
Hardening reverse SSH tunnel (via jump host)

1 vote
1 answer
2313 views
When inspecting the system logs for some other issue, I noticed that I was getting lots of SSH attempts in real time. Specifically, I have about 10'000 attempts daily!
$ grep Disconnected /var/log/auth.log | wc -l #since March 6
46149
This was quite an eye-opener to me, as I am behind a NAT and normally have 0 logon attempts. From the logs I got a clear hint as to what was going on: the logon attempts were all from localhost!
Mar 10 11:27:38 devbox sshd: Disconnected from invalid user mn 127.0.0.1 port 45822 [preauth]
Mar 10 11:27:46 devbox sshd: Disconnected from authenticating user root 127.0.0.1 port 45824 [preauth]
The only thing I could come up with that made sense was that these connections originated from the reverse SSH tunnel I have established towards my jump host to be able to log in to my work computer from home. And indeed, when doing sudo systemctl stop reverse-tunnel, all activity stopped immediately! So something about my setup is fishy. Up until now, I had assumed that my setup required the client side to be able to log in to the jump host using a certificate valid for that host to be allowed to initiate a connection, but this was clearly wrong!

# Setup

## The client side .ssh/config
Host jump
    HostName jumphost.somedomain.com
    User ubuntu
    IdentityFile ~/.ssh/jump

# local -> jump -> jump:30001 --> work
# reverse tunnel: work -> jump:22 sets up jump:30001 -> work
Host work
    ProxyJump jump
    User my-user
    IdentityFile ~/.ssh/work
    HostName jumphost.somedomain.com
    Port 30001
The above seems fine, as that just covers the "client side" bit, telling my local computer how to connect.

## The reverse tunnel service

This is set up as a systemd service that is always running and is what actually allows inbound connections from the jump host to my work computer. This is the prime suspect.
# The SSH tunnel is configured mostly through options specified in the default ssh config file (such as private key)
# It needs to be copied to /etc/systemd/system/ to be picked up and then run
#    sudo systemctl daemon-reload
#    sudo systemctl enable tunnel
#    sudo systemctl start tunnel
# Original implementation: https://askubuntu.com/a/1316825/165026 

[Unit]
Description=Maintain Reverse SSH Tunnel
After=network.target

[Service]
User=my-user
ExecStart=/usr/bin/autossh  -o ServerAliveInterval=30 -o "ServerAliveCountMax 3" -M 44444 -o ExitOnForwardFailure=yes -gnNT -R 30001:localhost:22 jump
RestartSec=15
Restart=always
KillMode=mixed

[Install]
WantedBy=multi-user.target
I suspect this bit to be the culprit: -R 30001:localhost:22 jump
Asked by oligofren (1261 rep)
Mar 10, 2022, 02:08 PM
Last activity: Apr 6, 2025, 07:27 AM
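A defender-side triage script added here by the editor, not part of the original question or the author's setup: it breaks the `grep Disconnected | wc -l` count down by source address and by attempted user name, so that a flood of pre-auth disconnects arriving from 127.0.0.1 (the local end of a reverse tunnel) stands out from ordinary LAN logins. The log lines are constructed in the same format as the two quoted in the question; the function names are my own.

```shell
#!/bin/sh
# Constructed sample auth.log excerpt (same sshd format as the lines in the question).
SAMPLE_LOG='Mar 10 11:27:38 devbox sshd: Disconnected from invalid user mn 127.0.0.1 port 45822 [preauth]
Mar 10 11:27:46 devbox sshd: Disconnected from authenticating user root 127.0.0.1 port 45824 [preauth]
Mar 10 11:28:01 devbox sshd: Disconnected from invalid user admin 127.0.0.1 port 45830 [preauth]
Mar 10 11:30:12 devbox sshd: Disconnected from user my-user 192.168.1.20 port 51000
Mar 10 11:31:05 devbox sshd: Accepted publickey for my-user from 192.168.1.20 port 51002 ssh2'

# Read sshd lines on stdin; print "<count> <source-ip>" for every pre-auth
# disconnect, most frequent source first. Only "[preauth]" lines count, so
# normal post-login disconnects of real users are ignored.
preauth_by_source() {
    awk '/sshd.*Disconnected from .*\[preauth\]/ {
            # the source address is the field just before "port"
            for (i = 1; i <= NF; i++) if ($i == "port") print $(i - 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Same, keyed by the user name that was tried ("invalid user X" or
# "authenticating user X"); the name is the field right after "user".
preauth_by_user() {
    awk '/sshd.*Disconnected from .*\[preauth\]/ {
            for (i = 1; i <= NF; i++) if ($i == "user") print $(i + 1)
         }' | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Number of pre-auth disconnects whose source is the loopback address, i.e.
# connections that entered through a local listener (such as the sshd side of
# a reverse tunnel) rather than directly from the network.
loopback_preauth_count() {
    preauth_by_source | awk '$2 == "127.0.0.1" { n += $1 } END { print n + 0 }'
}

# Stand-alone run over the constructed sample; on a real host use
#   sudo cat /var/log/auth.log | preauth_by_source
printf '%s\n' "$SAMPLE_LOG" | preauth_by_source
printf '%s\n' "$SAMPLE_LOG" | preauth_by_user
printf 'loopback pre-auth disconnects: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | loopback_preauth_count)"
```

On the jump host itself, `sshd -T | grep -i gatewayports` prints the effective setting; per sshd_config(5), `yes` forces every remote forward to bind to the wildcard address, so a `-R` port requested without a bind address is reachable from outside regardless of what the client asked for.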