Modbus over SSH

0 votes
asked May 18 by Prabhakar (390 points)

I wanted to use Modbus TCP to talk to a device (slave). I am planning to use nmodbus4 (https://github.com/NModbus4/NModbus4). How do I use the Rebex SSH library with nmodbus4 to have secured communication?

1 Answer

0 votes
answered May 18 by Lukas Pokorny (96,250 points)

I assume your scenario looks like this:

client <------> server <------> modbus device

Where the communication between client and server uses SSH and the communication between the server and the modbus device uses unencrypted TCP.

In this case, you would have to configure the server to allow outgoing SSH tunneling (unless it's enabled by default) and use Rebex Terminal Emulation's Ssh object to establish a tunnel:

// connect and log in to an SSH server
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);
ssh.Login(username, password);

// create tunneling rule
// to accept connections at localhost:8502
// and tunnel them over the SSH session through the SSH server
// to the specified Modbus device
SshTunnel tunnel = ssh.StartOutgoingTunnel(
    "localhost", 8502, // client-side source address
    "modbus_device_addresss", 502); // server-side target address

// use NModbus4 here - connect to localhost:8502 in order to use the SSH tunnel
...

// stop tunneling
tunnel.Close();

// close SSH connection
ssh.Disconnect();
commented May 18 by Prabhakar (390 points)
Thanks for your response. But there are only 2 devices.
client PC (modbus master) <------> server device (modbus slave)
The communication between PC and device is Modbus TCP secured.
commented May 18 by Lukas Pokorny (96,250 points)
Could you please specify what exactly "Modbus TCP secured" means? It's our understanding that Modbus over TCP does not offer any security by itself (and the article at https://www.rtaautomation.com/blog/modbus-security/ supports this). Does "server device (modbus slave)" support server-side SSH?
commented May 19 by Prabhakar (390 points)
Yes. The modbus slave supports server-side SSH.
commented May 21 by Lukas Pokorny (96,250 points)
In that case, my original code might still apply, but because "server" and "modbus device" are the same device, you would need to pass "localhost" as both the local and remote end in the StartOutgoingTunnel call (which means that "modbus_device_addresss" needs to be replaced with "localhost").

However, this would only work if this is how your device's Modbus over SSH is actually supposed to be used. We are unable to tell whether this is in fact the case.
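The tunnel from the answer combined with an NModbus4 read, as an added example that is not part of the original posts and is not Rebex or NModbus4 sample code. The class and method names, the environment variable, the host name "device.example", the user name, the unit ID and the register range are assumptions chosen for illustration; verification of the SSH server's host key is not shown.

```csharp
using System;
using System.Net.Sockets;
using Modbus.Device;   // NModbus4
using Rebex.Net;       // Ssh, SshTunnel

static class ModbusOverSshExample // hypothetical name
{
    // modbusTarget is resolved on the SSH server side: the device address in the
    // three-node layout, or "localhost" when the device itself is the SSH server.
    static ushort[] ReadRegisters(string sshHost, string user, string password,
                                  string modbusTarget, byte unitId,
                                  ushort start, ushort count)
    {
        var ssh = new Ssh();
        ssh.Connect(sshHost);
        SshTunnel tunnel = null;
        try
        {
            ssh.Login(user, password);
            // Listen on loopback only, so no other host on the client's network
            // can push unauthenticated Modbus requests into the tunnel.
            tunnel = ssh.StartOutgoingTunnel("localhost", 8502, modbusTarget, 502);

            using (var tcp = new TcpClient("localhost", 8502))
            using (var master = ModbusIpMaster.CreateIp(tcp))
            {
                // Fail instead of hanging if the far end of the tunnel is down.
                master.Transport.ReadTimeout = 3000;
                master.Transport.WriteTimeout = 3000;
                return master.ReadHoldingRegisters(unitId, start, count);
            }
        }
        finally
        {
            if (tunnel != null) tunnel.Close(); // stop tunneling first
            ssh.Disconnect();                   // then close the SSH session
        }
    }

    static void Main()
    {
        // Constructed sample values; the password comes from the environment.
        string password = Environment.GetEnvironmentVariable("MODBUS_SSH_PASSWORD");
        ushort[] regs = ReadRegisters("device.example", "operator", password,
                                      "localhost", 1, 0, 4);
        Console.WriteLine(string.Join(", ", regs));
    }
}
```

In the three-node layout only the client-to-server leg is encrypted; the hop from the SSH server to port 502 on the device is still plain Modbus TCP.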
commented Jul 30 by Prabhakar (390 points)
Hi Lukas,
If I have to buy Rebex pack for SSH, should I buy "Rebex Terminal Emulation"?
commented Jul 30 by Lukas Pokorny (96,250 points)
If you only need the Rebex Ssh object, then buying "Rebex Terminal Emulation" would be sufficient. You can also buy "Rebex SSH Pack", which includes "Rebex Terminal Emulation" (SSH and telnet clients), "Rebex SFTP" (SFTP client) and "Rebex File Server" (SFTP and SSH server). See the chart at https://www.rebex.net/kb/product-packages/
...