Author Topic: Best Way To Transfer Files To The Z Over A Netwok  (Read 87862 times)

speculatrix

Best Way To Transfer Files To The Z Over A Netwok
« Reply #30 on: February 20, 2007, 01:58:06 pm »
Quote
you mention that
Quote
The advantage of using ping is that its much easier to set up the client - nearly every linux
...

which doesn't make sense to me: if you need hping2 as a client, because normal ping doesn't work, you cannot use ping on a guest computer

Nice web, btw

yeah, reading it now it's not 100% clear, I will clarify, thanks for that. I could say "surely all your friends' computers will be running linux by now"

thanks for +ve feedback.
Gemini 4G/Wi-Fi owner, formerly zaurus C3100 and 860 owner; also owner of an HTC Doubleshot, a Zaurus-like phone.

Da_Blitz

« Reply #31 on: February 20, 2007, 09:19:49 pm »
I don't believe that running ssh on a different port is worth the hassle; at the moment I am only getting ssh logins with no password attempts, I have max attempts set to 3. If I was really paranoid (basically I don't have the time at the moment) I would set up DenyHosts, but I have a feeling my public key login with 2048 bit keys should stand up to a bit of punishment

allow root logins = no of course
Personal Blog
Code
Twitter

Gemini Order: #95 (roughly)
Current Device: Samsung Chromebook Gen 3
Current Arm Devices Count: ~30
Looking to acquire: Cavium Thunder X2 Hardware

zmiq2

« Reply #32 on: February 21, 2007, 04:06:27 am »
And for the real paranoid, like me:

I have an SMS modem attached, so when receiving an SMS with a special SMS content then ssh is activated for a certain period and, if no one logs in, it deactivates itself again.

Of course, all other measures also apply: public keys only, with passphrase-enabled keys, no root, ...

I'm able to ssh into my servers using the Z and a Nokia E61 (3G with qwerty keyboard), using the Symbian PuTTY, which makes it very nice!
sl-c750, archos av580, socket cf [bt, wifi, modem], noname cf lan, audiovox rtm800 gsm-gprs cf, rom: sharp -> oz3.5.3 -> cacko -> oz3.5.4.1

speculatrix

« Reply #33 on: February 21, 2007, 04:42:46 am »
Quote
I don't believe that running ssh on a different port is worth the hassle, at the moment I am only [...]

well, it's a pretty trivial change to sshd_config, and you only need to add "-p" to the ssh command when connecting. Most importantly, there are occasional vulnerabilities found in openssl, libz and openssh, so although it's security by obscurity it can help, but should not be relied upon.

Quote
And for the real paranoid, like me:
I have an SMS modem attached, so when receiving an SMS with a special SMS content then ssh is activated for a certain period and, if no one logs in, it deactivates itself again.

that's a neat idea!

I notice no one seems to be running a VPN server. We have one at work, and all the "suits" use it for access to outlook/exchange, and all the techies use an ssh jump box with key-only auth. Speaks volumes

Da_Blitz

« Reply #34 on: February 22, 2007, 04:39:39 am »
actually I have a commercial SMS sender (basically a mobile phone in a box with a serial cable attached) that I could put to good use

SMS every time someone logs in

actually I signed up for that PayPal key program and looked into hacking it so I could use the OTP it generates as an additional requirement (ie USB flash disk with ssh keys and OTP needed to log in) but even though the crypto stuff is documented it cannot be used without PayPal's secret key (which they won't give up) and the timer value (hard to guess)

basically it's SHA1 used as an HMAC, then ASCII encoded and stripped of digits at the front and back to give you a 6 digit number

it's a shame as it would then make a cheap OTP device
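The construction described in the post (HMAC-SHA1 over a counter, truncated to a 6 digit number, with a time-based variant driven by a "timer value") is the standard HOTP/TOTP algorithm of RFC 4226 and RFC 6238. The block below is an added example, not code from the post or from PayPal's token, and it makes no claim about what PayPal's device actually does; it implements the RFCs so you can see the "stripped to 6 digits" step (dynamic truncation) and a server-side check with a resynchronisation window. The secret is the RFC 4226 Appendix D test vector, not a real token secret.

```python
import hashlib
import hmac
import struct
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation': the low nibble of the last MAC byte selects an
    offset, the 4 bytes there (top bit cleared) are read as an integer, and
    that is reduced modulo 10**digits and zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        ((mac[offset] & 0x7F) << 24)
        | (mac[offset + 1] << 16)
        | (mac[offset + 2] << 8)
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the same construction with floor(time / step) as the counter."""
    return hotp(secret, unix_time // step, digits)


def verify_hotp(secret: bytes, next_counter: int, candidate: str,
                look_ahead: int = 5) -> Optional[int]:
    """Server-side check with a resynchronisation window: accept the first
    counter in [next_counter, next_counter + look_ahead] whose code matches
    (constant-time compare) and return the counter to store for the next
    attempt, or None if nothing matched. An accepted counter is never reused."""
    for counter in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, counter), candidate):
            return counter + 1
    return None


# Shared secret from RFC 4226 Appendix D (published test vector, not a real token secret).
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
```

The look-ahead window is what lets a token that was pressed a few times without being used resynchronise; keeping it small bounds the number of codes an attacker can guess against at once, and storing `counter + 1` rather than the matched counter prevents replay of a code that was already accepted.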

Da_Blitz

« Reply #35 on: February 22, 2007, 06:16:10 am »
Well, I said I would write some more stuff so here it is

Create a file called config in your .ssh folder in your home dir and put the following in it

Code: [Select]
# catch-all section: ssh keeps the FIRST value it finds for each option,
# so this section must come AFTER any host-specific sections (see man ssh_config)
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression yes
Ciphers  aes256-cbc,blowfish-cbc

What this does (if you didn't work it out already) is set up the global options for every ssh connection (ie everything that has a hostname that matches *, see Host *). If you want to create a config for a specific machine you connect to, copy and paste this code again but rewrite the "Host *" line to "Host <yourhost addr>"; this can be handy to separate local and remote connections

a good example of this is
Code: [Select]
# host-specific sections go ABOVE the "Host *" section: ssh uses the first
# value it finds for each option, so a later section cannot override an earlier one.
# (ssh_config does not accept comments at the end of a line, so they are on their own lines here)
host 192.168.*
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
# note: turning off compression for local comms
Compression no
Ciphers  aes256-cbc,blowfish-cbc

# for connecting to the Z, no compression (kills cpu) and a less cpu intensive algorithm, great for usbnet, in fact for that you could use almost no encryption
# perhaps it's better to specify an ip address here, either way you will have to change it to whatever your Z uses
host zaurus
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression no
Ciphers  aes128-cbc,blowfish-cbc

there is some more info in "man ssh_config"

Anyway, back to the topic: ControlMaster is what allows re-sharing of an existing ssh connection. If you typed in a password and didn't set up public keys then this will automatically reuse an existing connection so you don't have to retype the password; ssh was designed to tunnel more than one connection over the one link, it's how the shell and port forwarding are implemented at the same time

So now that we have the reusable connections being built and torn down on demand (the "auto" option), the next line is to tell ssh where to look for the connections. I believe it defaults to /tmp but I put it in my .ssh folder as I know its permissions are secure (only I can read and write) so I don't have to worry about permissions. May have problems with NFS but YMMV

I think Compression=yes explains itself, it requests compression if the server supports it

And finally it's tightening of the ciphers used by ssh; these are universal algorithms that every modern kernel ships with. I believe that if you had problems it would be with a commercial ssh server that doesn't implement the cipher or a windows ssh server (I am not sure what cipher spec they support)

for those interested here is the default cipher spec in order of preference (left to right)
Code: [Select]
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
 arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
 aes192-ctr,aes256-ctr"

note the 3des and other lower security settings.

basically it's free security by turning on the harder to crack ciphers

that's all for today, next time it will be port forwarding with ssh and if I get it working "poor man's vpn: what to do with ssh and tap/tun or PPP"

if I ever get the server up I will show you how to set up openvpn as well
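The one thing the ssh_config tutorial above does not show is how ssh resolves an option when several Host sections match: it walks the file in order and keeps the first value it obtains for each keyword, so a "Host *" section placed at the top silently wins over a more specific section below it. The following is an added example, not code from the post or from OpenSSH: a small resolver for the subset of ssh_config the post uses (Host sections with glob patterns and plain "Keyword value" lines; Match, Include and the "Keyword=value" form are assumed away), run over the posted layout and over the same sections with the catch-all moved last. The sample configs are constructed for the example; the CBC ciphers in them are the post's choice and are no longer in OpenSSH's defaults, but the point here is option ordering, not cipher selection.

```python
import fnmatch
from typing import Dict, List, Tuple

Section = Tuple[List[str], Dict[str, str]]


def parse_ssh_config(text: str) -> List[Section]:
    """Parse a subset of ssh_config: 'Host <patterns>' headers followed by
    'Keyword value' lines. Keywords are case-insensitive and '#' lines are
    comments. Match, Include and 'Keyword=value' are not handled (assumption)."""
    sections: List[Section] = []
    patterns, options = ["*"], {}  # options before the first Host line apply to every host
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            sections.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options.setdefault(keyword, value)  # first value within a section wins too
    sections.append((patterns, options))
    return sections


def host_matches(host: str, patterns: List[str]) -> bool:
    """ssh_config Host matching: shell-style globs; a pattern starting with '!'
    negates, and a negated match excludes the host regardless of other patterns."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(host, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pattern):
            matched = True
    return matched


def effective_options(text: str, host: str) -> Dict[str, str]:
    """Resolve the options ssh would use for `host`: walk the sections in file
    order and keep the FIRST value obtained for each keyword (man ssh_config)."""
    resolved: Dict[str, str] = {}
    for patterns, options in parse_ssh_config(text):
        if host_matches(host, patterns):
            for keyword, value in options.items():
                resolved.setdefault(keyword, value)
    return resolved


# Constructed input: the layout the post suggests, catch-all section first.
AS_POSTED = """\
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression yes
Ciphers aes256-cbc,blowfish-cbc

Host zaurus
Compression no
Ciphers aes128-cbc,blowfish-cbc
"""

# Same sections with the host-specific block first and the catch-all last.
CORRECTED = """\
Host zaurus
Compression no
Ciphers aes128-cbc,blowfish-cbc

Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression yes
Ciphers aes256-cbc,blowfish-cbc
"""

if __name__ == "__main__":
    for label, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        opts = effective_options(cfg, "zaurus")
        print(f"{label:>10}: Compression={opts['compression']} Ciphers={opts['ciphers']}")
```

Running it shows that with the posted ordering the zaurus section's Compression and Ciphers are never used; with the catch-all last, the zaurus host gets its own values and still inherits ControlMaster and ControlPath from "Host *". The real client offers the same check with `ssh -G zaurus`, which prints the resolved configuration without connecting.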

Da_Blitz

« Reply #36 on: February 22, 2007, 06:21:48 am »
hmm sorry to spam but how interested is anyone in a hosted openvpn solution that's maintenance free (ssl certs and everything handled by someone else), you get your own private subnet to connect a few devices together from anywhere on the net and quite possibly a dns subdomain so you don't have to remember ip addresses to connect back to home

I have been thinking about it for a while and now have most of the infrastructure in place to offer it, bulk transfers are not allowed, ie don't use it to pull down a DVD from your house to your pda but ssh, getting files and email from home in a secure manner or cvs would be fine

if you want bulk transfers that's what the dns subdomain is for, just point it back to your house (dynamic ip OK) and transfer without going through me

zmiq2

« Reply #37 on: February 22, 2007, 07:10:57 am »
Hi,

I've been looking for a free encrypted proxy, so when connected over open wifi, I would always like to have all my connections go to the proxy encrypted, avoiding at least kismet sniffing.

The idea would be:

zaurus-wifi <-> secure tunnel for http, pop3, ssh <-> secure proxy <-> plain http pop3 ssh <-> server http, pop3, ssh

Would that fit into your scheme? What needs to be running on the Z ?

Capn_Fish

« Reply #38 on: February 22, 2007, 07:53:19 am »
All the software needed for SSHing comes installed with pdaXrom, I don't know about proxys.
SL-C750- pdaXrom beta 1 (mostly unused)
Current distro: Gentoo

speculatrix

« Reply #39 on: February 22, 2007, 10:47:03 am »
Quote
Hi,

I've been looking for a free encrypted proxy, so when connected over open wifi, I would always like to have all my connections go to the proxy encrypted, avoiding at least kismet sniffing.

The idea would be:

zaurus-wifi <-> secure tunnel for http, pop3, ssh <-> secure proxy <-> plain http pop3 ssh <-> server http, pop3, ssh

Would that fit into your scheme? What needs to be running on the Z ?

tunnel ports using ssh thus...

zaurus$ ssh -L80:mypc:80  -L 110:mypc:110 -L 8080:mypc:8080 mypc

the -L means listen on local port. Then you can see your home PC website on http://127.0.0.1, its pop3 server on 127.0.0.1:110 and set your proxy to be http://127.0.0.1:8080 (assuming your pc runs a proxy on 8080!)

it'd be more efficient to use pop3-ssl if you can. I have imap-ssl running at home, so I can do my email from anywhere.

HTH
Paul

speculatrix

« Reply #40 on: February 22, 2007, 11:41:36 am »
Quote
Well, I said I would write some more stuff so here it is

Create a file called config in your .ssh folder in your home dir and put the following in it

Code: [Select]
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression yes
Ciphers  aes256-cbc,blowfish-cbc

another useful addition to your $HOME/.ssh/config file:
Code: [Select]
Host zaurus
    User zaurus

to automatically connect to your Z as user zaurus and not your current username, saves having to type "ssh zaurus@myzaurus".

Da_Blitz

« Reply #41 on: February 23, 2007, 04:25:24 am »
it would be openvpn, so you would need an openvpn client; it's an ssl based vpn so you would see another interface (tap0) with an ip and a routing table

if you want all comms to go over it you would have to change the default route to the vpn connection

I'll reveal more details later, basically I have a server with bandwidth and I am not going to be using all of it so I thought that someone here might like some resources

that hosts trick is a neat idea, there are a couple of machines I need to try that on

Da_Blitz

« Reply #42 on: February 24, 2007, 02:12:55 am »
Ok todays tutorial is for advanced cyber elite hacker ninja monkey admins, what is it?

well this should show you how to store your ssh server's host key in its dns record so that ssh can automatically verify the authenticity of the machine, not so useful after the initial connection (where you type yes) but it's handy if you use machines that don't have your server's fingerprint a lot (eg tech support guys, contractor, student)

since this is a 10 minute hack it's worth it (10 minutes for you, I spent half a day getting it to work) so I thought I would pass on my knowledge to you. Note that you can also put your pgp keys in your dns record and have openpgp pull them from dns rather than a keyserver, eg peter.yourdomain.com with your pgp public key would be the key for the email address peter@yourdomain.com

anyway onto the howto  

prerequisites:
A dns server that you control the zone files on (the godaddy interface doesn't count, you really need to run your own dns server or be able to hack the zone files by hand)
ideally the dns server on a different machine and ip to the ssh server (it's a trust/hack thing)

anyway, locate the ssh server you wish to publish the keys for, I'll use my zone files to show off
Code: [Select]
; for bind less than 9.3
pocketnix.org.          A       203.12.2.248
                        TYPE44 \# 22 ( 02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5 )
                        TYPE44 \# 22 ( 0101950f1a8aa5162e0235be3c3e7bfbad5445d3f508 )
Code: [Select]
; for bind equal to or greater than 9.3
; (owner names end with a dot: without it the name is relative to $ORIGIN)
pocketnix.org.          A       203.12.2.248
pocketnix.org.          SSHFP   1 1 950f1a8aa5162e0235be3c3e7bfbad5445d3f508
pocketnix.org.          SSHFP   2 1 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5

the reason for the differing code is that the older bind doesn't have direct support for it (record type 44) but you can hack it to work by entering the packet type, then the raw payload in hex which is mostly auto-generated, I only had to add 2 0's

the program to generate the keys, or more accurately format the existing keys into dns records, is ssh-keygen -r <hostname>

first go to /etc/ssh, then enter ssh-keygen -r <hostname> where hostname matches the dns name of the PC; when prompted for a keyfile enter ssh_host_dsa_key.pub
and repeat for the rsa key (ssh_host_rsa_key.pub). This should have spat out a line of code that looks like the second example I gave; if you use bind >=9.3 then copy it to the zone file in the line below the host's A record

if you are using the older bind then it needs a bit of massaging, see the following steps
Code: [Select]
pocketnix.org IN SSHFP 2 1 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
remove "pocketnix.org IN SSHFP" so it becomes
Code: [Select]
2 1 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
add a 0 to the 2 and the 1 at the beginning (or both 1s for the rsa key)
Code: [Select]
02 01 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
remove spaces
Code: [Select]
02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
wrap in brackets with spaces
Code: [Select]
( 02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5 )
add TYPE44 \# 22 to the front
Code: [Select]
TYPE44 \# 22 ( 02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5 )
and finally add it underneath the host's A record. The reason for adding it underneath the host's A record is that we did not specify the host the key belongs to; by placing it under the A record it uses the last A record's owner name to work out who it belongs to

hope this helped, it's not your standard feature but for some people it adds a bit of security.

when you now login to the server for the first time it will say
Code: [Select]
The authenticity of host 'lookout.pocketnix.org (203.12.2.248)' can't be established.
RSA key fingerprint is e5:ec:ae:56:a0:75:56:b0:c2:07:d8:1d:d0:89:fd:d8.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?

see the "matching host key fingerprint found in DNS" bit? It comes in handy if you don't want to remember the fingerprints of every host

I also added this to my .ssh/config file
Code: [Select]
VerifyHostKeyDNS yes
this makes ssh check the dns entry by default, otherwise you have to do ssh -o "VerifyHostKeyDNS yes" <hostname> to get it to verify the keys (I suppose I should mention that at an earlier point)
« Last Edit: February 24, 2007, 02:14:27 am by Da_Blitz »
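The SSHFP howto above massages ssh-keygen output by hand; the structure it is building is simple enough to compute directly, which also makes the "\# 22" and the leading "0201"/"0101" bytes obvious. The block below is an added example, not the post's procedure or OpenSSH code: it takes an OpenSSH public key line, hashes the base64 key blob (that is what the SSHFP fingerprint is), and emits both the presentation form and the RFC 3597 generic TYPE44 form. It goes beyond the post by also handling SHA-256 fingerprints (type 2) and ECDSA/Ed25519 keys (algorithms 3 and 4), and it ends with a check of the kind VerifyHostKeyDNS performs. The sample keys are constructed toy blobs, not real host keys.

```python
import base64
import hashlib
import struct
from typing import List, Tuple

# SSHFP algorithm numbers (RFC 4255, RFC 6594, RFC 7479) by OpenSSH key type
KEY_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def decode_pubkey_line(pubkey_line: str) -> Tuple[str, bytes]:
    """Split an OpenSSH public key line ('<type> <base64 blob> [comment]') and
    check that the blob starts with a length-prefixed copy of the key type."""
    keytype, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type in blob does not match the line prefix")
    return keytype, blob


def sshfp_rdata(pubkey_line: str, fp_type: int) -> bytes:
    """Wire-format SSHFP RDATA: algorithm byte, fingerprint-type byte, digest of the key blob."""
    keytype, blob = decode_pubkey_line(pubkey_line)
    return bytes([KEY_ALGORITHMS[keytype], fp_type]) + FP_TYPES[fp_type](blob).digest()


def sshfp_records(owner: str, pubkey_line: str, fp_types=(1, 2)) -> List[str]:
    """Presentation-format records, the form ssh-keygen -r prints and BIND >= 9.3 accepts."""
    out = []
    for fp_type in fp_types:
        rdata = sshfp_rdata(pubkey_line, fp_type)
        out.append(f"{owner} IN SSHFP {rdata[0]} {rdata[1]} {rdata[2:].hex()}")
    return out


def sshfp_generic(owner: str, pubkey_line: str, fp_type: int = 1) -> str:
    """RFC 3597 generic form (TYPE44 \\# <length> <hex>) for servers without SSHFP support."""
    rdata = sshfp_rdata(pubkey_line, fp_type)
    return f"{owner} IN TYPE44 \\# {len(rdata)} ( {rdata.hex()} )"


def dns_matches_key(records: List[str], pubkey_line: str) -> bool:
    """The check VerifyHostKeyDNS makes in spirit: does any published
    presentation-format record match this key under either fingerprint type?"""
    wanted = {sshfp_rdata(pubkey_line, t).hex() for t in FP_TYPES}
    for rec in records:
        alg, fpt, digest = rec.split()[-3:]
        if bytes([int(alg), int(fpt)]).hex() + digest.lower() in wanted:
            return True
    return False


# --- constructed sample keys (toy values, NOT real host keys) ---
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(i: int) -> bytes:
    # RFC 4251 mpint: big-endian, with a leading zero byte if the top bit is set
    return _ssh_string(i.to_bytes((i.bit_length() + 8) // 8, "big"))


SAMPLE_RSA_LINE = "ssh-rsa " + base64.b64encode(
    _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE0DDBA5EBA11DEADBEEF00DFACE)
).decode() + " constructed-sample"

SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
).decode() + " constructed-sample"

if __name__ == "__main__":
    for rec in sshfp_records("pocketnix.org.", SAMPLE_RSA_LINE):
        print(rec)
    print(sshfp_generic("pocketnix.org.", SAMPLE_RSA_LINE))
```

The generic length is always 2 + digest size (22 for SHA-1, 34 for SHA-256), which is where the post's "\# 22" comes from. Publishing SSHFP only moves trust from the first-connection prompt to DNS: without DNSSEC, a resolver on a hostile network can be fed any fingerprint, which is why the client still prompts unless the answer was validated.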

Da_Blitz

« Reply #43 on: February 24, 2007, 08:36:09 pm »
sorry to spam but I might change my ssh port after all

Code: [Select]
dablitz@lookout:/var/log$ sudo cat auth.log | grep Illegal | head -n 1
Feb 20 16:20:53 xen610106 sshd[5908]: Illegal user router from 89.149.213.99
dablitz@lookout:/var/log$ sudo cat auth.log | grep Illegal | tail -n 1
Feb 24 22:36:17 lookout sshd[20078]: Illegal user gnax from 208.6.86.172
dablitz@lookout:/var/log$ sudo cat auth.log | grep Illegal | wc -l    
8749
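The grep/wc counts above answer "how many", but the decision DenyHosts-style tools make is "which sources, and how often". The following is an added example, not code from the post or from DenyHosts: it parses auth.log lines of the format shown above (older OpenSSH logs "Illegal user", newer releases "Invalid user"), counts probes per source address and per probed username, and produces the hosts.deny entries a blocklist tool would write once a source crosses a threshold. The log lines are constructed for the example, using RFC 5737 documentation addresses rather than the real sources from the post.

```python
import re
from collections import Counter
from typing import List, Tuple

# Older OpenSSH logs "Illegal user", newer versions "Invalid user"; both carry the
# probed username and the source address, which is what a DenyHosts-style tool keys on.
INVALID_USER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?:Illegal|Invalid) user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)

# Constructed sample in the same syslog format as the post (RFC 5737 addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Feb 20 16:20:53 lookout sshd[5908]: Illegal user router from 203.0.113.7
Feb 20 16:20:55 lookout sshd[5910]: Illegal user admin from 203.0.113.7
Feb 20 16:20:57 lookout sshd[5912]: Failed password for illegal user admin from 203.0.113.7 port 4012 ssh2
Feb 21 02:11:03 lookout sshd[7001]: Invalid user oracle from 198.51.100.23
Feb 21 02:11:05 lookout sshd[7003]: Invalid user test from 198.51.100.23
Feb 21 02:11:07 lookout sshd[7005]: Invalid user guest from 198.51.100.23
Feb 21 02:11:09 lookout sshd[7007]: Invalid user postgres from 198.51.100.23
Feb 22 09:00:00 lookout sshd[8000]: Accepted publickey for dablitz from 192.168.1.20 port 50122 ssh2
Feb 24 22:36:17 lookout sshd[20078]: Illegal user gnax from 203.0.113.99
"""


def summarize(log_text: str) -> Tuple[Counter, Counter]:
    """Count invalid-user probes per source IP and per probed username.
    The 'Failed password for illegal user' follow-up line is deliberately not
    counted again, so one probe is one hit."""
    by_ip: Counter = Counter()
    by_user: Counter = Counter()
    for line in log_text.splitlines():
        m = INVALID_USER_RE.match(line)
        if m:
            by_ip[m["ip"]] += 1
            by_user[m["user"]] += 1
    return by_ip, by_user


def deny_list(by_ip: Counter, threshold: int = 3) -> List[str]:
    """Sources at or above the threshold, most active first (ties by address)."""
    hits = [(ip, n) for ip, n in by_ip.items() if n >= threshold]
    return [ip for ip, _ in sorted(hits, key=lambda t: (-t[1], t[0]))]


def hosts_deny_lines(ips: List[str]) -> List[str]:
    """tcp_wrappers entries of the kind DenyHosts appends to /etc/hosts.deny
    (only effective if sshd was built with libwrap support)."""
    return [f"sshd: {ip}" for ip in ips]


if __name__ == "__main__":
    by_ip, by_user = summarize(SAMPLE_AUTH_LOG)
    print("probes per source:", by_ip.most_common())
    print("usernames tried:", by_user.most_common())
    print("\n".join(hosts_deny_lines(deny_list(by_ip))))
```

The threshold matters more than it looks: a single source that tries many usernames is the scanner profile, while one or two invalid-user lines from an address that later shows "Accepted publickey" is usually a typo by a legitimate user, so counting per source rather than in total avoids locking yourself out.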

zmiq2

« Reply #44 on: February 25, 2007, 05:34:06 am »
I think that what is most important is to have your ssh port down, or act as being down when not in use, so you escape from all those internet scanners.

You can do that by either moving to another port, installing port-knocking, and/or any other measure that hides your IP as much as possible from those scanners. Once you are on the list, you'll always have probes for new user/passwords or exploits as new versions are coming along, to check that you have upgraded.

My 0.02: avoid being included in the list of internet servers running ssh, even though all other ssh settings must be properly set up as well.
« Last Edit: February 25, 2007, 05:35:19 am by zmiq2 »