How to Use SSH Port Forwarding for Secure Connections: Tips and Tricks

Updated on December 23, 2022

SSH tunnelling, or SSH port forwarding, is a process through which network communication can be tunneled through application ports from the local host to the remote system or vice versa. Using SSH port forwarding, two systems can safely exchange data despite geographical distance or firewall restrictions.

Types of SSH Port Forwarding

Local port forwarding

The SSH client on your local host can communicate with a remote server by using port forwarding to connect through the SSH server. This method is utilized when the target server is inaccessible to the local host (for instance, as a result of firewall blocking), but is reachable via the SSH server. From within a private network, local port forwarding can be used to gain access to a server that is normally inaccessible due to the firewall’s restrictions.

Remote port forwarding

Connecting an SSH client to a remote host requires a technology called remote port forwarding, or reverse SSH tunnelling. To gain access to a server on a private network from a public network, a less popular technique is to employ remote port forwarding. Hackers frequently employ this tactic to breach protected networks.

Dynamic port forwarding

Through the use of dynamic port forwarding, all incoming and outgoing network traffic is redirected through SSH on a predefined port. The SSH client then forwards all incoming connections to the server, allowing for secure SSH server communication between any two hosts. 

This is also the process for setting up a SOCKS proxy server: the local client software is set up to forward all of its traffic to the given port, and that traffic is then encased in an SSH tunnel. If you're already inside a private network, you can use dynamic port forwarding to connect to any remote server.
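The three forwarding types above correspond to the OpenSSH client's -L, -R and -D options. The following is an added example, not part of the original article; the `tunnel` helper and the host names used with it are placeholders of this example.

```sh
#!/bin/sh
# Added example, not from the original article. Host names are placeholders.
SSH=${SSH:-ssh}   # set SSH="echo ssh" to print the command instead of connecting

# tunnel TYPE SPEC SSH_HOST
#   local   8080:db.internal.example:5432  listen here, SSH server connects to the target
#   remote  9000:127.0.0.1:3000            listen on the SSH server, connect back to this side
#   dynamic 1080                           SOCKS proxy on this machine
tunnel() {
    case "$1" in
        local)   flag=-L ;;
        remote)  flag=-R ;;
        dynamic) flag=-D ;;
        *) echo "usage: tunnel local|remote|dynamic SPEC SSH_HOST" >&2; return 2 ;;
    esac
    # -N: no remote command, forwarding only.
    # ExitOnForwardFailure=yes: exit rather than stay connected without the tunnel.
    # The 127.0.0.1: prefix binds the listener to loopback so other hosts cannot use it.
    $SSH -N -o ExitOnForwardFailure=yes "$flag" "127.0.0.1:$2" "$3"
}

# Example: tunnel local 8080:db.internal.example:5432 user@bastion.example.com
```

On the server side, the sshd_config directives AllowTcpForwarding and PermitOpen control whether clients may forward at all and to which destinations.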

How does SSH Port forwarding work?

In order to authenticate the user and encrypt the data being communicated over the SSH connection, SSH requires the exchange of public keys between the client and the server.

Modern computers typically have SSH client software installed. OpenSSH is a free and open-source command-line SSH implementation that was first created for the OpenBSD operating system. It has since been ported to Linux and macOS, among other Unix-based systems. 

The following are needed to initiate an SSH session:

  1. Correct permissions on the SSH config file, and a user's login credentials for accessing the remote server.
  2. The IP address or domain name of the computer you want to access remotely. In order to connect to this distant host, an instance of the SSH server application, sshd, must be running on the local machine.
  3. Availability of a locally installed SSH client. The ssh command is typically used to launch SSH. While PuTTY for Windows provides a graphical user interface for SSH, knowing the command-line version is a skill that can be used with virtually any modern operating system. OpenSSH's techniques for changing the port are somewhat confusing; compared to that, PuTTY is a better option.

Tips and Tricks for Using SSH Port Forwarding for Secure Connections 

1. Limit SSH access for users

The usage of SSH logins should be restricted to just those who require remote access, resulting in an additional level of privacy. By doing so, you can reduce the risk associated with a user having a weak password.

Follow these steps to limit SSH access:

  • Locate /etc/ssh/sshd_config
  • Type: AllowUsers [user1] [user2] 

(In place of user1 and user2, enter the usernames of the people you want to give access to, and make sure every username is separated by a space.)

2. Use only SSH Protocol 2

Follow these steps to turn on Protocol 2:

  • Go to /etc/ssh/sshd_config file. 
  • Locate this line in the file: #Protocol 2, 1
  • Now, remove this line and type this instead: Protocol 2
  • After that, enter this command: /etc/init.d/sshd restart

Both TCP and UDP are supported by SSH. The security of Protocol 1 has decreased with time. Using Protocol 2 will strengthen your security measures. If you want your server to meet PCI standards and ensure ssh best practices, you must turn off protocol 1.

The service will be restarted and the command will be saved. 

3. Use a Different Port

The ability to hide from casual scans by hackers is a major perk of switching from the standard SSH port to a non-standard port. Since SSH accepts connections on port 22, that's where most attackers will look. Your SSH server is less vulnerable to attacks if it is more difficult to scan.

Pick any available port that isn’t already in use by another service. Although 222 and 2222 are easy to remember, hackers who are watching port 22 will also try them.

Follow these steps to change and secure the SSH port:

Go to /etc/ssh/sshd_config file

Add these commands:

  1. #Run SSH on a non standard port
  2. Port 2025 #Change me
  3. /etc/init.d/sshd restart

Add these commands one by one, each on its own line. You may have to tweak your firewall and router's configurations as well after changing the port. If you are connected to a VPN server, you can simply change your port by going into the settings of the AstrillVPN app and opening the Port menu.

4. Deactivate Empty Passwords

If you want to beef up SSH security, you should deactivate remote logins from accounts that have empty or blank passwords. Locate /etc/ssh/sshd_config file, open it and type this: 

PermitEmptyPasswords no

5. Use Robust Usernames and Passwords

Login attempts by hackers who are trying to guess your username and password are possible if you have SSH operating and accessible from the web. SSH is often targeted by hackers who do port scans looking for the default port (22), in the hopes of locating machines they may attack. Passwords that are both secure and difficult to guess are crucial to fighting against cyberattacks.

6. Create a VPN over SSH

With Astrill, you can forward the traffic that would normally arrive at a VPN’s IP and port combination to a device you have connected to the same port.

Using this method, requests can be sent to your services from anywhere on the Internet, regardless of the originating IP address or geographic location of the requesting device.

There is a method through which you can create a VPN tunnel over SSH, but rather than trying that complex way, it's better to save yourself the hassle and use AstrillVPN.

To set up AstrillVPN port forwarding for SSH, follow this process:

  1. Launch the Astrill app on your PC, and select OpenVPN mode from the menu.
  2. Open the Astrill app and select the Settings > Port Forward… menu to activate port forwarding.
  3. Establish a connection to the VPN server denoted by the star icon.
  4. Set that port in your SSH Client on your PC.

7. Two-Factor Authentication Must Be Enabled

SSH supports two-factor authentication via a passphrase and an SSH key. A code from a hardware token or an app like Google Authenticator has the benefit of being generated by a separate, physical device. Two-factor authentication should be set up on your SSH servers for added security. Each user login must correlate to a defined 2FA user, making this one of the primary safeguards you can add to your SSH servers to prevent unwanted access.

8. Tunnel SSH Traffic over Tor Network

Using the torsocks command, the anonymous Tor Network can tunnel SSH communications. If you use the following command, your ssh traffic will be routed over the Tor network:

localhost:~$ torsocks ssh myuntracableuser@remoteserver

If you want to know more about the Tor network, you can check out our detailed guide on Tor.

9. Restrict Direct Root Logins

Direct root login through SSH is a security risk. A hacker may access your system if they brute-forced your root password. This is especially worrisome because, as root, they would be able to do far more harm than a regular user.

Follow these steps to restrict direct logins to Root:

  1. Open your SSH client config file.
  2. Locate the command line: #PermitRootLogin
    Change this command to: PermitRootLogin no
  3. Now type: /etc/init.d/sshd restart

The service will restart and your settings will be saved, meaning that root logins will now be restricted. 
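The settings from tips 1, 3, 4 and 9 can be checked in one pass over the server configuration file. The script below is an added example, not part of the original article; it assumes the directives live in /etc/ssh/sshd_config as in tips 1 to 4, and its function names and sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): audit an sshd_config-style file
# against tips 1, 3, 4 and 9. Function names are this example's own.
# Usage: audit_sshd /etc/ssh/sshd_config

# first_value FILE KEYWORD: for most keywords sshd keeps the first value it
# reads; keywords are case-insensitive; the global section ends at "Match".
# Port and AllowUsers may repeat; only their first line is inspected here.
first_value() {
    awk -v want="$2" '
        NF == 0 || substr($1, 1, 1) == "#" { next }   # blank line or comment
        tolower($1) == "match" { exit }
        tolower($1) == want { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$1"
}

# report STATUS NAME VALUE: print one result line and count failures.
report() {
    printf '%-4s %-22s %s\n' "$1" "$2" "${3:-<unset>}"
    [ "$1" = OK ] || fails=$((fails + 1))
}

# audit_sshd FILE: returns the number of failed checks (0 = all passed).
audit_sshd() {
    fails=0
    v=$(first_value "$1" permitrootlogin)        # tip 9
    report "$([ "$v" = no ] && echo OK || echo FAIL)" PermitRootLogin "$v"
    v=$(first_value "$1" permitemptypasswords)   # tip 4
    report "$([ "$v" = no ] && echo OK || echo FAIL)" PermitEmptyPasswords "$v"
    v=$(first_value "$1" allowusers)             # tip 1
    report "$([ -n "$v" ] && echo OK || echo FAIL)" AllowUsers "$v"
    v=$(first_value "$1" port)                   # tip 3
    report "$([ -n "$v" ] && [ "$v" != 22 ] && echo OK || echo FAIL)" Port "$v"
    return "$fails"
}

# Constructed sample: the second PermitRootLogin is ignored (first value wins)
# and the setting inside the Match block is not part of the global section.
sample_config() {
    cat <<'EOF'
Port 2025
permitrootlogin yes
PermitRootLogin no
AllowUsers alice bob
Match User alice
    PermitEmptyPasswords no
EOF
}
```

On a live host, `sshd -T` prints the effective configuration in the same keyword-value form, so its output can be saved to a file and audited the same way. `sshd -t` validates the configuration file before the service is restarted.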

10. Use iptables to prevent SSH Brute-force Attacks

Every SSH user is aware of the fact that many brute force attempts occur every hour. Move SSH off port 22 to reduce log noise. Changing Port ## in the sshd config file is the easiest fix to stop attackers.

However, to make it safer, you can use iptables. It will prevent connections from sources that exceed a given threshold from being accepted by the port. OSSEC is a tool that can be used for this purpose, as it not only prevents unauthorized SSH connections but also performs a number of other host-based intrusion detection tasks (HIDS).
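One way to express the threshold described above uses the iptables `recent` match. This is an added example, not part of the original article; the function name, the list name SSH and the sample numbers are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original article.
# Set IPT="echo iptables" to review the rules without applying them,
# or IPT=ip6tables to apply the same limit to IPv6.
IPT=${IPT:-iptables}

# ssh_ratelimit PORT SECONDS HITS
# Record every source address that opens a NEW TCP connection to PORT and
# drop the connection that brings a source to HITS within SECONDS.
# With "2025 60 4", the fourth new connection inside 60 seconds is dropped.
ssh_ratelimit() {
    port=$1; secs=$2; hits=$3
    for n in "$port" "$secs" "$hits"; do
        case "$n" in
            ''|*[!0-9]*) echo "usage: ssh_ratelimit PORT SECONDS HITS" >&2; return 2 ;;
        esac
    done
    # Inserted at the top of INPUT so they run before any rule that accepts
    # the port. Only NEW connections match, so open sessions are unaffected.
    # Rule 1 has no target: it only records the source in the "SSH" list.
    $IPT -I INPUT 1 -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --set
    # Rule 2 drops when the recorded count reaches the threshold.
    $IPT -I INPUT 2 -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name SSH --update --seconds "$secs" --hitcount "$hits" -j DROP
}

# Example (as root): ssh_ratelimit 2025 60 4
```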


Is port 22 an SSH port?

Yes, Port 22 is the default SSH port that almost every SSH user opts for. It is secured through password authentication. 

Is SSH TCP or UDP or both?

SSH has both TCP and UDP configurations and you can choose any of them as per your need. UDP is a faster protocol than TCP, so many users opt for it.

Is SSH faster than FTP?

No, SSH is not faster than FTP. Because of the encryption and the pass key exchange, the data transfer becomes slow. FTP is faster than SSH.


About The Author

Arsalan Rathore

Arsalan Rathore is a tech geek who loves to pen down his thoughts and views on cybersecurity, technology innovation, entertainment, and social issues. He likes sharing his thoughts about the emerging tech trends in the market and also loves discussing online privacy issues.
