How to restrict linux user to absolute minimal commands for SSH - linux

I have a linux box set up, and I have a user that I would like to use for a proxy only. That is, someone would SSH in with this user and do dynamic SOCKS5 port forwarding to their localhost, and then use that tunnel as a proxy for whatever they need on their system.
My question is, is there any simple way to make it so that this user can't do anything BUT use it as a proxy? i.e. make it so that once a user has connected with SSH, they can't run any commands at all on the remote computer?
Thanks!

You can do it with permissible commands in the authorized_keys file.
user would not log in via ssh but will have a restricted set of commands that would only be allowed to execute via ssh, for example "ssh somehost bin/programname"
more details here and here

I found where this has already been asked, and the solution to that worked perfectly.
https://serverfault.com/questions/56566/ssh-tunneling-only-access

Related

How do I remotely execute a prespecified command with authentication across a local network on Linux?

I have two Debian Linux servers on the same network. I would like server A to execute this command on server B: run.sh VARIABLE, and it needs to be able to process the output of said command. The script run.sh is on server B I do not want its contents to be visible to server A. I need there to be some kind of authentication between these two machines as well.
Your specs are somewhat vague. Assuming that run.sh exists somewhere on server B, the easiest would be to use an ssh forced command and using a key-pair for the ssh connection.
You define the forced command in the ~/.ssh/authorized_keys on server B and pull the VARIABLE out of SSH_ORIGINAL_COMMAND in run.sh.
server A never gets to see run.sh, is able to pass arguments to run.sh. and running run.sh is all it can ever do ...
Perhaps the easiest and fastest way you can accomplish this is to setup a standalone python REST server. On the client side you can use any client, even curl or python requests.
How to make a simple Python REST server and client?
As authentication it can be as simple as requiring a username and password in the JSON fields.

SSH interception - Linux

Really hoping someone here can point me in the right direction,
Expected result: SSH successfully into a remote device.
Challenge/Back story:
We have devices out in remote places around the country,
These devices do not have a fixed public IP address
(Using GSM as its internet breakout)
These devices are able to SSH and break out.
My thought, with regards to maintaining these devices is to (if possible) use a server in the cloud as a middle man, have these devices create some sort of a reverse tunnel to our middleman server then have us as admins intercept it or something to that effect.
Again to summarize, Device cannot be ssh'd into directly, but can breakout.
Aim to be able to hit their terminal from the office.
have been looking at mitmssh but not coming right on that front.
Server A (no fixed address, cannot SSH into it directly but has breakout)
Server B (standard server which can be used as a middle man
Server C (Us admins)
Tried something along the lines of "ssh user#serverA -R serverB:12345:ServerA:22"
Which creates the tunnel, but struggling with grabbing hold of that SSH connection.
I think I regularly use something very similar. My target machine connects to the machine with a stable address with:
ssh midpoint -R 2022:localhost:22
my ~/.ssh/config file knows the real HostName. My config file on my work machine defines a ProxyCommand option to use this tunnelled TCP connection. like:
Host target
ProxyCommand ssh -q midpoint nc localhost 2022
the reason for using netcat was to get ssh-agent behaving.
I've just been searching around and it seems OpenSSH now has specific handling for this (-W command line option, and JumpHost in the config file). E.g. https://stackoverflow.com/a/29176698/1358308

Somewhat convoluted ssh issue. Can ping, but not ssh, but only from on-site

I am trying to ssh into my server at work (CentOS) from my laptop (Ubuntu). When I am at home, I do it by running the following script on the server (I start it while I am physically at work):
ssh -R (port #):localhost:22 (name#home ip)
I do this because it doesn't accept connections from external IPs. Then, I can ssh into the specified port on my laptop, and it works fine.
However, when I am actually at work, I cant ssh to the server. The other people in my office can. They do this very simple command (only works while they are at work, since they need an IP from inside the system):
ssh (username)#(work ip)
And they are automatically logged in. When I do that, I get no response; no public key denial, no wrong username, no response at all. Eventually it times out. But I know the server has ssh running, because everyone else can do it.
Additionally, if I do this on my laptop, while at work:
ping (work ip)
I do get response packets, with no loss, almost no lag. But ssh doesn't work.
I can ssh to other places from my laptop, both while I am at home and at work. So my laptop is properly configured to ssh to things, it just doesn't reach the work server for some reason. I talked to the guy who set it up and he insists there is no whitelist; the only security from internal IPs (and I am physically on site, so I have an internal IP, so there should be no need to do the ssh -r like I do at home) is the private/public RSA key system, and I know the keys must be already set up, because it works when I do the ssh -R from home. Plus, if the keys were not set up, I would get a public key denial, instead of no response at all, right?
If I do ssh -vv, this is the last line before it times out:
debug1: Connecting to ccny6 [work ip] port 22.
I see other people have posted similar questions, but the responses they seem to generally be "is the server running the ssh service" etc, which I know it is as other people can ssh to do (as can I if I'm using the ssh -r tunnel), so none of those responses did me much good, unfortunately.
Summary: I can ssh to a server from OFF site via a ssh tunnel, but can't ssh to it while I am right next to it using direct ssh, even though I can ping it, and others can ssh to it.
The most possible reason for the same is your ISP. I too had this issue few months back. They had closed ssh ports. Ask them and get it released.
Just a confirmation, try to do ssh to other IP's as well. It wont work either if your ISP has blocked it.

linux command to connect to another server using hostname and port number

what is the Linux command to connect to another server using host name and port number?
how to connect to another server using only host name and port number then check if an existing process is running? the only way i see it working is to log in to the server and run the PS command. but is there a way to do it without logging in directly to the other server and connect only with host name and port number and check the running process?
If you just want to try an arbitrary connection to a given host/port combination, you could try one nmap, telnet or nc (netcat).
Note that you can't necessarily determine whether or not a process is running remotely - it might be running on that port, but simply ignore anything it sees over the port. To really be sure, you will need to run ps or netstat or etc. via ssh or etc.
If you want to use SSH from e.g. a script or, more generally, without typing in login information, then you will want to use public key authentication. Ubuntu has some good documentation on how to set this up, and it's very much applicable to other distrobutions as well: https://help.ubuntu.com/community/SSH/OpenSSH/Keys.
If you have no access to the server you're trying to list processes on at all, then I'm afraid there isn't a way to list running processes remotely (besides remote tools like nmap and so on, as mentioned earlier - you can always probe public ports without authentication [although you might make people angry if you do this to servers you don't own]). This is a feature, not a problem.
telnet connects to most of services. With it you can ensure that port is open and see hello message (if any). Also nc is more low level.
eri#eri-macro ~ $ telnet smtp.yandex.ru 25
Trying 87.250.250.38...
Connected to smtp.yandex.ru.
Escape character is '^]'.
220 smtp16.mail.yandex.net ESMTP (Want to use Yandex.Mail for your domain? Visit http://pdd.yandex.ru)
helo
501 5.5.4 HELO requires domain address.
HELO ya.ru
250 smtp16.mail.yandex.net
MAILĀ FROM: <someusername#somecompany.ru>
502 5.5.2 Syntax error, command unrecognized.
If there is plain text protocol you cat talk with service by keyboard. If connection is secured try openssl.
openssl s_client -quiet -connect www.google.com:443
depth=1 /C=ZA/O=Thawte Consulting (Pty) Ltd./CN=Thawte SGC CA
verify error:num=20:unable to get local issuer certificate
verify return:0
GET /
<HTML><HEAD>
If protocol is not known you may see much of hieroglyphs or just Connected to ... message.
Try this :
ssh <YOUR_HOST_NAME> 'ps auxwww'
Like Dark Falcon said in the comments, you need a protocol to communicate with the server, a port alone is useless in this case.
By default on unix (and unix like) servers, ssh is the way to go.
Remote Shell with this command. Example is cat a file on the remote machine.
rsh host port 'cat remotefile' >> localfile
host and port self explainitory
remotefile: name of some file on the machine remote logging to in home directory
localfile: name of file cat information to.
Use monitoring software (like Nagios). It looks at your processes, sensors, load and thatever you configured to watch. It continuously stores log. It alerts you by email\sms\jabber if something fails. You can access it with browser or by HTTP API.

Noob questions for SVN checkout and network issues regading it

We have a local server with SVN installed on it that we are using for development/testing purpouses. We would like to checkout the data from it to the live server that is somewhere out there.
The only way to do that which I thought of was to use "svn checkout" from the live server, right? This way we do not need to FTP the changes to it, that may cause problems is we forget to upload some of the changes. And if we found a problem we can alway go back to previous stable version, right? Correct me if I am wrong about any of these.
The problem is that our local server (Ubuntu) does not have a IP that is reachable from outside. We have a router from out ISP, but we can not use that to access the local server from the live. We are willing to ask the ISP provider to setup a second IP for the local server, but for security sake they want to setup a separate machine with Windows and windows base security software (firewall - http://www.kerio.com/control/ and antivirus) that will cost us a lot. Can we just setup a free firewall on the local server (Ubuntu as I said) and solve the problem without spending additional money?
I hope I was clear.
It's always hard to comment without knowing the exact situation, but this sounds a bit crazy.
What you would usually do is set up port forwarding for one port to the local server. The server would then be reachable (for example) through 123.45.67.89:3690
That's a three-minute task to set up in a normal household router.
As long as the Ubuntu server is closed otherwise, and Subversion or whatever you are using for authentication is properly configured and up to date, this should not create security issues.
In any case, putting a Windows machine in between to act as a firewall sounds really unnecessary. Ubuntu comes with everything necessary to secure the setup properly.
If the remote server has an ssh server, then you can use ssh forwarding.
From the internal svn server:
ssh -R 7711:localhost:3690 {REMOTE_SERVER}
7711 is an arbitrary port (you can use any free port on the remote system) that will be forwarded from the remote system to port 3690 (svn) on the svn server.
3690 is the port on the internal svn server that you want to talk to (via svn://).
If you are using subversion over http:// then use port 80 instead of 3690.
If you are using subversion over https:// then use port 443 instead of 3690.
After setting up the forward, then you can do this on the remote system:
svn checkout {SCHEME}://localhost:7711/{PATH}
{SCHEME} is svn, http, https, etc.
{PATH} is the normal svn path you want to check out.
Notes:
the forwarded traffic is tunneled through the ssh connection (on a different "channel") so it is also encrypted which is a nice benefit.
by default, the remote end of the forward will listen on the loopback interface so only processes on that system will be able to use the port forwarded port.
As soon as you close the ssh session, the forwarded port will also close. It only lasts the duration of the ssh connection.
ssh forwarding is very powerful. If you can ssh between two systems, then you can get around any sort of connection problem like this.
Do man ssh and read about the -L and -R options.
Useful links about ssh forwarding:
http://www.rzg.mpg.de/networkservices/ssh-tunnelling-port-forwarding:
http://www.walkernews.net/2007/07/21/how-to-setup-ssh-port-forwarding-in-3-minutes/
check if your ISP router provide some port forwarding abilities,
You should probably forward the ssh port ( after ensuring that everyone password is secure/or enforcing login with ssh keys file), and use SVN+SSH protocol to access your repository.
You should be able to open up and forward a single port (3690 by default) on your existing IP to the local server, as pointed out by Pekka. This depends on your router, and your ability to access the configuration interface on the router.
Instead of having to deal with SSH and worry about people trying to access your local server from anywhere, you could setup a firewall to only allow incoming traffic from your single remote server. Depending on the router setup, you could simply use the builtin firewall on the local server. It would still be advisable to have some svn authentication, though.
The SSH forwarding method described by kanaka prevents the entire issue about remote access to the local machine, but it requires you to execute the forwarding command from the local server every time you need to access svn on the remote server.

Resources