Practical tips, examples, and SSH tunnels

Practical examples of SSH that will bring your remote system administrator skills to a new level. Teams and tips will help not only use SSH , but also more competently navigate the network.

Knowing a few ssh tricks is useful to any system administrator, network engineer, or security specialist.

Case Studies SSH

First basics

SSH command line parsing

The following example uses common parameters that are often encountered when connecting to a remote SSH server.

 localhost:~$ ssh -v -p 22 -C neo@remoteserver

-v : debug output is especially useful when analyzing authentication problems. Can be used several times to display additional information.
- p 22 : port for connecting to a remote SSH server. 22 is not necessary to specify, because this is the default value, but if the protocol is on some other port, then we specify it with the help of the -p parameter. The listening port is specified in the sshd_config file in the format Port 2222 .
-C : compression for connection. If you have a slow channel or you view a lot of text, it can speed up the connection.
neo@ : the line before the symbol @ denotes the username for authentication on the remote server. If you do not specify it, the default will be the username of the account you are currently logged in to (~ $ whoami). The user can also be specified with the -l option.
remoteserver : the name of the host to which ssh connected, this can be a fully qualified domain name, IP address or any host in the local hosts file. To connect to a host that supports both IPv4 and IPv6, you can add the -4 or -6 option to the command line for proper resolution.

All of the above parameters are optional, except for remoteserver .
')

Using a configuration file

Although many are familiar with the sshd_config file, there is also a client configuration file for the ssh command. The default is ~/.ssh/config , but it can be defined as a parameter for the -F option.

 Host * Port 2222 Host remoteserver HostName remoteserver.thematrix.io User neo Port 2112 IdentityFile /home/test/.ssh/remoteserver.private_key

In the sample ssh configuration file above, there are two host entries. The first one denotes all the hosts, the Port 2222 configuration parameter is used for all. The second one says that for the remoteserver host you should use a different username, port, FQDN and IdentityFile.

The configuration file can save a lot of time on entering characters, allowing you to automatically apply advanced configuration when connecting to specific hosts.

Copying files over SSH using SCP

The SSH client comes with two other very handy tools for copying files over an encrypted ssh connection . See below for an example of the standard use of the scp and sftp commands. Note that many of the parameters for ssh apply to these commands.

 localhost:~$ scp mypic.png neo@remoteserver:/media/data/mypic_2.png

In this example, the file mypic.png is copied to remoteserver in the folder / media / data and renamed to mypic_2.png .

Do not forget about the difference in the port parameter. On this come across many who run scp from the command line. Here the port parameter is -P , and not -p , as in the ssh client! You will forget, but do not worry, everyone will forget.

For those familiar with console ftp , many of the commands are similar in sftp . You can push , put, and ls as your heart desires.

 sftp neo@remoteserver

Practical examples

In many of these examples, you can achieve results using different methods. As in all our textbooks and examples, preference is given to practical examples that just do their job.

1. SSH socks proxy

The SSH Proxy feature is number 1 for a good reason. It is more powerful than many people assume, and gives you access to any system that a remote server has access to using almost any application. The ssh client can tunnel traffic through a SOCKS proxy with one simple command. It is important to understand that traffic to remote systems will come from a remote server, as will be indicated in the logs of the web server.

 localhost:~$ ssh -D 8888 user@remoteserver localhost:~$ netstat -pan | grep 8888 tcp 0 0 127.0.0.1:8888 0.0.0.0:* LISTEN 23880/ssh

Here we run a socks proxy on TCP port 8888, the second command checks that the port is active in listening mode. 127.0.0.1 indicates that the service works only on localhost. We can use a slightly different command to listen on all interfaces, including ethernet or wifi, this will allow other applications (browsers, etc.) on our network to connect to the proxy service via ssh socks proxy.

 localhost:~$ ssh -D 0.0.0.0:8888 user@remoteserver

Now we can configure the browser to connect to socks-proxy. In Firefox, select Settings | Basic | Network settings . Specify the IP address and port for the connection.

Pay attention to the option at the bottom of the form, so that the browser's DNS requests also go through the SOCKS proxy. If you are using a proxy server to encrypt web traffic on a local network, then you probably want to select this option so that DNS queries are tunneled over an SSH connection.

Activate socks proxy in Chrome

Running Chrome with certain command line parameters activates socks proxies, as well as tunneling DNS requests from the browser. Trust but check. Use tcpdump to verify that DNS queries are no longer visible.

 localhost:~$ google-chrome --proxy-server="socks5://192.168.1.10:8888"

Using other applications with proxies

Keep in mind that many other applications can also use socks-proxies. A web browser is simply the most popular one. Some applications have configuration options for activating the proxy server. Others need a little help with an ancillary program. For example, proxychains allows you to run through Microsoft socks-proxy RDP, etc.

 localhost:~$ proxychains rdesktop $RemoteWindowsServer

Socks-proxy configuration parameters are specified in the proxychains configuration file.

Hint: if using remote desktop from linux to windows? Try the FreeRDP client. This is a more modern implementation than rdesktop , with much smoother interaction.

The option of using SSH through socks-proxy

You are sitting in a cafe or hotel - and you have to use rather unreliable WiFi. From a laptop, locally run ssh-proxy and set up an ssh-tunnel to the home network on the local Rasberry Pi. Using a browser or other applications configured for socks-proxy, we can access any network services in our home network or access the Internet through a home connection. Everything between your laptop and your home server (via Wi-Fi and the Internet to your home) is encrypted in the SSH tunnel.

2. SSH Tunnel (Port Forwarding)

In its simplest form, an SSH tunnel simply opens up a port on your local system that connects to another port on the other end of the tunnel.

 localhost:~$ ssh -L 9999:127.0.0.1:80 user@remoteserver

Let's analyze the -L parameter. It can be thought of as the local listening side. Thus, in the example above, port 9999 is tapped on the localhost side and forwarded via port 80 to remoteserver. Please note that 127.0.0.1 refers to localhost on a remote server!

We will rise on the step. In the following example, the listening ports are associated with other nodes on the local network.

 localhost:~$ ssh -L 0.0.0.0:9999:127.0.0.1:80 user@remoteserver

In these examples, we connect to a port on a web server, but this can be a proxy server or any other TCP service.

3. SSH tunnel to a third-party host

We can use the same parameters to connect the tunnel from a remote server to another service running on the third system.

 localhost:~$ ssh -L 0.0.0.0:9999:10.10.10.10:80 user@remoteserver

In this example, we are redirecting the tunnel from the remoteserver to the web server running on 10.10.10.10. Traffic from remoteserver to 10.10.10.10 is no longer in the SSH tunnel . The web server on 10.10.10.10 will consider the remoteserver source of web requests.

4. Reverse SSH Tunnel

Here we set up a listening port on a remote server that will connect back to the local port on our localhost (or another system).

 localhost:~$ ssh -v -R 0.0.0.0:1999:127.0.0.1:902 192.168.1.100 user@remoteserver

In this SSH session, a connection is established from port 1999 on the remoteserver to port 902 on our local client.

5. Reverse SSH Proxy

In this case, we set up a socks proxy on our ssh connection, however, the proxy listens on the remote end of the server. Connections to this remote proxy now appear from the tunnel as traffic from our localhost.

 localhost:~$ ssh -v -R 0.0.0.0:1999 192.168.1.100 user@remoteserver

Troubleshooting problems with remote SSH tunnels

If you have problems with the operation of remote SSH options, check with netstat what other interfaces the listening port is connected to. Although we specified 0.0.0.0 in the examples, but if the value of GatewayPorts in sshd_config is set to no , then the listener will be bound to localhost (127.0.0.1) only.

Safety warning

Please note that when opening tunnels and socks-proxies, internal network resources may be accessed by unreliable networks (for example, the Internet!). This can be a serious security threat, so make sure you understand what the listener is and what it has access to.

6. Installing VPN over SSH

The general term among specialists in attack methods (pentesters, etc.) is “a point of support in a network”. After establishing a connection in one system, this system becomes a gateway for further access to the network. The fulcrum that allows you to move in breadth.

For such a foothold, we can use SSH proxies and proxychains , however there are some limitations. For example, it will not be possible to work directly with sockets, so we will not be able to scan ports within the network through Nmap SYN .

Using this more advanced VPN option, the connection drops to level 3 . Then we can simply send traffic through the tunnel using standard network routing.

The method uses ssh , iptables , tun interfaces and routing.

First you need to set these parameters in sshd_config . Since we are making changes to the interfaces of both the remote and client systems, we need root rights on both sides .

 PermitRootLogin yes PermitTunnel yes

Then we establish an ssh connection using the parameter that requests the initialization of tun devices.

 localhost:~# ssh -v -w any root@remoteserver

Now we should have a tun device when showing interfaces ( # ip a ). The next step is to add IP addresses to the tunnel interfaces.

SSH client side:

 localhost:~# ip addr add 10.10.10.2/32 peer 10.10.10.10 dev tun0 localhost:~# ip tun0 up

SSH server side:

 remoteserver:~# ip addr add 10.10.10.10/32 peer 10.10.10.2 dev tun0 remoteserver:~# ip tun0 up

Now we have a direct route to another host ( route -n and ping 10.10.10.10 ).

You can route any subnet through a host on the other side.

 localhost:~# route add -net 10.10.10.0 netmask 255.255.255.0 dev tun0

On the remote side, you must enable ip_forward and iptables .

 remoteserver:~# echo 1 > /proc/sys/net/ipv4/ip_forward remoteserver:~# iptables -t nat -A POSTROUTING -s 10.10.10.2 -o enp7s0 -j MASQUERADE

Boom! VPN over SSH tunnel at network level 3 . This is already a victory.

If there are any problems, use tcpdump and ping to determine the cause. Since we are playing at level 3, our icmp packages will go through this tunnel.

7. Copy SSH key (ssh-copy-id)

There are several ways, but this command saves time, so as not to copy files manually. It simply copies ~ / .ssh / id_rsa.pub (or the default key) from your system to ~/.ssh/authorized_keys on the remote server.

 localhost:~$ ssh-copy-id user@remoteserver

8. Remote command execution (non-interactive)

The ssh command can be linked to other commands for a normal user-friendly interface. Just add the command you want to run on the remote host as the last parameter in quotes.

 localhost:~$ ssh remoteserver "cat /var/log/nginx/access.log" | grep badstuff.php

In this example, grep is executed on the local system after the log has been downloaded via the ssh channel. If the file is large, it is more convenient to run grep on the remote side simply by enclosing both commands in double quotes.

Another example performs the same function as ssh-copy-id from example 7.

 localhost:~$ cat ~/.ssh/id_rsa.pub | ssh remoteserver 'cat >> .ssh/authorized_keys'

9. Remote packet capture and viewing in Wireshark

I took one of our tcpdump examples . Use it to remotely intercept packets and output the result directly to the local Wireshark GUI.

 :~$ ssh root@remoteserver 'tcpdump -c 1000 -nn -w - not port 22' | wireshark -k -i -

10. Copying a local folder to a remote server via SSH

A beautiful trick that compresses a folder with bzip2 (this is the -j parameter in the tar command) and then extracts the bzip2 stream on the other side, creating a duplicate folder on the remote server.

 localhost:~$ tar -cvj /datafolder | ssh remoteserver "tar -xj -C /datafolder"

11. Remote GUI applications with SSH X11 redirection

If “X's” are installed on the client and remote server, then you can remotely execute the GUI command, with a window on your local desktop. This feature exists a long time ago, but is still very useful. Launch a remote web browser or even a VMWawre Workstation console, as I do in this example.

 localhost:~$ ssh -X remoteserver vmware

The string X11Forwarding yes in the sshd_config file is required.

12. Remote file copying using rsync and ssh

rsync is much more convenient than scp if periodic backup of a directory, a large number of files or very large files is required. There is a recovery function after the failure of the transfer and copy only the modified files, which saves traffic and time.

This example uses gzip (-z) compression and archive mode (-a), which includes recursive copying.

 :~$ rsync -az /home/testuser/data remoteserver:backup/

13. SSH over the Tor network

The anonymous Tor network can tunnel SSH traffic using the torsocks . The following command will proxy ssh-proxy through Tor.

 localhost:~$ torsocks ssh myuntracableuser@remoteserver

Torsocks will use proxy port 9050 on localhost. As always, when using Tor, you need to seriously check what traffic is being tunneled and other operational security issues (opsec). Where do your DNS queries go?

14. SSH to EC2 instance

To connect to an EC2 instance, you need a private key. Download it (the .pem extension) from the Amazon EC2 control panel and change the permissions ( chmod 400 my-ec2-ssh-key.pem ). Keep the key in a safe place or place it in your ~/.ssh/ folder.

 localhost:~$ ssh -i ~/.ssh/my-ec2-key.pem ubuntu@my-ec2-public

The -i option simply tells the ssh client to use this switch. The ~/.ssh/config file is ideal for automatically configuring key usage when connected to the ec2 host.

 Host my-ec2-public Hostname ec2???.compute-1.amazonaws.com User ubuntu IdentityFile ~/.ssh/my-ec2-key.pem

15. Editing text files using VIM via ssh / scp

For all vim lovers, this advice will save some time. With vim files are edited for scp with one command. This method simply creates the file locally in /tmp , and then copies it back as soon as we save it from vim .

 localhost:~$ vim scp://user@remoteserver//etc/hosts

Note: The format is slightly different from regular scp . After the host we have a double // . This is a link to an absolute path. One slash will be the path relative to the users home folder.

 **warning** (netrw) cannot determine method (format: protocol://[user@]hostname[:port]/[path])

If you see such an error, double check the format of the command. This usually means a syntax error.

16. Mounting Remote SSH as a Local Folder with SSHFS

With sshfs , the ssh file system client, we can connect a local directory to a remote location with all file interactions in an encrypted ssh session.

 localhost:~$ apt install sshfs

On Ubuntu and Debian, install the sshfs package, and then simply accept the remote location to our system.

 localhost:~$ sshfs user@remoteserver:/media/data ~/data/

17. SSH Multiplexing with ControlPath

By default, if there is an existing connection to a remote server using ssh second connection using ssh or scp establishes a new session with additional authentication. The ControlPath option allows you to use an existing session for all subsequent connections. This will significantly speed up the process: the effect is noticeable even in the local network, and even more so when connected to remote resources.

 Host remoteserver HostName remoteserver.example.org ControlMaster auto ControlPath ~/.ssh/control/%r@%h:%p ControlPersist 10m

ControlPath specifies the socket to check for new connections for an active ssh session. The last option means that even after logging out of the console, the existing session will remain open for 10 minutes, so during this time you can reconnect over the existing socket. See the ssh_config man help for more information.

18. Streaming video over SSH using VLC and SFTP

Even long-time users of ssh and vlc (Video Lan Client) are not always aware of this convenient option, when you really need to watch videos over the network. In the settings File | Open Network Stream vlc programs can be entered as sftp:// . If a password is required, a prompt will appear.

 sftp://remoteserver//media/uploads/myvideo.mkv

19. Two-factor authentication

The same two-factor authentication as your bank account or Google account applies to the SSH service.

Of course, ssh initially has a two-factor authentication function, which means a password and an SSH key. The advantage of a hardware token or Google Authenticator application is that it is usually a different physical device.

See our 8-minute guide to using Google Authenticator and SSH .

20. Jumping to hosts with ssh and -J

If, because of network segmentation, you have to go through several ssh hosts to get to the destination destination network, you will save time with the -J shortcut.

 localhost:~$ ssh -J host1,host2,host3 user@host4.internal

The main thing here is to understand that this is not similar to the ssh host1 , then user@host1:~$ ssh host2 and so on. The -J parameter cleverly uses redirection so that localhost establishes a session with the next host in the chain. Thus, in the example above, our localhost is authenticated to host4. That is, our localhost keys are used, and the session from localhost to host4 is fully encrypted.

To do this, specify the ProxyJump configuration option in ssh_config . If you regularly have to go through several hosts, then automation through the config will save a lot of time.

21. Blocking SSH brute-force attempts using iptables

Anyone who ran the SSH service and looked through the logs knows about the number of bruteforce attempts that occur every hour every day. A quick way to reduce noise in the logs is to transfer SSH to a non-standard port. Edit the sshd_config file using the Port ## configuration parameter.

Using iptables , you can also easily block attempts to connect to a port when a certain threshold is reached.The easiest way to do this is to use OSSEC , since it not only blocks SSH, but performs a bunch of other intrusion detection measures based on the host name (HIDS).

22. SSH Escape to change port forwarding

And our last example is sshintended to change the port forwarding on the fly within an existing session ssh. Imagine such a scenario. You are deep in the net; you may have jumped through half a dozen hosts and you need a local port on the workstation that is redirected to the Microsoft SMB of the old Windows 2003 system (does anyone remember ms08-67?).

Clicking enter, try typing in console ~C. This is a control sequence in a session that allows you to make changes to an existing connection.

 localhost:~$ ~C ssh> -h Commands: -L[bind_address:]port:host:hostport Request local forward -R[bind_address:]port:host:hostport Request remote forward -D[bind_address:]port Request dynamic forward -KL[bind_address:]port Cancel local forward -KR[bind_address:]port Cancel remote forward -KD[bind_address:]port Cancel dynamic forward ssh> -L 1445:remote-win2k3:445 Forwarding port.

, 1445 Windows 2003, . msfconsole , (, ).

Completion

, ssh ; ( man ssh , man ssh_config , man sshd_config ).

. ssh , .

Source: https://habr.com/ru/post/435546/

All Articles