Author Topic: Best Way To Transfer Files To The Z Over A Network  (Read 89028 times)

speculatrix

« Reply #45 on: February 25, 2007, 05:53:16 pm »
Quote
I think that what is most important is to have your ssh port down, or act as being down when not in use, so you escape from all those internet scanners.

Note: being "down" means dropping the request, not rejecting it. Rejecting will imply to a hacker that there is something there but protected, as they will get a response to their probe. Dropping means there'll be no response at all, so it will require them to sit and wait for a timeout, and it's much harder to "fingerprint" the host.
Gemini 4G/Wi-Fi owner, formerly zaurus C3100 and 860 owner; also owner of an HTC Doubleshot, a Zaurus-like phone.

Da_Blitz

« Reply #46 on: March 04, 2007, 08:52:44 pm »
I have been fiddling with my config file to auto connect to a different port based on the host and it seems to work well. Next is to set up a port knock approach; anyone know how to get ssh to automate this, or do I have to manually launch it every time I want to ssh in?

Gemini Order: #95 (roughly)
Current Device: Samsung Chromebook Gen 3
Current Arm Devices Count: ~30
Looking to acquire: Cavium Thunder X2 Hardware

speculatrix

« Reply #47 on: March 05, 2007, 05:12:51 am »
Quote
I have been fiddling with my config file to auto connect to a different port based on the host and it seems to work well. Next is to set up a port knock approach; anyone know how to get ssh to automate this, or do I have to manually launch it every time I want to ssh in?

in your system firewall scripts, e.g. /etc/init.d/firewall, DON'T permit ssh from everywhere, only from places you can always trust; simply DROP all ssh incoming... e.g.

    # log inbound ssh attempts
    iptables -A INPUT -s 0/0 -p tcp --dport 22 -j LOG --log-prefix=" drop all ssh inbound"
    # no protocol/port match here: drops all inbound traffic that no earlier rule accepted, ssh included
    iptables -A INPUT -s 0/0 -j DROP

in the download tar.gz, there are scripts for opening up ssh when the appropriate ping is received; basically it looks like this

    iptables -I INPUT -s "$PINGORIGIN" -p tcp --dport 22 -j ACCEPT

when the daemon times out the connection

    iptables -D INPUT -s "$PINGORIGIN" -p tcp --dport 22 -j ACCEPT

you can add what you want to this script; e.g. to allow in http, proxy, imap-ssl or pop3-ssl. NOTE! this doesn't provide connectivity security, it's not a VPN (ok, you know this, but I wanted to remind you), so you still need to guard against someone on the local lan (especially wireless) sniffing for passwords and cookies!

the daemon writes to syslog too so you can see what's going on.
Gemini 4G/Wi-Fi owner, formerly zaurus C3100 and 860 owner; also owner of an HTC Doubleshot, a Zaurus-like phone.
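
An added example, not part of the original posts or the barricade package: a small shell filter that summarises what the LOG rule above writes to syslog, counting dropped ssh probes per source address. The log lines are constructed and trimmed, and the names `sample_log` and `ssh_drop_summary` are this example's own.

```shell
#!/bin/sh
# Added example: count dropped ssh probes per source from the LOG rule's
# syslog output. The kernel writes the prefix directly in front of "IN=",
# so the prefix used above appears as "drop all ssh inboundIN=eth0".
PREFIX='drop all ssh inbound'

# Constructed, trimmed sample lines (documentation addresses only).
sample_log() {
    cat <<'EOF'
Mar  5 05:12:51 gw kernel:  drop all ssh inboundIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Mar  5 05:12:54 gw kernel:  drop all ssh inboundIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40112 DPT=22 SYN
Mar  5 05:13:02 gw kernel:  drop all ssh inboundIN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 TTL=47 PROTO=TCP SPT=51730 DPT=22 SYN
Mar  5 05:13:09 gw sshd[812]: Accepted publickey for user from 192.0.2.44 port 50022 ssh2
Mar  5 05:13:10 gw kernel:  drop all ssh inboundIN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=40113 DPT=22 SYN
EOF
}

# Read syslog on stdin; print "count source", busiest source first.
ssh_drop_summary() {
    awk -v prefix="$PREFIX" '
        index($0, prefix) == 0 { next }       # line is not from the LOG rule
        {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src != "" && dpt == "22") hits[src]++
        }
        END { for (s in hits) print hits[s], s }
    ' | sort -k1,1nr -k2,2
}

sample_log | ssh_drop_summary
```

On a real host, feed it the kernel log instead of the sample, e.g. `ssh_drop_summary < /var/log/messages`. Ending the log prefix with a space keeps it from running into `IN=`.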

speculatrix

« Reply #48 on: March 05, 2007, 05:19:47 am »
p.s. you also need to add the barricade startup script to /etc/init.d and put links in /etc/rc3.d and /etc/rc5.d
p.p.s. I would do an rpm but it's not really my package, I simply fixed up an existing program, and also it's really a one-off thing you'd set up, and to be useful requires so much customisation it'd be hard work to make an all-encompassing feature set!

Da_Blitz

« Reply #49 on: March 06, 2007, 03:17:19 am »
No rpm is fine as it's a Debian server; however, I was thinking more along the lines of the port knocker program that requires a port combination to unlock and update the firewall for your host only.

speculatrix

« Reply #50 on: March 06, 2007, 05:33:03 am »
Quote
No rpm is fine as it's a Debian server; however, I was thinking more along the lines of the port knocker program that requires a port combination to unlock and update the firewall for your host only.

you could adapt that program to listen on a range of tcp ports; or, just google for port knocking and download one of the other solutions and build it.

Capn_Fish

« Reply #51 on: March 14, 2007, 06:39:30 pm »
I'm having issues again. I have been copying the id_dsa and id_dsa.pub files over each time I reflash my Z, but all of a sudden, it didn't work. I figured I'd just generate new keys, so I did. I copied the new id_dsa.pub file over to /home/user/.ssh/authorized_keys on my server and restarted sshd. I now try to log in and it says "Permission denied (publickey)". I have id_dsa in /home/root/.ssh (I run as root). What is the issue? Before, I would get a password prompt, but now it doesn't seem to recognize that the id_dsa file exists.
SL-C750- pdaXrom beta 1 (mostly unused)
Current distro: Gentoo

speculatrix

« Reply #52 on: March 14, 2007, 07:22:26 pm »
check that the home directory and the .ssh directory are only writable by the person who should own them, i.e. no group+other write.

I always do "chmod -R go= .ssh" when I've set things up.

Capn_Fish

« Reply #53 on: March 14, 2007, 07:53:31 pm »
No joy. I have it set so I have read, write, and execute and group and other has only read on my Z and same except no read for group/other on the host. The same thing happens.

Any other ideas?

desertrat

« Reply #54 on: March 15, 2007, 01:14:55 am »
Quote
No joy. I have it set so I have read, write, and execute and group and other has only read on my Z and same except no read for group/other on the host. The same thing happens.

The files inside ~/.ssh need to be rw for the user and nothing for group and other.
SL-C3100 / Ambicon WL1100C-CF / pdaXrom 1.1.0beta3 / IceWM
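
The permission checks from the replies above, as an added example that is not part of the original posts: sshd (with StrictModes, its default) skips authorized_keys when the home directory, .ssh or the file itself is group- or other-writable, and the ssh client refuses a private key that group or other can access. The function names and the demo directory are this example's own.

```shell
#!/bin/sh
# Added example: check the permissions that make key logins fail.
# Function names and the demo tree are this example's own.

# Print the path if group or other may write to it.
loose_write() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print
}

# Print the path if group or other have any permission bit set.
group_other_access() {
    find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# $1 is the account's home directory; returns 1 if anything is too open.
check_ssh_perms() {
    home=$1; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(loose_write "$p")" ]; then
            echo "FAIL: $p is group/other writable (chmod go-w)"
            rc=1
        fi
    done
    # Private keys: rw for the owner, nothing for group and other.
    for key in "$home"/.ssh/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac
        if [ -n "$(group_other_access "$key")" ]; then
            echo "FAIL: $key is open to group/other (chmod 600)"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: nothing too open under $home"
    return "$rc"
}

# Constructed demo: a throwaway tree whose .ssh is group-writable.
demo=$(mktemp -d)
mkdir "$demo/.ssh" && chmod 775 "$demo/.ssh"
check_ssh_perms "$demo" || echo "(demo tree flagged as expected)"
rm -rf "$demo"
```

Run it against the home directory on both ends, e.g. `check_ssh_perms /home/user` on the server and `check_ssh_perms /home/root` on the Z. It looks at mode bits only; ownership of the same paths matters to sshd as well.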

Capn_Fish

« Reply #55 on: March 15, 2007, 02:29:17 pm »
Still nothing.

I'm supposed to get a prompt for the password of id_dsa whether it is being used or not, correct?

speculatrix

« Reply #56 on: March 15, 2007, 06:53:07 pm »
use "ssh -v" and it should give you a hint. look at "dmesg | tail" or "tail /var/log/messages" or "tail /var/log/auth*" on the "receiving" machine.

Capn_Fish

« Reply #57 on: March 15, 2007, 07:11:37 pm »
I don't see anything related to accepting or dropping a request.

I'm thinking it's an issue on the Z (client) end, as I'm using the same sshd_config that I was using and that worked.

Any other ideas?

Thanks for your help.

EDIT: I've been using the command

    ssh -p xxx xxx.xxx.xxx.xxx

where xxx and xxx.xxx.xxx.xxx are replaced by the port and the host IP respectively.
« Last Edit: March 15, 2007, 07:13:08 pm by Capn_Fish »

desertrat

« Reply #58 on: March 15, 2007, 07:36:50 pm »
Quote
EDIT: I've been using the command

    ssh -p xxx xxx.xxx.xxx.xxx

Could you tell us what exactly you're trying to do? AFAICT you're trying to set up an automated ssh login (using keys), in which case the command you need is something like:

    ssh -i ~/.ssh/some.key user@example.com

Capn_Fish

« Reply #59 on: March 15, 2007, 07:47:21 pm »
I am trying to get my setup back to the point where I have my Ubuntu server blocking all requests to ssh in except from the holder of the correct id_dsa file (my Z). I had it set up in this way and was using it to copy files between the server and my Z, but after reflashing my Z I can't get it to work again.

Basically, I'm trying to set up a secure ssh connection between my Z and an Ubuntu box using dsa keys for authentication.

Anything else you need to know?