0 votes
by (630 points)

I wanted to use Modbus TCP to talk to a device (slave). I am planning to use nmodbus4 (https://github.com/NModbus4/NModbus4). How do I use the Rebex SSH library with nmodbus4 to have secured communication?

1 Answer

0 votes
by (134k points)

I assume your scenario looks like this:

client <------> server <------> modbus device

Where the communication between client and server uses SSH and the communication between the server and the modbus device uses unencrypted TCP.

In this case, you would have to configure the server to allow outgoing SSH tunneling (unless it's enabled by default) and use Rebex Terminal Emulation's Ssh object to establish a tunnel:

// connect and log in to an SSH server
var ssh = new Rebex.Net.Ssh();
ssh.Connect(hostname);
ssh.Login(username, password);

// create tunneling rule
// to accept connections at localhost:8502
// and tunnel them over the SSH session through the SSH server
// to the specified Modbus device
SshTunnel tunnel = ssh.StartOutgoingTunnel(
    "localhost", 8502, // client-side source address
    "modbus_device_addresss", 502); // server-side target address

// use NModbus4 here - connect to localhost:8502 in order to use the SSH tunnel
...

// stop tunneling
tunnel.Close();

// close SSH connection
ssh.Disconnect();
by (630 points)
Thanks for your response. But there are only 2 devices.
client PC (modbus master) <------> server device (modbus slave)
The communication between PC and device is Modbus TCP secured.
by (134k points)
Could you please specify what exactly "Modbus TCP secured" means? It's our understanding that Modbus over TCP does not offer any security by itself (and the article at https://www.rtaautomation.com/blog/modbus-security/ supports this). Does "server device (modbus slave)" support server-side SSH?
by (630 points)
Yes. The modbus slave supports server-side SSH.
by (134k points)
In that case, my original code might still apply, but because "server" and "modbus device" are the same device, you would need to pass "localhost" as both the local and remote end in the StartOutgoingTunnel call (which means that "modbus_device_addresss" needs to be replaced with "localhost").

However, this would only work if this is how your device's Modbus over SSH is actually supposed to be used. We are unable to tell whether this is in fact the case.
by (630 points)
Hi Lukas,
If I have to buy Rebex pack for SSH, should I buy "Rebex Terminal Emulation"?
by (134k points)
If you only need the Rebex Ssh object, then buying "Rebex Terminal Emulation" would be sufficient. You can also buy "Rebex SSH Pack", which includes "Rebex Terminal Emulation" (SSH and telnet clients), "Rebex SFTP" (SFTP client) and "Rebex File Server" (SFTP and SSH server). See the chart at https://www.rebex.net/kb/product-packages/
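The two-device case discussed in this thread, with the NModbus4 step filled in, as an added example that is not part of the original answer or of Rebex's own samples. The class and method names, the slave ID and the register range are assumptions chosen for illustration; the Rebex calls are the ones shown in the answer above.

```csharp
using System;
using System.Net.Sockets;
using Modbus.Device;   // NModbus4
using Rebex.Net;       // Ssh, SshTunnel

static class ModbusOverSsh   // hypothetical helper class
{
    // Reads holding registers from a device that is both the SSH server
    // and the Modbus slave.
    public static ushort[] ReadRegisters(string deviceHost, string user, string password)
    {
        const int LocalPort = 8502;  // local tunnel entry point, as in the answer
        const byte SlaveId = 1;      // constructed sample value
        const ushort Start = 0;      // constructed sample value
        const ushort Count = 4;      // constructed sample value

        var ssh = new Ssh();
        ssh.Connect(deviceHost);
        SshTunnel tunnel = null;
        try
        {
            // Check the server's host key against a pinned value before this
            // point; without that check the tunnel can end at an impostor.
            ssh.Login(user, password);

            // Source "localhost" keeps the listener on the loopback interface,
            // so other hosts on the client's network cannot use the tunnel.
            // Target "localhost" is resolved on the device itself.
            tunnel = ssh.StartOutgoingTunnel("localhost", LocalPort, "localhost", 502);

            // NModbus4 speaks plain Modbus TCP to the local end of the tunnel.
            using (var tcp = new TcpClient("localhost", LocalPort))
            using (var master = ModbusIpMaster.CreateIp(tcp))
            {
                master.Transport.ReadTimeout = 3000; // milliseconds
                return master.ReadHoldingRegisters(SlaveId, Start, Count);
            }
        }
        finally
        {
            // Tear down in reverse order even if the Modbus read throws.
            if (tunnel != null) tunnel.Close();
            ssh.Disconnect();
        }
    }
}
```

Only the hop between the PC and the device's SSH service is encrypted; the Modbus port on the device still accepts plain TCP unless the device restricts it to its own loopback interface.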