It is important for you to understand the implications and potential risks of using a web based SSH client. Please make sure to read this page carefully prior to using the consoleFISH.
On this page it is first of all described how web based SSH clients work. The associated risks
are discussed before the advantages and disadvantages of such systems are summarized. Finally,
we present essential security strategies that shall be applied in order to minimize the risks
associated with the use of a web based SSH client.
How it works.
To access SSH servers via your web browser, you have to use a tunnelling server (a so called
SSH relay). This server is responsible for translating HTTP requests into SSH commands, and SSH
replies back into HTTP responses. Ideally you communicate with the tunnelling server via HTTPS
on port 443. The SSH tunnel is responsible for opening and maintaining an SSH session with your
destination server on a secure connection (which is 22 by default).
The respective setup is summarized in the above figure. Your workstation (on the very
left-hand side) may be behind a firewall or proxy, which only allows you to communicate on ports
80/443. On these ports, your SSH tunnel can be reached which itself maintains the secure
connection to your secure shell server.
Why it can be dangerous.
Apart from the general risks associated with allowing SSH access to your servers (see
this article for a
discussion of security issues for example), in particular the use of a web based SSH
client may be risky. This is due to the fact, that the employed SSH tunnel technically acts
as a man-in-the-middle, who needs to read and translate your entire communication with the
SSH server. As all of your communication is available in unencrypted form at the SSH tunnel,
usernames and passwords could be stolen and the transmission of sensitive data could be
Why you still might want to use web based SSH clients.
Taking these risks into consideration, it has to be clear that a web based SSH client can
never be an equal substitute for a local SSH client application (which connects directly with
your SSH server). Thus, if you can reach the ports of your SSH servers from within your
environment, please make sure to use tools such as
OpenSSH instead of the
However, if you are within a company or a free public network, firewall/proxy settings
may block access to port 22. In these scenarios, web based SSH clients represent a powerful
tool for backup access to SSH servers. They make it possible for you to reach your shell from
any browser on the internet, no matter where you are.
How to minimize risks.
So if you want (or have) to use a web based SSH client, please take the following security
measures into consideration. They shall help you minimizing the risk of losing sensitive data.
Find yourself a trustworthy SSH tunnel. The best option of getting web based SSH access
is to set up your own SSH tunnel. Several instructions on how to do so can be found on the internet.
If you are not willing or able to set up your own tunnel, you may alternatively want to use a
third-party service such as the one provided here. If you decide to do so,
please make sure to carefully review the policies of your web shell provider. Our own security policy and system
implementation can be summarized as follows:
If you think that our policies do not fit your needs, you might also want to take an alternative
provider into account. Respective (non-free) services can easily be found by searching the web.
No Data Logging/Storage. We never log any of the data forwarded by our SSH tunnels.
In particular we do not and will never store passwords or sensitive data that is transmitted by
use of the consoleFISH. Only the duration of individual sessions, IPs
and usernames are logged for statistical/legal purposes (please also refer to our
terms and conditions). In the unlikely event that our servers are
compromised, no one will thus gain access to your systems.
HTTP over SSL. Of course all the communication between your browser and our servers
is encrypted by use of SSL. All data is transmitted via HTTPS and the identity of serFISH.com
is validated by use of a publically signed certificate.
Automatic Session Shutdown. When you're finished, you should always log out from the SSH
session opened by use of the consoleFISH by typing
exit. If you forget to do so, however, our server software will make
sure that your connection is closed after a predefined amount of time has passed.
Control access to your SSH servers. We suggest that you restrict access to your SSH servers
based on usernames as well as on IP addresses. Good practice is to allow only certain users to access
your system from the consoleFISH IP - 220.127.116.11. Moreover, you should also
set appropriate timeouts for all incoming SSH connections. Information on how to configure your SSH
server and firewalls appropriately can be found on the web.
Use web based SSH clients wisely. It has already been mentioned before that web based SSH
access must never be regarded as a replacement for the use of local client applications. It is thus
recommended to use web based SSH clients only if you have no other possibility to reach your SSH servers.
If you have any further questions, comments or concerns about the provided services or web shell
security in general, please do not hesitate to get in
touch with us.