john pfeiffer

sshd install and ssh security non-interactive


ssh username@myhostname.com -p 2995

connect to a remote machine from the linux command line (bash), here to an sshd listening on the non-default port 2995

ssh -i ~/.sshkeys/aws.pem -p 2345 ec2-user@compute.amazonaws.com

connect using a specified private key file

ssh username@remotehost.net ls -l /

non-interactive ssh: run just one command on the remote host and exit

ERROR sudo: no tty present and no askpass program specified

ssh -t -i /home/ubuntu/aws.pem ubuntu@compute.amazonaws.com "sudo /bin/bash -c 'touch /opt/.license/.eula'"

force a pseudo-tty (-t) so that sudo can prompt for its password, then run the command via sudo


sudo apt-get install ssh

(approx 18.6MB in size; the ssh metapackage pulls in both openssh-client and openssh-server)

OR sudo apt-get install openssh-server

ssh is the open source method of securely controlling a machine remotely from the command line

ssh2 is the current secure protocol version (SSH-1 is broken and should be disabled); "putty" is an example of a portable windows client binary


sudo nano /etc/ssh/sshd_config

Protocol 2               # ensure ssh version 2 only (sshd_config comments start with #)

# note: you may use your router for port redirection so that remote access is
# via an alt port while the LAN still connects through 22

#Port 22                 # the default is too easy for script kiddies, change it...
Port 1119                # ...or listen on multiple ports
Port 2119                # but you may have to configure your firewall

PermitRootLogin no       # shipped as "yes"; set it to "no", use a normal user and sudo

AllowUsers user1 user2   # add to the end of the file to allow only specific users

Then check the file and reload or restart sshd. Neither disconnects your current session, which is what you want: keep it open and confirm that a second login works before you close it, so a mistake in the new config cannot lock you out.

sudo /usr/sbin/sshd -t                  # test mode: check the config for syntax errors first
sudo /etc/init.d/ssh reload             # reload the new config
sudo /etc/init.d/ssh restart            # restart the service (doesn't disconnect)
service sshd restart                    # the same on systems that use "service" (won't disconnect your current session)
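The settings above are the ones worth checking before every reload. The following is an added example, written for this page rather than taken from the original post or from OpenSSH: a small auditor that parses an sshd_config the way sshd reads it (comments stripped, first occurrence of a keyword wins, every Port line adds a listener, anything after the first Match line is conditional) and reports the settings this page tells you to change. Both sample configs are constructed for the example; the "weak" one carries the defaults shown above, the "hardened" one the recommended values.

```python
import re

# Constructed sample configs for this example (not from any real host).
# WEAK_CONFIG has the page's "before" settings, HARDENED_CONFIG the recommended ones.
WEAK_CONFIG = """\
# sshd_config, as shipped
Protocol 2
#Port 22
Port 22
PermitRootLogin yes
X11Forwarding no
Match User backup
    PermitRootLogin no      # only inside the Match block; the global value still applies
"""

HARDENED_CONFIG = """\
Protocol 2
Port 1119
Port 2119
PermitRootLogin no
AllowUsers user1 user2
"""


def parse_sshd_config(text):
    """Return the effective global settings as {keyword_lower: value}.

    sshd honours the first occurrence of a keyword and ignores later duplicates,
    so setdefault() keeps the first value. Port is the exception: every Port
    line adds a listener, so it is collected into a list. Anything after the
    first Match line is conditional and not part of the global section.
    """
    settings = {}
    ports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()                          # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "port":
            ports.append(value)
        else:
            settings.setdefault(key, value)
    if ports:
        settings["port"] = ports
    return settings


def audit_sshd_config(text):
    """Return a list of findings for the settings this page recommends changing."""
    s = parse_sshd_config(text)
    findings = []
    # 'Protocol 2,1' or 'Protocol 1' still offers SSH-1.
    if s.get("protocol", "2") != "2":
        findings.append("Protocol %s: SSH-1 is enabled; set 'Protocol 2'" % s["protocol"])
    # Absent means the build's default applies (historically 'yes'); say 'no' explicitly.
    root = s.get("permitrootlogin", "<unset>")
    if root != "no":
        findings.append("PermitRootLogin %s: set it to 'no' and use a normal user plus sudo" % root)
    if "allowusers" not in s:
        findings.append("AllowUsers missing: every local account may attempt to log in")
    if "22" in s.get("port", ["22"]):
        findings.append("Port 22: the default port draws the most automated login attempts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_sshd_config(cfg)
        print("%s: %d finding(s)" % (name, len(found)))
        for f in found:
            print("  -", f)
```

Run it against /etc/ssh/sshd_config by reading the file into audit_sshd_config(). Moving off port 22 only reduces scanner noise in the logs; the settings that actually keep people out are PermitRootLogin and AllowUsers, which is why the auditor treats those as the important findings.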

PORT FORWARDING WITH SSH

Similar to a VPN, in that your connections appear to originate from the remote network you log in to.

A port forward from your home machine to hostname.domain.org: ssh listens on localhost port 3306 and carries each connection through the tunnel, and hostname.domain.org opens it to mysql.domain.org port 3306 (so mysql.domain.org is resolved and reached from the remote side).

ssh -L 3306:mysql.domain.org:3306 username@hostname.domain.org

REVERSE PORT FORWARDING

Useful when the remote machine cannot reach you directly (you are behind NAT or a firewall): you connect out to it, and it gets a listener that tunnels connections back to your machine.

ssh -R 7022:localhost:22 username@home.ip.address

Then, at home.ip.address you can connect back using: ssh -p 7022 username@localhost

By default (GatewayPorts no) the remote listener binds to loopback only, so port 7022 is reachable from home.ip.address itself and not from the rest of that network.


IP TABLES TO REGULATE SSH

In the first example, iptables accepts at most one new connection to the SSH port per minute (--limit 1/minute with a burst of 1) and drops the rest, so a user who enters the wrong password and reconnects gets only one login try per minute from that moment on. Two caveats: iptables sees TCP connection attempts, not authentication results, so the limit applies whether or not the password was wrong; and -m limit keeps a single counter for the rule rather than one per source address, so one noisy scanner uses up the allowance for everybody (a per-address match such as -m hashlimit --hashlimit-mode srcip avoids that).

~# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j DROP

In the second example, the same pair is restricted to source 193.180.177.13, so only that host is accepted at all (other sources match neither rule and fall through to whatever comes next in the chain, which should be a DROP policy). After three failed login tries the host is allowed only one login try per minute: with --limit-burst 3 that is exactly what happens; as written, with --limit-burst 1, the throttle applies from the first connection.

~# iptables -A INPUT -p tcp -s 193.180.177.13 --syn -m state --state NEW --dport 22 -m limit --limit 1/minute --limit-burst 1 -j ACCEPT
~# iptables -A INPUT -p tcp -s 193.180.177.13 --syn -m state --state NEW --dport 22 -j DROP
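Both rule pairs rely on the limit match, which is a token bucket: --limit-burst tokens to start with, refilled at the --limit rate, one token spent per matching packet. The following is an added example (mine, not from the original post or from netfilter) that models that bucket over a constructed sequence of connection attempts from two addresses and shows the effect of the first caveat above: with the single shared bucket that -m limit keeps per rule, a noisy scanner empties the allowance and the legitimate admin is dropped too, whereas a per-address bucket, which is what hashlimit in srcip mode provides, throttles each source on its own. The addresses and timings are constructed for the example.

```python
from collections import defaultdict

# Constructed SYN arrivals (seconds since start, source address) for this example:
# a noisy scanner at 10.0.0.99 and the legitimate admin at 192.0.2.10.
SYNS = [
    (0, "10.0.0.99"), (1, "10.0.0.99"), (2, "10.0.0.99"),
    (3, "10.0.0.99"), (4, "10.0.0.99"),
    (5, "192.0.2.10"),          # admin's first attempt, while the scanner is active
    (65, "10.0.0.99"),          # scanner comes back after the bucket has refilled
    (70, "192.0.2.10"),         # admin retries a minute later
]


class TokenBucket:
    """--limit RATE/minute --limit-burst BURST, modelled as a token bucket.

    The bucket starts full (BURST tokens) and refills at RATE tokens per
    minute, never above BURST. A packet matches only if a token is available.
    """

    def __init__(self, rate_per_minute=1, burst=1):
        self.capacity = burst
        self.tokens = float(burst)
        self.refill_per_second = rate_per_minute / 60.0
        self.last_seen = None

    def allow(self, now):
        if self.last_seen is not None:
            elapsed = now - self.last_seen
            self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_second)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def filter_syns(syns, per_source=False):
    """Apply the page's ACCEPT-then-DROP rule pair to each SYN.

    per_source=False: one bucket for the whole rule, as '-m limit' behaves.
    per_source=True: one bucket per source address, as a per-address match
    such as '-m hashlimit --hashlimit-mode srcip' behaves.
    Returns [(t, src, verdict), ...] in time order.
    """
    shared = TokenBucket()
    per_addr = defaultdict(TokenBucket)
    verdicts = []
    for t, src in sorted(syns):
        bucket = per_addr[src] if per_source else shared
        verdicts.append((t, src, "ACCEPT" if bucket.allow(t) else "DROP"))
    return verdicts


def verdicts_for(src, results):
    """Just the verdicts one source address received, in order."""
    return [v for _, s, v in results if s == src]


if __name__ == "__main__":
    for label, per_source in (("-m limit (shared)", False), ("per-source bucket", True)):
        results = filter_syns(SYNS, per_source)
        print(label)
        for t, src, verdict in results:
            print("  t=%3ds %-12s %s" % (t, src, verdict))
```

With the shared bucket the admin is dropped at t=5 and again at t=70, because the scanner's attempt at t=65 took the one token that had refilled; with per-source buckets both of the admin's attempts are accepted and only the scanner is throttled.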


PREVENTING CONNECTION TIMEOUTS AFTER A SHORT TIME

nano /etc/ssh/sshd_config

ClientAliveInterval 30      # after 30 seconds of silence the server sends the client an encrypted "are you still there" request
ClientAliveCountMax 5       # after 5 requests with no response the server disconnects (150 seconds in total)

Because the request travels inside the encrypted channel it also keeps NAT and firewall connection entries alive, which is what stops an idle session from being cut off.



Published Jan 1, 2009

Category: linux

Tags: linux, non-interactive, ssh, sshd