SSH
SSH copy of a directory that is only readable by root on the remote side (sudo -S reads the password from stdin, which ssh forwards from your terminal):
ssh patoche@asterisk.nomblot.com sudo -S tar -czf - /var/lib/asterisk/sounds/ | tar -xzvf - -C Sounds
SSHFS: mount a remote filesystem over ssh
$ sshfs -o idmap=user user@hostname:/home/user ~/Remote
SSH tunnel to a MySQL server that only listens on localhost of the remote host (local port 10200 is forwarded to remote port 3306)
From your client system, run:
ssh -4 -Y -L 10200:localhost:3306 testlink.besancon.parkeon.com
SSH tunnel through system A to reach system B:80, which is only accessible from A (local port 10200 is forwarded to server-B:80 via server-A)
From your client system, run:
ssh -4 -Y -L 10200:server-B:80 server-A
SSH without password
First step: generate the keys on the client side. This creates your key pair (id_rsa and id_rsa.pub, or id_dsa and id_dsa.pub as in the transcript below) in the .ssh directory of your home directory. An empty passphrase makes ssh work without a password (be sure you really need this!).
client$ cd $HOME/.ssh
client$ ssh-keygen -b 1024 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/oalbiez/.ssh/id_dsa): <ret>
Enter passphrase (empty for no passphrase): <ret>
Enter same passphrase again: <ret>
Your identification has been saved in /home/oalbiez/.ssh/id_dsa.
Your public key has been saved in /home/oalbiez/.ssh/id_dsa.pub.
The key fingerprint is:
8f:b2:3f:16:41:2e:9e:bb:8a:27:9a:4c:cb:b0:31:ef oalbiez@ratp-albiez.besancon.parkeon.com
Warning: this method is not secure because your private key is stored in clear text on disk!
Second step: put the public key on the server side:
ssh-copy-id <user>@<server>
Or manually:
client$ scp id_dsa.pub <user>@<server>:.ssh
Log on to the server and:
server$ cd .ssh
server$ cat id_dsa.pub >> authorized_keys
You can now log on to the server without a password. It's a pretty good idea to protect your private key with restrictive permissions (readable by you only)...
Disable password authentication:
/etc/ssh/sshd_config --> PasswordAuthentication no
Forbid root from logging in:
/etc/ssh/sshd_config --> PermitRootLogin no
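An added check (not part of these notes) that the two directives above are really the effective global values in a given sshd_config: sshd uses the first occurrence of a keyword, keywords are case-insensitive, and lines inside a Match block are conditional, so only the section before the first Match is inspected. Assumes a POSIX sh with awk; on a live host, sshd -T remains the authoritative view (this script does not follow Include directives).

```shell
#!/bin/sh
# Audit the global PasswordAuthentication / PermitRootLogin values of an
# sshd_config file. Added example, not from the original notes.

# Print the global value of KEYWORD in FILE, or DEFAULT when it is not set.
# Rules applied: '#' lines are comments, the first occurrence of a keyword
# wins, keyword matching is case-insensitive, and parsing stops at the
# first "Match" block because everything after it is conditional.
sshd_global_value() {
    file=$1; keyword=$2; default=$3
    value=$(awk -v kw="$(printf '%s' "$keyword" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }           # blank line or comment
        tolower($1) == "match" { exit }         # conditional section starts
        tolower($1) == kw { print $2; exit }    # first occurrence wins
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# Return 0 when both hardening directives are in effect, 1 otherwise.
# Defaults are those of a modern OpenSSH: PasswordAuthentication yes,
# PermitRootLogin prohibit-password (older releases defaulted to yes).
audit_sshd_config() {
    rc=0
    pa=$(sshd_global_value "$1" PasswordAuthentication yes)
    prl=$(sshd_global_value "$1" PermitRootLogin prohibit-password)
    [ "$pa" = no ] || { echo "WARN: PasswordAuthentication is '$pa' (want no)"; rc=1; }
    [ "$prl" = no ] || { echo "WARN: PermitRootLogin is '$prl' (want no)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: password logins and root logins are disabled"
    return $rc
}

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```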
Tunnel X11 over ssh:
ssh -Y <user>@<server>
Send a mail on login
Add this line to /etc/pam.d/common-session:
session optional pam_exec.so /usr/local/bin/send-mail-on-ssh-login.sh
and create the (executable) script /usr/local/bin/send-mail-on-ssh-login.sh:
#!/bin/sh
# pam_exec passes the PAM items as environment variables
if [ "$PAM_SERVICE" ]
then
  {
    echo "User: $PAM_USER"
    echo "Remote Host: $PAM_RHOST"
    echo "Service: $PAM_SERVICE"
    echo "TTY: $PAM_TTY"
    echo "Date: `date`"
    echo "Server: `uname -a`"
    echo "."
    echo "."
    echo ""
    echo ""
  } | mail -s "$PAM_SERVICE login on `hostname -s` for account $PAM_USER" me@gmail.com
fi
exit 0
Protect SSH against network attacks
With fail2ban
sudo aptitude install fail2ban
List the jails and the banned clients
sudo fail2ban-client status
sudo fail2ban-client status sshd
Lift the ban on an IP for a jail
sudo fail2ban-client set sshd unbanip 1.2.3.4
With the iptables firewall
Limit to 8 new connections per minute
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
sudo iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 8 --rttl --name SSH -j DROP
Flush the rules from time to time via cron to re-open (note that -F also removes the two rate-limit rules above, so they have to be added again afterwards)
*/10 * * * * /sbin/iptables -F