Debian/Ubuntu Backdoor Using A Reverse SSH Tunnel - SideDoor

sidedoor maintains a reverse SSH tunnel to provide a backdoor. sidedoor can be used to remotely control a device behind a NAT.

sidedoor is packaged for Debian-based systems with systemd or upstart. It has been used on Debian 8 (jessie) and Ubuntu 14.04 LTS (trusty).

The sidedoor user has full root access configured in /etc/sudoers.d, so anyone holding a key listed in its authorized_keys file has root on the device.
Installation

If sidedoor is in your package repositories, simply install it, e.g.,

    sudo apt-get install sidedoor

Otherwise, you will need to build a Debian package and install it. First, install the build dependencies:

    sudo apt-get install debhelper dh-systemd

Then, from the directory containing this README file, build and install a package:

    rm -f ../sidedoor*.deb # remove old package build
    dpkg-buildpackage -us -uc -b
    sudo dpkg -i ../sidedoor*.deb
Configuration

The remote server and tunnel port are configured in /etc/default/sidedoor. SSH configuration files are located in the /etc/sidedoor directory. ~sidedoor/.ssh is a symlink to /etc/sidedoor.

- Configure REMOTE_SERVER and TUNNEL_PORT in /etc/default/sidedoor.
- Create SSH configuration files under /etc/sidedoor.
  - authorized_keys: SSH public key(s) to control access to the local sidedoor user.
  - id_rsa: SSH private key to access the remote server. Can be generated with sudo ssh-keygen -t rsa -f /etc/sidedoor/id_rsa (press enter when prompted for a passphrase to leave it empty). Needs read permission by the sidedoor user or group, e.g., sudo chown root:sidedoor /etc/sidedoor/id_rsa and sudo chmod 640 /etc/sidedoor/id_rsa. The corresponding public key id_rsa.pub will need to be included in the remote user's ~/.ssh/authorized_keys file.
  - known_hosts: SSH host key of the remote server.
  - config (optional): Additional SSH config, see man ssh_config.
- Restart the service to apply the configuration: sudo service sidedoor restart
Recommendations

- Lock down the local SSH server by editing /etc/ssh/sshd_config.
  - Disable password authentication (ChallengeResponseAuthentication no and PasswordAuthentication no).
  - Limit the daemon to only listen on localhost (ListenAddress ::1 and ListenAddress 127.0.0.1).
  - To apply changes, restart or reload sshd, e.g., sudo service ssh reload.
- Modify the ssh_client_config_example file and include it in a client's ~/.ssh/config file to easily access the tunneled backdoor with ssh, scp, rsync, etc.
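As an added example, not part of the sidedoor project, here is a small POSIX shell audit that checks a host against the sshd recommendations above and the key permissions from the Configuration section: password authentication must be off, every ListenAddress must be loopback, and the tunnel private key must be mode 640 (or 600). The function names are my own; the default paths are the ones this README names.

```shell
#!/bin/sh
# Added audit script (not part of the sidedoor project). Checks the sshd
# hardening recommended in this README and the permissions on the tunnel key.
# Function names are hypothetical; default paths are the ones the README uses.

# Effective value of a directive: sshd uses the first match, and anything
# after a Match block only applies conditionally, so stop reading there.
sshd_directive() {  # $1=sshd_config file, $2=directive name
    awk -v d="$2" 'tolower($1)=="match" { exit }
                   tolower($1)==tolower(d) { print $2; exit }' "$1" | tr A-Z a-z
}

# Print one line per deviation; return 0 only if every recommendation is met.
check_sshd_config() {
    f="$1"; rc=0
    for d in PasswordAuthentication ChallengeResponseAuthentication; do
        v=$(sshd_directive "$f" "$d")
        [ "$v" = "no" ] || { echo "$d should be no (found: ${v:-unset, default yes})"; rc=1; }
    done
    # With no ListenAddress sshd binds every interface; each one set must be loopback.
    la=$(awk 'tolower($1)=="match" { exit } tolower($1)=="listenaddress" { print $2 }' "$f")
    [ -n "$la" ] || { echo "ListenAddress unset: sshd listens on all interfaces"; rc=1; }
    for a in $la; do
        case "$a" in
            127.0.0.1*|::1*|\[::1\]*|localhost*) ;;
            *) echo "ListenAddress $a is not loopback"; rc=1 ;;
        esac
    done
    return $rc
}

# The private key must not be world-readable: 640 (root:sidedoor) or 600.
check_key_perms() {  # $1=key file
    mode=$(stat -c %a "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 1; }
    case "$mode" in
        600|640) return 0 ;;
        *) echo "$1 has mode $mode, expected 640 (or 600)"; return 1 ;;
    esac
}

# Run both checks against the README's default paths (override with arguments).
audit_sidedoor_host() {
    check_sshd_config "${1:-/etc/ssh/sshd_config}"; a=$?
    check_key_perms "${2:-/etc/sidedoor/id_rsa}"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ]
}
```

Run audit_sidedoor_host as root after applying the recommendations; a non-zero exit with printed deviations means the host still deviates from them.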