Tunnelling over SSH

If you follow this tutorial, you will learn to tunnel most port-specific applications via SSH. Not everything is tunnellable via SSH (e.g., SMB), as noted later in this document.

For the purposes of this tutorial, the term "server" refers to the system running CopSSH, and is the system offerring the service to be used by other systems. The other systems that access the server are referred to as "clients." My documentation is going to assume you are using PuTTY and CopSSH. If you are using other applications, you will need to use different syntax, but the information should be the same.

• copSSH is an SSH implementation that uses Cygwin's SSH code, but configures everything for you. It works well, is regularly maintained, includes SCP built-in, and is simple to use. This is SSH implmentation I recommend for most people. It takes up only 18MB of space. To me, the biggest downside to CopSSH is that you have to rely on the developer to update his binaries with the newest version of SSH, so there is often a delay in getting what is current.
• Cygwin has a nice SSH implementation, but it is more difficlut to download and configure than CopSSH. Here and here and are great links to get you set up (the first one is all you really need, although the second one shows how to configure ssd to use SSH2 only, which is nice). If you follow Kevin's directions (the first link, also archived here in case it closes), don't try to get fancy and remove anything from the default Cygwin installation (step 3). You may end up removing something you really need. You do not need Vim, so save some space and skip that step. When installed according to these instructions, Cygwin's installation takes up 88MB (less if you don't install Vim). I have also archived the Lifehacker page in .mht format.
• The OpenSSH win32 project shut down, so I don't recommend it. The same goes for SSH Windows.
• SSH.com has a commercial product that is reported to be nice, but why use it when CopSSH is free?

So, download and install the newest version of copSSH on the server. By default, CopSSH does not configure any users to be able to use SSH, so you need to "Activate a user" via the Start menu icon. You can create a special SSH account beforehand (via lusrmgr.msc) activate it, or activate other pre-existing users. That's it; you are now ready to use SSH. Or, install Cygwin's SSH. Your choice.

It should be noted that you can change a lot of the SSH settings, just as you would normally configure them in OpenSSH or Cygwin's SSH implementation. Application settings (e.g., port number, encryption ciphers, etc.) are found in etc/sshd_config (ssh_config contains client configuration, sshd_config contains server configuration)., user settings (e.g., home directory, shell) are found in etc\PASSWD, etc. I recommend getting the man pages to the Cygnwin product so you can learn to configure CopSSH, if you are all that interested (or you can go to the BSD man pages, here is the one on sshd_config). I go ahead and modify sshd to allow only SSH2 for the service (Protocol), change the default port # (Port), limit the number of startups (MaxStartups), and use AllowUsers and DenyUsers parameters to limit logon, as well as default to Blowfish encryption for the client, but that's just me (just remove the # comment and change the setting). For ease of documentation, I am going to assume you use the default port of 22, but again, you can use any port you want. It should also be noted that CopSSH includes a built-in scp service, so if you want to use secure copy (scp) or secure FTP (sFTP), you are good to go.

The clients will typically not need any firewall modification unless the firewall monitors/blocks outgoing communication. If your firewall behaves this way, you will need to open TCP port 22, or add an application exclusion for putty.exe.

1. Open PuTTY, which opens the Session screen. Here you should type in the host name (the system running CopSSH). verify port 22 and SSH are configured, and save your session with something descriptive.
   
2. Configure the Window settings as you like. I make mine 25x80 with a scrollback buffer of 2000 lines. Under Appearance, I enable cursor blinking. Under Behavior, you can delineate the PuTTY title bar (e.g., Test Tunnel).
   
3. Configure the Connection settings as you like (I leave the defaults). Under Data, you can specify the name of the account you activated, if you like (leaving this blank will cause you to get prompted for a user name).
   
4. Configure the SSH settings as you like. I like to enforce SSH-2, and put Blowfish encryption at the top.
   
5. Now comes the actual Tunnel configuration, which is the most important part of all of this. Under Source port, type in the port number on the client running PuTTY to which you will point the application (this must be an unused port). Under Destination, type in the IP of the server running CopSSH, a colon, followed by the port of the application you wish to access (e.g., 192.168.1.99:23). Then click Add, and you get something like the picture below.
• Source Port: For applications where Windows lets you specify the port number (like telnet, web, etc.), you merely enter any unused port number. That's right, just make one up, being sure it is unused. PuTTY knows to attempt this communication on localhost (127.0.0.1). However, for applications where Windows does not let you specify the port number, you need to install a loopback adapter, give it an IP, and point to that address (see the SMB example below).
• Destination Port: Again, the IP is the IP for the server running CopSSH. The port number is the true port used by the application you wish to use (e.g., 23 for telnet). In this example, PuTTY establishes a tunnel on the local system where everything directed at 127.0.0.1 on port 20000 will be sent to 192.168.1.99 to port 23. Since this is a tunnel, ALL of this communication occurs over the SSH port of 22.
  
6. Go back to the Session screen, click on the session name you entered in step 1, and click Save. You now have a fully configured SSH session.

On the client, open PuTTY, look at the Session screen, select your named session, and click Open (or just double click your session name). You will be prompted for a user name if you did not configure it in PuTTY (step 3), as well as a password. These are the credentials for the account you activated in CopSSH. Once authenticated, you get a BASH shell to the configured home directory. Your tunnel is now active. You can minimize this window, since it is unused until you want to close the session.

Now you need to communicate through the tunnel to the server running CopSSH. This is done by using the application in question and pointing it to the IP and port confinugured as the Source in PuTTY. In the telnet example, I would open up a CMD windows and type "telnet 127.0.0.1 20000" and it would connect me to 192.168.1.99 via telnet port 23, all tunnelled over port 22. If you were tunnelling web traffic, you would browse to http://10.0.0.1:80. You get the idea. For applications where you cannot specify a nonstandard port number (e.g., SMB or NetBT), you have to use the loopback NIC; see the example below on how to do this.

Once you have finished using the tunnel, be sure to close PuTTy. You can tunnel most applications and ports. Simply create the tunnel, do your work, then close the tunnel by closing PuTTY. Thus, by using the example above, you can tunnel telnet, web traffic, etc., merely by pointing the application at 127.0.0.1:{port}.

In a pure Windows 2000 or higher environment, there is no need to use NetBT; it is simply another protocol to worry about securing. Thus, a lot of people turn it off (via NIC properties, TCP/IP properties, Advanced, WINS, "Disable NetBIOS over TCP/IP"). UNIX, of course, can use whatever port number it wants for SMB, but Windows must use port 445 (okay, you can probably hack this in the registry, but it would be unwise). This poses a problem for tunnelling.

Remember, the Source port in PuTTY, which points to localhost (127.0.0.1), has be be unused. However, on a Windows system, this means that port 445 (and possibly 139) is/are in use whenever the Server service is running. Sure, you could stop the Server service, but this is often undesireable. To get around this problem, we install a dummy loopback NIC. This is very simple, and documented by Microsoft here. You may also need to install hotfix KB884020, but this does not seem necessary if you keep your system patched properly, since you need TCPIP.SYS to be version 5.1.2600.2505 or higher, and this file gets updated by several post-SP2 hotfixes other than KB884020.

So, you've installed the dummy loopback adapter. You need to configure it with the bare minimum services so that it is using as few ports as possible. This means that you should only enable TCP/IP; everything else should be unchecked.

Configure TCP/IP properties with an IP of 10.0.0.1 with a subnet mask of 255.255.255.0. You don't need a gateway or any DNS servers. You could use any IP address you want, but I recommend using a private IP not in the same subnet as any other NIC, and the 10.x.x.x subnets are perfect for that since most home routers use 192.168.x.x.

Under Advanced, DNS, uncheck the "Register this connection's address in DNS" box.

Under Advanced, WINS, select the "Disable NetBIOS over TCP/IP" radio button. Your loopback adapter is now configured for tunnelling. If you use a firewall, you can safely disable it for this NIC, but it does not really matter, since you won't have any incoming traffic to this NIC.

Now it is time to configure PuTTY on the client for an SMB tunnel. But wait, you cannot tunnel SMB. Why? I have no freakin' idea. In theory, since you did not enable "File And Printer Sharing" on the loopback NIC, ports 445 and 139 should be unused. However, port 445 is evidently in use, even though it does not show up in a port scan. All I know is that you have to tunnel NetBT because SMB simply will not work while you have the Server service enabled. This means you have to enable NetBT on the all your non-loopback adapters through which you want to use SSH (the loopback NIC should still have NetBT disabled). Again, you do not need to open port 139 on your firewall, since everything gets tunneled via port 22. In fact, I recommend firewalling off all NetBIOS-related ports (137, 138, and 139) unless you need them for legacy support. You can also firewall off port 445. Have at it, it's your computer.

So, open up PuTTY on the client and configure it as listed above. However, when it gets the tunnel configuration, enter 10.0.0.1:139 as the Source port, and the Destination of {IP of the system running CopSSH}:139. I know, the Source port field looks too short to type all of it, but it will work, trust me. Click Add, and it looks like so:
.

Save the session, then start it. You can now access the NetBT via 10.0.0.1 on the client. Just substitute 10.0.0.1 for the IP or name of the server for any given command. For example, you can connect to a network drive from a CMD window like so:
net use * \\10.0.0.1\c$ /user:administrator /persistent:no

Last, it should be noted that the SSH service (running on the server) defaults to port 22. This default port is well known, and (bad) people on the internet will scan for it. You should consider changing the port number in ssd_config to something uncommon, like 12345 (or whatever), or leaving the default port at 22 and doing some address translation on your router (as documented here). Security through obscurity. Of course, both of these changes would require you to configure the client to use the new port as well, but that is easily done (on all the PuTTy screenshots, replace port 22 with your new port). I also like to use the following options in sshd_condig: Protocol 2, PermitRootLogin no, StrictModes yes, AllowUsers, and DenyUsers. Here and here are a good guides to securing SSH further. Another excellent idea is to disable user/password authentication and to use key-based logins, as documented here.

• Geek to Live: Set up a personal, home SSH server (Cygwin)
• Installing the Cygwin SSH daemon
• Tunnelling Windows services
• HowTo: Find SSH Hackers IP’s in a jiffy
• How to tunnel Samba via ssh from Windows XP without having to disable local NetBIOS
• How to install OpenSSH sshd server and sftp server on a Windows 2000 or Windows XP. This site also has links to instructions on how to tunnel VNC, IP applications, etc., similar to what is offerred on this page.
• Sharing (tunneling) Samba/CIFS/SMB file systems over SSH

• FileZilla, a freeware FTP and sFTP client.
• SSH.com's evaluation version of their scp program.
• WinSCP is a GUI SCP (secure copy) program so you don't need to tunnel FTP