OpenSUSE Linux Rants

OpenSUSE Linux Tips, tricks, how-tos, opinions, and news

October 21, 2009

SSH Tip for the Day

by @ 8:14 am. Filed under bash, command-line, Linux tips, ssh tips

When you are forwarding ports through a tunnel, either locally or remotely (i.e., with the -L or -R switches), you can modify the session in real time. After you start the session, press SHIFT + ` + c (the ` key also carries ~, and the tilde is the actual character sent to the session; ssh only recognizes this escape sequence at the beginning of a line). If it doesn’t work the first time, press ENTER a couple of times and try again. Once you get the “ssh>” prompt, type “?” for the list of commands you can enter. Here’s an example session:

[0908][scott@dev:~]$ ssh -R 8080:suseblog.com:8080 scott@suseblog.com
Password:
Last login: Thu Oct 15 11:59:43 2009 from 67.214.232.162
Have a lot of fun...
[1109][scott@mail:~]$ [PRESS SHIFT + ` + c HERE]
ssh> ?
Commands:
      -L[bind_address:]port:host:hostport    Request local forward
      -R[bind_address:]port:host:hostport    Request remote forward
      -KR[bind_address:]port                 Cancel remote forward
[PRESS ENTER HERE]
[1110][scott@mail:~]$ [PRESS SHIFT + ` + c HERE]
ssh> -R8080:letslearnlinux.com:1080
Forwarding port.

[1110][scott@mail:~]$

OpenSSH has got to be one of the freakin’ sweetest tools *EVAR*. Anyway, enjoy!

October 16, 2009

[Linux] – Socks Proxy in One Command

by @ 3:54 pm. Filed under command-line, Linux tips, ssh tips

If you have difficulty browsing on your Linux workstation at work, say, because of filters and such, this will make your day. The one other thing you need is a Linux server that is outside your network at work. Once you have this, you can use ssh to create a SOCKS proxy. No root privileges are needed; type in this command:

ssh -D 8080 <username>@<host>

Replace <username> with your username and <host> with your remote Linux server host name. Once that’s successful, pop open Firefox. Go to the EDIT Menu => Preferences. Select the ADVANCED button, then go to the “Network” tab. Click the “Settings” button. Select the “Manual Proxy Configuration” radio button. In the SOCKS Host, put in either the IP or the domain name of your remote Linux box. In the port, put in 8080, as that’s the one we used.

Click “OK” and close everything (except firefox). You should now be able to browse wherever your little heart desires.

One thing to note: name-server (DNS) queries are NOT proxied. So if your admins are looking at the name server lookup requests, you could still get nailed. Anyway, pretty neat little thing to know about ssh. Not sure that I’ve ever seen this capability on a Win32 platform. Yet another one of the many reasons that I really enjoy Linux.

Have a totally spectacular weekend.

July 16, 2009

SSH Attack Foghorn

by @ 6:20 am. Filed under bash, General Linux, Linux tips, ssh tips, sweet tools, Work-Related

I don’t like it when people try and hack my web servers. To make myself aware of people trying to access my ssh daemon, I wrote me a little script. Yup, I’m certainly aware of DenyHosts. Notwithstanding, in the hopes that this script may find use elsewhere, I post it here. Behold, enjoy, and chuckle a bit at how much better you could write it. Then, let me know how you’d improve it:

#!/bin/sh
# Mail the previous minute's sshd "invalid user" attempts, if there were any.
LOGFILE=/root/hack_attempts
# syslog timestamp prefix for one minute ago, e.g. "Jul 16 06:19:"
PATTERN="^$(date --date="1 minute ago" "+%b %e %H:%M:")"
tail -n 1000 /var/log/messages | grep "$PATTERN" | grep sshd | grep -i "invalid user" | grep " from " > "$LOGFILE"
# -s: the file exists and is not empty
if [ -s "$LOGFILE" ] ; then
	echo "See the attached log for details" | mailx -a "$LOGFILE" -s "Possible hack attempt" YOUREMAIL@YOURDOMAIN.COM
fi
rm -f "$LOGFILE"

Copy it to your /root folder. Name it something cool like ‘ssh_foghorn’, and chmod +x it to make it executable. Put it in your /etc/crontab file to run once every minute. Make sure you change the log file path (/var/log/messages in the script) to whatever your distro uses. And change the email address to your own. Doesn’t cure cancer, but for 8 lines of code, it does what it needs to.

Again, I’m sure there are better ways to do this, so let’s hear ’em!
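As an added example (not the post's own script), here is the same “invalid user” filter written as shell functions that take a log file and a syslog timestamp prefix as arguments, so the matching can be exercised against a few constructed log lines instead of /var/log/messages. It goes one step beyond the script by also listing the distinct source addresses, which is the first thing you want to see before deciding whether to block anything. The sample lines, the host name mail and the addresses (from the documentation ranges) are all made up; the script name ssh_foghorn is the one the post suggests.

```shell
#!/bin/sh
# Added example, not the blog's script: the foghorn's "invalid user" filter
# as functions that can be run against any log file and timestamp prefix.

# Print sshd "invalid user" lines from log file $1 whose syslog timestamp
# starts with prefix $2 (e.g. "Jul 16 06:19:" for the minute cron fired).
sshd_invalid_users() {
    logfile=$1
    prefix=$2
    grep "^$prefix" "$logfile" | grep sshd | grep -i "invalid user" | grep " from "
}

# Number of matching lines; 0 means there is nothing to mail this minute.
count_sshd_invalid_users() {
    sshd_invalid_users "$1" "$2" | wc -l | tr -d ' '
}

# Distinct source addresses behind those lines, one per line, sorted.
sshd_invalid_user_sources() {
    sshd_invalid_users "$1" "$2" | sed -n 's/.* from \([0-9.]*\).*/\1/p' | sort -u
}

# The prefix the cron job would compute: the previous minute in syslog
# format (GNU date; %e pads single-digit days with a space, as syslog does).
last_minute_prefix() {
    date --date="1 minute ago" "+%b %e %H:%M:"
}

# Constructed sample log (host and addresses are made up; the addresses
# come from the documentation ranges).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jul 16 06:18:02 mail sshd[4121]: Invalid user oracle from 192.0.2.10
Jul 16 06:18:05 mail sshd[4121]: Failed password for invalid user oracle from 192.0.2.10 port 40122 ssh2
Jul 16 06:19:01 mail sshd[4130]: Invalid user test from 198.51.100.7
Jul 16 06:19:03 mail sshd[4130]: Invalid user admin from 198.51.100.7
Jul 16 06:19:40 mail sshd[4133]: Accepted publickey for scott from 203.0.113.5 port 51022 ssh2
Jul 16 06:19:41 mail cron[4140]: (root) CMD (/root/ssh_foghorn)
EOF

# Usage: pretend cron fired at 06:20, so the minute to report on is 06:19.
if [ "$(count_sshd_invalid_users "$SAMPLE_LOG" "Jul 16 06:19:")" -gt 0 ]; then
    echo "Possible hack attempt from:"
    sshd_invalid_user_sources "$SAMPLE_LOG" "Jul 16 06:19:"
fi
```

In a real cron job you would replace the sample file with the distro's sshd log (/var/log/messages as in the post; Debian-style systems use /var/log/auth.log and Red Hat-style ones /var/log/secure) and pass `$(last_minute_prefix)` as the prefix; a line like `* * * * * root /root/ssh_foghorn` in /etc/crontab runs it every minute as the post describes.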

March 18, 2008

ssh Without a Password

by @ 9:09 am. Filed under bash, command-line, Linux tips, ssh tips

If you use Linux for day-to-day computing, you likely use the secure shell, or ssh. If you are like me, you may grow weary of constantly having to type in passwords to access remote machines. Or maybe you have the perfect backup system, except that it uses ssh to transfer files, and requires you to type in a password (such as rsync or rdiff-backup). There is a way to access those machines without using a password. This technique should be used with care. I’d use it only on machines that I have access to, for example. You don’t want to set up passwordless access from a public machine to your production server, in other words. Use with caution.

The principle is that you generate a public and private key on the local machine. This will be whatever machine you are connecting from. You then transfer the public key to the remote machine. Then, when you ssh into the remote machine, it uses the keys to authenticate. You don’t type in a password, it just takes you straight to the shell prompt. How do we set this up?

Log into the machine you are going to connect from. Let’s say that your account is called ‘user’ and you are going to connect from a machine called ‘desktop’. Log in as ‘user’ on the ‘desktop’ machine and pull up a shell. Run this command. The text in square brackets is what you do, not what you type:

[0218][user@desktop:~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): [JUST PRESS ENTER HERE]
Enter passphrase (empty for no passphrase): [JUST PRESS ENTER HERE]
Enter same passphrase again: [JUST PRESS ENTER HERE]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
a5:25:c0:aa:fe:f3:9f:46:7a:23:e3:6e:10:ec:6f:d3 user@desktop
[0218][user@desktop:~]$

Your keys are generated. On that machine, view /home/user/.ssh/id_dsa.pub. You will see something like this:

ssh-dss [long base64 key string] user@desktop

What you need to do now is determine the remote machine you are going to log into. Then, decide what user you are going to log in as on that machine. We are going to log in as a user called ‘admin’ on a server called ‘server’. First, we will ssh into ‘server’ as ‘admin’. Then, edit the file located at ~/.ssh/authorized_keys2 (sshd reads both ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2 by default, so either name works). If it is not there, create it. All you need to do is paste the contents of the id_dsa.pub file from the ‘user’ account on the ‘desktop’ machine into that file for ‘admin’ on ‘server’.

For example:

I go to my desktop, log in as ‘user’. I run ‘ssh-keygen -t dsa’. It generates a ~/.ssh/id_dsa.pub file in my home directory.

I want to connect as ‘admin’ on a box called ‘server’. I ssh in normally as ‘admin’ into the ‘server’ machine. I edit the ~/.ssh/authorized_keys2 using my favorite text editor. I add the contents of the ~/.ssh/id_dsa.pub file from my desktop machine into the authorized_keys2 file on ‘server’. I then save and quit. I then close all connections to ‘server’. Then, I type ‘ssh admin@server’, and hit ENTER. It drops me straight to a shell prompt.

This is a nice way to access a machine without having to type in the password every time. Only do this from machines that only you or authorized personnel have access to. Otherwise, you could have a li’l security problem.
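An added example (not from the post) of the install step done by a small shell function rather than by hand: it creates ~/.ssh with the permissions sshd’s StrictModes requires (700 on the directory, 600 on the file), refuses to add a key that is already present, and lets you prefix the key with authorized_keys options. For the backup use the post mentions, `from=` pins the key to the desktop’s address and `command=` restricts what it may run, which is how you take the edge off a key with no passphrase. Current OpenSSH no longer accepts ssh-dss keys by default (`ssh-keygen -t ed25519` is the modern equivalent), so the placeholder uses the ed25519 type. The key line below is a constructed placeholder and not a real key; the demo directory, the address 192.0.2.10 and the `rdiff-backup --server` command are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not the blog's procedure: install a public key into an
# authorized_keys file the way sshd expects it, with optional key options.

# install_authorized_key SSH_DIR PUBKEY_LINE [OPTIONS]
#   SSH_DIR      the target account's ~/.ssh directory
#   PUBKEY_LINE  one line of id_*.pub ("type base64 comment")
#   OPTIONS      optional authorized_keys options, e.g. from="192.0.2.10"
# Prints "added" or "present"; returns 1 on a malformed key line.
install_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    options=$3
    keyfile="$ssh_dir/authorized_keys"

    # Key material is the second field; reject lines without one.
    key_blob=$(printf '%s\n' "$pubkey" | awk 'NF >= 2 { print $2 }')
    [ -n "$key_blob" ] || return 1

    # StrictModes (on by default) ignores the file unless ~/.ssh is 700
    # and authorized_keys is not group/world writable.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Idempotent: match on the key material, not on the comment or options.
    if grep -qF -- "$key_blob" "$keyfile"; then
        echo present
        return 0
    fi

    if [ -n "$options" ]; then
        printf '%s %s\n' "$options" "$pubkey" >> "$keyfile"
    else
        printf '%s\n' "$pubkey" >> "$keyfile"
    fi
    echo added
}

# Number of keys currently in SSH_DIR/authorized_keys.
count_authorized_keys() {
    grep -c -- '^' "$1/authorized_keys"
}

# Demo with a constructed placeholder key (NOT a real key) in a temp dir.
DEMO_SSH_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_SSH_DIR"' EXIT
DEMO_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYNOTREAL00000000000000000000 user@desktop"

# Backup key: only from the desktop (assumed address), only allowed to run
# the backup server side, and no forwarding or pty for anything else.
install_authorized_key "$DEMO_SSH_DIR" "$DEMO_KEY" \
    'from="192.0.2.10",command="rdiff-backup --server",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty'
```

Run it against the real account with `install_authorized_key "$HOME/.ssh" "$(cat id_dsa.pub)"` on ‘server’ after copying the .pub file over; the options string is optional, and a key with no options behaves exactly like the hand-pasted line in the post.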

July 14, 2007

Opening up the Wallet for OpenSSH

by @ 4:06 am. Filed under General Linux, General SUSE, How-To, ssh tips, SUSE Tips & Tricks

One of the greatest tools that has ever been invented in the networking/connectivity/protocol/technician world is OpenSSH. Please, if you have found OpenSSH to be useful, or at least worth $25, go to the main OpenSSH page and buy a T-Shirt from them. Stop and think for a second whether your very job has been made easier kind of like breathing air makes things easier, just by having OpenSSH available. If so, I implore you to at least make a small donation of any kind to these great folks. They have made my life so much better just by that one program.

This is the T-Shirt that I just bought from them.

Let me tell you why.

Well, if the fact that it makes my very job possible weren’t enough, there is another small reason. Believe me, it is so insignificant, you’d be better off reading a blog post written by a doorknob to a dead snail than continuing to read this.

Oh, man, we just couldn’t drop it, could we… ? Since you are still reading, I can only assume that somehow you are interested in what made me just buy a $25 T-Shirt from the OpenSSH folks.

*rolls eyes and sighs irritatedly* (it is 4:00 am and you are keeping me up you know)

I have a firewall at my place of employment. This firewall terminates latent connections originating from within the company network to any outside machine. This means that if I leave my ssh connections open for more than 4 minutes without typing something, they all get reset. This thing I do not appreciate. In the words of one great Dr. Seuss, “And we did not like it. Not one little bit.” I have hated this with some infinite amount of passion since the day I began work there, over a year ago, now.

Well tonight, I finally took 5.3 seconds and did a Google search on “ssh keepalive.” The very first page that came up suggested that I try something super easy. Create a file at $HOME/.ssh/config and put in it the line “ServerAliveInterval 60” (a client-side setting that sends a keepalive probe through the encrypted connection every 60 seconds), and this would keep my connection alive. Lo, and behold, I have had a connection open now for 8 hours without a single hiccup. That makes me so wonderfully excited that I could just give everyone on the entire planet $400.

Since obviously this is not possible, I decided that I would give the OpenSSH folks $25 because of my newfound happiness which they made possible by writing such a wonderfully cool application that makes my very livelihood possible.

August 23, 2006

Reverse Tunneling with SUSE Linux 10.1 and SSH

by @ 6:21 am. Filed under General SUSE, How-To, ssh tips, SUSE Tips & Tricks, Work-Related

So now, we can’t have personal computers on the company network. This “protects against viruses being introduced to the company network,” was the explanation given to me. Never mind that I am running Linux which isn’t susceptible to them, and certainly doesn’t perpetuate them. So my desktop is on the regular old class C company subnet (192.168.0.x), and my laptop has to be on the wireless network, which is on a completely separate subnet (192.168.1.x). Obviously, there is no way to route traffic between the two computers. So what do you do? Time to whip out the SSH tunnel, again. Only this time, it’s a reverse tunnel.

The idea before was that we set up a machine inside the network to forward traffic to a computer outside the network, which then sent it on somewhere else. This time, we set up a computer outside the network to forward traffic to a computer inside the network. Then, we just connect to that outside computer, and the traffic is automatically forwarded in to the inside computer.

As in my example, I set up a tunnel between my desktop machine on the 192.168.0.x subnet and my server. I told the server to forward all SSH connections that hit port 10000 to port 22 on the desktop computer. Then, I just SSH in to my server from my laptop, and my request actually ends up at my desktop computer. Because I’m using KDE and fish://, it’s essentially just like browsing a network fileshare on a local subnet, because Linux can do stuff like that.

Sounds exciting, and indeed it is. If you’d like to read the tutorial I used to set this all up, head on over here. Fun stuff, baby.

July 15, 2006

Filter piercing with Linux

by @ 7:15 am. Filed under General Linux, How-To, ssh tips, SUSE Tips & Tricks

The other day, I was given a challenge. My friend said to me, “I sure wish I knew how to get around this filter.” Of course, he was talking about a web content filtration system that was active on the network’s Internet connection. I thought about it for a second, looked around to see if anyone was listening, and whispered, “I can show you how to do that.”

What’s funny is that it is a one-line command, and uses the ssh command.

The idea is that you set up a tunnel between two computers. One is the computer that you are on, which is behind the filter (in a local network with the connection being filtered). The other computer is one accessible from the Internet to which you have ssh access. This might be your router box at home, or your web server, or whatever machine. As long as it is directly on the Internet and you can ssh into it.

The next thing you need is to know the hostname of the machine you are trying to access (which your filter is blocking). If this is a single webhost, you can just use that machine directly. If it is several webhosts, you are in a bit of a bind. This is because when you set up the tunnel, you can only forward the connection to a single host.

It’s probably a great time to start using examples. Alright, so I am on a machine which is in a local network. My machine will be called alpha. Now, I also have a router box at home. I am going to use this box to set up my tunnel. This machine is called homebox.

Now, I can create my ssh connection, but I still need to tell homebox to forward my HTTP requests to somewhere. The catch is that I can only tell it a single place. Therefore, if it is one webhost, I’m great. However, if there are multiple websites that I want to access, I would have to tell homebox to forward my HTTP requests to some kind of HTTP proxy server. Then, because the proxy server just forwards requests, it will be able to hit any and all websites, rather than just a single one.

I will call the proxy server notreal.proxyserver.com.

The cool part of the ssh tunnel is that I can tell the end on the local alpha machine to listen for connections. When something connects, that connection is forwarded to homebox, which is then forwarded to notreal.proxyserver.com, which makes the actual request to the site that we are trying to view. When the page is served, it first arrives at notreal.proxyserver.com, then gets sent to homebox, and finally arrives back at alpha.

Now, all we have to do is tell these machines which ports to do all this on, and we are SET! To do this, I will give you the syntax:

ssh -L [LOCAL PORT TO LISTEN ON]:[PROXY SERVER]:[PROXY SERVER PORT] [USERNAME]@[SSHSERVER]

OK, so my local port to listen on will be 8080. The proxy server is notreal.proxyserver.com. The proxy server port will be 8080. The username will obviously be a user that exists on your ssh server, which in this case is homebox. Thus, the final command line will look like this:

ssh -L 8080:notreal.proxyserver.com:8080 scott@homebox

Once you have that connection established, do not close the window. As long as that window is open, your tunnel is active.

All you have to do now is set the proxy server in your browser to 127.0.0.1 and port to 8080, and you will have access to whatever websites your heart desires.

Ain’t Linux cool?!

April 5, 2006

Run GUI apps remotely in SUSE Linux 10.0

by @ 6:04 am. Filed under ssh tips, SUSE Tips & Tricks

Would you like to run a graphical application remotely? This is natively possible in SUSE Linux 10.0. It consists of two steps: 1) Connect to the remote server with an ssh client, and 2) Run the program.

1. Connect to remote server via ssh. In a shell, start up an ssh session, including the “-X” parameter:

ssh -X [username]@[server]

ex: ssh -X smorris@novell.com

2. Run the program. Run the application you wish to view remotely. You can even run YAST graphically in this manner if you are logged into the machine as root:

/sbin/yast2

Behold the application appear on your desktop, running remotely:

Now, you can see that it is running remotely, because I am ssh’ed into a machine called ‘router’, and the title of the YAST window indicates that it is, in fact, running on a machine called ‘router’. So there’s your cool tip of the day. Isn’t SUSE cool?
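The tunnels in the posts above (the -D SOCKS proxy, the -L forward to a proxy, the -R reverse tunnel from the desktop, the ServerAliveInterval keepalive and the -X display forward) can all live in ~/.ssh/config, so each becomes a plain `ssh hostname`. The following is an added example and not from the blog; host names, users and ports are taken from the posts where they were given and are assumptions otherwise. One detail worth knowing when you point a browser at these: without a bind address, -D and -L listen only on the client’s own loopback, so the browser’s proxy host is 127.0.0.1 in both the SOCKS and the filter-piercing case, and a -R listener on the server is likewise reachable only from the server’s loopback unless GatewayPorts is enabled in its sshd_config. Comments go on their own lines because ssh rejects trailing text after a value.

```sshconfig
# Added example ~/.ssh/config (not from the blog); comments mark assumptions.

# Keepalive for every host: a client-side probe over the encrypted channel
# every 60 seconds, so an idle-connection firewall keeps seeing traffic.
# After 3 unanswered probes (the default) the client gives up.
Host *
    ServerAliveInterval 60
    ServerAliveCountMax 3

# SOCKS proxy post: `ssh -D 8080 <username>@<host>`.
# Browser SOCKS host is 127.0.0.1, port 8080. Host name is assumed.
Host socks
    HostName suseblog.com
    User scott
    DynamicForward 127.0.0.1:8080

# Filter piercing post: `ssh -L 8080:notreal.proxyserver.com:8080 scott@homebox`.
# Browser HTTP proxy is 127.0.0.1, port 8080.
Host homebox
    User scott
    LocalForward 127.0.0.1:8080 notreal.proxyserver.com:8080

# Reverse tunnel post, used from the desktop: server port 10000 leads back to
# the desktop's port 22. Reachable from the server itself; other hosts need
# GatewayPorts in the server's sshd_config. Host and user are assumed.
Host server-reverse
    HostName server
    User admin
    RemoteForward 127.0.0.1:10000 localhost:22

# GUI apps post: `ssh -X smorris@novell.com`. ForwardX11 (rather than
# ForwardX11Trusted) keeps remote X clients subject to the X security extension.
Host novell
    HostName novell.com
    User smorris
    ForwardX11 yes
```

With this file in place, `ssh socks`, `ssh homebox`, `ssh server-reverse` and `ssh novell` set up the corresponding tunnel without retyping the switches; the keepalive applies to all of them.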

Here’s another one: M$ is now claiming that it is not possible to totally recover from some malware. Dude, I’d jump ship now!

When I first started using Linux, I used the Gnome desktop. I did this only until I knew of any other option, the main one being KDE. Gnome is fine for some, just not for me. However, I do use a ton of Gnome-based apps, such as gaim, the GIMP, etc. Recently, KDE has enabled users to render Gnome apps to look like the KDE widget theme that the user has selected. Very nice. However, a new project has surfaced that will integrate the two desktop environments even more closely. I’d have to check, but I’m pretty sure that’s the coolest thing I’ve heard all day.

I’ve updated the Linux news page, so be sure and take a look at it. I may adjust a few more things, but if it happened in the Tech world, you’ll see it on that page.

