Cybersecurity Forum


timamartin
New Contributor

Allow user to SSH from home to his PC

How can I allow a user to SSH to his UNIX box from home? Can I set it up so that when his home address (and only HIS home address) SSHes to my external address, he is forwarded right to his machine?

6 REPLIES
DrWolfgangBeneicke1
New Contributor III

Hi,

I suggest using an identity-based policy in which you use the VIP. Just add a user group (with just one user) to the source field (formerly: source address field) in the policy.

Only if your user has a fixed public address might you use it to identify your user.

Details:

1. VIP: external addr: free public address, mapped-to addr: private ssh_server_IP, external/mapped-to port: tcp/22

2. Policy: either

   src addr: any AND usergroup: this_user

   OR

   src addr: fixed home office address

   dest addr: VIP, service: SSH

DeepKuma2
Contributor

I suggest using an identity-based policy in which you use the VIP with a customized SSH port on the public network.
This article will help you.

http://cookbook.fortinet.com/port-forwarding/

Regards,

Deepak Kumar
First Option General Trading LLC, Dubai
rmoussa
Contributor

Hi,

You can use a VIP with a customized SSH port. Since you're publishing to the internet, customizing the SSH port is important to avoid attackers.

Regards

------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
------------------------------
GuilTOUR3
New Contributor

I suggest using SSL VPN to be able to connect to a protected server behind a FGT.
Tunnel mode (with FCT) or web portal mode is possible.
thedude78
New Contributor

Generally it is very difficult to create a rule for someone's home IP address, as they change from time to time. It can be done, but be prepared for users to complain every time they get a new IP and the policies no longer work. From a security perspective, direct SSH access from "any" can open you up to a lot of potential issues, brute force attacks etc. Not something I would recommend. Changing the service to a non-standard port is also not recommended, because the service can be fingerprinted and identified by tools like NMAP and other port scanners.

Using SSL VPN for remote access to internal resources is the answer, in my opinion.

------------------------------
Dan
Network / Security Analyst
------------------------------
odd
New Contributor

If it's a public server: VIP + policy with SSH as the service and the home IP as the source.

If it's a private server: client IPsec or client SSL VPN with the native client, or FortiClient.

In the policy, use SSH as the service. Add IPS and AV to the policy, since this is a home user, which means no control over the home environment.

IPsec VPN with FortiClient - Fortinet Cookbook
In this example, you will allow remote users to access the corporate network using an IPsec VPN that they connect to using FortiClient for Mac OS X, Windows, or Android. The remote users' Internet traffic will also be routed through the FortiGate (split tunneling will not be enabled).

SSL VPN using web and tunnel mode - Fortinet Cookbook
In this example, you will allow remote users to access the corporate network using an SSL VPN, connecting either by web mode using a web browser or tunnel mode using FortiClient. Web mode allows users to access network resources, such as the Internal Segmentation Firewall (ISFW) used in this example.

------------------------------
Odd
IT Security Specialist / Senior IT Consultant
------------------------------
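The "VIP plus a policy restricted to the user's fixed home address" approach described by DrWolfgangBeneicke1 and odd above, written out as an added FortiOS CLI example (not code from the thread or from Fortinet's documentation). The interface names wan1/internal, the object names, the default "default" IPS/AV and "certificate-inspection" SSL profiles, and the RFC 5737 documentation addresses are assumptions chosen for illustration:

```text
# Added example, not from the thread. Interface and object names are assumed;
# all IP addresses are constructed RFC 5737 documentation addresses.

# 1. VIP: one public address on wan1, port-forwarded for tcp/22 only,
#    to the user's private UNIX box (constructed 192.168.10.25).
config firewall vip
    edit "vip_ssh_user_pc"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set protocol tcp
        set mappedip "192.168.10.25"
        set extport 22
        set mappedport 22
    next
end

# 2. Address object for the user's fixed home IP, as a /32 so that
#    only that single host matches the policy (constructed 198.51.100.77).
config firewall address
    edit "home_user_fixed_ip"
        set subnet 198.51.100.77 255.255.255.255
    next
end

# 3. Policy: only that source, only the VIP, only the SSH service.
#    Logged, and with IPS/AV applied as odd suggests, since the home
#    environment is not under the company's control.
config firewall policy
    edit 0
        set name "ssh_home_to_user_pc"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "home_user_fixed_ip"
        set dstaddr "vip_ssh_user_pc"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set av-profile "default"
    next
end
```

If the user does not have a fixed public address, replace the srcaddr restriction with the user-group variant DrWolfgangBeneicke1 describes (srcaddr any plus a group containing only that user), or prefer the SSL VPN / IPsec approach recommended by thedude78 and odd, since a policy keyed to a dynamic home IP breaks every time it changes.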