Linux – Remote access to a Linux machine behind a firewall

linux remote-access ssh

I'm going to be deploying a Linux machine as a sort of public terminal at a remote location. I'd like to be able to access it remotely via SSH for maintenance, but I don't want to keep a port open on the remote firewall for the rare occasions I need to access this machine. I've thought about a simple script to create a reverse SSH tunnel to a machine on the outside, but I'd rather not have a user have to do anything when I need to access it. Any ideas?

Update: I've decided to go with my original plan of a script to create a reverse SSH tunnel. While other suggested solutions, such as port knocking, would be more along the lines of what I really want to do, in this case I don't have any access to configure the router other than walking a user through a config. shudder

Best Answer

It has less to do with being concerned with a port being open and more to do with not wanting to walk a user through the process of opening up a port. I don't have any access to this router at all, unfortunately.

If changing the router is completely out of the question, you may need to look at a P2P or VPN solution like Hamachi. If you set up the system to automatically establish the VPN connection at startup, then you should be able to connect in whenever you need to. Hamachi does all the firewall negotiation for you. The one drawback is you have to rely on the Hamachi servers being up and functional when you need to connect.

If you have a server that is always up, you could set up autossh so that the remote system always keeps a tunnel open and connected to your server. The one drawback is that if the remote system is compromised, the attacker will get the keys that were used to establish the SSH session. It would be very important to keep the system that accepts the SSH connection really locked down.


Below is my original answer; I had assumed that updating the router was an option.

One solution you might want to investigate, if your firewall supports it, is port knocking. With some firewalls it should be possible to send out a special set of packets that the firewall notices and then temporarily opens a hole through the firewall.

There are many implementations, some better than others. Some use strong cryptography to make it nearly impossible for a person without the right keys to send the correct knock.
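The autossh reverse tunnel the answer describes, with the accepting server locked down so that a key taken from a compromised kiosk can do nothing but open this one reverse forward. This is an added example, not code from the original post or its author; the relay host, user name, key path and port are assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: the relay host,
# the "tunnel" account, the key path and port 2222 are all placeholders.

RELAY_HOST="${RELAY_HOST:-relay.example.com}"   # always-up server you control
RELAY_USER="${RELAY_USER:-tunnel}"              # unprivileged account on the relay
KEY="${KEY:-/etc/kiosk/tunnel_ed25519}"         # passphrase-less key on the kiosk
REMOTE_PORT="${REMOTE_PORT:-2222}"              # relay port that maps back to kiosk:22

# Kiosk side: the command a boot-time service (or a cron @reboot entry) runs.
# -M 0 relies on ssh's own keepalives to detect a dead link; ExitOnForwardFailure
# makes autossh retry when the relay port is still held by a stale session.
tunnel_command() {
    printf 'autossh -M 0 -N -i %s -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -R %s:127.0.0.1:22 %s@%s' \
        "$KEY" "$REMOTE_PORT" "$RELAY_USER" "$RELAY_HOST"
}

# Relay side: the authorized_keys line for the kiosk's public key ($1).
# "restrict" turns off pty, agent/X11 forwarding and all port forwarding;
# "port-forwarding" plus "permitlisten" re-enable only the single -R listener
# (permitlisten needs OpenSSH 7.8 or newer). The forced command never runs for
# an "ssh -N" client, but denies a shell if the key is ever used interactively.
restricted_authorized_key() {
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' \
        "$REMOTE_PORT" "$1"
}

# Audit check for the relay: succeed only if an authorized_keys line carries the
# restrictions above, so an accidentally unrestricted kiosk key is caught.
authorized_key_is_restricted() {
    case "$1" in
        *restrict,*permitlisten=*) return 0 ;;
        *) return 1 ;;
    esac
}

# Maintenance access from the relay is then: ssh -p "$REMOTE_PORT" user@127.0.0.1
```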
