by: Linux/Unix Raspberry Pi2 Comments on Reverse Shell with AutoSSH

Sometimes you need to get SSH access into a host that is inside a network behind a Firewall/NAT and only outbound connections are allowed.

AutoSSH can be installed on the client and will establish and persist an SSH tunnel into an external server allowing reverse connections into the client.

Install and manually test the connection

sudo apt install autossh
autossh -N -R 2022:localhost:22 [email protected]

Note: [email protected] is the server exposed to the internet ready to receive SSH connections, 2022 is the port that the server will start to listen and forward to the client on port 22. If the server firewall exposes port 2022 to the internet, anyone will be able to log into the client through the server at that port.

On the host that will receive the connection

ssh user@localhost -p 2022

AutoSSH will not type the password to connect to the server, so it requires an SSH-Key [Link].

It was tested and works fine. Now create a service on the client to enable the AutoSSH on the boot.

Configuring AutoSSH to run as a service

sudo nano /etc/systemd/system/autossh-tunnel.service

Add the content:

[Unit]
Description=AutoSSH Tunnel Service - Remote Port 2022

[Service]
#User=userName
Restart=always
RestartSec=10
ExecStart=/usr/bin/autossh -N -R 2022:localhost:22 [email protected]

[Install]
WantedBy=multi-user.target

The service will be executed as root, so the root user has to have the private key to be able to authenticate the connection.

sudo cp ~/.ssh/id_rsa /root/.ssh/
sudo cp ~/.ssh/id_rsa.pub /root/.ssh/

Use the systemctl to manage the AutoSSH service:

sudo systemctl daemon-reload
sudo systemctl enable autossh-tunnel.service
sudo systemctl start autossh-tunnel.service
sudo systemctl stop autossh-tunnel.service

The SSH Tunnel can be used to allow connection to different ports client’s localhost.

autossh -N -R 8080:localhost:80 [email protected]

The example above maps the port 8080 on the server that will be tunneled and get access to the HTTP (port 80) on the client.

The websites LocalHost.Run [Link] and Ngrok [Link] offers a service that uses the same ssh tunneling but connecting to their server instead of yours.

SSHd Configuration

Possibly the following configuration will have to be enabled on the SSH server:

...
AllowTCPForwarding yes
GatewayPorts yes
...

SSH is a versatile protocol that allows many other functionalities such as mount a remote directory locally and even set up a temporary VPN.

Mounting a Remote File System over SSH with SSHFS (client-side only):

sudo apt install sshfs
sshfs [email protected]:/shared sshfs

Setting a VPN over SSH with SSHuttle (client-site only):

sudo apt-get install sshuttle -y
sshuttle --dns -vvr user@host 0/0

Read also the post about Setting Up and Copying SSH Keys [Link]

2 Replies to “Reverse Shell with AutoSSH”

  1. Pingback: LAMP (Linux, Apache, MySQL, PHP) and Web Services – DFT Blog
  2. Pingback: Setting Up and Copying SSH Keys – DFT Blog

Comments are closed.