15th meeting
From BLUG
Topic: Secure SHell & You
Presenter: Mark Krenz
Date: Tuesday, January 10th, 2006
Time: 7-9pm
Location: Monroe County Public Library room 1B
Attendance: 14 (with 7 new people)
Synopsis
Mark Krenz will be giving a presentation about Secure SHell (SSH) and its many uses. This presentation will go far beyond the basics of how to make a connection and will talk about the following:
- Overview of SSH
- How the encryption works
- Security considerations
- Using ssh-agent for automatic login to hosts
- Make TCP tunnels for forwarding ports
- How to do dynamic port forwarding with -D (SOCKS5)
- VPN-like functionality using SSH
- X Windows connection forwarding (for running GUI programs remotely)
- Using the ssh command line and escapes
- Controlling root logins
- Using iptables to slow rapid SSH connection attempts from internet worms
- Using your local ~/.ssh/config file
- Useful options you can set in the authorized_keys file
- Using ssh in a command pipeline for sending data
- Using secure copy (scp)
SSH is a cornerstone of a networked Linux environment and we think anyone using Linux should have a good working knowledge of SSH and its features. There will be useful handout sheets that you can use as a reference, and he'll try to have some nice graphics and even explain how encryption works at an algorithmic level.
If there is anything else about SSH that you would like to see as part of this presentation, please don't hesitate to let me know. Mark welcomes your input. Just write to him at mark@slugbug.org
Post meeting summary
Even though it rained, 14 people showed up, including 7 new people and 2 guys from Columbus and Seymor. A lot of people were interested in SSH specifically. Mark presented for about 1 hour and 45 minutes on different SSH topics and covered almost all of the topics above. Most of the information that was presented can be found on the following page:
http://www.suso.org/docs/shell/ssh.sdf
Mark actually did this presentation to prepare a revision of the above document, which is one of the top tutorials on SSH on the web. Search for "SSH Linux" or "SSH Tutorial" on google and it is usually in the top 10 results.
Other information that Mark presented is documented below
SSH other topics
The following topics are things I discussed but have not covered in the document on suso.org.
How encryption works (in a very small nutshell)
How encryption works is worthy of a whole other presentation just to explain the basics and prerequisites, let alone explaining how something like the RSA encryption algorithm works. However, here is a simple example that will give you a taste of how some encryption techniques work.
In mathematics, there is a function called modulus that gives you the remainder after division. It's commonly notated as mod() in computer programming. For example, mod(3,5) is 3, mod(6,5) is 1 and mod(25,5) is 0: whatever is left over after dividing the first number by the second.
Now imagine the alphabet and all of its 26 letters being numbered from 1 to 26: a is 1, b is 2, ... x is 24, y is 25 and z is 26.
Now let's make a sentence to encrypt.
How about
linux is the best os
Now to do the encryption we need a key, which is used both to encrypt and to decrypt the data. In this case it is simply a string of characters that makes a word:
windows
Now we number the letters in each string of characters. In this case let's make the space ' ' a 27th character in the alphabet.
l = 12, i = 9, n = 14, u = 21, x = 24, ' ' = 27, i = 9, s = 19, ' ' = 27, t = 20, h = 8, e = 5, ' ' = 27, b = 2, e = 5, s = 19, t = 20, ' ' = 27, o = 15, s = 19
And the key
w = 23, i = 9, n = 14, d = 4, o = 15, w = 23, s = 19
Now doing the encryption is simply a matter of applying the key over the string and repeating it when we run out of characters in the key. Then for each character we compute mod(s+k, 27), where s is the numerical value of the character in the string and k is the numerical value of the character in the key: divide the sum by 27 and keep the remainder (if the sum is exactly 27 or 54 the remainder is 0, which stands for 27, the space). Then for each numeric result we assign a letter according to the number, in the same fashion we did for the string and the key, and we get this:
l=12 + w=23 = (35 mod 27) = 8 -> h
i=9 + i=9 = (18 mod 27) = 18 -> r
n=14 + n=14 = (28 mod 27) = 1 -> a
u=21 + d=4 = (25 mod 27) = 25 -> y
x=24 + o=15 = (39 mod 27) = 12 -> l
' '=27 + w=23 = (50 mod 27) = 23 -> w
i=9 + s=19 = (28 mod 27) = 1 -> a
s=19 + w=23 = (42 mod 27) = 15 -> o
' '=27 + i=9 = (36 mod 27) = 9 -> i
t=20 + n=14 = (34 mod 27) = 7 -> g
h=8 + d=4 = (12 mod 27) = 12 -> l
e=5 + o=15 = (20 mod 27) = 20 -> t
' '=27 + w=23 = (50 mod 27) = 23 -> w
b=2 + s=19 = (21 mod 27) = 21 -> u
e=5 + w=23 = (28 mod 27) = 1 -> a
s=19 + i=9 = (28 mod 27) = 1 -> a
t=20 + n=14 = (34 mod 27) = 7 -> g
' '=27 + d=4 = (31 mod 27) = 4 -> d
o=15 + o=15 = (30 mod 27) = 3 -> c
s=19 + w=23 = (42 mod 27) = 15 -> o
or
hraylwaoigltwuaagdco
So the whole operation looks something like this:
  "linux is the best os"
+ "windowswindowswindow"   (mod 27)
------------------------
= "hraylwaoigltwuaagdco"
Then to decrypt, someone needs the same key 'windows' and does the operation in reverse: subtract the key value from each encrypted value instead of adding it, take the remainder mod 27 again, and turn the numbers back into letters. You can also crack encryption like this using a variety of techniques, one of the most common being based on the frequency of letters in the English language. For instance, the letter 'e' is the most common letter used in English, and because the key repeats, every 7th character of this example was shifted by the same amount, so each of those positions can be attacked as a plain shift cipher. The important thing is to use a good long key and keep it secret.
Again, this is very simple. But I think it illustrates the concept.
See if you can crack this encrypted string:
egi
Or these:
hpg
uqccgcptcoqwavradh
epdposcnranwznprawkyaubanbeggvtrctbsuznovktswsnhmxwlkijdzcwbgzfgzvanbodwewmmjk
If you crack them, put the results and your name on the talk page for this article.
Here is a simple program I wrote in Perl that encrypts a string using a key that you supply.
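The Perl program mentioned above is not reproduced on this page. What follows is an added example, not Mark's program: a Python script implementing the same scheme with the numbering used in the text (a=1 ... z=26, space=27). It prints the worked table, encrypts and decrypts the sample sentence, handles the one case the numbering leaves open (a sum of exactly 27 or 54 gives remainder 0, treated here as 27, the space), and, to show why the key must stay secret, recovers the key from a single known plaintext/ciphertext pair. The function names and the sample sentence are this example's own choices.

```python
# Added example: Vigenere-style cipher on the 27-symbol alphabet from the text.
# Lowercase letters and the space only, numbered a=1 ... z=26, ' '=27.

ALPHABET = "abcdefghijklmnopqrstuvwxyz "  # position + 1 is the value used in the text
MOD = len(ALPHABET)                        # 27


def value(ch):
    """Letter to number as in the text: a=1, ..., z=26, space=27."""
    return ALPHABET.index(ch) + 1


def letter(n):
    """Number back to letter.  A residue of 0 means 27, i.e. the space:
    the text's example never produces 0, but 'e' (5) + 'v' (22) would."""
    return ALPHABET[(n - 1) % MOD]


def keystream(key, length):
    """Repeat the key over the message length, as numbers."""
    return [value(key[i % len(key)]) for i in range(length)]


def encrypt(plaintext, key):
    """mod(s + k, 27) for every character, as described in the text."""
    return "".join(letter((value(p) + k) % MOD)
                   for p, k in zip(plaintext, keystream(key, len(plaintext))))


def decrypt(ciphertext, key):
    """The reverse operation: subtract the key value instead of adding it."""
    return "".join(letter((value(c) - k) % MOD)
                   for c, k in zip(ciphertext, keystream(key, len(ciphertext))))


def trace(plaintext, key):
    """One row per character, matching the worked table in the text:
    (plain char, its value, key char, its value, sum, sum mod 27, cipher char)."""
    rows = []
    for p, k in zip(plaintext, keystream(key, len(plaintext))):
        s = value(p) + k
        rows.append((p, value(p), letter(k), k, s, s % MOD, letter(s % MOD)))
    return rows


def recover_key(plaintext, ciphertext):
    """Known-plaintext attack: with one message and its ciphertext the whole
    keystream is simply ciphertext minus plaintext, and the key is its
    shortest repeating period.  This is why the key has to stay secret and
    should not be reused for many messages."""
    stream = "".join(letter((value(c) - value(p)) % MOD)
                     for p, c in zip(plaintext, ciphertext))
    for period in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream


if __name__ == "__main__":
    msg, key = "linux is the best os", "windows"   # the text's sample input
    ct = encrypt(msg, key)
    for row in trace(msg, key):
        print("%s=%2d + %s=%2d = (%2d mod 27) = %2d -> %s" % row)
    print(ct)                       # hraylwaoigltwuaagdco
    print(decrypt(ct, key))         # linux is the best os
    print(recover_key(msg, ct))     # windows
```

Run it without arguments to reproduce the table above; the recover_key() call at the end shows that one intercepted message with known content gives an attacker the key and its length.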
Using the ssh command line and escapes
Did you know that you can control your ssh client while you are logged in to a host? Type ~ (tilde) at the start of a line (it is only recognised immediately after a newline) followed by one of several characters to do a few different useful things:
~. Disconnect by closing the client side process (instead of the server side shell)
~C Open command line. Currently this allows the addition of port forwardings using the -L and -R options (see below). It also
~# List forwarded connections.
~R Request rekeying of the connection (only useful for SSH protocol version 2 and if the peer supports it).
~? Display a list of escape characters.
Useful options you can set in the authorized_keys file
You can put certain options in front of a key in an authorized_keys file on the server (on the same line, before the key type):
from="hostname" This limits access so that only a client connecting from "hostname" with the right key can log in.
command="path/to/command" This is discussed below.
Controlling root logins
On the server, you can use the sshd_config directive PermitRootLogin to allow or disallow logging in directly as root. There is also another value for that directive, 'forced-commands-only', which allows root logins with a key but forces the session to run the specific command given in the authorized_keys file. Like this:
from="special.host.name.com",command="/usr/local/bin/backup.sh" ssh-rsa AAAAB3NzaC1y......
And then usually you would create a special key for root that has an empty passphrase. That way, even if someone else gets the key file, they are only allowed to run one specific command (provided that command does not itself hand control back to the client, for example by running whatever the client asked for).
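As an added example (not part of this page and not the backup.sh script mentioned above), here is what a forced command that actually keeps the "one specific command" promise can look like. It relies on two facts about OpenSSH: when a key carries command=, sshd runs that command instead of the client's request and leaves the request in the environment variable SSH_ORIGINAL_COMMAND; and the options no-port-forwarding, no-pty, no-X11-forwarding and no-agent-forwarding can be listed next to from= and command= to close the other channels a key could use. The wrapper path, the allowlist entries and the --verify flag are hypothetical.

```python
#!/usr/bin/env python3
# Added example: a forced-command wrapper for an authorized_keys entry such as
# (hypothetical path and host):
#
#   from="special.host.name.com",command="/usr/local/bin/ssh-forced.py",no-port-forwarding,no-pty,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1y......
#
# sshd ignores the command the client asked for, runs this wrapper instead and
# puts the client's request in SSH_ORIGINAL_COMMAND.  A wrapper that hands that
# string to a shell unchecked turns "one specific command" back into a full
# shell for whoever holds the key, so only exact allowlisted requests are
# mapped to fixed argument vectors and nothing is ever passed through a shell.
import os
import subprocess
import sys

# Hypothetical allowlist: client request -> exact argv to execute.
ALLOWED = {
    "backup": ["/usr/local/bin/backup.sh"],
    "verify": ["/usr/local/bin/backup.sh", "--verify"],
}
DEFAULT = "backup"   # what a plain 'ssh root@host' with no command gets


def resolve(original_command):
    """Return the argv to run for the client's request, or None to refuse.

    The lookup is an exact string match, so 'backup; id', 'backup && sh'
    or anything else not listed is refused rather than interpreted.
    """
    if original_command is None or original_command.strip() == "":
        return list(ALLOWED[DEFAULT])
    return ALLOWED.get(original_command.strip())


def main():
    argv = resolve(os.environ.get("SSH_ORIGINAL_COMMAND"))
    if argv is None:
        sys.stderr.write("request not permitted for this key\n")
        return 127
    # argv is a list and shell=True is not used: the client controls nothing here.
    return subprocess.call(argv)


if __name__ == "__main__":
    sys.exit(main())
```

Whatever the client types after the host name ends up in SSH_ORIGINAL_COMMAND; with this wrapper it is only ever used as a dictionary key, so the key holder can trigger the backup or the verification run and nothing else.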
Using iptables to slow rapid SSH connection attempts from internet worms
In early 2005 I started to receive large numbers of SSH connection attempts to some of my suso.org servers from a series of internet worms that were making their way around. Below is a graph I made plotting the number of connection attempts per day over about a 110 day period.
The real problem was that these worms would open a connection and leave it open for a while and try common usernames with a variety of passwords, which ended up causing outages of SSH for legitimate users.
So I needed a solution, and fast. I found an iptables match module called hashlimit. The hashlimit module keeps track of how many recent connections (SYN packets) each client has made to a specific port and keeps that state in a kernel table, visible under /proc/net/ipt_hashlimit. You can then control how many connections a specific IP address can make in a period of time. For instance, below is a rule that limits each client to 4 new connections per minute:
/sbin/iptables -A INPUT -p tcp -i eth0 --syn --dport 22 -m hashlimit --hashlimit-name SSH --hashlimit 4/minute \
    --hashlimit-burst 1 --hashlimit-mode srcip --hashlimit-htable-expire 600000 -j ACCEPT
This rule only accepts the SYN packets that are within the limit; it has to be followed by a rule that drops the remaining SYN packets to port 22 (the same -p tcp -i eth0 --syn --dport 22 match with -j DROP instead of -j ACCEPT), or the INPUT chain must have a DROP policy, otherwise nothing is limited. hashlimit works as a token bucket, so a client that has used up its burst is not locked out outright: it gets one further connection attempt about every 15 seconds. The --hashlimit-htable-expire option specifies the number of milliseconds an idle address stays in the table before its entry is removed. This actually works quite well and legitimate users run into this limit very seldom.
Using ssh in a command pipeline for sending data
A colleague of mine at work once had to copy the contents of an old server with a hardware problem over to a replacement server with an identical hard drive configuration. To transfer the data he used one of the coolest uses of ssh in a pipeline I've ever seen. It was something like this:
dd if=/dev/sda | ssh username@new.host.name dd of=/dev/sda
So in this case, ssh becomes a sort of network-transparent 'cat' program. Both disks should be idle while this runs (boot from rescue media rather than copying a mounted, changing filesystem), and the destination device must be at least as large as the source.

