Many times I'll be at a site where I need remote support from someone who
is blocked on the outside by a company firewall. Few people realize that
if you can get out to the world through a firewall, then it is relatively
easy to open a hole so that the world can come into you.
In its crudest form, this is called "poking a hole in the firewall." I'll call it an SSH back door. To use it, you'll need a machine on the Internet that you can use as an intermediary.
In our example, we'll call our machine blackbox.example.com. The machine behind the company firewall is called ginger. Finally, the machine that technical support is on will be called tech. Figure 4 explains how this is set up.
Figure 4. Poking a hole in the firewall
Here's how to proceed:
- Check that what you're doing is allowed, but make sure you ask the
right people. Most people will cringe that you're opening the
firewall, but what they don't understand is that it is completely
encrypted. Furthermore, someone would need to hack your outside
machine before getting into your company. Instead, you may belong to
the school of "ask-for-forgiveness-instead-of-permission." Either way,
use your judgment and don't blame me if this doesn't go your way.
- SSH from ginger to blackbox.example.com with the -R flag. I'll assume that you're the root user on ginger and that tech will need the root user ID to help you with the system. With the -R flag, you forward connections arriving at port 2222 on blackbox to port 22 on ginger. This is how you set up an SSH tunnel. Note that only SSH traffic can come into ginger: you're not putting ginger out on the Internet naked. You can do this with the following syntax:
~# ssh -R 2222:localhost:22 thedude@blackbox.example.com
Once you are into blackbox, you just need to stay logged in. I usually enter a command like:
thedude@blackbox:~$ while [ 1 ]; do date; sleep 300; done
to keep the connection busy, and then minimize the window.
- Now instruct your friends at tech to SSH as thedude into blackbox
without using any special SSH flags. You'll have to give them your
password:
root@tech:~# ssh thedude@blackbox.example.com
- Once tech is on the blackbox, they can SSH to ginger using the
following command:
thedude@blackbox:~$ ssh -p 2222 root@localhost
- Tech will then be prompted for a password. They should enter the root
password of ginger.
- Now you and support from tech can work together and solve the problem. You may even want to use screen together! (See Trick 4.)
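One check worth running on blackbox after the -R step, as an added example that is not from the original article: with OpenSSH's default GatewayPorts=no, "-R 2222:localhost:22" binds port 2222 on blackbox's loopback only, so the hole is reachable solely by people already logged into blackbox; if an admin has set GatewayPorts=yes it binds on all interfaces and ginger's SSH is exposed to the whole Internet. The function below (assumed name, assumes the column layout of `ss -ltn`) classifies the listener and is run here over constructed sample listings.

```shell
# tunnel_scope PORT LISTING
#   LISTING is the text output of "ss -ltn" on blackbox (field 4 of each
#   LISTEN line is Local Address:Port). Prints "loopback" (exit 0) when every
#   socket on PORT is bound to 127.0.0.1 or [::1], "exposed" (exit 1) when any
#   is bound elsewhere (0.0.0.0, [::], a real interface), "absent" (exit 2)
#   when nothing listens on PORT at all.
tunnel_scope() {
    port=$1
    listing=$2
    # Collect the local addresses of LISTEN sockets whose port matches
    addrs=$(printf '%s\n' "$listing" | awk -v p=":$port\$" '$1 == "LISTEN" && $4 ~ p { print $4 }')
    [ -n "$addrs" ] || { echo absent; return 2; }
    for addr in $addrs; do
        case "$addr" in
            127.0.0.1:*|"[::1]:"*) ;;            # loopback only: what we want
            *) echo exposed; return 1 ;;         # bound wider than loopback
        esac
    done
    echo loopback
    return 0
}

# Constructed sample listings (not real captures from any host)
SAMPLE_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    127.0.0.1:2222      0.0.0.0:*
LISTEN 0      128    [::1]:2222          [::]:*'

SAMPLE_BAD='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:2222        0.0.0.0:*'

# Demo: the first listing is the expected default, the second is a hole
# opened to everyone (GatewayPorts=yes on blackbox)
tunnel_scope 2222 "$SAMPLE_OK"
tunnel_scope 2222 "$SAMPLE_BAD" || true
```

On a live blackbox, pass `"$(ss -ltn)"` as the second argument; "exposed" means the tunnel should be torn down until GatewayPorts is reviewed.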