Configure an SSH SOCKS5 Proxy as a Jump Point

2 hours
  • 8 Learning Objectives

About this Hands-on Lab

For this lab, we configure an SSH SOCKS5 proxy as a jump point. There are several key things to do. First, allow traffic only on port 61613 and only from one IP address; SSH must run on port 61613. Next, verify that the configuration is valid. Finally, make sure the client can use the server as a SOCKS5 proxy.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Generate a Private/Public Key Pair

The client uses this key pair to authenticate to the server.

ssh-keygen

Configure the JumpPointServer

Change the SSH Port from 22 to 61613, PermitRootLogin to no, and PubkeyAuthentication to yes.

sudo vim /etc/ssh/sshd_config
Port 61613
PermitRootLogin no
PubkeyAuthentication yes
ESC
:wq
ENTER

On the JumpPointServer Inform SELinux of the Change of Ports and Configure firewalld to Allow Port 61613 for SSH

Inform SELinux of the Change of Ports

sudo semanage port -a -t ssh_port_t -p tcp 61613

Configure firewalld to Allow Port 61613 for the SSH Service

sudo vim /usr/lib/firewalld/services/ssh.xml
<port protocol="tcp" port="61613"/>
ESC
:wq
ENTER

Reload firewalld

sudo firewall-cmd --reload

Copy the Public Key from the Client to /home/cloud_user/authorized_keys

Restart SSHD

sudo systemctl restart sshd

Log Back into the JumpPointServer

On the JumpPointServer Generate a Key Pair for the ContainerServer

ssh-keygen

Copy the Public Key from JumpPointServer to the Following Location on the ContainerServer

/home/cloud_user/authorized_keys

Configure the ContainerServer

Change the SSH Port from 22 to 61613, PermitRootLogin to no, and PubkeyAuthentication to yes.

sudo vim /etc/ssh/sshd_config
Port 61613
PermitRootLogin no
PubkeyAuthentication yes
ESC
:wq
ENTER

On the ContainerServer Inform SELinux of the Change of Ports and Configure firewalld to Allow Port 61613 for SSH

Inform SELinux of the Change of Ports

sudo semanage port -a -t ssh_port_t -p tcp 61613

Configure firewalld to Allow Port 61613 for SSH Service

sudo vim /usr/lib/firewalld/services/ssh.xml
<port protocol="tcp" port="61613"/>
ESC
:wq
ENTER

Reload firewalld

sudo firewall-cmd --reload

Log Back Into the ContainerServer from the JumpPointServer

Allow Access Only from the JumpPointServer

sudo firewall-cmd --permanent --zone=public --add-rich-rule='
            rule family="ipv4"
            source address="<IP or NETWORK>"
            port protocol="tcp" port="<PORT_NUMBER>" accept'
sudo firewall-cmd --reload

Restart SSHD

sudo systemctl restart sshd

Close Off SSH for Others

sudo firewall-cmd --permanent --remove-service=ssh

Optional – Open a SOCKS5 Proxy from Our Client to the JumpPointServer

ssh -D 1337 -q -C -N -f cloud_user@IP

Configure Our Browser Proxy Settings to Make Use of the SSH Tunnel

PORT: 1337
ADDRESS: localhost or 127.0.0.1

On Firefox This Can Be Configured under Network Settings
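
The lab asks us to verify the configuration but gives no check for it, so here is an added verification script that is not part of the lab's own instructions: it confirms an sshd_config carries the three directives the lab changes, builds the firewalld rich rule from a source address and port, and, when run on a finished server or client, checks the SELinux port label, the rich rule, the sshd listener and the SOCKS5 tunnel. The sample config is constructed, and the live_check and proxy_check functions (and their use of semanage, firewall-cmd, ss and curl) are assumptions about the lab hosts.

```shell
#!/bin/sh
# Added verification helper, not part of the lab. The sample config below is
# constructed; live_check and proxy_check assume the lab hosts' tools.

# Constructed excerpt of an sshd_config after the lab's three edits.
SAMPLE_SSHD_CONFIG='# sshd_config excerpt (constructed)
Port 61613
PermitRootLogin no
PubkeyAuthentication yes'

# check_sshd_config CONFIG_TEXT: prints "ok", or "MISSING: <directive>" and
# returns 1. sshd honours the first occurrence of a directive, case-insensitively.
check_sshd_config() {
    cfg=$1
    for want in "Port 61613" "PermitRootLogin no" "PubkeyAuthentication yes"; do
        key=${want%% *}
        expected=${want#* }
        actual=$(printf '%s\n' "$cfg" \
            | grep -i "^[[:space:]]*$key[[:space:]]" | head -n 1 | awk '{print $2}')
        if [ "$actual" != "$expected" ]; then
            printf 'MISSING: %s\n' "$want"
            return 1
        fi
    done
    printf 'ok\n'
}

# rich_rule SOURCE PORT: the firewalld rich rule that admits SSH on PORT from
# SOURCE only (the lab's rule with its placeholders filled in).
rich_rule() {
    printf 'rule family="ipv4" source address="%s" port protocol="tcp" port="%s" accept' "$1" "$2"
}

# live_check: run as root on JumpPointServer or ContainerServer after the lab.
live_check() {
    check_sshd_config "$(cat /etc/ssh/sshd_config)" || return 1
    semanage port -l | grep '^ssh_port_t' | grep -q '61613' \
        || { echo 'SELinux: 61613 is not labelled ssh_port_t'; return 1; }
    firewall-cmd --zone=public --list-rich-rules | grep -q 'port="61613"' \
        || { echo 'firewalld: no rich rule for port 61613'; return 1; }
    ss -tln | grep -q ':61613 ' || { echo 'sshd is not listening on 61613'; return 1; }
    echo 'live checks passed'
}

# proxy_check URL: from the client, fetch URL through the SOCKS5 tunnel on
# 127.0.0.1:1337 (socks5h resolves names on the jump point) and print the status.
proxy_check() {
    curl -s --proxy socks5h://127.0.0.1:1337 -o /dev/null -w '%{http_code}\n' "$1"
}
```

A 200 from proxy_check against the ContainerServer web server on port 80 shows both that the tunnel works and that port 80 stayed open to everyone as the lab requires.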

Additional Resources

Lab Conditions:

Container_Server

  • sshd server is running on port 22
  • Password-based login
  • firewalld is up and running
  • EPEL repos are not enabled
  • Web server is up and running on port 80

JumpPointServer

  • sshd server is running on port 22
  • Password-based login
  • firewalld is up and running
  • EPEL repos are not enabled

Additional Lab Requirements

  • EPEL repo link: https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

Lab Overall Objectives

Generate a Private/Public Key Pair

  • The client uses this key pair to authenticate to the JumpPointServer.

ContainerServer

  • Change SSH port from 22 to 61613
  • Adapt firewalld rules
  • Change SSH firewalld service port
  • Inform SELinux of the change
  • Change to allow only key-based login
  • Allow only JumpPointServer to attempt to connect via SSH on port 61613
  • Do not ban everybody else from accessing the Apache web server on port 80

Jump_Point_Server

  • Change SSH configuration to accept only key-based login
  • Change SSH port from 22 to 61613
  • Adapt firewalld rules
  • Change SSH firewalld service port
  • Inform SELinux of the change

Optional

  • Open a SOCKS5 proxy from the client to the JumpPointServer

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.
