Of course, you could create just a new SSH user on your Linux server, but this user will be able to execute all server commands although they would not be necessary for SSH tunneling. In fact the only thing the user needs is to login and logout again – that’s enough! Therefore we don’t want the user to be able to do anything else for security reasons.

I will show in the following how you can create such a restricted SSH user on a Linux server (tested on Debian Linux) that can be used for SSH tunneling only.

First of all we create a new user (I just call him sshtunnel now) with rbash as shell:

useradd sshtunnel -m -d /home/sshtunnel -s /bin/rbash
passwd sshtunnel

Using rbash instead of bash will restrict the user already as he especially cannot change the directory and cannot set any environment variables. But the user can still execute most of the bash commands.

To prevent him from this, we use a small trick: we set the environment variable PATH for this user to nothing. This way the bash won’t find the commands to execute anymore. That’s easily done by adding this line to the end of the file .profile in the home directory of the user (in our example it is /home/sshtunnel/):

PATH=""

As we want to make sure the user is not able to change this again himself, we remove the write permissions from the user configuration files and from the home directory of the user itself:

chmod 555 /home/sshtunnel/
cd /home/sshtunnel/
chmod 444 .bash_logout .bashrc .profile

Now we’re done: you can setup your SSH tunnel for example with PuTTY just as normal and login with this newly created SSH user. You won’t be able to do anything else than login and logout anymore, but SSH tunneling will work fine!

Did you also need such a restricted SSH user already?

Together with the new connection type I also got a new free router from my local internet provider: an AVM Fritz!Box 7570 VDSL.

First of all I want to say that this is really a great product: it has a build-in VDSL modem, but also VoIP telecommunication ports (analog and ISDN), provides WLAN and even DECT for connecting your mobile phones.

I just had one problem: after this new router was up and running from within my network I could not access our web service operating on port 445 anymore. Thus no outgoing connection on port 445 was possible anymore.

Therefore I went to check the router settings, but could not find any option or at least a note about this port blocking. But searching the web afterwards turned out that I was not the only guy struggling with this issue.

Of course, port 445, the same as also the other mentioned ports 135 and 137, are normally reserved for NetBIOS respectively SMB communications which really would be a security issue if such services would be used outside of a secure local network. But anyway, even if a port number is normally used for a specific service, everybody is free to use it in a different way like us: We are using ports 444 and 445 for operating some internal SSL webpages as the default port 443 is already in use.

As I’m not the only one in my company using this internal SSL webpages and I definitely didn’t want to change our port usage just because of a new router, I needed to find a way to convince my Fritz!Box to allow outgoing connections on port 445.

After doing some research, I finally came up with following solution. Here is a step-by-step guide to get outgoing connections on ports 135, 137 and 445 working with an AVM Fritz!Box:

1. save the settings of your Fritz!Box to a file (menu “System” / “Save Settings”).
2. open this file with a simple text editor.
3. replace all occurrences of filter_netbios = yes; with filter_netbios = no;. (If you have an older Fritz!Box model, the name of this config entry may be a little bit different. In this case just search for “netbios” and you should be able to find it easily.)
4. add a new line NoChecks=yes somewhere on the top of the config file (I added it below the line starting with Language=). Without this line import won’t work, because the Fritz!Box would reject to load a manually changed config file.
5. finally restore the setting by using your changed config file.

That’s it! After your changed config file is loaded, the Fritz!Box will reboot and now outgoing traffic on ports 135, 137  and 445 works fine again.

Of course, I understand that it is useful to block ports with a potential security risk by default, but I absolutely don’t understand why AVM does not provide a way (somewhere in the advanced settings) to change this from within their user interface. A router should never patronize a user: if the user wants to use a specific port for whatever reason, this has to be possible with every router!

Does your router also block some ports without being asked for?