Secure Shell is an indispensable tool for anyone who needs to open a terminal session on a remote host. However, SSH does more than allow remote login sessions, especially for security professionals and network engineers. SSH can also secure pipelines, using public key cryptography, that carry any type of network traffic, which makes it an important cybersecurity tool used by both security professionals and hackers.
SSH tunneling, also known as SSH port forwarding, is how SSH tunnels network traffic through application ports from the local host (the computer physically in front of the user) to a remote system, or vice versa. SSH port forwarding allows two communicating systems to exchange data securely over the Internet and through firewalls.
If hackers manage to gain access to a host running SSH on an organization’s internal network, they can use SSH on that host as a secure pipeline to exploit private network services, so understanding how SSH access can be used – for good and for bad – matters.
How does SSH work?
The simplest use case for SSH is to connect to a remote host for a terminal emulation session. In this case, a user has SSH client software to securely connect to another host running an SSH server. SSH depends on the exchange of public keys between client and server to enable user authentication and encryption of data transmitted over the SSH connection.
SSH client software is almost always available on modern computers. OpenSSH is an open source command-line implementation of SSH that was originally developed for the OpenBSD OS but is now available on almost all Unix-based operating systems, including Linux and macOS. OpenSSH has been integrated into Windows 10 and newer for use from the command line. PuTTY is an open source graphical SSH client available for Windows.
Starting an SSH session requires the following:
- The domain name or IP address of the remote machine to access. This remote host must have a running instance of the SSH server program, sshd.
- Access to an SSH client on the local machine. SSH is usually started by entering the ssh command. Although GUI versions of SSH like PuTTY for Windows can also be used, learning to use the command-line version is a skill that can be applied to almost any modern operating system.
- Credentials for a user login with permission to access the remote server.
For example, a terminal session on a remote host called server.example.com with user ID example-user is launched with this SSH command:
ssh example-user@server.example.com
This command opens a terminal session to the remote server using port 22, the default port for SSH. SSH servers can also respond to session requests on other ports, for example:
ssh -p 2222 example-user@server.example.com
The -p option is used to specify port number 2222 on the remote server, which causes SSH to send traffic to port 2222 instead of the default port 22. This only works if the remote server is configured to listen for requests on that port.
SSH can be used with domain names or IP addresses, so if the host named server.example.com is at IP address 192.0.2.127, the following command has the same effect as the command above:
ssh -p 2222 example-user@192.0.2.127
When establishing an SSH connection, the server and client exchange public key information and negotiate a secure session key to encrypt SSH data exchanges. The first time an SSH connection is established with a remote host, the user is given the opportunity to verify the remote host’s public key before trusting it.
In this example, a typical use case for SSH, the user example-user connects to a terminal session with the host at server.example.com. In most cases for this type of use case, the port used is the default SSH port 22.
SSH tunnels, on the other hand, provide the means to pipe data flows between processes running on the local host and the remote host.
SSH tunneling explained
SSH tunneling allows for more interesting types of use cases. The three types of SSH tunnels are:
- Local port forwarding allows connecting from your localhost – running the SSH client – to a destination server via the SSH server. This approach is used when the destination server is not accessible to the localhost – for example, due to firewall filtering – but it is accessible to the SSH server. Local port forwarding is a method of bypassing a firewall from inside a private network to access a particular server that would otherwise be blocked by the firewall.
- Remote port forwarding, or reverse SSH tunneling, is a method of connecting to a destination server from the SSH server, via the SSH client. Less commonly used, remote port forwarding is a method of accessing, from outside a private network, an internal server that is otherwise inaccessible from the public Internet. This method is used by hackers to exploit systems on private networks.
- Dynamic port forwarding causes all inbound and outbound network traffic to be routed through SSH to a specified port. This allows SSH connections between two hosts, with all connections being passed by the SSH client through an SSH server. It is also the mechanism for configuring a SOCKS proxy server, which forwards network traffic to be wrapped in an SSH tunnel when local client software is configured to forward all traffic to the specified port. Dynamic port forwarding can also be used to completely bypass the network firewall and access any destination server from inside a private network.
On its own, SSH is an important tool for securing data streams, especially when used to connect servers or clients from outside the firewall. However, before experimenting with SSH tunneling, be sure to clear activity with the organization’s IT, network, and security teams.
Local Port Forwarding Tunnel Example
Local port forwarding uses the -L option in the SSH command to indicate that a local port will be forwarded through the SSH server to another server or host. In other words, the local host connects to another host running the SSH server and then pipes all network data sent to the forwarded port through the SSH server to the desired destination server or host.
For example, if you are using a computer on a private network and want to access a web server blocked by your organization’s firewall, you can forward local port 8080 to the desired web server with this command:
ssh -L 8080:social.example.org:80 ssh-server.example.com
In this example, the -L option tells SSH, via the SSH server at ssh-server.example.com, to forward port 8080 on the localhost to port 80 on the desired – but restricted – server, social.example.org.
In this example, running the SSH command with the specified ports means you should be able to access the restricted server using a URL in your web browser — http://localhost:8080/ — which points to the specified port on the localhost running SSH. SSH passes the HTTP request through the SSH tunnel to access the desired web server.
Remote Port Forwarding Tunnel Example
Remote port forwarding, or reverse tunneling, is commonly used by hackers of all types, including ethical hackers, penetration testers, and malicious hackers. If attackers can exploit a single host inside a private network, they can use that access to potentially exploit any system on the protected network.
To start a reverse tunnel, run the ssh command with the -R option on the host inside the private network that you want to use to forward outside network requests to an otherwise restricted host on the private network. Consider the following command, run on a host inside the firewall perimeter:
ssh -R 5900:localhost:5900 somehost.example.net
In this command, localhost is the host inside the private network. The forwarded port — 5900 — is the default port for Virtual Network Computing (VNC), a desktop remote-control system. The system being forwarded to is ahost.example.net, a host accessible to localhost but also located on the protected network. Normally this host should not be accessible by anyone outside the firewall perimeter, but in this case, localhost has been made available on the public Internet. This type of forwarding can also be used to exploit privileged access on a host outside the private network that has been granted privileges to access restricted services.
In this example, VNC client software can be configured to connect to the domain name or public IP address of localhost on port 5900 to take control of the desktop of ahost.example.net.
In practice, opening a reverse tunnel in this way can be more complicated. Many organizations are aware of this type of exploit – which allows attackers to execute commands remotely on a protected system – and typically deploy protections against it. In any case, it is advisable to check with network and IT personnel to avoid triggering alerts with a reverse tunnel.
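The -L and -R commands above both take an argument of the form [bind_address:]port:host:hostport. The following parser, added here as an example rather than taken from the article, decodes that argument for either direction and flags listeners that would be reachable from beyond the loopback interface (OpenSSH binds to loopback unless the bind address is "*" or empty, and an exposed -R listener additionally needs GatewayPorts on the server); the function name and the result keys are this example's own.

```python
import ipaddress
import re

# Added example: parse OpenSSH's [bind_address:]port:host:hostport forwarding spec.
# Bracketed IPv6 addresses such as [::1] are accepted in the bind and host fields.
_SPEC_RE = re.compile(r"^(?:(\[[^\]]+\]|[^:\[]*):)?(\d+):(\[[^\]]+\]|[^:\[]+):(\d+)$")


def _strip_brackets(addr):
    return addr[1:-1] if addr.startswith("[") and addr.endswith("]") else addr


def _check_port(value, label):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"{label} {port} out of range")
    return port


def parse_forward_spec(spec, direction):
    """direction is 'L' (listener on the SSH client) or 'R' (listener on the SSH server)."""
    if direction not in ("L", "R"):
        raise ValueError("direction must be 'L' or 'R'")
    m = _SPEC_RE.match(spec.strip())
    if not m:
        raise ValueError(f"malformed forwarding spec: {spec!r}")
    bind, lport, host, hport = m.groups()
    bind = _strip_brackets(bind) if bind is not None else None
    host = _strip_brackets(host)
    # No bind address or "localhost": OpenSSH binds the listener to loopback only.
    # "*" or an empty address means every interface; for -R this also needs
    # GatewayPorts enabled in sshd_config before the server honours it.
    if bind is None or bind == "localhost":
        exposed = False
    elif bind in ("*", ""):
        exposed = True
    else:
        try:
            exposed = not ipaddress.ip_address(bind).is_loopback
        except ValueError:
            exposed = True  # a hostname we cannot resolve offline: treat as non-loopback
    return {
        "listener_side": "client" if direction == "L" else "ssh-server",
        "bind_address": bind,
        "listen_port": _check_port(lport, "listen port"),
        "target_host": host,
        "target_port": _check_port(hport, "target port"),
        "listener_exposed": exposed,
    }
```
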
Dynamic Port Forwarding Tunnel Example
Dynamic port forwarding with SSH is often used to set up a SOCKS proxy server. In this case, the SSH client is configured to listen on a specific port on the localhost. When traffic is received on this port, SSH encapsulates, or tunnels, the application-layer messages in a secure tunnel to the receiving host.
When SOCKS proxies are used, the client software must be configured with the port number on which SSH accepts the traffic to be tunnelled. The default port for SOCKS proxies is 1080, so the SSH command to start a SOCKS proxy — i.e. enable dynamic port forwarding — is:
ssh -D 1080 bastion.example.org
The -D option is used to enable dynamic port forwarding on the localhost, so all messages received on port 1080 are forwarded to the named host, bastion.example.org. A bastion host is typically positioned outside the firewall perimeter – or inside the network’s DMZ – and is used to provide access to external hosts through SSH tunnels.
Learn more about how to allow, restrict, and manage remote system access by configuring SSH tunneling through your firewall.
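Whether a given SSH server will honour the -L, -R and -D commands described above is decided by a handful of sshd_config directives. The audit below is an added example, not the article's or OpenSSH's own code: it reads a config and reports the effective AllowTcpForwarding, GatewayPorts, PermitOpen and PermitListen values using OpenSSH's rule that the first occurrence of a keyword wins, and it deliberately ignores Match blocks, whose values apply only conditionally. The function names and the finding texts are this example's own.

```python
import re

# Added example: report sshd_config settings that control SSH tunneling.
# OpenSSH defaults are used when a keyword is absent.
DEFAULTS = {
    "allowtcpforwarding": "yes",   # local, remote and dynamic forwarding all allowed
    "gatewayports": "no",          # -R listeners bound to loopback on the server
    "permitopen": "any",           # no restriction on -L / -D destinations
    "permitlisten": "any",         # no restriction on -R listen ports
}


def effective_settings(config_text):
    """First occurrence of each keyword wins; Match blocks are skipped."""
    found = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True        # everything after the first Match is conditional
            continue
        if in_match or key not in DEFAULTS or key in found:
            continue
        found[key] = value.lower()
    return {k: found.get(k, d) for k, d in DEFAULTS.items()}


def audit(config_text):
    """Return a list of findings; an empty list means tunneling is locked down."""
    s = effective_settings(config_text)
    atf = s["allowtcpforwarding"]
    findings = []
    if atf in ("yes", "all"):
        findings.append("AllowTcpForwarding allows -L, -R and -D tunnels for every user")
    if s["gatewayports"] != "no":
        findings.append(f"GatewayPorts {s['gatewayports']}: -R listeners reachable from other hosts")
    if atf in ("yes", "all", "local") and s["permitopen"] == "any":
        findings.append("PermitOpen any: forwarded connections may reach any host:port")
    if atf in ("yes", "all", "remote") and s["permitlisten"] == "any":
        findings.append("PermitListen any: reverse tunnels may listen on any port")
    return findings
```
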