Sasecurity Wiki
=== SSH connection ===

{{{
We have a gateway node with 2mb 1:1; this node (gateway1) seems to be
acting up! The ssh commands are very slow at times, sometimes never
connecting (this via a public address). If I try running a leechtest, the node reports
slow speeds at times.

If I ssh via another gateway (gateway2) and connect to a repeater node
between the two gateways and run a leechtest I get full speed (yes, the
repeater is fixed/locked to gateway1). gateway2 is only strong enough to
ssh by, and not provide BW.

Gateway node 1 is a LW box, Via mini ATX etc.; temp is always under 20C,
so I don't think the fans are packing up, and this slowness can happen even
when there is very little usage.

=================================
web browser via ssh

ssh -L 81:192.168.1.254:81 1.2.3.4

Which will allow you to access the web server of 192.168.1.254 via an
ssh tunnel to 1.2.3.4 (which can presumably access 192.168.1.254
directly). You access the server by pointing your browser to
http://127.0.0.1:81

==============================
WEBBROWSER VIA SSH

OK, this is what I need to do.
I'm testing WRT54GS, and would like to have remote access to them via
the mesh box. I have two mesh networks over 80 square miles. I can VPN to the main gateway nodes and access clients off the back of the GWs, but I can not VPN to the host mapped addresses of the repeater
nodes from either the host mapped LAN address or WAN address; the host mapped addresses
work fine for ssh.

======================

VPN directly to a wireless node won't work past the gateway unless you use the qorvus code, because the standard locustworld code blocks GRE 47 PPTP traffic past the gateway. But you shouldn't need hostmap if you just remotely VPN into the gateway and then surf to the 1. address for the wireless nodes,
or maybe I don't understand what you're trying to do?

==========================================
WEB BROWSER VIA SSH

Great Tim, that works for local connections but I can not get it to
work over host mapped routes.

ANSW:
VPN is the way to do this. Set up your gateway to act as VPN host, then
you can surf to the 1.1.1.1 addresses behind the gateway. This is how we
manage our qorvus boxes remotely.

==============
Ques:
This may work fine with a Linux desktop but wouldn't work with a
Windows machine running PuTTY; no socket between the browser and the
PuTTY session.

Answ:
However, since everyone (presumably) has access to a meshbox, you
could set the tunnel up on your local meshbox, and then connect to
the relevant port on your local meshbox which will forward it through
to the remote meshbox. You can run tunnels within tunnels if you need
to.

===========
}}}
 
 
 
 
 
=== SSH into box behind router ===

{{{
I have a static IP on a DSL line and I just forward port 22 to my
gateway node. Then you fire up PuTTY or a Linux box, put in the static IP and
you ssh right into the gateway node. Then you can ssh into any node on your
network or you can set up ssh tunneling on your original connection. If
you want a little more security you can pick some way-out port number and
forward it to port 22 on your first node and get the same results. This
all can be done from a dynamic IP also, but you have the pain of keeping up
with IP changes.

> Most DSL routers have the ability to set up a DMZ address. Assign your
> gateway box a static private IP (10.x.x.x) and set that as your DMZ
> address. Then use your public IP provided by your DSL provider to
> access it. This becomes difficult to do if your public address isn't
> static. This is also a danger because it opens that IP to the world with
> little or no firewall protection. If you must, it is advisable to do it
> by port mapping and not leave all ports open on it. Read your router
> manual for more information. The topics of DMZ and port mapping will
> guide you.
>
> Your mileage may vary by manufacturer both in functionality and quality.
>
> Ertan Atay wrote:
>
> >Hi everybody,
> >
> >How can I ssh into my gateway box from the internet, which is connected thru an
> >ADSL router? Router hands out 10.x.x.x IP to the gateway. If I can do it,
> >hopefully I will be able to wormhole two networks, too.
> >
> >Some say I need to do port mapping but wiana is not very helpful on this for
> >someone who is not an expert.

> Most DSL routers have the ability to set up a DMZ address. Assign your
> gateway box a static private IP (10.x.x.x) and set that as your DMZ
> address. Then use your public IP provided by your DSL provider to
> access it. This becomes difficult to do if your public address isn't
> static. This is also a danger because it opens that IP to the world
> with little or no firewall protection.

FWIW, add this to your sshd_config:

AllowUsers yourname@1.2.3.4

For each place/user you will be connecting from/as.
}}}
 
   
 
Revision as of 14:52, 25 February 2021

=== Reverse port forwarding ===

https://www.howtoforge.com/reverse-ssh-tunneling and http://cb.vu/unixtoolbox.xhtml

SSH into another PC via a VPS from a client PC, where the target PC sits behind a NAT or router with its ports blocked. The idea is for the target PC to create an SSH tunnel to either a server or directly to the client PC. Because we don't wish to expose the client PC's ports to the world, a server (the middleman) is used as an intermediary. From the client PC we are finally able to create an ssh session back to the target through this tunnel.

Reverse SSH from the target PC to the middleman:

ssh -R {PortOnMiddlePC}:localhost:{PortOnTargetPC} {UserOnMiddlePC}@{IPofMiddlePC}

ssh -R 19999:localhost:22 middleman@188.88.88.88

ssh -R remoteport:localhost:localport middleman@188.88.88.88 forwards whatever connects to remoteport on the middleman PC back to localhost:localport on the machine that ran the ssh -R command (the target PC in this example). Because no bind address is given and the middleman's sshd has the default GatewayPorts no, the listener on the middleman is bound to 127.0.0.1 only. If you were physically on the middleman you would ssh to the target PC via the tunnel created by the target PC with ssh targetusername@localhost -p 19999.

But because you're not on the middleman PC you have to pull port 19999 down from it:

ssh -L {PortOnClientPC}:localhost:{PortOnMiddlePC} {UserOnMiddlePC}@{IPofMiddlePC}

ssh -L 19999:localhost:19999 middleman@188.88.88.88

ssh -L localport:localhost:remoteport middleman@188.88.88.88 forwards whatever connects to localhost:localport on the client PC to localhost:remoteport on the middleman PC.

ssh to the target PC from the client PC in another terminal:

ssh target@localhost -p {PortForwardedFromTargetPC}

ssh targetusername@localhost -p 19999

Using ssh localhost -p 19999 instead will attempt to log in as the client PC's current user rather than as the user on the target PC; /var/log/auth.log on the target flagged that I attempted to log in as the wrong user. In other words, what we would have run on the middleman with ssh targetusername@localhost -p 19999 is now executed on the client PC via local port forwarding.

GatewayPorts is a setting of the sshd that accepts the -R connection, i.e. the middleman's /etc/ssh/sshd_config, not the target's. With the commands above it is not needed at all: the forwarded port stays on the middleman's loopback and the client reaches it through its own -L tunnel, which is the safer arrangement. Only if the forwarded port must be reachable from outside the middleman does GatewayPorts come into play, and then clientspecified (so the -R command names the bind address explicitly) is preferable to yes. The client PC does not need sshd at all. As an additional security measure use the -x flag (ssh -x target@localhost -p 19999) if you don't need X11 forwarding: X11 forwarding lets the target PC talk to the client's X server, so leaving it off prevents the target PC from attacking the client PC that way. Use ssh -X target@localhost -p 19999 when you do want an X11 session.
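The following is an added example, not code from this wiki page or from OpenSSH. It shows what a locked-down sshd_config on the middleman looks like for the procedure above (forwarding denied globally, re-enabled for the tunnel account only, and only onto loopback port 19999), and it resolves which value sshd would actually apply to a given user and source address, following the first-match rules of sshd_config(5) for the subset it understands (global: first occurrence wins; Match User / Match Address blocks override it, first satisfied block wins). It also evaluates the AllowUsers user@host form recommended in the "SSH into box behind router" thread above. The config text, user names and addresses are constructed for the example; the HOST part of an AllowUsers pattern is matched against the client IP only, whereas real sshd also tries the reverse-resolved hostname.

```python
"""Resolve the effective sshd_config settings for one incoming connection.

Added example (not code from this wiki page or from OpenSSH). Simplifying
assumptions: only the Match criteria User and Address (exact IP or CIDR) are
understood, any other criterion is treated as not matching, and the HOST part
of an AllowUsers USER@HOST pattern is compared with the client IP only.
"""
import fnmatch
import ipaddress

# Constructed sample: a locked-down sshd_config for the middleman/VPS.
SAMPLE_SSHD_CONFIG = """\
# Global section: deny everything that is not explicitly re-enabled below.
PasswordAuthentication no
AllowTcpForwarding no
GatewayPorts no
X11Forwarding no
AllowUsers admin@203.0.113.10 middleman

# The tunnel account may only open remote forwards, and only onto loopback
# port 19999, which is exactly what 'ssh -R 19999:localhost:22' needs.
Match User middleman
    AllowTcpForwarding remote
    PermitListen localhost:19999
    PermitOpen none
    GatewayPorts no

# Admins connecting from the management network may forward freely.
Match Address 203.0.113.0/24
    AllowTcpForwarding yes
    GatewayPorts clientspecified
"""


def parse_sshd_config(text):
    """Return (global_directives, match_blocks).

    global_directives: [(keyword, value), ...] in file order.
    match_blocks: [(criteria_dict, [(keyword, value), ...]), ...].
    Keywords are lower-cased; sshd treats them case-insensitively.
    """
    global_directives, match_blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "match":
            tokens = value.split()
            criteria = {tokens[i].lower(): tokens[i + 1]
                        for i in range(0, len(tokens) - 1, 2)}
            current = (criteria, [])
            match_blocks.append(current)
        elif current is None:
            global_directives.append((keyword, value))
        else:
            current[1].append((keyword, value))
    return global_directives, match_blocks


def match_applies(criteria, user, client_ip):
    """True when every criterion on a Match line holds ('Match all' has none)."""
    for crit, pattern in criteria.items():
        patterns = pattern.split(",")
        if crit == "user":
            if not any(fnmatch.fnmatchcase(user, p) for p in patterns):
                return False
        elif crit == "address":
            ip = ipaddress.ip_address(client_ip)
            if not any(ip in ipaddress.ip_network(p, strict=False) for p in patterns):
                return False
        else:
            return False  # assumption: unsupported criteria never match
    return True


def effective_setting(config_text, keyword, user, client_ip):
    """Value sshd applies for `keyword` to a session by `user` from `client_ip`.

    None means the config never sets it and the compiled-in default applies.
    """
    keyword = keyword.lower()
    global_directives, match_blocks = parse_sshd_config(config_text)
    for criteria, directives in match_blocks:  # first satisfied block wins
        if match_applies(criteria, user, client_ip):
            for k, v in directives:
                if k == keyword:
                    return v
    for k, v in global_directives:  # else the first global occurrence
        if k == keyword:
            return v
    return None


def user_allowed(config_text, user, client_ip):
    """AllowUsers: once any pattern is present, the user must match one of them."""
    global_directives, _ = parse_sshd_config(config_text)
    patterns = [p for k, v in global_directives if k == "allowusers" for p in v.split()]
    if not patterns:
        return True
    for pat in patterns:
        user_pat, _, host_pat = pat.partition("@")
        if fnmatch.fnmatchcase(user, user_pat) and (
                not host_pat or fnmatch.fnmatchcase(client_ip, host_pat)):
            return True
    return False


if __name__ == "__main__":
    for user, ip in (("middleman", "198.51.100.7"), ("admin", "203.0.113.10"), ("admin", "198.51.100.7")):
        print(user, ip, "allowed" if user_allowed(SAMPLE_SSHD_CONFIG, user, ip) else "DENIED",
              "AllowTcpForwarding=%s" % effective_setting(SAMPLE_SSHD_CONFIG, "AllowTcpForwarding", user, ip),
              "GatewayPorts=%s" % effective_setting(SAMPLE_SSHD_CONFIG, "GatewayPorts", user, ip))
```

On a real host the authoritative answer is sshd itself: `sshd -T -C user=middleman,addr=198.51.100.7` prints the effective configuration for that connection, and the resolver above is a way to reason about the same rules on a config file copied off the box.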


=== gatewayports ===

https://github.com/sumup-oss/gocat socat alternative

[https://superuser.com/questions/588591/how-to-make-a-ssh-tunnel-publicly-accessible/591963#591963 make ssh tunnel publicly accessible] Warning: if you set GatewayPorts to yes this will make sshd bind your forwardings to any interface, regardless of the client configuration (-R, etc.). This can become quite a security issue if the client assumes he has limited his forwardings to e.g. localhost. Therefore, setting GatewayPorts to clientspecified is usually what you want.

Here's my answer for completion:

I ended up using ssh -R ... for tunneling, and using socat on top of that for redirecting network traffic to 127.0.0.1:

tunnel bound to 127.0.0.1:
<pre>
ssh -R mitm:9999:<my.ip>:8084 me@mitm
socat TCP-LISTEN:9090,fork TCP:127.0.0.1:9999
</pre>

Other option is to do a local-only tunnel on top of that, but I find this much slower:
<pre>
ssh -L<mitm.ip.address>:9090:localhost:9999 localhost
</pre>
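The practical check for the warning above is to look at what the forward actually bound to on the sshd side rather than trusting the -R arguments. The following is an added example, not code from this wiki page or from the linked answer: it parses the output of `ss -ltn` (iproute2 column layout assumed) and reports the forwarded ports that ended up on a wildcard or interface address instead of loopback. The sample output is constructed to show a middleman running GatewayPorts yes, where the -R 19999 forward landed on 0.0.0.0 although the client gave no bind address.

```python
"""Report ssh port forwards that are reachable beyond loopback.

Added example, not code from this wiki page. Feed it 'ss -ltn' output taken
on the host whose sshd accepted the -R forward. Assumes the iproute2 'ss'
column layout (State, Recv-Q, Send-Q, Local Address:Port, ...).
"""
import ipaddress

# Constructed sample of 'ss -ltn' on a middleman with 'GatewayPorts yes':
# port 9999 is on loopback as intended, port 19999 is on the wildcard address.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128           0.0.0.0:22          0.0.0.0:*
LISTEN  0       128              [::]:22             [::]:*
LISTEN  0       128         127.0.0.1:9999        0.0.0.0:*
LISTEN  0       128           0.0.0.0:19999       0.0.0.0:*
LISTEN  0       4096     0.0.0.0%eth0:68          0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Map each listening port to the set of local addresses bound to it."""
    listeners = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        listeners.setdefault(int(port), set()).add(addr or "*")
    return listeners


def is_loopback_only(addresses):
    """True if every bound address is a loopback address (127.0.0.0/8 or ::1)."""
    for addr in addresses:
        if addr == "*":
            return False  # wildcard: reachable on every interface
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return False  # 0.0.0.0, :: and real interface addresses
        except ValueError:
            return False  # something we cannot classify: treat as exposed
    return True


def exposed_forwards(ss_output, forwarded_ports):
    """Return, sorted, the forwarded ports that are reachable beyond loopback."""
    listeners = parse_listeners(ss_output)
    return sorted(p for p in forwarded_ports
                  if p in listeners and not is_loopback_only(listeners[p]))


if __name__ == "__main__":
    print("exposed forwards:", exposed_forwards(SAMPLE_SS_OUTPUT, [9999, 19999]))
```

Run it against live data with `ss -ltn > listeners.txt` on the middleman and pass the file contents to `exposed_forwards()` together with the ports you asked -R to open; a non-empty result means the GatewayPorts setting, not your -R command, decided who can reach the tunnel.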

=== ssh keys ===

create private public keys https://medium.com/risan/upgrade-your-ssh-key-to-ed25519-c6e8d60d3c54

ssh-keygen -o -a 100 -t ed25519 -f ~/.ssh/id_ed25519 -C "john@example.com"

Only a quantum-mechanical source of indeterminacy (not randomness, which doesn't exist) yields enough entropy (nobody knows what this word means) for a seed. Your computer's random number generator isn't connected to a Geiger counter measuring radioactive decay (a source of quantum indeterminacy), hence no entropy. All those garbled numbers in your private and public keys only seem garbled; they are actually an easily cracked pattern. If you do use a Geiger counter, the Minix operating system on which all OSes are installed will flag you as a high-value target back to CIA headquarters. In this Numberphile video, the mathematician was unable to define what randomness is because it doesn't exist. He flails around, using analogical reasoning, but of course you can't solve a problem you can't even define, which is why, for example, https://en.wikipedia.org/wiki/Theory_of_Evolution redirects to https://en.wikipedia.org/wiki/Evolution: there is no such thing as a theory of evolution because nobody knows what the Lagrangian is that maps polypeptide space into frog space. If pigs had wheels mounted on ball bearings instead of trotters, on what scale of porcine fitness would they be?

https://en.wikipedia.org/wiki/Evolution ...Evolution is change in the heritable characteristics of biological populations over successive generations...

If Wikipedia had written: "Evolution is change in the heritable characteristics of biological populations over successive generations as the Lagrangian maps the quantum-entangled DNA super-computed calculations from polypeptide dinosaur space into chicken space", then at least the statement would enter the domain of Popperian falsifiability, though not escape Agrippan circularity.
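Whatever one believes about the seed, the key that ssh-keygen wrote is what gets trusted, so the practitioner's check is on the public key line itself: is it the type and size expected, and does its fingerprint match what `ssh-keygen -lf` shows on the machine that generated it. The following is an added example, not code from this wiki page or from OpenSSH. It decodes the base64 blob of an authorized_keys-style line (a sequence of length-prefixed SSH "string" fields as in RFC 4253: `string("ssh-ed25519") || string(32-byte key)` for Ed25519, `string("ssh-rsa") || mpint(e) || mpint(n)` for RSA), reports the key size the way `ssh-keygen -l` does, and computes the `SHA256:` fingerprint the same way (SHA-256 over the raw blob, base64 without padding). The sample keys are constructed byte patterns, not real key pairs.

```python
"""Parse OpenSSH public key lines, report key size and SHA256 fingerprint.

Added example, not code from this wiki page or from OpenSSH. Understands
ssh-ed25519 and ssh-rsa blobs; the sample keys below are constructed bytes
standing in for real public keys.
"""
import base64
import hashlib
import struct


def _ssh_string(data):
    """Encode one SSH 'string' field: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Decode one length-prefixed field; raise ValueError on truncated input."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack_from(">I", blob, offset)
    start, end = offset + 4, offset + 4 + n
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def parse_public_key_line(line):
    """Return (key_type, fields, comment) for an authorized_keys-style line.

    fields are the decoded blob fields after the type string: [pub] for
    ed25519, [e, n] for RSA (mpint big-endian bytes, leading 0x00 kept).
    """
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, comment = parts[0], parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)
    blob_type, off = _read_string(blob, 0)
    if blob_type != key_type.encode():
        raise ValueError("blob type does not match declared type %r" % key_type)
    fields = []
    while off < len(blob):
        field, off = _read_string(blob, off)
        fields.append(field)
    return key_type, fields, comment


def key_bits(line):
    """Key size as 'ssh-keygen -l' reports it: 256 for ed25519, modulus bits for RSA."""
    key_type, fields, _ = parse_public_key_line(line)
    if key_type == "ssh-ed25519":
        if len(fields) != 1 or len(fields[0]) != 32:
            raise ValueError("malformed ed25519 key")
        return 256
    if key_type == "ssh-rsa":
        if len(fields) != 2:
            raise ValueError("malformed RSA key")
        return int.from_bytes(fields[1], "big").bit_length()  # n is the second mpint
    raise ValueError("unsupported key type " + key_type)


def fingerprint_sha256(line):
    """Fingerprint as 'ssh-keygen -lf' prints it: SHA256 of the blob, base64, no '='."""
    blob = base64.b64decode(line.split(None, 2)[1], validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def make_public_key_line(key_type, fields, comment=""):
    """Inverse of parse_public_key_line; builds a line from decoded fields."""
    blob = b"".join(_ssh_string(f) for f in [key_type.encode()] + list(fields))
    line = key_type + " " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed samples: 32 arbitrary bytes in place of an Ed25519 public key, and
# an RSA key with e=65537 and a 2048-bit modulus of 0xff bytes (not real keys).
SAMPLE_ED25519_LINE = make_public_key_line("ssh-ed25519", [bytes(range(32))], "john@example.com")
SAMPLE_RSA_LINE = make_public_key_line("ssh-rsa", [b"\x01\x00\x01", b"\x00" + b"\xff" * 256])

if __name__ == "__main__":
    for sample in (SAMPLE_ED25519_LINE, SAMPLE_RSA_LINE):
        key_type, _, comment = parse_public_key_line(sample)
        print(key_bits(sample), fingerprint_sha256(sample), comment, "(%s)" % key_type)
```

Point `fingerprint_sha256()` at a line from `~/.ssh/id_ed25519.pub` and the value must equal the one `ssh-keygen -lf ~/.ssh/id_ed25519.pub` prints; a mismatch, an unexpected key type, or an RSA modulus shorter than you intended is reason to stop before adding the key anywhere.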

=== notes ===

https://www.ettercap-project.org/

https://raymii.org/s/tutorials/Limit_access_to_openssh_features_with_the_Match_keyword.html

https://bugzilla.mindrot.org/show_bug.cgi?id=match

https://bbs.archlinux.org/viewtopic.php?id=121945

https://www.linuxquestions.org/questions/linux-security-4/ssh-deny-all-users-except-one-277288/ allow deny

https://github.com/g0tmi1k/debian-ssh

http://web.archive.org/web/20110723091928/http://digitaloffense.net/tools/debian-openssl

https://security.stackexchange.com/questions/127346/ssh-keygen-how-is-the-seed-generated

https://github.com/openssh/openssh-portable/blob/master/sshkey.c#L1652 static int ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)

https://www.youtube.com/watch?v=EjARnLxSqOg metasploit https://github.com/rapid7/metasploit-framework create reverse shell.


=== SSH ===


ssh

http://www.revsys.com/writings/quicktips/ssh-tunnel.html

http://www.amazon.com/gp/product/0596008953?ie=UTF8&tag=revosystblog-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0596008953


=== links ===

MeshNetworking main page documenting the locustworld.com mesh networking technology.

Ftp