Reverse SSH is a technique that can be used to access systems (that are behind a firewall) from the outside world.
As you already know SSH is a network protocol that supports cryptographic communication between network nodes. Using this protocol, you can do a secure remote login, secure copy from/to a remote machine etc.
You’ll typically do the following to connect to a remote server securely using ssh command.
$ ssh [your-account-login]@[server-ip]
What is Reverse SSH?
SSH is very good tool to access remote machine or server securely. But, the problem arises when you try to connect to a remote server which is behind a firewall and this firewall denies any incoming connection or data transfer request that has no prior outgoing request. This means that only those connections would be allowed which are initiated by the remote server machine. This is a real problem for those who want to access this server machine remotely. Lire la suite…
Si vous possédez un serveur avec ssh opérationnel, vous ne serez pas long à avoir des messages tels que ceux ci dans le fichier /var/log/auth.log:
...
Mar 11 12:48:21 serv sshd[12956]: Failed password for invalid user root from 64.71.148.162 port 47270 ssh2
Mar 11 15:45:04 serv sshd[6954]: Did not receive identification string from 210.21.30.72
Mar 11 15:46:48 serv sshd[7041]: Did not receive identification string from 81.93.188.5
Mar 11 15:47:50 serv sshd[7106]: User root from 210.21.30.72 not allowed because none of user s groups are listed in AllowGroups
Mar 11 15:47:50 serv sshd[7106]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=210.21.30.72 user=root
Mar 11 15:47:52 serv sshd[7106]: Failed password for invalid user root from 210.21.30.72 port 54346 ssh2
Mar 11 15:49:33 serv sshd[7241]: User root from 81.93.188.5 not allowed because none of user s groups are listed in AllowGroups
Mar 11 15:49:33 serv sshd[7241]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=81.93.188.5 user=root
Mar 11 15:49:35 serv sshd[7241]: Failed password for invalid user root from 81.93.188.5 port 44663 ssh2
Mar 12 00:51:18 serv sshd[22229]: User root from host.ongamemarketing.com not allowed because none of user s groups are listed in AllowGroups
Mar 12 00:51:18 serv sshd[22229]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.ongamemarketing.com user=root
Mar 12 00:51:20 serv sshd[22229]: Failed password for invalid user root from 174.133.12.130 port 48089 ssh2
Mar 12 00:51:22 serv sshd[22236]: User root from host.ongamemarketing.com not allowed because none of user s groups are listed in AllowGroups
Mar 12 00:51:22 serv sshd[22236]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.ongamemarketing.com user=root
Mar 12 00:51:24 serv sshd[22236]: Failed password for invalid user root from 174.133.12.130 port 48521 ssh2
Mar 12 01:47:10 serv sshd[30827]: Did not receive identification string from 114.200.199.144
Mar 12 01:53:17 serv sshd[31227]: Invalid user staff from 114.200.199.144
Mar 12 01:53:17 serv sshd[31227]: pam_unix(sshd:auth): check pass; user unknown
Mar 12 01:53:17 serv sshd[31227]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=114.200.199.144
Mar 12 01:53:19 serv sshd[31227]: Failed password for invalid user staff from 114.200.199.144 port 35343 ssh2
Mar 12 01:53:27 serv sshd[31234]: Invalid user sales from 114.200.199.144
...
Vous avez besoin de pouvoir vous connecter en ssh depuis le réseau local, depuis l’extérieur, mais vous voulez limiter les risques. Il existe plusieurs solutions, qui peuvent être cumulées: Lire la suite…
SSH est l’acronyme de Secure SHell. Il s’agit historiquement du remplaçant de Telnet. Telnet est l’outil utilisé pour dialoguer simplement avec un serveur. Sa force : il peut se connecter à n’importe quoi ou presque. Ainsi, un fou utilisant telnet peut envoyer des emails (protocole SMTP), lire des pages Web (protocole HTTP), remettre sa montre à l’heure (protocole NTP), etc… Son inconvénient majeur : toutes les informations circulent en clair sur le réseau, mots de passes compris. A une époque, telnet était utilisé pour ouvrir une session à distance sur un serveur… imaginez le cauchemard. SSH est un outil dédié à l’ouverture de sessions à distances via une connexion sécurisée. Pour faire simple, SSH est à telnet ce que HTTPS est à HTTP : une version chiffrée et sécurisée. Cet article présente certaines des subtilités de SSH. Lire la suite…
Many times it can be convenient to tunnel your web traffic through a proxy, particularly an encrypted one. This web page shows how to easily tunnel your traffic through an ssh-encrypted proxy on Mac OS X. This allows your traffic to traverse your local network without being visible to snoopers, even when visiting unencrypted sites.
It also allows you to appear to come from a different IP address, allowing you to defeat geolocation schemes. In particular, some credit card processors try to make sure that your credit card billing address is correlated with your IP address, which can be hard on us expatriates. Another example is the free credit report web site which doesn’t seem to work from outside the United States. There are undoubtedly many other practical, legitimate uses for this sort of redirection. Lire la suite…
Both netfilter and pf provides rate-limit option to perform simple throttling on incoming connections on port # 22.
Iptables Example
The following example will drop incoming connections which make more than 5 connection attempts upon port 22 within 60 seconds:
#!/bin/bash
inet_if=eth1
ssh_port=22
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --set
$IPT -I INPUT -p tcp --dport ${ssh_port} -i ${inet_if} -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
Call above script from your iptables scripts. Another config option:
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state NEW -m limit --limit 3/min --limit-burst 3 -j ACCEPT
$IPT -A INPUT -i ${inet_if} -p tcp --dport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o ${inet_if} -p tcp --sport ${ssh_port} -m state --state ESTABLISHED -j ACCEPT
# another one line example
# $IPT -A INPUT -i ${inet_if} -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 22 -m limit --limit 5/minute --limit-burst 5-j ACCEPT
See iptables man page for more details.
*BSD PF Example
The following will limits the maximum number of connections per source to 20 and rate limit the number of connections to 15 in a 5 second span. If anyone breaks our rules add them to our abusive_ips table and block them for making any further connections. Finally, flush keyword kills all states created by the matching rule which originate from the host which exceeds these limits.
sshd_server_ip="202.54.1.5"
table <abusive_ips> persist
block in quick from <abusive_ips>
pass in on $ext_if proto tcp to $sshd_server_ip port ssh flags S/SA keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <abusive_ips> flush)
