From 07bedee34d9ded6f86904c7e4b4e02464ff8cb14 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Thu, 15 Sep 2016 00:47:34 +0100
Subject: added tools
---
tools/openssh.html | 305 +++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 305 insertions(+)
create mode 100644 tools/openssh.html
(limited to 'tools/openssh.html')
diff --git a/tools/openssh.html b/tools/openssh.html
new file mode 100644
index 0000000..53ca007
--- /dev/null
+++ b/tools/openssh.html
@@ -0,0 +1,305 @@
+ + + + + 1. OpenSSH + + + Tools Index +

1. OpenSSH

+ +

OpenBSD Secure Shell, is a suite of security-related + network-level utilities based on the SSH protocol, + which help to secure network communications via the + encryption of network traffic over multiple authentication + methods and by providing secure tunneling capabilities.

+ +

1.1. Server

+ +

Crux openssh port install this files to etc;

+ +
+        $ pkginfo -l openssh
+        etc/rc.d/sshd
+        etc/ssh/moduli
+        etc/ssh/ssh_config
+        etc/ssh/sshd_config
+        
+ +

User commands;

+ +
+        usr/bin/scp
+        usr/bin/sftp
+        usr/bin/slogin
+        usr/bin/ssh
+        usr/bin/ssh-add
+        usr/bin/ssh-agent
+        usr/bin/ssh-keygen
+        usr/bin/ssh-keyscan
+        
+ +

More information about sshd in man;

+ +
+        $ man sshd
+        
+ +

1.1.1. Configure Server

+ +

Read OpenSSH server + Best Security Practices, + This example uses 2222 port to avoid + "default" port, edit /etc/ssh/sshd_config;

+ +
+        #Port 22
+        Port 2222
+        
+ +

By default ssh will listen on all local addresses, to restrict + to a specific ip edit;

+ +
+        #AddressFamily any
+        AddressFamily inet
+        #ListenAddress 0.0.0.0
+        #ListenAddress 192.168.1.254
+        #ListenAddress ::
+        
+ +

Authentication settings;

+ +
+        # Authentication:
+
+        #LoginGraceTime 2m
+        LoginGraceTime 1m
+        #PermitRootLogin prohibit-password
+        PermitRootLogin no
+        #StrictModes yes
+        #MaxAuthTries 6
+        MaxAuthTries 3
+        #MaxSessions 10
+        
+ +

Restrict AllowUsers, AllowGroups that can login;

+ +
+        #RSAAuthentication yes
+        #PubkeyAuthentication yes
+
+        AllowGroups admin users gitolite
+        
+ +

Disable interactive-keyboard and password login;

+ +
+        # To disable tunneled clear text passwords, change to no here!
+        #PasswordAuthentication yes
+        PasswordAuthentication no
+        #PermitEmptyPasswords no
+
+        # Change to no to disable s/key passwords
+        #ChallengeResponseAuthentication yes
+        ChallengeResponseAuthentication no
+        
+ +

Make sure PAM is disable or above settings can be + overridden. Set banner;

+ +
+        # no default banner path
+        #Banner none
+        Banner /etc/issue
+        
+ +

Iptables;

+ +

Example of iptable script

+ +
+        $IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+        $IPT -A INPUT  -i ${PUB_IF} -p tcp --dport 2222 --sport 1024:65535 -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
+        $IPT -A OUTPUT -o ${PUB_IF} -p tcp --sport 2222 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
+        
+ +

Change SyslogFacility in accordance with syslog-ng configuration;

+ +
+        # Logging
+        # obsoletes QuietMode and FascistLogging
+        #SyslogFacility AUTH
+        SyslogFacility LOCAL1
+        #LogLevel INFO
+        LogLevel VERBOSE
+        
+ +

Example rule for syslog-ng;

+ +
+        destination d_sshd { file("/var/log/sshd"); };
+        filter f_sshd { facility(local1); };
+        log { source(s_log); filter(f_sshd); destination(d_sshd); };
+        
+ +

Deny login for root, limit max sessions to 3 if you have limited + resources and only allow 3 failed logins;

+ + +

Start sshd server;

+ +
+        # sh /etc/rc.d/sshd start
+        # ss -f inet -l -p | grep ssh
+        
+ +

1.2. Client

+ +

To create new key;

+ +
+        $ ssh-keygen -t rsa
+        
+ +

By default this creates two files;

+ +
+        ~/.ssh/id_rsa       : identification (private) key
+        ~/.ssh/id_rsa.pub   : public key
+        
+ +

Default uses id_rsa and id_rsa.pub as output files in + this example we will create keys for gitolite admin so we + name output as gitolte;

+ +
+        $ ssh-keygen -t rsa -f ~/.ssh/gitolite
+        
+ +

Set correct permissions;

+ +
+        $ chmod 700  ~/.ssh
+        $ touch ~/.ssh/authorized_keys
+        $ chmod 600 ~/.ssh/authorized_keys
+        $ chmod 600 ~/.ssh/gitolite
+        
+ +

1.2.1. Install Public Keys

+ +

Send gitolite.pub public key to server. In this example + bob (administrator of gitolite) is on same host, + first copy is public key to admin home directory;

+ +
+        # install -o admin -g admin /home/bob/.ssh/gitolite.pub /home/admin/.ssh/gitolite.pub
+        
+ +

If the server is on remote a remote machine;

+ +
+        $ scp /home/bob/.ssh/gitolite.pub admin@nark.biz.tm:/home/admin/.ssh/
+        bob@nark.biz.tm's password:
+        gitolite.pub                              100%  390     0.4KB/s   00:00
+        
+ +

In case of bob public key for normal ssh login, admin can + add his public key to authorized keys;

+ +
+        $ cat bob_rsa.pub >> ~/.ssh/authorized_keys
+        
+ +
+        $ ssh -P 2222 bob@remote.org
+        
+ +

1.2.2. Configure Identities

+ +

When you have multiple accounts/identities you + can configure ssh client so you dont need to give + -i flag. Create or edit ~/.ssh/config

+ +
+        Host admin
+            Hostname nark.biz.tm
+            IdentityFile ~/.ssh/id_rsa
+            Port 2222
+            User admin
+
+        Host gitolite
+            Hostname nark.biz.tm
+            IdentityFile ~/.ssh/gitolite
+            Port 2222
+            User gitolite
+
+        Host box
+            Hostname nark.biz.tm
+            IdentityFile ~/.ssh/id_rsa
+            Port 2222
+            User bob
+
+        Host devbox
+            Hostname nark.biz.tm
+            IdentityFile ~/.ssh/id_rsa
+            Port 2222
+            User gitolite
+        
+ +

Now you can just type;

+ +
+        $ ssh box
+        
+ +

On remote start tmux + and detach from the session with ctrl + b d

+ +

Create alias on ~/.profile;

+ +
+        alias boxtmux="ssh servername -t tmux a"
+        
+ +

Source it and attach to remote;

+ +
+        $ boxtmux
+        
+ +

Logout just detach from session with ctrl + b d

+ +

1.3. Reverse connection

+ +

This information is inspired by + Reverse SSH connections + and implement the update from SSH all the time, + +

Simple way, run this command on the machine you want to + access (server);

+ +
+        $ ssh -f -N -R 2222:localhost:22 user@laptop
+        
+ +

This creates a connection from server to client, client will listen + on 2222 port and forward requests to the server as they are on localhost + on port 22.

+ +
+        wget http://github.com/mikeymckay/reverse_ssh_tunnel/raw/master/setup_reverse_tunnel.sh
+        chmod +x ./setup_reverse_tunnel.sh
+        sudo ./setup_reverse_tunnel.sh
+        
+ + Tools Index +

This is part of the c9-doc Manual. +Copyright (C) 2016 +Silvino Silva. +See the file Gnu Free Documentation License +for copying conditions.

+ + + + -- cgit 1.4.1-2-gfad0
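Review bot: The client example `$ ssh -P 2222 bob@remote.org` in the "Install Public Keys" section uses the wrong flag: ssh takes the port with lowercase `-p` (uppercase `-P` is the scp flag), so the line as written fails and should read `$ ssh -p 2222 bob@remote.org`. The "Reverse connection" section ends by fetching `setup_reverse_tunnel.sh` over plain http and running it with `sudo` with no integrity check; the note should at least switch the URL to https, pin a specific commit rather than `master`, and tell the reader to inspect the script before executing it as root. The sentence "Make sure PAM is disable or above settings can be overridden" shows no corresponding config line; adding `UsePAM no` to the quoted sshd_config block would make the instruction actionable. The iptables sample also only allows `--sport 1024:65535`, which the surrounding prose never explains; a one-line comment on that restriction would help readers who adapt it.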