I have multiple machines connecting to a single server by reverse SSH tunnels. So, each machine is running a command like the following:
while true; do
ssh -X -R 19999:localhost:22 www.sern.pro
sleep 30
done
The 19999
here would be varied for the different connections (e.g. 19990
, 19991
etc.). These reverse SSH connections could be accessed from the server using a command like the following:
ssh -X localhost -p 19999
How can the server display a list of active reverse SSH connections? I have attempted using netstat
but this requires foreknowledge of the local ports in use and doesn't make it clear that it is a reverse SSH connection:
# netstat --all --timers | grep "19999"
tcp 0 0 localhost.localdo:19999 *:* LISTEN off (0.00/0/0)
tcp6 0 0 ip6-localhost:19999 [::]:* LISTEN off (0.00/0/0)
Following a suggestion from @frank-thomas, I tried using the command netstat --all --timers --program --numeric | grep ssh
to seek out non-standard SSH processes. When I do this, after the netstat
TCP listings, I get UNIX listings like the following:
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node PID/Program name Path
unix 2 [ ] DGRAM 64179539 28569/sshd: username [pr P475
unix 3 [ ] STREAM CONNECTED 60024486 14205/sshd: username [pr P60024485
unix 3 [ ] STREAM CONNECTED 62232808 5088/sshd: username [pri P62232133
unix 2 [ ] DGRAM 60024422 14205/sshd: username [pr P475
unix 3 [ ] STREAM CONNECTED 64180927 28569/sshd: username [pr P64180926
unix 3 [ ] STREAM CONNECTED 8303 3911/sshd P8304
unix 3 [ ] STREAM CONNECTED 60024487 14205/sshd: username [pr P60024488
unix 2 [ ] DGRAM 62232598 5088/sshd: username [pri P475
unix 3 [ ] STREAM CONNECTED 64180931 28569/sshd: username [pr P64180932
unix 3 [ ] STREAM CONNECTED 62232798 5088/sshd: username [pri P62232797
How can this data be interpreted to give a listing of the reverse SSH tunnel ports in use on the server? How could a number like 19999 be derived from this?
-p
to netstat, and grep for/ssh
. then any connection not on 22 is likely a reverse tunnel.netstat
in a way like that which you suggest and I've edited my question to provide details on this. I am getting a listing of what may be the reverse SSH tunnels, but I'm not sure how to derive the ports in use from this listing. Would you have any idea?