{
	"id": "28f32401-a8c5-42ea-8448-9d60eb3d9559",
	"created_at": "2026-04-06T00:22:35.548583Z",
	"updated_at": "2026-04-10T13:12:42.747853Z",
	"deleted_at": null,
	"sha1_hash": "6aaf398119a1533cb768b610f44fb07d0233bbae",
	"title": "What is an SSH Tunnel \u0026 SSH Tunneling?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 554730,
	"plain_text": "What is an SSH Tunnel \u0026 SSH Tunneling?\r\nBy Admin\r\nPublished: 2019-09-24 · Archived: 2026-04-05 22:36:55 UTC\r\nThis page explains SSH tunneling (also called SSH port forwarding), how it can be used to get into an internal\r\ncorporate network from the Internet, and how to prevent SSH tunnels at a firewall. SSH tunneling is a powerful\r\ntool, but it can also be abused. Controlling tunneling is particularly important when moving services to Amazon\r\nAWS or other cloud computing services.\r\nWhat is an SSH tunnel?\r\nSSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection. It can be\r\nused to add encryption to legacy applications. It can also be used to implement VPNs (Virtual Private Networks)\r\nand access intranet services across firewalls.\r\nSSH is a standard for secure remote logins and file transfers over untrusted networks. It also provides a way to\r\nsecure the data traffic of any given application using port forwarding, basically tunneling any TCP/IP port over\r\nSSH. This means that the application data traffic is directed to flow inside an encrypted SSH connection so that it\r\ncannot be eavesdropped or intercepted while it is in transit. SSH tunneling enables adding network security to\r\nlegacy applications that do not natively support encryption.\r\nThe figure presents a simplified overview of SSH tunneling. The secure connection over the untrusted network is\r\nestablished between an SSH client and an SSH server. This SSH connection is encrypted, protects confidentiality\r\nand integrity, and authenticates communicating parties.\r\nThe SSH connection is used by the application to connect to the application server. With tunneling enabled, the\r\napplication contacts to a port on the local host that the SSH client listens on. The SSH client then forwards the\r\napplication over its encrypted tunnel to the server. 
The server then connects to the actual application server -\r\nusually on the same machine or in the same data center as the SSH server. The application communication is thus\r\nsecured, without having to modify the application or end user workflows.\r\nhttps://www.ssh.com/ssh/tunneling\r\nPage 1 of 4\n\nWho uses SSH tunneling?\r\nThe downside is that any user who is able to log into a server can enable port forwarding. This is widely exploited\r\nby internal IT people to log into their home machines or servers in a cloud, forwarding a port from the server back\r\ninto the enterprise intranet to their work machine or suitable server.\r\nHackers and malware can similarly use it to leave a backdoor into the internal network. It can also be used for\r\nhiding attackers' tracks by bouncing an attack through multiple devices that permit uncontrolled tunneling.\r\nTo see how to configure an SSH tunnel, see this example. Tunneling is often used together with SSH keys and\r\npublic key authentication to fully automate the process.\r\nBenefits of SSH tunneling for enterprises\r\nSSH tunnels are widely used in many corporate environments that employ mainframe systems as their application\r\nbackends. In those environments the applications themselves may have very limited native support for security.\r\nBy utilizing tunneling, compliance with SOX, HIPAA, PCI-DSS and other standards can be achieved without\r\nhaving to modify applications.\r\nIn many cases these applications and application servers are such that making code changes to them may be\r\nimpractical or prohibitively expensive. Source code may not be available, the vendor may no longer exist, the\r\nproduct may be out of support, or the development team may no longer exist. Adding a security wrapper, such as\r\nSSH tunneling, has provided a cost-effective and practical way to add security for such applications. For example,\r\nentire country-wide ATM networks run using tunneling for security. 
\r\nSSH's Tectia SSH Client/Server is a commercial solution that can provide secure application tunneling along\r\nwith SFTP and secure remote access for enterprises.\r\nSSH tunneling in the corporate risk portfolio\r\nAs useful as SSH tunneling is, it also creates risk that needs to be addressed by corporate IT security teams. SSH\r\nconnections are protected with strong encryption. This makes their content invisible to most deployed network\r\nmonitoring and traffic filtering solutions. This invisibility carries considerable risk potential if it is used for\r\nmalicious purposes such as data exfiltration. Cybercriminals or malware could exploit SSH tunnels to hide their\r\nunauthorized communications, or to exfiltrate stolen data from the target network.\r\nIn an SSH back-tunneling attack, the attacker sets up a server outside the target network (in Amazon AWS, for\r\nexample). Once the attacker is in the target system, she connects to the outside SSH server from the inside. Most\r\norganizations permit outgoing SSH connections, at least if they have servers in a public cloud. This SSH\r\nconnection is set up with an option that enables TCP port forwarding from a port on the external server to an SSH\r\nport on a server in the internal network. Setting up this SSH back-tunnel requires a single one-line command on\r\nthe inside, and it can easily be automated. Most firewalls offer little to no protection against it.\r\nThere are several widely known and documented cases of malware leveraging the SSH protocol as a means for\r\nhiding data exfiltration and command channels. Several instances of malware have been actively collecting SSH\r\nkeys. 
Captured and collected SSH keys have also been sold on hacker forums.\r\nCombined with attacks based on unmanaged SSH keys, SSH tunneling allows an attacker to utilize stolen SSH\r\nkeys for an intranet from the public Internet.\r\nSSH tunneling attacks can also be used for hiding the source of the attack. It is common for hackers to bounce\r\nattacks off systems and devices that allow SSH port forwarding to hide their tracks. This allows them to probe for\r\nvulnerabilities, try various login credentials, or run attack tools against email, web, telephony and any other\r\nprotocols. Bouncing an attack through a dozen random devices via encrypted tunnels also carrying other traffic\r\nmakes it virtually untraceable. Akamai documented millions of IoT devices being used in this way.\r\nCountering these risks requires the capability to monitor, control and audit encrypted SSH connections. For\r\npreventing bouncing, it requires proper configuration and hardening of IoT operating systems.\r\nIt should also be noted that tunneling attacks are not specific to SSH - a competent programmer can write a tool to\r\ntunnel ports in a few hours and can run it on any machine on the internal network. Any laptop or other device on\r\nthe internal network can do it - it just needs to be able to communicate with some (any) service on the Internet.\r\nSuch a tool could be made to work over SSL/TLS, could emulate HTTP, or could operate over UDP and use\r\npackets that look like DNS requests and responses. SSH just makes it easier for non-programmers. The only way to\r\nprotect against tunneling attacks by people who are able to run software on the inside or connect any device to\r\nthe internal network is to allow only protocols you can inspect through the firewall.\r\nHow to configure an SSH tunnel\r\nSee the configuration example page for detailed configuration instructions. 
The SSH command line options and\r\nSSH server configuration file pages may also be helpful.\r\nSource: https://www.ssh.com/ssh/tunneling",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.ssh.com/ssh/tunneling"
	],
	"report_names": [
		"tunneling"
	],
	"threat_actors": [],
	"ts_created_at": 1775434955,
	"ts_updated_at": 1775826762,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6aaf398119a1533cb768b610f44fb07d0233bbae.pdf",
		"text": "https://archive.orkl.eu/6aaf398119a1533cb768b610f44fb07d0233bbae.txt",
		"img": "https://archive.orkl.eu/6aaf398119a1533cb768b610f44fb07d0233bbae.jpg"
	}
}