You searched for articles tagged with SSH.

[ #235 ] Converting ssh2 public keys to openssh

SSH, Shell Added about three weeks ago

Sometimes you will have to convert a public key generated by PuTTYgen for use on *nix. Just use ssh-keygen:

ssh-keygen -i -f sshv2.pub > id_dsa.pub
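To show what that conversion actually does, here is an added example (not part of the original post, and not ssh-keygen's code) that parses the RFC 4716 "SSH2" container PuTTYgen writes and emits the one-line OpenSSH form. It also reads the key algorithm out of the binary blob, which is how the conversion knows to write "ssh-rsa" in front. The sample key, its comment and the x-command header are constructed for the demo; the key is not usable.

```python
"""Added example: convert an RFC 4716 ("SSH2") public key, the format
PuTTYgen exports, to the one-line OpenSSH form, which is what
`ssh-keygen -i -f sshv2.pub` does.  The key below is constructed for the
demo and is not a usable key."""
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    # SSH wire "string": big-endian uint32 length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    # SSH "mpint": two's complement big-endian; an extra leading zero byte
    # is required when the top bit is set so the number stays positive.
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return _ssh_string(raw)


def constructed_rsa_blob() -> bytes:
    # Toy ssh-rsa key blob: algorithm name, exponent e, modulus n.  Only the
    # encoding matters here; a 256-bit modulus is far too small for real use.
    n = int.from_bytes(bytes(range(1, 33)), "big")
    return _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)


def parse_rfc4716(text: str):
    """Return (headers, key_blob) from an RFC 4716 public key file."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != BEGIN:
        raise ValueError("missing RFC 4716 begin marker")
    try:
        end = lines.index(END)
    except ValueError:
        raise ValueError("missing RFC 4716 end marker") from None
    headers, body, pending = {}, [], ""
    for line in lines[1:end]:
        line = pending + line.rstrip()
        pending = ""
        if ":" in line:                  # header line; base64 never contains ':'
            if line.endswith("\\"):      # header continued on the next line
                pending = line[:-1]
                continue
            name, _, value = line.partition(":")
            headers[name.strip()] = value.strip()
        else:
            body.append(line.strip())
    blob = base64.b64decode("".join(body), validate=True)
    return headers, blob


def key_type(blob: bytes) -> str:
    # The algorithm name is the first SSH string inside the blob.
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def to_openssh(text: str) -> str:
    """One-line OpenSSH form: '<type> <base64 blob> [comment]'."""
    headers, blob = parse_rfc4716(text)
    line = f"{key_type(blob)} {base64.b64encode(blob).decode('ascii')}"
    comment = headers.get("Comment", "").strip('"')
    return f"{line} {comment}" if comment else line


def constructed_rfc4716() -> str:
    # What a PuTTYgen-style export of the toy key looks like (constructed).
    b64 = base64.b64encode(constructed_rsa_blob()).decode("ascii")
    return "\n".join([
        BEGIN,
        'Comment: "rsa-key-20240101"',
        "x-command: /usr/local/bin/\\",   # header continued with a trailing backslash
        "check",
        *[b64[i:i + 70] for i in range(0, len(b64), 70)],
        END,
    ]) + "\n"


if __name__ == "__main__":
    print(constructed_rfc4716())
    print(to_openssh(constructed_rfc4716()))
```

The OpenSSH line is what goes into ~/.ssh/authorized_keys; the base64 blob is byte-for-byte the same as in the RFC 4716 file, only the wrapping and headers change. Whether the comment is carried over is a choice of this example; check the output of your own ssh-keygen if you rely on it.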



[ #215 ] fail2ban on NetBSD for ssh

NetBSD, SSH Added less than a year ago

Check out fail2ban - it's a great way of securing your system: it adds firewall rules to block offending IPs when it sees attack attempts such as repeated failed ssh logins.

To set it up on NetBSD, install it from source - it's Python, so you can just:

$ sudo python setup.py install

Then add an rc script:

#!/bin/sh
#
# PROVIDE: fail2ban
# REQUIRE: NETWORKING syslogd

. /etc/rc.subr

name="fail2ban"
rcvar=$name
command="/usr/pkg/bin/fail2ban-client"
pidfile="/var/run/${name}/${name}.pid"
extra_commands="reload"

fail2ban_start()
{
    if [ -n "${the_fail2ban_pid}" ]; then
        echo "${command} already running as pid ${the_fail2ban_pid}."
        return 1
    fi
    echo "Starting ${name}"
    ${command} start
}

fail2ban_stop()
{
    if [ -z "${the_fail2ban_pid}" ]; then
        echo "${command} not running? (check ${pidfile})."
        return 1
    fi
    echo "Stopping ${name}"
    ${command} stop
}

fail2ban_status()
{
    if [ -z "${the_fail2ban_pid}" ]; then
        echo "${command} is not running? (check ${pidfile})."
    else
        echo "${command} is running as pid ${the_fail2ban_pid}."
    fi
}

fail2ban_reload()
{
    if [ -z "${the_fail2ban_pid}" ]; then
        echo "${command} not running? (check ${pidfile})."
        return 1
    fi
    echo "Reloading fail2ban"
    ${command} reload
}

start_cmd="fail2ban_start"
stop_cmd="fail2ban_stop"
status_cmd="fail2ban_status"
reload_cmd="fail2ban_reload"
the_fail2ban_pid=`check_pidfile ${pidfile} /usr/pkg/bin/python`

load_rc_config $name
run_rc_command "$1"

(don't forget to add fail2ban=YES to your /etc/rc.conf)

And set up your jail.conf with a section like this:

[ssh-ipfilter]

enabled  = true
filter   = sshd
action   = sendmail-whois[name=SSH, dest=youremail@email.com, sender=fail2ban@yourbox]
           ipfilter[name=SSH, port=ssh, protocol=tcp]
logpath  = /var/log/authlog
maxretry = 5

(Read the fail2ban docs or the message after installation to determine where your jail.conf and other conf files are. Mine are in /etc/fail2ban/)

Then start it up like this:

$ sudo /etc/rc.d/fail2ban start

Check out all the other actions and filters too... fail2ban is not just for blocking failed ssh authentications!

I get an email whenever fail2ban is started or stopped - and also whenever it blocks a possible attacking IP. It works great!
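To make the maxretry / logpath part of that jail concrete, here is an added example (not part of the original post and not fail2ban's own code) that does what the sshd filter plus the jail's counters do: parse sshd failure lines from an authlog-style file, count failures per source IP inside a sliding window, and "ban" an IP once it reaches maxretry. The log lines, host name and addresses are constructed; the 10-minute findtime and bantime are values chosen for the demo, and the block rule text is an ipf(5)-style illustration rather than the exact text the ipfilter action writes.

```python
"""Added example: the core of what fail2ban's sshd filter + maxretry do,
run over a few constructed /var/log/authlog lines.  Failures per source IP
are counted inside a sliding window (findtime); when they reach maxretry the
IP is "banned" for bantime and a block rule is produced.  The log lines,
host name and addresses below are constructed, not from a real system."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the two common sshd failure messages (syslog format, no year).
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

CONSTRUCTED_AUTHLOG = """\
Mar  3 10:15:01 nb sshd[1201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:03 nb sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:06 nb sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 51131 ssh2
Mar  3 10:15:09 nb sshd[1207]: Accepted publickey for brad from 198.51.100.20 port 40012 ssh2
Mar  3 10:15:10 nb sshd[1209]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:15:12 nb sshd[1211]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:15:14 nb sshd[1213]: Failed password for root from 203.0.113.7 port 51142 ssh2
Mar  3 10:20:00 nb sshd[1301]: Failed password for bob from 198.51.100.9 port 40100 ssh2
Mar  3 10:31:00 nb sshd[1302]: Failed password for bob from 198.51.100.9 port 40101 ssh2
Mar  3 10:42:00 nb sshd[1303]: Failed password for bob from 198.51.100.9 port 40102 ssh2
Mar  3 10:53:00 nb sshd[1304]: Failed password for bob from 198.51.100.9 port 40103 ssh2
Mar  3 11:04:00 nb sshd[1305]: Failed password for bob from 198.51.100.9 port 40104 ssh2
this line is not a syslog entry and must be ignored
"""


def parse_failure(line, year=2024):
    """(timestamp, source ip) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    # syslog lines carry no year, so one is supplied by the caller
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def scan(lines, maxretry=5, findtime=600, bantime=600, year=2024):
    """Return [(ip, ban_time)] in the order bans would be issued."""
    recent = defaultdict(deque)   # ip -> timestamps of failures in the window
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ts < banned_until.get(ip, ts):
            continue              # still banned: the firewall drops these anyway
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]) > timedelta(seconds=findtime):
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts))
            window.clear()
    return bans


def ipf_block_rule(ip, port=22):
    # ipf(5)-style rule of the kind an ipfilter ban action inserts; the exact
    # text fail2ban's ipfilter action uses is not reproduced here (assumption).
    return f"block in quick proto tcp from {ip}/32 to any port = {port}"


if __name__ == "__main__":
    for ip, when in scan(CONSTRUCTED_AUTHLOG.splitlines()):
        print(f"{when:%b %d %H:%M:%S} ban {ip}: {ipf_block_rule(ip)}")
```

On the sample, 203.0.113.7 hits five failures in eleven seconds and is banned on the fifth; 198.51.100.9 also fails five times, but eleven minutes apart, so with a 10-minute findtime no window ever holds more than one failure and it is never banned. Widening findtime to an hour catches it, which is the trade-off the jail's findtime and maxretry express.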




[ #92 ] Secure HTTP Tunnel

Linux, Shell, Privacy, SSH Added a year and a bit ago and last edited a year and a bit ago

The Stupid Way

(Don't do this, see The Smart Way below)

On a remote machine that you have SSH access to:

remote$ hostname
host.where.proxy.is.running
remote$ # start an HTTP proxy running on port 8887 here

Then, on your local machine:

local$ ssh -qnN -L 8080:localhost:8887 host.where.proxy.is.running.tld &

... and set up your browser to use localhost:8080 as the proxy.

The proxy software I use on my remote host is TinyProxy.

The Smart Way

You don't even need to set up a proxy at your remote host if you just create a tunnel like this:

local$ ssh -qnN -D 1080 remotehost &

... that sets up a SOCKS proxy on localhost:1080 on your local machine, carried over the tunnel to remotehost, which then sends any request you make on from there, like a relay. So if you set your browser to use the SOCKS proxy on localhost:1080 you have a tunnel without having to set up any proxy software. Thanks Snare!
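What actually crosses localhost:1080 is a SOCKS5 handshake, and the detail worth knowing for a privacy tunnel is the address type in the CONNECT request: if the browser sends the hostname (address type 3) rather than an IP, the name is resolved at the far end of the tunnel, so no DNS query for it leaves your machine. Here is an added example (not part of the original post and not OpenSSH code) showing both sides' messages; the "proxy" functions are a toy stand-in for ssh's -D listener written for this demo, and the target host and port are constructed.

```python
"""Added example: the SOCKS5 exchange between a browser and the local port
that `ssh -D 1080` listens on, with both sides' messages.  The proxy side
here is a toy stand-in for ssh's listener, written for this demo (it is
not OpenSSH code); target host and port are constructed."""
import socket
import struct

VER = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REP_SUCCESS = 0x00


def greeting() -> bytes:
    # client -> proxy: version, number of auth methods, the methods offered.
    return bytes([VER, 1, NO_AUTH])


def connect_request(host: str, port: int) -> bytes:
    # client -> proxy: CONNECT with the target given as a domain name (ATYP 3),
    # so the name is resolved by the proxy, i.e. at the far end of the ssh
    # tunnel, and no DNS query for it leaves the local machine.
    name = host.encode("idna")
    return bytes([VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)]) + name + struct.pack(">H", port)


def proxy_handle_greeting(conn) -> int:
    # proxy side: pick an auth method (0xFF = none acceptable).
    _ver, nmethods = conn.recv(2)
    methods = conn.recv(nmethods)
    chosen = NO_AUTH if NO_AUTH in methods else 0xFF
    conn.sendall(bytes([VER, chosen]))
    return chosen


def proxy_handle_connect(conn):
    # proxy side: decode the CONNECT target and answer with a success reply
    # carrying a zero bound address (what the tunnel would reply once the
    # remote end has connected).  Returns the target it was asked for.
    _ver, cmd, _rsv, atyp = conn.recv(4)
    if cmd != CMD_CONNECT:
        raise ValueError(f"unsupported command {cmd}")
    if atyp == ATYP_DOMAIN:
        (n,) = conn.recv(1)
        host = conn.recv(n).decode("idna")
    elif atyp == ATYP_IPV4:
        host = socket.inet_ntoa(conn.recv(4))
    else:
        raise ValueError(f"unsupported address type {atyp}")
    (port,) = struct.unpack(">H", conn.recv(2))
    conn.sendall(bytes([VER, REP_SUCCESS, 0x00, ATYP_IPV4]) + b"\0\0\0\0" + struct.pack(">H", 0))
    return host, port


def read_reply(conn):
    # client side: parse the proxy's reply -> (status, bound_addr, bound_port).
    ver, rep, _rsv, atyp = conn.recv(4)
    if ver != VER:
        raise ValueError("not a SOCKS5 reply")
    if atyp == ATYP_IPV4:
        addr = socket.inet_ntoa(conn.recv(4))
    elif atyp == ATYP_DOMAIN:
        (n,) = conn.recv(1)
        addr = conn.recv(n).decode("idna")
    else:
        raise ValueError(f"unsupported address type {atyp}")
    (port,) = struct.unpack(">H", conn.recv(2))
    return rep, addr, port


def run_exchange(host="example.com", port=443):
    """Drive the whole handshake over an in-process socket pair."""
    client, proxy = socket.socketpair()
    with client, proxy:
        client.sendall(greeting())
        proxy_handle_greeting(proxy)
        method = client.recv(2)[1]
        client.sendall(connect_request(host, port))
        target = proxy_handle_connect(proxy)
        rep, _addr, _port = read_reply(client)
    return method, target, rep


if __name__ == "__main__":
    print(run_exchange())
```

The practical consequence: the browser has to be told to hand the hostname to the proxy (Firefox's "Proxy DNS when using SOCKS v5" option does this), otherwise it resolves names locally first and sends an IP, and your DNS traffic is not part of the tunnel.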




[ #86 ] SSH Config

Linux, Shell, SSH Added a year and a bit ago and last edited less than a year ago

Users

If you are on a system as user fredb and you want to ssh to a host where your login is superman, you would normally have to specify the username on the ssh line like so:

fredb@thishost$ ssh superman@otherhost

... but you can save yourself some typing by specifying that an ssh to otherhost should log in as superman every time, by adding some lines to your ~/.ssh/config file:

Host otherhost
    User superman

Now you can simply do this:

fredb@thishost$ ssh otherhost

... and it will ask for superman's password instead of fredb's.

Host Nicknames

You can also use your config file to specify host nicknames. Say you normally connect to longhostname.tld; you can shorten that to lhn if you like:

Host lhn
    Hostname longhostname.tld
    User jsmith

... now you simply:

$ ssh lhn

Identity Files (Keys)

If you have keys set up for your various hosts, and those keys are loaded in your ssh-agent, you might like to specify which key belongs to which host in the config file.

Host lhn
    Hostname longhostname.tld
    User jsmith
    IdentityFile ~/.ssh/id_dsa.longhostname

This is important if you have more than 6 keys in your agent. Why? Because without this mapping, ssh will work through the agent's list of keys until it finds one that works - but the host will hang up after 6 unsuccessful tries! If your key is number seven in the list, it will never get tried. So adding the IdentityFile mapping in the config file as above makes ssh try the correct key the very first time.
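The part of ~/.ssh/config that trips people up is how ssh combines several matching Host blocks: blocks are read in file order, and for each option the first value obtained wins, so a catch-all "Host *" block belongs at the end, not the start. IdentityFile is one of the few options that accumulate instead. Here is an added example (not part of the original post, and not OpenSSH's parser) that resolves the effective options for a host the way ssh does, including "!" negated patterns. The config text is constructed for the demo; it also uses the real IdentitiesOnly option, which tells ssh to offer only the configured IdentityFile rather than every key in the agent, and is the direct fix for the six-tries problem above.

```python
"""Added example: how ssh resolves ~/.ssh/config for a given host.  Host
blocks are scanned in file order, a host can match several of them, and for
each option the FIRST value obtained wins (IdentityFile being one of the few
options that accumulate).  The config text is constructed for this demo;
it is not the post author's file."""
import re

CONSTRUCTED_CONFIG = """\
# constructed ~/.ssh/config
Host otherhost
    User superman

Host lhn
    HostName longhostname.tld
    User jsmith
    IdentityFile ~/.ssh/id_dsa.longhostname
    IdentitiesOnly yes

Host *.internal !bastion.internal
    ProxyJump bastion.internal

Host *
    User fredb
    IdentityFile ~/.ssh/id_ed25519
"""

# "Key value" or "Key=value"
_OPTION_RE = re.compile(r"^([A-Za-z]+)\s*(?:=\s*|\s+)(.*)$")


def parse_ssh_config(text):
    """List of (host_patterns, [(option, value), ...]) in file order.
    Options that appear before any Host line apply to every host."""
    blocks = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _OPTION_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse: {raw!r}")
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            blocks.append((value.split(), []))
        else:
            blocks[-1][1].append((key, value))
    return blocks


def _glob(pattern):
    # ssh patterns know only '*' and '?'; translate to an anchored regex.
    return re.compile("^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$")


def host_matches(host, patterns):
    # A '!'-prefixed pattern is a negation: one negated match vetoes the block.
    matched = False
    for p in patterns:
        if p.startswith("!"):
            if _glob(p[1:]).match(host):
                return False
        elif _glob(p).match(host):
            matched = True
    return matched


def effective_config(text, host):
    """Options ssh would use for `ssh host` (first obtained value wins)."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        if not host_matches(host, patterns):
            continue
        for key, value in options:
            if key == "identityfile":
                result.setdefault(key, []).append(value)   # identities accumulate
            else:
                result.setdefault(key, value)              # first value wins
    result.setdefault("hostname", host)   # HostName defaults to the name given
    return result


if __name__ == "__main__":
    for h in ("lhn", "otherhost", "box.internal", "bastion.internal"):
        print(h, effective_config(CONSTRUCTED_CONFIG, h))
```

Running it shows "ssh lhn" going to longhostname.tld as jsmith with both identity files in the list (the host-specific one first), while an unlisted host falls through to the "Host *" defaults. Move the "Host *" block to the top of the file and every host would log in as fredb, which is the ordering mistake this resolver makes visible.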




The Author

This is the blog of Brad Willis, a software engineer living in Brisbane.
