13,420
edits
Changes
no edit summary
# The next step is to establish a <u>tunnel</u>. When you establish a tunnel you make an ssh connection to a remote host and open a new port on the local host. That local host port is then connected to a port on the remote host through the established tunnel. When you send requests to the local port it is forwarded through the tunnel to the remote port.
# In a terminal in your '''centos2''' VM, '''make certain you are NOT logged in as root!'''
# Establish a tunnel using a local port on centos2 of 20808, that connects to the remote port on '''centos1''' of 80, using the following command on '''centos2''':<br /><b><code><span style="color:#3366CC;font-size:1.2em;">ssh -L 20808:centos1:80 userusername@centos1</span></code></b><br><br> '''Note:'''<br>The '''-L''' option (which means Local port) takes one argument:<br><span style="courier"><local-port>:<connect-to-host>:<connect-to-port></span><br><br> The command basically connects your local port of 20808 to the remote port of 80 on '''centos1'''.<br>This means all requests to 20808 on the <u>localhost</u> ('''centos2''') are actually tunnelled through your ssh connection<br>to port 22 on '''centos1''' and then delivered to port 80 on '''centos1''', bypassing the firewall.<br><br>
# Once the tunnel is established use '''netstat''' to verify the port 20808 is listening on '''centos2'''
# Now using the browser on '''centos2''' connect to '''http://localhost:20808'''
# Edit the file '''/etc/ssh/sshd_config''' and look for the option '''PermitRootLogin'''. Un-comment the option (or add the option if it does not appear) and change the option value to '''"no"'''.
# Even better, it is possible to restrict access to just specific users that require it.
# Edit the file '''/etc/ssh/sshd_config''' and add a new option of '''"AllowUsers account"''' using your login account for account.
# In order for these changes to be effective, issue the following command to restart the sshd service:<br /><b><code><span style="color:#3366CC;font-size:1.2em;">service sshd restart</span></code></b>
# Try sshing from your centos1 VM to your centos2 VM. Where you successful? Would it work if you let "AllowUsers account" without a username, or a non-existent username?
# Now any hacking attempt also has to guess an account name as well as the password. If you need to ssh with root access, ssh as a regular user and use '''su -''' to become root.
# Next change the default port number that sshd uses (TCP:22).