Auto SSH reverse tunnel into AWS with raspberry pi

Borrowed from:

1) Setup Free Tier AWS instance
2) Download user_hostname.pem SSH key

(on pi)
Copy user_hostname.pem to ~/ on pi


createTunnel() {
  /usr/bin/ssh -i user_hostname.pem -N -R 2222:localhost:22 user@aws-dns-hostname
  if [[ $? -eq 0 ]]; then
    echo Tunnel to jumpbox created successfully
    echo An error occurred creating a tunnel to jumpbox. RC was $?
/bin/pidof ssh
if [[ $? -ne 0 ]]; then
  echo Creating new tunnel connection

crontab -e
*/1 * * * * ~/ > tunnel.log 2>&1

sudo /etc/init.d/crontab reload
(end on pi)

(on aws)
echo “ssh -p 2222 user@localhost” > connect
(end on aws)

change 2222 for each pi added to the “network”.


iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp –dport 22 -j ACCEPT
iptables -A INPUT -p tcp –dport 80 -j ACCEPT
# Drop an IP address
# iptables -A INPUT -s -j DROP
# Accept packets from trusted IP addresses using standard slash notation
# iptables -A INPUT -s -j ACCEPT
# Accept packets from trusted IP/MAC addresses
# iptables -A INPUT -s -m mac –mac-source 00:50:8D:FD:E6:32 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -L -v


echo “Generating Root Key”
openssl genrsa -des3 -out root-ca.key 2048
echo “ok?”
read x

echo “Signing Root Cert”
openssl req -new -x509 -days 1825 -key root-ca.key -out root-ca.crt
echo “ok?”
read x

touch index.txt
mkdir certs
mkdir newcerts
mkdir crl
touch serial
echo “01\n”>serial
echo “” >> serial

echo “Generating Host Key and CSR”
openssl req -newkey rsa:2048 -keyout host.key -nodes -out host.req
echo “ok?”
read x

echo “Signing Host Cert”
openssl ca -keyfile root-ca.key -cert root-ca.crt -out host.crt -infiles host.req
echo “ok?”
read x

echo “Generating User Key and CSR”
openssl req -newkey rsa:2048 -keyout user.key -out user.req
echo “ok?”
read x

echo “Signing User Cert”
openssl ca -keyfile root-ca.key -cert root-ca.crt -out user.crt -infiles user.req
echo “ok?”
read x

echo “Bundling Cert and Key and Root cert”
openssl pkcs12 -export -out user.p12 -inkey user.key -in user.crt -certfile root-ca.crt
echo “ok?”
read x

Protecting WordPress

Preventing brute force login programs from guessing your WordPress installation can be a pain, but I started changing the name of the wp-login.php file long ago when I figured that I couldn’t easily change the ‘admin’ username and didn’t want to wrap the wp-login.php file in basic auth (not really secure). Remember there is no silver bullet for security. This is just another layer.

Every time you update WordPress, take these extra steps.

  1. SSH into your server.
  2. Navigate to your blogs directory ( eg: cd /var/www/blog )
  3. Backup your wp-login.php file ( eg: mv wp-login.php wp-login.pbackup.452012 )
    Some web scanners will look for every file accessible and change the extension to .backup or php.old or .php.bak, so I include the date to add another layer.
  4. Think what you want to change your wp-login.php file name to. For this example I’m going to use wp-banana.php. I like bananas, there is one on my desk.
  5. Run this sed command: sed 's/wp-login/wp-banana/g' <wp-login.pbackup.452012 >wp-banana.php
  6. Open a browser and access your new login page.
    You should see the normal login and it should take you to your Dashboard.
  7. If this didn’t work, copy the backup back.( eg:cp wp-login.pbackup.452012 wp-login.php )
  8. Make sure wp-login.php doens’t exist. should return a 404 error.
  9. Use your blog, don’t forget your new filename and now you can keep attackers from brute forcing your WordPress admin password.