Re: reverse ssh

2014-07-23 Thread Erez D
1. only refer to non-privileged ports
2. btw, ssh will warn you if the server cert changes, so if someone
takes the port for its ssh server, you will know

i'll still stick with a non standard privileged port.

On Tue, Jul 22, 2014 at 3:47 PM, Guy Gold guy1g...@gmail.com wrote:



___
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il


Re: reverse ssh

2014-07-23 Thread Erez D
and i forgot:
what if my router redirects any port to my computer's port 22 ?
this can be a non-privileged port

if only i have access to the router settings ...

On Wed, Jul 23, 2014 at 11:44 AM, Erez D erez0...@gmail.com wrote:


Re: reverse ssh

2014-07-23 Thread vordoo

  
  
On 2014-07-22 20:35, Oleg Goldshmidt wrote:
 I am not arguing for or against using a non-standard port. Just
 pointing out that "non-standard" and "non-privileged" are two different
 things.

Yep, but now you are back to scanning only 1024 ports, instead of
65536, is there any gain?

On a PC/SOHO setup -- where most data is "held by the user anyway" --
user & root are "closer", so you probably gain security by a
random high port. In a large network maybe not.
(setups in between have some hard thinking to do, and/or test with a
honey-pot what is mostly scanned :-)

You can always port forward a high non-privileged port on a router
to 22 on the server.

see:
http://stackoverflow.com/questions/10182798/why-are-ports-below-1024-privileged/
  




Re: reverse ssh

2014-07-22 Thread Erez D
although port scanners can scan every port, it takes x 65536 times more
than scanning only port 22
and there are enough available port 22s,

so using a non-standard port is a smart move
as long as it is not the only one.


On Tue, Jul 22, 2014 at 3:07 AM, Amos Shapira amos.shap...@gmail.com
wrote:



Re: reverse ssh

2014-07-22 Thread Guy Gold

 On 22 July 2014 00:52, Guy Gold guy1g...@gmail.com wrote:

 Hi Erez,

 On Mon, Jul 21, 2014 at 4:18 AM, Erez D erez0...@gmail.com wrote:


 it is not even a dynamic ip, it is a private ip behind a dynamic one


 Then,  what Eliyahu wrote should serve you a perfect solution.


Although this can become a flame-war :)

Source:
https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

==Begin quote ==

But there are more reasons why this is a bad idea and one of the most
important reasons has to do with a bit of the (Linux) way of handling TCP/IP
ports. When you are logged onto a system as a non-root user (anyone not
being uid 0), you cannot create a listening TCP or UDP port below 1024. This
is because port numbers below 1024 are so-called privileged ports and can
only be opened by root or processes that are running as root. So for
instance, when your webserver (apache, nginx etc) will start, it will do so
as the privileged root user in order to open up a listening connection to
port 80 (the port that by default will be used for HTTP traffic). Now, as
soon as the port is opened and everything that needs to be done as root is
done, the webserver will fall back to a non-privileged user (either the
www-data, apache, or nobody user). From that point, when something bad is
happening, it is only limited to the rights that that user has.

Now, back to SSH: when we start SSH on port 22, we know for a fact that
this is done by root or a root-process since no other user could possibly
open that port. But what happens when we move SSH to port ? This port
can be opened without a privileged account, which means I can write a
simple script that listens to port  and mimics SSH in order to capture
your passwords. And this can easily be done with simple tools commonly
available on every linux system/server. So running SSH on a non-privileged
port makes it potentially LESS secure, not MORE. You have no way of knowing
if you are talking to the real SSH server or not. This reason, and this
reason alone makes it that you should NEVER EVER use a non-privileged port
for running your SSH server.
==End quote==

Reading the whole page is recommended.

Though, some of Joshua Thijssen's points can be argued against (not by
myself, but I'm sure some folks can find some caveats in his article). I
tend to agree with what he points out.

I do acknowledge that SBO (security by...) divides quite a bit sysadmins
apart. Some live by it, and some, well, ridicule it, and for them, seeing
another sysadmin use such method is a tell sign of anachronism.  The beauty
is that we can all choose, and what is important is  being informed.

-- 
Guy Gold


Re: reverse ssh

2014-07-22 Thread Oleg Goldshmidt
Guy Gold guy1g...@gmail.com writes:

 https://www.adayinthelifeof.nl/2012/03/12/why-putting-ssh-on-another-port-than-22-is-bad-idea/

Should be titled, Why Putting SSH on a Non-Privileged Port is a Bad
Idea.

Nothing there is relevant to SSH on port 234 (just picking something
easy to remember and not in /etc/services) or similar.

[NB: The poor corporate sysadmin who does not want to deal with every
machine running SSH on a different port - another problem mentioned
there - is a non-issue. In a corporate setting, if a non-standard port
is chosen for anything at all, it will be uniform and documented. And
not every Tom, Dick, and Harry will have root access to modify
sshd_config without adult supervision.]

I am not arguing for or against using a non-standard port. Just pointing
out that non-standard and non-privileged are two different things.

-- 
Oleg Goldshmidt | p...@goldshmidt.org



Re: reverse ssh

2014-07-21 Thread Erez D
On Sun, Jul 20, 2014 at 11:54 PM, E.S. Rosenberg
esr+linux...@g.jct.ac.il wrote:
 I think we need to reset here for a minute...

 Is your goal to connect to a machine with a IP on a private range where
 there exists a gateway machine or router with a (known) public IP?
 In that case the solution is very simple: port-forwarding
 However I would not do that without also running fail2ban and maybe also
 fwknop so that evil SSH traffic would have a harder time at getting at my
 server.

 Or is your goal to connect to a machine reachable via a dynamic IP and you
 have a machine with a fixed IP that you can route via?
 In that case solutions are more complex, most of the solutions above related
 to that scenario I think.
it is not even a dynamic ip, it is a private ip behind a dynamic one

 So please clear up for us what your exact goal is.
 Regards,
 Eliyahu - אליהו


 2014-07-20 18:46 GMT+03:00 Erez D erez0...@gmail.com:

 On Sun, Jul 20, 2014 at 3:36 PM, E.S. Rosenberg e...@g.jct.ac.il wrote:
  You can have something running on the machine you want to SSH to that
  updates the machine with a fixed IP what its' IP is and have a firewall
  rule
  or some other way to redirect specific traffic like for instance traffic
  to
  TCP:2 from that machine to the IP that it was updated to be
 
 still do not understand what you mean, and how it will let me connect
 to a machine with a private ip
 
  2014-07-20 14:33 GMT+03:00 Erez D erez0...@gmail.com:
 
  On Sun, Jul 20, 2014 at 1:30 PM, Yedidyah Bar David
  linux...@didi.bardavid.org wrote:
   If you just want an ssh connection you can simply redirect connection
   attempts to some port on the
   Internet-accessible machine to port 22 on the private-ip one - using
   whatever tool that fits you best -
   iptables, xinetd, redir, probably many others.
   --
   Didi
 
  i do not understand what do you mean
  
  
   2014-07-20 13:31 GMT+03:00 Erez D erez0...@gmail.com:
  
   looks a little complicated - extra ssh server, firewall with port
   knocking
   all this for a ssh connection ...
  
   On Sun, Jul 20, 2014 at 11:38 AM, Rabin Yasharzadehe
   ra...@rabin.io
   wrote:


Re: reverse ssh

2014-07-21 Thread Guy Gold
Hi Erez,

On Mon, Jul 21, 2014 at 4:18 AM, Erez D erez0...@gmail.com wrote:


 it is not even a dynamic ip, it is a private ip behind a dynamic one


Then,  what Eliyahu wrote should serve you a perfect solution.

Also, there's not much advantage in the point of hiding behind the
security by obscurity method (i.e serve SSH at port 9000. or whichever).
The increase to security by using  that method is in doubt - when taking
under consideration  tools used by bad guys (and girls) nowadays .
If you must do it, that's fine, but don't let it be a reason for not using
much better methods, as Eliyahu suggested.

-- 
Guy Gold


Re: reverse ssh

2014-07-21 Thread Amos Shapira
On 22 July 2014 00:52, Guy Gold guy1g...@gmail.com wrote:


From personal experience - there is a huge advantage in picking a random
port for external SSH (and external HTTP). I always had port scanners on my
standard, dynamic ISP ADSL addresses until I moved them to different
non-standard ports. Since then my logs are clean, and I'm talking about
over 5 years of experience (I don't remember exactly when I did the switch).

This is of course not the only measure I take for security. I still treat
them as vulnerable etc. But after years of not having a single probe on the
new ports I have to say that it removed the threat of pretty much 100% of
the probes on my home network.

Perhaps they are more thorough on static ip addresses, known targets etc.,
but in my experience this is a very successful step.








-- 
http://www.linkedin.com/in/gliderflyer


Re: reverse ssh

2014-07-21 Thread E.S. Rosenberg
Any decent port scanner (nmap for instance) will find the SSH service
regardless of the port it's on, while the likelihood of a firewall blocking
access to random non-standard ports is very high.

I use fail2ban to prevent brute forcing and generally also try to have some
form of port knocking (knockd and fwknop are good options) to prevent
initial access to the SSH server to unidentified machines.


2014-07-22 1:11 GMT+03:00 Amos Shapira amos.shap...@gmail.com:



Re: reverse ssh

2014-07-21 Thread Amos Shapira
Whatever.

I'm speaking from personal experience that I didn't find this necessary.



On 22 July 2014 08:21, E.S. Rosenberg esr+linux...@g.jct.ac.il wrote:






-- 
http://www.linkedin.com/in/gliderflyer


reverse ssh

2014-07-20 Thread Erez D
hello

i have a linux machine with a private ip connected to the internet
i have a public ip and need to ssh to the linux box

any tools for that ?



Re: reverse ssh

2014-07-20 Thread Lior Kaplan
ssh itself ?

http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/

Kaplan


On Sun, Jul 20, 2014 at 11:36 AM, Erez D erez0...@gmail.com wrote:



Re: reverse ssh

2014-07-20 Thread Erez D
On Sun, Jul 20, 2014 at 10:39 AM, Lior Kaplan kaplanl...@gmail.com wrote:
 ssh itself ?

 http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/
nice, however this requires me to give access to my server, which i do
not want ...
(or, can i give people permission to ssh to my server only for reverse
tunnels and no shell ?)




Re: reverse ssh

2014-07-20 Thread Lior Kaplan
Didn't check it, but logging in with a user who has /bin/true might do the
trick.

Kaplan


On Sun, Jul 20, 2014 at 12:03 PM, Erez D erez0...@gmail.com wrote:



Re: reverse ssh

2014-07-20 Thread vordoo

  
  

On 2014-07-20 12:03, Erez D wrote:
 On Sun, Jul 20, 2014 at 10:39 AM, Lior Kaplan kaplanl...@gmail.com wrote:
  ssh itself ?

  http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/
 nice, however this requires me to give access to my server, which i do
 not want ...
 (or, can i give people permission to ssh to my server only for reverse
 tunnels and no shell ?)

Yes you can:
http://stackoverflow.com/questions/8021/allow-user-to-set-up-an-ssh-tunnel-but-nothing-else
http://serverfault.com/questions/56566/ssh-tunneling-only-access

But, as it's a security issue, make sure you know what you are
doing!

:-)
  




Re: reverse ssh

2014-07-20 Thread Erez D
On Sun, Jul 20, 2014 at 11:06 AM, Lior Kaplan kaplanl...@gmail.com wrote:
 Didn't check it, but login in with a user who has /bin/true might do the
 trick.
you are correct, it works.
however it is still a security risk, as this means the client may
listen on unused port ...




Re: reverse ssh

2014-07-20 Thread Rabin Yasharzadehe
you can add a port-knocking tool like fwknop to add a dynamic rule to
forward your connection into the private machine.


--
Rabin


On Sun, Jul 20, 2014 at 12:16 PM, Erez D erez0...@gmail.com wrote:



Re: reverse ssh

2014-07-20 Thread geoffrey mendelson

On 7/20/2014 12:03 PM, Erez D wrote:

On Sun, Jul 20, 2014 at 10:39 AM, Lior Kaplan kaplanl...@gmail.com wrote:

ssh itself ?

http://www.thegeekstuff.com/2013/11/reverse-ssh-tunnel/

nice, however this requires me to give access to my server, which i do
not want ...
(or, can i give people permission to ssh to my server only for reverse
tunnels and no shell ?)
What I did is to run a second SSH server listening on a port that no one 
would expect SSH connections and ONLY allow connections with key 
exchanges. So someone could connect to that port randomly or with a 
scan, but would be unable to do anything with it.


The regular SSH server, which ran on port 22, allowed much looser 
connections, root connections, etc, but port 22 was NOT forwarded out 
the firewall. This allowed me to do RSYNC, etc locally as root or a user 
with no restrictions.

Once the SSH connection is established, it can be used to tunnel anything.

Geoff.

--
Geoffrey S. Mendelson 4X1GM/N3OWJ
Jerusalem Israel.


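Added example, not code from any message in this thread: what a forwarding-only account looks like once the points above are combined, namely Kaplan's no-shell user, Erez's objection that such a client can still listen on any unused port, and Geoffrey's key-only second sshd on an unexpected port. The account name "tunnel", port 2200 for the second instance, loopback port 2222 as the landing point of the reverse forward and the output directory are made-up values. One caveat on dates: PermitListen (sshd_config) and permitlisten (authorized_keys) only appeared in OpenSSH 7.8 in 2018, well after this thread, so on the servers being discussed in 2014 a forwarding-only user really could bind whatever free port it liked, which is exactly Erez's point.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds the files for a
# forwarding-only SSH account ("tunnel", hypothetical) on the public host:
# a second sshd instance (Geoffrey's layout) that accepts keys only and lets
# that account do nothing except open one reverse forward.
# Files go under $OUT (default: a temp dir), never straight into /etc.

OUT=${OUT:-$(mktemp -d)}

# Config for the second sshd instance.  Check and start it with:
#   /usr/sbin/sshd -t -f "$OUT/sshd_tunnel_config"   # syntax check
#   /usr/sbin/sshd -f "$OUT/sshd_tunnel_config"      # run it
write_tunnel_config() {
    cat > "$OUT/sshd_tunnel_config" <<'EOF'
Port 2200
HostKey /etc/ssh/ssh_host_ed25519_key
PidFile /run/sshd_tunnel.pid
AllowUsers tunnel
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Only remote (-R) forwards, and only onto port 2222.  GatewayPorts no
# pins that listener to loopback whatever bind address the client asks for.
# These three lines are the answer to "the client may listen on an unused port".
AllowTcpForwarding remote
PermitListen 2222
GatewayPorts no
# Nothing else: no pty, no agent, no X11, no tun devices.
PermitTTY no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# What Kaplan's "/bin/true as login shell" gives on its own: no shell, but
# every kind of forwarding still allowed.  Kept here as the weak variant.
write_weak_config() {
    cat > "$OUT/sshd_weak_config" <<'EOF'
Port 2200
AllowUsers tunnel
PasswordAuthentication no
EOF
}

# authorized_keys line for the account: the same limits again, per key, so a
# second key added later cannot quietly widen what the account may do.
# $1 = public key as "ssh-ed25519 AAAA... comment".
authorized_key_line() {
    printf 'restrict,port-forwarding,permitlisten="2222" %s\n' "$1"
}

# Static check: every directive a forwarding-only instance needs is present.
# Returns 0 if all are found, 1 (naming the first missing one) otherwise.
check_tunnel_config() {
    cfg=$1
    for want in 'PasswordAuthentication no' 'AllowTcpForwarding remote' \
                'PermitListen ' 'GatewayPorts no' 'PermitTTY no' \
                'AllowAgentForwarding no' 'X11Forwarding no'; do
        grep -qi "^[[:space:]]*$want" "$cfg" || { echo "missing: $want" >&2; return 1; }
    done
    return 0
}

# On the private box the client side is then only (public.example is hypothetical):
#   ssh -N -p 2200 -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
#       -R 2222:127.0.0.1:22 tunnel@public.example
# and the admin reaches the box from the public host with: ssh -p 2222 user@127.0.0.1
```

check_tunnel_config is a coarse grep; `sshd -T -f "$OUT/sshd_tunnel_config"` prints the effective values and is the authoritative check before anything is copied into place. The account's login shell can still be /usr/sbin/nologin or /bin/true as suggested above; with `-N` on the client no session is ever opened, so the shell never runs.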


Re: reverse ssh

2014-07-20 Thread Moish


On 20/07/2014 12:45, geoffrey mendelson wrote:

What I did is to run a second SSH server listening on a port that no 
one would expect SSH connections and ONLY allow connections with key 
exchanges. So someone could connect to that port randomly or with a 
scan, but would be unable to do anything with it.


The regular SSH server, which ran on port 22, allowed much looser 
connections, root connections, etc, but port 22 was NOT forwarded out 
the firewall. This allowed me to do RSYNC, etc locally as root or a 
user with no restrictions.
Once the SSH connection is established, it can be used to tunnel 
anything.


Geoff.


Well, that's the essence of port knocking, isn't it :)

--
Moish




Re: reverse ssh

2014-07-20 Thread Erez D
looks a little complicated - extra ssh server, firewall with port knocking
all this for an ssh connection ...

On Sun, Jul 20, 2014 at 11:38 AM, Rabin Yasharzadehe ra...@rabin.io wrote:
 you can add a port-knocking tool like fwknop to add a dynamic rule to
 forward your connection into the privet machine.

 --
 Rabin




Re: reverse ssh

2014-07-20 Thread Yedidyah Bar David
If you just want an ssh connection you can simply redirect connection
attempts to some port on the Internet-accessible machine to port 22 on
the private-ip one - using whatever tool that fits you best - iptables,
xinetd, redir, probably many others.
-- 
Didi


2014-07-20 13:31 GMT+03:00 Erez D erez0...@gmail.com:

 looks a little complicated - extra ssh server, firewall with port knocking
 all this for a ssh connection ...



Re: reverse ssh

2014-07-20 Thread Erez D
On Sun, Jul 20, 2014 at 1:30 PM, Yedidyah Bar David
linux...@didi.bardavid.org wrote:
 If you just want an ssh connection you can simply redirect connection
 attempts to some port on the
 Internet-accessible machine to port 22 on the private-ip one - using
 whatever tool that fits you best -
 iptables, xinetd, redir, probably many others.
 --
 Didi

I do not understand what you mean.




Re: reverse ssh

2014-07-20 Thread E.S. Rosenberg
Re: all
You can have something running on the machine you want to SSH to that
updates the machine with a fixed IP what its IP is, and have a firewall
rule or some other way to redirect specific traffic, like for instance
traffic to TCP:2 from that machine, to the IP that it was updated to be.


2014-07-20 14:33 GMT+03:00 Erez D erez0...@gmail.com:

 On Sun, Jul 20, 2014 at 1:30 PM, Yedidyah Bar David
 linux...@didi.bardavid.org wrote:
  If you just want an ssh connection you can simply redirect connection
  attempts to some port on the
  Internet-accessible machine to port 22 on the private-ip one - using
  whatever tool that fits you best -
  iptables, xinetd, redir, probably many others.
  --
  Didi

 i do not understand what do you mean
 
 


Re: reverse ssh

2014-07-20 Thread Erez D
On Sun, Jul 20, 2014 at 3:36 PM, E.S. Rosenberg e...@g.jct.ac.il wrote:
 You can have something running on the machine you want to SSH to that
 updates the machine with a fixed IP what its' IP is and have a firewall rule
 or some other way to redirect specific traffic like for instance traffic to
 TCP:2 from that machine to the IP that it was updated to be

still do not understand what you mean, and how it will let me connect
to a machine with a private ip



Re: reverse ssh

2014-07-20 Thread E.S. Rosenberg
I think we need to reset here for a minute...

Is your goal to connect to a machine with an IP on a private range where
there exists a gateway machine or router with a (known) public IP?
In that case the solution is very simple: port-forwarding
However I would not do that without also running fail2ban and maybe also
fwknop so that evil SSH traffic would have a harder time at getting at my
server.

Or is your goal to connect to a machine reachable via a dynamic IP and you
have a machine with a fixed IP that you can route via?
In that case solutions are more complex, most of the solutions above
related to that scenario I think.

So please clear up for us what your exact goal is.
Regards,
Eliyahu - אליהו


2014-07-20 18:46 GMT+03:00 Erez D erez0...@gmail.com:

 On Sun, Jul 20, 2014 at 3:36 PM, E.S. Rosenberg e...@g.jct.ac.il wrote:
  You can have something running on the machine you want to SSH to that
  updates the machine with a fixed IP what its' IP is and have a firewall
 rule
  or some other way to redirect specific traffic like for instance traffic
 to
  TCP:2 from that machine to the IP that it was updated to be
 
 still do not understand what you mean, and how it will let me connect
 to a machine with a private ip
 
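An added example of the "just forward a port on the gateway" answer that Didi gave earlier (iptables, xinetd, redir) and that Eliyahu repeats above as the simple case with a known public IP. It is not code from either of them or from the thread. It shows the iptables form: DNAT one public port on the Internet-facing gateway to port 22 on the private box, allow only the admin's source network through, throttle new connections per source, and take the whole thing out again. Interface eth0, public port 2200, private box 192.168.1.10 and admin network 203.0.113.0/24 are made-up values. fail2ban, as Eliyahu suggests, belongs on the private box where the authentication failures are logged; fwknop would sit in front of the PREROUTING rule and is not shown.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT-based port forward for SSH on a
# Linux gateway.  All addresses and interface names below are hypothetical.
IPT=${IPT:-iptables}                    # IPT=echo prints the rules instead of applying them
WAN_IF=${WAN_IF:-eth0}                  # Internet-facing interface of the gateway
PUB_PORT=${PUB_PORT:-2200}              # public port; unusual only to cut scanner noise
LAN_HOST=${LAN_HOST:-192.168.1.10}      # the private-IP box running sshd on port 22
ADMIN_NET=${ADMIN_NET:-203.0.113.0/24}  # the only source allowed to use the forward

# Packets must be allowed to cross the gateway at all.
enable_forwarding() {
    sysctl -w net.ipv4.ip_forward=1
}

# Add (-A) or delete (-D) the rule set.  Every rule is scoped to this one
# forward, so rollback cannot remove anything else, and both directions use
# identical match arguments, so one function serves install and rollback.
ssh_forward_rules() {
    act=$1
    # 1. nat/PREROUTING: rewrite the destination on arrival.  Replies are
    #    un-NATed by conntrack, so no SNAT is needed as long as LAN_HOST sends
    #    its return traffic back through this gateway.
    $IPT -t nat "$act" PREROUTING -i "$WAN_IF" -p tcp --dport "$PUB_PORT" \
        -s "$ADMIN_NET" -j DNAT --to-destination "$LAN_HOST:22"
    # 2. FORWARD (policy assumed DROP): pass the packets of flows already
    #    accepted, in both directions.
    $IPT "$act" FORWARD -i "$WAN_IF" -p tcp -d "$LAN_HOST" --dport 22 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    $IPT "$act" FORWARD -o "$WAN_IF" -p tcp -s "$LAN_HOST" --sport 22 \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # 3. New connections: count per source address and drop the sixth within
    #    a minute, so a brute-force run stalls at the gateway; fail2ban on
    #    LAN_HOST still sees and bans the authentication failures that get through.
    $IPT "$act" FORWARD -i "$WAN_IF" -p tcp -d "$LAN_HOST" --dport 22 -s "$ADMIN_NET" \
        -m conntrack --ctstate NEW -m recent --name sshfwd --set
    $IPT "$act" FORWARD -i "$WAN_IF" -p tcp -d "$LAN_HOST" --dport 22 -s "$ADMIN_NET" \
        -m conntrack --ctstate NEW -m recent --name sshfwd --update --seconds 60 --hitcount 6 -j DROP
    $IPT "$act" FORWARD -i "$WAN_IF" -p tcp -d "$LAN_HOST" --dport 22 -s "$ADMIN_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
}

forward_ssh()   { ssh_forward_rules -A; }
unforward_ssh() { ssh_forward_rules -D; }

# Show what is in place (after forward_ssh, and to confirm unforward_ssh).
show_ssh_forward() {
    $IPT -t nat -S PREROUTING
    $IPT -S FORWARD
}
```

The admin then connects with `ssh -p 2200 user@gateway.example` (hypothetical name) and lands on the private box's own sshd, so all of that box's authentication settings still apply; the DNAT port on the gateway changes nothing about who may bind port 22 on the box itself. Run with `IPT=echo sh -c '. ./fwd.sh; forward_ssh'` first to read the rules before applying them.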