> Best Way To Transfer Files To The Z Over A Network
speculatrix
post Feb 25 2007, 02:53 PM
Post #46
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

QUOTE(zmiq2 @ Feb 25 2007, 11:34 AM)
I think that what is most important is to have your ssh port down, or act as being down when not in use, so you escape from all those internet scanners.

Note: being "down" means dropping the request, not rejecting. Rejecting will imply to a hacker that there is something there but protected, as they will get a response to their probe. Dropping means there'll be no response at all, so it will require them to sit and wait for a timeout, and it is much harder to "fingerprint" the host.
Da_Blitz
post Mar 4 2007, 05:52 PM
Post #47
Group: Members
Posts: 1,565
Joined: 7-April 05
From: Sydney, Australia
Member No.: 6,806

I have been fiddling with my config file to auto connect to a different port based on the host and it seems to work well. Next is to set up a port knock approach; anyone know how to get ssh to automate this, or do I have to manually launch it every time I want to ssh in?
speculatrix
post Mar 5 2007, 02:12 AM
Post #48
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

QUOTE(Da_Blitz @ Mar 5 2007, 02:52 AM)
I have been fiddling with my config file to auto connect to a different port based on the host and it seems to work well. Next is to set up a port knock approach; anyone know how to get ssh to automate this, or do I have to manually launch it every time I want to ssh in?

in your system firewall scripts, e.g. /etc/init.d/firewall, DON'T permit ssh from everywhere, only from places you can always trust; simply DROP all ssh incoming, e.g.

CODE
iptables -A INPUT -s 0/0 -p tcp --dport 22 -j LOG --log-prefix=" drop all ssh inbound"
iptables -A INPUT -s 0/0 -j DROP

in the download tar.gz, there are scripts for opening up ssh when the appropriate ping is received; basically it looks like this:

CODE
iptables -I INPUT -s $PINGORIGIN -p tcp --dport 22 -j ACCEPT

when the daemon times out the connection:

CODE
iptables -D INPUT -s $PINGORIGIN -p tcp --dport 22 -j ACCEPT

you can add what you want to this script, e.g. to allow in http, proxy, imap-ssl or pop3-ssl. NOTE! this doesn't provide connectivity security, it's not a VPN (ok, you know this, but I wanted to remind you), so you still need to guard against someone on the local LAN (especially wireless) sniffing for passwords and cookies!

the daemon writes to syslog too so you can see what's going on.
speculatrix
post Mar 5 2007, 02:19 AM
Post #49
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

p.s. you also need to add the barricade startup script to /etc/init.d and put links in /etc/rc3.d and /etc/rc5.d
p.p.s. I would do an rpm but it's not really my package, I simply fixed up an existing program, and also it's really a one-off thing you'd set up, and to be useful requires so much customisation it'd be hard work to make an all-encompassing feature set!
Da_Blitz
post Mar 6 2007, 12:17 AM
Post #50
Group: Members
Posts: 1,565
Joined: 7-April 05
From: Sydney, Australia
Member No.: 6,806

ne rpm is fine as it's a Debian server :) however I was thinking more along the lines of the port knocker program that requires a port combination to unlock and update the firewall for your host only
speculatrix
post Mar 6 2007, 02:33 AM
Post #51
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

QUOTE(Da_Blitz @ Mar 6 2007, 09:17 AM)
ne rpm is fine as it's a Debian server :) however I was thinking more along the lines of the port knocker program that requires a port combination to unlock and update the firewall for your host only

you could adapt that program to listen on a range of tcp ports; or, just google for port knocking and download one of the other solutions and build it.
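Added example for posts #48 through #51 (not the barricade script, speculatrix's ping daemon, or any other poster's code): the "listen on a range of tcp ports" idea from #51, done without listening sockets at all. The firewall is assumed to log inbound SYNs before dropping them (the LOG rule with the "knock: " prefix, the knock sequence, the timing values and the sample log lines are all constructed for this example); a daemon tails syslog, hands each line to the tracker, and runs the same `iptables -I` / `iptables -D` commands #48 shows once a source has hit the ports in order within the window. The source address is validated before it is put into a command, so a forged SRC field in a log line cannot smuggle extra arguments into iptables.

```python
"""Port-knock tracker driven by iptables LOG lines.

Added example for this thread; it is not the barricade script, speculatrix's
ping daemon or any other poster's code.  It assumes the firewall logs inbound
SYNs on the knock ports before dropping them, with a rule of the form
(constructed for this example):

    iptables -A INPUT -p tcp --syn -j LOG --log-prefix="knock: "

A daemon would tail the log, hand each line to KnockTracker.feed() and run
the iptables commands it returns.  The knock sequence, timing and sample log
lines below are constructed values.
"""
import ipaddress
import re
import time

# Pull the source address and destination port out of a netfilter LOG line.
LOG_RE = re.compile(r"knock: .*?SRC=(?P<src>[0-9.]+) .*?DPT=(?P<dpt>\d+)")


class KnockTracker:
    def __init__(self, sequence, ssh_port=22, window=10.0, lease=60.0):
        self.sequence = list(sequence)  # knock ports, in order
        self.ssh_port = ssh_port
        self.window = window            # seconds allowed to finish the sequence
        self.lease = lease              # seconds the ACCEPT rule stays in place
        self.progress = {}              # src -> (next index, deadline)
        self.leases = {}                # src -> expiry time

    def _rule(self, action, src):
        # Only a validated IPv4 literal is ever interpolated into the command,
        # so a forged SRC field cannot smuggle extra arguments into iptables.
        ipaddress.IPv4Address(src)
        return (f"iptables -{action} INPUT -s {src} -p tcp "
                f"--dport {self.ssh_port} -j ACCEPT")

    def expire(self, now):
        """Return the delete commands for leases that have run out."""
        cmds = []
        for src, expiry in list(self.leases.items()):
            if now >= expiry:
                del self.leases[src]
                cmds.append(self._rule("D", src))
        return cmds

    def feed(self, line, now=None):
        """Consume one log line; return the iptables commands to run (usually none)."""
        now = time.time() if now is None else now
        cmds = self.expire(now)
        m = LOG_RE.search(line)
        if not m:
            return cmds
        src, dpt = m.group("src"), int(m.group("dpt"))
        try:
            ipaddress.IPv4Address(src)
        except ValueError:
            return cmds                 # garbage SRC field: ignore the line
        idx, deadline = self.progress.get(src, (0, now + self.window))
        if now > deadline:
            idx, deadline = 0, now + self.window   # too slow: start over
        if dpt == self.sequence[idx]:
            idx += 1
        else:
            # A wrong port resets the sequence; it may itself be a fresh first knock.
            idx = 1 if dpt == self.sequence[0] else 0
            deadline = now + self.window
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            if src not in self.leases:
                cmds.append(self._rule("I", src))
            self.leases[src] = now + self.lease    # renew an existing lease
        else:
            self.progress[src] = (idx, deadline)
        return cmds


# Constructed log lines: (seconds since start, syslog line as the kernel would write it).
SAMPLE_LOG = [
    (0.0, "kernel: knock: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40001 DPT=7000 SYN"),
    (1.0, "kernel: knock: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40002 DPT=8000 SYN"),
    (2.0, "kernel: knock: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP SPT=40003 DPT=9000 SYN"),
    (3.0, "kernel: knock: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5001 DPT=7000 SYN"),
    (4.0, "kernel: knock: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5002 DPT=9000 SYN"),
    (5.0, "kernel: knock: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=TCP SPT=5003 DPT=8000 SYN"),
    (70.0, "kernel: knock: IN=eth0 OUT= SRC=10.0.0.1 DST=192.0.2.1 PROTO=TCP SPT=6000 DPT=1234 SYN"),
]


def run_demo():
    """Replay SAMPLE_LOG; only the host that knocked in order gets a lease, and it expires."""
    tracker = KnockTracker([7000, 8000, 9000])
    commands = []
    for ts, line in SAMPLE_LOG:
        commands.extend(tracker.feed(line, now=ts))
    return commands


if __name__ == "__main__":
    for cmd in run_demo():
        print(cmd)
```

In the replay, 203.0.113.7 knocks 7000, 8000, 9000 in order and gets an ACCEPT rule inserted; 198.51.100.9 sends the same ports out of order and gets nothing; the lease for the first host is deleted again when the next log line arrives after the 60 second lease. A real daemon would run each returned command with `subprocess.run(shlex.split(cmd))`, and the knock ports themselves should be ones the host otherwise drops, so the LOG rule is the only thing that sees them.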
Capn_Fish
post Mar 14 2007, 02:39 PM
Post #52
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

I'm having issues again. I have been copying the id_dsa and id_dsa.pub files over each time I reflash my Z, but all of a sudden, it didn't work. I figured I'd just generate new keys, so I did. I copied the new id_dsa.pub file over to /home/user/.ssh/authorized_keys on my server and restarted sshd. I now try to login and it says "Permission denied (publickey)". I have id_dsa in /home/root/.ssh (I run as root). What is the issue? Before I would get a password prompt, but now it doesn't seem to recognize that the id_dsa file exists.
speculatrix
post Mar 14 2007, 03:22 PM
Post #53
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

check that the home directory and the .ssh directory are only writable by the person who should own them, i.e. no group+other write.

I always do "chmod -R go= .ssh" when I've set things up.
Capn_Fish
post Mar 14 2007, 03:53 PM
Post #54
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

No joy. I have it set so I have read, write, and execute and group and other has only read on my Z and same except no read for group/other on the host. The same thing happens.

Any other ideas?
desertrat
post Mar 14 2007, 09:14 PM
Post #55
Group: Members
Posts: 742
Joined: 15-October 05
From: Gulag, Siberia
Member No.: 8,322

QUOTE(Capn_Fish @ Mar 14 2007, 11:53 PM)
No joy. I have it set so I have read, write, and execute and group and other has only read on my Z and same except no read for group/other on the host. The same thing happens.

The files inside ~/.ssh need to be rw for the user and nothing for group and other.
Capn_Fish
post Mar 15 2007, 10:29 AM
Post #56
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

Still nothing.

I'm supposed to get a prompt for the password of id_dsa whether it is being used or not, correct?
speculatrix
post Mar 15 2007, 02:53 PM
Post #57
Group: Admin
Posts: 3,281
Joined: 29-July 04
From: Cambridge, England
Member No.: 4,149

use "ssh -v" and it should give you a hint. look at "dmesg | tail" or "tail /var/log/messages" or "tail /var/log/auth*" on the "receiving" machine.
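Added example covering the permission advice in #53 and #55 and the "look at the logs" advice in #57 (not code from any poster): a small checker that applies the rules sshd's StrictModes and the ssh client enforce, so the "Permission denied (publickey)" in #52 can be diagnosed without reading auth logs. The demo builds a throwaway home directory with constructed bad modes; the directory layout and the list of private key file names are assumptions of this example.

```python
"""Permission check for ~/.ssh in the spirit of sshd's StrictModes.

Added example, not code from this thread.  sshd refuses public-key logins
when the home directory, ~/.ssh or authorized_keys can be written by group
or other, and the ssh client refuses to use a private key that anyone but
its owner can read.  check_ssh_perms() walks one home directory and returns
(relative path, suggested chmod) for every file that breaks those rules;
run_demo() builds a throwaway home directory with constructed bad modes.
"""
import os
import shutil
import stat
import tempfile

GO_WRITE = stat.S_IWGRP | stat.S_IWOTH      # group or other may write
GO_ANY = stat.S_IRWXG | stat.S_IRWXO        # group or other may do anything
PRIVATE_KEYS = {"id_dsa", "id_rsa", "id_ecdsa", "id_ed25519"}  # assumed default names


def check_ssh_perms(home):
    """Return [(path relative to home, fix)] for each permission problem found."""
    problems = []
    ssh_dir = os.path.join(home, ".ssh")
    for path in (home, ssh_dir):            # the directories themselves
        if os.stat(path).st_mode & GO_WRITE:
            problems.append((os.path.relpath(path, home), "chmod go-w"))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode
        rel = os.path.relpath(path, home)
        if name == "authorized_keys" and mode & GO_WRITE:
            problems.append((rel, "chmod go-w"))
        if name in PRIVATE_KEYS and mode & GO_ANY:
            problems.append((rel, "chmod 600"))   # rw for the user, nothing for group/other
    return problems


def run_demo():
    """Build a constructed home directory with two mistakes and report them."""
    home = tempfile.mkdtemp()
    try:
        ssh_dir = os.path.join(home, ".ssh")
        os.mkdir(ssh_dir, 0o700)
        for name, mode in (("authorized_keys", 0o600),
                           ("id_dsa", 0o644),        # private key world-readable: wrong
                           ("id_dsa.pub", 0o644)):   # public half may be readable
            path = os.path.join(ssh_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not a real key\n")
            os.chmod(path, mode)
        os.chmod(home, 0o775)               # home directory group-writable: wrong
        return check_ssh_perms(home)
    finally:
        shutil.rmtree(home)


if __name__ == "__main__":
    for rel, fix in run_demo():
        print(f"{rel}: {fix}")
```

Run against a real account with `check_ssh_perms(os.path.expanduser("~"))`; the same two findings are what `ssh -v` reports as an ignored key ("bad permissions") on the client and what sshd logs as "Authentication refused: bad ownership or modes" on the server, which is why "chmod -R go= .ssh" from #53 clears most of them in one go.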
Capn_Fish
post Mar 15 2007, 03:11 PM
Post #58
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

I don't see anything related to accepting or dropping a request.

I'm thinking it's an issue on the Z (client) end, as I'm using the same sshd_config that I was using and that worked.

Any other ideas?

Thanks for your help.

EDIT: I've been using the command

CODE
ssh -p xxx xxx.xxx.xxx.xxx

where xxx and xxx.xxx.xxx.xxx are replaced by the port and the host IP respectively.
desertrat
post Mar 15 2007, 03:36 PM
Post #59
Group: Members
Posts: 742
Joined: 15-October 05
From: Gulag, Siberia
Member No.: 8,322

QUOTE(Capn_Fish @ Mar 15 2007, 11:11 PM)
EDIT: I've been using the command
CODE
ssh -p xxx xxx.xxx.xxx.xxx

Could you tell us what exactly you're trying to do? AFAICT you're trying to setup an automated ssh login (using keys), in which case the command you need is something like:

CODE
ssh -i ~/.ssh/some.key user@example.com
Capn_Fish
post Mar 15 2007, 03:47 PM
Post #60
Group: Members
Posts: 2,350
Joined: 30-July 06
Member No.: 10,575

I am trying to get my setup back to the point where I have my Ubuntu server blocking all requests to ssh in except from the holder of the correct id_dsa file (my Z). I had it setup in this way and was using it to copy files between the server and my Z, but after reflashing my Z I can't get it to work again.

Basically, I'm trying to set up a secure ssh connection between my Z and an Ubuntu box using dsa keys for authentication.

Anything else you need to know?