Can I setup the secure tunnelling component with a port other than 22? If so, how?

0

Pretty much that, due to security reasons I would rather not allow ssh via port 22, but I don't know how to configure it in aws and/or my devices.

asked 2 months ago · 157 views
1 Answer
1
Accepted Answer

Hi Fernanda. Secure tunneling doesn't require port 22 to be open. The aim of the feature is to provide access without opening additional ports.

Greg_B, AWS EXPERT
answered 2 months ago
  • Are you sure? It only works when I leave port 22 open, and reading from the aws blog they do in fact use port 22 (https://aws.amazon.com/blogs/iot/introducing-secure-tunneling-for-aws-iot-device-management-a-new-secure-way-to-troubleshoot-iot-devices/). When I check while using ssh via tunneling, it also displays that it is using port 22:

    :~ $ echo "$SSH_CLIENT"
    127.0.0.1 60550 22
    

    I also noticed when configuring the tunnel that, when selecting manual, if I don't write SSH it throws this error:

    2024-08-02T19:37:57.397Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-08-02 19:37:57.393 [pool-3-thread-6] SubscribeResponseHandler - Secure Tunneling Process: 2024-08-02T19:37:57.388Z [ERROR] {SecureTunnelingFeature.cpp}: Requested unsupported service. service=12345. {scriptName=services.aws.greengrass.SecureTunneling.lifecycle.run.script, serviceName=aws.greengrass.SecureTunneling, currentState=RUNNING}
    2024-08-02T19:37:57.397Z [INFO] (Copier) aws.greengrass.SecureTunneling: stdout. [ERROR] 2024-08-02 19:37:57.393 [pool-3-thread-6] SubscribeResponseHandler - Secure Tunneling Process: 2024-08-02T19:37:57.388Z [ERROR] {Config.cpp}: *** AWS IOT DEVICE CLIENT FATAL ERROR: port is missing or invalid ***. 
    

    So I thought maybe there is a specific format to declare that I want to use a port different to 22.

  • That blog is just using port 22 for the local connection to localproxy on the device. As does the secure tunneling component (and AWS IoT Device Client). However, port 22 isn't used for the device-cloud communications. For example, I can run Greengrass in an EC2 instance and make a secure tunneling connection without opening port 22 in the security group.

  • Example TCP connections on a Greengrass device in EC2, with secure tunneling active:

    tcp    ESTAB   0       0             10.0.0.174:39988         54.163.234.121:8883            
    tcp    ESTAB   0       0             10.0.0.174:55300          209.54.182.39:https           
    tcp    ESTAB   0       0             127.0.0.1:ssh                127.0.0.1:37194           
    tcp    ESTAB   0       0             10.0.0.174:37570         34.202.204.245:https           
    tcp    ESTAB   0       0             127.0.0.1:37194              127.0.0.1:ssh
    
  • I understand that port 22 is not communicated to the cloud, but my intention is not to use port 22 for anything, including the local connection. Given that I can configure my device to allow ssh on another port, I would prefer to do that.

  • Device Client at this moment does not have the capability to use a different port for the secure tunneling feature. You can cut a feature request or you can contribute to the repository and update the code yourself. Local proxy does provide support for it. If you wish, you can also use local proxy for the secure tunneling feature. https://github.com/aws-samples/aws-iot-securetunneling-localproxy
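Since the point of the thread is that the tunnel only ever reaches sshd over loopback, here is an added check (not from the thread, AWS, or the localproxy project) that parses `ss -tn`-style socket rows like the ones Greg_B posted and reports any socket where sshd's port is bound or connected on a non-loopback address. The `TUNNEL_SAMPLE` rows are the ones from the thread; the `EXPOSED_SAMPLE` rows, the IPv6 handling and all function names are constructed for this example.

```python
"""Added example: verify that sshd is reachable only over loopback while a
secure tunnel is active, by parsing `ss` socket rows."""
from dataclasses import dataclass
from typing import List, Tuple

# Port as printed by `ss` with (-n) and without name resolution.
SSH_PORTS = {"22", "ssh"}
# Local addresses that mean "every interface", i.e. externally reachable.
WILDCARD_ADDRS = {"*", "0.0.0.0", "::", "[::]"}
# States `ss` prints in its first column when the Netid column is omitted.
STATES = {"ESTAB", "LISTEN", "TIME-WAIT", "CLOSE-WAIT", "SYN-SENT", "SYN-RECV", "UNCONN"}

# Rows posted by Greg_B for a Greengrass device in EC2 with a tunnel open.
TUNNEL_SAMPLE = """
tcp    ESTAB   0       0             10.0.0.174:39988         54.163.234.121:8883
tcp    ESTAB   0       0             10.0.0.174:55300          209.54.182.39:https
tcp    ESTAB   0       0             127.0.0.1:ssh                127.0.0.1:37194
tcp    ESTAB   0       0             10.0.0.174:37570         34.202.204.245:https
tcp    ESTAB   0       0             127.0.0.1:37194              127.0.0.1:ssh
"""

# Constructed rows (not from the thread): sshd listening on all interfaces and
# one session arriving directly from a remote host, plus a harmless loopback row.
EXPOSED_SAMPLE = """
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128           0.0.0.0:22               0.0.0.0:*
ESTAB   0       0          10.0.0.174:22            203.0.113.5:51234
ESTAB   0       0           127.0.0.1:ssh            127.0.0.1:40001
"""


@dataclass(frozen=True)
class Socket:
    proto: str
    state: str
    local_addr: str
    local_port: str
    peer_addr: str
    peer_port: str


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'addr:port' on the last colon so IPv6 literals like [::1]:22 survive."""
    addr, _, port = endpoint.rpartition(":")
    return addr, port


def parse_ss(text: str) -> List[Socket]:
    """Parse `ss` rows with or without the leading Netid column; skip headers."""
    socks: List[Socket] = []
    for line in text.splitlines():
        parts = line.split()
        if parts and parts[0] in ("tcp", "udp"):
            proto, fields = parts[0], parts[1:]
        elif parts and parts[0] in STATES:
            proto, fields = "tcp", parts  # `ss -tn` omits the Netid column
        else:
            continue  # header or blank line
        if len(fields) < 5:
            continue
        local_addr, local_port = split_endpoint(fields[3])
        peer_addr, peer_port = split_endpoint(fields[4])
        socks.append(Socket(proto, fields[0], local_addr, local_port, peer_addr, peer_port))
    return socks


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def ssh_exposures(socks: List[Socket]) -> List[Socket]:
    """Sockets where sshd's port is bound or connected on something other than loopback."""
    return [
        s for s in socks
        if s.local_port in SSH_PORTS
        and (s.local_addr in WILDCARD_ADDRS or not is_loopback(s.local_addr))
    ]


if __name__ == "__main__":
    for name, sample in (("tunnel", TUNNEL_SAMPLE), ("exposed", EXPOSED_SAMPLE)):
        found = ssh_exposures(parse_ss(sample))
        print(f"{name}: {len(found)} non-loopback sshd socket(s)")
        for s in found:
            print(f"  {s.state} {s.local_addr}:{s.local_port} <- {s.peer_addr}:{s.peer_port}")
```

On a real device you would feed it `ss -tn` (or `ss -tln` for listeners) instead of the embedded samples; an empty result for the tunnel case is what the thread describes, since the only sshd traffic is 127.0.0.1 to 127.0.0.1 while the cloud side runs over 8883 and 443.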
