Develop Reference

SSH interception - Linux

Really hoping someone here can point me in the right direction,
Expected result: SSH successfully into a remote device.
Challenge/Back story:
We have devices out in remote places around the country,
These devices do not have a fixed public IP address
(Using GSM as its internet breakout)
These devices are able to SSH and break out.
My thought, with regards to maintaining these devices is to (if possible) use a server in the cloud as a middle man, have these devices create some sort of a reverse tunnel to our middleman server then have us as admins intercept it or something to that effect.
Again to summarize, Device cannot be ssh'd into directly, but can breakout.
Aim to be able to hit their terminal from the office.
have been looking at mitmssh but not coming right on that front.
Server A (no fixed address, cannot SSH into it directly but has breakout)
Server B (standard server which can be used as a middle man
Server C (Us admins)
Tried something along the lines of "ssh user#serverA -R serverB:12345:ServerA:22"
Which creates the tunnel, but struggling with grabbing hold of that SSH connection.

I think I regularly use something very similar. My target machine connects to the machine with a stable address with:
ssh midpoint -R 2022:localhost:22
my ~/.ssh/config file knows the real HostName. My config file on my work machine defines a ProxyCommand option to use this tunnelled TCP connection. like:
Host target
ProxyCommand ssh -q midpoint nc localhost 2022
the reason for using netcat was to get ssh-agent behaving.
I've just been searching around and it seems OpenSSH now has specific handling for this (-W command line option, and JumpHost in the config file). E.g. https://stackoverflow.com/a/29176698/1358308

Getting "I won't open a connection to" when connecting to FTP server from Google Compute Engine

I ssh'ed to my Google Compute Engine's VM. And want to ftp to another server from there. It asked my username and password, I could login without problem. But when I do ls or get, I receive this error:
500 I won't open a connection to 10.240.XX.XX (only to XX.XX.XX.XX)
ftp: bind: Address already in use
That 10.240.XX.XX is my internal IP address I saw in ifconfig result.
How can I transfer files from another server using FTP?
System: Debian7

You are using the active mode of FTP to connect to a server running Pure-FTPd. In the active mode, a server has to connect back to a client to open a data transfer connection (for file transfers or directory listing). For that, the client sends its IP address to the FTP server in the PORT command.
If the FTP server is outside of the GCE private network, it obviously cannot connect back to the client machine, as the machine is behind a firewall and NAT.
And actually the Pure-FTPd explicitly checks that the IP address in the PORT command matches the client IP address of the FTP control connection. It won't match, if the client sends its internal IP address within the GCE network. If this case, the Pure-FTPd server rejects the transfer outright (without even trying to connect) with the error message, you are getting:
I won't open a connection to ... (only to ...)
(where the first ... is the IP address provided by the client in the PORT command [the local address within the GCE private network), and the second ... is the external [NATed] IP address of the client, as known by the server).
Even if the client reported the external [NATed] address in the PORT command, it still won't work as the connection attempt won't get past the NAT and firewall.
For this reason, the passive FTP mode exists, in which the client connects to the server to open the data transfer connection. Actually, none uses the active mode nowadays.
See (my article) FTP connection modes for details about the modes.
So, switch to the passive mode. How this is done is client-specific.
In most common *nix ftp command-line clients, use the -p command-line switch, though the passive mode is used by default anyway:
-p Use passive mode for data transfers. Allows use of ftp in environments where a firewall prevents
connections from the outside world back to the client machine. Requires that the ftp server sup-
port the PASV command. This is the default now for all clients (ftp and pftp) due to security
concerns using the PORT transfer mode. The flag is kept for compatibility only and has no effect
anymore.
Some clients also support passive command.
If you are on Windows, you cannot use the built-in command-line ftp.exe client, as it does not support the passive mode at all. You have to install a third-party client. See How to use passive FTP mode in Windows command prompt?

Enable your FTP with passive mode, if you have already connected please type
ftp> passive
Passive mode on.
You are currently using FTP in passive mode.

if you use wsl2 linux subsystem in windows 10:use
pftp

If you use PsPad editor and you have the same issue, try to set this configuration for your connection:

Debug smtp connection

I am using the perl module Net::Smtp_auth to send a mail to myself using the web.de SMTP server on port 25 (no encryption). It works well my computer. But I would like to use the same script to send notification messages about finished jobs on a different machine where I don't have root privileges. On this machine I get a timeout for the connection. I wonder in which way the connection is blocked, what might be the reason to block it (prevent spamers?) and if there might be a way to circumvent the problem. I have some linux tools available but no nmap.
Might the connection be influenced by proxy settings and, if yes, how do I tell it to SMTP_auth?
The perl script is basically the SMTP_auth example from cpan. But I do not expect that it is relevant here:
#!/usr/bin/perl -w
use Net::SMTP_auth;
$message=$ARGV[0];
$smtp = Net::SMTP_auth->new('smtp.web.de') or die "Failed to open SMTP connection: $!";
$smtp->auth('CRAM-MD5', 'adress', 'password');
$smtp->mail('adress#web.de');
$smtp->to('adress#web.de');
$smtp->data();
$smtp->datasend("To: adress\#web.de\n");
$smtp->datasend("From: adress\#web.de\n");
$smtp->datasend("\n");
$smtp->datasend("$message\n");
$smtp->dataend();
$smtp->quit;

If the other machines are in a different network than your home machine, it may well be that the ISP there is blocking outgoing port 25 to anything but their own SMTP servers, as that is a common spam-mitigation technique. The established convention is that for outgoing mail across networks, one should use port 587 (the SMTP submission-only port) instead.
An easy way to verify if the problem is your program or not is to try to telnet to that host and port. If telnet doesn't connect but other services do, your ISP is filtering port 25.

Noob questions for SVN checkout and network issues regading it

We have a local server with SVN installed on it that we are using for development/testing purpouses. We would like to checkout the data from it to the live server that is somewhere out there.
The only way to do that which I thought of was to use "svn checkout" from the live server, right? This way we do not need to FTP the changes to it, that may cause problems is we forget to upload some of the changes. And if we found a problem we can alway go back to previous stable version, right? Correct me if I am wrong about any of these.
The problem is that our local server (Ubuntu) does not have a IP that is reachable from outside. We have a router from out ISP, but we can not use that to access the local server from the live. We are willing to ask the ISP provider to setup a second IP for the local server, but for security sake they want to setup a separate machine with Windows and windows base security software (firewall - http://www.kerio.com/control/ and antivirus) that will cost us a lot. Can we just setup a free firewall on the local server (Ubuntu as I said) and solve the problem without spending additional money?
I hope I was clear.

It's always hard to comment without knowing the exact situation, but this sounds a bit crazy.
What you would usually do is set up port forwarding for one port to the local server. The server would then be reachable (for example) through 123.45.67.89:3690
That's a three-minute task to set up in a normal household router.
As long as the Ubuntu server is closed otherwise, and Subversion or whatever you are using for authentication is properly configured and up to date, this should not create security issues.
In any case, putting a Windows machine in between to act as a firewall sounds really unnecessary. Ubuntu comes with everything necessary to secure the setup properly.

If the remote server has an ssh server, then you can use ssh forwarding.
From the internal svn server:
ssh -R 7711:localhost:3690 {REMOTE_SERVER}
7711 is an arbitrary port (you can use any free port on the remote system) that will be forwarded from the remote system to port 3690 (svn) on the svn server.
3690 is the port on the internal svn server that you want to talk to (via svn://).
If you are using subversion over http:// then use port 80 instead of 3690.
If you are using subversion over https:// then use port 443 instead of 3690.
After setting up the forward, then you can do this on the remote system:
svn checkout {SCHEME}://localhost:7711/{PATH}
{SCHEME} is svn, http, https, etc.
{PATH} is the normal svn path you want to check out.
Notes:
the forwarded traffic is tunneled through the ssh connection (on a different "channel") so it is also encrypted which is a nice benefit.
by default, the remote end of the forward will listen on the loopback interface so only processes on that system will be able to use the port forwarded port.
As soon as you close the ssh session, the forwarded port will also close. It only lasts the duration of the ssh connection.
ssh forwarding is very powerful. If you can ssh between two systems, then you can get around any sort of connection problem like this.
Do man ssh and read about the -L and -R options.
Useful links about ssh forwarding:
http://www.rzg.mpg.de/networkservices/ssh-tunnelling-port-forwarding:
http://www.walkernews.net/2007/07/21/how-to-setup-ssh-port-forwarding-in-3-minutes/

check if your ISP router provide some port forwarding abilities,
You should probably forward the ssh port ( after ensuring that everyone password is secure/or enforcing login with ssh keys file), and use SVN+SSH protocol to access your repository.

You should be able to open up and forward a single port (3690 by default) on your existing IP to the local server, as pointed out by Pekka. This depends on your router, and your ability to access the configuration interface on the router.
Instead of having to deal with SSH and worry about people trying to access your local server from anywhere, you could setup a firewall to only allow incoming traffic from your single remote server. Depending on the router setup, you could simply use the builtin firewall on the local server. It would still be advisable to have some svn authentication, though.
The SSH forwarding method described by kanaka prevents the entire issue about remote access to the local machine, but it requires you to execute the forwarding command from the local server every time you need to access svn on the remote server.

How can I programmatically detect ssh authentication types available?

I'd like to write a monitoring plugin that checks various hosts on my network to make sure that password or interactive SSH authentication is not enabled. That is, I need to write code that:
Connects to an SSH port.
Enumerates available authentication methods.
Verifies that only key based authentication is possible.
Methods using either python or bourne sh code (using ssh) is most interesting to me, but other languages, libraries or hints are appreciated too.

I'm currently building one myself, however, you can force ssh to output (to STDERR) the supported methods by using the PreferredAuthentications option. This can easily be parsed with grep/python/language of choice.
HostA$ ssh -o PreferredAuthentications=none HostB
Permission denied (publickey,gssapi-with-mic).
HostA$ ssh -o PreferredAuthentications=none HostC
Permission denied (publickey,gssapi-with-mic,password,keyboard-interactive,hostbased).

RFC 4252, which defines authentication in SSH, says the following:
Authentication methods are identified by their name, as defined in
[SSH-ARCH]. The "none" method is reserved, and MUST NOT be listed as
supported. However, it MAY be sent by the client. The server MUST
always reject this request, unless the client is to be granted access
without any authentication, in which case, the server MUST accept
this request. The main purpose of sending this request is to get the
list of supported methods from the server.
So you can send a request for none authentication to get the list of supported ones.
However, authentication itself occurs after certain lower-level actions take place (key exchange is one of them) so you might need to write a part of SSH protocol in sh script, which is probably a non-trivial task.

You can now use the nmap built-in NSE script called ssh-auth-methods to do this:
# nmap -p 22 --script ssh-auth-methods 192.168.1.2
Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-26 00:56 GMT
Nmap scan report for 192.168.1.2
Host is up (0.027s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-auth-methods:
| Supported authentication methods:
| publickey
|_ keyboard-interactive
MAC Address: AA:BB:CC:DD:EE:FF (Apple)
Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds
In addition, someone has made a similar python3 script.

If you need *nix solution, you can also hook into OpenSSH sources.
If Windows suitable for you - you can also try some .NET commercial libraries, they are much handier than OpenSSH sources :)