OESF Portables Forum
Everything Else => General Support and Discussion => Zaurus General Forums => Archived Forums => Security and Networking => Topic started by: Capn_Fish on February 14, 2007, 08:52:26 am
-
I have an Ubuntu box with no monitor that I control with VNC from my Zaurus. I would like to be able to easily transfer files from there to my Z in a secure manner. What would be the best way of doing this?
Thanks.
-
The most convenient way is IMHO to use Samba directory sharing.
daniel
-
I have an Ubuntu box with no monitor that I control with VNC from my Zaurus. I would like to be able to easily transfer files from there to my Z in a secure manner. What would be the best way of doing this?
Thanks.
My tool of choice is rsync + ssh. Works like a charm and no need to mount.
(Btw: Are there fuse and sshfs for the Z?)
-
Any good how-tos for ssh & rsync? Or can you provide one?
Thanks!
EDIT: I've tried to set up Samba in the past, and it seems to be difficult (or I was just being stupid), so I'm not really looking at that.
EDIT2: How does using rsync and ssh work?
-
(Btw: Are there fuse and sshfs for the Z?)
yes, I used it just recently on OpenZaurus. To mount connections on the Z should just work OOTB IIRC. To mount your Z on another box you need to "enhance" dropbear with the openssh-sftp package.
-
"ipkg install rsync"
then on desktop
rsync -r -v -z /dir/dir/ 192.168.129.201:/dir2/dir2
stick in a "-n" to not actually do the copy beforehand just to make sure nothing's going to go wrong.
"man rsync" or "rsync --help" is your friend.
-
what's the difference, apart from only uploading the changes, to using rsync over scp or sftp in this type of environment? we are talking about high bandwidth links here so there is really no need to upload changes, a dumb copy would be fine
or am I missing something here?
-
I have an Ubuntu box with no monitor that I control with VNC from my Zaurus. I would like to be able to easily transfer files from there to my Z in a secure manner. What would be the best way of doing this?
Use ssh, and if you use KDE it's as simple as typing:
sftp://username@ip.address.of.zaurus/
into konqueror to browse your Z filesystem.
-
What do I need to set up on Ubuntu? I set up the /etc/rsyncd.conf.
-
What do I need to set up on Ubuntu? I set up the /etc/rsyncd.conf.
you don't need to set anything up on the PC side... ok, quick tutorial. rsync is a bit like "scp -prd", only it's a lot more intelligent - it can be told to ignore existing files (by checking size and date or using a checksum /slower/)
When invoked, it talks to rsync on the remote host either because the remote host is running rsync as a daemon OR by ssh'ing to it and running it.
So, on the ubuntu side, no need to run rsync as daemon. So long as when you ssh into zaurus rsync is in the path it will work. Or vice versa. Generally rsync is in /bin or /usr/bin and is virtually guaranteed to work.
So, use the "-n" /dryrun/ option just to be sure.
rsync has a HUGE number of options but they are fairly clearly explained.
-
personally, i think scp is the easiest and most secure.
-
personally, i think scp is the easiest and most secure.
er, rsync uses ssh as the default connection channel, so it's as secure as scp but more powerful.
you can use rsync as a daemon. you could also do rsync over plain telnet. both would be unencrypted.
you can also use tar, e.g. use compression to copy a directory from one machine to another using an ssh secure channel
cd /mydir; tar cf - . | gzip | ssh otherhost "cd /newdir; gunzip | tar xf -"
the advantages of tar and rsync are that they understand symlinks better; tar also preserves ownership and protection but doesn't know not to copy an existing file.
--edit--
oops, I forgot the gunzip on the target, added explanatory comment
-
To be honest, I don't need power or the ability to preserve symlinks. All I want is the ability to simply copy one file over a LAN from Ubuntu to my Z with minimal set-up time.
Is SCP or RSync easier to set up for this?
-
To be honest, I don't need power or the ability to preserve symlinks. All I want is the ability to simply copy one file over a LAN from Ubuntu to my Z with minimal set-up time.
Is SCP or RSync easier to set up for this?
scp... just scp yourfile root@host:/where you want it
example... scp test.txt root@192.168.1.45:/home/root/
or scp test.txt 192.168.1.45:
if you just want to copy that file, you already have the same user name as the one on the destination, and you want it just to go to the user's home dir.
Late
-
I've got an ssh connection working as well as scp. I'm now trying to figure out how to block all attempts to ssh into my Ubuntu box except from my Zaurus. All of the documentation I've found seems to be a bit vague, but it seems to indicate that all that is involved is moving some authentication keys around. What exactly do I need to do (starting from getting the connection working)? If it's too much to explain, could you point me to some good documentation?
Thanks!
-
firewalling is your best option if it's by IP address, but I use and recommend public key crypto for this
give yourself about 30 mins and read up on it, set it up on your ubuntu box and you will find that you will never use the user:pass combo again
I use passwords on my private keys so that I can keep them on a flash disk, so I also use ssh-agent, which is great once you work out that to execute it you run eval `ssh-keychain`
that won't work on multiple shells; if you want something that will allow you to use your ssh keys for every xterm you open then I recommend getting a prog named keychain and using that. gentoo has the best docs on their page for it (they wrote it), but it helps preserve the settings between shell launches. you might have to add it to your bashrc file
just ignore my rambling, the best reason to use it is that I only have to type my password for my private keys once and then every ssh session is passwordless or can optionally pop up a dialog box asking for permission under X
would anyone like me to start up a thread on ssh? I have found some stuff recently that is little used (such as connection sharing, which speeds up the login delay to under a second) and proper key management/generation and such + how to disable all authentication methods but public key and optionally krb5 while still using PAM for session management and accounting (normally you have to leave passphrase authentication on to do this)
-
That's exactly what I want to do. You get a new key every time you open a terminal? Or is that just for moving your key around to different computers? I'm assuming that it is, because it seems that the Z only generates an rsa/dsa key pair the first time it boots after flashing.
Could somebody just tell me what file/strings I need to copy from where to where? I sadly haven't really gleaned that info yet.
Thanks.
-
the rsa/dsa key generation is only for identifying the host, not for logging in
to log in you need to generate a key and put half of it (the public half) on the server you want to log into and the rest (the private part) somewhere safe.
I put my keys on a flash disk. this is not that safe as anyone can read a flash disk when it's plugged in (unless you tweak /proc/usb for a multihead setup so that some users get access to some usb ports, I haven't tested that). I do keep them encrypted so that they need to be decrypted in ram, so that no one else can just copy them off unless they are root. they could do an offline attack however but that's beyond the scope of this post
so you want to generate an rsa key pair. well, go somewhere on your fs that's "clean" or create a folder and change your current dir to there (cmd line here) and run ssh-keygen.
follow the prompts. I recommend you change the name. it isn't a requirement but I don't want to clobber my keys in the future. I also generate a different key for each host I use, however the added benefits of this are slight. it doesn't cost me however so I do it. I'll come back to that later
well, I suppose you entered a name instead of a path for the keyfile, which is what you would want if you want the files in the current directory. if not, for the rest of this tut the keys are in the .ssh folder in your /home dir
now the fun part. you have to get the <key file>.pub to your Z somehow. easiest way is to log in via ssh like this: cat <path to public key> | ssh <user>@<host> "touch ~/.ssh/authorized_keys && cat >> ~/.ssh/authorized_keys"
what I did is cat the public key, pipe that as standard input to ssh. on the Z what happens is ssh logs in, creates the authorized keys file if it's not been created and takes the standard input from the box you are working on and adds it to the allowed keys list for this user
congratulations, you are now half way there
ok, now you have to execute "eval `ssh-agent`" (note the backticks, we need a shell for ssh-agent) OR "eval $(ssh-agent)" which is the posix version (it's a history lesson, kids)
this launches an authentication proxy for you. its goal is to collect your ssh keys and store them. not that handy if you didn't put a password on your key (shame on you) but really handy if you did, as you only have to type the pass once.
add the private key with ssh-add <path to private key> (the one without .pub).
now ssh into your box. it shouldn't ask for a password
this is just stage one. you can take it further if you want and I am willing to write the guides if someone wants it. as I have stated before it mainly increases security by disabling 3des encryption and using blowfish or AES-256-cbc, adds session sharing (poor man's ssh-agent and faster login times as well as fewer connections) and compression of everything that goes through the link (best on slow WANs, some people like to only do it manually but I figure it doesn't hurt unless you are doing file transfer to something without much cpu grunt like the Z over usb)
also a guide to allowing public key logins and hardening your ssh server could be written too if I am up to it and there is demand
now back to some issues, I use 1 key per server. you can use the one id for every server if you wish, however I like it my way as when I am on a windows PC I can give it only the certs I need to get the job done, so if someone reads its mem they won't get all the keys
the other reason is that it makes ssh-agent proxying a lot safer: if you create a separate ssh-keychain instance with only node B and node C (if you are on A and can only see B but B can see C) then you only add 2 keys and you can enable forwarding to your heart's content knowing that not every server you can connect to will be compromised if someone has hacked that box (as only B and C's keys have been put on the keychain)
just a quick word about the proxy thing, that means when you log into B from A, B can reuse the ssh-keychain and the keys on its keychain to log into C without a password; if the keys to D were on it and the box got hacked then someone with your privs or root could then tell an ssh session to authenticate to the ssh-agent on A to log into D
confused? I know I was. it clicks once you have mastered the basics
you might want to try X forwarding, add -X to your ssh prog (ie ssh -X <user>@<host>). now any X app on your Z will run on your PC's monitor, but execute on the Z. makes editing text files fun and is best used with a usb flash disk with putty and an X server on it, meaning you can do stuff on your work pc knowing that the progs are on the Z (security) or that the data is on your Z (portability). it also means you then get cross platform compatibility as you then have an X server for nearly every OS on the market (macos, unix and clones, windows)
might tell you about the "reverse ssh" that I suggested elsewhere to bypass a firewall, basically it's a good use of port forwarding.
you connect the port on a machine A (the Z for eg) that connects to ssh (127.0.0.1:22) to a port on a remote machine (eg 2222), you then ssh into port 2222 on the proxy machine (C) from your PC (B). this will mean that you have just ssh'd into the Z (ssh from B to C, then wrap it in another ssh session and onto A)
note that that's cpu intensive as it does 2 ssh sessions. B (your laptop) and C (the proxy) will only do one but A (the Z) will have to do 2 of them. this can kill a Z if transferring files but is fine for ssh work. not sure about X as I never did any bandwidth testing on it, but pretend it's an 8mbit link (overhead) with near lan latency (near lan because ssh adds latency, even more so when overloaded)
-
wow, you wrote half an essay
-
OK, I have this set up, but I want my server to block all SSH requests except from those in the authorized_keys file. I searched, but I can't figure out how to do it. Could somebody help here as well?
Oh, and thanks for the essay! It was very helpful.
-
OK, I have this set up, but I want my server to block all SSH requests except from those in the authorized_keys file. I searched, but I can't figure out how to do it. Could somebody help here as well?
have a look in your sshd_config file and turn off password encryption like this: PasswordAuthentication no
you probably also want PermitEmptyPasswords no
-
that looks about right but my config has:
UsePAM yes
ChallengeResponseAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
the challenge response has to do with PAM password authentication, whereas I am using PAM for the session and accounting rather than session, accounting and password.
basically it means you can use the pam rlimits, sourcing a file, login between certain times stuff. the good stuff of pam that doesn't deal with passwords (and that many people don't realise it does)
-
It's now working, my Ubuntu box will block all computers except my Z, and I don't need a password for that.
Thanks for your help!
-
don't know if you have your ubuntu box connected to the net, but mine gets about 100 attempts to log in via ssh, the usual suspects: root, nobody, mail, ftp, http and such, all with no password.
so as you can see it can be a good idea to just use keys, as it means if I did accidentally not put a password on an account and you could log in locally with it, it wouldn't allow ssh to let you in as there is no authorized keys file for that account
security always pays off in the end
-
Since I trust iptables firewalling more than I trust the ssh daemon, I don't allow anything to connect to ssh from the world, and then I use "port knocking" to open a hole in the firewall for the IP I am knocking from... I can then connect over ssh and secure-imap.
That means in order to break in there must be a failure in iptables and also sshd.
See my website http://www.zaurus.org.uk/portknocking.html for details
get the download for my fixed "barricade" ping-knocking s/w at http://www.zaurus.org.uk/download/barricade-1.0.0-PADM.tar.gz
-
don't know if you have your ubuntu box connected to the net, but mine gets about 100 attempts to log in via ssh, the usual suspects: root, nobody, mail, ftp, http and such, all with no password.
How do you tell how many times somebody tried to login with SSH?
-
How do you tell how many times somebody tried to login with SSH?
hmm, let me look at my firewall log, this file active since Jan 30 @21:01
# cd /var/log
# grep EXT-Drop firewall | grep DPT=22 | wc -l
113
so, about five or six times a day someone's probed my sshd (!)
for the same 21 day period I've had 15253 drops logged.
-
One thing worth adding to /etc/ssh/sshd_config is
AllowUsers sometrusteduser
This will allow only sometrusteduser to login.
-
One thing worth adding to /etc/ssh/sshd_config is
AllowUsers sometrusteduser
This will allow only sometrusteduser to login.
also consider running sshd on a different port, e.g. 222, as this cuts down the number of attempted probes very significantly.
on the Z you have to change inetd.conf, as (cacko at least) doesn't run sshd as a daemon but only via inetd.
-
Hi speculatix, in
See my website http://www.zaurus.org.uk/portknocking.html for details
you mention that
The advantage of using ping is that its much easier to set up the client - nearly every linux x86 PC has the required software already installed. For the Zaurus (Cacko at least) and Windows, the standard ping program doesn't work because they don't support the required options to insert a character string password into the ping datagram; however, just install hping2 on the Zaurus and it works. It also means that if you're using a guest computer, there's a good chance you can run ping!
which doesn't make sense to me: if you need hping2 as a client, because normal ping doesn't work, you cannot use ping on a guest computer
Nice web, btw
-
you mention that
The advantage of using ping is that its much easier to set up the client - nearly every linux
...
which doesn't make sense to me: if you need hping2 as a client, because normal ping doesn't work, you cannot use ping on a guest computer
Nice web, btw
yeah, reading it now it's not 100% clear, I will clarify, thanks for that. I could say "surely all your friends' computers will be running linux by now"
thanks for +ve feedback.
-
I don't believe that running ssh on a different port is worth the hassle; at the moment I am only getting ssh logins with no password attempts, I have max attempts set to 3. if I was really paranoid (basically I don't have the time at the moment) I would set up denyhosts, but I have a feeling my public key login with 2048 bit keys should stand up to a bit of punishment
allow root logins = no of course
-
And for the real paranoid, like me:
I have an SMS modem attached, so when receiving an SMS with a special SMS content then ssh is activated for a certain period and, if no one logs in, it deactivates itself again.
Of course, all other measures also apply: public keys only with passphrase-enabled keys, no root, ...
I'm able to ssh into my servers using the Z and a nokia E61 (3G with qwerty keyboard), using the symbian putty, which makes it very nice!
-
I don't believe that running ssh on a different port is worth the hassle; at the moment I am only
well, it's a pretty trivial change to sshd_config, and you only need to add "-p" to the ssh command when connecting. Most importantly, there are occasional vulnerabilities found in openssl, libz and openssh, so although it's security by obscurity it can help, but should not be relied upon.
And for the real paranoid, like me:
I have an SMS modem attached, so when receiving an SMS with a special SMS content then ssh is activated for a certain period and, if no one logs in, it deactivates itself again.
that's a neat idea!
I notice noone seems to be running a VPN server. We have one at work, and all the "suits" use it for access to outlook/exchange, and all the techies use an ssh jump box with key-only auth. Speaks volumes
-
actually I have a commercial sms sender (basically a mobile phone in a box with a serial cable attached) that I could put to good use
sms every time someone logs in
actually I signed up for that paypal key program and looked into hacking it so I could use the OTP it generates as an additional requirement (ie usb flash disk with ssh keys and otp needed to log in) but even though the crypto stuff is documented it cannot be used without paypal's secret key (which they won't give up) and the timer value (hard to guess)
basically it's sha1 used as an hmac, then ascii encoded and stripped of digits at the front and back to give you a 6 digit number
it's a shame as it would then make a cheap otp device
-
well, I said I would write some more stuff so here it is
create a file called config in your .ssh folder in your /home dir and put the following in it
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression yes
Ciphers aes256-cbc,blowfish-cbc
what this does (if you didn't work it out already) is set up the global options for every ssh connection (ie everything that has a hostname that matches *, see Host *). if you want to create a config for a specific machine you connect to, copy and paste this code again but rewrite the "Host *" line to "Host <yourhost addr>"; this can be handy to separate local and remote connections
a good example of this is
host 192.168.*
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
# note turning off compression for local comms
Compression no
Ciphers aes256-cbc,blowfish-cbc
# for connecting to the Z, no compression (kills cpu) and a less cpu intensive algorithm, great for usbnet, in fact for that you could use almost no encryption
# perhaps it's better to specify an ip address here, either way you will have to change it to whatever your Z uses
host zaurus
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression no
Ciphers aes128-cbc,blowfish-cbc
there is some more info in "man ssh_config"
anyway, back to the topic. ControlMaster is what allows resharing of an existing ssh connection; if you typed in a password and didn't set up public keys then this will automatically reuse an existing connection so you don't have to retype the password. ssh was designed to tunnel more than one connection over the one link, it's how the shell and port forwarding are implemented at the same time
so now that we have the reusable connections being built and torn down on demand (the "auto" option), the next line is to tell ssh where to look for the connections. I believe it defaults to /tmp but I put it in my .ssh folder as I know its permissions are secure (only I can read and write) so I don't have to worry about permissions. may have problems with nfs but YMMV
I think Compression yes explains itself, requests compression if the server supports it
and finally it's tightening of the ciphers used by ssh. these are universal algorithms that every modern kernel ships with; I believe that if you had problems it would be with a commercial ssh server that doesn't implement the cipher or a windows ssh server (I am not sure what cipher spec they support)
for those interested, here is the default cipher spec in order of preference (left to right)
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr"
note the 3des and other lower security settings.
basically it's free security by turning on the harder to crack ciphers
that's all for today, next time it will be port forwarding with ssh and if I get it working "poor man's vpn: what to do with ssh and tap/tun or PPP"
if I ever get the server up I will show you how to set up openvpn as well
-
hmm, sorry to spam but how interested is anyone in a hosted openvpn solution that's maintenance free (ssl certs and everything handled by someone else)? you get your own private subnet to connect a few devices together from anywhere on the net and quite possibly a dns subdomain so you don't have to remember ip addresses to connect back to home
I have been thinking about it for a while and now have most of the infrastructure in place to offer it. bulk transfers are not allowed, ie don't use it to pull down a DVD from your house to your pda, but ssh, getting files and email from home in a secure manner or cvs would be fine
if you want bulk transfers that's what the dns subdomain is for, just point it back to your house (dynamic ip OK) and transfer without going through me
-
Hi,
I've been looking for a free encrypted proxy, so when connected over open wifi I would always like to have all my connections go to the proxy encrypted, avoiding at least kismet sniffing.
The idea would be:
zaurus-wifi <-> secure tunnel for http, pop3, ssh <-> secure proxy <-> plain http pop3 ssh <-> server http, pop3, ssh
Would that fit into your scheme? What needs to be running on the Z ?
-
All the software needed for SSHing comes installed with pdaXrom, I don't know about proxys.
-
Hi,
I've been looking for a free encrypted proxy, so when connected over open wifi I would always like to have all my connections go to the proxy encrypted, avoiding at least kismet sniffing.
The idea would be:
zaurus-wifi <-> secure tunnel for http, pop3, ssh <-> secure proxy <-> plain http pop3 ssh <-> server http, pop3, ssh
Would that fit into your scheme? What needs to be running on the Z ?
tunnel ports using ssh thus...
zaurus$ ssh -L80:mypc:80 -L 110:mypc:110 -L 8080:mypc:8080 mypc
the -L means listen on local port. then you can see your home PC website on http://127.0.0.1, its pop3 server on 127.0.0.1:110, and set your proxy to be http://127.0.0.1:8080 (assuming your pc runs a proxy on 8080!)
it'd be more efficient to use pop3-ssl if you can. I have imap-ssl running at home, so I can do my email from anywhere.
HTH
Paul
-
well i said i would write some more stuff so here it is
create a file called config in your .ssh folder in your /home dir and put the following in it
Host *
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
Compression yes
Ciphers aes256-cbc,blowfish-cbc
another useful addition to your $HOME/.ssh/config file:
Host zaurus
User zaurus
to automatically connect to your Z as user zaurus and not your current username, saves having to type "ssh zaurus@myzaurus".
-
it would be openvpn, so you would need an openvpn client; it's an ssl based vpn so you would see another interface (tap0) with an ip and a routing table
if you want all comms to go over it you would have to change the default route to the vpn connection
I'll reveal more details later, basically I have a server with bandwidth and I am not going to be using all of it so I thought that someone here might like some resources
that hosts trick is a neat idea, there are a couple of machines I need to try that on
-
Ok, today's tutorial is for advanced cyber elite hacker ninja monkey admins. what is it?
well, this should show you how to store your ssh server's host key in its dns record so that ssh can automatically verify the authenticity of the machine. not so useful after the initial connection (where you type yes) but it's handy if you use machines that don't have your server's fingerprint a lot (eg tech support guys, contractor, student)
since this is a 10 minute hack it's worth it (10 minutes for you, I spent half a day getting it to work) so I thought I would pass on my knowledge to you. note that you can also put your pgp keys in your dns record and have openpgp pull them from dns rather than a keyserver, eg peter.yourdomain.com with your pgp public key would be the key for the email address peter@yourdomain.com
anyway, onto the howto
prerequisites:
A dns server that you control the zone files on (the godaddy interface doesn't count, you really need to run your own dns server or be able to hack the zone files by hand)
ideally the dns server on a different machine and ip to the ssh server (it's a trust/hack thing)
anyway, locate the ssh server you wish to publish the keys for, I'll use my zone files to show off
for bind less than 9.3
pocketnix.org. A 203.12.2.248
TYPE44 \# 22 ( 02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5 )
TYPE44 \# 22 ( 0101950f1a8aa5162e0235be3c3e7bfbad5445d3f508 )
for bind equal to or greater than 9.3
pocketnix.org. A 203.12.2.248
pocketnix.org SSHFP 1 1 950f1a8aa5162e0235be3c3e7bfbad5445d3f508
pocketnix.org SSHFP 2 1 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
the reason for the differing code is that the older bind doesn't have direct support for it (record type 44) but you can hack it to work by entering the packet type, then the raw payload in hex, which is mostly autogenerated; I only had to add 2 0's
the program to generate the keys, or more accurately format the existing keys into dns records, is ssh-keygen -r <hostname>
first go to /etc/ssh, then enter ssh-keygen -r <hostname> where hostname matches the dns name of the PC; when prompted for a keyfile enter ssh_host_dsa_key.pub
and repeat for the rsa key (ssh_host_rsa_key.pub). this should have spat out a line of code that looks like the second example I gave; if you use bind >=9.3 then copy it to the zone file in the line below the host's A record
if you are using the older bind then it needs a bit of massaging, see the following steps
pocketnix.org IN SSHFP 2 1 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
remove "pocketnix.org IN SSHFP" so it becomes
2 1 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
add a 0 to the 2 and the one at the beginning (or both 1s for the rsa key)
02 01 3f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
remove spaces
02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5
wrap in brackets with spaces
( 02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5 )
add TYPE44 \# 22 to the front
TYPE44 \# 22 ( 02013f4bd588c6146610bc2c3d70e6adc6de2bad8fa5 )
and finally add it underneath the host's A record. the reason for adding it underneath the host's A record is because we did not specify the host the key belongs to; by placing it under the A record it uses the last A record to work out who it belongs to
hope this helped, it's not your standard feature but for some people it adds a bit of security.
when you now login to the server for the first time it will say
The authenticity of host 'lookout.pocketnix.org (203.12.2.248)' can't be established.
RSA key fingerprint is e5:ec:ae:56:a0:75:56:b0:c2:07:d8:1d:d0:89:fd:d8.
Matching host key fingerprint found in DNS.
Are you sure you want to continue connecting (yes/no)?
see the "matching host key fingerprint found in DNS" bit? it comes in handy if you don't want to remember the fingerprints of every host
I also added this to my .ssh/config file
VerifyHostKeyDNS yes
this makes ssh check the dns entry by default, otherwise you have to do ssh -o "VerifyHostKeyDNS yes" <hostname> to get it to verify the keys (I suppose I should mention that at an earlier point)
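An added example (not from the thread or from OpenSSH) that reproduces the two record shapes in the post above: it computes the SHA-1 SSHFP fingerprint of an OpenSSH host public key the way ssh-keygen -r does, emits both the BIND >= 9.3 SSHFP line and the older TYPE44 generic form, and checks a key against a published record the way VerifyHostKeyDNS would. The ssh-rsa key blob is constructed from throwaway numbers so it runs offline; it is not a real host key.

```python
# Added example, not part of the original post. Builds SSHFP (RFC 4255) zone
# records from an OpenSSH public key line, including the pre-BIND-9.3
# "TYPE44 \# 22 ( ... )" generic form, and verifies a key against a record.
import base64
import hashlib
import struct

# RFC 4255 algorithm numbers for the host key types OpenSSH shipped at the time.
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2}
SSHFP_FPTYPE_SHA1 = 1


def parse_pubkey_line(line):
    """Split an ssh_host_*_key.pub line into (key_type, raw_blob).

    The blob starts with an SSH string naming the key type; it must agree
    with the text field, otherwise the line was mangled or edited.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1])
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match text field")
    return key_type, blob


def sshfp_digest(pubkey_line):
    """Return (algorithm_number, sha1_hex) for an OpenSSH public key line."""
    key_type, blob = parse_pubkey_line(pubkey_line)
    # The SSHFP fingerprint is SHA-1 over the raw (base64-decoded) key blob.
    return SSHFP_ALGORITHMS[key_type], hashlib.sha1(blob).hexdigest()


def sshfp_record(owner, pubkey_line):
    """Zone line for BIND >= 9.3: '<owner> IN SSHFP <alg> <fptype> <hex>'."""
    alg, digest = sshfp_digest(pubkey_line)
    return "%s IN SSHFP %d %d %s" % (owner, alg, SSHFP_FPTYPE_SHA1, digest)


def legacy_type44_record(alg, fptype, digest_hex):
    """RFC 3597 generic form for name servers without SSHFP support.

    RDATA is one byte of algorithm, one byte of fingerprint type, then the
    raw fingerprint: 2 + 20 = 22 bytes for SHA-1. Each one-byte field becomes
    two hex digits, which is the "add a 0" step the post does by hand.
    """
    rdata_hex = "%02x%02x%s" % (alg, fptype, digest_hex.lower())
    return "TYPE44 \\# %d ( %s )" % (len(rdata_hex) // 2, rdata_hex)


def matches_sshfp(pubkey_line, rdata_text):
    """Emulate VerifyHostKeyDNS: does '<alg> <fptype> <hex>' match the key?"""
    alg, fptype, digest_hex = rdata_text.split()
    key_alg, key_digest = sshfp_digest(pubkey_line)
    return (int(alg) == key_alg and int(fptype) == SSHFP_FPTYPE_SHA1
            and digest_hex.lower() == key_digest)


def _ssh_string(data):
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    # Positive multi-precision integer: big-endian, leading 0x00 if the high bit is set.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def constructed_rsa_pubkey_line():
    """A syntactically valid ssh-rsa line built from dummy numbers (constructed, not a real key)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint(0xC0FFEE1234567890)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " constructed@example"


if __name__ == "__main__":
    line = constructed_rsa_pubkey_line()
    alg, digest = sshfp_digest(line)
    print(sshfp_record("host.example.org.", line))
    print(legacy_type44_record(alg, SSHFP_FPTYPE_SHA1, digest))
```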
-
sorry to spam but I might change my ssh port address after all
dablitz@lookout:/var/log$ sudo cat auth.log | grep Illegal | head -n 1
Feb 20 16:20:53 xen610106 sshd[5908]: Illegal user router from 89.149.213.99
dablitz@lookout:/var/log$ sudo cat auth.log | grep Illegal | tail -n 1
Feb 24 22:36:17 lookout sshd[20078]: Illegal user gnax from 208.6.86.172
dablitz@lookout:/var/log$ sudo cat auth.log | grep Illegal | wc -l
8749
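An added example (not from the thread) that does what the grep/head/tail/wc session above does, but per source address and per attempted user name, and flags sources that exceed a per-source threshold of the kind a denyhosts-style tool would act on. The log lines are constructed samples in the "Illegal user" syslog format shown above; the addresses, host name and threshold are assumptions, not values from the thread.

```python
# Added example, not part of the original post: summarise sshd "Illegal user"
# lines from auth.log by source and by user name. Sample lines are constructed.
import re
from collections import Counter
from datetime import datetime

# Syslog line as sshd of that era wrote it:
# "<Mon DD HH:MM:SS> <host> sshd[<pid>]: Illegal user <name> from <ip>"
ILLEGAL_USER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Illegal user (?P<user>\S+) from (?P<src>\S+)$"
)

# Constructed sample log; 192.0.2.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Feb 20 16:20:53 server sshd[5908]: Illegal user router from 192.0.2.10
Feb 20 16:20:55 server sshd[5910]: Illegal user admin from 192.0.2.10
Feb 20 16:20:58 server sshd[5912]: Illegal user test from 192.0.2.10
Feb 20 16:21:02 server sshd[5914]: Illegal user oracle from 192.0.2.10
Feb 21 03:10:11 server sshd[6101]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
Feb 22 09:45:00 server sshd[7003]: Illegal user admin from 203.0.113.5
Feb 24 22:36:17 server sshd[20078]: Illegal user gnax from 203.0.113.9
"""


def parse_illegal_users(log_text, year=2007):
    """Yield (timestamp, user, source) for every 'Illegal user' line.

    Non-matching lines (accepted logins, other daemons) are skipped. Syslog
    omits the year, so the caller supplies it.
    """
    for line in log_text.splitlines():
        m = ILLEGAL_USER_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        yield ts, m.group("user"), m.group("src")


def summarise(log_text, year=2007):
    """Counts per source and per attempted user name, plus the time span covered."""
    events = list(parse_illegal_users(log_text, year))
    by_source = Counter(src for _, _, src in events)
    by_user = Counter(user for _, user, _ in events)
    first = min(ts for ts, _, _ in events) if events else None
    last = max(ts for ts, _, _ in events) if events else None
    return {"total": len(events), "by_source": by_source, "by_user": by_user,
            "first": first, "last": last}


def sources_over_limit(log_text, max_attempts=3, year=2007):
    """Sources with more than max_attempts illegal-user attempts (threshold assumed)."""
    counts = summarise(log_text, year)["by_source"]
    return sorted(src for src, n in counts.items() if n > max_attempts)


if __name__ == "__main__":
    s = summarise(SAMPLE_AUTH_LOG)
    print("%d illegal-user attempts between %s and %s" % (s["total"], s["first"], s["last"]))
    for src, n in s["by_source"].most_common():
        print("  %-15s %d" % (src, n))
    print("over limit:", sources_over_limit(SAMPLE_AUTH_LOG))
```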
-
I think that what is most important is to have your ssh port down, or act as being down when not in use, so you escape from all those internet scanners.
You can do that by either moving to another port, installing port-knocking, and/or any other measure that hides your IP as much as possible from those scanners. Once you are on the list, you'll always have probes for new user/passwords or exploits as new versions come along, to check that you have upgraded.
My 0.02: avoid being included in the list of internet servers running ssh, even though all other ssh settings must still be properly set up.
-
I think that what is most important is to have your ssh port down, or act as being down when not in use, so you escape from all those internet scanners.
Note: being "down" means dropping the request, not rejecting; rejecting will imply to a hacker that there is something there but protected, as they will get a response to their probe. Dropping means there'll be no response at all, so it will require them to sit and wait for a timeout, and it is much harder to "fingerprint" the host.
-
I have been fiddling with my config file to auto-connect to a different port based on the host, and it seems to work well. Next is to set up a port-knock approach; anyone know how to get ssh to automate this, or do I have to manually launch it every time I want to ssh in?
-
I have been fiddling with my config file to auto-connect to a different port based on the host, and it seems to work well. Next is to set up a port-knock approach; anyone know how to get ssh to automate this, or do I have to manually launch it every time I want to ssh in?
In your system firewall scripts, e.g. /etc/init.d/firewall, DON'T permit ssh from everywhere, only from places you can always trust; simply DROP all ssh incoming, e.g.
iptables -A INPUT -s 0/0 -p tcp --dport 22 -j LOG --log-prefix=" drop all ssh inbound"
iptables -A INPUT -s 0/0 -j DROP
In the download tar.gz there are scripts for opening up ssh when the appropriate ping is received; basically it looks like this:
iptables -I INPUT -s $PINGORIGIN -p tcp --dport 22 -j ACCEPT
and when the daemon times out the connection:
iptables -D INPUT -s $PINGORIGIN -p tcp --dport 22 -j ACCEPT
You can add what you want to this script, e.g. to allow in http, proxy, imap-ssl or pop3-ssl. NOTE! This doesn't provide connectivity security; it's not a VPN (OK, you know this, but I wanted to remind you), so you still need to guard against someone on the local LAN (especially wireless) sniffing for passwords and cookies!
The daemon writes to syslog too, so you can see what's going on.
-
P.S. You also need to add the barricade startup script to /etc/init.d and put links in /etc/rc3.d and /etc/rc5.d.
P.P.S. I would do an rpm, but it's not really my package; I simply fixed up an existing program, and also it's really a one-off thing you'd set up, and to be useful it requires so much customisation it'd be hard work to make an all-encompassing feature set!
-
No rpm is fine, as it's a Debian server; however, I was thinking more along the lines of the port knocker program that requires a port combination to unlock and update the firewall for your host only.
-
No rpm is fine, as it's a Debian server; however, I was thinking more along the lines of the port knocker program that requires a port combination to unlock and update the firewall for your host only.
You could adapt that program to listen on a range of TCP ports; or just google for port knocking and download one of the other solutions and build it.
-
I'm having issues again. I have been copying the id_dsa and id_dsa.pub files over each time I reflash my Z, but all of a sudden it didn't work. I figured I'd just generate new keys, so I did. I copied the new id_dsa.pub file over to /home/user/.ssh/authorized_keys on my server and restarted sshd. I now try to log in and it says "Permission denied (publickey)". I have id_dsa in /home/root/.ssh (I run as root). What is the issue? Before I would get a password prompt, but now it doesn't seem to recognize that the id_dsa file exists.
-
Check that the home directory and the .ssh directory are only writable by the person who should own them, i.e. no group+other write.
I always do "chmod -R go= .ssh" when I've set things up.
-
No joy. I have it set so I have read, write, and execute, and group and other have only read on my Z, and the same except no read for group/other on the host. The same thing happens.
Any other ideas?
-
No joy. I have it set so I have read, write, and execute, and group and other have only read on my Z, and the same except no read for group/other on the host. The same thing happens.
The files inside ~/.ssh need to be rw for the user and nothing for group and other.
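The permission rules from the last two replies ("chmod -R go= .ssh"; files rw for the user and nothing for group and other) as an added example, not code from the thread: one function enforces them, the other reports what sshd's StrictModes check would reject. Both take a home directory path as an argument, which is an assumption of this example so they can be pointed at any account or at a scratch directory.

```shell
#!/bin/sh
# Added example, not code from the thread: enforce and verify the ~/.ssh
# permissions sshd's StrictModes check expects. The home directory is passed
# as $1 (an assumption of this example) so the functions work on any account.

# Enforce: the .ssh directory and everything in it lose all group/other bits,
# i.e. directory 700 and files 600 (the thread's "chmod -R go= .ssh").
fix_ssh_perms() {
    chmod -R go= "$1/.ssh"
}

# Report problems, one per line; return 1 if any were found, 0 if clean.
# Checked: home and ~/.ssh not writable by group/other (sshd ignores keys
# under a writable home), and every file in ~/.ssh private to its owner.
# ls -l output is parsed so this works without GNU stat/find extensions.
check_ssh_perms() {
    home="$1"
    dir="$home/.ssh"
    bad=0
    for d in "$home" "$dir"; do
        [ -d "$d" ] || { echo "missing directory: $d"; bad=1; continue; }
        # positions 6 and 9 of the mode string are the group and other w bits
        case "$(ls -ld "$d" | cut -c1-10)" in
            ?????w????|????????w?) echo "group/other writable: $d"; bad=1 ;;
        esac
    done
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # positions 5-10 are the group and other rwx bits; all must be off
        case "$(ls -l "$f" | cut -c5-10)" in
            ------) ;;
            *) echo "not private to owner: $f"; bad=1 ;;
        esac
    done
    return "$bad"
}
```

Run check_ssh_perms on the server for the account you log in as; "Permission denied (publickey)" with a correct authorized_keys is very often one of the lines it prints. Note the file check follows the thread's rule strictly: it also flags a world-readable known_hosts or .pub file, which sshd itself would not mind.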
-
Still nothing.
I'm supposed to get a prompt for the password of id_dsa whether it is being used or not, correct?
-
Use "ssh -v" and it should give you a hint. Look at "dmesg | tail" or "tail /var/log/messages" or "tail /var/log/auth*" on the "receiving" machine.
-
I don't see anything related to accepting or dropping a request.
I'm thinking it's an issue on the Z (client) end, as I'm using the same sshd_config that I was using and that worked.
Any other ideas?
Thanks for your help.
EDIT: I've been using the command
ssh -p xxx xxx.xxx.xxx.xxx
where xxx and xxx.xxx.xxx.xxx are replaced by the port and the host IP respectively.
-
EDIT: I've been using the command
ssh -p xxx xxx.xxx.xxx.xxx
Could you tell us what exactly you're trying to do? AFAICT you're trying to setup an automated ssh login (using keys), in which case the command you need is something like:
ssh -i ~/.ssh/some.key user@example.com
-
I am trying to get my setup back to the point where I have my Ubuntu server blocking all requests to ssh in except from the holder of the correct id_dsa file (my Z). I had it setup in this way and was using it to copy files between the server and my Z, but after reflashing my Z I can't get it to work again.
Basically, I'm trying to set up a secure ssh connection between my Z and an Ubuntu box using dsa keys for authentication.
Anything else you need to know?
-
don't see anything related to accepting or dropping a request.
firewall?
-
Considering I haven't set up a firewall, I don't think so. It worked last time (same setup) without tweaking any firewall options.
-
Well, I just tried it again (after reflashing numerous times in between), and it worked. I also changed the location of the authorized_keys folder on the server to /root/.ssh/, so that may have helped.
-
I also changed the location of the authorized_keys folder on the server to /root/.ssh/, so that may have helped.
If you are logging in as root on the server then yes I think it would have helped. May I ask where was it before you moved it?
-
I also changed the location of the authorized_keys folder on the server to /root/.ssh/, so that may have helped.
If you are logging in as root on the server then yes I think it would have helped. May I ask where was it before you moved it?
It was in my normal user's home dir (/home/USERNAME/.ssh/).
-
Wait, you weren't trying to ssh in as root@z with your authorised keys in your $HOME/.ssh/authorised_keys, were you?
Putting your key in the authorised_keys file in your home dir only allows you to log in as that user.
-
Wait, you weren't trying to ssh in as root@z with your authorised keys in your $HOME/.ssh/authorised_keys, were you?
Putting your key in the authorised_keys file in your home dir only allows you to log in as that user.
I guess I figured that out the hard way...
-
Don't worry, I do that every second week when I log into a machine that I haven't uploaded my .ssh/config file to (and the usernames are different).
-
Everything is working really well, but I now want more security, meaning I want to set up a firewall/port knocking on my server, starting with the firewall. Are there any good tutorials for this, or can somebody provide one?
Thanks.
-
Everything is working really well, but I now want more security, meaning I want to set up a firewall/port knocking on my server, starting with the firewall. Are there any good tutorials for this, or can somebody provide one?
Thanks.
If possible use iptables to permit ssh only from IPs you trust all the time, and use port knocking if you log in from other places - see my website for port knocking.
General advice is to use 2048-bit ssh keys ("ssh-keygen -t rsa -b 2048"), ensure sshd_config on the machine doesn't allow root ("PermitRoot no" or something), and disable plain text/interactive logins to force pre-shared keys only.
Ensure .ssh directories and files therein have no group/other access.
Cacko has stateful inspection modules too, so search the forum for iptables for useful scripts.
-
Everything is working really well, but I now want more security, meaning I want to set up a firewall/port knocking on my server, starting with the firewall. Are there any good tutorials for this, or can somebody provide one?
Thanks.
If possible use iptables to permit ssh only from IPs you trust all the time, and use port knocking if you log in from other places - see my website for port knocking.
General advice is to use 2048-bit ssh keys ("ssh-keygen -t rsa -b 2048"), ensure sshd_config on the machine doesn't allow root ("PermitRoot no" or something), and disable plain text/interactive logins to force pre-shared keys only.
Ensure .ssh directories and files therein have no group/other access.
Cacko has stateful inspection modules too, so search the forum for iptables for useful scripts.
I had ruled out only accepting from certain IP addresses, as they change on me occasionally, but I CAN set static IP addresses.
And about the iptables thing... I believe I need a total n00b guide, as I have NO clue how to use it. Do you know of any good guides? Or is it easy enough for you to just write one up here?
Thanks for your help.
-
And about the IPTables thing...I believe I need a total n00b guide, as I have NO clue how to use it. Do you know of any good guides? Or is it easy enough for you to just write one up here?
Thanks for your help.
Well, there are many, many tutorials and basic examples of firewall scripts using iptables, so I would say "JGI" or just google it.
-
And about the IPTables thing...I believe I need a total n00b guide, as I have NO clue how to use it. Do you know of any good guides? Or is it easy enough for you to just write one up here?
Thanks for your help.
Well, there are many, many tutorials and basic examples of firewall scripts using iptables, so I would say "JGI" or just google it.
I've looked some, but they seem confusing. I'm truly a n00b in this area, so any pointers would be much appreciated.
-
I've looked some, but they seem confusing. I'm truly a n00b in this area, so any pointers would be much appreciated.
Shorewall is a very good, easy[1] to set up firewall builder. It has extensive, well-written documentation.
http://www.shorewall.net
[1] Although the latest versions seem to be getting a bit more complicated because of all the new features being added.
-
The netfilter site, home to iptables, is pretty good.
The snag is there's so much documentation, it's knowing where to start, so try here:
http://www.netfilter.org/documentation/index.html#documentation-howto
The main page of docs is here:
http://www.netfilter.org/documentation/index.html#documentation-howto
Just search the page for "English"!
The key thing with the filter is to stop inbound and forwarded traffic, but you can allow IP packets related to existing connections; this is easy with TCP, but for UDP the network stack needs to observe activity and remember its own "state".
Thus the minimal firewall for the Zaurus would be:
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT
iptables -A INPUT -m state --state established,related -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT
This basically says we don't forward, we allow everything OUT, and we only allow existing connections and new ssh IN. The command "iptables -A" means append a rule; FORWARD, OUTPUT and INPUT say to which filter we append; the rest is guessable.
HTH
Paul
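Paul's five rules above, together with the insert/delete pair from the earlier port-knock post, as an added shell script (not the thread's own scripts or the barricade download). The IPT variable, the print_rule dry-run function and the valid_ipv4 check are additions of this example; the rule lines themselves are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: the minimal Zaurus firewall from
# the post above as a script, plus the "open ssh for one address / close it
# again" rules from the earlier port-knock post. IPT names the iptables
# binary; IPT=print_rule prints the rules instead of applying them, which is
# how the script can be dry-run on a machine without iptables.
IPT="${IPT:-iptables}"

# Dry-run backend: print the rule that would have been passed to iptables.
print_rule() {
    printf '%s\n' "$*"
}

# Accept only digits and dots with no empty label; this keeps extra words
# or shell syntax out of a rule built from a knock daemon's input. It does
# not range-check the octets.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# Baseline from the thread: no forwarding, everything out, only
# established/related traffic and new ssh in, reject the rest. Pass a
# trusted address to limit new ssh to that source (the earlier advice);
# use DROP instead of REJECT as the catch-all if you want probes to get
# no answer at all, as the thread discusses.
apply_minimal_firewall() {
    trusted="${1:-}"
    $IPT -A FORWARD -j DROP
    $IPT -A OUTPUT -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    if [ -n "$trusted" ]; then
        valid_ipv4 "$trusted" || { echo "bad address: $trusted" >&2; return 1; }
        $IPT -A INPUT -s "$trusted" -p tcp --dport 22 -j ACCEPT
    else
        $IPT -A INPUT -p tcp --dport 22 -j ACCEPT
    fi
    $IPT -A INPUT -j REJECT
}

# Temporarily admit ssh from one address. -I puts the rule at the top of
# INPUT so it is consulted before the catch-all; a knock daemon would call
# this when a valid knock arrives.
open_ssh_for() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    $IPT -I INPUT -s "$1" -p tcp --dport 22 -j ACCEPT
}

# Remove exactly the rule added by open_ssh_for when the window expires.
close_ssh_for() {
    valid_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    $IPT -D INPUT -s "$1" -p tcp --dport 22 -j ACCEPT
}

# Command-line use: sh firewall.sh apply [trusted-ip] | open <ip> | close <ip>
case "${1:-}" in
    apply) apply_minimal_firewall "${2:-}" ;;
    open)  open_ssh_for "${2:-}" ;;
    close) close_ssh_for "${2:-}" ;;
esac
```

Run it as "IPT=print_rule sh firewall.sh apply" first to see the rules, then as root without IPT set to apply them; the apply function appends, so flush the chains (iptables -F) before re-running it or the rules accumulate.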