SSH-Tunnel Access for hMailServer and other Ports

This section contains user-submitted tutorials.
Dravion
Senior user
Posts: 1489
Joined: 2015-09-26 11:50
Location: Germany

SSH-Tunnel Access for hMailServer and other Ports

Post by Dravion » 2019-01-26 20:19

This guide applies mainly to root and VPS servers running on the public Internet, but is not restricted to them.

WARNING: This is an advanced tutorial.
First test it inside VirtualBox or something similar before applying it to your production server!

The Problem:
Nmap scan report for xxx.xxxxxx.com (xxx.xxx.xxx.xxx)
Host is up (0.024s latency).
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
554/tcp open rtsp
587/tcp open submission
990/tcp open ftps
993/tcp open imaps
995/tcp open pop3s
1028/tcp open unknown
3306/tcp open mysql
3389/tcp open ms-wbt-server
7070/tcp open realserver

As you can see, many Windows root/VPS servers expose a lot of ports to the Internet. This is far from ideal; we should close, by firewall, any port which doesn't need to be exposed to the public. The problem: some ports are needed for specific tasks and services and cannot be closed without harm, so we need a different solution.

Prerequisites:
I expect you have a running Windows Server 2008/2008 R2, 2012/2012 R2 or 2016/2019
in your VirtualBox, VMware, Hyper-V or QEMU/KVM, on real hardware, or as a third-party hosted Windows Server with a static IPv4 address.

I assume your Remote Desktop Service is running on your Windows Server.
If not, type the following command into a Windows Admin Command Prompt and press ENTER:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

After you have executed the above command, your Windows Server should be accessible via Remote Desktop Client.
Log in to your static IP address with a user from the local Windows Server Administrators group and its password.
If you cannot access your Windows Server via Remote Desktop due to a timeout, execute the following firewall rules (hit ENTER after each):

netsh advfirewall firewall add rule name="RemoteDesktop_IN" dir=in action=allow protocol=TCP localport=3389 profile=public
netsh advfirewall firewall add rule name="RemoteDesktop_OUT" dir=out action=allow protocol=TCP localport=3389 profile=public

Install a decent browser like Firefox and the latest 32-bit version of official hMailServer, and configure a dummy domain with
an account called account01 and password MyPa$$word.

From now on we use only Remote Desktop connections.
Under normal circumstances, your hosting provider should have enabled Remote Desktop
already on your Windows Server, but in some cases (Amazon AWS or Azure) you might need to follow a few steps to enable it yourself.

Let's begin:
1) Open a Windows Command Prompt "as Administrator...".
2) Create a new Windows account by typing in: net user /add sysmanager
3) Change the password: net user sysmanager MyPa$$word
4) Add the user to the Administrators group: net localgroup administrators sysmanager /add
5) Log off from the local console and log in with the new "sysmanager" user
via Remote Desktop; from now on all tasks will be done by Remote Desktop.

Changing the Windows Firewall settings
There is a difference between stopping the Windows Firewall service process and altering the firewall profile rules.
Windows Firewall has 3 profiles: Public (open to the Internet, or WAN), Domain (your Active Directory domain)
and Private (localhost only).

Turning off the Windows Firewall
1) Open a Windows Command Prompt as sysmanager
2) Type in: netsh advfirewall set allprofiles state off

This will disable all firewall rules but doesn't stop the Firewall service process.

Now we will delete all existing firewall rules.
Open a Windows Command Prompt as Administrator, type in the following commands and hit ENTER:

netsh advfirewall firewall delete rule name=all dir=in profile=any
netsh advfirewall firewall delete rule name=all dir=out profile=any
netsh advfirewall firewall delete rule name=all && netsh advfirewall set allprofiles state off

The last line will prevent the firewall from being automatically re-enabled, which would kick us out otherwise!

Install and set up Cygwin as SSH server
01) Open Firefox and go to www.cygwin.com
02) Look for setup-x86_64.exe, click it and download it.
03) In your Downloads folder, double-click setup-x86_64
04) Skip the welcome screen, select "Install from Internet" and click Next
05) Select C:\cygwin64 (default) as root and click Next
06) Leave Local Package Directory at its default and click Next, and Next again
07) Choose a download site near you and click Next
08) In the Select Packages window, you can select common Linux programs to install
09) In the search box type in: ssh, expand the nodes "+All" and "+Net" and select OpenSSH.
In OpenSSH select the dropdown, choose 7.9p1-1 and click Next; this will take a moment.
Click the Finish button.

Configuring the Cygwin SSH server as a Windows service
1) On your Desktop, right-click "Cygwin64 Terminal" and select "Run as administrator"
2) In the Cygwin Terminal type in: ssh-host-config
3) Type in yes if asked for "StrictMode" and hit ENTER
Type in yes if asked "new local account sshd" and hit ENTER
Type in yes if asked "install sshd as service?" and hit ENTER
Type in no if asked "Do you want a different name?" and hit ENTER
Type in yes if asked "create privileged user cyg_server" and hit ENTER
Type in a password (attention: must be 8 chars and complex, or ERROR!) + ENTER

If everything worked out so far, you should see the following line:
Info: Host configuration finished. Have fun!

Now start your new Windows SSH server by typing: net start sshd + ENTER

This should look like this:
The CYGWIN sshd service is starting.
The CYGWIN sshd service was started successfully.

Time for PuTTY (our Windows SSH client)
Now our Windows Server has an SSH server running which will be available automatically on every
Windows boot. SSH is an encrypted connection, and to access it we need
to install an SSH client. There are a few of them, but my favorite is PuTTY. It's small and has everything we need.

Download PuTTY to your workstation (not your Windows Server) and install it; select the Windows 64-bit Windows Installer:
https://www.chiark.greenend.org.uk/~sgt ... atest.html

Connecting to your new Windows SSH server
1) Open PuTTY, type in sysmanager@220.240.130.44 and port 22, and click Save.
2) Click Load and then the "Open" button below, click "Yes" in the warning dialog, type in your password (in this guide MyPa$$word) and hit ENTER.

Hint:
Every new SSH user is a Windows user account!
If someone needs access to your Windows Server via SSH, you need to add a normal Windows user; this user will automatically
be able to log in via an SSH client from a remote computer.

Firewall: closing ports for public access
Now we can add all port rules we need to the Private Windows Firewall profile so they are
no longer visible from the outside. When this part is finished, only SMTP, SSH and
HTTPS should be listed as public ports.

Allowing Remote Desktop Connections to localhost only
netsh advfirewall firewall add rule name="RemoteDesktop_IN" dir=in action=allow protocol=TCP localport=3389 profile=private
netsh advfirewall firewall add rule name="RemoteDesktop_OUT" dir=out action=allow protocol=TCP localport=3389 profile=private

Allowing SSH Connections from the public Internet
netsh advfirewall firewall add rule name="SSH_IN" dir=in action=allow protocol=TCP localport=22 profile=public
netsh advfirewall firewall add rule name="SSH_OUT" dir=out action=allow protocol=TCP localport=22 profile=public

Showtime:
Now we will kick ourselves out!

Open a Windows Admin Command Prompt and type the following command

netsh advfirewall set allprofiles state on

and hit ENTER -> This will end your Remote Desktop session, but don't worry.

What happened?
You re-enabled the Windows Firewall, and there is only one public port configured at this time: SSH!
Nothing but SSH access is allowed right now, and that's exactly what we want at this point in time.
To regain access via Remote Desktop Client we need to grant access to the Remote Desktop Service to localhost
and grant access to it for incoming SSH-tunnel connections.

PuTTY and the tunnel
On your workstation computer (not your Windows Server) open a normal, non-Administrator Command Prompt and type in:

plink.exe and hit ENTER
If you see something like "Plink: command-line connection utility" as response, all is good;
if not, add the "C:\Program Files\PuTTY\plink.exe" path to your Windows system environment PATH variable so
plink can be found on the Windows Command Prompt.

Next steps:
1) Type in your Windows Command Prompt:
start /B plink -pw MyPa$$word sysmanager@220.240.130.44 -L 11:localhost:3389 -P 22
2) Open Remote Desktop Connection and type in localhost:11
3) Click on "Show options", type in "sysmanager" as user and click Connect
4) Type in your password: MyPa$$word and click OK

Now you are back on your Windows Server with Remote Desktop, but this time via an SSH-tunnel connection!
You can start as many tunnels using "plink.exe" as you need, or use a BAT script file which creates the tunnels for you
(see the attached ptunnel.bat script).

Make hMailServer great / work again

1) Open a Windows Admin Command Prompt on your Windows Server

2) Type in the following commands and hit ENTER

Allow SMTP on Port 25 to the Public
netsh advfirewall firewall add rule name="SMTP_25_IN" dir=in action=allow protocol=TCP localport=25 profile=any
netsh advfirewall firewall add rule name="SMTP_25_OUT" dir=out action=allow protocol=TCP localport=25 profile=any

Allow Submission on Port 587, restricted to localhost only
netsh advfirewall firewall add rule name="Submission_IN" dir=in action=allow protocol=TCP localport=587 profile=private
netsh advfirewall firewall add rule name="Submission_OUT" dir=out action=allow protocol=TCP localport=587 profile=private

Allow POP3 on Port 110, restricted to localhost only
netsh advfirewall firewall add rule name="POP3_IN" dir=in action=allow protocol=TCP localport=110 profile=private
netsh advfirewall firewall add rule name="POP3_OUT" dir=out action=allow protocol=TCP localport=110 profile=private

Allow IMAP on Port 143, restricted to localhost only
netsh advfirewall firewall add rule name="IMAP_IN" dir=in action=allow protocol=TCP localport=143 profile=private
netsh advfirewall firewall add rule name="IMAP_OUT" dir=out action=allow protocol=TCP localport=143 profile=private

And so on, and on.
If you need port 21 for example, just copy and paste and modify it to your needs; that's it!

Thunderbird / Outlook hMailServer SSH-tunnel connections
When creating new hMailServer accounts, keep in mind that you now need two
accounts: a Windows account (not admin) and an hMailServer account. The Windows account is
required to connect via SSH to your Windows Server, the hMailServer account to let Thunderbird and Outlook connect to your hMailServer.

Screenshot, Thunderbird configuration example:
SSH-Thunderbird.jpg
As you can see in the screenshot,
every client, or even Remote Desktop, needs 127.0.0.1 or localhost as IP address.
If ptunnel.bat is running, plink.exe will catch all requests by port and redirect them through the SSH tunnel as long as ptunnel.bat
is closed. If you close ptunnel.bat, Thunderbird or Outlook can no longer access hMailServer, and Remote Desktop cannot access the
Windows Server either.

This tutorial works not only on Windows Server. It will work from XP up to Windows 10 just fine, but Windows Server will be the most likely
version in popular hosting plans.

Tip:
Check out the attached ptunnel.bat script. Change it to your needs, and always double-click it and leave it open as long as you wish to connect to
your Windows Server to receive and send email via hMailServer with Thunderbird or Outlook.
Attachments: ptunnel.zip (356 Bytes)
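As an added example that is not part of Dravion's post (and not hMailServer or PuTTY code), the server-side rule set from the post can be expressed with the Windows NetSecurity PowerShell cmdlets (Windows Server 2012 or later) instead of netsh, together with the check a practitioner wants after the lockout step: a listing of every enabled inbound allow rule whose profile still includes Public, which is exactly what the Internet can still reach. Only inbound rules are created, because the Windows Firewall default for outbound traffic is Allow, so the post's _OUT rules add nothing. The rule names, ports and profiles are the post's own; the function names are mine, and the script assumes it is run in the SSH-tunnelled RDP session the post describes, since its last step re-enables the firewall.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the forum post. Run it inside the SSH-tunnelled RDP
# session the post describes: the last step re-enables the firewall on all profiles.

# Rule set from the post: Public/Any = reachable from the Internet,
# Private = reached through the SSH tunnel only.
$RuleSet = @(
    @{ Name = 'SSH_IN';           Port = 22;   FwProfile = 'Public'  }
    @{ Name = 'SMTP_25_IN';       Port = 25;   FwProfile = 'Any'     }
    @{ Name = 'RemoteDesktop_IN'; Port = 3389; FwProfile = 'Private' }
    @{ Name = 'Submission_IN';    Port = 587;  FwProfile = 'Private' }
    @{ Name = 'POP3_IN';          Port = 110;  FwProfile = 'Private' }
    @{ Name = 'IMAP_IN';          Port = 143;  FwProfile = 'Private' }
)

function Set-TunnelRule {
    # Creates (or replaces) one inbound TCP allow rule. Idempotent by display name,
    # so re-running the script never accumulates duplicate rules.
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [ValidateSet('Public', 'Private', 'Domain', 'Any')] [string] $FwProfile
    )
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $Port -Profile $FwProfile | Out-Null
}

function Get-PublicInboundRules {
    # Every enabled inbound allow rule whose profile includes Public or Any: this is
    # what the Internet can still reach. After the post's lockout only 22 and 25
    # (plus any built-in rules you chose to keep) should be listed here.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object { "$($_.Profile)" -match 'Public|Any' } |
        ForEach-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Protocol  = $portFilter.Protocol
                LocalPort = $portFilter.LocalPort
                Profile   = $_.Profile
            }
        }
}

foreach ($rule in $RuleSet) { Set-TunnelRule @rule }

# The post's "netsh advfirewall set allprofiles state on": this drops any RDP session
# that is not coming in through the SSH tunnel.
Set-NetFirewallProfile -All -Enabled True

Get-PublicInboundRules | Sort-Object LocalPort | Format-Table -AutoSize
```

Run the listing function alone, before the lockout, to see which built-in rules still expose ports on the Public profile; a rule that shows `LocalPort = Any` or a port outside the post's list is the one to investigate before trusting the nmap result.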

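The client side, again as an added example and not the post's attached ptunnel.bat: a PowerShell launcher for the workstation that starts one plink process forwarding the post's four ports (Remote Desktop on local port 11, plus 587, 110 and 143) to the server's loopback, so Remote Desktop, Thunderbird and Outlook all point at localhost as the post describes. It assumes plink.exe is on PATH, reuses the post's example address and user, and authenticates with a PuTTY private key (the path is a placeholder) rather than the post's -pw flag, because a password passed on the command line is readable by anyone who can list processes on the workstation. The -batch switch makes plink abort on an unknown or changed host key instead of prompting, which requires the key to have been accepted once in PuTTY already (the post's PuTTY login step does that). The port-in-use check is mine; without it one forward can fail while the others come up, which looks like a tunnel that "half works".

```powershell
# Added example, not the post's ptunnel.bat. Run on the workstation, not on the server.
# Assumptions: plink.exe on PATH, server address/user as in the post, key-based login.
$Target  = 'sysmanager@220.240.130.44'                 # example values from the post
$SshPort = 22
$KeyFile = "$env:USERPROFILE\.ssh\hmail-tunnel.ppk"    # placeholder: your PuTTY .ppk private key

# local listening port -> service port on the server's loopback (as laid out in the post)
$Forwards = [ordered]@{
    11  = 3389   # Remote Desktop: point mstsc at localhost:11
    587 = 587    # Submission for Thunderbird/Outlook
    110 = 110    # POP3
    143 = 143    # IMAP
}

function Get-PlinkArgumentList {
    # Builds the plink argument list: one -L forward per entry, no remote shell (-N),
    # and -batch so an unknown or changed host key aborts instead of prompting.
    param(
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Map,
        [Parameter(Mandatory)] [string] $Target,
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [string] $KeyFile
    )
    $argList = @('-ssh', '-batch', '-N', '-P', "$Port", '-i', $KeyFile)
    foreach ($local in $Map.Keys) {
        $argList += @('-L', ('{0}:localhost:{1}' -f $local, $Map[$local]))
    }
    $argList += $Target
    return $argList
}

function Test-LocalPortsFree {
    # Refuses to start if another process already listens on one of the forward
    # ports; otherwise that single forward fails while the others come up.
    param([Parameter(Mandatory)] [System.Collections.IDictionary] $Map)
    $busy = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Map.Contains([int]$_.LocalPort) } |
        Select-Object -ExpandProperty LocalPort -Unique
    if ($busy) { throw "Local port(s) already in use: $($busy -join ', ')" }
}

Test-LocalPortsFree -Map $Forwards
$plinkArgs = Get-PlinkArgumentList -Map $Forwards -Target $Target -Port $SshPort -KeyFile $KeyFile
Write-Host "Starting tunnel: plink $($plinkArgs -join ' ')"
Write-Host "Leave this window open; closing it drops all forwards at once."
& plink.exe @plinkArgs
```

Save it as, for example, ptunnel.ps1 and start it from a normal (non-Administrator) PowerShell window, matching the post's advice for the tunnel; mail clients then use 127.0.0.1 with ports 587, 110 and 143, and Remote Desktop uses localhost:11.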
mattg
Moderator
Posts: 20299
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: SSH-Tunnel Access for hMailServer and other Ports

Post by mattg » 2019-01-28 01:49

Dravion wrote:
2019-01-26 20:19
The Problem:
Nmap scan report for xxx.xxxxxx.com (xxx.xxx.xxx.xxx)
Host is up (0.024s latency).
PORT STATE SERVICE
21/tcp open ftp
25/tcp open smtp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
465/tcp open smtps
554/tcp open rtsp
587/tcp open submission
990/tcp open ftps
993/tcp open imaps
995/tcp open pop3s
1028/tcp open unknown
3306/tcp open mysql
3389/tcp open ms-wbt-server
7070/tcp open realserver
Seeing this makes me glad that I run my own servers and a firewall appliance. My only accessible ports from outside are the specific ports that I allow.
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

Dravion
Senior user
Posts: 1489
Joined: 2015-09-26 11:50
Location: Germany

Re: SSH-Tunnel Access for hMailServer and other Ports

Post by Dravion » 2019-01-29 00:02

Yeah, appliances are cool.
But if you rent a Windows Server, for example on HostGator for 40 bucks per month, you don't have a sophisticated firewall appliance in front of it.
It's of course a different situation if you host your own hardware in your LAN with a public IP to the Internet.

SorenR
Senior user
Posts: 3228
Joined: 2006-08-21 15:38
Location: Denmark

Re: SSH-Tunnel Access for hMailServer and other Ports

Post by SorenR » 2019-01-29 00:34

Go to https://www.grc.com/x/ne.dll?bh0bkyd2 and do the ShieldsUP! testing... I've been following him since 2001... Cool dude, Steve Gibson; he writes most of his Windows programs in Assembler :shock:

His SpinRite has saved me on many occasions; it works both at 1G on Earth and 0G on the International Space Station (the .ISO file is only 1.45MB) :mrgreen:

@Dravion

I use VNC on my server so I can access it from my phone :mrgreen:
SørenR.

“With age comes wisdom, but sometimes age comes alone.”
- Oscar Wilde

Dravion
Senior user
Posts: 1489
Joined: 2015-09-26 11:50
Location: Germany

Re: SSH-Tunnel Access for hMailServer and other Ports

Post by Dravion » 2019-01-29 06:55

Assembler for app development - insane :D

But cool, :lol:
