1

I'd like to reach my local webserver http://192.168.0.186:3000 when I am not at home. I don't want to publish it on the internet, because I don't think it is safe when you are not an expert in maintenance and security. I once did it with an Apache server using dyndns, and on the same day the logs were full of hacker attempts. I realized that something was wrong when I got a message from the operating system that C:/ is full.

What I thought of is using an SSH tunnel. So I assume I need an SSH server running on a local machine. I already have one: 192.168.0.186:22. I use to connect with ssh [email protected] from git bash. I guess I have to open port 22 on the router firewall too, so I will be able to reach the SSH server through the internet.

On the client machines I have Windows 7, Windows 8.1 and Fedora 23 currently. On Windows I'd like to use git bash or something like that instead of putty, if that is possible. I'd like to run everything related to this in the background automatically, so starting putty every time I want to connect to the home server is not an option. I can write a simple background service for the clients if needed.

My questions:

  1. How can I set up the SSH server to forward the HTTP requests to the local webserver?
  2. How can I set up the browser to use the SSH server to connect to the local webserver?
  3. In order to make this more secure, should I create a new Linux user on 192.168.0.186 with limited permissions dedicated to this responsibility?

1 Answer

1

Look at SSH forwarding. Look at local port forwarding on ssh.

ssh -L 3000:internalip:3000 ext.home.ip.addr

This will open a local port 3000 that maps to your server on 3000. You access it by going to http://localhost:3000 on the machine that initiated the ssh connection.

You will also need to do port forwarding on your router to map the external IP address to the internal IP address for port 22, and, presumably, publish this using dynamic DNS. Unfortunately this has the net effect of opening up SSH to the world and is undesirable. It also does not help you on putty boxes (but you can do something similar with putty).

If I were doing this though, I'd be setting up an OpenVPN system on my home router, and then using OpenVPN to connect external systems to the LAN - this protects port 22 traffic, and does not require the use of SSH. It's also a lot easier to automate, and there are OpenVPN clients for most OS's.
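
Added example, not part of the original answer: for the question's point 3 (a dedicated limited user) and the answer's concern about exposing port 22, this checks that an sshd_config confines one account to forwarding to 192.168.0.186:3000 only. The account name `tunnel`, both sample configs and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample sshd_config: "tunnel" is a hypothetical dedicated account
# that may only forward to the web server from the question, with no shell.
hardened_config() {
cat <<'EOF'
PasswordAuthentication yes
Match User tunnel
    PasswordAuthentication no
    AllowTcpForwarding local
    PermitOpen 192.168.0.186:3000
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
EOF
}

# Constructed weak sample: the account can forward to any host and port.
weak_config() {
cat <<'EOF'
Match User tunnel
    AllowTcpForwarding yes
EOF
}

# Reads sshd_config text on stdin and prints every required setting that the
# plain "Match User <user>" block lacks. Exit status is 0 only if none are
# missing. Match lines with extra criteria or patterns are not handled.
missing_restrictions() {
    awk -v user="$1" -v target="$2" '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["allowtcpforwarding"]     = "local"
            want["permitopen"]             = target
            want["permittty"]              = "no"
        }
        /^[ \t]*#/ { next }
        tolower($1) == "match" {
            inblock = (NF == 3 && tolower($2) == "user" && $3 == user); next
        }
        # sshd keeps the first value it sees for a keyword
        inblock && NF >= 2 { k = tolower($1); if (!(k in got)) got[k] = $2 }
        END {
            for (k in want) if (got[k] != want[k]) { print k, want[k]; bad = 1 }
            exit bad + 0
        }'
}

# Client side, with the restricted account: -N opens the forward only.
#   ssh -N -L 3000:192.168.0.186:3000 tunnel@ext.home.ip.addr
hardened_config | missing_restrictions tunnel 192.168.0.186:3000 &&
    echo "tunnel account is limited to 192.168.0.186:3000"
```

Run it against a real file with `missing_restrictions tunnel 192.168.0.186:3000 < /etc/ssh/sshd_config`; each printed line is a keyword and the value the check expects inside the Match block.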

9
  • I thought that opening SSH to the internet is not as risky as opening an HTTP server. Actually I use the internet provider's modem for routing. It does not support dyndns and openvpn. I am sure I can solve the dyndns part on the server. Can you elaborate your answer about openvpn? Is it possible to install the VPN server on my local server instead of the modem, or how does this work? Can you provide some tutorials? All I found about VPN is how to use it as a proxy for web browsing, which does not help in my case. Commented Feb 23, 2016 at 3:31
  • Another interesting thing here is that I don't want to connect to the entire home network. I just want to access a single server machine. So VPN might be an exaggeration. Commented Feb 23, 2016 at 3:40
  • @inf3rno - Yes, you can install OpenVPN just on your target PC (and port forwarding on your router to get to it). Have a look at openvpn.net/index.php/open-source/documentation/… - You simply set up an OpenVPN server on the machine (google "how to set up an OpenVPN Server on XXXXX" where XXXXX is the OS), and then make sure you port map the port you configured it on in your router. Commented Feb 23, 2016 at 3:53
  • I don't think it is a given that having ssh open to the world is automatically less secure than having openvpn open to the world. The security of either is largely dependent on how you set it up. Commented Feb 23, 2016 at 4:16
  • 2
    @paul - I disagree. Ignoring that SSH is a lot harder to properly secure - and the direct consequence and likelihood of a successful brute force attack of SSH, I'll leave you with venafi.com/blog/post/… - and also compare cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/… with cvedetails.com/vulnerability-list/vendor_id-3278/… Commented Feb 23, 2016 at 5:45
