SSH reverse active connection and scripting encryption

recently, in the deployment of the relevant DNS system services for the company's customers, for resource scheduling services, but the customer export lack of public IP address, can not easily manage this server, began to think of using teamviewer to do transit, penetrate the intranet, but in the CentOS environment, According to the TeamViewer official manual to try to install several times, did not, always failed to obtain the ID number, and even finally installed a graphical GNOME environment, try to install TeamViewer in a graphical environment, the network is always notready, finally, can only abandon the use of TeamViewer , in the company found a machine with public network IP, with SSH reverse active connection, that is, often said port forwarding.

This way with the first popular online rebound remote control tools similar principles, such as gray pigeons, ren I line, pcshare and so on, including now many hackers use the remote control Trojan is this active connection rebound Trojan, "fortress always from the internal breakthrough easier."

Return to the point, first to practice, the last principle.

System environment:

Company Host: Extrahost (behalf of the host name and IP, with public IP), user name: root SSH Port: 2200

Client server: Intrahost (refers to host name and IP, private network IP NAT), user name: Root SSH port: 2211

Parameters used by SSH:

- N: Do not perform any instructions

-F: Background execution

-R: Establishing reverse Tunnel

Enter the following command in the customer's system:

----------------------------------------------------------------------------------------------------------

[Email protected]]# ssh-nfr 2233:localhost:2211 [email protected] - p 2200

You can enter your password

port2233 refers to binding a remote host Extrahost port 2233

-------------------------------------------------------------------

In the company management device see if Port 2233 is in listening state, netstat-ant,

If you are not listening successfully, check that the management device firewall and sshd have associated access controls

In the company management host Extrahost Enter the following command and password, login to the customer System Intrahost

--------------------------------------------------------------------

[[email protected]] #ssh [email protected]-P 2233

Can be connected to the customer's server

------------------------------------------------------------------

Problem

I. Connection stability issues

Because it is a reverse active connection, the session is abnormally interrupted and the connection cannot be initiated by the control, we can use several tools to help us keep the session.

1. Using the Autossh tool

Installation method The Autossh tool is not in a Linux source and needs to be downloaded from a third-party source

Address: http://pkgs.repoforge.org/autossh/installation package has 32-bit and 64-bit, download according to the operating system to choose.

Using the same method as SSH, the difference between autossh needs to constantly detect the SSH connection state, we need to use the-m parameter, to specify the AUTOSSH listening port:

---------------------------------------------------------------------------------------

[ Email protected]]autossh-m 1100-NFR 2233:localhost:2211 [email protected] - p 2200

----------------------------------------------------------------------------------------

2. Use the Nohup command to truncate the suspend signal

Usage: Usage:nohup COMMAND [ARG] ...

Or:nohup OPTION

Example:

------------------------------------------------------------------------------------

[[Email protected]]nohup s SH-NFR 2233:localhost:2211 [email protected] - P 2200

To interrupt the suspend signal to SSH.

---------------------------------------------------------------------------

3. It is recommended to use the Nohup command, this method is very reliable, for the reasons explained later, now we write scripts to use the Crond schedule any plan to maintain the SSH session, the script content is as follows.

#!/bin/bash Createtunnel () {/USR/BIN/SSH-NFR 2233:localhost:2211 [email protected]-P 2200if [[$?-eq 0]]; then E Cho Tunnel to Jumpbox created successfully else echo an error occurred creating a tunnel to Jumpbox.  RC was $? Fi}/bin/pidof Sshif [[$-ne 0]]; Then echo Creating new tunnel Connection Createtunnelfi

Add a scheduled task schedule and repeat the script to determine the establishment of the communication tunnel

-----------------------------------------------------

Command: CRONTAB-E

*/1 * * * */root/reversessh.sh > Tunnel.log 2>&1

Don't forget to give the script execute permission

----------------------------------------------------

chmod u+x/root/reversessh.sh

-----------------------------------------------------

I can see and think of the way to maintain the conversation, it is here, you are welcome to share their innovative methods.

Second, security issues

Although we frankly established this tunnel, but we have overlooked a thing, is to establish a reverse connection tunnel, we need to enter the other device's password, assuming that our device because of our character relationship, led to restart, at this time, no matter how good to keep the conversation tools and commands, There is no way to enter the password for you, unless the company's customers are your good friends or at least you trust people, let him help you enter the password, unfortunately, things are often beyond our imagination.

So, we need to create a script that will enter the password for us and encrypt the script to prevent the customer from prying into the password of our management device. Also, take the key to do authentication to password-free landing, do not recommend that you do so, although convenient management, but also means that customers can use the device at will to access our management equipment, which we do not want to happen, although our customers are lovely and kind and amiable.

The script content is as follows, we need to use the automation tool expect, as to expect is what kind of kit and the tool, the concrete usage method, everybody may go to check the material study, this is our automation operation the more commonly used interactive tool, recommends everybody grasps.

Except installation method, it is recommended to use Yum installation:

----------------------------------------------

Yum-y Install expect*

----------------------------------------------

#!/bin/sh# description:the script file for keepalive ssh session# founder Broadband interconnection.de created by John.zha ng# update 20151104passwd=********expect-c "/USR/BIN/SSH-NFR 2233:localhost:2211 [email protected]-P 2200set Timeout 5e Xpect \ "password:\" Send \ "${passwd}\r\" expect EOF "

Script content features simple implementation, we can play, and then we encrypt the script file, more commonly used there are three or four, we recommend that you use the SHC tool, easy and safe.

Detailed installation method everyone to the online search, here simply drifting over, we only say how to use.

:wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9b.tgz

After downloading, we unpack the package,

TAR-XVF shc-3.8.9b.tgz

This package is not under the source code, is a precompiled file, directly installed to make the install

Use example:[[Email protected]]#shc-r-F ~/reversessh_pass.sh

After running, two files are generated, reversessh_pass.x and reversessh_pass.x.c. Where sreversessh_pass.x is an executable binary that is encrypted and can be run with./reversessh_pass.x, REVERSESSH_PASS.X.C is the original file that generates Reversessh_pass.x, We recommend that you copy it to your computer and delete it from the server. and add execute permission to the program, add to boot boot.

[[Email protected]]# vi/etc/rc3.d/s99local

The program/root/reversessh_pass.x after writing our encryption script under this file is used for power-on self-booting. Note Here is the command line method, note the start level.

Three, the principle elaboration, the big God can neglect.

1.SSH Reverse Tunnel

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/7F/04/wKioL1cQWc-QCNF_AABIUFxMF48574.png "title=" Tunel.png "alt=" Wkiol1cqwc-qcnf_aabiufxmf48574.png "/>

, for the SSH service forward and reverse two kinds of session connection, normally (forward), we are initiated by the client session request to the server, using the SSH protocol for us to establish a connection communication, we can regard this connection as a tunnel (tunnel), So I can use the terminal tools to remotely manage our servers, note that here we do not really mean to open the terminal, but we are on the network layer, through the built up tunnel to connect to the terminal, so we put like using putty,securecrt such tools, The terminal is also called the simulation terminal to establish the connection rendering.

Since we have built such a tunnel, it is inevitable that each tunnel has the same endpoint, the starting and ending ends, and that the endpoints on both ends are our clients and the service side, but the forward connection is the peer IP and port that declares the connection. A reverse connection is a peer-to-peer IP and communication port that is declared by the server to connect to the native computer.

Here is to remind you that the forward connection and the reverse connection, the direction of the establishment of the tunnel is consistent, are created by the client as the beginning of the communication tunnel, the so-called forward connection and the reverse connection depends on the service side in the tunneling behavior, positive connection, is passively accept requests from the client, establish a connection Whereas a reverse connection is an unsolicited connection by the server, the starting end of the creation session connection is always the client.

Similarly, after understanding the principle, then like telnet,ftp, even we use to connect to the Windows desktop RDP, can also realize the reverse connection, you can search on the Internet specific methods.

2.nohup

Just now we mentioned nohup This command, this understanding is actually very easy, from the literal not difficult to understand the prohibition hangs, the official manual explanation is also very simple, ignoring hangup signals, ignores hangs the signal, the personal thought interprets it as the truncation hangs the signal, better point, The Nohup implementation principle is like a daemon, but the mechanism of its work is the semaphore level, when we run the process in an abnormal interrupt, or time out, will produce an interrupt signal to end the process, save resources, Nohup principle is when received from the process of the interrupt signal, Will prevent the signal from being sent, thus keeping the process running without interruption due to abnormal conditions.

The advantage of using this command is that the AUTOSSH maintains that the session works basically like the script we wrote, and that the nohup work mechanism is directly signal-level and does not need to generate the signal result feedback by executing another program, the Linux signaling mechanism originates from the UNIX system, and the semaphore is generated by the software. , the communication between processes is completed by the signal, so nohup execution efficiency and stability compared to autossh is very high, or two is not comparable, because they are implemented in a different way.

Write to this, the road is long and down and quest, I hope you can put forward a better way, finally attach the relevant components and tools.

This article is from the "Comefrom two Longshan down/Seven Door" blog, please be sure to keep this source http://zj1991.blog.51cto.com/1847949/1764244

SSH reverse active connection and scripting encryption