Libre Things

CV Diaspora
fr

Tag - SSH

Entries feed - Comments feed

Wednesday 29 December 2010

Rsync command restriction over SSH

By dooblem on Wednesday 29 December 2010, 18h36

You have 2 systems and you want to set up a secure backup with rsync + SSH of one system to the other.

Very simply, you can use:

backup.example.com# rsync -avz --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/

To do the backup, you have to be root on the remote server, because some files are only root readable.

Problem: you will allow backup.example.com to do anything on myserver.example.com, where just read only access on the directory is sufficient.

To solve it, you can use the command="" directive in the authorized_keys file to filter the command.

To find this command, start rsync adding the -e'ssh -v' option:

rsync -avz -e'ssh -v' --numeric-ids --delete root@myserver.example.com:/path/ /backup/myserver/ 2>&1 | grep "Sending command"

You get a result like:

debug1: Sending command: rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/

Now, just add the command before the key in /root/.ssh/authorized_keys:

command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/" ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

And for even more security, you can add an IP filter, and other options:

from="backup.example.com",command="rsync --server --sender -vlogDtprze.iLsf --numeric-ids . /path/",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding ssh-rsa AAAAB3NzaC1in2EAAAABIwAAABio......

Now try to open a ssh shell on the remote server.. and try some unauthorized rsync commands...

Notes:

  • Beware that if you change rsync command options, change also the authorized_keys file.
  • No need for complex chroot anymore. Forget my previous article: /post/SFTP-chroot-rsync

See also:

  • man ssh #/AUTHORIZED_KEYS FILE FORMAT
  • man rsync
  • view /usr/share/doc/rsync/scripts/rrsync.gz (restricted rsync, allows you to manage allowed options precisely)

no comment

Sunday 20 June 2010

Reverse SSH Tunnel for SSH connection to a NATed machine

By dooblem on Sunday 20 June 2010, 23h48

This is how to open a SSH connexion to a serveur hidden behind a NAT gateway.

We use a reverse SSH tunnel:

nated-host$ ssh -R 2222:localhost:22 anyuser@public-host
anyuser@public-host$

This command opens 2222 port on public-host, forwarding it to local 22 port on nated-host.

Finally, from public-host we connect to 2222 local port with SSH, to end on nated-host:

public-host$ ssh -p2222 localhost
nated-host$

References:

no comment

Thursday 10 December 2009

[SSH] Change directory while connecting

By dooblem on Thursday 10 December 2009, 21h09 - Linux

Problem:

I want to create a server-www alias that connects me to the SSH server and change the directory to /var/www/ right after the connection.

There it is :

ssh -t server 'cd /var/www && $SHELL'

And for the alias, add this in your ~/.bashrc:

alias server-www="ssh -t server 'cd /var/www && $SHELL'"
server-www # test it !

References :

2 comments

Monday 3 August 2009

Fail2ban

By dooblem on Monday 3 August 2009, 14h20 - Linux

If you discover lots of ssh connection tries in your /var/log/auth.log (bots testing users/passwords), you have to do something.

The simpler is to use an IP restriction rule in your iptables firewall, or in /etc/hosts.deny

If you don't want or can't use this restriction, use Fail2ban:

aptitude install fail2ban

The default install blocks SSH connection tries.

You can tune the config a bit or activate Fail2ban for other services. Example:

vi /etc/fail2ban/jail.conf
bantime  = 86400
maxretry = 10 # pour ssh
enabled  = true # pour vsftpd
maxretry = 10 # pour vsftpd

Then, the iptables -L command gives you all banned IP addresses.

no comment