
Thread: OpenSSH


  1. #1
    Join Date
    Feb 2013
    Beans
    3

    OpenSSH

    Hello,

    I recently purchased an old (but still functional) Dell Server, and then put Ubuntu Server edition onto it. It has been my first time with it and I am having loads of fun learning the command line stuff.

    The reason I bought the server was to use it as an SSH Tunnel for my friends and I. I got the OpenSSH Server running on it and have managed to connect to it from other computers (Windows) using Putty. I haven't tried connecting to the server from outside of the network, but I'm guessing you just forward the port for the server and type in the external IP of the network instead of the internal IP. Please correct me if I am wrong.

    I am just testing it with the computers at home, and have made 3 accounts (for my friends), these accounts don't have admin access so they can't do anything (that my friends are capable of doing) but tunnel.

    I know this has been a bit long winded, but here are my 2 questions:

    1) Is there any way to monitor (from my admin account) what is going on? I mean, who is currently logged on, who is consuming the most bandwidth being used by each user, the amount of data downloaded from each user, etc. (I know this is a lot, but so far the possibilities of Ubuntu seem limitless, so it's worth asking!)

    2) Is there any way of controlling my friends? I mean, if I find out they are viewing inappropriate websites, etc, can I ban them? Or limit their bandwidth if they are slowing the connection down?

    Thanks in advance, and any advice, whether it pertains to these questions or not, would be much appreciated,
    -Oliver

  2. #2
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,742
    Distro
    Xubuntu 15.04 Vivid Vervet

    Re: Help with OpenSSH

    I'm guessing you just forward the port for the server and type in the external IP of the network instead of the internal IP.
    Yes. I think it's UDP port 1194 that you must forward.

    Do you plan to simply route them back to the internet, or to provide a proxy web server for them?

    EDIT:
    That's what happens when I answer posts while I have a cold. You wrote OpenSSH tunnel and I read OpenVPN tunnel. So I end up writing rubbish. Please ignore this post.
    Last edited by The Cog; February 20th, 2013 at 01:43 PM.

  3. #3
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Help with OpenSSH

    Quote Originally Posted by The Cog View Post
    Yes. I think it's UDP port 1194 that you must forward.

    Do you plan to simply route them back to the internet, or to provide a proxy web server for them?
    Last time I checked, tunneling a port over ssh was selected by the person setting up the tunnel. Only the specific port where ssh listened was under the admin control. That is usually 22/tcp, but I never simply forward that port from public IPs. Use your router to do forwarding AND port translation. Pick a high port on the router, but forward it to server:22 like always. That way you don't need to change any defaults internally and normal ssh security techniques work without changing the internal port setup.

    Monitoring what other people are doing on UNIX/Linux is easy, if you know the commands. Sadly, I can't tell you the commands to use here, since there are a mix completely dependent on what you want to monitor. ps, vmstat, lsof, and many others will do that. I'd suggest that you read UNIX Power Tools from O'Reilly to get a feel.

    You can ban a user easily. Lock their user account.

    You can throttle a user easily, use iptables.

    I wouldn't allow people to tunnel through my servers unless they were paying, we had a legal contract that prohibited illegal use, and I was 100% positive they wouldn't use it for porn or copyright violations.

    If they have a shell on the box, then local root-escalations are possible on many Linux systems. The community is much more concerned about remote access and remote root access, which is much worse, but there have been some ingenious local root escalations over the years.

    BTW, buying a server for an ssh tunnel seems like overkill. I hope you plan to do something else with it. A $75 Atom-based mini-PC or $22 ARM device can easily provide an ssh tunnel.

    I hope you are using key-based authentication, not passwords, and have fail2ban or similar running too. There's no need for anyone without credentials to get free password cracking access forever.

  4. #4
    Join Date
    Feb 2013
    Beans
    3

    Re: Help with OpenSSH

    Thanks for the replies! I have changed the default ports on internal machines to a custom port because I was having issues with Port 22 for some reason.

    Could you possibly give me a quick command to lock their accounts? I have just discovered how to delete an account, but it is slightly inconvenient to delete and remake accounts when something happens!

    They will be paying me. And thanks for the advice, I should probably draw up some sort of contract. I wasn't going to buy a dedicated one originally, but I found 3 Dell PowerEdge 2650's on eBay for 15 GBP! And I know they are very outdated now, but I'm going to use one of them for SOCKS Tunneling.

    I want to use keys, but I have no idea how they work. And how to use them. And I don't know if I really want to use them because if I'm going to be "renting" spaces on the server off then it might be slightly inconvenient to be passing around keys. All my passwords are over 35 chars, random, and with letters and numbers. I know that's not as secure as keys, but will those passwords suffice?

    And what is fail2ban?

    Thanks again,
    -Oliver

  5. #5
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,742
    Distro
    Xubuntu 15.04 Vivid Vervet

    Re: Help with OpenSSH

    Sorry for the wrong post earlier.

    The quickest way to lock an account is
    Code:
    sudo passwd -l username
    but this won't throw the user off or disconnect his existing connections, just prevent him logging in again. I don't know of a good way to forcibly disconnect anyone except maybe
    Code:
    sudo killall -9 -u username
    I can't think of an easy way to control what they're looking at unless you run a proxy and have them use that (will work for web browsing only). You can use iptables to block http (port 80) on a per-user basis with the --uid-owner qualifier.
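The per-user iptables idea from the post above, worked through as an added example (this is not code from the thread or from any poster). It assumes iptables with the owner, conntrack and connmark modules; the user names and mark numbers are constructed. Forwarded and SOCKS connections leave the tunnel host from an sshd session process running as the tunnel user, so the OUTPUT chain can match them with --uid-owner. Reply packets arrive in INPUT, where there is no socket owner to match, so the connection is marked on its first packet and the mark is matched on the way back. The two jump rules then double as per-user byte counters for upload and download, which answers the "how much did each user transfer" question from the first post.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes iptables with the owner,
# conntrack and connmark modules. User names and marks below are constructed.

# Print the rules for one tunnel user. MARK must be unique per user.
# The per-user chain acct_<name> blocks plain HTTP and otherwise returns.
user_rules() {
    name=$1
    mark=$2
    cat <<EOF
iptables -N acct_$name
iptables -A OUTPUT -m owner --uid-owner $name -m conntrack --ctstate NEW -j CONNMARK --set-mark $mark
iptables -A OUTPUT -m owner --uid-owner $name -j acct_$name
iptables -A INPUT -m connmark --mark $mark -j acct_$name
iptables -A acct_$name -p tcp --dport 80 -j REJECT --reject-with tcp-reset
iptables -A acct_$name -j RETURN
EOF
}

# Print the rules for every user in a "name mark" list read from stdin.
all_user_rules() {
    while read -r name mark; do
        [ -n "$name" ] || continue
        user_rules "$name" "$mark"
    done
}

# Bytes sent (OUTPUT) and received (INPUT) for one user, read from the
# counters on the two jump rules. Needs root.
user_bytes() {
    for chain in OUTPUT INPUT; do
        iptables -vnxL "$chain" | awk -v c="acct_$1" -v ch="$chain" '$3 == c { print ch, $2 }'
    done
}

# Constructed user list: one line per tunnel account, "name mark".
TUNNEL_USERS='bob 1001
carol 1002'

# Stand-alone run: print the rule set. To apply it on the server:
#   printf '%s\n' "$TUNNEL_USERS" | all_user_rules | sudo sh
# To read a user's counters afterwards:  sudo sh -c '. ./this.sh; user_bytes bob'
printf '%s\n' "$TUNNEL_USERS" | all_user_rules
```

The REJECT rule sits in the shared chain, but inbound reply packets carry an ephemeral destination port, never 80, so only the user's own outbound HTTP connections are refused. Note that the owner match only sees packets generated on this host, which is exactly the tunnel case; it does nothing for traffic the box merely routes. Bandwidth shaping proper (rather than blocking) is the job of tc, which can classify on the same connection mark.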

  6. #6
    Join Date
    Mar 2010
    Location
    Metro-ATL; PM free zone.
    Beans
    Hidden!
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Help with OpenSSH

    Quote Originally Posted by crowoy View Post
    Thanks for the replies! I have changed the default ports on internal machines to a custom port because I have having issues with Port 22 for some reason.
    That is scary. Could it be that someone has already hijacked the box? I'd want to figure out the exact issue around port 22 before doing anything else. lsof will help you figure out which program/process has port 22 open.

    Quote Originally Posted by crowoy View Post
    Could you possibly give me a quick command to lock their accounts? I have just discovered how to delete an account, but it is slightly inconvenient to delete and remake accounts when something happens!
    $ man passwd
    tells me that passwd -l doesn't prevent other authentication methods from working. If they are coming in using ssh, then to lock them out, you need to either delete the account or sudo usermod --expiredate 1. Read that man page for details. BTW, I did not know the answer to this - only by carefully reading the man page for passwd, did I see the issue.

    Quote Originally Posted by crowoy View Post
    They will be paying me. And thanks for the advise, I should probably draw up some sort of contract. I wasn't going to buy a dedicated one originally, but I found 3 Dell PowerEdge 2650's on eBay for 15 GBP! And I know they are very outdated not, but I'm going to use one of them for SOCKS Tunneling.
    I suspect that you would have preferred to have (3) US$100 atom boxes instead after you see the power/cooling bills. Then there is the noise issue.

    Quote Originally Posted by crowoy View Post
    I want to use keys, but I have no idea how they work. And how to use them. And I don't know if I really want to use them because if I'm going to be "renting" spaces on the server off then it might back slightly inconvenient to be passing around keys. All my passwords are over 35 chars, random, and with letters and numbers. I know that's not as secure as keys, but will those passwords suffice?
    Keys are more convenient than passwords AND more secure. That doesn't happen very often in life - where the more secure solution is also the more convenient one. There are subtleties of using keys on a commercial offering that I won't try to explain ... just that you want to provide them with their private key and install their public key into their ~/.ssh/ directory. This way, you never need to give them a password to your box. Just keys are used. It is a beautiful thing. If I were doing this, I'd create the keys with a passphrase too - really long, so you know they don't share it easily. Of course, anyone with a little gpg/openssl knowledge can strip the passphrase off the key, so it will only protect you from abuses until they realize that fact.

    Check out ssh-copy-id for how to easily push keys to remote systems. ssh-keygen is how you create keys. 2K keys or larger, please.

    You probably want an ssh-primer first. I find that learning by watching youtube is often helpful.

    Quote Originally Posted by crowoy View Post
    And what is fail2ban?
    Google will explain the details.
    sudo apt-get install fail2ban
    man fail2ban
    will install and explain the complete fail2ban system. Since you've elected to change ssh from port 22, you'll need to read the man page.

    Sorry to send you to read the man pages so much (RTFM), but all that you want to know is inside there. Use the apropos command to search all the man pages, when you don't know exactly what you are seeking.

    Give a man a fish .... teach a man to fish ...
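The account handling discussed across posts #5 and #6, as one added example (not code from the thread or from any poster): creating a tunnel-only account with a key whose authorized_keys entry permits nothing but port forwarding, locking it in a way that also stops key-based logins, and auditing which "locked" accounts are really only password-locked. It assumes Debian/Ubuntu user tools (adduser, usermod, passwd), OpenSSH 7.2 or newer for the restrict option, and the standard nine-field /etc/shadow layout; the user names, hashes and dates in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes adduser/usermod/passwd (Debian,
# Ubuntu), OpenSSH >= 7.2 for "restrict", and the standard /etc/shadow fields:
#   name:password:lastchange:min:max:warn:inactive:expire:reserved

# authorized_keys line for a tunnel-only user: "restrict" disables pty,
# commands and agent/X11 forwarding, then only port forwarding is re-enabled.
tunnel_key_line() {
    printf 'restrict,port-forwarding %s\n' "$1"
}

# Create the account, generate its key pair (passphrase as second argument)
# and install the restricted public key. Hand over /tmp/NAME.key. Needs root.
provision_user() {
    name=$1
    passphrase=$2
    adduser --disabled-password --gecos "" "$name"
    ssh-keygen -t ed25519 -N "$passphrase" -C "$name-tunnel" -f "/tmp/$name.key"
    install -d -m 700 -o "$name" -g "$name" "/home/$name/.ssh"
    tunnel_key_line "$(cat "/tmp/$name.key.pub")" > "/home/$name/.ssh/authorized_keys"
    chown "$name:$name" "/home/$name/.ssh/authorized_keys"
    chmod 600 "/home/$name/.ssh/authorized_keys"
}

# passwd -l only blocks password logins; keys keep working. Expiring the
# account blocks every sshd authentication method. Then drop live sessions.
lock_user() {
    usermod --expiredate 1 "$1"
    passwd -l "$1"
    pkill -KILL -u "$1"
}

# Reverse of lock_user (an empty expiry date removes the expiration).
unlock_user() {
    usermod --expiredate "" "$1"
    passwd -u "$1"
}

# --- audit: classify shadow lines without touching the system ---

# 0 if the password field is locked ('!' prefix) or unusable ('*').
password_locked() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$pw" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if the expire field (days since epoch) is set and not later than $2.
account_expired() {
    exp=$(printf '%s\n' "$1" | cut -d: -f8)
    [ -n "$exp" ] && [ "$exp" -le "$2" ]
}

# locked: no ssh login at all; password-only: keys still work; open: unrestricted.
classify() {
    if account_expired "$1" "$2"; then echo locked
    elif password_locked "$1"; then echo password-only
    else echo open
    fi
}

# Read shadow lines on stdin, print "name state" per account.
audit_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s %s\n' "${line%%:*}" "$(classify "$line" "$1")"
    done
}

# Constructed sample: bob was locked with passwd -l only, carol with usermod
# --expiredate 1, dave expires in the future (day 20000), alice is untouched.
SAMPLE_SHADOW='alice:HASH:19000:0:99999:7:::
bob:!HASH:19000:0:99999:7:::
carol:!HASH:19000:0:99999:7::1:
dave:HASH:19000:0:99999:7::20000:'

# Stand-alone run on the sample, evaluated as of day 19500.
# On a real box: sudo getent shadow | audit_shadow "$(( $(date +%s) / 86400 ))"
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow 19500
```

The audit is the check to run after following the passwd -l advice: any account reported as password-only is still reachable by anyone holding its key. Pair this with PasswordAuthentication no in sshd_config once every customer has a key, so the 35-character passwords stop being an attack surface at all.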

  7. #7
    Join Date
    Mar 2007
    Location
    Denver, CO
    Beans
    7,605
    Distro
    Ubuntu 12.04 Precise Pangolin

    Re: Help with OpenSSH

    What you are asking to do is rather difficult.

    You should first probably create a Linux jail for both of your users -- that would limit the executables that could be run from both of their accounts.

    In order to block websites and restrict content, I'd recommend two options:
    #1 - A properly setup firewall (iptables or ufw (gufw if you want it gui)). This probably more protects your machine, but it can also block various ports
    #2 - Configuration of a web proxy such as squid -- this would be the actual blocking mechanism where various websites could be altered.
