sftp and port forward only login 
I need an SSH login that allows restricted port forwarding but gives the user no shell.

This is done in /etc/ssh/sshd_config:
...
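# Serve SFTP from inside sshd itself, so no sftp-server binary is needed in the chroot.
Subsystem sftp internal-sftp

# Everything below applies only to this one account.
Match user USER
    PasswordAuthentication yes
    AllowAgentForwarding no
    X11Forwarding no
    # PermitOpen does not cover remote (-R) forwards, so allow only
    # client-to-server (-L) forwarding. The "local" value needs OpenSSH 6.2 or
    # newer; run "sshd -t" before reloading so an unsupported value cannot
    # stop sshd from starting.
    AllowTcpForwarding local
    # Any session that asks for a shell or a command gets SFTP instead.
    ForceCommand internal-sftp
    # The only forwarding destination sshd will open for this user.
    PermitOpen localhost:22
    # sshd requires this directory and every parent to be owned by root and
    # not writable by group or others, otherwise the login is refused.
    ChrootDirectory /home/USER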

"PermitOpen"restricts portforward to localhost:22 (remote port forward is not restricted)

But this fails if the client needs a login shell.

Well you could tell the client to not use a login shell:

# -N: set up the forward only, never request a shell or remote command.
# NOTE(review): the forward target (IP:22 here) has to be a destination the
# server's PermitOpen line allows, written the same way - confirm against the
# sshd_config in use.
ssh -N -L 2222:IP:22 USER@SERVER

putty: SSH / Protocol Option enable "Don't start a shell or command at all"

or use a custom login shell in which the user can only press return to disconnect:

/etc/ssh/sshd_config:
...
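# Serve SFTP from inside sshd itself, so no sftp-server binary is needed in the chroot.
Subsystem sftp internal-sftp

# Everything below applies only to this one account. There is no ForceCommand
# here: a shell request runs the login shell from the account's /etc/passwd
# entry (the page sets it to /own_loginshell).
Match user USER
    PasswordAuthentication yes
    AllowAgentForwarding no
    X11Forwarding no
    # PermitOpen does not cover remote (-R) forwards, so allow only
    # client-to-server (-L) forwarding. The "local" value needs OpenSSH 6.2 or
    # newer; run "sshd -t" before reloading so an unsupported value cannot
    # stop sshd from starting.
    AllowTcpForwarding local
    # The only forwarding destination sshd will open for this user.
    PermitOpen 127.0.0.1:2222
    # sshd requires this directory and every parent to be owned by root and
    # not writable by group or others, otherwise the login is refused.
    ChrootDirectory /home/USER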

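# Suppress the login messages (motd, last login) for this account.
sudo touch /home/USER/.hushlogin
# The login shell sits at the top of the chroot (/own_loginshell as seen from
# inside it). Install it root-owned and not writable by the user, so the
# account cannot replace its own login shell with another program.
sudo install -o root -g root -m 0755 own_loginshell /home/USER/own_loginshell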
/etc/passwd:USER:x:ID:ID::/:/own_loginshell

own_loginshell.c:
/*
simple program to print to stdout and read from stdin without libc

taken from http://crazychenz.com/archives/107
(http://stackoverflow.com/questions/2548486/compiling-without-libc)

modified 2011 by Peter Holik (peter@holik.at)

gcc -nostdlib -nostartfiles -fno-builtin own_loginshell.c -o own_loginshell
*/

/* Types - declared by hand because no libc headers are included; the
 * definition mirrors the kernel's own typedef.
 * NOTE(review): unsigned int is the right width for size_t on 32-bit x86
 * only, which is also the ABI the int $0x80 calls below use - confirm the
 * build target.
 */
typedef unsigned int size_t;

/* Syscalls */
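/*
 * exit: end the process through system call 1 (exit) on the int $0x80 gate.
 * error_code - status handed to the kernel in %ebx.
 * Does not return.
 *
 * The original relied on an implicit int return type, which C99 and later
 * (and recent GCC releases) reject; the function never produced a value, so
 * it is declared void.
 */
void exit(int error_code) {
    /* Extended inline asm maps C values onto registers: the call number goes
     * in %eax, the first argument in %ebx. volatile and the "memory" clobber
     * keep the compiler from dropping or reordering the call.
     */
    asm volatile("int $0x80"
        : /* no output registers */
        : "a" (1), "b" (error_code)
        : "memory"
    );
    /* Never reached; gives the compiler no fall-through path to reason about. */
    for (;;) { }
}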

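/*
 * read: thin wrapper around system call 3 (read) on the int $0x80 gate.
 * fd    - descriptor to read from
 * buf   - destination; must point to writable memory of at least count bytes
 * count - maximum number of bytes to read
 * Returns the value the kernel leaves in %eax.
 * NOTE(review): size_t is unsigned here, so a kernel error (a negative value)
 * arrives as a very large number - check for that before using the result
 * as a length.
 */
size_t read(unsigned int fd, char * buf, size_t count) {
    size_t ret;
    /* volatile: the call has side effects and must survive even when ret is
     * unused. "memory": the kernel stores into buf without the compiler
     * seeing it, so cached copies of that memory must be discarded.
     */
    asm volatile("int $0x80"
        : "=a" (ret)
        : "a" (3), "b" (fd), "c" (buf), "d" (count)
        : "memory"
    );
    return ret;
}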

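/*
 * write: thin wrapper around system call 4 (write) on the int $0x80 gate.
 * fd    - descriptor to write to
 * buf   - bytes to send
 * count - number of bytes to take from buf
 * Returns the value the kernel leaves in %eax.
 * NOTE(review): size_t is unsigned here, so a kernel error (a negative value)
 * arrives as a very large number.
 */
size_t write(unsigned int fd, const char * buf, size_t count) {
    size_t ret;
    /* volatile: the output is often ignored by callers, and without it the
     * compiler may delete the whole call. "memory": the kernel reads buf, so
     * pending stores to it must be completed first.
     */
    asm volatile("int $0x80"
        : "=a" (ret)
        : "a" (4), "b" (fd), "c" (buf), "d" (count)
        : "memory"
    );
    return ret;
}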

/* Notice that there is no main in this code, that is because
* main is not _really_ required. All that is _really_ required
* is the entry point for Linux to execute. I'd suggest
* always using a main() for compatibility reasons.
*/
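/*
 * _start: program entry point (no libc, so no main). Prints a prompt, waits
 * for one byte on stdin and exits with status 0. Command-line arguments are
 * never looked at, so the program does the same thing however it is invoked.
 *
 * NOTE(review): call numbers 1/3/4 with int $0x80 are the 32-bit x86 system
 * call interface; on a 64-bit toolchain build with -m32.
 */
void _start() {
    /* Prompt text; sizeof keeps the length in step with the string. */
    static const char prompt[] = "press enter to close connection";
    /* Separate writable byte for the read. The original passed the string
     * literal as the destination, which lives in read-only memory. Kept
     * static so that no stack buffer (and no stack-protector code, which
     * would need libc) is involved.
     */
    static char key;

    write(1, prompt, sizeof(prompt) - 1);
    read(0, &key, 1);
    exit(0);
}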


chrooted sftp only 
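# Account with no usable shell; -m creates /home/SFTPUSER.
useradd -s /bin/false -m SFTPUSER
mkdir /home/SFTPUSER/.ssh
# Key without a passphrase (-N '') for unattended transfers: whoever can read
# id_rsa can log in as SFTPUSER. In a real deployment the private half belongs
# on the client machine, not in the server-side home directory.
ssh-keygen -t rsa -b 2048 -N '' -f /home/SFTPUSER/.ssh/id_rsa
# sshd accepts the key only if its public half is listed in authorized_keys.
# The account has password login switched off, so without this line the sftp
# call that uses this key would be refused.
cat /home/SFTPUSER/.ssh/id_rsa.pub >> /home/SFTPUSER/.ssh/authorized_keys
chown -R SFTPUSER:SFTPUSER /home/SFTPUSER/.ssh
chmod 700 /home/SFTPUSER/.ssh
chmod 600 /home/SFTPUSER/.ssh/id_rsa /home/SFTPUSER/.ssh/authorized_keys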

/etc/ssh/sshd_config:
# In-process SFTP server; works inside a chroot without extra binaries.
Subsystem sftp internal-sftp

# Restrictions for the upload account only.
Match user SFTPUSER
    # Key-based login only.
    PasswordAuthentication no
    # No TCP port forwarding and no X11 forwarding through this account.
    AllowTcpForwarding no
    X11Forwarding no
    # Every session becomes SFTP, whatever the client requests.
    ForceCommand internal-sftp
    # The account's view of the file system is confined to /chroot.
    ChrootDirectory /chroot
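# sshd refuses to chroot into a directory that is not owned by root or that
# group/others can write to, so set both owner and mode explicitly.
chown root:root /chroot
chmod 755 /chroot
# The account cannot write to /chroot itself; uploads go into this
# subdirectory, which it owns.
mkdir /chroot/SFTPUSERDIR
chown SFTPUSER:SFTPUSER /chroot/SFTPUSERDIR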

# Non-interactive upload: the one sftp command arrives on stdin.
# ServerAliveInterval=15 makes the client probe the server every 15 seconds
# so a dead connection is noticed; TCP-level keepalives are switched off.
printf '%s\n' 'put FILENAME' |
  sftp -o IdentityFile=/home/SFTPUSER/.ssh/id_rsa \
    -o TCPKeepAlive=no -o ServerAliveInterval=15 \
    SFTPUSER@localhost:SFTPUSERDIR


secure rsync to only one directory 
I want to rsync to a given directory on a remote host.

local-host:
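# Dedicated key pair for the rsync job; -f supplies the key file name that
# ssh-keygen would otherwise ask for (~/.ssh/rsync).
ssh-keygen -t rsa -f ~/.ssh/rsync
# Full path to the public half, so the command works from any directory.
ssh-copy-id -i ~/.ssh/rsync.pub rsyncuser@remote-host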

rsync files with ssh:
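# Mirror LOCALDIR to the remote account over ssh with the dedicated key.
# --delete removes remote files that no longer exist locally.
# The "-c arcfour" cipher override was dropped: RC4 is a broken cipher and
# current OpenSSH releases no longer offer it, so ssh now negotiates one of
# its default ciphers. Compression stays off and -x disables X11 forwarding.
rsync -vaHxr --delete \
  -e "ssh -i ~/.ssh/rsync -o Compression=no -x" \
  LOCALDIR rsyncuser@remote-host: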

remote-host

/home/rsyncuser/.ssh/authorized_keys:
# NOTE(review): in the real authorized_keys file the options, key type and key
# must all be on ONE line; the page wraps the entry across three lines.
# from=     accepts this key only from the listed client address(es).
# command=  runs this script on every login with the key, regardless of what
#           the client asked for. The script is not shown on this page; the
#           restriction is only as strict as the checks inside it.
# no-pty, no-agent-forwarding, no-port-forwarding switch those features off.
# NOTE(review): the key type here is ssh-dss, but the key above is generated
# with "ssh-keygen -t rsa" - the type must match the actual public key.
from="192.168.0.2,",command="/home/rsyncuser/validate-rsync.sh",
no-pty,no-agent-forwarding,no-port-forwarding
ssh-dss 012345678...
Limit access with from= (optional).
On successful SSH login, the command is executed.
block ssh brute force attacks / prevent synflooding 
With the iptables module "recent" you can limit the number of TCP connection attempts. In my case I allow only 3 SSH connection attempts per minute. This stops script kiddies doing SSH brute-force attacks.
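# Dedicated chain that rate-limits new SSH connections per source address.
iptables -N synflood
# Record the source address of each new SSH connection in the "SSH" list.
iptables -A synflood -p tcp --dport ssh -m recent --set --name SSH
# Drop once a source has 4 entries within 60 seconds, i.e. 3 attempts per
# minute get through. --update also refreshes the entry's timestamp, so a
# source that keeps trying stays blocked until it has been quiet for 60 s.
iptables -A synflood -p tcp --dport ssh -m recent --update \
  --seconds 60 --hitcount 4 --name SSH -j DROP

# Send every new TCP connection through the chain, for traffic to this host
# and for traffic forwarded from the outside interface.
iptables -A INPUT -p tcp -m state --state NEW -j synflood
# OUT must hold the outside interface name (it is set elsewhere); ${OUT:?}
# aborts the command instead of adding a rule with an empty interface.
iptables -A FORWARD -i "${OUT:?set OUT to the external interface}" -p tcp -m state --state NEW -j synflood
# NOTE(review): the list is keyed on the source address, so it limits
# repeated attempts from one address but not floods from many or forged
# addresses, and a forged address can get a legitimate client blocked.
# IPv6 traffic needs the same rules in ip6tables.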


Wildcard certificate with virtual hosts and one IP 
apache
# Name-based virtual hosts on both ports.
# NOTE(review): Apache 2.4 treats NameVirtualHost as a deprecated no-op; the
# directive is only needed on 2.2 and older.
NameVirtualHost *:80
NameVirtualHost *:443

# First HTTPS host on the shared address.
<VirtualHost *:443>
ServerName one.domain.at

SSLEngine on
# Both hosts point at the same certificate and key (presumably the wildcard
# certificate for *.domain.at), so the certificate presented during the TLS
# handshake is valid whichever host name the client asked for.
SSLCertificateFile /etc/ssl/certs/domain.at.pem
# NOTE(review): the private key should be readable by root only - confirm the
# file mode. No SSLProtocol/SSLCipherSuite is set in the lines shown, so the
# defaults of the installed version apply.
SSLCertificateKeyFile /etc/ssl/private/domain.at.key

# Separate access and error logs per host.
CustomLog /var/log/apache2/one.access.log combined
ErrorLog /var/log/apache2/one.errors.log
.
.
.
</VirtualHost>

# Second HTTPS host: same address, certificate and key; own name and logs.
<VirtualHost *:443>
ServerName two.domain.at

SSLEngine on
SSLCertificateFile /etc/ssl/certs/domain.at.pem
SSLCertificateKeyFile /etc/ssl/private/domain.at.key

CustomLog /var/log/apache2/two.access.log combined
ErrorLog /var/log/apache2/two.errors.log
.
.
.
</VirtualHost>
lighttpd
# One TLS listener on port 443 for all host names; the certificate is set
# once at socket level and the hosts are told apart inside by the Host header.
$SERVER["socket"] == "0.0.0.0:443" {
ssl.engine = "enable"
# SSLv2 is switched off.
# NOTE(review): nothing in the lines shown restricts SSLv3 or the cipher
# list - check what the installed lighttpd version enables by default.
ssl.use-sslv2 = "disable"
# NOTE(review): presumably this file holds the wildcard certificate together
# with its private key - if so it should be readable by root only; confirm.
ssl.pemfile = "/etc/lighttpd/ssl/domain.at.pem"
ssl.ca-file = "/etc/lighttpd/ssl/cacert.pem"
# Per-host settings: name, logs and document root.
$HTTP["host"] == "one.domain.at" {
server.name = "one.domain.at"
server.errorlog = "/var/log/lighttpd/one_error.log"
accesslog.filename = "/var/log/lighttpd/one_access.log"
server.document-root = "/var/www/one"
}

$HTTP["host"] == "two.domain.at" {
server.name = "two.domain.at"
server.errorlog = "/var/log/lighttpd/two_error.log"
accesslog.filename = "/var/log/lighttpd/two_access.log"
server.document-root = "/var/www/two"
}
}

