Friday, May 14, 2010

Limiting the forwardable ports for ssh/sshd

Quote from the Ubuntu forums:

http://ubuntuforums.org/showthread.php?t=618733

------------------------------------------------

In the end, I've opted for Pub key authentication.
If it helps anyone, here's what I did...
If y'all have a Better Way (tm), feel free to post.

To configure :
1) Create keys : ssh-keygen -t rsa
2) Make sure they are stored in the proper place for ssh to read them
( ex.: On my wrt, /etc/ssh/authorized_keys )
:: Security concern : If the keys are in /etc/ssh/authorized_keys as opposed to ~/.ssh/authorized_keys,
that file must be readable by everyone that connects ( chmod, and possibly chgrp ). Having the keys in the user's homes is potentially safer.
3) cat <key>.pub >> /etc/ssh/authorized_keys
chmod 0600 /etc/ssh/authorized_keys
4) modify key line in /etc/ssh/authorized_keys with :
no-port-forwarding,no-agent-forwarding,permitopen="<host>:<port>",permitopen="...another one..." ssh-dss
5) If you want the key to be used only for forwarding, while denying the ssh console, add command="/bin/false" to the beginning of the line in 4). This command will be executed first thing as soon as the session is established.

To test :
1) Copy the key ( not the .pub ) to the client's home ~/.ssh/
2) Establish a connection :
ssh -v -L <local_port>:<host>:<port> <server>
Note : If using command="/bin/false" as detailed above, you need to add a -N switch to the ssh command, else the ssh session will terminate.
Note : Threw me off at first that you DO get a bash prompt on the destination machine. With "-v" you'll see that forwarding is disabled.

3) Test the connection : ( in another terminal ) :
ssh -p <local_port> localhost

Note : Attempting to connect to anything NOT in permitopen returns : ssh_exchange_identification: Connection closed by remote host


------------------------------------------------
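An audit script for the authorized_keys options the quoted post works with, added here as an example (it is not code from the forum post or from OpenSSH). It parses each key line, splits the leading option list while honouring quoted values such as permitopen="host:port" (which may contain commas), and reports what each key may still do. The option semantics follow sshd(8): options are applied in order, no-port-forwarding (and the newer restrict) switch TCP forwarding off, and when forwarding is off sshd never consults a permitopen list, so a key carrying both cannot forward at all. The sample file and key blobs are constructed placeholders.

```python
"""Audit OpenSSH authorized_keys entries for forwarding restrictions (added example)."""
import re

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
_KEY_RE = re.compile(r"(?:^|\s)(" + "|".join(re.escape(k) for k in KEY_TYPES) + r")\s")


def split_options(opts):
    """Split 'a,b="x,y",c' into ['a', 'b="x,y"', 'c'] without cutting quoted values."""
    items, cur, in_quote = [], [], False
    for ch in opts:
        if ch == '"':
            in_quote = not in_quote
        if ch == "," and not in_quote:
            items.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        items.append("".join(cur))
    return items


def audit_key(line):
    """Return a report dict for one authorized_keys line, or None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = _KEY_RE.search(line)
    if not m:
        return {"error": "no recognised key type", "line": line, "findings": []}
    options = split_options(line[:m.start()].strip())
    permitopen = [o.split("=", 1)[1].strip('"') for o in options
                  if o.lower().startswith("permitopen=")]
    command = next((o.split("=", 1)[1].strip('"') for o in options
                    if o.lower().startswith("command=")), None)

    # sshd applies options left to right; a later flag overrides an earlier one.
    forwarding = agent = True
    for name in (o.split("=", 1)[0].lower() for o in options):
        if name == "restrict":
            forwarding = agent = False
        elif name == "no-port-forwarding":
            forwarding = False
        elif name == "port-forwarding":
            forwarding = True
        elif name == "no-agent-forwarding":
            agent = False
        elif name == "agent-forwarding":
            agent = True

    findings = []
    if forwarding and not permitopen:
        findings.append("local forwarding to any host:port allowed (no permitopen)")
    if not forwarding and permitopen:
        findings.append("permitopen has no effect: forwarding disabled by no-port-forwarding/restrict")
    if agent:
        findings.append("agent forwarding allowed")
    if command is None:
        findings.append("interactive shell allowed (no command=)")
    return {"key_type": m.group(1), "options": options, "port_forwarding": forwarding,
            "permitopen": permitopen, "command": command, "findings": findings}


def audit_file(text):
    """Audit every line of an authorized_keys file's contents."""
    return [r for r in (audit_key(l) for l in text.splitlines()) if r is not None]


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# constructed sample authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY1 laptop
no-port-forwarding,no-agent-forwarding,permitopen="10.0.0.5:110",permitopen="10.0.0.5:143" ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEY2 laptop
command="/bin/false",no-agent-forwarding,no-pty,permitopen="10.0.0.5:110" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDEXAMPLEKEY3 tunnel
"""

if __name__ == "__main__":
    for report in audit_file(SAMPLE_AUTHORIZED_KEYS):
        print(report.get("key_type", "?"), "->",
              "; ".join(report["findings"]) or "restricted as intended")
```

Run against a real file with `audit_file(open("/etc/ssh/authorized_keys").read())`. The second sample line mirrors step 4 above and is reported as having a permitopen list that is never used; the third line (command="/bin/false", no-pty, permitopen only) is the shape a forward-only key ends up with.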

Saturday, August 30, 2008

Fail2Ban - CentOS - Dovecot

After looking at my logs I noticed that someone is trying to crack dovecot; here is what you need to do to set up fail2ban to block the IPs of the attacker.

You will need to create a filter file for dovecot; the first regex rule I got from the fail2ban wiki, and the second is something I came up with:

=========/etc/fail2ban/filter.d/dovecot.conf==========

# Fail2Ban configuration file
#
# Author: Maxim Badran
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# The tag is case-sensitive, and each additional failregex line is indented
# so the INI parser treats it as a continuation of the same value.
# Values: TEXT
#
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
            dovecot.*authentication failure.*rhost\=<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

=======================================

Now you need to add a new jail to /etc/fail2ban/jail.conf

===================
[dovecot-iptables]

enabled = true
filter = dovecot
action = iptables[name=Dovecot, port=110, protocol=tcp]
         sendmail-whois[name=Dovecot, dest=you@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/secure
maxretry = 5

===================
Note: if POP3 is not using port 110, edit the section above and replace 110 with the POP3 port.

The last step is to reload the fail2ban rules:
fail2ban-client reload
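Before reloading, it helps to see what the two failregex lines actually catch. The following bench is an added example, not part of fail2ban: it expands the <HOST> tag into the alias quoted in the filter's comment, applies the two failregex entries (and the empty ignoreregex) to constructed /var/log/secure lines with plain re.search, and tallies matches per source address against the jail's maxretry. Real fail2ban also strips the timestamp and applies a time window (findtime), which this bench leaves out; the log lines, users and addresses are made up.

```python
"""Dry-run the dovecot failregex lines against sample log lines (added example)."""
import re
from collections import Counter

# The alias fail2ban substitutes for <HOST> (quoted in the filter file comment).
HOST_ALIAS = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from /etc/fail2ban/filter.d/dovecot.conf above.
FAILREGEX = [
    r"dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:",
    r"dovecot.*authentication failure.*rhost\=<HOST>",
]
IGNOREREGEX = []          # the filter leaves ignoreregex empty
MAXRETRY = 5              # from the [dovecot-iptables] jail


def compile_filter(failregex=FAILREGEX, ignoreregex=IGNOREREGEX):
    """Expand <HOST> in every pattern and compile, as fail2ban does."""
    def expand(p):
        return re.compile(p.replace("<HOST>", HOST_ALIAS))
    return [expand(p) for p in failregex], [expand(p) for p in ignoreregex]


def match_line(line, fail, ignore):
    """Return the offending host for a log line, or None if it is not a failure."""
    if any(r.search(line) for r in ignore):
        return None
    for r in fail:
        m = r.search(line)
        if m:
            return m.group("host")
    return None


def scan(lines, maxretry=MAXRETRY):
    """Count failure lines per host and return (counts, hosts that reached maxretry)."""
    fail, ignore = compile_filter()
    hits = Counter()
    for line in lines:
        host = match_line(line, fail, ignore)
        if host is not None:
            hits[host] += 1
    banned = sorted(h for h, n in hits.items() if n >= maxretry)
    return hits, banned


def _attempt(ts, user, ip):
    """Two constructed lines that one failed PAM login writes to /var/log/secure."""
    return [
        f"Aug 30 {ts} mail dovecot: auth(default): pam({user},{ip}): "
        f"pam_authenticate() failed: Authentication failure",
        f"Aug 30 {ts} mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
        f"logname= uid=0 euid=0 tty=dovecot ruser={user} rhost={ip}",
    ]


# Constructed sample: one address hammering POP3, one legitimate user with a typo,
# one IPv4-mapped IPv6 source to exercise the (?:::f{4,6}:)? prefix in HOST_ALIAS.
SAMPLE_LOG = (
    _attempt("02:14:11", "admin", "198.51.100.23")
    + _attempt("02:14:13", "root", "198.51.100.23")
    + _attempt("02:14:15", "test", "198.51.100.23")
    + ["Aug 30 02:15:02 mail dovecot: pop3-login: Login: user=<maxim>, method=PLAIN, "
       "rip=192.0.2.10, lip=192.0.2.1"]
    + _attempt("02:15:30", "maxim", "192.0.2.10")[:1]
    + ["Aug 30 02:16:00 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; "
       "logname= uid=0 euid=0 tty=dovecot ruser=bob rhost=::ffff:203.0.113.9"]
)

if __name__ == "__main__":
    counts, banned = scan(SAMPLE_LOG)
    for host, n in counts.most_common():
        print(f"{host:>15}  {n} failure line(s){'  -> ban' if host in banned else ''}")
```

In the constructed log each failed attempt produces both a dovecot pam() line and a pam_unix line, so the two regexes together count one attempt twice and maxretry=5 trips after three attempts. Check your own /var/log/secure for whether both lines appear per attempt before deciding what maxretry should be.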

Fail2Ban - CentOS

Well, a couple of days ago I had to set up fail2ban on a CentOS 5.2 server. Here is a quick how-to:

First you need to install the program; you can do it with yum:

yum update
yum install fail2ban

Set it to startup automatically with the system:

chkconfig --levels 235 fail2ban on


Ok, now just edit /etc/fail2ban/jail.conf, enable the jails, and be sure to set the to and from addresses (as you do want to get the reports).

To start it up without a reboot:

/etc/init.d/fail2ban start

So now you have everything set up.

For more details please see:
http://www.fail2ban.org

Thursday, November 29, 2007

Tar

Here is a little tip about using tar. If you want to exclude multiple files or folders and are using a wildcard "*", then you should put --exclude in front of every "path/to/file/*".

tar -zPcf /media/sda4/test/bkp/1.tar.gz /media/sda4/test/ --exclude "/media/sda4/test/d1/*" --exclude "/media/sda4/test/1/*"
The above would tar the test folder into the backup folder, without the contents of d1 and 1.
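The same exclusion rule, reproduced with Python's tarfile module so it can be checked mechanically; this is an added example, not from the original post or from GNU tar. A tarfile filter drops every member whose archive path matches one of the exclude globs. Because fnmatch's '*' also matches '/', a pattern like 'test/d1/*' strips everything below d1 while keeping the d1 directory entry itself, which is the result the tar command above produces. The directory tree is built in a temporary directory and all paths and file names are made up.

```python
"""Reproduce the effect of tar --exclude "dir/*" with tarfile (added example)."""
import fnmatch
import os
import tarfile
import tempfile


def make_excluder(patterns):
    """Return a tarfile filter that skips members matching any of the globs."""
    def _filter(info):
        if any(fnmatch.fnmatchcase(info.name, p) for p in patterns):
            return None          # None tells TarFile.add() to drop this member
        return info
    return _filter


def archive_tree(root, archive_path, excludes):
    """Archive root (stored under its own basename) and return the sorted member names."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname=os.path.basename(root), filter=make_excluder(excludes))
    with tarfile.open(archive_path, "r:gz") as tar:
        return sorted(tar.getnames())


def demo():
    """Build a small tree, archive it excluding d1/* and 1/*, and return what got stored."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "test")
        # constructed sample tree
        for rel in ("keep.txt", "d1/secret.txt", "d1/sub/deep.txt", "1/old.log", "d2/other.txt"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample content\n")
        return archive_tree(root, os.path.join(tmp, "1.tar.gz"), ["test/d1/*", "test/1/*"])


if __name__ == "__main__":
    for name in demo():
        print(name)
```

The archive keeps the empty "test/1" and "test/d1" directory entries and everything under d2, and contains nothing below d1 or 1, including the nested d1/sub tree.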

Thursday, April 12, 2007

A new mic...

I just got myself a new mic... It was something that I took for granted a while before.... But now I see, well actually hear, the difference... Those Skype certified mics are something :)

Btw it was a Logitech USB mic...

Monday, March 12, 2007

Google Map zooooooooooooooooom , bday day, and linux

This is great: by playing with the URL you won't have to install Google Earth to get the super zoom feature. I can't believe that no one thought of this...

On the other hand, today two of my friends had their birthdays, so that was fun.

At university we are starting a new course that seems to be easy and fun.... it is part of a course but well...

With Linux I am playing with virtualization; the best part is that I can play with the system without screwing up my base, and the fun of playing with different operating systems... now I can try out a BSD, thinking of OpenBSD, as it is something nice as they say... but I don't think I will stray away from Ubuntu as it is making my life easier by the minute... as in no more software problems and config files... everything just works... :)

.........as for the weather, well, yesterday (11/03/07) was sunny, alas I had to spend the day home... as for today it was a tad chilly but nice... over and out

Sunday, March 04, 2007

planned move to ubuntu...

I am starting my migration from Arch to Ubuntu, as the latter has better out of the box support for different things that I don't want to be bothered with configuring. For this I need to wait for my new external HDD, so that I can fully reformat my system; my 2 largest partitions are still FAT32 (from XP).

What I want to do is divide the HDD into root (system, 5G), home (where I keep my documents, 4G), and the rest will be just one giant partition with all of my media.

This move will help me concentrate on my work more, as I won't have to tinker with the system that much.

Tuesday, February 27, 2007

Archlinux

If you want to learn about Linux this is the way to go: it is (relatively) easy to use, and it will teach you the Linux basics. The best part is that at the end you get a stable OS running on your PC with the applications that you use and nothing more. Everything is kept updated thanks to a little thing called pacman. This is not a technical review of Arch, just a little something; for more info take a look at their site.

Have fun