
I am working on a React web app built on my local PC at port 443, and I want to make it accessible via the internet for testing purposes. One solution that I came across was SSH remote port forwarding as mentioned in this article. My institute has one server that is publicly available and that I can use for port forwarding, but I am worried that I might put the institute's server in danger.

My question is: what is the risk of doing such a thing? Is there any security I can set up on the institute's server to only give access to the authenticated user to port forward?

Anders
Dhaval Lila

1 Answer


> My question is what is the risk of doing such thing

You are exposing an application running on an internal system to the wild internet. If a feature or bug in the application allows for example remote code execution then the attacker will be able to execute this code on your machine and thus inside your local network and thus might reach and attack internal systems in your network which should not be accessible from outside.

> ... only giving access to the authenticated user to port forward?

My initial interpretation of this question was that you, as the one exposing the internal application, want to restrict which external users could connect to this forwarded port. But there is no authentication at this level, i.e. it is simply a TCP port which is reachable from outside for everybody. Any kind of authentication needs to be done in your application. Only, this is then done again at your internal systems, which means problems before or during authentication might again affect your whole internal network.

Based on your feedback it looks like you switched roles for this part of your question, i.e. no longer being the one who wants to make their application accessible but instead being the administrator who wants to prevent this. In general: if the user has only restricted access via SSH (can execute selected commands) then one can also limit the port forwarding (option no-port-forwarding in OpenSSH). If the user instead has full shell access he can work around such restrictions.

> is there any other way around without using third party apps like ngrok?

ngrok is not a simple broad port forwarding but instead allows publishing the application only for selected users by requiring authentication. If this restricted access is used the risk is greatly reduced, i.e. only users who know the URL and have the authentication credentials can connect. Still, if you cannot trust these users to keep these access credentials private and also to not attack your system then you should not do it.

Steffen Ullrich
  • You slightly misunderstood my second concern. What I am trying to say is: can I limit users inside my own institute from port forwarding their local application to the internet? – Dhaval Lila May 25 '18 at 10:45
  • Is there any other way around without using third-party apps like ngrok? – Dhaval Lila May 25 '18 at 10:48
  • Can you do me one more favour? I found the link below but I am not able to understand what exactly he is doing for security: https://serverfault.com/questions/129781/ssh-port-forwarding-security-risk – Dhaval Lila May 25 '18 at 11:03
  • @DhavalLila: I probably misunderstood you since you unexpectedly switched sides in your question, i.e. from the user who wants to publish its own application to the administrator who wants to prevent such things. I now describe both aspects in my answer. As for ngrok see updated answer. – Steffen Ullrich May 25 '18 at 11:11
  • @DhavalLila: the scenario in the question you point to is completely different from yours. There somebody from outside with SSH access to a bastion host wants to use local port forwarding to access an internal web server from their local machine, i.e. access is limited to applications on this specific machine. In your question you instead want to essentially make an internal server public on the whole internet. – Steffen Ullrich May 25 '18 at 11:21
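
A check an administrator could run for the per-key restriction the answer mentions (an added example, not part of the original answer or comments): it reads an `authorized_keys` file and reports, for each key, whether port forwarding is still permitted and whether the key is tied to a forced command, since the answer notes that the restriction only holds without full shell access. The function names, verdict labels and sample keys are constructed for illustration, and the code assumes options take effect left to right.

```python
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")  # prefixes of public key type names

def split_options(line):
    """Return the leading option list of one authorized_keys line."""
    if line.startswith(KEY_TYPES):
        return []                      # line starts with the key type: no options
    opts, cur, quoted, prev = [], "", False, ""
    for ch in line:
        if ch == '"' and prev != "\\":
            quoted = not quoted        # commas/spaces inside quotes are literal
        if not quoted and ch in ", \t":
            opts.append(cur)
            cur = ""
            if ch != ",":
                break                  # unquoted whitespace ends the option field
        else:
            cur += ch
        prev = ch
    return [o for o in opts if o]

def classify(line):
    """Verdict for one key, applying options left to right (assumption)."""
    forwarding, forced_command = True, False
    for opt in split_options(line):
        name = opt.split("=", 1)[0].lower()
        if name in ("restrict", "no-port-forwarding"):
            forwarding = False
        elif name == "port-forwarding":        # re-enables after "restrict"
            forwarding = True
        elif name == "command":
            forced_command = True
    if forwarding:
        return "forwarding-allowed"
    # Blocked for this key, but a user who can still run commands can work around it.
    return "forwarding-blocked" if forced_command else "blocked-but-shell"

def audit(text):
    """Return (line number, verdict) for every key line in the file text."""
    return [(n, classify(raw.strip()))
            for n, raw in enumerate(text.splitlines(), 1)
            if raw.strip() and not raw.strip().startswith("#")]

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
# constructed authorized_keys sample
ssh-ed25519 AAAAconstructedkey1 alice@laptop
no-port-forwarding ssh-ed25519 AAAAconstructedkey2 bob@desk
restrict,command="/usr/local/bin/backup --mode full, quiet" ssh-ed25519 AAAAconstructedkey3 backup@nas
restrict,port-forwarding,command="/bin/false" ssh-rsa AAAAconstructedkey4 tunnel@ci
"""

if __name__ == "__main__":
    for lineno, verdict in audit(SAMPLE):
        print(lineno, verdict)
```

This only covers per-key options; the server-wide `AllowTcpForwarding` setting in `sshd_config` applies independently of them.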