Security policy blues
When your company's security policy starts to make your life uncomfortable, some will say they are doing a good job, while others will complain. I would rather side with the latter.
I have been using a server accessible from the Internet for years. A few weeks ago, a message warned me to update the validity of the firewall rule. Unfortunately, that task appears to be above my pay grade. More unfortunate is that the people who that warning message told me specifically to talk to if I happened not to be able to fix it myself claim they cannot do that and that I should talk to somebody else. That pleased me not.
I am sure I could waste a couple of days going back and forth and get this fixed, but it would be helpful for a short time as I am retiring soon. Alternatively, I considered other more fun solutions that required me to talk with no one else. I have developed some sort of an allergy to people telling me, "That is not my job," when I request something.
If you do not have access to a server from outside the company's network, a possible solution is to use a Virtual Private Network (VPN) if that is a solution your company offers employees. I have been using that, but unfortunately, not all the networks I am using are VPN-friendly. Last week, I was waiting for my car to be serviced, and I found I could not connect to the VPN, so I could not work with my server. Luckily, I used my cellphone's Internet access to be able to work. However, I do pay for that data connection, not my company.
So today, I used some time to create a temporary solution. I will use a reverse SSH tunnel using an intermediate server accessible on the Internet. The idea is simple: I make an outgoing SSH connection from my work server to an intermediate server. That connection is kept open, but no terminal is associated with it, nor is data transferred. Its only purpose is to create a reverse tunnel from one port on the intermediate server to the SSH port on my server.
When I want to connect to my server, I will initiate an SSH connection to a particular port in the intermediate server (connected by a reverse tunnel with the SSH server on my server) and connect without a problem.
As with every simple plan, there are always some wrinkles. It all worked perfectly from the intermediate server but only if the connection attempt was done on the loopback device, as soon as I was trying to access the tunnel from the Internet, it won't work. I tried several solutions that were not successful until I put the server's IP on the reverse tunnel setup:
ssh -g -R $server_ip:$particular_port:localhost:22 user@intermediate.server -N -f -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3"
The "-g" alone or using "0.0.0.0" as the server's IP field did not help. The reverse tunnel was created but only listened on the loopback device, not the LAN interface.
Comments