Comments on: Secure Remote Access from Your Desktop http://www.linux-mag.com/id/4523/ Open Source, Open Standards Sun, 06 Jul 2008 00:38:16 +0000 http://wordpress.org/?v=2.0.11 by: Indra Tjahjono http://www.linux-mag.com/id/4523/#comment-675 Wed, 12 Dec 2007 04:34:25 +0000 http://www.linux-mag.com/id/4523/#comment-675 Here is the script that I use to connect to my client. #!/bin/sh # $REMOTE_HOST is the name of the remote system CLIENT=linux.client.com # $REMOTE_PORT is the remote port number that will be used to tunnel # back to this system REMOTE_PORT=5000 # $COMMAND is the command used to create the reverse ssh tunnel COMMAND="ssh -N -R $REMOTE_PORT:localhost:22 $CLIENT" # Is the tunnel up? Perform two tests: # 1. Check for relevant process ($COMMAND) pgrep -f -x "$COMMAND" || $COMMAND # 2. Test tunnel by looking at "netstat" output on $CLIENT ssh $CLIENT netstat -an | egrep "tcp.*:$CLIENT.*LISTEN" \ > /dev/null 2>&1 if [ $? -ne 0 ] ; then pkill -f -x "$COMMAND" $COMMAND fi Here is the script that I use to connect to my client.

#!/bin/sh

# $REMOTE_HOST is the name of the remote system
CLIENT=linux.client.com

# $REMOTE_PORT is the remote port number that will be used to tunnel
# back to this system
REMOTE_PORT=5000

# $COMMAND is the command used to create the reverse ssh tunnel
COMMAND=”ssh -N -R $REMOTE_PORT:localhost:22 $CLIENT”

# Is the tunnel up? Perform two tests:

# 1. Check for relevant process ($COMMAND)
pgrep -f -x “$COMMAND” || $COMMAND

# 2. Test tunnel by looking at “netstat” output on $CLIENT
ssh $CLIENT netstat -an | egrep “tcp.*:$CLIENT.*LISTEN” \
> /dev/null 2>&1
if [ $? -ne 0 ] ; then
pkill -f -x “$COMMAND”
$COMMAND
fi

]]> by: yossis http://www.linux-mag.com/id/4523/#comment-674 Tue, 11 Dec 2007 07:31:14 +0000 http://www.linux-mag.com/id/4523/#comment-674 Thx All Very Useful Thx All Very Useful

]]> by: kuri0s http://www.linux-mag.com/id/4523/#comment-673 Mon, 10 Dec 2007 19:19:11 +0000 http://www.linux-mag.com/id/4523/#comment-673 Hi, About changing the port number... Is there a real threat in brute-force atacks trhough ssh? I mean if you have a strong md5 password, nobody knows your username and root access is denied... By the other side, unless you have tons of ports opened (which is the least probable in a secured system) you can figure out the ssh port in less than a minute. In my opinion, that is pointless. By the way, I use x11vnc -usepw -display :0 to stablish a tunneled vnc connection to my default KDM opened X-session. Thank you, very nice article. Hi,

About changing the port number… Is there a real threat in brute-force atacks trhough ssh? I mean if you have a strong md5 password, nobody knows your username and root access is denied… By the other side, unless you have tons of ports opened (which is the least probable in a secured system) you can figure out the ssh port in less than a minute. In my opinion, that is pointless.

By the way, I use

x11vnc -usepw -display :0

to stablish a tunneled vnc connection to my default KDM opened X-session.

Thank you, very nice article.

]]> by: wcw http://www.linux-mag.com/id/4523/#comment-672 Sat, 08 Dec 2007 06:01:54 +0000 http://www.linux-mag.com/id/4523/#comment-672 Thanks! It's very useful. Thanks! It’s very useful.

]]> by: John Little http://www.linux-mag.com/id/4523/#comment-671 Fri, 07 Dec 2007 13:48:23 +0000 http://www.linux-mag.com/id/4523/#comment-671 donatello, I am firewalled with masquerading using iptables. Most firewalls allow port forwarding. Simply forward the ssh port that you are using to the ssh server to which you want to connect. That way you can log into your network and then ssh to any of the other computers that you need to access. donatello,

I am firewalled with masquerading using iptables. Most firewalls allow port forwarding. Simply forward the ssh port that you are using to the ssh server to which you want to connect. That way you can log into your network and then ssh to any of the other computers that you need to access.

]]> by: geertvc http://www.linux-mag.com/id/4523/#comment-670 Fri, 07 Dec 2007 07:40:44 +0000 http://www.linux-mag.com/id/4523/#comment-670 Title of Figure Three should be: "How to configure a session in Putty", not "FreeNx". Next to this, it would have been nice if there was also explained how to set up a public/private key using Putty and Puttygen (the app from the Putty suite that allows you to generate both the private and public keys). Otherwise, nice article and overview! Title of Figure Three should be:

“How to configure a session in Putty”, not “FreeNx”.

Next to this, it would have been nice if there was also explained how to set up a public/private key using Putty and Puttygen (the app from the Putty suite that allows you to generate both the private and public keys).

Otherwise, nice article and overview!

]]> by: srart http://www.linux-mag.com/id/4523/#comment-669 Fri, 07 Dec 2007 03:38:55 +0000 http://www.linux-mag.com/id/4523/#comment-669 for you folks with brute force attacks on you ssh servers, try a nice little program called denyhosts it's a python program, very easy to setup, and it's aptitude (or apt-get) gettable from debian's main repository Description: an utility to help sys admins thwart ssh hackers DenyHosts is a program that automatically blocks ssh brute-force attacks by adding entries to /etc/hosts.deny. It will also inform Linux administrators about offending hosts, attacked users and suspicious logins. Syncronization with a central server is possible too. Differently from other software that do same work, denyhosts doesn't need support for packet filtering or any other kind of firewall in your kernel Tags: admin::configuring, admin::logging, implemented-in::python, interface::daemon, protocol::ssh, role::program, scope::utility, security::forensics for you folks with brute force attacks on you ssh servers, try a nice little program called denyhosts it’s a python program, very easy to setup, and it’s aptitude (or apt-get) gettable from debian’s main repository

Description: an utility to help sys admins thwart ssh hackers
DenyHosts is a program that automatically blocks ssh brute-force attacks by
adding entries to /etc/hosts.deny. It will also inform Linux administrators
about offending hosts, attacked users and suspicious logins.

Syncronization with a central server is possible too.

Differently from other software that do same work, denyhosts doesn’t need
support for packet filtering or any other kind of firewall in your kernel

Tags: admin::configuring, admin::logging, implemented-in::python,
interface::daemon, protocol::ssh, role::program, scope::utility,
security::forensics

]]> by: sigmon http://www.linux-mag.com/id/4523/#comment-668 Fri, 07 Dec 2007 02:34:35 +0000 http://www.linux-mag.com/id/4523/#comment-668 When I allow SSH into by Debian box every once in a while, it only takes 8 hours before the brute force attacks show up. I'd very very learly opening up 22. I like the idea of changing the port to something else. The bad guys will eventually find it, but if you only need it for a couple of days..... When I allow SSH into by Debian box every once in a while, it only takes 8 hours before the brute force attacks show up. I’d very very learly opening up 22. I like the idea of changing the port to something else. The bad guys will eventually find it, but if you only need it for a couple of days…..

]]> by: Guillermo Ruiz http://www.linux-mag.com/id/4523/#comment-667 Fri, 07 Dec 2007 00:08:22 +0000 http://www.linux-mag.com/id/4523/#comment-667 To prevent brute force attacks on the SSH server, I would recommend to change the default port 22 to something like, for example, port 2002. Also, you need to make sure that root access is disabled via ssh and use public/private key pair authentication instead of encrypted plain passwords to access the server remotely... My two cents... To prevent brute force attacks on the SSH server, I would recommend to change the default port 22 to something like, for example, port 2002. Also, you need to make sure that root access is disabled via ssh and use public/private key pair authentication instead of encrypted plain passwords to access the server remotely… My two cents…

]]> by: Thomas Baumann http://www.linux-mag.com/id/4523/#comment-666 Thu, 06 Dec 2007 21:32:49 +0000 http://www.linux-mag.com/id/4523/#comment-666 donatello, if you look at my article at <a href="http://inhalt.serviert.de/wissen/security/ssh/reverse_tunnel" rel="nofollow">inhalt.serviert.de</a> you see that this might not be a restriction if you use the feature of SSH Reverse Tunneling. Any further Questions via <a href="www.tiri.li" rel="nofollow">tiri.li - our company</a>. donatello, if you look at my article at inhalt.serviert.de
you see that this might not be a restriction if you use the feature of SSH Reverse Tunneling.
Any further Questions via tiri.li - our company.

]]>