Posts Tagged ‘ SSH ’

SSH Port Forwarding

SSH port forwarding, or TCP/IP connection tunneling, is a process whereby a TCP/IP connection that would otherwise be insecure is tunneled through a secure SSH link, protecting the tunneled connection from eavesdropping and tampering on the network between the SSH client and the SSH server.

In other words, port forwarding, or tunneling, is a way to carry insecure TCP traffic inside an SSH (Secure Shell) session. Only the leg inside the SSH session is protected: if the forwarded target is a third host, the hop from the SSH server to that host is ordinary, unencrypted TCP.

There are two kinds of port forwarding:

1. Local port forwarding and

2. Remote port forwarding

They are also called outgoing and incoming tunnels, respectively.


Local port forwarding (ssh -L) :

A port on your own machine is forwarded, through SSHHOST, to a port on RHOST. Connections you make to that local port come out of SSHHOST and go to RHOST.

[You can use SSHHOST and RHOST as same or different]

Remote port forwarding (ssh -R) :

A port on SSHHOST is forwarded, back through your SSH connection, to a port on RHOST as reached from your own machine. Connections made to that port on SSHHOST come out of your machine.

Example for local port forwarding:

Aim : Access a service (in this example SSH port tcp/22, but it could be anything like a web server on tcp/80) on machine “YY.YY.YY.YY”, which the SSH host XX.XX.XX.XX can reach but you cannot reach directly.

From your shell type:

ssh root@XX.XX.XX.XX -L 10000:YY.YY.YY.YY:22

Then, from your local machine, you should be able to reach YY.YY.YY.YY through the tunnel (the host key you are asked to accept is YY.YY.YY.YY's, not your own machine's):

ssh root@localhost -p 10000

Example for Remote Port Forwarding:

Aim : Access a service in your home machine from your office (in this example SSH port tcp/22, but it could be anything like a web server on tcp/80)

From your machine at home type following:

ssh root@server1SSHHOST.COM -R 10000:

Then SSH to the server “server1SSHHOST.COM” from your machine at the office and type the following. Port 10000 is bound to the server's loopback interface, so it is only reachable from a shell on the server itself unless GatewayPorts is enabled in the server's sshd_config.

ssh root@localhost -p 10000

Note : Don't forget to open the necessary ports on any firewall at home or at work. Only the SSH port of server1SSHHOST.COM (tcp/22 by default) has to be reachable from both places; the forwarded port itself never crosses a firewall.
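The two recipes above wrapped in a small bash script, added here and not part of the original post: it starts either kind of tunnel in the background with ExitOnForwardFailure (so a port that is already in use fails loudly instead of leaving you with a shell and no tunnel), keeps a control socket so the tunnel can be checked and closed, and binds the listening side to 127.0.0.1 explicitly. XX.XX.XX.XX and YY.YY.YY.YY follow the post; the socket path, the function names and the `demo` usage at the bottom are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not from the original post. Start, check and stop an SSH port
# forward using a control socket. Placeholder hosts follow the post.
set -u

# ControlPath for the background master; %r@%h:%p expands to user@host:port
SOCK="${TUNNEL_SOCK:-$HOME/.ssh/tunnel-%r@%h:%p}"   # assumption: ~/.ssh exists

# forward_opt KIND LISTEN_PORT TARGET_HOST TARGET_PORT
# Prints the -L or -R option with an explicit loopback bind address. For -L this
# is the default anyway; for -R the server side also binds to its own loopback
# unless GatewayPorts is set in the server's sshd_config, which is why the
# remote-forward recipe has you log in to the server and connect to localhost.
forward_opt() {
    local kind=$1 port=$2 host=$3 hport=$4
    case "$kind" in
        local)  printf '%s 127.0.0.1:%s:%s:%s' -L "$port" "$host" "$hport" ;;
        remote) printf '%s 127.0.0.1:%s:%s:%s' -R "$port" "$host" "$hport" ;;
        *) echo "forward_opt: kind must be local or remote" >&2; return 2 ;;
    esac
}

# tunnel_up KIND LISTEN_PORT TARGET_HOST TARGET_PORT [user@]SSHHOST
tunnel_up() {
    local opt
    opt=$(forward_opt "$1" "$2" "$3" "$4") || return $?
    # -N: run no remote command   -f: go to the background once authenticated
    # ExitOnForwardFailure=yes: if the port cannot be bound, exit non-zero instead
    # of silently staying connected without the tunnel
    # -M -S: become a control master so tunnel_check/tunnel_down can talk to it
    # shellcheck disable=SC2086  # $opt is intentionally two words
    ssh -N -f -o ExitOnForwardFailure=yes -M -S "$SOCK" $opt "$5"
}

# Both take the same [user@]SSHHOST as tunnel_up so %r@%h:%p resolves to the same socket
tunnel_check() { ssh -S "$SOCK" -O check "$1"; }
tunnel_down()  { ssh -S "$SOCK" -O exit  "$1"; }

# demo: the local-forward recipe from the post (run with: ./tunnel.sh demo)
if [ "${1:-}" = demo ]; then
    tunnel_up local 10000 YY.YY.YY.YY 22 root@XX.XX.XX.XX
    tunnel_check root@XX.XX.XX.XX
    ssh -p 10000 root@127.0.0.1      # this is sshd on YY.YY.YY.YY, reached via XX.XX.XX.XX
    tunnel_down root@XX.XX.XX.XX
fi
```

For the remote-forward recipe you would run, from home, `tunnel_up remote 10000 localhost 22 root@server1SSHHOST.COM`; the target `localhost:22` (the home machine's own sshd) is an assumption, since the post's command is cut off after the colon.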


SSH many users to one Home with full access

Home : /home/onehome
Default user and group is “onehome”

Step : 1

Add users whose home directory is onehome's directory (-M because the directory already exists and must not be recreated)

useradd -M -d /home/onehome -s /bin/bash user1
useradd -M -d /home/onehome -s /bin/bash user2

Step : 2

Add the new users to onehome's group. useradd cannot change an existing account (it fails with "user already exists"), so use usermod; -a appends to the user's existing group list instead of replacing it.

usermod -aG onehome user1
usermod -aG onehome user2

Step : 3

Give the new users full permission on onehome's home directory. This sets the access ACL on everything that is there now; files created later only inherit the grant if you also set a default ACL (d:u:user1:rwx) on the directories.

setfacl -R -m u:user1:rwx /home/onehome
setfacl -R -m u:user2:rwx /home/onehome

Caveat : sshd with StrictModes (the default) only reads ~/.ssh/authorized_keys if the home directory and .ssh are owned by the logging-in user or root and are neither group- nor world-writable. A shared home owned by onehome and opened up through ACLs fails both tests for user1 and user2 (the ACL mask shows up in the group bits), so their key-based logins are refused. Point AuthorizedKeysFile in sshd_config at a root-owned per-user location such as /etc/ssh/authorized_keys/%u rather than turning StrictModes off.
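The three steps as one script, added here and not part of the original post, with the corrections applied (usermod -aG for existing accounts, -M so useradd does not try to recreate the shared directory) and the default ACL added so files created later inherit the grant. It also checks the one thing this layout breaks, sshd's StrictModes ownership-and-mode test on the shared home, and tells you how to work around it. The path and group default to the post's /home/onehome and onehome; the function names, the warning text and the AuthorizedKeysFile suggestion are this example's own.

```shell
#!/bin/bash
# Added example, not from the original post: give several SSH accounts one shared
# home directory, and warn when sshd's StrictModes will refuse key logins there.
set -eu

SHARED_HOME="${SHARED_HOME:-/home/onehome}"   # defaults follow the post
SHARED_GROUP="${SHARED_GROUP:-onehome}"

# strictmodes_ok PATH USER: exit 0 if sshd (StrictModes yes, the default) would
# accept PATH as part of USER's authorized_keys path. sshd requires the directory
# to be owned by USER or root and to be neither group- nor world-writable. An ACL
# mask is displayed in the group bits, so an ACL grant of rwx fails the mode test
# even though chmod was never run.
strictmodes_ok() {
    local line owner gw ow
    line=$(ls -ld "$1")
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    gw=$(printf '%s\n' "$line" | cut -c6)     # group write flag
    ow=$(printf '%s\n' "$line" | cut -c9)     # other write flag
    { [ "$owner" = "$2" ] || [ "$owner" = root ]; } && [ "$gw" = - ] && [ "$ow" = - ]
}

# add_shared_user USER: steps 1-3 of the post, corrected, for one account
add_shared_user() {
    local user="$1"
    # step 1: -M because the directory already exists and belongs to onehome
    useradd -M -d "$SHARED_HOME" -s /bin/bash "$user"
    # step 2: useradd cannot modify an existing account; usermod -a appends the group
    usermod -aG "$SHARED_GROUP" "$user"
    # step 3: access ACL on everything present now ...
    setfacl -R -m "u:$user:rwx" "$SHARED_HOME"
    # ... and a default ACL on each directory so files created later inherit it
    find "$SHARED_HOME" -type d -exec setfacl -m "d:u:$user:rwx" {} +
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    local u
    for u in "$@"; do
        add_shared_user "$u"
        if ! strictmodes_ok "$SHARED_HOME" "$u"; then
            echo "warning: $SHARED_HOME fails sshd's StrictModes check for $u;" \
                 "set AuthorizedKeysFile /etc/ssh/authorized_keys/%u in sshd_config" \
                 "(root-owned, one file per user) instead of disabling StrictModes" >&2
        fi
    done
}

# usage: sudo ./shared_home.sh user1 user2
if [ $# -gt 0 ]; then main "$@"; fi
```

The warning fires for every user added this way, because the shared home is owned by onehome and its ACL mask makes it look group-writable; that is the expected outcome of this layout, not a bug in the script.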

Limit SSH per IP and user

You can limit SSH using /etc/hosts.deny and /etc/hosts.allow (TCP Wrappers). This article will not go into that. Instead it deals with the AllowUsers directive in sshd, which limits access per user and, if desired, per source address.

To enable this, edit /etc/ssh/sshd_config (the default location on CentOS servers; it may differ on your system).

At the very bottom you can add

AllowUsers root

This limits access to the user root only. Every other login attempt is rejected before any password or key is checked, so a brute-force attack can at best get into your server as root. You can also restrict the address a user may come from by appending it after an @, like this:

AllowUsers root@

Now only root, and only from that IP address, can log in over SSH. The part after the @ may also be a hostname, a pattern containing * and ?, or a CIDR range such as address/masklen.

To allow multiple users, place them on the same line, separated by spaces.

AllowUsers root@ admin@ john

This setting allows root and admin only from the addresses given after their @, and john from anywhere.

You must restart (or reload) sshd for the changes to take effect; on CentOS that is /etc/init.d/sshd restart. Run sshd -t first to check the file for syntax errors, and keep your current session open while you confirm from a second terminal that you can still log in: a mistake in AllowUsers locks out everyone not on the list, yourself included.


There is also the AllowGroups directive. For instance, AllowGroups wheel (group names are case-sensitive) allows logins only for members of the wheel group, the same group that is usually permitted to su to root; anyone who is not in wheel, root included unless root is a member, is refused.

Additional SSH Security

Generally I'd also set PermitRootLogin to without-password (called prohibit-password in newer OpenSSH releases; both spellings are accepted), which allows root to log in only with an SSH key, or to no to stop SSH logins as root altogether.
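An added example, not from the original post, in two parts. The first is a small re-implementation of how sshd evaluates an AllowUsers list, so the entries discussed above can be checked offline: "root@10.0.0.5" admits root only from that address, "john" admits john from anywhere. sshd also accepts hostnames and CIDR ranges after the @; this version handles only shell-style wildcards against the client IP, which is a simplification. The second part changes any single sshd_config directive (AllowUsers, PermitRootLogin, or the UseDNS fix further down) the safe way: it validates the candidate file with sshd -t before installing it and reloads rather than restarts, so a typo cannot lock you out. The addresses and user names are made up for the example, and the helper assumes the directive is not inside a Match block.

```shell
#!/bin/bash
# Added example, not from the original post. Part 1: offline check of an
# AllowUsers list. Part 2: change one sshd_config directive with validation.

# allow_login USER ADDR PATTERN...   exit 0 if the list would admit USER from ADDR
allow_login() {
    local user="$1" addr="$2" pat upat hpat
    shift 2
    for pat in "$@"; do
        case "$pat" in
            *@*) upat=${pat%%@*}; hpat=${pat#*@} ;;
            *)   upat=$pat; hpat='*' ;;          # no host part: any source address
        esac
        # unquoted on purpose: the words are globs, like sshd's match_pattern()
        case "$user" in $upat) ;; *) continue ;; esac
        case "$addr" in $hpat) return 0 ;; esac
    done
    # sshd's own log line for this case:
    # "User <user> from <addr> not allowed because not listed in AllowUsers"
    return 1
}

# set_sshd_option KEY VALUE   replace (or add) one top-level directive, then reload
# Assumes KEY does not appear inside a Match block (those lines would be removed too).
set_sshd_option() {
    local key="$1" value="$2" conf="${SSHD_CONFIG:-/etc/ssh/sshd_config}" tmp
    tmp=$(mktemp) || return 1
    # drop any existing line for this key (sshd keywords are case-insensitive), append ours
    grep -iv "^[[:space:]]*$key[[:space:]]" "$conf" > "$tmp"
    printf '%s %s\n' "$key" "$value" >> "$tmp"
    # sshd parses the candidate file; on error the live config is left untouched
    if ! /usr/sbin/sshd -t -f "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    install -m 600 "$tmp" "$conf" && rm -f "$tmp"
    # reload keeps existing sessions up; verify a fresh login from a second
    # terminal before closing this one
    systemctl reload sshd 2>/dev/null || service sshd reload 2>/dev/null || /etc/init.d/sshd reload
}

# usage (run as root):
#   set_sshd_option AllowUsers 'root@10.0.0.5 admin@10.0.0.6 john'
#   set_sshd_option PermitRootLogin prohibit-password   # "without-password" on old releases
#   set_sshd_option UseDNS no
```

allow_login is a model of the rule, not a replacement for testing against the real daemon; once the directive is installed, confirm the effective setting with `sshd -T | grep -i allowusers` and try a login that should be refused.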

SSH login delay problem

When trying to log in over SSH it takes 2-3 minutes before the password prompt or shell appears.

Here are the steps to fix the problem.

The delay is caused by the UseDNS parameter in sshd_config being enabled: for every connection sshd does a reverse lookup of the client address and then a forward lookup of the resulting name, and if the DNS servers do not answer the login waits for those lookups to time out. Fix it by disabling the parameter

i.e UseDNS no

and restart the ssh service. If the delay remains, GSSAPIAuthentication yes (in sshd_config or in the client's ssh_config) is the other common cause, as it triggers Kerberos lookups that also have to time out.