Friday, May 14, 2010

Limiting the forwardable ports for ssh/sshd

Quote from the Ubuntu forums:

http://ubuntuforums.org/showthread.php?t=618733

------------------------------------------------

In the end, I've opted for Pub key authentication.
If it helps anyone, here's what I did...
If y'all have a Better Way (tm), feel free to post.

To configure :
1) Create keys : ssh-keygen -t rsa
2) Make sure they are stored in proper place for ssh to read them
( ex.: On my wrt, /etc/ssh/authorized_keys )
:: Security concern : If the keys are in /etc/ssh/authorized_keys as opposed to ~/.ssh/authorized_keys,
that file must be readable by everyone that connects ( chmod, and possibly chgrp ). Having the keys in the user's homes is potentially safer.
3) cat .pub >> /etc/ssh/authorized_keys
chmod 0600 /etc/ssh/authorized_keys
4) modify key line in /etc/ssh/authorized_keys with :
no-port-forwarding,no-agent-forwarding,permitopen=":",permitopen="...another one..." ssh-dss
5) If you want the key to be used only for forwarding, while denying the ssh console, add command="/bin/false" to the beginning of the line in 4). This command will be executed first thing as soon as the session is established.

To test :
1) Copy the key ( not the .pub ) to the client's home ~/.ssh/
2) Establish a connection :
ssh -v -L :: :
Note : If using command="/bin/false" as detailed above, you need to add a -N switch to the ssh command, else the ssh session will terminate.
Note : Threw me off at first that you DO get a bash prompt on destination machine. With "-v" you'll see that forwarding is disabled.

3) Test the connection : ( in another terminal ) :
ssh -p localhost

Note : Attempting to connect to anything NOT in permitopen returns : ssh_exchange_identification: Connection closed by remote host


------------------------------------------------
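One thing worth checking before copying the quoted recipe: sshd(8) documents no-port-forwarding as forbidding TCP forwarding outright for that key, so once it is present the permitopen entries on the same line never get a chance to apply. A forwarding-only key wants no-pty,no-agent-forwarding,no-X11-forwarding plus one permitopen per allowed host:port (and command="/bin/false" if no shell is wanted), not no-port-forwarding. The script below is an added editorial example, not code from the forum post or from OpenSSH: it parses the authorized_keys option field the way sshd(8) describes it (comma-separated options; double-quoted values may contain commas and backslash-escaped quotes), classifies each key using the documented semantics of no-port-forwarding, permitopen, restrict/port-forwarding and command=, and flags the no-port-forwarding plus permitopen combination. The function names are the example's own, and the sample entries and key blobs are constructed placeholders.

```python
"""Audit authorized_keys entries for what each key may forward and run.

Added example, not from the forum post: parses the option field per
sshd(8) and classifies keys by no-port-forwarding, permitopen,
restrict/port-forwarding and command=. Function names are this
example's own; sample entries and key blobs are constructed placeholders.
"""

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")


def _split_options_field(line):
    """Split 'options keytype blob [comment]' at the first unquoted whitespace."""
    quoted, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and quoted:            # skip an escaped character inside quotes
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            return line[:i], line[i:].lstrip()
        i += 1
    return line, ""


def split_options(options):
    """Split the option field on unquoted commas, returning values with quotes removed."""
    out, cur, quoted, i = [], [], False, 0
    while i < len(options):
        c = options[i]
        if c == "\\" and quoted and i + 1 < len(options):
            cur.append(options[i + 1])      # \" inside a quoted value
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def parse_authorized_key(line):
    """Return {'options', 'keytype', 'comment'}, or None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith(KEY_TYPE_PREFIXES):
        options, rest = "", line            # no option field at all
    else:
        options, rest = _split_options_field(line)
    parts = rest.split(None, 2)
    if len(parts) < 2 or not parts[0].startswith(KEY_TYPE_PREFIXES):
        raise ValueError("not an authorized_keys entry: %r" % line)
    return {"options": split_options(options) if options else [],
            "keytype": parts[0],
            "comment": parts[2] if len(parts) > 2 else ""}


def audit_entry(entry):
    """Classify forwarding and shell access for one parsed entry."""
    opts = entry["options"]
    names = {o.split("=", 1)[0].lower() for o in opts}   # option keywords are case-insensitive
    targets = [o.split("=", 1)[1] for o in opts if o.lower().startswith("permitopen=")]
    forced = [o.split("=", 1)[1] for o in opts if o.lower().startswith("command=")]
    # no-port-forwarding forbids every TCP forward; so does restrict (OpenSSH 7.2+) unless
    # port-forwarding re-enables it. permitopen only narrows forwarding that is allowed.
    forwarding = "no-port-forwarding" not in names and not (
        "restrict" in names and "port-forwarding" not in names)
    findings = []
    if not forwarding:
        status = "forwarding disabled"
        if targets:
            findings.append("permitopen has no effect: forwarding is already disabled")
    elif targets:
        status = "forwarding limited to " + ", ".join(targets)
        if not forced:
            findings.append("no command= option: key also gives a login shell")
    else:
        status = "unrestricted forwarding"
        findings.append("key may forward to any host:port reachable from the server")
    return {"comment": entry["comment"], "forwarding": status, "targets": targets,
            "shell": "forced command " + forced[0] if forced else "interactive shell",
            "findings": findings}


def audit_file(text):
    """Audit every entry of an authorized_keys file passed as a string."""
    return [audit_entry(e) for e in map(parse_authorized_key, text.splitlines()) if e]


# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# entry 1: plain key, nothing restricted",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleBlob0001 alice@laptop",
    'no-port-forwarding,no-agent-forwarding,permitopen="10.0.0.5:5432" ssh-rsa AAAAB3NzaC1yc2EExampleBlob0002 recipe-as-posted',
    'no-pty,no-agent-forwarding,no-X11-forwarding,permitopen="10.0.0.5:5432",command="/bin/false" ssh-rsa AAAAB3NzaC1yc2EExampleBlob0003 tunnel@bastion',
    'restrict,port-forwarding,permitopen="10.0.0.5:5432",permitopen="10.0.0.6:22",command="echo \\"no, shell\\"" ecdsa-sha2-nistp256 AAAAE2VjZHNhExampleBlob0004 ops@jump',
])

if __name__ == "__main__":
    for r in audit_file(SAMPLE_AUTHORIZED_KEYS):
        print("%-18s %-50s %-30s %s" % (r["comment"], r["forwarding"], r["shell"], "; ".join(r["findings"])))
```

Run it against a real file with audit_file(open(path).read()). Per-key options only tighten what sshd_config already allows: the global AllowTcpForwarding and PermitOpen directives still apply on top of them.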

Saturday, August 30, 2008

Fail2Ban - CentOS - Dovecot

After looking at my logs I noticed that someone was trying to brute-force Dovecot logins. Here is what you need to do to set up fail2ban so that it blocks the attacker's IPs.

You will need to create a filter file for Dovecot. The first regex I got from the fail2ban wiki; the second is something I came up with:

=========/etc/fail2ban/filter.d/dovecot.conf==========

# Fail2Ban configuration file
#
# Author: Maxim Badran
#
# $Revision: 1 $
#

[Definition]

# Option: failregex
# Notes.: regex to match the password failures messages in the logfile. The
# host must be matched by a group named "host". The tag "<HOST>" can
# be used for standard IP/hostname matching and is only an alias for
# (?:::f{4,6}:)?(?P<host>\S+)
# Values: TEXT
#
# The first line matches Dovecot's own PAM failure message, the second the
# pam_unix "authentication failure ... rhost=" line. The tag must be written
# <HOST> in upper case, fail2ban does not expand it otherwise, and the
# continuation line of a multi-line failregex must be indented.
failregex = dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:
            dovecot.*authentication failure.*rhost\=<HOST>

# Option: ignoreregex
# Notes.: regex to ignore. If this regex matches, the line is ignored.
# Values: TEXT
#
ignoreregex =

=======================================

Now you need to add a new jail to /etc/fail2ban/jail.conf (the second action line is a continuation and must be indented):

===================
[dovecot-iptables]

enabled = true
filter = dovecot
action = iptables[name=Dovecot, port=110, protocol=tcp]
         sendmail-whois[name=Dovecot, dest=you@yourdomain.com, sender=fail2ban@yourdomain.com]
logpath = /var/log/secure
maxretry = 5

===================
Note: if POP3 is not on port 110, edit the section above and replace 110 with the POP3 port. The iptables action takes a single port; to cover IMAP and the SSL variants in the same jail, use the iptables-multiport action that fail2ban ships, e.g. action = iptables-multiport[name=Dovecot, port="110,995,143,993", protocol=tcp]. The sendmail-whois action needs the whois command installed.

Also check where the failures are actually logged before trusting logpath. On CentOS the pam_unix "authentication failure ... rhost=" line goes through authpriv to /var/log/secure, while Dovecot's own "auth(default): pam(...)" message is typically written via the mail facility to /var/log/maillog, so the first regex only helps if logpath points at the file that contains it.

The last step is to reload the fail2ban rules:
fail2ban-client reload
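To see what the filter will do before pointing it at live logs, here is an added example (not from the original post and not fail2ban's own code): it reproduces the <HOST> expansion fail2ban applies to failregex lines, runs the two regexes from the filter above over constructed syslog lines, counts failures per host and returns the hosts that would reach maxretry. The function names are the example's own, and the log lines are constructed samples, not captures.

```python
"""Dry-run the dovecot failregex lines over sample log lines, fail2ban-style.

Added example, not part of the original post or of fail2ban: function names
are the example's own and SAMPLE_LOG is constructed, not a real capture.
"""
import re
from collections import Counter

# What fail2ban substitutes for the <HOST> tag in a failregex.
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>\S+)"

# The two failregex lines from /etc/fail2ban/filter.d/dovecot.conf above.
FAILREGEX = [
    r"dovecot.*auth\(default\): pam\(.*,<HOST>\): pam_authenticate\(\) failed:",
    r"dovecot.*authentication failure.*rhost\=<HOST>",
]


def compile_failregex(patterns):
    """Expand <HOST> and compile each pattern, as fail2ban does when loading a filter."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in patterns]


def failures_per_host(lines, patterns=FAILREGEX):
    """Count log lines matching any failregex, keyed by the captured host."""
    regexes = compile_failregex(patterns)
    counts = Counter()
    for line in lines:
        for rx in regexes:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break   # one failure per line, even if several regexes would match it
    return counts


def hosts_to_ban(lines, maxretry=5):
    """Hosts whose failure count reached the jail's maxretry."""
    return sorted(h for h, n in failures_per_host(lines).items() if n >= maxretry)


# Constructed sample: 203.0.113.7 hammers the server (including one IPv4-mapped
# IPv6 form), 198.51.100.4 mistypes once and then logs in; the sshd line is noise.
SAMPLE_LOG = [
    "Aug 30 10:01:12 mail dovecot: auth(default): pam(bob,203.0.113.7): pam_authenticate() failed: Authentication failure",
    "Aug 30 10:01:13 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=203.0.113.7 user=bob",
    "Aug 30 10:01:20 mail dovecot: auth(default): pam(bob,::ffff:203.0.113.7): pam_authenticate() failed: Authentication failure",
    "Aug 30 10:01:27 mail dovecot-auth: pam_unix(dovecot:auth): authentication failure; logname= uid=0 euid=0 tty=dovecot ruser= rhost=203.0.113.7 user=bob",
    "Aug 30 10:01:33 mail dovecot: auth(default): pam(root,203.0.113.7): pam_authenticate() failed: Authentication failure",
    "Aug 30 10:02:01 mail dovecot: auth(default): pam(alice,198.51.100.4): pam_authenticate() failed: Authentication failure",
    "Aug 30 10:02:05 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.4, lip=10.0.0.2",
    "Aug 30 10:02:30 mail sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2",
]

if __name__ == "__main__":
    for host, n in failures_per_host(SAMPLE_LOG).most_common():
        print("%-16s %d" % (host, n))
    print("would ban:", hosts_to_ban(SAMPLE_LOG))
```

fail2ban's own tool for the same dry run against a real file is fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/dovecot.conf. Note in the sample that the pam_unix line and Dovecot's own line for the same attempt both count, so a single failed login counts twice if both end up in the file named in logpath; with maxretry = 5 that halves the number of guesses an attacker gets.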

Fail2Ban - CentOS

Well, a couple of days ago I had to set up fail2ban on a CentOS 5.2 server. Here is a quick how-to:

First you need to install the program, you can do it with yum:

yum update
yum install fail2ban

Set it to startup automatically with the system:

chkconfig --levels 235 fail2ban on


Ok, now just edit /etc/fail2ban/jail.conf:

enable the jails you need (enabled = true), and be sure to set the dest= and sender= addresses in the sendmail actions (as you do want to get the reports). Also put the addresses you administer from into ignoreip in the [DEFAULT] section, so that a typo in your own password cannot ban you.

To start it up without a reboot:

/etc/init.d/fail2ban start

So now you have everything set up.

For more details please see:
http://www.fail2ban.org

Thursday, November 29, 2007

Tar

Here is a little tip about using tar. If you want to exclude multiple files or folders and are using a wildcard "*", then you must put --exclude in front of every "path/to/file/*" (each --exclude takes exactly one pattern), and quote the pattern so the shell does not expand the "*" before tar sees it.

tar -zPcf /media/sda4/test/bkp/1.tar.gz /media/sda4/test/ --exclude "/media/sda4/test/d1/*" --exclude "/media/sda4/test/1/*"
The above would tar the test folder to the backup folder, without the contents of d1 and 1 (the now-empty d1 and 1 directories themselves are still archived, since the patterns only match what is inside them). Two things to be aware of: -P keeps the leading "/" instead of stripping it, so the archive stores absolute paths (GNU tar strips the "/" again on extraction unless you pass -P there too); and because the archive is written inside the tree being backed up, GNU tar will skip it with a "file is the archive; not dumped" message.

Sunday, March 04, 2007

planned move to ubuntu...

I am starting my migration from Arch to Ubuntu, as the latter has better out-of-the-box support for different things that I don't want to be bothered with configuring. For this I need to wait for my new external HDD, so that I can fully reformat my system; my 2 largest partitions are still FAT32 (from XP).

What I want to do is divide the HDD into root (system, 5 GB) and home (where I keep my documents, 4 GB); the rest will be just one giant partition with all of my media.

This move will help me concentrate on my work more, as I won't have to tinker with the system that much.

Tuesday, February 27, 2007

Archlinux

If you want to learn about Linux this is the way to go: it is (relatively) easy to use, and it will teach you the Linux basics. The best part is that at the end you get a stable OS running on your PC with the applications that you use and nothing more. Everything is kept updated thanks to a little thing called pacman. This is not a technical review of Arch, just a little something; for more info take a look at their site.

Have fun

Sunday, November 19, 2006

Back to Linux.....

I have moved back to Linux ... after a long stay with Windows... I got Zenwalk up and running on my PC and it is great... everything is as good as it gets... only one problem.... I have to keep Windows, as the program that came with my phone needs Windows (Explorer) to copy files to and from my phone... I will see if I can get it running under Wine; if I could do that I would not even need Windows. The only thing needed right now is a spare hard drive so that I can copy my files to it and reformat the whole system.

You can read more about Zenwalk on www.zenwalk.org