WARNING: ifconfig is deprecated!
- checking status of network interfaces using
iptool:
$ ip address
$ ip link
- checking status of network interfaces using
networkctltool:
$ networkctl status IFNAME
- checking status of ntework using
systemdtool:
$ sudo service systemd-networkd status
- checking detailed physical capabilities of network interface using ethtool:
$ sudo ethtool IFNAME
NOTE: ethtool uses set of ioctl's (such as SIOCETHTOOL for media physical speed)
to get additional information which can't be provided by any other default tools.
- list open tcp ports using
ss:$ sudo ss -ntlp - list open tcp ports using
netstat(DEPRECATED):$ sudo netstat -ntlp- -n / --numeric : show IP address instead of resolved host name
- -t / --tcp : show TCP ports only
- -l / --listening : show listening / open ports only
- -p / --programs : show PID / app name
/etc/netplan/01-network-manager-all.yaml/etc/udev/rules.d//var/lib/udev/
- add
net.ifnames=0 biosdevname=0options toGRUB_CMDLINE_LINUX_DEFAULTvariable inside/etc/default/grubconfiguration file - optionally, to name interface based on MAC address, add
udevrule like:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="__:__:__:__:__:__", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="em0"
To listen traffic (aka "sniffing"), these two steps should be performed:
- set packet forwarding:
$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
- set promisc mode for network interface:
$ sudo ip link set IFNAME promisc on
- run
tcpdumpto capture packets fully:
$ sudo tcpdump -i IFNAME -nn -XX -vvv -s0 -S [-e FILTER RULE(S)]
$ sudo iptables -I INPUT -p ${PROTO} --dport ${PORT} -j ACCEPT
$ sudo iptables -I OUTPUT -p ${PROTO} --sport ${PORT} -j ACCEPT
- PROTO - protocol: tcp or udp
- PORT - port number
-i: /path/to/private/key-C: enable data compression-f: run in background-N: do not execute [remote shell] command-n: disable reading from STDIN-q: enable quite output and show only fatal errors-T: disable pseudo-terminal allocation-D: [bind_host:]port
-o HostKeyAlgorithms= :opts- use the host key algorithms that the client wants to use in order of preference (usessh -Q key` to check available opts)1-o PubkeyAuthentication=:yes/no- use keys' pair authentication method-o PasswordAuthentication=:yes/no- use password authentication method-o StrictHostKeyChecking=:yes/no- use interactive request (yes) or just add host toknown_hosts(no)-o IdentityFile=:priv key- use file as private key to connect (same as-i)-o UserKnownHostsFile=:hosts- use file as known hosts fingerprint (set as/dev/nullto skip the error)2-o ServerAliveInterval=:N- useNseconds keep-alive "heart beat"-o ConnectTimeout=:N- useNseconds as timeout during connection
Permissions for files in ~/.ssh directory3:
drwxr-xr-x / 755 ..
drwx------ / 700 .
-rw------- / 600 config
-rw------- / 600 authorized_keys
-rw------- / 600 known_hosts
-rw------- / 600 *.priv
-rw-r--r-- / 644 *.pub
$ ssh-keygen [-H] -F example.com
- locally detect fingerprint line for
example.comhost in~/.ssh/known_hostsconfig file and print it (if any) -H: hide the line number info
`$ ssh-keygen -R exampe.com
- remove fingerprint line for
exampe.comhost from~/.ssh/known_hostsconfig file (if any)
$ ssh-keyscan [-H] example.com
- remotely scan
example.comhost for fingerprint line and print it (if any) -H: hash host name
- pick port number for proxy and set it:
$ PORT=1234
- set packet forwarding:
$ echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
- optionally, set
iptablesrules for IP client address only:
$ sudo iptables -A INPUT --src ${IP} -p tcp --dport ${PORT} -j ACCEPT
$ sudo iptables -A INPUT -p tcp --dport ${PORT} -j REJECT
- run
sshsession:
$ ssh -N -D 0.0.0.0:${PORT} localhost
- optionally, to get IP address of a server:
$ curl ifconfig.me
- set web proxy setting in browser/environment on client IP as
IP/HOSTNAME:PORT
- pick port number for route and set it:
$ PORT_ROUTE=1234
- pick port number for proxy and set it:
$ PORT_PROXY=5678
- run
sshsession on NAT gateway host:
$ ssh -R ${PORT_ROUTE}:localhost:22 user@example.com
- run
sshsession on example host:
$ ssh -p ${PORT_ROUTE} localhost -D ${PORT_PROXY}
- test the connection from example host:
$ curl http://portquiz.net
Port 80 test successful!
Your IP: <IP address of example.com>
$ curl --socks5 localhost:${PORT_PROXY} http://portquiz.net
Port 80 test successful!
Your IP: <IP address of NAT gateway>
- pick port number for tunnel and set it:
$ PORT_TUNNEL=4321
- run
sshsession on NAT gateway host:
$ ssh -N -R ${PORT_TUNNEL}:localhost:22 user@example.com -p 22
- run
sshclient connecting back to NAT gateway host from example host:
$ ssh client@localhost -p ${PORT_TUNNEL}
DRAFT
- add user:
$ sudo useradd -m mysshuser - set password
- populate .ssh & set permissions
- add section to sshd:
AllowUsers mysshuser
Match User mysshuser
AllowTcpForwarding yes
PermitTunnel yes
GatewayPorts yes
AllowAgentForwarding no
PermitOpen localhost:8080
ForceCommand echo 'No no no!'
- restart sshd and test local ssh login using keys:
$ sudo service ssh restart ; ssh mysshuser@localhost -i /home/mysshuser/.ssh/id_rsa - edit etc/passwd to set bin/false
mysshuser:...:/bin/false
- edit etc/shadow to disable password
mysshuser:!:1...`
- install required package:
$ sudo apt install libpam-google-authenticator - configure authentication setup:
- run:
$ google-authenticator make tokens to be time-based? y- scan QR code using TOTP app like Google Authenticator or FreeOTP
- enter TOTP code from app to terminal when requested
- provide the answers to configure TOTP:
update your config file? ydisallow multiple uses? yincrease the login window? nenable login rate-limit? y
- run:
- configure
sshdfor TOTP setup:/etc/ssh/sshd_config: add/enableUsePAM yesandChallengeResponseAuthentication yes/etc/pam.d/sshd: add/enableauth required pam_google_authenticator.soright after@include common-authblock- optionally: add
nullokoption for the lineauth required pam_google_authenticator.soto disable TOTP for users without TOTP configured
- now this configuration will be working in the following way:
- if login user uses valid & authorized ssh key file, then sshd will accept connection unconditionaly
- if login user uses valid password, then sshd will ask for password first and for TOTP verification code right after password before accepting connection
As a quick'n'dirty solution:
- on server:
- install & run any web server, i.e.:
$ python3.8 -m http.server 8080 -d www/html - go to its
www/htmldirectory - run (tweak command for desirable size to test):
$ sudo touch file.bin && sudo truncate -s 1GB file.bin
- install & run any web server, i.e.:
- on client:
- run
$ wget -v -O /dev/null https://server/file.binor$ curl -o /dev/null http://server:8080/file.bin
- run
Proxy Auto Configuration file is a special server-side file which allows redirecting client requests for particular hosts. To use this feature:
- create & put sample file like
inet.pactowww/htmldirectory on server with this content:
function FindProxyForURL(url, host) {
alert("url = " + url);
alert("host = " + host);
if (
shExpMatch(host, "*test.org*") ||
shExpMatch(host, "*example.com*")
) {
return "SOCKS host:port";
} else {
return "DIRECT";
}
}
- configure browser on client to use proxy autoconfiguration and provide the setting line as
https://server/inet.pac
Footnotes
-
this option is useful when the error message like "Unable to neotiate with HOST port NUMBER: no matching host key type found. Their offer: [...]" displayed. ↩
-
set
-o UserKnownHostsFile=/dev/nullonly if you're fully aware of what & why you're doing this exactly since this is VERY INSECURE. ↩ -
https://superuser.com/questions/215504/permissions-on-private-key-in-ssh-folder ↩