article in Tech
linux-unix-and-friends
SSH stuff
Tyblog | SSH Kung Fu - -L tunneling,sshfs,vim scp:// urls,-D SOCKS proxying, and more.
SSH tricks
Play Video/Audio on Remote X Server over SSH - vlc --fullscreen path.avi (X11 Forwarding with SSH X11Forwarding yes)
ssh tips
SSH ControlMaster: The Good, The Bad, The Ugly | Anchor Web Hosting Blog Specify Password Only Once for Multiple SSH Connections
Swish - Easy SFTP for Windows - Swish adds support for SFTP to Windows Explorer so you can access your files on another computer securely via SSH. - cinst swish using Chocolatey
ssh/scp using python with paramiko
paramiko: ssh2 protocol for python
The GITS Blog » Easy SFTP uploading with paramiko
Plumbum: Shell Combinators and More — Plumbum: Shell Combinators
multiplex ssh with other services
ssl/ssh multiplexer
Run Both SSHD and Nginx on Port 80 « Yi Wang's Tech Notes
ssh with python twisted Conch
Twisted Documentation: Writing a client with Twisted Conch
Twisted Documentation: Twisted Conch code examples
Blocking brute force attempts with ssh
There are quite a few tools out there to accomplish the blocking of invalid login attempts using iptables amd tcpwrappers. Most are actually written in python...;-D In fact, you can yum install both fail2ban and denyhosts! Making it quite easy to get on your box. However, I'm partial to closing ports all together and using dynamic rules instead of forming ban lists. Ban lists require additional resources and still expose a service to all for undocumented exploits to occur...(buffer overflows). See IPOpener - Block everything and allow to few (The power of dynamic rules).
But having said that, there are times when it might be interesting to see who's out there attacking my boxes. I've seen some cool network maps.
Main Page - Fail2ban - Fail2ban scans log files like /var/log/pwdfail or /var/log/apache/error_log and bans IP that makes too many password failures. It updates firewall rules to reject the IP address.
Packets Consulting - Ssh-faker - This program is called by /etc/hosts.deny whenever someone connects to port 22. Unless they type in a plaintext password or type the wrong password, they get an ssh-compatible error message, and a syslog message is generated. If they type in the right password, they are added to /etc/hosts.allow, and their next connection will reach the real sshd.
Welcome to DenyHosts - DenyHosts is a Python script that analyzes the sshd server log messages to determine what hosts are attempting to hack into your system. It also determines what user accounts are being targeted. It keeps track of the frequency of attempts from each host. Additionally, upon discovering a repeated attack host, the /etc/hosts.deny file is updated to prevent future break-in attempts from that host. An email report can be sent to a system admin.
BlockHosts | A C Zoom - Automatic blocking of abusive IP hosts, Script to record how many times system services are being probed, using configurable pattern matching to recognize failed accesses (such as for "sshd" or "proftpd" or any service), and when a particular IP address exceeds a certain number of failed attempts, that IP address is blocked by using multiple techniques: using /etc/hosts.allow for services that support TCP_WRAPPERS, or by executing ip route commands to setup null-routing for that source host address, or by executing iptables commands to setup packet filtering to drop packets from a source host address.
Preventing Brute Force Attacks With Fail2ban On Debian Etch | HowtoForge - Linux Howtos and Tutorials
Preventing SSH Dictionary Attacks With DenyHosts | HowtoForge - Linux Howtos and Tutorials
Port forwarding with SSH (Also called SSH tunneling)
(a good command is: ssh -N -R remoteport:localhost:22 config-host-name)
Port forwarding allows you to send arbitrary connections through your
SSH connection. This provides secure communication over otherwise
insecure networks.
SSH provides two flavors of port forwarding. LocalForward and RemoteForward.
LocalForward connects a remote server to the local machine. The ssh client machine actually
listens for new connections to be tunneled and sends them through the existing ssh connection.
ssh -L 9999:mailserver:110 sshserver
This would establish a LocalForward using sshserver. The forward
would be from mailserver:110 to the local machine port 9999.
RemoteForward is a tunnel initiated on the server
side that goes back through the client machine.
LocalForwards
Command Line Option
| -L local_listen_port:destination_host:destination_port |
Configuration file entry
| LocalForward local_listen_port:destination_host:destination_port |
local_listen_port is on
| SSH client loopback interface |
destination_host is contacted from
| SSH server host |
RemoteForwards
Command Line Option
| -R remote_listen_port:destination_host:destination_port |
Configuration file entry
| RemoteForward remote_listen_port:destination_host:destination_port |
remote_listen_port is on
| SSH server loopback interface |
destination_host is contacted from
| SSH client host |
SSH Port Forwarding
Auto-closing SSH tunnels
Key based auth setup
Use keys instead of passwords
Ok, before you starting banging your head trying to figure out why key
auth isn't working...make sure your sshd has the proper settings for
it. Check to make sure you have the following settings in your
sshd_config.
# Should we allow Identity (SSH version 1) authentication?
# (NOTE: Not necessary if you only want to use version 2,even if you use rsa keys)
RSAAuthentication yes
# Should we allow Pubkey (SSH version 2) authentication?
PubkeyAuthentication yes
# Where do we look for authorized public keys?
# If it doesn't start with a slash, then it is
# relative to the user's home directory
AuthorizedKeysFile .ssh/authorized_keys
What to try if sshd doesn't accept your key (authorized_keys don't work)
NOTE!Sept-10-2005: You also MUST make sure that the .ssh folder in your home directory is rxw(700) for the user only! In addition, your authorized_keys file must be rw(600) for the user only. If the file modes are incorrect, sshd will reject all attempts to auth with the keys. (this info could have saved me a good half hour of pain)
If you had the correct settings, great. If you didn't and you changed the config, restart the sshd process.
Now that we have verified the proper settings, lets move on to how to actually add keys!
# Move into your ssh directory for the user
cd $HOME/.ssh
# Generate a key pair, this will create a private key(one you keep on
your local machine) and a public key(one you give to the remote
machine).
ssh-keygen -t rsa -f ~/.ssh/remotemachine
# Copy the public key into the authorized keys on the remote machine.
cat remotemachine.pub |ssh user@remotemachine 'sh -c "cat - >>~/.ssh/authorized_keys;
The -t option allows you to choose a cipher but I suggest using
rsa. The -f option specifies the name of the key, replace the
remotemachine with the name you'd like.
localmachine$ chmod 600 ~/.ssh/authorized_keys;
This single line will copy the public key to the remote machine and
make sure the permissions are read and write only for the user.
Now you can simply login to the remote machine by doing the following:
ssh -i remotemachine user@remotemachine
So maybe you don't like having to specify that you want to use the
identity each time. SSH allows you to define config options for
hosts in your ~/.ssh/config file. You can simply name a session
name and the options associated with it.
For example, lets say I connect to remotemachine using the username auser and the identity backup.
I can create a config file with:
host remotemachine
hostname remotemachine.somenetwork.com
user auser
identityfile ~/.ssh/backup
compression yes
cipher blowfish
protocol 2
Now I can just use: ssh remotemachine to
login to the system. SSH will automatically try to find the
session name in my config file and use the appropriate settings.
Some extra options:
You can create single use keys by prepending command="<cmd>" to your public key in the authorized_keys file.
This specifies that the command is executed whenever this key is used
for authentication. The command supplied by the user (if any) is
ignored.
command="<cmd>"
For added security, you can only allow the key to be used from a certain host using the from option.
Example: from="*.somenetwork.net,!pc.someothernetwork.net"
Other options you might consider turning off include: no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty
command="<cmd>",from="some.host.net",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty <public key here>
Here is a single command that adds options to the beginning of the
public key and pushes it to the remote machines authorized_keys.
echo 'command="<cmd>" ' `cat <whatever>.pub`|ssh user@remotemachine 'sh -c "cat - >>~/.ssh/authorized_keys;chmod 600 ~/.ssh/authorized_keys;"'
On some distros, you can use the ssh-copy-id program to install your public key in a remote machine's authorized_keys. It does much the same as above, cat'ing the key to the remote machine. If you don't specify a -i identity, ssh-copy-id will use ~/.ssh/id_rsa.pub. ssh-copy-id does not fix perms so you may still need to chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys; if you're perms aren't correct already.
shfs - mount a filesystem using ssh.
win-sshfs - mount ssh from windows!
SHFS
is a kernel module for linux that allows a user to mount a filesystem
remotely using only ssh. This is a wonderful module because I
love ssh access so much. It is wonderful because it allows you to
access your data remotely but securely.
Once you've installed it, all you've got to do is:
shfsmount --persistent -s user@host:/tmp /mnt/shfs
This mounts the /tmp directory on user@host to the local /mnt/shfs directory.
(-s expands remote symlinks, --persistent makes shfs more tolerant of connection problems)
Embed SSH in Browser
I'm looking into embedding a ssh client in the webbrowser. That would be awesome. Some possible clients are:
Mindterm - SSH java client
Using Mindterm - Cambridge uses it.
SSH for Java
keep that ssh connection alive
How to avoid SSH timeouts
TCPKeepAlive yes
KeepAlive yes
ClientAliveInterval 540
ClientAliveCountMax 99999
Fixing SSH login long delay | In just five minutes…
udpproxy
udpproxy allows you to tunnel UDP datagrams into a SSH tunnel with the help of NFQUEUE target from Netfilter. This enables easy selection of flow to be tunneled.
Projects | Vincent Bernat
vincentbernat/udpproxy - a Netfilter powered UDP proxy
Performing UDP tunneling through an SSH connection
Created: 2005-04-25 06:31:20
Modified: 2017-05-07 08:08:10
