I'm writing a short script to put as a cronjob. The function of the script should be kicking all ssh-entries (all hosts that are connected via ssh on a machine), except a special host (mostly localhost or the host where I'm sitting at). My idea was:
kill -9 $(pgrep -f ssh)
But this kicks all ssh-entries (including the host where I'm sitting at). How can I change the script so that it won't kick the localhost ?
What you can do is deny all ssh connections that are not coming from localhost. Go to /etc/ssh/sshd_config and add a line that says AllowUsers *#localhost, then restart the ssh server. This will allow only users that come from localhost to connect via ssh. You can also use DenyUsers youruser#yourdomain if you want to blacklist specific users or domains. If users that you blacklisted/that are not on your whitelist try to connect, they'll get a Permission denied message.
Related
I installed nodejs and created a sample app. When I run npm start I get a message saying that I can open my web browser to http://localhost:3000 to see the app in action, but this installation is on a web server - not my local computer, so, instead of localhost:3000 I want to get there using something like mydomain.com:3000
I can't find the answer, it's very likely I just don't know how to search for it... any ideas?
I'm following the tutorial here: https://facebook.github.io/react/tutorial/tutorial.html
I think I only needed to get away from this for a while. I got it working using ssh local forwarding.
I already used an ssh config file to log in to my server without having to remember the password, so I just added this line to my config file:
LocalForward localhost:3000 xxx.xxx.xxx.xxx:3000
where xxx.xxx.xxx.xxx is my server IP address.
Then, I connected to my server via ssh:
ssh -f -N mysite
Once connected, I open up the browser and go to localhost:3000 and there it is now.
I used my ssh config file, but it should also work without it.
ssh -f -N -R 3000:localhost:3000 mydomain.com
I found this command that eventually led me to solve my problem in this link: http://stuff-things.net/2016/01/20/tunneling-to-localhost/
I am trying to access my Linux machine from anywhere in the world. I have tried originally port forwarding and then ssh'ing in; however, I believe my school's WiFi won't allow port forwarding (every time I ran it, it would tell me connection refused). I have setup an account with ngrok and I can remotely SSH in, but now I am wondering if it is possible to RDP. I tried connecting via the Microsoft Remote Desktop app on Mac, but it instantly crashes. I have also looked at trying to connect with localhost, but it's not working. So far, I have tried (with xxxx being the port):
ssh -L xxxx:localhost:xxxx 0.tcp.ngrok.io
and
ssh -L xxxx:localhost:xxxx <user>#0.tcp.ngrok.io
but my computer won't allow it and after about 2 or 3 times, it warns me of a possible DNS Spoofing. Is there anyway that I can run a remote desktop of my linux machine that I have ssh tunneled to (from my mac) on ngrok? Thank you!
First you'll need to sign up with ngrok if you haven't already and you'll be given an authtoken. You'll need to install this by running
./ngrok authtoken <insert your token here>
This will save your token to a file located ../username/.ngrok/ngrok.yml
Then you'll need to ask ngrok to create a TCP tunnel from their servers to your local machine's Remote Desktop port which should be 3389 by default
ngrok tcp 3389
Give it 30 seconds or so then jump to http://localhost:4040/status to see what the tcp address ngrok has allocated you. It should look something like tcp://1.tcp.ngrok.io:158764
Now you should be able to remote into your machine using address 1.tcp.ngrok.io:158764
I have a host that starts a reverse ssh tunnel upon bootup like this:
ssh -N -R 2222:localhost:22 root#10.1.2.6
It works great and the reverse tunnel is formed. But whenever I reboot the host, the remote server that the tunnel is built to says this:
Sep 28 13:13:59 kali sshd[4547]: error: bind: Address already in use
Sep 28 13:13:59 kali sshd[4547]: error: channel_setup_fwd_listener_tcpip: cannot listen to port: 2222
In order for me to resolve this I have to wait a few minutes for the old ssh tunnel to timeout, then find the new ssh connection and kill it, then when I rebuild the ssh tunnel it works fine.
Is there an ssh command or autossh command that does something like checks if the remote host can bind that port, if not, try again in a few seconds?
I believe I have run into the same issue as the original poster. I seem to have found the solution at the end of the accepted answer of this question:
If the client reconnect before the connection has terminated on the server, you can end up in a situation where the new ssh connection is live, but has no port forwardings. In order to avoid that, you need to use the ExitOnForwardFailure keyword on the client side.
I have thus added the following line to my /etc/ssh/ssh_config file at the client side:
ExitOnForwardFailure yes
According to the ssh man page, this option will cause "a client started with -f [to] wait for all remote port forwards to be successfully established before placing itself in the background".
This seems to cause ssh to fail when attempting to start an ssh tunnel immediately after killing one. The option thus enables repeating the attempt until the tunnel is correctly re-established.
In a linux-based system¹, I would like to be able to log on using ssh. I need to launch two (or possibly three) different executables, ideally by connecting to different ports.
Ideally I would like to open a couple of different ports, and have sshd launch different executables² depending on which port. How do I set this up? I have looked through the sshd_config, but without finding anything that looks applicable.
Another alternative that came up was to set up different users, and set up the different applications I want to launch as their respective shells.
(What I do not want to do is to have the remote user specify the executable, as in ssh user#host executable.)
Or have I missed any obvious solution?
¹It's a BuildRoot-based embedded system, running on fairly meager resources, but it's a fully-fledged recent Linux kernel and I have a working ssh connection.
²They are interactive CLI-based programs.
Most linux systems use the OpenSSH server. It looks like you can get this behavior using the Match directive. Documentation for the SSH server configuration file is here.
First, you have to make sshd listen for connections on the additional ports that you want to use. You can do this through either the Port or ListenAddress directives.
Port 22 -- Listen on the normal port 22
Port 42 -- Also listen on port 42
ListenAddress 1.2.3.4:62 -- Also listen on address 1.2.3.4, port 62
Then, you can use the Match and ForceCommand directives to take special actions for users connecting to a particular port:
Match LocalPort 42
ForceCommand /usr/local/bin/the-42-app
Match LocalPort 62
ForceCommand /usr/local/bin/the-62-app
For people who don't want to set the ssh server to listen on multiple ports, there are two other ways to make the server run "canned" apps depending on how the the user connects.
Subsystems
A subsystem is a command that's pre-configured into the server. Clients request to run the subsystem by name, and the server runs the command associated with the subsystem. This avoids the client having to know the exact command to run.
You configure subsystems in sshd by adding a line like this to sshd_config:
Subsystem someApp /usr/local/bin/someApp
Then the client calls it like this:
ssh user#host -s someApp -- "-s" means to request a subsystem
Forced Commands on Keys
For key-based authentication, sshd permits you to force a particular command to run when a particular key is used. This is done in the authorized_keys file which is documented here.
Each line of an authorized_keys file normally starts like this:
ssh-rsa AAAAB3N...
You can prepend an options field to the line. One of the options you can specify is a command to run when the key is used to authenticate:
command="/usr/local/bin/someApp" ssh-rsa AAAAB3N...
When that key is used to authenticate, the server will ignore whatever command the client requests to run, and run the specified command instead.
You can configure SSH server to listen on multiple ports. Just add additional ports in sshd_config like this:
Port 22
Port 1111
Port 2222
i've got another question for you.
I have Amazon EC2 instance with mondodb installed.
It works great except one thing - i can't access (connect to) it from outside (my PC).
I think the problem with Security Groups. It's some sort of default firewall.
Does anyone know how to configure EC2 instance to have access to mongodb?
Thanks in advance.
Think carefully before doing this. If you open the ports, make sure you restrict the IP numbers that can access it, otherwise anyone will be able to access your database. You can enable authentication in MongoDB, but it's not particularly safe, just a username and password. You should not have your database open to the internet, it is not a good idea.
A better way than opening up ports in the EC2 firewall is to open an SSH tunnel an forward the port, this makes sure that only you can access the database, and only while the SSH tunnel is active.
Open up a new terminal and run this command (replacing user and host with the user you use when SSH'ing to your server and the name of the server):
ssh user#host -N -L 27017:127.0.0.1:27017
The command will forward the port 27017 on your computer to the same port on the server. To connect to the MongoDB instance simply run mongo in a terminal (if that doesn't work, try mongo --host 127.0.0.1 or even mongo --host 127.0.0.1 --port 27017).
If you run MongoDB on your local machine you will have to change the first port, since the local server is already using it. In that case run this command instead:
ssh user#host -N -L 27018:127.0.0.1:27017
and then connect with
mongo --port 27018
(possibly adding --host 127.0.0.1 if it doesn't work).
When you're done working with the database, exit mongo and press ctrl-C in the terminal with the SSH command.
You need to add a security group exception for the port 27017 if you are using default config for you to access it from outside. For security group configuration, please check the amazon EC2 documentation. And if you are using a different port on Mongo, change the security group port accordingly.
--Sai
Is your EC2 instance a Windows server by any chance? If so, in addition to EC2's Security Groups you also need to configure Windows Firewall to allow the incoming connection.
Go To Administrative Tools, Windows Firewall with Advanced Security, and configure a new Rule that allows incoming connections on port 27017 (the default mongo port) or whatever port you've chosen.