Enter your E-Mail address and sign up for our newsletter.

E-Mail:

It is important for you to understand the implications and potential risks of using a web based SSH client. Please make sure to read this page carefully prior to using the consoleFISH.

On this page it is first of all described how web based SSH clients work. The associated risks are discussed before the advantages and disadvantages of such systems are summarized. Finally, we present essential security strategies that shall be applied in order to minimize the risks associated with the use of a web based SSH client.

How it works.

To access SSH servers via your web browser, you have to use a tunnelling server (a so called SSH relay). This server is responsible for translating HTTP requests into SSH commands, and SSH replies back into HTTP responses. Ideally you communicate with the tunnelling server via HTTPS on port 443. The SSH tunnel is responsible for opening and maintaining an SSH session with your destination server on a secure connection (which is 22 by default).

The respective setup is summarized in the above figure. Your workstation (on the very left-hand side) may be behind a firewall or proxy, which only allows you to communicate on ports 80/443. On these ports, your SSH tunnel can be reached which itself maintains the secure connection to your secure shell server.

Why it can be dangerous.

Apart from the general risks associated with allowing SSH access to your servers (see this article for a discussion of security issues for example), in particular the use of a web based SSH client may be risky. This is due to the fact, that the employed SSH tunnel technically acts as a man-in-the-middle, who needs to read and translate your entire communication with the SSH server. As all of your communication is available in unencrypted form at the SSH tunnel, usernames and passwords could be stolen and the transmission of sensitive data could be logged.

Why you still might want to use web based SSH clients.

Taking these risks into consideration, it has to be clear that a web based SSH client can never be an equal substitute for a local SSH client application (which connects directly with your SSH server). Thus, if you can reach the ports of your SSH servers from within your environment, please make sure to use tools such as PuTTY or OpenSSH instead of the consoleFISH.

However, if you are within a company or a free public network, firewall/proxy settings may block access to port 22. In these scenarios, web based SSH clients represent a powerful tool for backup access to SSH servers. They make it possible for you to reach your shell from any browser on the internet, no matter where you are.

How to minimize risks.

So if you want (or have) to use a web based SSH client, please take the following security measures into consideration. They shall help you minimizing the risk of losing sensitive data.

  • Find yourself a trustworthy SSH tunnel. The best option of getting web based SSH access is to set up your own SSH tunnel. Several instructions on how to do so can be found on the internet. If you are not willing or able to set up your own tunnel, you may alternatively want to use a third-party service such as the one provided here. If you decide to do so, please make sure to carefully review the policies of your web shell provider. Our own security policy and system implementation can be summarized as follows:
    • No Data Logging/Storage. We never log any of the data forwarded by our SSH tunnels. In particular we do not and will never store passwords or sensitive data that is transmitted by use of the consoleFISH. Only the duration of individual sessions, IPs and usernames are logged for statistical/legal purposes (please also refer to our terms and conditions). In the unlikely event that our servers are compromised, no one will thus gain access to your systems.
    • HTTP over SSL. Of course all the communication between your browser and our servers is encrypted by use of SSL. All data is transmitted via HTTPS and the identity of serFISH.com is validated by use of a publically signed certificate.
    • Automatic Session Shutdown. When you're finished, you should always log out from the SSH session opened by use of the consoleFISH by typing exit. If you forget to do so, however, our server software will make sure that your connection is closed after a predefined amount of time has passed.
    If you think that our policies do not fit your needs, you might also want to take an alternative provider into account. Respective (non-free) services can easily be found by searching the web.
  • Control access to your SSH servers. We suggest that you restrict access to your SSH servers based on usernames as well as on IP addresses. Good practice is to allow only certain users to access your system from the consoleFISH IP - 78.47.79.193. Moreover, you should also set appropriate timeouts for all incoming SSH connections. Information on how to configure your SSH server and firewalls appropriately can be found on the web.
  • Use web based SSH clients wisely. It has already been mentioned before that web based SSH access must never be regarded as a replacement for the use of local client applications. It is thus recommended to use web based SSH clients only if you have no other possibility to reach your SSH servers.

Questions?

If you have any further questions, comments or concerns about the provided services or web shell security in general, please do not hesitate to get in touch with us.

All rights reserved, (c) serFISH.com, 2007-2016