I have a distributed set of devices running Ubuntu 12.04 that I am distributing to clients. I would like to manage them remotely. They may not have fixed IPs and potentially might be behind firewalls.

What I am planning to do is have the devices (permanently connected to the net) poll a request URL and based on the response open a reverse tunnel to my server, so that I can access them via that tunnel.

Most of what I read about reverse tunnels over SSH is for single-use cases and very little about heavy production usage. Is there some reason for this: security issues, or stability?

Any help would be much obliged.

Markus

1 Answer

I have seen companies do this before. Barracuda Networks uses a "Support Tunnel" that is built into their UI that basically creates a reverse SSH tunnel. If you prefer something a bit more autonomous, then Google "persistent ssh tunnel". There are plenty of shell scripts out there.

Just keep in mind, if the reverse SSH ports on your support server are accessible on the internet, then you are exposing your customers/users to a security vulnerability that they might not have "signed up for". I would also make private key management a high priority. If you use the same PKs for all devices and that private key is compromised, then everyone is compromised.

I personally have used OpenVPN as a support tunnel (certificate authentication). The service is already persistent (out of the box) and is very easy to set up. Again, key management is always a high priority. Everyone is issued a different certificate. I can always revoke the cert if things go bad. I also isolate my clients, so that they can't see/talk to each other.

Good luck!

Linuxx
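The reverse-tunnel arrangement the question asks about, built the way the answer recommends (one key per device, tunnel ports never reachable from the internet), as an added shell example that is not part of the original question or answer. Everything named here is an assumption: the support host support.example.net, an unprivileged "tunnel" account on it whose login shell is /usr/sbin/nologin, base port 20000, the key paths, and root as the account the engineer uses on the device. The authorized_keys options used on the server side need OpenSSH 7.8 or newer there (restrict and port-forwarding exist since 7.2, permitlisten since 7.8); the device side uses only options the stock Ubuntu 12.04 client (OpenSSH 5.9) already has.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: per-device
# reverse SSH tunnels with the listening ports kept off the internet.
# Assumed names: support.example.net, account "tunnel" (shell nologin),
# base port 20000, placeholder key paths, root as the device-side account.
# Server side needs OpenSSH 7.8+ for permitlisten; device side is fine on 5.9.

SUPPORT_HOST="support.example.net"
SUPPORT_USER="tunnel"
BASE_PORT=20000

# Every device owns one fixed loopback port on the support server: BASE_PORT + id.
device_port() {
    echo $((BASE_PORT + $1))
}

# Server side, run once per device. Prints the authorized_keys line for that
# device's own public key (ssh-rsa on a 12.04 device; ed25519 needs 6.5+):
#   restrict         drop pty, agent/X11 forwarding, ~/.sshrc and all forwarding
#   port-forwarding  re-enable forwarding ...
#   permitlisten     ... but only a -R bind to this device's own loopback port,
#                    so a compromised device cannot squat another device's port
#                    or bind 0.0.0.0 and expose a customer box to the internet.
# Losing one device's key means deleting one line here, not re-keying the fleet.
device_authorized_key() {
    id="$1"; pubkey="$2"
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s device-%s\n' \
        "$(device_port "$id")" "$pubkey" "$id"
}

# Server side, once: sshd_config fragment for the tunnel account. "remote"
# forbids -L forwards from a device into the support network; GatewayPorts no
# forces every -R listener onto loopback even if a client asks otherwise.
sshd_match_block() {
    cat <<'EOF'
Match User tunnel
    AllowTcpForwarding remote
    GatewayPorts no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
EOF
}

# Device side: the ssh invocation. The -R bind address is 127.0.0.1 so the
# device's sshd is reachable only from the support server itself. The
# keepalives turn a silently dropped NAT/firewall state into a failure within
# about 90 s, and ExitOnForwardFailure stops a "connected but not forwarding"
# zombie, so the loop below can reconnect. StrictHostKeyChecking=yes assumes
# the support server's host key was shipped in the device image's known_hosts.
tunnel_cmd() {
    id="$1"; key="$2"
    echo "ssh -N -i $key -o BatchMode=yes -o ExitOnForwardFailure=yes" \
         "-o ServerAliveInterval=30 -o ServerAliveCountMax=3" \
         "-o StrictHostKeyChecking=yes" \
         "-R 127.0.0.1:$(device_port "$id"):127.0.0.1:22" \
         "$SUPPORT_USER@$SUPPORT_HOST"
}

# Device side: the "persistent ssh tunnel" loop. Start it from an init job;
# it reruns ssh until killed, pausing between attempts. (autossh packages
# the same idea with more polish.)
run_tunnel_forever() {
    id="$1"; key="$2"
    while :; do
        eval "$(tunnel_cmd "$id" "$key")"
        sleep 15
    done
}

# Support engineer, logged in to the support server: reach device N through
# its tunnel. Nothing on the internet can reach this port.
support_cmd() {
    echo "ssh -p $(device_port "$1") -o StrictHostKeyChecking=yes root@127.0.0.1"
}

case "${1:-}" in
    authorize) device_authorized_key "$2" "$3" ;;  # tunnel.sh authorize 5 "$(cat device5.pub)"
    sshd)      sshd_match_block ;;                 # tunnel.sh sshd >> /etc/ssh/sshd_config
    run)       run_tunnel_forever "$2" "$3" ;;     # tunnel.sh run 5 /etc/device/tunnel_key
    support)   support_cmd "$2" ;;                 # tunnel.sh support 5
esac
```

The device never needs a shell on the support server, which is why the account's login shell can be nologin and why `-N` is used on the client: no session channel is opened, only the forwarding request. The loop is deliberately simple; what matters for the stability concern in the question is that each half of the tunnel fails loudly (keepalive timeout or forward failure) instead of hanging, so that a plain retry loop is enough to bring it back.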