2

I have multiple machines connecting to a single server by reverse SSH tunnels. So, each machine is running a command like the following:

while true; do
    ssh -X -R 19999:localhost:22 www.sern.pro
    sleep 30
done

The 19999 here would be varied for the different connections (e.g. 19990, 19991 etc.). These reverse SSH connections could be accessed from the server using a command like the following:

ssh -X localhost -p 19999

How can the server display a list of active reverse SSH connections? I have attempted using netstat but this requires foreknowledge of the local ports in use and doesn't make it clear that it is a reverse SSH connection:

# netstat --all --timers | grep "19999"
tcp        0      0 localhost.localdo:19999 *:*                     LISTEN      off (0.00/0/0)
tcp6       0      0 ip6-localhost:19999     [::]:*                  LISTEN      off (0.00/0/0)

Following a suggestion from @frank-thomas, I tried using the command netstat --all --timers --program --numeric | grep ssh to seek out non-standard SSH processes. When I do this, after the netstat TCP listings, I get UNIX listings like the following:

Active UNIX domain sockets (servers and established)
Proto RefCnt Flags       Type       State         I-Node   PID/Program name         Path
unix  2      [ ]         DGRAM                    64179539 28569/sshd: username [pr P475
unix  3      [ ]         STREAM     CONNECTED     60024486 14205/sshd: username [pr P60024485
unix  3      [ ]         STREAM     CONNECTED     62232808 5088/sshd: username [pri P62232133
unix  2      [ ]         DGRAM                    60024422 14205/sshd: username [pr P475
unix  3      [ ]         STREAM     CONNECTED     64180927 28569/sshd: username [pr P64180926
unix  3      [ ]         STREAM     CONNECTED     8303     3911/sshd                P8304
unix  3      [ ]         STREAM     CONNECTED     60024487 14205/sshd: username [pr P60024488
unix  2      [ ]         DGRAM                    62232598 5088/sshd: username [pri P475
unix  3      [ ]         STREAM     CONNECTED     64180931 28569/sshd: username [pr P64180932
unix  3      [ ]         STREAM     CONNECTED     62232798 5088/sshd: username [pri P62232797

How can this data be interpreted to give a listing of the reverse SSH tunnel ports in use on the server? How could a number like 19999 be derived from this?

2
  • Would just ssh connections work? I believe you could add -p to netstat, and grep for /ssh. Then any connection not on 22 is likely a reverse tunnel. Commented Jun 27, 2017 at 13:44
  • @FrankThomas Thanks very much for the suggestion. I've tried using netstat in a way like that which you suggest and I've edited my question to provide details on this. I am getting a listing of what may be the reverse SSH tunnels, but I'm not sure how to derive the ports in use from this listing. Would you have any idea? Commented Jun 27, 2017 at 13:56

2 Answers

0

You can get it using:

netstat -anp | egrep '127.0.0.1:*(LISTEN|.*)' | sort

This command lists all the connections with the ports that are active and sorts them.

If you have a range of ports that only includes, for example, ports from 40000 to 45000, you can add the 4 to the egrep, like '127.0.0.1:4*(LISTEN|.*)', to get only the ones that start with 4 instead of getting all the ports.

0
2

You could use

sudo ss -ltp | grep sshd

to list all TCP ports opened for listening by an sshd process, including the default listener (typically on tcp/22, but elsewhere if you have chosen to configure an alternate port for the sshd daemon). You could then examine the listed PIDs to determine what user had opened the ssh connection which was listening on each port.
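
Added example (not part of the original answer): a parser for `ss -Hltnp` output that drops the daemon's own port and prints port, PID and kind for every other sshd listener. The sample lines are constructed, the function name is hypothetical, and the 6010-6099 range labelled `x11` assumes sshd's default X11DisplayOffset of 10, since the clients in the question connect with -X.

```shell
#!/usr/bin/env bash
# Added example: summarise sshd-owned listeners from `ss -Hltnp` output.
# Live use (root is needed to see PIDs of other users' processes):
#   sudo ss -Hltnp | list_sshd_forwards 22

# Constructed sample of `ss -Hltnp` output; not captured from a real host.
sample_ss_output() {
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22      0.0.0.0:* users:(("sshd",pid=3911,fd=3))
LISTEN 0 128 [::]:22         [::]:*    users:(("sshd",pid=3911,fd=4))
LISTEN 0 511 0.0.0.0:443     0.0.0.0:* users:(("nginx",pid=812,fd=6))
LISTEN 0 128 127.0.0.1:19999 0.0.0.0:* users:(("sshd",pid=14205,fd=9))
LISTEN 0 128 [::1]:19999     [::]:*    users:(("sshd",pid=14205,fd=8))
LISTEN 0 128 127.0.0.1:6010  0.0.0.0:* users:(("sshd",pid=14205,fd=11))
LISTEN 0 128 127.0.0.1:19990 0.0.0.0:* users:(("sshd",pid=28569,fd=9))
LISTEN 0 128 [::1]:19990     [::]:*    users:(("sshd",pid=28569,fd=8))
LISTEN 0 128 127.0.0.1:6011  0.0.0.0:* users:(("sshd",pid=28569,fd=11))
EOF
}

# Reads ss output on stdin; $1 is the port sshd itself listens on.
# Prints "port pid kind" once per forwarded port, sorted by port.
list_sshd_forwards() {
    awk -v dport="${1:-22}" '
        $1 == "LISTEN" && /"sshd"/ {
            # Port is the text after the last colon (handles [::1]:19999).
            n = split($4, parts, ":")
            port = parts[n] + 0
            if (port == dport + 0) next          # the daemon itself
            if (!match($0, /pid=[0-9]+/)) next   # PID hidden without root
            pid = substr($0, RSTART + 4, RLENGTH - 4)
            if (seen[port " " pid]++) next       # IPv4 + IPv6 duplicates
            # Assumption: default X11DisplayOffset (10), so the listeners
            # created by `ssh -X` sit at 6010 and up, not tunnel ports.
            kind = (port >= 6010 && port <= 6099) ? "x11" : "tunnel"
            print port, pid, kind
        }' | sort -n
}

sample_ss_output | list_sshd_forwards 22
```

Running `ps -o user=,args= -p <pid>` on a reported PID then shows the account that opened that tunnel.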
