Remote access to a computer behind a NAT through an SSH tunnel
In continuation of the topic of passing through NAT , here is a brief retelling of my articles on computer management, which is behind NATOM.
In fact, this is a description of the backdoor, so make sure that you do not harm another's network and that local administrators are aware of your manipulations.
Task: to place a Linux computer on the network behind a NAT, and to have access to it from the outside world. For example, you troubleshoot or support something at the client, and in order not to sit in his office, you need to quickly build remote access. Or, for example, in 3G networks, clients usually get private addresses, and we need access to a computer where there is no other connection.
')
1. You need a Linux server with a global IP address. Cheap VPS in the minimum configuration is best suited. We get a new DNS record for our service, thereby untiing the service from a specific server. Further, the name "callhome.example.net" is used as an example.
2. Enable keepalives on the server and enable GatewayPorts in / etc / ssh / sshd_config:
3. Create a comehome user on the server:
4. Remote computer - in principle, any device under Linux. Let's call it agent01. If the root still does not have SSH keys, create a pair of keys with the ssh-keygen command. Then create the /root/ssh_tunnel.sh script:
The original article also has a script for /etc/init.d to automatically start our tunnel.
5. Add the public root key with agent01 to the list of authorized keys on the server, while not allowing the agent to execute any commands. We also inform the agent of the port address at which it will be available (all in one line):
Actually, everything. It remains only to test. After starting the tunnel, an SSH connection to port 2101 should land on port 22 of the remote computer.
If the agent is a laptop under ubunta, since ubunta 12.04 it is impossible to turn off the falling asleep from closing the lid globally (at least I did not succeed when I last tested it).
Do not forget to backup scripts.
Make sure that no one except you will get access to the agent, and also that the owner’s coordinates are clearly written on the agent - you don’t want to substitute someone else’s network at risk.
ServerAliveInterval is very important in the script (if the connection is broken, both the client and the server should terminate the previous tunnel) and sleep (without it, if there is no route to the ssh server, it returns instantly, so it’s best to slow down before the next launch). StrictHostKeyChecking is disabled in case the callhome service moves to another machine, and the agent is out of our physical reach.
In fact, this is a description of the backdoor, so make sure that you do not harm another's network and that local administrators are aware of your manipulations.
Task: to place a Linux computer on the network behind a NAT, and to have access to it from the outside world. For example, you troubleshoot or support something at the client, and in order not to sit in his office, you need to quickly build remote access. Or, for example, in 3G networks, clients usually get private addresses, and we need access to a computer where there is no other connection.
')
1. You need a Linux server with a global IP address. Cheap VPS in the minimum configuration is best suited. We get a new DNS record for our service, thereby untiing the service from a specific server. Further, the name "callhome.example.net" is used as an example.
2. Enable keepalives on the server and enable GatewayPorts in / etc / ssh / sshd_config:
ClientAliveInterval 5 ClientAliveCountMax 3 GatewayPorts yes 3. Create a comehome user on the server:
useradd -r -m -k /dev/null comehome cd /home/comehome/ mkdir .ssh chown comehome:comehome .ssh/ chmod 700 .ssh/ 4. Remote computer - in principle, any device under Linux. Let's call it agent01. If the root still does not have SSH keys, create a pair of keys with the ssh-keygen command. Then create the /root/ssh_tunnel.sh script:
#!/bin/sh SSHCMD="ssh -Tq -o ServerAliveInterval=5 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyChecking=no \ comehome@callhome.example.net" while true; do PORT=`$SSHCMD` if test 0${PORT} -gt 0; then $SSHCMD -NC -R "*:${PORT}:127.0.0.1:22" fi sleep 5 done The original article also has a script for /etc/init.d to automatically start our tunnel.
5. Add the public root key with agent01 to the list of authorized keys on the server, while not allowing the agent to execute any commands. We also inform the agent of the port address at which it will be available (all in one line):
cat >>.ssh/authorized_keys <<EOT command="/bin/echo 2101",no-user-rc,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3N/skipped/ root@agent01 EOT Actually, everything. It remains only to test. After starting the tunnel, an SSH connection to port 2101 should land on port 22 of the remote computer.
If the agent is a laptop under ubunta, since ubunta 12.04 it is impossible to turn off the falling asleep from closing the lid globally (at least I did not succeed when I last tested it).
Do not forget to backup scripts.
Make sure that no one except you will get access to the agent, and also that the owner’s coordinates are clearly written on the agent - you don’t want to substitute someone else’s network at risk.
ServerAliveInterval is very important in the script (if the connection is broken, both the client and the server should terminate the previous tunnel) and sleep (without it, if there is no route to the ssh server, it returns instantly, so it’s best to slow down before the next launch). StrictHostKeyChecking is disabled in case the callhome service moves to another machine, and the agent is out of our physical reach.
Source: https://habr.com/ru/post/147347/
All Articles