The document discusses various SSH tricks and configurations, including setting up port forwarding tunnels for a "poor man's VPN", configuring SSH keys and host fingerprints, and using the ~/.ssh/config file to define SSH connection settings and aliases. It also covers enabling SSH autocompletion and disabling host key checking for automated deployments.
Jaime Piña, @variadico, Software Engineer at Apcera
Microservice issues are networking issues. Fixing code in your app is easy, but the hard part of using microservices is the networking. How do you actually know if you're sending what you think you are? Why does this request fail in my app, but not when I use curl? Is this service very slow or is it up at all?
This talk will help demystify some common problems you might experience while building out your collection of microservices. Once you can find the issue, it becomes way easier to fix.
Presentation for the postgraduate programme in Information Security:
- Sniffing plaintext passwords;
- Brute-force attacks against SSH;
- Protection: firewall, IPS and/or TCP Wrappers;
- Basic hardening in sshd_config;
- RSA/DSA keys for remote access;
- SSH looking up keys in LDAP;
- Why prevent access at all: the fork bomb
Overview of the SSH protocol.
SSH (Secure SHell) is a secure replacement for TELNET, rcp, rlogin and rsh (login, remote execution of commands, file transfer).
Security-wise, SSH provides confidentiality (nobody else can read the message content), integrity (a guarantee that data is unaltered in transit) and authentication (of client and server). This protects against many attack vectors such as IP spoofing, DNS spoofing, password interception and eavesdropping.
SSH exists in two versions. SSH-2 fixes shortcomings of SSH-1, so it should be used in place of SSH-1.
SSH also comes with features that themselves raise security concerns, such as tunneling and port forwarding.
6. Enter ~/.ssh/config
$ cat /home/lotr/.ssh/config
Host moria.middle.earth
User gandalf
Port 1234
Host mordor.middle.earth
User gollum
IdentityFile ~/.ssh/smeagol.rsa
Port 666
Host *.middle.earth
User hobbits
KexAlgorithms diffie-hellman-group1-sha1
You can put almost any ssh_config option in there, and Host patterns accept wildcards. Keep the specific Host blocks above the wildcard one: ssh reads the file top to bottom and keeps the first value it finds for each option, so a "Host *.middle.earth" block placed first would set User for every host. The file is honoured by ssh, scp and sftp (all OpenSSH clients) and by other clients that parse it, such as libssh-based tools that call its config parser.
This is just the beginning of what you can do in .ssh/config
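As an added example (not part of the original deck), here is a small POSIX sh resolver that applies the config above the way ssh(1) does, so you can see which stanza wins for a given host before connecting. It assumes one "Keyword value" per line and no Match or Include directives; OpenSSH itself gives the same answer with `ssh -G hostname`, which prints the fully resolved configuration. Note what the resolver makes visible: the deck's wildcard stanza pins KexAlgorithms diffie-hellman-group1-sha1 for every *.middle.earth host, moria and mordor included. That is a legacy 1024-bit SHA-1 group that current OpenSSH disables by default, so pin it only in a stanza for the hosts that genuinely need it.

```shell
#!/bin/sh
# Resolve an option for a host from an ssh_config file the way ssh(1) does:
# stanzas are scanned top to bottom, every "Host" line whose glob pattern
# matches the host name applies, and the FIRST value found for an option wins.
# That is why the catch-all "Host *.middle.earth" stanza must sit below the
# specific hosts: placed on top it would hijack User for everyone.
# Assumptions (this is an illustration, not OpenSSH's own parser): one
# "Keyword value" per line, no "Keyword=value", no Match or Include.
# Hostname globbing reuses the shell's case patterns (* ? and ! as in ssh).
ssh_config_lookup() {
    cfg=$1 host=$2 want=$3
    want=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    active=1              # options above the first Host line apply to every host
    have=0 found=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}          # trim leading blanks
        case "$line" in ''|'#'*) continue ;; esac       # skip blanks/comments
        key=${line%%[[:space:]]*}
        val=${line#"$key"}
        val=${val#"${val%%[![:space:]]*}"}
        case "$(printf '%s' "$key" | tr 'A-Z' 'a-z')" in
        host)
            # A Host line matches when some positive pattern matches the host
            # and no negated (!pattern) one does. set -f stops the shell from
            # expanding "*.middle.earth" against the current directory.
            active=0
            set -f
            for pat in $val; do
                case "$pat" in
                '!'*) case "$host" in ${pat#!}) active=0; break ;; esac ;;
                *)    case "$host" in $pat)     active=1 ;; esac ;;
                esac
            done
            set +f ;;
        "$want")
            if [ "$active" -eq 1 ] && [ "$have" -eq 0 ]; then
                found=$val have=1                       # first value wins
            fi ;;
        esac
    done < "$cfg"
    printf '%s\n' "$found"    # empty line when the option is unset
}

# The deck's config, written out as sample input to a temp file instead of
# /home/lotr/.ssh/config.
sample_config() {
    cat <<'EOF'
Host moria.middle.earth
    User gandalf
    Port 1234
Host mordor.middle.earth
    User gollum
    IdentityFile ~/.ssh/smeagol.rsa
    Port 666
Host *.middle.earth
    User hobbits
    KexAlgorithms diffie-hellman-group1-sha1
EOF
}

# Stand-alone demo: the specific stanzas win for User and Port, but the
# wildcard stanza still supplies KexAlgorithms to every *.middle.earth host,
# so the weak diffie-hellman-group1-sha1 is pushed onto moria and mordor too.
demo_cfg=$(mktemp)
sample_config > "$demo_cfg"
for h in moria.middle.earth mordor.middle.earth rivendell.middle.earth; do
    printf '%-24s User=%-8s Port=%-5s Kex=%s\n' "$h" \
        "$(ssh_config_lookup "$demo_cfg" "$h" User)" \
        "$(ssh_config_lookup "$demo_cfg" "$h" Port)" \
        "$(ssh_config_lookup "$demo_cfg" "$h" KexAlgorithms)"
done
rm -f "$demo_cfg"
```

Run it and compare the three lines with `ssh -G moria.middle.earth` on a box that has the real config installed; the User, Port and KexAlgorithms values should agree.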
20. ssh user@remote_host -L 8000:127.0.0.1:9091 -N -f
user@remote_host: . . .
8000: port opened on MY machine (bound to loopback unless you give a bind address or set GatewayPorts)
127.0.0.1:9091: address resolved on the REMOTE host, i.e. port 9091 on remote_host's own loopback
-N: don't execute a remote command, just hold the tunnel open
-f: go to background once authentication is done
21. The other way round
ssh user@remote_host -R 8111:127.0.0.1:80 -N -f
8111: port opened on the REMOTE host; sshd binds it to the remote loopback unless its GatewayPorts option allows more
127.0.0.1:80: address resolved on MY machine, i.e. whatever is listening on my local port 80
Anyone who can reach remote_host:8111 now reaches my local web server, so treat a -R tunnel as publishing a service.
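An added example, not from the slides, that turns the two forwarding commands above into a checked form: it parses ssh's [bind_address:]port:host:hostport spec, defaults the bind address to 127.0.0.1 so the tunnel entrance is never accidentally exposed on all interfaces, refuses wildcard binds and bad ports, and adds `-o ExitOnForwardFailure=yes` so a backgrounded `-f -N` client exits instead of pretending the tunnel is up when the listener could not bind. The user, host and port values are the slides' own placeholders; IPv6 bracket syntax is not handled.

```shell
#!/bin/sh
# Build a hardened local (-L) or remote (-R) forward from a spec in ssh's
# [bind_address:]port:host:hostport form, and explain where each side lives.
# Semantics follow ssh(1): with -L the listener is on MY machine and
# host:hostport is resolved by the REMOTE host; with -R the listener is on the
# REMOTE host and host:hostport is resolved by MY machine.
# Hardening added here (not in the slides' command):
#   * bind address defaults to 127.0.0.1; "*", "0.0.0.0", "::" and an empty
#     address (which defers to GatewayPorts) are refused, so the tunnel
#     entrance cannot silently become reachable from other hosts;
#   * -o ExitOnForwardFailure=yes, because with -f -N the client would
#     otherwise sit in the background looking healthy after the listener
#     failed to bind (port taken, or sshd refusing the -R port).
# Assumption: no IPv6 "[addr]:port" bracket syntax in the spec.
ssh_forward_parse() {
    spec=$1
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' \t')
    case "$colons" in
    2) FWD_BIND=127.0.0.1 ;;
    3) FWD_BIND=${spec%%:*}; spec=${spec#*:} ;;
    *) echo "bad forward spec: $1" >&2; return 2 ;;
    esac
    FWD_PORT=${spec%%:*}; spec=${spec#*:}
    FWD_HOST=${spec%%:*}; FWD_HOSTPORT=${spec#*:}
    case "$FWD_BIND" in
    '*'|0.0.0.0|::|'')
        echo "refusing bind address '$FWD_BIND': listener would be reachable from other hosts" >&2
        return 2 ;;
    esac
    for p in "$FWD_PORT" "$FWD_HOSTPORT"; do
        case "$p" in ''|*[!0-9]*) echo "bad port '$p'" >&2; return 2 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 2
        fi
    done
}

# ssh_forward_cmd MODE SPEC USER@HOST  -> prints the hardened ssh command line
ssh_forward_cmd() {
    mode=$1 target=$3
    case "$mode" in L|R) ;; *) echo "mode must be L or R" >&2; return 2 ;; esac
    ssh_forward_parse "$2" || return $?
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -%s %s:%s:%s:%s %s\n' \
        "$mode" "$FWD_BIND" "$FWD_PORT" "$FWD_HOST" "$FWD_HOSTPORT" "$target"
}

# ssh_forward_explain MODE SPEC  -> one line saying which side listens and
# which side resolves the destination, for whoever reviews the deploy script
ssh_forward_explain() {
    mode=$1
    ssh_forward_parse "$2" || return $?
    case "$mode" in
    L) printf 'listen on MY machine at %s:%s; remote host connects to %s:%s\n' \
           "$FWD_BIND" "$FWD_PORT" "$FWD_HOST" "$FWD_HOSTPORT" ;;
    R) printf 'listen on REMOTE host at %s:%s (loopback only unless sshd sets GatewayPorts); my machine connects to %s:%s\n' \
           "$FWD_BIND" "$FWD_PORT" "$FWD_HOST" "$FWD_HOSTPORT" ;;
    *) echo "mode must be L or R" >&2; return 2 ;;
    esac
}

# Stand-alone demo with the slides' two forwards, plus one that gets rejected.
ssh_forward_cmd L 8000:127.0.0.1:9091 user@remote_host
ssh_forward_explain L 8000:127.0.0.1:9091
ssh_forward_cmd R 8111:127.0.0.1:80 user@remote_host
ssh_forward_explain R 8111:127.0.0.1:80
ssh_forward_cmd L '*:8000:127.0.0.1:9091' user@remote_host || echo "rejected as expected"
```

After the tunnel is up, `ss -ltnp` (or `netstat -an`) on the listening side should show the port bound to 127.0.0.1 only; if it shows 0.0.0.0 or *, a bind address or GatewayPorts setting has widened it.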
25. >THIS< fingerprint
The authenticity of host '178.36.62.115 (178.36.62.115)' can't b
ECDSA key fingerprint is SHA256:F0B6XIdcukwjjkI+edez42aQt6W73f+O
Are you sure you want to continue connecting (yes/no)
This is a great security feature, protecting against MITM attacks: the host key is recorded in ~/.ssh/known_hosts on first contact, and any later mismatch makes ssh refuse to connect. It can be a real PITA when automatically deploying or copying something, especially if the remote server got reinstalled without preserving its old host keys, because the new key is exactly the mismatch the check exists to catch.
29. Solution?
ssh -o UserKnownHostsFile=/dev/null
-o StrictHostKeyChecking=no
somebody@somewhere
This line disables fingerprint checking (StrictHostKeyChecking=no) and routes to the void anything that would be written to the known hosts file (UserKnownHostsFile=/dev/null), so every connection looks like a silently accepted first contact.
It also removes the MITM protection entirely: anyone who can redirect the traffic can stand in for somewhere and capture credentials or the deployed content, and ssh will never report a mismatch. Reserve it for throwaway test hosts. For real deployments, remove the stale entry with ssh-keygen -R somewhere and pre-seed the new key from a trusted source, or use StrictHostKeyChecking=accept-new (OpenSSH 7.6 and later), which accepts the key of a host not yet in known_hosts but still rejects a changed one.
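Added example (not part of the original deck) of the alternative the slide stops short of: keep strict checking and rotate the pinned entry instead. known_hosts_pin drops the stale unhashed entries for a host from a known_hosts file and appends the new key, which you obtain out of band (from the provisioning system or a console session, or via ssh-keyscan over a path you trust, compared against the fingerprint the host owner publishes); known_hosts_lookup shows what is pinned. The key material in the sample file is constructed placeholder text, not real keys, and 178.36.62.115 is the slide's own example address. Hashed entries (HashKnownHosts) are left untouched, and a host on a non-standard port must be given in known_hosts form, [host]:port.

```shell
#!/bin/sh
# Safer handling of the "server got reinstalled" case than turning host key
# checking off: keep StrictHostKeyChecking=yes and replace the stale entry
# with the new key obtained out of band. Plain sh/awk only, so it runs on a
# minimal deploy image without ssh-keygen. Handles the unhashed
# "hostlist keytype key" line format and the @cert-authority/@revoked
# markers; hashed "|1|..." entries are passed through unchanged (assumption).

# _kh_select FILE HOST WANT  -> WANT=1 prints the entries naming HOST,
#                              WANT=0 prints every other line
_kh_select() {
    awk -v h="$2" -v want="$3" '
        {
            hit = 0
            f = ($1 ~ /^@/) ? 2 : 1                 # marker lines keep hosts in $2
            if (index($1, "|1|") != 1 && !/^[ \t]*(#|$)/) {
                n = split($f, names, ",")           # "host1,host2,[host3]:2222"
                for (i = 1; i <= n; i++) if (names[i] == h) hit = 1
            }
            if (hit == want) print
        }' "$1"
}

# known_hosts_lookup FILE HOST  -> the lines currently pinned for HOST
known_hosts_lookup() { _kh_select "$1" "$2" 1; }

# known_hosts_pin FILE HOST "KEYTYPE BASE64KEY [comment]"
# Removes every unhashed entry naming HOST (an alias line such as
# "host,othername ..." goes too, since it is the same machine's key) and
# appends the new one. Other hosts, comments and hashed lines survive.
known_hosts_pin() {
    file=$1 host=$2 keyline=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp) || return 1
    _kh_select "$file" "$host" 0 > "$tmp" &&
        printf '%s %s\n' "$host" "$keyline" >> "$tmp" &&
        mv "$tmp" "$file"
}

# Stand-alone demo on a constructed known_hosts; the key blobs are
# placeholders, not real keys.
demo_kh=$(mktemp)
cat > "$demo_kh" <<'EOF'
# deploy hosts
178.36.62.115 ecdsa-sha2-nistp256 OLDKEYPLACEHOLDER
git.example.net ssh-ed25519 OTHERHOSTPLACEHOLDER
EOF
known_hosts_pin "$demo_kh" 178.36.62.115 'ssh-ed25519 NEWKEYPLACEHOLDER'
echo "pinned now:"
known_hosts_lookup "$demo_kh" 178.36.62.115
echo "deploy with: ssh -o UserKnownHostsFile=$demo_kh -o StrictHostKeyChecking=yes somebody@178.36.62.115"
rm -f "$demo_kh"
```

With the pinned file in place the deploy runs as `ssh -o UserKnownHostsFile=/path/to/pinned -o StrictHostKeyChecking=yes somebody@somewhere`, and a key that does not match fails loudly, which is exactly what you want from a job that has just reached the wrong machine.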