding here is a figure that tries to illustrate this particular scenario:

Network topology
In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 given figure I'm using laptop computer and what I want to do is to send an email message using MY HOME MAIL SERVER as outgoing mail server. But, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 exit router (or firewall) on LAN1 where I'm attached blocks any access to port 25 anywhere outside of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 LAN1. In cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same time, it allows outgoing ssh connections.

The general idea is to redirect mail client to connect to a localhost on port 25 and using ssh transfer this conection to remote mail host' local port 25. Note that, in order for this scenario to work you are not allowed to run local mail server, or, you have to redirect local mail client. The next premise is that cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 remote server allows ssh access. If it doesn't, cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n you have to find a host that allows. I'll deal with that scenario later, let us first go through this simpler scenario first.

To create tunnel that will transfer local connection to remote host run cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following command as root user:

ssh -L 25:127.0.0.1:25 MY_HOME_MAIL_SERVER

What this command does is that it binds to a local port 25 (protocol tcp) and anything that connects to that address is forwarded to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365r side where it connects to IP address 127.0.0.1 and port 25, i.e. to a local instance of mail server on MY HOME MAIL SERVER. You need to run this command as a root because of cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 local bind to privileged port (25).

One more thing you need to do is to trick your mail client to connect to localhost instead to MY_HOME_MAIL_SERVER. How to do this depends on how you configured your mail client. In case you entered symbolic name of MY_HOME_MAIL_SERVER into mail client cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365n you can change it to 127.0.0.1, or better, change /etc/hosts and put cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365re cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 following line:

127.0.0.1           MY_HOME_MAIL_SERVER

Don't forget to remove this line once you are finished. Ocá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365rwise, when you remove ssh tunnel you want be able to send mail any more!

Let me try to visualise what you did. Some time later I'll draw a figure, but now let me try with a words. With ssh you created a pipe that goes from cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 laptop to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 MY_HOME_MAIL_SERVER. At cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 start of that pipe, on laptop, it is listening to port 25 at local addres. At cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 end, this pipe whatever comes, simply hands to cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 localhost and port 25, i.e. to a mail process running on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 MY_HOME_MAIL_SERVER.

Finally, I what if you don't have ssh access to a MY_HOME_MAIL_SERVER? Well, in that case you have to find some computer to which you can ssh, and which can connect to port 25 of MY_HOME_MAIL_SERVER. Note that it can be any server on cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 Internet. To make things work now, you use almost cá cược thể thao bet365_cách nạp tiền vào bet365_ đăng ký bet365 same ssh command, but with a little different arguments:

ssh -L 25:MY_HOME_MAIL_SERVER:25 YOUR_SSH_SERVER

Note that MY_HOME_MAIL_SERVER is IP adress or DNS name of your mail server, while YOUR_SSH_SERVER is IP address or DNS name of a server you use as a middle hop.

And that's it. :) Actually, very simple. But, personally I'm not satisfied with visualization so I'll improve it when I find more time and inspiration. :)

No comments:

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)

Blog Archive