Tuesday, March 23, 2010

ssh Reverse Tunnelling

The reverse tunnelling/connection is usually used to bypass firewall restrictions on open ports. A firewall usually blocks open ports, but does not block outgoing traffic. In a normal forward connection, a client connects to a server through the server's open port, but in the case of a reverse connection, the client opens the port that the server connects to. The most common way a reverse connection is used is to bypass firewall and Router security restrictions.

SSH is an extremely useful tool in that it allows you to do many things in a secure fashion that you might not otherwise be able to do. One of the things SSH allows you to do is to set up a reverse encrypted tunnel for data transfer. Typically, when you initiate an SSH tunnel, you forward a port on the local machine to a remote machine which can allow you to connect to an insecure service in a secure way, such as POP3 or IMAP. However, you can also do the reverse. You can forward a port on the remote machine to the local machine while still initiating the tunnel from the local machine.

This is useful if you have a service on the remote end that you want to have connected to something on the local machine, but you don't wish to open up your firewall or have SSH private keys stored on the remote machine. By using a reverse tunnel, you maintain all of the control on the local machine.
An example usage for this would be for logging messages; by setting up a reverse SSH tunnel, you can have a logger on the remote system send logs to the local system (i.e., syslog-ng).
Another example, a Trojan horse running on a computer behind a firewall that blocks incoming connections can easily open an outbound connection to a remote host on the Internet. Once the connection is established, the remote host can send commands to the Trojan horse. Trojan horses (Remote Administration Tools) that use a reverse connection usually send SYN (TCP) packets to the attacker's IP address. The attacker listens for these SYN packets and accepts the desired connections.

How to?
[SSH Reverse Tunnel HOWTO:- http://en.gentoo-wiki.com/wiki/Reverse_Tunneling]
To set up the reverse tunnel, use:

$ ssh -nNT -R 1100:local.mydomain.com:1100 remote.mydomain.com

What this does is initiate a connection to remote.mydomain.com and forwards TCP port 1100 on remote.mydomain.com to TCP port 1100 on local.mydomain.com. The "-n" option tells ssh to associate standard input with /dev/null, "-N" tells ssh to just set up the tunnel and not to prepare a command stream, and "-T" tells ssh not to allocate a pseudo-tty on the remote system. These options are useful because all that is desired is the tunnel and no actual commands will be sent through the tunnel, unlike a normal SSH login session. The "-R" option tells ssh to set up the tunnel as a reverse tunnel.

Now, if anything connects to port 1100 on the remote system, it will be transparently forwarded to port 1100 on the local system.

How to detect?

If a computer is sending SYN packets or is connected to an attacker's PC, the connections can be discovered by using the netstat command or a common port listener like “Active Ports”. If the Internet connection is closed down and an application still tries to connect to remote hosts it may be infected with malware. Keyloggers and other malicious programs are harder to detect once installed, because they connect only once per session. Note that SYN packets by themselves are not necessarily a cause for alarm, as they are a standard part of all TCP connections.

There are legitimate uses for using reverse connections, for example to allow hosts behind a NAT firewall to be administered remotely. These hosts do not normally have public IP addresses, and so must either have ports forwarded at the firewall, or open reverse connections to a central administration server.

No comments:

Post a Comment