SSH Tunneling and reverse SSH

Any system engineer, and anyone who provides remote support to customers, needs a way to open a remote connection to the other end's server or PC, whether through a VPN, a public IP or some other route. One easy yet effective approach is to establish an SSH tunnel by means of reverse SSH.

There are many uses for reverse SSH, but here we deal with the two most common scenarios:

Scenario #1:

You want to connect to a PC or server that sits behind a firewall or is otherwise unreachable from the internet. Your laptop, on the other hand, is connected to the internet through your router. If you don't have a public IP on your laptop you can use dyndns.com and register a domain like mehrdust.dyndns.com. Dyndns is not the subject here, so we assume the router is configured to forward the SSH port (default: 22) to the IP of your laptop. Now all you need to do is run this on the PC:

ssh -N -R 10555:localhost:22 username@mehrdust.dyndns.com

Note: 10555 could be any available port on your laptop. The -R 10555:localhost:22 option makes the laptop listen on port 10555 and forward any connection to that port back through the tunnel to port 22 on the PC (this is SSH tunneling in its basic form).

Next, ssh to port 10555 on your laptop and you will actually be sshing to port 22 on the firewalled machine:

ssh -p 10555 PCusername@localhost

Scenario #2:

Now let's presume that we want to log in remotely to a customer's server from our desktop PC in the office. The catch is that neither side is reachable from the internet (no public IP, no dyndns). But we have a server or PC that is reachable, and we can simply use it as a platform (a middleman) between the customer's server and your desktop.

So here is how it works:

Customer server IP: 192.168.0.199/24, Linux user: support
Middleman public IP: 60.55.111.222, Linux user: miduser
Your desktop PC IP: 192.168.1.55/24, user: mehrdust

All you need to do is to ask your customer to run this on their server:

ssh -f -N -R 10050:localhost:22 miduser@60.55.111.222

They will be prompted for miduser's password on the middleman.

You can now login to their server by running this from your desktop:

ssh -p 10050 support@60.55.111.222

Note:

Make sure you add the following to the sshd configuration on the middleman (usually /etc/ssh/sshd_config). GatewayPorts yes is what lets you reach port 10050 from your desktop; it also binds every remote forward to all interfaces of the middleman, so anyone who can reach its public IP can reach the tunnelled port.

TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes

After setting the above, restart the ssh daemon:

# service ssh restart
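The keepalive and GatewayPorts settings above decide two things a practitioner cares about: how long a dead tunnel keeps its port on the middleman bound (ClientAliveInterval times ClientAliveCountMax, which with 99999 is effectively forever, so a later reconnect to the same -R port fails) and whether the tunnelled port is reachable from the internet at all. The following added example, not part of the original post, audits a sshd_config block for those two points and shows a tighter variant next to the post's own block. It assumes the desktop can log in to the middleman, so the tunnel port need not be public; the function and variable names are this example's, not sshd's.

```shell
#!/bin/sh
# The sshd_config block from the post, as a constructed string for testing.
POST_CONFIG='TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 99999
GatewayPorts yes'

# A tighter block (assumption: the desktop can log in to the middleman, so
# the tunnel port does not need to be reachable from the internet). A dead
# tunnel is dropped after 30s * 3 and its port freed; forwards stay on loopback.
HARDENED_CONFIG='TCPKeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 3
GatewayPorts no'

# sshd_get KEY: print KEY's value from sshd_config text on stdin. sshd uses the
# first occurrence of a keyword, so stop at the first match; keywords are
# case-insensitive.
sshd_get() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# audit_tunnel_config CONFIG_TEXT: print one finding per line and return 1 if
# the settings leave dead or exposed tunnels around; return 0 when clean.
audit_tunnel_config() {
    cfg=$1
    n=0
    interval=$(printf '%s\n' "$cfg" | sshd_get ClientAliveInterval)
    countmax=$(printf '%s\n' "$cfg" | sshd_get ClientAliveCountMax)
    gateway=$(printf '%s\n' "$cfg" | sshd_get GatewayPorts)
    # sshd defaults when a keyword is absent
    : "${interval:=0}" "${countmax:=3}" "${gateway:=no}"

    if [ "$interval" -eq 0 ]; then
        echo "ClientAliveInterval 0: sshd never probes idle sessions, a dead tunnel keeps its port bound"
        n=$((n + 1))
    elif [ $((interval * countmax)) -gt 600 ]; then
        echo "ClientAliveInterval*ClientAliveCountMax = $((interval * countmax))s before a dead tunnel is dropped; keep it under 600s"
        n=$((n + 1))
    fi
    if [ "$gateway" = "yes" ]; then
        echo "GatewayPorts yes: remote forwards bind all interfaces, the tunnel port is open to anyone who can reach this host"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

# Usage: audit the post's block, then the tightened one.
audit_tunnel_config "$POST_CONFIG" || echo "-> the post's block needs tightening"
audit_tunnel_config "$HARDENED_CONFIG" && echo "hardened block: no findings"
```

With GatewayPorts no the desktop reaches the customer through the middleman instead of connecting to the forwarded port directly, for example ssh -J miduser@60.55.111.222 -p 10050 support@localhost (-J is OpenSSH's ProxyJump option); run sshd -t after editing the file and before restarting the daemon.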

To list the open tunnels on the middleman run:

# sudo lsof -i -n | egrep '\<sshd\>'
sshd      25407     root    3r  IPv4 777970       TCP 219.92.66.66:ssh->175.143.74.170:49104 (ESTABLISHED)
sshd      25415  support    3u  IPv4 777970       TCP 219.92.66.66:ssh->175.143.74.170:49104 (ESTABLISHED)
sshd      25415  support    9u  IPv6 778070       TCP [::1]:10150 (LISTEN)
sshd      25415  support   10u  IPv4 778071       TCP 127.0.0.1:10150 (LISTEN)
sshd      25471     root    3r  IPv4 778472       TCP 219.92.66.66:ssh->175.143.37.103:49533 (ESTABLISHED)
sshd      25479  support    3u  IPv4 778472       TCP 219.92.66.66:ssh->175.143.37.103:49533 (ESTABLISHED)
sshd      25551     root    3u  IPv4 778922       TCP *:ssh (LISTEN)
sshd      25551     root    4u  IPv6 778924       TCP *:ssh (LISTEN)
sshd      25554     root    3r  IPv4 778930       TCP 219.92.66.66:ssh->175.143.74.170:53246 (ESTABLISHED)
sshd      25562  support    3u  IPv4 778930       TCP 219.92.66.66:ssh->175.143.74.170:53246 (ESTABLISHED)
sshd      25672     root    3r  IPv4 779734       TCP 219.92.66.66:ssh->175.143.37.103:52538 (ESTABLISHED)
sshd      25680  support    3u  IPv4 779734       TCP 219.92.66.66:ssh->175.143.37.103:52538 (ESTABLISHED)
sshd      25680  support    9u  IPv4 779835       TCP *:10142 (LISTEN)

NOTE: To drop a tunnel, simply kill the PID of the user's sshd that holds the listener (in this case 25680, which listens on *:10142).

You can also use:

netstat -n --protocol inet | grep ':22'
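Reading the lsof listing by eye gets tedious once several customers have tunnels up, and the interesting question is usually which listeners are bound to * (reachable from outside, as GatewayPorts yes produces) rather than to loopback. The following is an added example, not from the original post: it parses lsof -i -n output (the sample lines are copied from the listing above into a constructed variable) and prints one line per tunnel listener with its PID, user, port and scope. It assumes a non-root sshd holding a LISTEN socket is a user's reverse tunnel; the function names are this example's own.

```shell
#!/bin/sh
# Sample lines from the lsof output shown above (copied into a constructed
# variable so the functions can be run without a live middleman).
LSOF_SAMPLE='sshd      25407     root    3r  IPv4 777970       TCP 219.92.66.66:ssh->175.143.74.170:49104 (ESTABLISHED)
sshd      25415  support    9u  IPv6 778070       TCP [::1]:10150 (LISTEN)
sshd      25415  support   10u  IPv4 778071       TCP 127.0.0.1:10150 (LISTEN)
sshd      25551     root    3u  IPv4 778922       TCP *:ssh (LISTEN)
sshd      25680  support    3u  IPv4 779734       TCP 219.92.66.66:ssh->175.143.37.103:52538 (ESTABLISHED)
sshd      25680  support    9u  IPv4 779835       TCP *:10142 (LISTEN)'

# list_tunnel_listeners: read lsof -i -n output on stdin and print
# "PID USER PORT SCOPE" for every LISTEN socket held by a non-root sshd.
# Assumption: a non-root sshd with a listening socket is a user's reverse
# tunnel (-R), while the root-owned *:ssh listener is the daemon itself.
# SCOPE is "public" when the address is * (what GatewayPorts yes produces)
# and "local" when it is a loopback address.
list_tunnel_listeners() {
    awk '$1 == "sshd" && $3 != "root" && $NF == "(LISTEN)" {
        addr = $(NF - 1)
        n = split(addr, parts, ":")     # the port is the last colon-separated piece
        scope = (substr(addr, 1, 1) == "*") ? "public" : "local"
        print $2, $3, parts[n], scope
    }'
}

# exposed_tunnel_pids: PIDs whose tunnel port is reachable from outside the
# middleman; these are the ones to review (and kill, as the note above says)
# when a forward was not meant to be public.
exposed_tunnel_pids() {
    list_tunnel_listeners | awk '$4 == "public" { print $1 }' | sort -u
}

# Usage against the sample; on the middleman replace the printf with
# "sudo lsof -i -n".
printf '%s\n' "$LSOF_SAMPLE" | list_tunnel_listeners
printf '%s\n' "$LSOF_SAMPLE" | exposed_tunnel_pids
```

On the sample this reports 25415 with port 10150 twice (the IPv6 and IPv4 loopback sockets) as local and 25680 with port 10142 as public.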

Here is a script to check the SSH tunnel and bring it back up in case it's down (it assumes key-based login to miduser, since ssh -f cannot take a password unattended):

#!/bin/bash
# Run on the customer's server: re-open the reverse tunnel to the middleman
# whenever no ssh process for 60.55.111.222 is running.
while true
do
    # "[6]0" keeps grep from matching its own command line; the dots are
    # escaped so they match literally rather than any character.
    if ps aux | grep -q "[6]0\.55\.111\.222"
    then
        echo "SSH connection up."
    else
        echo "SSH connection down."
        echo "Trying to connect ..."
        # ExitOnForwardFailure makes ssh exit (so the loop retries) when port
        # 10050 is still held by a stale session on the middleman instead of
        # staying up with no forward; ServerAliveInterval lets the client
        # notice a dead link rather than sit on a half-open connection.
        ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
            -R 10050:localhost:22 miduser@60.55.111.222
    fi

    sleep 60
done

Source:
  Reversing ssh connection
