EldoS | Feel safer!

Software components for data protection, secure storage and transfer

Reverse SSH Tunnel question

#21364
Posted: 09/07/2012 09:48:39
by Mike Jones (Basic support level)
Joined: 09/07/2012
Posts: 4

I have a client that needs to "phone-home" to a server in the cloud, but I want to setup a reverse SSH tunnel after the connection, so that the server can use the tunnel to call back into the client anytime it wants without the client's firewall getting in the way.

Is this possible with SecureBlackBox? And if so, are there any examples for a reverse tunnel?
#21368
Posted: 09/07/2012 11:57:15
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for your interest in our products.

Yes, SecureBlackBox supports what you need. This functionality is implemented in the TElSSHRemotePortForwarding component. The samples are located in

1) \EldoS\SecureBlackbox.VCL\Samples\Delphi\SSHBlackbox\Client\SimplePortForwarding\Remote for VCL;
2) \EldoS\SecureBlackbox.NET\Samples\C#\SSHBlackbox\Client\SimplePortForwarding\Remote for .NET;
3) \secbboxjava\Samples\SSHBlackbox\Client\SimpleForwarding\Remote for Java.
#21686
Posted: 09/24/2012 15:52:57
by Mike Jones (Basic support level)
Joined: 09/07/2012
Posts: 4

Vsevolod,

Thanks for the quick reply. I've finally gotten the time to play with the demo, and I'm struggling with it. Here's my scenario:

I have a client process at 10.1.1.10 that's behind a firewall that will connect via SSH on port 22 to 70.123.222.10 (a fake public IP address representing a server in the cloud). I want 70.123.222.10 to be able to use that SSH connection to tunnel back into 10.1.1.10 on port 5001 via remote port forwarding.

To me, this means I need a listener process on 70.123.222.10:22 to accept a connection from the client process. Meanwhile, I also need a listener process on 10.1.1.10:5001 to accept the tunnelled connection from the server, and of course remote port forwarding to make that second connection succeed. Maybe I'm wrong on this point, so please correct me if I'm wrong.

To accomplish that scenario using the demo tools, my thinking was to do the following:
1) Run the SSHServer demo on 70.123.222.10 on port 22 to listen for incoming connections from the client.
2) Run the SSHServer demo on 10.1.1.10 on port 5001 to listen for the reverse-tunneled connection from the server.
3) Run the RemotePortForward demo on 10.1.1.10 with the following options:
Host: 70.123.222.10 Port: 22
Username/Password: <whatever_I_chose>
Forwarded port: 22
Destination host and port: localhost, port 5001

When I run those 3 steps and press 'Start' on the Remote Port Forward demo, a connection is established from 10.1.1.10 to 70.123.222.10 on port 22. I assume this is the desired outcome so far.

Next, I assume all I have to do is run putty/telnet/ssh from 70.123.222.10 back into the client using the forwarded host/port information, e.g.

telnet localhost 5001

It is this tunneled connection attempt that fails. I get no indication other than "connection refused", which usually means there is nothing listening on that port - as if I'm simply trying to connect to my own computer on a "dead" port rather than on the tunneled connection. I've proven that my 2 SSHServer processes are working because I can issue ordinary telnet sessions directly to them. So I figure I'm not configuring the remote port forward options correctly; or I'm running it on the wrong side; or something else I haven't thought of.

Thanks VERY much in advance for your help.
#21697
Posted: 09/25/2012 02:05:39
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

Here is how remote port forwarding works:

1) A client connects to the SSH server and requests remote port forwarding. The server opens the requested port and starts listening for incoming connections.
2) Any connection coming in to this server will be forwarded back through the SSH connection to the TCP port you specify.

The SSHServer demo doesn't implement the remote port forwarding feature. You should use some ready-to-use SSH server for testing purposes and then implement remote port forwarding for the server side yourself.
#21699
Posted: 09/25/2012 05:07:40
by Ken Ivanov (EldoS Corp.)

Mike,

Quote
To me, this means I need a listener process on 70.123.222.10:22 to accept a connection from the client process. Meanwhile, I also need a listener process on 10.1.1.10:5001 to accept the tunnelled connection from the server, and of course remote port forwarding to make that second connection succeed. Maybe I'm wrong on this point, so please correct me if I'm wrong.

That is not quite correct. As Vsevolod answered above, all the forwarding-related tasks are encapsulated in the SSH protocol, so you neither need to listen on 10.1.1.10:5001 with a separate application nor have to open any ports on the client side. An SSH server will normally open the listening server-side port for you, and all the forwarded data will be directed through the already established SSH channel.

A bad thing is that the SSH server samples shipped with the distribution do not implement server-side forwarding, leaving this task to the user. A good thing is that we extended the C# sample with the remote forwarding feature for one of our customers recently, and we are happy to send it to you so that you wouldn't have to implement it by yourselves. I'm going to create a Helpdesk ticket for you now and upload the updated sample there (as the forum doesn't accept ZIPs).
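The two RFC 4254 messages behind the behaviour Vsevolod and Ken describe (the client asks the server to listen; the server announces each accepted connection back over the SSH session), as an added Python example that is not SecureBlackbox or EldoS code. Addresses, ports and channel numbers are constructed to match the scenario in this thread.

```python
# Added example (not EldoS/SecureBlackbox code): encode and decode the RFC 4254
# messages that implement SSH remote port forwarding. The client sends
# "tcpip-forward"; the server binds the port and, for every TCP connection it
# accepts, sends a "forwarded-tcpip" channel open back to the client, which then
# connects to its locally configured destination (e.g. localhost:5001).
import struct

SSH_MSG_GLOBAL_REQUEST = 80
SSH_MSG_CHANNEL_OPEN = 90

def _string(b: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf: bytes, off: int):
    n = struct.unpack_from(">I", buf, off)[0]
    return buf[off + 4: off + 4 + n], off + 4 + n

def tcpip_forward_request(bind_addr: str, bind_port: int, want_reply=True) -> bytes:
    """Client -> server: ask the server to listen on bind_addr:bind_port."""
    return (bytes([SSH_MSG_GLOBAL_REQUEST]) + _string(b"tcpip-forward")
            + bytes([1 if want_reply else 0]) + _string(bind_addr.encode())
            + struct.pack(">I", bind_port))

def forwarded_tcpip_open(sender_channel: int, connected_addr: str, connected_port: int,
                         originator_addr: str, originator_port: int) -> bytes:
    """Server -> client: a peer connected to the listener; open a channel for it.
    Window size and max packet size are constructed values."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(b"forwarded-tcpip")
            + struct.pack(">III", sender_channel, 2 ** 21, 32768)
            + _string(connected_addr.encode()) + struct.pack(">I", connected_port)
            + _string(originator_addr.encode()) + struct.pack(">I", originator_port))

def parse_forwarded_tcpip_open(msg: bytes) -> dict:
    """Client side: decode the channel open so the client knows which forward it is for."""
    if msg[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not SSH_MSG_CHANNEL_OPEN")
    chan_type, off = _read_string(msg, 1)
    if chan_type != b"forwarded-tcpip":
        raise ValueError("unexpected channel type %r" % chan_type)
    sender, _window, _maxpkt = struct.unpack_from(">III", msg, off); off += 12
    connected_addr, off = _read_string(msg, off)
    connected_port = struct.unpack_from(">I", msg, off)[0]; off += 4
    orig_addr, off = _read_string(msg, off)
    orig_port = struct.unpack_from(">I", msg, off)[0]
    return {"sender_channel": sender, "connected": (connected_addr.decode(), connected_port),
            "originator": (orig_addr.decode(), orig_port)}

def client_destination(forwards: dict, open_msg: bytes) -> tuple:
    """Map the server-side listener (bind_addr, bind_port) to the local host:port
    the client must connect to. Unknown listeners are rejected, not guessed."""
    info = parse_forwarded_tcpip_open(open_msg)
    if info["connected"] not in forwards:
        raise ValueError("no forward configured for %r" % (info["connected"],))
    return forwards[info["connected"]]
```

Note that nothing here listens on the client side: the only listener is the one the server opens in response to the tcpip-forward request.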
#21743
Posted: 09/26/2012 11:33:06
by Mike Jones (Basic support level)
Joined: 09/07/2012
Posts: 4

Vsevolod and Innokentiy,

Thanks very much for the assistance and the port-forwarding SSH Server. It is exactly what I needed. I was able to get it working with the help of my star developer Gina (she made me say that :-)).

Anyway, right now we're using the demo version of your product and will be purchasing a license very soon. We plan to add a new feature to our product which will include an SSH server with port forwarding. My question is just how robust is the example you sent me? For example, can that sample server manage (up to) thousands of simultaneous port-forwarded connections, or is there more work to do? Thanks.
#21744
Posted: 09/26/2012 11:37:19
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
My question is just how robust is the example you sent me? For example, can that sample server manage (up to) thousands of simultaneous port-forwarded connections, or is there more work to do?

We don't recommend using samples in production because the code is simplified and is not written with *thousands of connections* in mind. You should review the code to fit your project requirements.
#21745
Posted: 09/26/2012 11:59:25
by Ken Ivanov (EldoS Corp.)

Most of the samples lack [for a reason] good error handling. Please review the code to make sure all calls are enveloped into try/catch statements and method return values are checked where they are provided.

Some other aspects of your particular task that you should take special care of:

1. It is desirable to minimize communication between SSH threads and the main application thread, as extensive inter-thread calls slow down protocol speed and make UI respond slowly. The sample has plenty of such calls for logging purposes. If you need to create a trace of SSH protocol flow, using a log file is a far better choice.

2. The sample uses 'one thread per forwarded connection' model, which will result in 1000 threads being created for 1000 forwarded connections. This might result in excessive load on the server. If you need to handle thousands of connections efficiently, this part of the project should also be reviewed and re-designed.
#21748
Posted: 09/27/2012 09:17:06
by Mike Jones (Basic support level)
Joined: 09/07/2012
Posts: 4

Guys,

Thanks for the details on the sample. I didn't mean to imply I wanted to ship the sample code as-is, so I apologize for not asking properly. I guess what I mean to ask is about the port forward capabilities of the SDK - can it handle thousands of simultaneous connections without falling over? Do you have any test metrics that demonstrate the SDK's ability to perform this feature (remote port forwarding) at an "enterprise" level? Thanks.
#21749
Posted: 09/27/2012 09:26:49
by Vsevolod Ievgiienko (EldoS Corp.)

Hello.

Yes, the SecureBlackbox SDK can handle *thousands of simultaneous connections*, but this will depend on the implementation of your network-related part. We don't have such test metrics, but SBB has been widely used in corporate environments for years.
