Port forwarding and access restriction
Hi,

When creating a local port forwarding with SSH (using the -L command flag), is
it possible to limit the number of clients that will be able to connect to the
local port?

Let's say I do:

ssh -L 0.0.0.0:36725:localhost:7777 user@hostname

Can I limit the number of accepted clients on port 36725?

Thanks.
Michael.


--
Michael Goffioul
Software Engineer

Lincor Solutions Ltd.
Unit 6
Cork Technology Park, Model Farm Road, Cork

Tel: +353 21 4941618
Fax: +353 21 4342400
E-mail: michael.goffioul@lincor.com
Web: http://www.lincor.com
Re: Port forwarding and access restriction
On Friday 29 January 2010 12:06:25 Michael Goffioul wrote:
> Hi,
>
> When creating a local port forwarding with SSH (using the -L command flag),
> is it possible to limit the number of clients that will be able to connect
> to the local port?
>
> Let's say I do:
>
> ssh -L 0.0.0.0:36725:localhost:7777 user@hostname
>
> Can I limit the number of accepted clients on port 36725?

Not with ssh, but you can achieve the same result with iptables:

iptables -A INPUT -p tcp --syn --dport 36725 -m connlimit \
--connlimit-above 2 -j REJECT

HTH

Dominique
--
http://config-model.wiki.sourceforge.net/ -o- http://search.cpan.org/~ddumont/
http://www.ohloh.net/accounts/ddumont
Re: Port forwarding and access restriction
Hi Izak,

Thanks for your answer, but I think I didn't make myself clear enough
(or I simply didn't understand your answer, which is still possible...).
I don't want to restrict access to SSH logins, I want to restrict access
to a local port forwarding. Here's the complete story.

I have a server A that can SSH to a computer B. On B, I have a VNC
service running that I want to make available to a 3rd-party user. To do
that, I create a SSH tunnel from A to B, forwarding the port 36725 on A
to the port 5900 on B, making the local port on A accessible from the
outside world:

ssh -L *:36725:localhost:5900 user@B

Now the user uses a VNC client to connect to A:36725. What I'd like to
know is whether I can impose access restriction on A:36725, for instance
by limiting the number of accepted connections.

In your answer, you mention settings in sshd_config. These are for the
SSH daemon, right? Do these also apply to the SSH client that is doing
port forwarding?

Thanks.
Michael.
Max Jaxon wrote:
> Hi Michael,
>
>
> Limit User Logins
>
> SSH logins can be limited to only certain users who need remote
> access. If you have many user accounts on the system then it makes
> sense to limit remote access to only those that really need it thus
> limiting the impact of a casual user having a weak password. Add an
> AllowUsers line followed by a space separated list of usernames to
> /etc/ssh/sshd_config. For example:
>
> AllowUsers alice bob
> and then restart the Daemon
>
>
> Kind Regards,
>
>
> Izak
>
> On Fri, Jan 29, 2010 at 12:06 PM, Michael Goffioul
> <michael.goffioul@lincor.com <mailto:michael.goffioul@lincor.com>> wrote:
>
> Hi,
>
> When creating a local port forwarding with SSH (using the -L
> command flag), is
> it possible to limit the number of clients that will be able to
> connect to the
> local port?
>
> Let's say I do:
>
> ssh -L 0.0.0.0:36725:localhost:7777 user@hostname
>
> Can I limit the number of accepted clients on port 36725?
>
> Thanks.
> Michael.
>
>
> --
> Michael Goffioul
> Software Engineer
>
> Lincor Solutions Ltd.
> Unit 6
> Cork Technology Park, Model Farm Road, Cork
>
> Tel: +353 21 4941618
> Fax: +353 21 4342400
> E-mail: michael.goffioul@lincor.com
> Web: http://www.lincor.com
>
> --
> Met vriendelijke groet/ Kind Regards,
>
> Izak Schipper MCSE Security+,CWNA,CCNA,C|PTS,C|EH,CISSP
>
> Infrastructure Security Specialist
>
> Tel: +31 (0) 6 3850 63 26
>
Re: Port forwarding and access restriction
On Mon, Feb 01, 2010 at 08:10:36PM +0000, Michael Goffioul wrote:
> Now the user uses a VNC client to connect to A:36725. What I'd like
> to know is whether I can impose access restriction on A:36725, for
> instance by limiting the number of accepted connections.

As someone else already mentioned, you can't do this with OpenSSH.
You can, however, do it with some sort of firewall software. They
posted instructions for using Linux's kernel-based firewall software;
if you're not using Linux, there should be a similar thing available
for your OS (though if it's a commercial OS, you will likely need
commercial software).

> In your answer, you mention settings in sshd_config. These are for
> the SSH daemon, right?

Yes, sshd_config controls the ssh daemon.

> Do these also apply to the SSH client that is doing port forwarding?

No; or more exactly, only to the extent that the SSH server exerts
control over connecting clients (but generally no).

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D
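The setup Michael describes (A:36725 forwarded to B:5900) together with the iptables connlimit rule Dominique posted, as an added shell example that is not code from anyone in the thread. It assumes Linux with iptables and the connlimit match; the function names are mine, and it makes explicit what the posted rule counts (per client address by default, or all clients together).

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the iptables connlimit rule
# Dominique posted so that the scope of the limit is explicit. Assumes Linux
# with iptables and the connlimit match; the function names are mine.

# Print the rule that rejects new TCP connections to port $1 once more than
# $2 are already open. $3 chooses what gets counted:
#   global      every client together      (--connlimit-mask 0)
#   per-source  each client IPv4 address   (--connlimit-mask 32, which is
#               the default when the option is omitted, as in the posted rule)
# Without --connlimit-mask 0 the posted rule still admits any number of
# clients as long as each source address stays at or below the limit.
connlimit_rule() {
    port=$1; max=$2; scope=${3:-global}
    case "$scope" in
        global)     mask=0 ;;
        per-source) mask=32 ;;
        *) echo "connlimit_rule: unknown scope '$scope'" >&2; return 2 ;;
    esac
    # -I (insert) rather than -A so the REJECT lands before any broad ACCEPT
    # already in INPUT; --syn matches only connection attempts, not
    # packets of connections that are already established.
    printf 'iptables -I INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask %s -j REJECT\n' \
        "$port" "$max" "$mask"
}

# Run the rule when we are root and iptables is on PATH; otherwise show it.
apply_connlimit_rule() {
    rule=$(connlimit_rule "$@") || return 2
    if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
        $rule           # unquoted on purpose: the string is a command line
    else
        echo "dry run (not root or no iptables): $rule" >&2
    fi
}

# The thread's setup: put the limit in place on A first, then open the
# forward A:$1 -> B:$3. '*' is quoted so the shell does not glob it; -N opens
# the tunnel without a remote shell. Usage: forward_and_limit 36725 2 5900 user@B
forward_and_limit() {
    apply_connlimit_rule "$1" "$2" global || return 2
    ssh -N -L "*:$1:localhost:$3" "$4"
}
```

The rule only caps concurrent connections; it does not decide who may connect, so pair it with a source-address match if the VNC client is always the same host.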