SSH copy via sudo root

ssh <user>@<server> sudo -S tar -czf - /var/lib/asterisk/sounds/ | tar -xzvf - -C Sounds
(sudo -S reads the sudo password from stdin, so you type it once at the prompt; the archive is streamed through the ssh connection and unpacked locally into Sounds.)

SSHFS: mount a remote filesystem over ssh

$ sshfs -o idmap=user user@hostname:/home/user ~/Remote

SSH tunnel to a MySQL server that listens only on localhost of the remote host

from your client system, run:
ssh -4 -Y -L 10200:localhost:3306 <user>@<server>
(then connect locally to 127.0.0.1 port 10200)

SSH tunnel through system A to port 80 of system B, which is reachable from A

from your client system, run:

ssh -4 -Y -L 10200:server-B:80 server-A
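The same two tunnels as `~/.ssh/config` entries, added here as an example (not part of the original notes). `<server>` and `<user>` are placeholders; `ExitOnForwardFailure` makes ssh exit instead of silently leaving you with a shell but no tunnel. Note that `-Y` (trusted X11 forwarding) is not needed for a port forward and gives the remote host full access to your X session, so it is left out here:

```ssh_config
# Host alias for the MySQL tunnel: "ssh -N mysql-tunnel", then
# "mysql -h 127.0.0.1 -P 10200" (not -h localhost, which would use the
# local Unix socket instead of the forwarded TCP port).
Host mysql-tunnel
    HostName <server>
    User <user>
    LocalForward 10200 localhost:3306
    ExitOnForwardFailure yes

# Host alias for reaching server-B:80 through server-A: "ssh -N web-via-a",
# then browse http://127.0.0.1:10200/
Host web-via-a
    HostName server-A
    User <user>
    LocalForward 10200 server-B:80
    ExitOnForwardFailure yes
```

`-N` tells ssh not to run a remote command, so the session only carries the forwarded port; ssh_config does not accept trailing comments on a directive line, which is why the comments sit on their own lines.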

SSH without password

First step, generate the keys on the client side. This creates your private key and its public key (id_rsa and id_rsa.pub, or id_dsa and id_dsa.pub with the dsa command below) in the .ssh directory of your home directory. An empty passphrase makes ssh work without a password (be sure you really need this!). OpenSSH has disabled DSA keys by default since version 7.0, so on a current system use -t ed25519 instead of -t dsa.
client$ cd $HOME/.ssh

client$ ssh-keygen -b 1024 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oalbiez/.ssh/id_dsa): <ret>
Enter passphrase (empty for no passphrase): <ret>
Enter same passphrase again: <ret>
Your identification has been saved in /home/oalbiez/.ssh/id_dsa.
Your public key has been saved in /home/oalbiez/.ssh/id_dsa.pub.
The key fingerprint is:

Warning: this method is not secure, because your private key is stored in clear text!

Second step, put the public key on the server side:
ssh-copy-id <user>@<server>
Or manually:
client$ scp ~/.ssh/id_dsa.pub <user>@<server>:.ssh
log on the server and:
server$ cd .ssh

server$ cat id_dsa.pub >> authorized_keys
You can now log on to the server without a password. It's a pretty good idea to protect your private key with appropriate permissions (readable by you only, e.g. chmod 600 ~/.ssh/id_dsa)...

Disable password authentication:

 /etc/ssh/sshd_config --> PasswordAuthentication no

Forbid root from logging in:

 /etc/ssh/sshd_config --> PermitRootLogin no

(reload sshd afterwards so the change takes effect)
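A small audit script for the two settings above, added here as an example (not part of the original notes). It matters because sshd uses the first value it finds for a keyword: a `PasswordAuthentication no` placed after an earlier `PasswordAuthentication yes` is silently ignored, and directives after the first `Match` block only apply conditionally. The two config files are constructed for the example and written to temporary files; the function names are my own:

```sh
#!/bin/sh
# Added example (not part of the original notes): audit an sshd_config for the
# two settings above. sshd takes the FIRST value given for a keyword, so a
# "PasswordAuthentication no" placed after an earlier "yes" has no effect, and
# anything after the first "Match" line applies only conditionally.

# Constructed sample config with exactly that mistake.
WEAK_SSHD_CONFIG=$(mktemp)
cat > "$WEAK_SSHD_CONFIG" <<'EOF'
# constructed sshd_config: the second PasswordAuthentication line is ignored
Port 22
PasswordAuthentication yes
PermitRootLogin=without-password
PasswordAuthentication no
Match User backup
    PermitRootLogin no
EOF

# Constructed hardened config for comparison.
HARDENED_SSHD_CONFIG=$(mktemp)
cat > "$HARDENED_SSHD_CONFIG" <<'EOF'
Port 22
PasswordAuthentication no
PermitRootLogin no
EOF
trap 'rm -f "$WEAK_SSHD_CONFIG" "$HARDENED_SSHD_CONFIG"' EXIT

# effective_setting FILE KEYWORD
# Print the value sshd will use for KEYWORD in the global section: the first
# occurrence wins, keywords are case-insensitive, "Key=value" is accepted, and
# scanning stops at the first Match block. Prints "default" if unset.
effective_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # skip comments, blanks
        { line = $0; gsub(/=/, " ", line); $0 = line }   # Key=value -> Key value
        tolower($1) == "match" { exit }                  # global section ends
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# check_sshd_config FILE
# Report each of the two settings whose effective value is not "no";
# return 1 if any of them is weak, 0 otherwise.
check_sshd_config() {
    rc=0
    pw=$(effective_setting "$1" PasswordAuthentication)
    root=$(effective_setting "$1" PermitRootLogin)
    if [ "$pw" != "no" ]; then
        echo "WEAK: effective PasswordAuthentication is '$pw' (sshd default: yes)"
        rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "WEAK: effective PermitRootLogin is '$root'"
        rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: password logins and root logins are disabled"
    return $rc
}

for f in "$WEAK_SSHD_CONFIG" "$HARDENED_SSHD_CONFIG"; do
    echo "== $f"
    check_sshd_config "$f" || echo "-> $f needs attention"
done
```

On a real host, point `check_sshd_config` at /etc/ssh/sshd_config; `sshd -T` prints the fully resolved configuration and is the authoritative check, this script only shows why a "fixed" file can still be weak.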

Tunnel X11 over ssh:

ssh -Y <user>@<server>

Send a mail on login

Run the script below from /etc/pam.d/common-session with pam_exec:
session optional pam_exec.so /usr/local/bin/

#!/bin/sh
# Mail the details of every login; run by pam_exec from common-session.
# pam_exec calls the script on session open AND close; only report the open.
[ "$PAM_TYPE" = "open_session" ] || exit 0
# Recipient: root (adjust to the mailbox that should receive the notices).
if [ "$PAM_SERVICE" ]
then
  {
    echo "User: $PAM_USER"
    echo "Remote Host: $PAM_RHOST"
    echo "Service: $PAM_SERVICE"
    echo "TTY: $PAM_TTY"
    echo "Date: $(date)"
    echo "Server: $(uname -a)"
    echo "."
    echo "."
    echo ""
    echo ""
  } | mail -s "$PAM_SERVICE login on $(hostname -s) for account $PAM_USER" root
fi
exit 0

Protect SSH against network attacks

sudo aptitude install fail2ban

List the jails and the banned clients

sudo fail2ban-client status
sudo fail2ban-client status sshd

Lift the ban on an IP for a jail

sudo fail2ban-client set sshd unbanip <ip>
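What the sshd jail does before it bans anyone is count failed logins per source address in the auth log. The script below redoes that counting by hand over a few constructed auth.log lines; it is an added example (not part of the original notes, and not fail2ban's own code). The log lines, the `SAMPLE_AUTH_LOG` file and the function names are made up for the example; fail2ban additionally applies a findtime window, which this version ignores:

```sh
#!/bin/sh
# Added example (not part of the original notes): the per-address counting
# that fail2ban's sshd jail performs, done over constructed auth.log lines.
# fail2ban bans an address after maxretry failures (default 5) within findtime;
# this version counts over the whole file and ignores the time window.

# Constructed sample log (documentation address ranges).
SAMPLE_AUTH_LOG=$(mktemp)
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:12 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:19 host sshd[2103]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:22 host sshd[2105]: Failed password for root from 203.0.113.7 port 51241 ssh2
Mar  3 10:01:25 host sshd[2107]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:02:01 host sshd[2110]: Failed password for alice from 198.51.100.4 port 40010 ssh2
Mar  3 10:02:09 host sshd[2112]: Accepted publickey for alice from 198.51.100.4 port 40012 ssh2
Mar  3 10:03:30 host sshd[2120]: Invalid user oracle from 192.0.2.9 port 33001
EOF
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT

# failed_logins_by_ip FILE
# Print "count ip" for every source address with at least one failed password,
# most failures first. The address is the word after "from" in the message,
# so "invalid user" and ordinary user lines are handled alike.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# candidates_for_ban FILE MAXRETRY
# Print the addresses that reached MAXRETRY failures, one per line.
candidates_for_ban() {
    failed_logins_by_ip "$1" | awk -v max="$2" '$1 + 0 >= max + 0 { print $2 }'
}

echo "Failed password attempts per source address:"
failed_logins_by_ip "$SAMPLE_AUTH_LOG"
echo "Would be banned with maxretry=5:"
candidates_for_ban "$SAMPLE_AUTH_LOG" 5
```

On a real host, run `failed_logins_by_ip /var/log/auth.log` to see who fail2ban is reacting to; compare with `fail2ban-client status sshd` above.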

With the iptables firewall

  • limit one address to 8 new connections per minute
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
  • flush the rules from time to time via cron to re-open (note that iptables -F flushes every rule of the filter table, not only these two, and that entries in the SSH recent list expire on their own once an address has been quiet for 60 seconds)
*/10 * * * * /sbin/iptables -F