Disabling SSH tunneling

SSH tunneling, or as it's sometimes called, SSH port forwarding, is a handy way to protect non-secure protocols. For example, by tunneling normal HTTP through an SSH tunnel, you can access a non-secure website in a secure fashion. To do this, you would do the following:

sudo ssh -L 80:localhost:80 [email protected]

I had to use sudo here because all network ports below port 1024 are privileged ports. If I were to change the web server configuration to listen on a non-privileged high-number port, I wouldn't need sudo.

Now, to connect to this site in a secure manner, I can just open the web browser on my local machine and type in the following URL:

http://localhost

Yeah, it seems strange to access a remote machine by typing in localhost, but that's the designator I used when I logged in with SSH: the localhost in -L 80:localhost:80 is resolved on the remote server, so port 80 on my local machine now forwards to port 80 on that server. I could have used another name, but localhost is the name you traditionally see in SSH tutorials, so I'm following suit here. Now, as soon as I log out of the SSH session, my connection to the web server will break.

Even though this sounds like a good idea, it actually creates a security problem. Let's say that your corporate firewalls are set up to prevent people from going home and remoting into their company workstations. That's a good thing, right? Now, let's say that the company firewall has to allow outbound SSH connections. A user could create an SSH tunnel from their company workstation to their computer at another location, then go to that location and create a reverse tunnel back to their company workstation. So, if it isn't possible to block outgoing SSH traffic at the firewall, then your best bet is to disable SSH tunneling. In your sshd_config file, ensure that you have lines that look like this:

AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no

Restart the SSH service, as always. Now, port tunneling will be disabled. Keep in mind that these directives only govern the sshd on the host where you set them, so they need to go on every host you control that accepts SSH logins; you can confirm the effective values with sudo sshd -T | grep -iE 'forwarding|gatewayports|permittunnel'.
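As an added example (not from the book), here is a small Python audit script that checks the global section of an sshd_config for these four directives, taking into account that sshd applies the first occurrence of a keyword and falls back to its built-in defaults when a directive is missing (AllowTcpForwarding and AllowStreamLocalForwarding default to yes, so simply omitting them leaves tunneling enabled). The two sample configs are constructed for the demonstration.

```python
import re

# OpenSSH's built-in defaults, used when a directive is absent from the file.
DEFAULTS = {"allowtcpforwarding": "yes", "allowstreamlocalforwarding": "yes",
            "gatewayports": "no", "permittunnel": "no"}

def parse_sshd_config(text):
    """Return {keyword: value} for the global section of an sshd_config.
    Mirrors sshd: keywords are case-insensitive, the FIRST occurrence wins,
    and anything after a Match block is conditional, so parsing stops there."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        m = re.match(r"([A-Za-z]+)\s*[=\s]\s*(\S+)", line)  # "Key value" or "Key=value"
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings

def audit_forwarding(text):
    """Return (directive, effective_value, set_explicitly) for every directive
    whose effective value, explicit or defaulted, still permits forwarding."""
    settings = parse_sshd_config(text)
    return [(key, settings.get(key, default), key in settings)
            for key, default in DEFAULTS.items()
            if settings.get(key, default) != "no"]

# Constructed sample: GatewayPorts is fine, TCP forwarding is explicitly on, and
# AllowStreamLocalForwarding is silently left at its default of yes.
WEAK_CONFIG = """
GatewayPorts no
AllowTcpForwarding yes
Match User backup
    AllowTcpForwarding no
"""

# Constructed sample: the four lines recommended above.
HARDENED_CONFIG = """
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
"""
```

Run audit_forwarding() on the contents of /etc/ssh/sshd_config; an empty list means all four directives are effectively set to no in the global section (per-user Match blocks still need a manual look).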

Now that you know how to disable SSH tunneling, let's talk about changing the default port.
