Reverse SSH Server Deployment and Configuration
Estimated Deployment Time: 15 Minutes
The Basics
The Reverse SSH Server is a specialized appliance that maintains persistent connections to remote servers, laptops, and IoT devices—even when those devices are hiding behind strict corporate firewalls, sitting on private IP addresses, or rebooting unexpectedly.
Instead of trying to poke holes in a remote client's firewall, the remote client actively connects out to your Reverse SSH Server. System administrators can then connect to the Reverse SSH Server to securely access those remote devices via SSH over port 22.
Authentication is strictly key-based and uniquely generated for every single client, ensuring maximum security.
Why Use a Reverse SSH Server?
If you're managing dozens or hundreds of endpoint systems, tracking dynamic IP addresses and dealing with NAT/firewall traversal is a nightmare. The Reverse SSH Server solves this by having all clients automatically "call home" and maintain that connection indefinitely.
Key benefits include:
- Persistent Access: All clients stay connected to a single, central server for easy management.
- Friendly Naming: Assign custom, human-readable names to your clients so you don't have to memorize IP addresses.
- Connection Durability: The connection automatically re-establishes itself even if the remote client reboots or drops its network connection.
- Custom Ports: You can configure the server to listen on port 443 (or any other port) to bypass restrictive outbound firewalls.
Deployment Guide
Deploying the Reverse SSH Server is incredibly simple.
- Deploy the Appliance: Head to the AWS Marketplace and launch the Reverse SSH Server.
- Configure Security: In your EC2 security group, only allow inbound SSH traffic (port 22) from trusted IP addresses. Practice the principle of least privilege—never expose ports you don't need.
- Generate a Client Script: SSH into your new Reverse SSH Server and run the following command to generate a connection script for your first client (we'll name it myclient):
sudo reversessh -a myclient
Note: This command generates a script in your current directory containing a private RSA key. Treat this file like a password.
- Copy the Script: Display the script's contents and copy it to your clipboard:
cat ReverseSSH-myclient-Client.sh
- Install on the Client: Open a new terminal and SSH into your remote client machine. Create a new file, paste the copied contents, and save it:
nano ReverseSSH-myclient-Client.sh
- Execute the Connection: Make the script executable and run it using sudo:
chmod +x ReverseSSH-myclient-Client.sh
sudo ./ReverseSSH-myclient-Client.sh
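The steps above rely on the client holding an outbound SSH session open and asking the server to forward a loopback port back to the client's own sshd. The following script is an added illustration of that mechanism; it is not the script that `reversessh -a` generates (this page does not show that script's contents), and the server host name, account name, key path, known_hosts path and port numbers are all assumed. It shows the pieces a durable client needs: key-only authentication with a pinned server host key, `ExitOnForwardFailure` so a port collision is an error rather than a silent dead session, keepalives so a dropped link is noticed, and capped exponential backoff so a misconfigured client does not hammer the server.

```shell
#!/bin/sh
# Illustrative persistent reverse-tunnel client (added example; NOT the appliance's
# generated script). The client connects OUT to the server and the server forwards
# REMOTE_PORT on its own loopback interface back to this host's sshd on port 22.
# Every value below is an assumption; override them through the environment.

SERVER_HOST="${SERVER_HOST:-reverse-ssh.example.com}"      # assumed server address
SERVER_PORT="${SERVER_PORT:-443}"                           # server may listen on 443 (see Custom Ports)
SERVER_USER="${SERVER_USER:-tunnel}"                        # assumed unprivileged account on the server
REMOTE_PORT="${REMOTE_PORT:-56148}"                         # port the server forwards (page's example value)
KEY_FILE="${KEY_FILE:-/etc/reversessh/myclient-id_rsa}"     # assumed location of the per-client private key
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/reversessh/known_hosts}"   # assumed file holding the pinned server host key
MAX_DELAY=300                                               # cap for the reconnect backoff, in seconds

# Print the ssh options one per line (paths must not contain whitespace).
# -N opens no shell; -R binds REMOTE_PORT on the server's loopback and relays it to
# this host's sshd; StrictHostKeyChecking + IdentitiesOnly keep the client from
# trusting an unknown server or offering other keys.
tunnel_opts() {
    set -- -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 \
        -o ServerAliveCountMax=3 \
        -o StrictHostKeyChecking=yes \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o IdentitiesOnly=yes \
        -i "$KEY_FILE" \
        -p "$SERVER_PORT" \
        -R "$REMOTE_PORT:localhost:22"
    printf '%s\n' "$@"
}

# Exponential backoff, capped at MAX_DELAY seconds.
next_delay() {
    d=$(( $1 * 2 ))
    [ "$d" -gt "$MAX_DELAY" ] && d=$MAX_DELAY
    printf '%s\n' "$d"
}

# Refuse to use a private key that other users on this machine could read
# (the page's own advice: treat the key like a password).
key_perms_ok() {
    [ -f "$1" ] || return 1
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1" 2>/dev/null) || return 1
    case "$mode" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Reconnect forever: a reboot or network drop ends the ssh process, the loop
# sleeps, then dials out again. A session that lasted at least a minute counts
# as healthy and resets the backoff.
tunnel_loop() {
    delay=5
    while :; do
        if key_perms_ok "$KEY_FILE"; then
            started=$(date +%s)
            # Intentional word splitting of tunnel_opts output.
            ssh $(tunnel_opts) "$SERVER_USER@$SERVER_HOST"
            if [ $(( $(date +%s) - started )) -ge 60 ]; then delay=5; fi
        else
            echo "refusing to start: $KEY_FILE must exist with mode 600 or 400" >&2
        fi
        sleep "$delay"
        delay=$(next_delay "$delay")
    done
}

# Only dial out when invoked as `./reverse-tunnel.sh run`, so the file can also be
# sourced to inspect or test the helpers without opening a connection.
case "${1:-}" in run) tunnel_loop ;; esac
```

Run it as `sudo ./reverse-tunnel.sh run` on the client (sudo only because the assumed key and known_hosts paths live under /etc); in production a service manager such as systemd would restart it on boot, which is what gives the appliance's "Connection Durability" property. The `-R` forward binds to the server's loopback only, which is why the server-side login in the verification step uses `localhost`.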
Verifying the Connection
Back on your Reverse SSH Server, check if the client successfully connected:
sudo netstat -antp
If it worked, you'll see your client's name on the right side of the output, along with the specific local port that the Reverse SSH Server is forwarding.
To connect to your remote client from the Reverse SSH Server, just use the local forwarded port and the generated RSA key. For example, if the forwarded port is 56148:
ssh ec2-user@localhost -p 56148 -i ~/.ssh/myclient-id_rsa
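One check worth running once you have found the forwarded port in the `netstat` output: confirm that it is bound only to the server's loopback address. With OpenSSH's default `GatewayPorts no`, a `-R` forward listens on 127.0.0.1 / ::1, so the remote client's sshd is reachable only by someone who has already authenticated to the Reverse SSH Server, not by anything else on the server's network. The helper below is an added example, not part of the appliance; it assumes the fourth column of `ss -ltn` or `netstat -lnt` output is the local address:port pair, and the sample lines it ships with are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not the appliance's code): verify that a forwarded port listens on
# loopback only. Feed it listener output from the server:
#     ss -Hltn   | check_forward_binding 56148
#     netstat -lnt | check_forward_binding 56148
# Exit status: 0 = loopback only, 1 = a non-loopback listener exists, 2 = port not found.

check_forward_binding() {
    awk -v port="$1" '
        # Column 4 is "local address:port" in both ss -ltn and netstat -lnt output;
        # header lines and "*" peer columns never match the trailing :digits pattern.
        $4 ~ /:[0-9]+$/ {
            n = split($4, a, ":")
            lp = a[n]
            host = substr($4, 1, length($4) - length(lp) - 1)
            if (lp == port) {
                found = 1
                # Accept the three loopback spellings seen across ss and netstat.
                if (host != "127.0.0.1" && host != "[::1]" && host != "::1") bad = 1
            }
        }
        END { if (!found) exit 2; exit (bad ? 1 : 0) }
    '
}

# Run the check over a block of text instead of a live command (used for the samples).
check_sample() {
    printf '%s\n' "$1" | check_forward_binding "$2"
}

# Constructed sample output in ss -Hltn layout (not from a real server).
SAMPLE_OK='LISTEN 0 128 127.0.0.1:56148 0.0.0.0:*
LISTEN 0 128 [::1]:56148 [::]:*'
# Constructed sample of the situation the check is meant to catch: the forward
# bound to all interfaces, which would expose the client sshd to the server's network.
SAMPLE_EXPOSED='LISTEN 0 128 0.0.0.0:56148 0.0.0.0:*'
```

If the check returns 1 for a port, the forward is reachable beyond the server itself and the server's sshd configuration (`GatewayPorts`) should be reviewed before relying on the EC2 security group alone; if it returns 2, the client has not connected yet or the port number was misread from the `netstat` output.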
Removing a Client
If you need to revoke access for a specific client, run this command on the Reverse SSH Server:
sudo reversessh -r myclient
This instantly terminates any active connections from that client and deletes their authentication keys.
Frequently Asked Questions
Does the server support multi-AZ or multi-region?
It's a single EC2 instance, but you can deploy it in any VPC across any AWS region.
Should I use my root account for deployment?
No, always use a dedicated IAM user.
Can I encrypt the server?
Yes, we recommend encrypting the EBS volume when provisioning the server.
Is the traffic actually secure?
Yes, all connections routed through the Reverse SSH Server use fully encrypted SSH tunnels.
How much does it cost?
You'll pay the standard AWS EC2 rate plus the software licensing fee. For example, a t3.small costs about $0.036 per hour total ($0.021 for compute + $0.015 for software).
How do I install security patches?
You don't need to manually intervene. The appliance automatically checks for and installs security updates daily.
