
SSH

SSH copy via sudo root


 ssh  patoche@asterisk.nomblot.com sudo -S tar -czf -  /var/lib/asterisk/sounds/ | tar -xvf - -C Sounds


SSHFS: mount a remote filesystem over ssh


$ sshfs -o idmap=user user@hostname:/home/user ~/Remote


SSH tunnel to a MySQL server that listens only on localhost (on the remote side)

from your client system, run:
ssh -4 -Y -L 10200:localhost:3306 testlink.besancon.parkeon.com


SSH tunnel through system A, from which system B:80 is reachable

from your client system, run:

ssh -4 -Y -L 10200:server-B:80 server-A



SSH without password

First step, generate the keys on the client side. This creates your key pair (here id_dsa and id_dsa.pub) in the .ssh directory of your home directory. An empty passphrase makes ssh work without a password (be sure you really need this!).
client$ cd $HOME/.ssh

client$ ssh-keygen -b 1024 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oalbiez/.ssh/id_dsa): <ret> 
Enter passphrase (empty for no passphrase): <ret>
Enter same passphrase again: <ret>
Your identification has been saved in /home/oalbiez/.ssh/id_dsa.
Your public key has been saved in /home/oalbiez/.ssh/id_dsa.pub.
The key fingerprint is:
8f:b2:3f:16:41:2e:9e:bb:8a:27:9a:4c:cb:b0:31:ef oalbiez@ratp-albiez.besancon.parkeon.com
Warning: this method is not secure because your private key is stored in clear text!

Second step, put the public key on the server side:
ssh-copy-id <user>@<server>
Or manually:
client$ scp id_dsa.pub <user>@<server>:.ssh
log on the server and:
server$ cd .ssh

server$ cat id_dsa.pub >> authorized_keys
You can now log on the server without a password. It's a pretty good idea to protect your private key with appropriate file permissions...

Forbid authentication with a password:

 /etc/ssh/sshd_config --> PasswordAuthentication no

Forbid root from logging in:

 /etc/ssh/sshd_config --> PermitRootLogin no

Tunnel X11 over ssh:

ssh -Y <user>@<server>
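A small audit script for the two points above (private key permissions, and the two sshd_config directives). This is an added example, not part of the original notes; it assumes GNU stat (-c) and only reads the global section of sshd_config, stopping at the first Match block.

```shell
#!/bin/sh
# Added example: audit the hardening points from these notes.
# 1. private key files must not be group/world readable
# 2. sshd_config must carry "PasswordAuthentication no" and "PermitRootLogin no"

# check_key_perms FILE -> 0 if mode is 0600 or 0400, 1 otherwise (GNU stat assumed)
check_key_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1: mode $mode is too permissive (want 600)" >&2; return 1 ;;
    esac
}

# sshd_option CONFIG KEY -> prints the effective global value of KEY
# First match wins (as sshd applies it); keywords are case-insensitive;
# comment lines are skipped; the scan stops at the first Match block.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_hardening CONFIG -> 0 if both directives are explicitly "no"
check_sshd_hardening() {
    ok=0
    for key in PasswordAuthentication PermitRootLogin; do
        val=$(sshd_option "$1" "$key")
        if [ "$val" != "no" ]; then
            echo "$1: $key is '${val:-unset (default)}', want 'no'" >&2
            ok=1
        fi
    done
    return $ok
}
```

Run it against the live files with `check_key_perms ~/.ssh/id_dsa; check_sshd_hardening /etc/ssh/sshd_config`; a non-zero exit means something to fix, with the reason printed on stderr.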

Send a mail on login

Add a line in /etc/pam.d/common-session that runs a script:
session optional        pam_exec.so /usr/local/bin/send-mail-on-ssh-login.sh

#!/bin/sh
if [ "$PAM_SERVICE" ] 
then  {
    echo "User: $PAM_USER"
    echo "Remote Host: $PAM_RHOST"
    echo "Service: $PAM_SERVICE"
    echo "TTY: $PAM_TTY"
    echo "Date: `date`"
    echo "Server: `uname -a`"
    echo "."
    echo "."
    echo ""
    echo ""
  } | mail -s "$PAM_SERVICE login on `hostname -s` for account $PAM_USER" me@gmail.com
fi
exit 0

Protect SSH against network attacks

with FAIL2BAN

sudo aptitude install fail2ban

List the jails and the banned clients

sudo fail2ban-client status
sudo fail2ban-client status sshd


Lift the ban on an IP for a jail

sudo fail2ban-client set sshd unbanip 1.2.3.4


with the iptables firewall

  • limit to 8 new connections per minute
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
  • flush the rules from time to time via cron to re-open access
*/10 * * * * /sbin/iptables -F
