Tag Archives: ssh

Fail2ban Debian 9

Scratch pad with conf files to configure Fail2ban on Debian 9

This setup will configure Fail2ban to monitor SSH and keep track of the bad guys. Every time an IP gets banned, it will be stored in /etc/fail2ban/ip.blacklist .
This files gets processed every time Fail2ban restarts.
A cron will sanitise the file daily.

HOW TO

1) Create a custom action file: /etc/fail2ban/action.d/iptables-allports-CUSTOM.conf

# Fail2Ban configuration file

[INCLUDES]

before = iptables-common.confhttps://docs.google.com/document/d/1DjP5z7tvkaMWJMZXVAnMOCgfynfQNHvRkqJyxQdEB84/edit?usp=sharing


[Definition]

# Option:  actionstart
# Notes.:  command executed once at the start of Fail2Ban.
# Values:  CMD
#
actionstart = <iptables> -N f2b-<name>
              <iptables> -A f2b-<name> -j <returntype>
              <iptables> -I <chain> -p <protocol> -j f2b-<name>
              # Persistent banning of IPs
              cat /etc/fail2ban/ip.blacklist | grep -v ^\s*#|awk '{print $1}' | while read IP; do <iptables> -I f2b-<name> 1 -s $IP -j DROP; done

# Option:  actionstop
# Notes.:  command executed once at the end of Fail2Ban
# Values:  CMD
#
actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>
             <iptables> -F f2b-<name>
             <iptables> -X f2b-<name>

# Option:  actioncheck
# Notes.:  command executed once before each actionban command
# Values:  CMD
#
actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>
            # Persistent banning of IPs
            echo '<ip>' >> /etc/fail2ban/ip.blacklist

# Option:  actionunban
# Notes.:  command executed when unbanning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

# Fail2Ban configuration file

[INCLUDES]

before = iptables-common.confhttps://docs.google.com/document/d/1DjP5z7tvkaMWJMZXVAnMOCgfynfQNHvRkqJyxQdEB84/edit?usp=sharing

[Definition]

# Option: actionstart

# Notes.: command executed once at the start of Fail2Ban.

# Values: CMD

actionstart = <iptables> -N f2b-<name>

# Persistent banning of IPs

cat /etc/fail2ban/ip.blacklist | grep -v ^\s*#|awk '{print $1}' | while read IP; do <iptables> -I f2b-<name> 1 -s $IP -j DROP; done

# Option: actionstop

# Notes.: command executed once at the end of Fail2Ban

# Values: CMD

actionstop = <iptables> -D <chain> -p <protocol> -j f2b-<name>

# Option: actioncheck

# Notes.: command executed once before each actionban command

# Values: CMD

actioncheck = <iptables> -n -L <chain> | grep -q 'f2b-<name>[ \t]'

# Option: actionban

# Notes.: command executed when banning an IP. Take care that the

# command is executed with Fail2Ban user rights.

# Tags: See jail.conf(5) man page

# Values: CMD

actionban = <iptables> -I f2b-<name> 1 -s <ip> -j <blocktype>

# Persistent banning of IPs

echo '<ip>' >> /etc/fail2ban/ip.blacklist

# Option: actionunban

# Notes.: command executed when unbanning an IP. Take care that the

# command is executed with Fail2Ban user rights.

# Tags: See jail.conf(5) man page

# Values: CMD

actionunban = <iptables> -D f2b-<name> -s <ip> -j <blocktype>

[Init]

2) Create /etc/fail2ban/jail.local

# Fail2Ban custom configuration file.


[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host
ignoreip = 127.0.0.1 192.168.1.0/24 192.168.2.0/24

# Ban forever => -1
#bantime=-1

# Ban 3 days => 259200
bantime = 259200 

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.
findtime = 30

banaction = iptables-allports-CUSTOM

[sshd]
enabled = true
filter = sshd
logfile = /var/log/auth.log
maxretry = 3

# Fail2Ban custom configuration file.

[DEFAULT]

# "ignoreip" can be an IP address, a CIDR mask or a DNS host

ignoreip = 127.0.0.1 192.168.1.0/24 192.168.2.0/24

# Ban forever => -1

#bantime=-1

# Ban 3 days => 259200

bantime = 259200

# A host is banned if it has generated "maxretry" during the last "findtime" seconds.

findtime = 30

banaction = iptables-allports-CUSTOM

[sshd]

enabled = true

filter = sshd

logfile = /var/log/auth.log

maxretry = 3

3) Remove the default debian jail configuration (is integrated in the above custom jail.local file):

rm -f /etc/fail2ban/jail.d/defaults-debian.conf

1	rm -f /etc/fail2ban/jail.d/defaults-debian.conf

4) Set this cron:

# Daily rotate of ip.blacklist
0 20 * * * tail -100 /etc/fail2ban/ip.blacklist | sort | uniq > /tmp/ip.blacklist ; cat /tmp/ip.blacklist > /etc/fail2ban/ip.blacklist ; rm -f /tmp/ip.blacklist > /dev/null 2>&1

1 2	# Daily rotate of ip.blacklist 0 20 * * * tail -100 /etc/fail2ban/ip.blacklist \| sort \| uniq > /tmp/ip.blacklist ; cat /tmp/ip.blacklist > /etc/fail2ban/ip.blacklist ; rm -f /tmp/ip.blacklist > /dev/null 2>&1

5) Run the cron manually once, just to be sure all works AND to have an empty file

6) Restart Fail2ban … and good luck 😉

Email notification for successful SSH connection

If you manage a remote server, and you are a bit paranoiac about the bad guys outside, it could be nice to have some sort of notification every time a SSH connection is successful.

I found this post and it seems working pretty well for me as well.
I’ve installed this on my CentOS7 server and seems working good! Of course, this in addition to an aggressive Fail2Ban setup.

Make sure you have your MTA (Postfix/Sendmail…) configured to deliver emails to the user root
Make sure you get the emails for the user root (otherwise doesn’t make any sense 😛 )

Create this script (this is a slightly modified version comparing with the one in the original post:

#!/bin/sh
if [ "$PAM_TYPE" != "open_session" ]
then
  exit 0
else
  {
    echo "User: $PAM_USER"
    echo "Remote Host: $PAM_RHOST"
    echo "Service: $PAM_SERVICE"
    echo "TTY: $PAM_TTY"
    echo "Date: `date`"
    echo "Server: `uname -a`"
  } | mail -s "$PAM_SERVICE login on `hostname -s` from user $PAM_USER@$PAM_RHOST" root
fi
exit 0

#!/bin/sh

if [ "$PAM_TYPE" != "open_session" ]

then

exit 0

else

{

echo "User: $PAM_USER"

echo "Remote Host: $PAM_RHOST"

echo "Service: $PAM_SERVICE"

echo "TTY: $PAM_TTY"

echo "Date: `date`"

echo "Server: `uname -a`"

} | mail -s "$PAM_SERVICE login on `hostname -s` from user $PAM_USER@$PAM_RHOST" root

exit 0

Set the permission:

Shell

chmod +x /usr/local/bin/send-mail-on-ssh-login.sh

1

chmod +x /usr/local/bin/send-mail-on-ssh-login.sh
Append this line to /etc/pam.d/sshd

Shell

session optional pam_exec.so /usr/local/bin/send-mail-on-ssh-login.sh

1

session optional pam_exec.so /usr/local/bin/send-mail-on-ssh-login.sh
…and that’s it! 😉

If you’d like to have a specific domain/IP whitelisted, for example if you don’t want to get notified when you connect from your office or your home (fixed IP or dynamic IP is required), you can use this version of the script:

#!/bin/bash
if [ "$PAM_TYPE" != "open_session" ]; then
  exit 0
else
  MSG="$PAM_SERVICE login on `hostname -s` from user $PAM_USER@$PAM_RHOST"
  # check if the PAM_RHOST is shown as IP
  echo "$PAM_RHOST" | grep -q -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
  if [ $? -eq 0 ]; then
    SRCIP=$PAM_RHOST
  else
    SRCIP=$(dig +short $PAM_RHOST)
  fi
  SAFEIP=$(dig +short myofficedomain.com)
  if [ "$SRCIP" == "$SAFEIP" ]; then
    echo "Authorised $MSG" | logger
  else
  {
    echo "User: $PAM_USER"
    echo "Remote Host: $PAM_RHOST"
    echo "Service: $PAM_SERVICE"
    echo "TTY: $PAM_TTY"
    echo "Date: `date`"
    echo "Server: `uname -a`"
  } | mail -s "Unexpected $MSG" root
  fi
fi
exit 0

#!/bin/bash

if [ "$PAM_TYPE" != "open_session" ]; then

exit 0

else

MSG="$PAM_SERVICE login on `hostname -s` from user $PAM_USER@$PAM_RHOST"

# check if the PAM_RHOST is shown as IP

echo "$PAM_RHOST" | grep -q -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

if [ $? -eq 0 ]; then

SRCIP=$PAM_RHOST

else

SRCIP=$(dig +short $PAM_RHOST)

SAFEIP=$(dig +short myofficedomain.com)

if [ "$SRCIP" == "$SAFEIP" ]; then

echo "Authorised $MSG" | logger

else

{

echo "User: $PAM_USER"

echo "Remote Host: $PAM_RHOST"

echo "Service: $PAM_SERVICE"

echo "TTY: $PAM_TTY"

echo "Date: `date`"

echo "Server: `uname -a`"

} | mail -s "Unexpected $MSG" root

exit 0

The script will send an email ONLY if the source IP is not the one from myofficedomain.com; however, it will log the authentication in /var/log/messages using logger command.

Fail2ban notes

General notes about Fail2ban

### Fail2Ban ###

Best practise:
- do NOT edit /etc/fail2ban/jail.conf BUT create a new /etc/fail2ban/jail.local file

=============================================================
# Test fail2ban regex:
example: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf
example2: fail2ban-regex --print-all-matched/var/log/secure /etc/fail2ban/filter.d/sshd.conf

=============================================================
# Remove email notifications:

comment out 'sendmail-whois' from action in [ssh-iptables]
FYI, comment with # at the BEGINNING of the line like this or it won't work!!!

[ssh-iptables]

enabled  = true
filter   = sshd
action   = iptables[name=SSH, port=ssh, protocol=tcp]
#           sendmail-whois[name=SSH, dest=root, sender=fail2ban@example.com, sendername="Fail2Ban"]
logpath  = /var/log/secure
maxretry = 5


=============================================================
# Wordpress wp-login - block POST attacks

/etc/fail2ban/jail.local

[apache-wp-login]
enabled = true
port = http,https
filter = apache-wp-login
logpath = /var/log/httpd/blog.tian.it-access.log
maxretry = 3
bantime = 604800 ; 1 week
findtime = 120

----------------------------------------------------------------------------------------------------------------------

/etc/fail2ban/filter.d/apache-wp-login.conf
[Definition]
failregex = <HOST>.*POST.*wp-login.php HTTP/1.1
ignoreregex =

=============================================================

# Manually ban an IP:
fail2ban-client -vvv set <CHAIN> banip <IP>

# Check status of sshd chain
fail2ban-client status sshd

### Fail2Ban ###

Best practise:

- do NOT edit /etc/fail2ban/jail.conf BUT create a new /etc/fail2ban/jail.local file

=============================================================

# Test fail2ban regex:

example: fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/sshd.conf

example2: fail2ban-regex --print-all-matched/var/log/secure /etc/fail2ban/filter.d/sshd.conf

=============================================================

# Remove email notifications:

comment out 'sendmail-whois' from action in [ssh-iptables]

FYI, comment with # at the BEGINNING of the line like this or it won't work!!!

[ssh-iptables]

enabled = true

filter = sshd

action = iptables[name=SSH, port=ssh, protocol=tcp]

# sendmail-whois[name=SSH, dest=root, [email protected], sendername="Fail2Ban"]

logpath = /var/log/secure

maxretry = 5

=============================================================

# Wordpress wp-login - block POST attacks

/etc/fail2ban/jail.local

[apache-wp-login]

enabled = true

port = http,https

filter = apache-wp-login

logpath = /var/log/httpd/blog.tian.it-access.log

maxretry = 3

bantime = 604800 ; 1 week

findtime = 120

----------------------------------------------------------------------------------------------------------------------

/etc/fail2ban/filter.d/apache-wp-login.conf

[Definition]

failregex = <HOST>.*POST.*wp-login.php HTTP/1.1

ignoreregex =

=============================================================

# Manually ban an IP:

fail2ban-client -vvv set <CHAIN> banip <IP>

# Check status of sshd chain

fail2ban-client status sshd

How to “SSH” brute force

If you want to make safer your remote server, it is good practise to use a good combination of sshd setup and fail2ban.

Firstly, you should setup your server to allow only key auth, and no passwords. This will drastically reduce the risk. This means anyway that you need to keep your ssh key safe and you won’t be able to access your server unless you have this key. Most of the time is something possible 🙂

For this reason, I’m explaining here how I configured my server.

SSHD

/etc/ssh/sshd_config

Have these settings in the config file (NOTE: the verbosity is for Fail2ban)

LogLevel VERBOSE

PasswordAuthentication no

LogLevel VERBOSE

PasswordAuthentication no

(restart sshd)

/etc/fail2ban/jail.local

[DEFAULT]
# Ban hosts for 
# one hour:
#bantime = 3600

# one day:
bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"
# # seconds.
findtime  = 30

# # "maxretry" is the number of failures before a host get banned.
maxretry = 5

# Override /etc/fail2ban/jail.d/00-firewalld.conf:
banaction = iptables-multiport

[sshd]
enabled = true
filter = sshd-aggressive
port     = ssh
logpath  = /var/log/secure
maxretry = 3
findtime = 30
bantime  = 86400

[DEFAULT]

# Ban hosts for

# one hour:

#bantime = 3600

# one day:

bantime = 86400

# A host is banned if it has generated "maxretry" during the last "findtime"

# # seconds.

findtime = 30

# # "maxretry" is the number of failures before a host get banned.

maxretry = 5

# Override /etc/fail2ban/jail.d/00-firewalld.conf:

banaction = iptables-multiport

[sshd]

enabled = true

filter = sshd-aggressive

port = ssh

logpath = /var/log/secure

maxretry = 3

findtime = 30

bantime = 86400

/etc/fail2ban/filter.d/sshd.conf

Add a custom section after the ddos one:

custom = ^%(__prefix_line_sl)sDisconnected from <HOST> port [0-9]+ \[preauth\]$

1	custom = ^%(__prefix_line_sl)sDisconnected from <HOST> port [0-9]+ \[preauth\]$

This line matches whoever tries to connect without a proper ssh key.

Add this line to include custom to the sshd-aggressive setup:

aggressive = %(normal)s
             %(ddos)s
             %(custom)s

aggressive = %(normal)s

%(ddos)s

%(custom)s

Linux SSH auth passwordless using key

Pretty basic, but handy for whoever start playing with Linux.

Here simple steps to follow in order to have box1 to be able to connect securely to box2 over SSH without being required to insert password.
This is very handy if you run scripts 😉

On BOX1

You can run this as any user.

ssh-keygen -b 1024 -t rsa -f id_rsa -P ""

1	ssh-keygen -b 1024 -t rsa -f id_rsa -P ""

This will generate ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key).
The .pub is the key that needs to be appended in ~/.ssh/authorized_keys on BOX2.

If the following command is available, that’s the best/safest way to setup BOX2.

ssh-copy-id user@box2

1	ssh-copy-id user@box2

Password for user on box2 will be requested.
Once completed, you can try to ssh [email protected] and theoretically you should be able to connect without need to insert the password again!

If ssh-copy-id does not exist (e.g. Mac or other Distros), you can scp the .pub file and append it as per below:

scp ~/.ssh/id_rsa.pub user@box2:/tmp

1	scp ~/.ssh/id_rsa.pub user@box2:/tmp

Then connect to box2 with user and run this:

cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys
rm -f /tmp/id_rsa.pub

1 2	cat /tmp/id_rsa.pub >> ~/.ssh/authorized_keys rm -f /tmp/id_rsa.pub

After those 2 commands, the key should be added to the authorised ones, so ssh [email protected] should work.

NOTE: if you are experiencing issues, please make sure that the permissions of id_rsa file is 600 on BOX1 and that sshd_conf on BOX2 is set to allow key auth connections

Remote port forwarding via SSH

Imagine that you want to access a specific port on a remote server from your local machine. Basically, a “remote port forwarding”.

This remote server is not accessible directly from internet. It is NAT’d behind firewall.
To access the remote server you need to connect firstly to a remote bastion server (accessible from internet) and from there, you will be able to access the server.
Your current machine is also within restricted network and unable to ssh out. You can ssh into a local bastion server only. From this local bastion you can ssh out.

As long as you have access to the 2 bastions servers, you will be able to run the following script.

+-------------------------------+                  +-------------------------------+
|                               |                  |                               |
| +--------+         +--------+ |                  | +--------+         +--------+ |
| | LOCAL  |         | LOCAL  | |                  | | REMOTE |         | REMOTE | |
| | MACHINE| +-----> | BASTION| +---> INTERNET +---> | BASTION| +-----> | SERVER | |
| |        |         |        | |                  | |        |         |        | |
| +--------+         +--------+ |                  | +--------+         +--------+ |
|                               |                  |                               |
+-------------------------------+                  +-------------------------------+

+-------------------------------+ +-------------------------------+

| | | |

| +--------+ +--------+ | | +--------+ +--------+ |

| | | | | | | | | | | |

| +--------+ +--------+ | | +--------+ +--------+ |

| | | |

+-------------------------------+ +-------------------------------+

The script points/links a local_port on your local machine to the ssh port of the remote bastion, via your local bastion.
After that, it will connect the remote port or the remote server to a new_local_port, ssh’ing via local_port.

Example below shows a way to have the VNC port 5900 available locally on port 5910.
I’m using port 8888 as local port.
Local Bastion ssh port is 8022.
Remote Bastion ssh port is 9022.

Example:

ssh -N -f -p 8022 -L8888:remote_bastion:9022 local_bastion_user@local_bastion
ssh -N -f -p 8888 -L5910:remote_server:5900 remote_bastion_user@localhost

1 2	ssh -N -f -p 8022 -L8888:remote_bastion:9022 local_bastion_user@local_bastion ssh -N -f -p 8888 -L5910:remote_server:5900 remote_bastion_user@localhost

And here a full script:

#!/bin/bash
#
# ============================================ #
# PORT FORWARD from CURRENT_HOST to DEST_HOST  #
# via LOC_BASTION and REMOTE_BASTION           #
# ============================================ #
#
# The scripts creates an SSH tunnel connecting
# the local port TUN_LOC_PORT to the REMOTE_BASTION ssh port
# via LOC_BASTION.
# After that, it forwards the remote port DEST_FW_PORT to
# DEST_FW_PORT using the ssh tunnel just created.
#
###########################################################

LOC_BASTION_HOST=""
LOC_BASTION_USER=""
LOC_BASTION_SSH_PORT=""

REMOTE_BASTION_HOST=""
REMOTE_BASTION_USER=""
REMOTE_BASTION_SSH_PORT=""

DEST_HOST=""
DEST_USER=""
DEST_FW_PORT="5900"

TUN_LOC_PORT="8888"
LISTENING_LOC_PORT=""

############################################################

CHECK_TUNS=$(ps aux | grep "[s]sh -N -f -p $LOC_BASTION_SSH_PORT -L$TUN_LOC_PORT:$REMOTE_BASTION_HOST:$REMOTE_BASTION_SSH_PORT $LOC_BASTION_USER@$LOC_BASTION_HOST" | awk '{print $2}')

N_TUNS=$(echo $CHECK_TUNS | wc -l)

create_tunnel(){
  # Create a connection between localhost:$TUN_LOC_PORT to MIDDLE_BOX:SSH_PORT
  # It will ask for MIDDLE_BOX's password
  # -N -f keep the connection open in background executing No commands
  ssh -N -f -p $LOC_BASTION_SSH_PORT -L$TUN_LOC_PORT:$REMOTE_BASTION_HOST:$REMOTE_BASTION_SSH_PORT $LOC_BASTION_USER@$LOC_BASTION_HOST
  echo "Created new tunnel"
}

check_tunnel(){
nc -w 1 -z localhost $TUN_LOC_PORT > /dev/null 2>&1
}

reset_tunnel() {
for PID in $CHECK_TUNS; do
   kill -9 $PID > /dev/null 2>&1
   echo "Found multiple tunnels. Killed all."
done
}


# Hidden function. Add 'cleanup' as argument to close all the tunnels
[ "$1" == "cleanup" ] && reset_tunnel && exit 0

if [ $N_TUNS -eq 0 ] ; then
   create_tunnel
elif [ $N_TUNS -eq 1 ] ; then
   check_tunnel
   if [ $? -eq 0 ] ; then
      echo "Tunnel already up and running"
   else
      reset_tunnel
      create_tunnel
   fi
else
   reset_tunnel
   create_tunnel
fi


CHECK_PORT_FWD=$(ps aux | grep -q "[s]sh -N -f -p $TUN_LOC_PORT -L$LISTENING_LOC_PORT:$DEST_HOST:$DEST_FW_PORT -l $REMOTE_BASTION_USER localhost")
if [ $? -eq 0 ] ; then
   echo "Port forward already created. Remote port $DEST_FW_PORT should be accessible on localhost port $LISTENING_LOC_PORT"
   exit 0
 else
   # This will create 'link' between $DEST_FW_PORT from $DEST_HOST to $TUN_LOC_PORT on localhost
   echo "Creating link between $DEST_FW_PORT to $TUN_LOC_PORT on localhost via $DEST_HOST"
   ssh -N -f -p $TUN_LOC_PORT -L$LISTENING_LOC_PORT:$DEST_HOST:$DEST_FW_PORT -l $REMOTE_BASTION_USER localhost
   echo "You can now access $DEST_FW_PORT listening on $DEST_HOST from localhost on port $LISTENING_LOC_PORT."
fi

#!/bin/bash

# ============================================ #

# PORT FORWARD from CURRENT_HOST to DEST_HOST #

# via LOC_BASTION and REMOTE_BASTION #

# ============================================ #

# The scripts creates an SSH tunnel connecting

# the local port TUN_LOC_PORT to the REMOTE_BASTION ssh port

# via LOC_BASTION.

# After that, it forwards the remote port DEST_FW_PORT to

# DEST_FW_PORT using the ssh tunnel just created.

###########################################################

LOC_BASTION_HOST=""

LOC_BASTION_USER=""

LOC_BASTION_SSH_PORT=""

REMOTE_BASTION_HOST=""

REMOTE_BASTION_USER=""

REMOTE_BASTION_SSH_PORT=""

DEST_HOST=""

DEST_USER=""

DEST_FW_PORT="5900"

TUN_LOC_PORT="8888"

LISTENING_LOC_PORT=""

############################################################

CHECK_TUNS=$(ps aux | grep "[s]sh -N -f -p $LOC_BASTION_SSH_PORT -L$TUN_LOC_PORT:$REMOTE_BASTION_HOST:$REMOTE_BASTION_SSH_PORT $LOC_BASTION_USER@$LOC_BASTION_HOST" | awk '{print $2}')

N_TUNS=$(echo $CHECK_TUNS | wc -l)

create_tunnel(){

# Create a connection between localhost:$TUN_LOC_PORT to MIDDLE_BOX:SSH_PORT

# It will ask for MIDDLE_BOX's password

# -N -f keep the connection open in background executing No commands

ssh -N -f -p $LOC_BASTION_SSH_PORT -L$TUN_LOC_PORT:$REMOTE_BASTION_HOST:$REMOTE_BASTION_SSH_PORT $LOC_BASTION_USER@$LOC_BASTION_HOST

echo "Created new tunnel"

}

check_tunnel(){

nc -w 1 -z localhost $TUN_LOC_PORT > /dev/null 2>&1

}

reset_tunnel() {

for PID in $CHECK_TUNS; do

kill -9 $PID > /dev/null 2>&1

echo "Found multiple tunnels. Killed all."

done

}

# Hidden function. Add 'cleanup' as argument to close all the tunnels

[ "$1" == "cleanup" ] && reset_tunnel && exit 0

if [ $N_TUNS -eq 0 ] ; then

create_tunnel

elif [ $N_TUNS -eq 1 ] ; then

check_tunnel

if [ $? -eq 0 ] ; then

echo "Tunnel already up and running"

else

reset_tunnel

create_tunnel

else

reset_tunnel

create_tunnel

CHECK_PORT_FWD=$(ps aux | grep -q "[s]sh -N -f -p $TUN_LOC_PORT -L$LISTENING_LOC_PORT:$DEST_HOST:$DEST_FW_PORT -l $REMOTE_BASTION_USER localhost")

if [ $? -eq 0 ] ; then

echo "Port forward already created. Remote port $DEST_FW_PORT should be accessible on localhost port $LISTENING_LOC_PORT"

exit 0

else

# This will create 'link' between $DEST_FW_PORT from $DEST_HOST to $TUN_LOC_PORT on localhost

echo "Creating link between $DEST_FW_PORT to $TUN_LOC_PORT on localhost via $DEST_HOST"

ssh -N -f -p $TUN_LOC_PORT -L$LISTENING_LOC_PORT:$DEST_HOST:$DEST_FW_PORT -l $REMOTE_BASTION_USER localhost

echo "You can now access $DEST_FW_PORT listening on $DEST_HOST from localhost on port $LISTENING_LOC_PORT."

SSH tunnel from A to B via jumpbox

Here a basic script that you can use if you want to connect from your local box, via a middle linux machine, to a third host.
It will also allow you to use FoxyProxy on your browser and browse the internal network of the destination box.

BOX_A <==== MIDDLE_BOX ====> BOX_B

The goal is having access from BOX_A to BOX_B via MIDDLE_BOX

MIDDLE_BOX is the only one that can talk withBOX_A and BOX_B

#!/bin/bash
#
# ==================================================== #
# Tunnel from CURRENT_HOST to DEST_HOST via MIDDLE_BOX #
# ==================================================== #
#
# The scripts connects the local port 8888 
# to the SSH port on DEST_BOX via MIDDLE_BOX.
#

MIDDLE_BOX_HOST="bastion_server.localdomain.loc"
MIDDLE_BOX_USER="username"
MIDDLE_BOX_SSH_PORT="22"

DEST_BOX_HOST="destination_host.domain.com"
DEST_BOX_USER="username"
DEST_BOX_SSH_PORT="22"

LOC_PORT=8888
SOCK_PORT=9050

############################################################

CHECK_TUNS=$(ps aux | grep "[s]sh -N -f -p $MIDDLE_BOX_SSH_PORT -L$LOC_PORT:$DEST_BOX_HOST:$DEST_BOX_SSH_PORT $MIDDLE_BOX_USER@$MIDDLE_BOX_HOST" | awk '{print $2}')

N_TUNS=$(echo $CHECK_TUNS | wc -l)

create_tunnel(){
  # Create a connection between localhost:$LOC_PORT to MIDDLE_BOX:SSH_PORT
  # It will ask for MIDDLE_BOX's password
  # -N -f keep the connection open in background executing No commands
  ssh -N -f -p $MIDDLE_BOX_SSH_PORT -L$LOC_PORT:$DEST_BOX_HOST:$DEST_BOX_SSH_PORT $MIDDLE_BOX_USER@$MIDDLE_BOX_HOST
  echo "Created new tunnel"
}

check_tunnel(){
nc -w 1 -z localhost $LOC_PORT > /dev/null 2>&1
}

reset_tunnel() {
for PID in $CHECK_TUNS; do
   kill -9 $PID > /dev/null 2>&1
   echo "Found multiple tunnels. Killed all."
done
}

# Hidden function. Add 'cleanup' as argument to close all the tunnels
[ "$1" == "cleanup" ] && reset_tunnel && exit 0

if [ $N_TUNS -eq 0 ] ; then
   create_tunnel
elif [ $N_TUNS -eq 1 ] ; then
   check_tunnel
   if [ $? -eq 0 ] ; then
      echo "Tunnel already up and running"
   else
      reset_tunnel
      create_tunnel
   fi
else
   reset_tunnel
   create_tunnel
fi


CHECK_SOCK=$(ps aux | grep -q "[s]sh -D$SOCK_PORT -p$LOC_PORT $DEST_BOX_USER@localhost")
if [ $? -eq 0 ] ; then
   echo "Sock already created on port $SOCK_PORT - just opening SSH shell on $DEST_BOX_HOST"
   ssh -p$LOC_PORT $DEST_BOX_USER@localhost
 else
   # This will open an SSH shell from DEST_BOX *AND* create a sock proxy on port $SOCK_PORT locally
   # You can use FoxyProxy in your browser to browse the DEST_BOX's network
   # Just set "localhost", dest port "$SOCK_PORT" and select "Socks Proxy"
   echo "Created sock on port $SOCK_PORT and ssh'ing on $DEST_BOX_HOST"
   ssh -D$SOCK_PORT -p$LOC_PORT $DEST_BOX_USER@localhost
fi

#!/bin/bash

# ==================================================== #

# Tunnel from CURRENT_HOST to DEST_HOST via MIDDLE_BOX #

# ==================================================== #

# The scripts connects the local port 8888

# to the SSH port on DEST_BOX via MIDDLE_BOX.

MIDDLE_BOX_HOST="bastion_server.localdomain.loc"

MIDDLE_BOX_USER="username"

MIDDLE_BOX_SSH_PORT="22"

DEST_BOX_HOST="destination_host.domain.com"

DEST_BOX_USER="username"

DEST_BOX_SSH_PORT="22"

LOC_PORT=8888

SOCK_PORT=9050

############################################################

CHECK_TUNS=$(ps aux | grep "[s]sh -N -f -p $MIDDLE_BOX_SSH_PORT -L$LOC_PORT:$DEST_BOX_HOST:$DEST_BOX_SSH_PORT $MIDDLE_BOX_USER@$MIDDLE_BOX_HOST" | awk '{print $2}')

N_TUNS=$(echo $CHECK_TUNS | wc -l)

create_tunnel(){

# Create a connection between localhost:$LOC_PORT to MIDDLE_BOX:SSH_PORT

# It will ask for MIDDLE_BOX's password

# -N -f keep the connection open in background executing No commands

ssh -N -f -p $MIDDLE_BOX_SSH_PORT -L$LOC_PORT:$DEST_BOX_HOST:$DEST_BOX_SSH_PORT $MIDDLE_BOX_USER@$MIDDLE_BOX_HOST

echo "Created new tunnel"

}

check_tunnel(){

nc -w 1 -z localhost $LOC_PORT > /dev/null 2>&1

}

reset_tunnel() {

for PID in $CHECK_TUNS; do

kill -9 $PID > /dev/null 2>&1

echo "Found multiple tunnels. Killed all."

done

}

# Hidden function. Add 'cleanup' as argument to close all the tunnels

[ "$1" == "cleanup" ] && reset_tunnel && exit 0

if [ $N_TUNS -eq 0 ] ; then

create_tunnel

elif [ $N_TUNS -eq 1 ] ; then

check_tunnel

if [ $? -eq 0 ] ; then

echo "Tunnel already up and running"

else

reset_tunnel

create_tunnel

else

reset_tunnel

create_tunnel

CHECK_SOCK=$(ps aux | grep -q "[s]sh -D$SOCK_PORT -p$LOC_PORT [email protected]")

if [ $? -eq 0 ] ; then

echo "Sock already created on port $SOCK_PORT - just opening SSH shell on $DEST_BOX_HOST"

ssh -p$LOC_PORT $DEST_BOX_USER@localhost

else

# This will open an SSH shell from DEST_BOX *AND* create a sock proxy on port $SOCK_PORT locally

# You can use FoxyProxy in your browser to browse the DEST_BOX's network

# Just set "localhost", dest port "$SOCK_PORT" and select "Socks Proxy"

echo "Created sock on port $SOCK_PORT and ssh'ing on $DEST_BOX_HOST"

ssh -D$SOCK_PORT -p$LOC_PORT $DEST_BOX_USER@localhost

My notepad

Chris' IT notes…

Tag Archives: ssh

Fail2ban Debian 9

HOW TO

Email notification for successful SSH connection

Fail2ban notes

General notes about Fail2ban

How to “SSH” brute force

SSHD

/etc/ssh/sshd_config

/etc/fail2ban/jail.local

/etc/fail2ban/filter.d/sshd.conf

Linux SSH auth passwordless using key

Remote port forwarding via SSH

SSH tunnel from A to B via jumpbox