Category Archives: Security

SSH tunnels on steroids

I have been using SSH tunnels for years; setting up a dynamic tunnel and configuring a SOCKS proxy in the browser has been my go-to tool for getting access to services on my home network, and for bypassing geo-blocking of various services in my home country.

This week I stumbled across sshuttle, a tool that feels like traditional SSH tunnels on steroids. I have tried several solutions over the years, including tailscale and cloudflare, but I always ended up going back to plain SSH because of its simplicity and ease of use.

sshuttle is almost as easy as plain ssh, and it requires nothing on the server side other than SSH and Python. The connection is initiated with plain SSH, and the server-side setup is done automatically by the client, which copies its Python script to the host and sets everything up.

The application takes a number of parameters, which you can list with “sshuttle -h”.
At first it seems a bit overwhelming, but have no fear: examples are available on GitHub.

You need to let sshuttle know which subnets to route: you can use 0.0.0.0/0 for everything, or limit it to something similar to a “split tunnel VPN”. Just use CIDR syntax to specify the right network. I have created an alias in my ~/.profile file and can now connect using “connect-home”.

My alias looks like this:
alias connect-home='sshuttle -r username@home --dns 192.168.5.0/24 --to-ns=192.168.5.254 --no-latency-control -D'

  • -r tells sshuttle which remote host to use; you can use entries from your ssh config file.
  • --dns tells sshuttle to use DNS on the remote end of the tunnel
  • 192.168.5.0/24 specifies the network to route
  • --to-ns tells which IP to use for remote DNS lookups (the default is the SSH server)
  • --no-latency-control improves bandwidth but sacrifices latency
  • -D is daemon mode, i.e. run in the background

You can add or exclude DNS servers, subnets and specific hosts, and a lot more; check it out at https://github.com/sshuttle/sshuttle
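As an added example (not from the original post), a small wrapper around the connect-home alias that validates every subnet as CIDR before composing the sshuttle command line, so a stray character in a network such as “192.168.5.0./24” is rejected up front. The remote name, DNS server and pidfile path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a wrapper around the alias above
# that validates each subnet as CIDR before composing the sshuttle command line.
# Remote name, DNS server and pidfile path are constructed placeholders.

# valid_cidr a.b.c.d/n : succeed only if every octet is 0-255 and n is 0-32
valid_cidr() {
    cidr=$1
    case "$cidr" in */*) ;; *) return 1 ;; esac
    ip=${cidr%/*}; prefix=${cidr#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # reject empty octets, e.g. "192.168.5.0./24" or "10..0.0.0/8"
    case "$ip" in *..*|.*|*.) return 1 ;; esac
    rest=$ip; n=0
    while [ -n "$rest" ]; do
        oct=${rest%%.*}
        case "$oct" in *[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# sshuttle_cmd remote dns_server subnet... : print the sshuttle command line for
# a split tunnel that routes only the listed subnets and resolves DNS remotely.
# --pidfile lets a later "kill $(cat /tmp/sshuttle-home.pid)" stop the daemon.
sshuttle_cmd() {
    remote=$1; to_ns=$2; shift 2
    valid_cidr "$to_ns/32" || { echo "bad DNS server: $to_ns" >&2; return 1; }
    args="sshuttle -r $remote --dns --to-ns=$to_ns --no-latency-control -D --pidfile=/tmp/sshuttle-home.pid"
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad subnet: $net" >&2; return 1; }
        args="$args $net"
    done
    echo "$args"
}

# The same split tunnel as the connect-home alias, plus a second routed subnet
sshuttle_cmd username@home 192.168.5.254 192.168.5.0/24 10.0.0.0/8
```

The function only prints the command line; wrap the result in eval (or replace the final echo with exec) to actually start the tunnel.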

BR Kasper

Looking for clear text authentication with tcpdump

Login services that do not use encryption are unfortunately still often seen in the wild. I started out in the IT business around 2000, and even back then clear text authentication was bad, but we still see it today.

Examples of services using clear text authentication are HTTP, FTP and telnet. Never authenticate using any of these protocols unless you know exactly what you are doing.

Sometimes you may want to verify whether a password is actually sent in clear text, and one of the tools to use is tcpdump. Tcpdump is the default network analysis tool on most Linux distributions, and it's very easy to get started with. Maybe you just want to know whether your network changes are routing traffic to your server; you can use tcpdump to verify that too.

When sniffing for clear text passwords, we need to pass the parameters -s 0 and -A, and then we can specify the destination port the service is listening on with dst port. The full command looks like this:

tcpdump -s 0 -A dst port xxx

You can also specify the interface to listen on with the -i option. If your interface is enp0s31f6, it would look like this:

tcpdump -i enp0s31f6 -s 0 -A dst port xxx

Other options are the “and” and “not” keywords. Imagine you are logged in with SSH and looking for SSH traffic, but you don't want to see your own traffic. Then you can use and not host ${your own IP address}, like this:

tcpdump -i enp0s31f6 dst port 22 and not host xx.xx.xx.xx

In the last example I have removed the -s 0 and -A options, since I don't need them just to see whether traffic is reaching my server.
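As an added example (not from the original post), a script that scans saved “tcpdump -s 0 -A” output for credentials that crossed the wire unencrypted, reporting the protocol and user while masking the secret. The capture is a constructed sample with fake hosts and credentials.

```shell
#!/bin/sh
# Added example, not from the original post: scan saved "tcpdump -s 0 -A" output
# for credentials that crossed the wire unencrypted, instead of eyeballing it.
# The capture below is a constructed sample (fake hosts and credentials); the
# trailing "." on each payload line is how -A renders the protocol's CR.

CAPTURE=$(mktemp)
cat >"$CAPTURE" <<'EOF'
12:00:01.000000 IP 10.0.0.5.51000 > 10.0.0.9.21: Flags [P.], seq 1:13, length 12
E..4..@.@......
USER alice.
12:00:01.100000 IP 10.0.0.5.51000 > 10.0.0.9.21: Flags [P.], seq 13:26, length 13
E..5..@.@......
PASS s3cret.
12:00:02.000000 IP 10.0.0.5.51002 > 10.0.0.9.80: Flags [P.], seq 1:90, length 89
GET /admin HTTP/1.1.
Host: intranet.example.
Authorization: Basic Ym9iOmh1bnRlcjI=.
.
EOF

# find_cleartext_auth file : report each clear text credential with the secret
# masked; succeed if anything was found, fail on a clean capture.
find_cleartext_auth() {
    hits=0
    # FTP sends the password verbatim in the PASS command
    if grep -q '^PASS[[:space:]]' "$1"; then
        echo "FTP: password sent in clear text (masked): PASS ****"
        hits=$((hits + 1))
    fi
    # HTTP Basic is base64 encoding, not encryption: decode only the user part.
    # The token is restricted to the base64 alphabet before it reaches a shell.
    for token in $(grep -o '^Authorization:[[:space:]]*Basic[[:space:]]*[A-Za-z0-9+/=]*' "$1" | awk '{print $3}'); do
        user=$(printf '%s' "$token" | base64 -d 2>/dev/null | cut -d: -f1)
        echo "HTTP: Basic credentials in clear text for user '$user' (password masked)"
        hits=$((hits + 1))
    done
    echo "clear text credential hits: $hits"
    [ "$hits" -gt 0 ]
}

find_cleartext_auth "$CAPTURE"
```

Telnet sends one keystroke per packet, so its login never appears as a single line in -A output; that case needs a stream reassembler rather than a line scanner.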

A bit more about SSH tunnels

I have previously written a bit about how you can use an SSH tunnel for port forwarding; it can be a solution if, for example, you don't want to open your web server up to the internet.

That was exactly the situation I was in when my brother needed an accounting program and I offered to install a web server for him with the free Danish accounting program Saldi.

I don't know how secure the web application is, and I'm not sure how often I will get around to updating this server (it should preferably be “install and forget”). So I didn't want to open it up to the big wide internet.

Instead I chose to install Tunnelier from Bitvise on my brother's PC, and then configure it to set up a tunnel and launch a browser pointing at the page he needs to access.

Compared to my earlier post there is nothing new in that; the new part comes here:

To make sure my brother doesn't wreak havoc from the bash shell he gets by default when I create him on my system, I changed his shell from /bin/bash to /bin/false in the /etc/passwd file. Now he has no way of logging in with a shell, but he can still forward ports.

So also remember that /bin/false should be used with care, since it still allows certain things beyond just blocking login. Use /bin/nologin instead if you want to completely block a user's ability to log in or use port forwarding.

Read more about it here: http://www.semicomplete.com/articles/ssh-security/
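As an added example (not from the original post), the policy for such a forwarding-only account can be pinned in sshd_config with a Match block rather than left to the login shell, and the small awk helper below approximates “sshd -T -C user=…” to confirm which directives sshd would apply to a given user. The account name bror, the port and the config file are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pin the "forwarding only" policy
# in sshd_config instead of relying on the login shell, and check which
# directives sshd would apply to a user. The account "bror", the port and the
# file are constructed; the awk helper approximates "sshd -T -C user=bror".

SSHD_CFG=$(mktemp)
cat >"$SSHD_CFG" <<'EOF'
# constructed sample: global defaults, then one restricted account
AllowTcpForwarding no
PermitTTY yes
X11Forwarding no

Match User bror
    AllowTcpForwarding yes
    PermitOpen localhost:80
    PermitTTY no
    ForceCommand /bin/false
EOF

# effective_directive file user directive : print the value that applies to
# user. Lines before any Match are the defaults; the first Match block naming
# the user overrides them, mirroring sshd's "first obtained value wins" rule.
effective_directive() {
    awk -v user="$2" -v want="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" {
            inblock = 1; active = 0
            for (i = 2; i < NF; i++)
                if (tolower($i) == "user" && $(i + 1) == user) active = 1
            next
        }
        tolower($1) == tolower(want) {
            if (!inblock) gval = $2
            else if (active && mval == "") mval = $2
        }
        END { print (mval != "" ? mval : gval) }
    ' "$1"
}

# The shell-less account gets port forwarding to the web server only, while
# every other user keeps the global "AllowTcpForwarding no".
effective_directive "$SSHD_CFG" bror AllowTcpForwarding   # yes
effective_directive "$SSHD_CFG" bror PermitTTY            # no
effective_directive "$SSHD_CFG" alice AllowTcpForwarding  # no
```

On the real host, sshd -T -C user=bror prints the authoritative answer; the awk approximation only honours the User criterion of a Match block.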

Regards.