WARNING: ifconfig
is deprecated!
- checking status of network interfaces using
ip
tool:
$ ip address
$ ip link
- checking status of network interfaces using
networkctl
tool:
$ networkctl status IFNAME
- checking status of ntework using
systemd
tool:
$ sudo service systemd-networkd status
- checking detailed physical capabilities of network interface using ethtool:
$ sudo ethtool IFNAME
NOTE: ethtool
uses set of ioctl
's (such as SIOCETHTOOL
for media physical speed)
to get additional information which can't be provided by any other default tools.
- list open tcp ports using
ss
:$ sudo ss -ntlp
- list open tcp ports using
netstat
(DEPRECATED):$ sudo netstat -ntlp
- -n / --numeric : show IP address instead of resolved host name
- -t / --tcp : show TCP ports only
- -l / --listening : show listening / open ports only
- -p / --programs : show PID / app name
/etc/netplan/01-network-manager-all.yaml
/etc/udev/rules.d/
/var/lib/udev/
- add
net.ifnames=0 biosdevname=0
options toGRUB_CMDLINE_LINUX_DEFAULT
variable inside/etc/default/grub
configuration file - optionally, to name interface based on MAC address, add
udev
rule like:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="__:__:__:__:__:__", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="em0"
To listen traffic (aka "sniffing"), these two steps should be performed:
- set packet forwarding:
$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
- set promisc mode for network interface:
$ sudo ip link set IFNAME promisc on
- run
tcpdump
to capture packets fully:
$ sudo tcpdump -i IFNAME -nn -XX -vvv -s0 -S [-e FILTER RULE(S)]
$ sudo iptables -I INPUT -p ${PROTO} --dport ${PORT} -j ACCEPT
$ sudo iptables -I OUTPUT -p ${PROTO} --sport ${PORT} -j ACCEPT
- PROTO - protocol: tcp or udp
- PORT - port number
-i
: /path/to/private/key-C
: enable data compression-f
: run in background-N
: do not execute [remote shell] command-n
: disable reading from STDIN-q
: enable quite output and show only fatal errors-T
: disable pseudo-terminal allocation-D
: [bind_host:]port
-o HostKeyAlgorithms= :
opts- use the host key algorithms that the client wants to use in order of preference (use
ssh -Q key` to check available opts)1-o PubkeyAuthentication=
:yes
/no
- use keys' pair authentication method-o PasswordAuthentication=
:yes
/no
- use password authentication method-o StrictHostKeyChecking=
:yes
/no
- use interactive request (yes
) or just add host toknown_hosts
(no
)-o IdentityFile=
:priv key
- use file as private key to connect (same as-i
)-o UserKnownHostsFile=
:hosts
- use file as known hosts fingerprint (set as/dev/null
to skip the error)2-o ServerAliveInterval=
:N
- useN
seconds keep-alive "heart beat"-o ConnectTimeout=
:N
- useN
seconds as timeout during connection
Permissions for files in ~/.ssh
directory3:
drwxr-xr-x / 755 ..
drwx------ / 700 .
-rw------- / 600 config
-rw------- / 600 authorized_keys
-rw------- / 600 known_hosts
-rw------- / 600 *.priv
-rw-r--r-- / 644 *.pub
$ ssh-keygen [-H] -F example.com
- locally detect fingerprint line for
example.com
host in~/.ssh/known_hosts
config file and print it (if any) -H
: hide the line number info
`$ ssh-keygen -R exampe.com
- remove fingerprint line for
exampe.com
host from~/.ssh/known_hosts
config file (if any)
$ ssh-keyscan [-H] example.com
- remotely scan
example.com
host for fingerprint line and print it (if any) -H
: hash host name
- pick port number for proxy and set it:
$ PORT=1234
- set packet forwarding:
$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
- optionally, set
iptables
rules for IP client address only:
$ sudo iptables -A INPUT --src ${IP} -p tcp --dport ${PORT} -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport ${PORT} -j REJECT
- run
ssh
session:
$ ssh -N -D 0.0.0.0:${PORT} localhost
- optionally, to get IP address of a server:
$ curl ifconfig.me
- set web proxy setting in browser/environment on client IP as
IP/HOSTNAME:PORT
- pick port number for route and set it:
$ PORT_ROUTE=1234
- pick port number for proxy and set it:
$ PORT_PROXY=5678
- run
ssh
session on NAT gateway host:
$ ssh -R ${PORT_ROUTE}:localhost:22 [email protected]
- run
ssh
session on example host:
$ ssh -p ${PORT_ROUTE} localhost -D ${PORT_PROXY}
- test the connection from example host:
$ curl http://portquiz.net
Port 80 test successful!
Your IP: <IP address of example.com>
$ curl --socks5 localhost:${PORT_PROXY} http://portquiz.net
Port 80 test successful!
Your IP: <IP address of NAT gateway>
- pick port number for tunnel and set it:
$ PORT_TUNNEL=4321
- run
ssh
session on NAT gateway host:
$ ssh -N -R ${PORT_TUNNEL}:localhost:22 [email protected] -p 22
- run
ssh
client connecting back to NAT gateway host from example host:
$ ssh client@localhost -p ${PORT_TUNNEL}
DRAFT
- add user:
$ sudo useradd -m mysshuser
- set password
- populate .ssh & set permissions
- add section to sshd:
AllowUsers mysshuser
Match User mysshuser
AllowTcpForwarding yes
PermitTunnel yes
GatewayPorts yes
AllowAgentForwarding no
PermitOpen localhost:8080
ForceCommand echo 'No no no!'
- restart sshd and test local ssh login using keys:
$ sudo service ssh restart ; ssh mysshuser@localhost -i /home/mysshuser/.ssh/id_rsa
- edit etc/passwd to set bin/false
mysshuser:...:/bin/false
- edit etc/shadow to disable password
mysshuser:!:1...`
- install required package:
$ sudo apt install libpam-google-authenticator
- configure authentication setup:
- run:
$ google-authenticator
make tokens to be time-based? y
- scan QR code using TOTP app like Google Authenticator or FreeOTP
- enter TOTP code from app to terminal when requested
- provide the answers to configure TOTP:
update your config file? y
disallow multiple uses? y
increase the login window? n
enable login rate-limit? y
- run:
- configure
sshd
for TOTP setup:/etc/ssh/sshd_config
: add/enableUsePAM yes
andChallengeResponseAuthentication yes
/etc/pam.d/sshd
: add/enableauth required pam_google_authenticator.so
right after@include common-auth
block- optionally: add
nullok
option for the lineauth required pam_google_authenticator.so
to disable TOTP for users without TOTP configured
- now this configuration will be working in the following way:
- if login user uses valid & authorized ssh key file, then sshd will accept connection unconditionaly
- if login user uses valid password, then sshd will ask for password first and for TOTP verification code right after password before accepting connection
As a quick'n'dirty solution:
- on server:
- install & run any web server, i.e.:
$ python3.8 -m http.server 8080 -d www/html
- go to its
www/html
directory - run (tweak command for desirable size to test):
$ sudo touch file.bin && sudo truncate -s 1GB file.bin
- install & run any web server, i.e.:
- on client:
- run
$ wget -v -O /dev/null https://server/file.bin
or$ curl -o /dev/null http://server:8080/file.bin
- run
Proxy Auto Configuration file is a special server-side file which allows redirecting client requests for particular hosts. To use this feature:
- create & put sample file like
inet.pac
towww/html
directory on server with this content:
function FindProxyForURL(url, host) {
alert("url = " + url);
alert("host = " + host);
if (
shExpMatch(host, "*test.org*") ||
shExpMatch(host, "*example.com*")
) {
return "SOCKS host:port";
} else {
return "DIRECT";
}
}
- configure browser on client to use proxy autoconfiguration and provide the setting line as
https://server/inet.pac
Footnotes
-
this option is useful when the error message like "Unable to neotiate with HOST port NUMBER: no matching host key type found. Their offer: [...]" displayed. ↩
-
set
-o UserKnownHostsFile=/dev/null
only if you're fully aware of what & why you're doing this exactly since this is VERY INSECURE. ↩ -
https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder ↩