Reverse SSH - Poor man site-to-site communication

Taken from http://toic.org/blog/2009/01/18/reverse-ssh-port-forwarding/

Real life example
I will assume that the home PC is connected via a dynamically assigned IP address. First, make sure you have an ssh server installed on your home PC and that it is reachable from the Internet; if you are behind a NAT router, forward port 22 to your home PC. Secondly, set up a dyndns account so you can connect to your home PC regardless of IP address changes.

The goal will be to connect to the ssh server on our office PC, so the port in question will be 22; if you wish to forward another port, change it in your configuration accordingly. For the purpose of this example I will name my home PC bhome.dyndns.com; the office computer's name will be bwork.office.com. The bwork computer uses the private IP range 192.168.0.0/24 with address 192.168.0.100. Since the firewall is preventing outside connections to our bwork computer, we must initiate the connection from it. We can do this with a simple ssh command:

ssh -R 2210:localhost:22 bhome.dyndns.com

So what just happened here? We are initiating an ssh connection ("ssh") with the reverse port forwarding option ("-R"), which opens a listening port ("2210:") on the remote computer ("bhome.dyndns.com"); anything arriving on that port is forwarded back through the tunnel to port 22 on the originating machine ("localhost:22", where localhost is resolved on the bwork side). This connection represents the green line in the diagram above, and it is a legitimate connection as far as the corporate firewall is concerned. So if we now open up a terminal on the bhome computer and type in:

ssh -p 2210 localhost

we will try to connect to localhost (bhome.dyndns.com) on port 2210. Since that port was set up by the remote ssh connection, it will tunnel the request back over that link to the bwork.office.com computer. This is the red line on the diagram above. From the firewall's perspective it is legitimate traffic, since it is return traffic on a link already initiated by the bwork computer.


Some more fun with reverse tunnels.
But I have a printer behind that corporate firewall. How can I connect to it? Easy... remember the first example? The ssh -R command takes five arguments, four of which are mandatory:

ssh -R [bind_address:]port:host:hostport

bind_address is the address on the remote server on which port will listen; connections to it are forwarded to host (resolved on the network from which the reverse tunnel originated) on hostport. Note that a bind_address other than loopback is only honoured if the remote server's sshd has GatewayPorts set to clientspecified (with GatewayPorts yes the listener binds to all interfaces regardless of the address given; with the default, no, it stays on loopback). So if we issue the following command on our bwork PC:

ssh -R 89.xxx.xx.4:2211:192.168.0.10:631 bserver.outside.com

we will get something like this:

[diagram: reverse-ssh4]

So again, we have the previously established reverse ssh tunnel listening on port 2210 to channel the ssh connection towards the office PC. With this new command we have established a second reverse ssh tunnel (yellow line) towards bserver, which will listen for incoming connections on port 2211. When the home PC makes a connection to port 2211 on bserver (brown line), it is forwarded to the office PC (black line), which then redirects it to the office printer at address 192.168.0.10 on port 631 (violet line). Remember, all this traffic passes through the corporate firewall as legitimate traffic, even if the illustration perhaps shows otherwise.

Automating the task
So by now we should have covered the basics of how to get through a corporate firewall to reach your office computer and network equipment. Now, a plain ssh -R isn't really practical: it occupies a terminal, and as soon as that session ends there is no tunnel and no outside connectivity. The easiest thing to do is to add a cron job that reconnects to the remote server whenever the connection fails, the office computer reboots, and so on. First of all, generate ssh keys and add them to ssh-agent so that the script won't ask you for the remote server's password every time. Next we add two extra parameters to our command, -N (no remote command) and -f (go to background after authentication), so the connection runs in the background. The command will look like:

ssh -N -f -R [bind_address:]port:host:hostport 

Next we need a shell script that will be triggered by cron. For this example we will use the Real life example 2.

#!/bin/sh
# Full tunnel command. pgrep -f -x matches the entire command line exactly,
# so the tunnel is only (re)started when no identical ssh process is running.
COMMAND="ssh -N -f -R 89.xxx.xx.4:2210:localhost:22 bserver.outside.com"
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND


Now edit this script so it suits your needs and save it in your home directory as reverse_ssh_tunnel.sh. Next we need to add a crontab entry that will trigger this script every 5 minutes:

crontab -e

and add:

*/5 * * * * /bin/sh /home/username/reverse_ssh_tunnel.sh

If you are connecting as a different user name on the remote server, edit your commands so they look like: ssh -R [bind_address:]port:host:hostport username@remote_host
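The cron script above has a failure mode worth handling: if the remote port is still bound (for example by a half-dead earlier session), ssh -f -R stays running without any forward, and pgrep reports it as "running" forever. The following is an added example, not the original post's script, that builds the same kind of command but adds ExitOnForwardFailure and ServerAlive options so a broken tunnel exits and the next cron run re-establishes it. All hostnames, addresses and ports in it are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): a self-healing reverse tunnel
# starter suitable for a cron job. Options used:
#   ExitOnForwardFailure=yes     ssh exits instead of staying up with no forward
#                                when the remote port cannot be bound
#   ServerAliveInterval/CountMax a dead link is detected and torn down, so the
#                                next cron run can re-establish the tunnel
# Endpoints passed in below are placeholders (assumed), not real hosts.

# tunnel_cmd BIND_ADDR PORT HOST HOSTPORT REMOTE
# Prints the full ssh command. BIND_ADDR may be empty, which keeps the
# listener on the remote server's loopback interface (sshd's default).
tunnel_cmd() {
    bind_addr=$1; port=$2; host=$3; hostport=$4; remote=$5
    spec="$port:$host:$hostport"
    [ -n "$bind_addr" ] && spec="$bind_addr:$spec"
    printf '%s\n' "ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -R $spec $remote"
}

# valid_port N: true only if N is a decimal number in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ensure_tunnel BIND_ADDR PORT HOST HOSTPORT REMOTE
# Returns 2 on a bad port; otherwise starts the tunnel unless an identical
# ssh command line is already running (same pgrep idiom as the post).
ensure_tunnel() {
    valid_port "$2" && valid_port "$4" || return 2
    cmd=$(tunnel_cmd "$@")
    pgrep -f -x "$cmd" > /dev/null 2>&1 || $cmd
}

# Usage from a cron entry (placeholder endpoints):
#   ensure_tunnel ""          2210 localhost    22  user@home.example.net
#   ensure_tunnel 203.0.113.4 2211 192.168.0.10 631 user@server.example.net
```

Two practical notes: a cron job has no ssh-agent, so the key the script uses must be loadable non-interactively (and sshd on the home server must permit forwarding at all; AllowTcpForwarding and GatewayPorts are the settings that govern this). The second usage line, with a non-loopback bind address, only works if that server's sshd has GatewayPorts clientspecified.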
