Useful Commands/Security: Difference between revisions

 
(146 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Frequently Used Commands =
{| class="wikitable"
{| class="wikitable"
! TODO || Command
! TODO || Command
|-
| Automatically accept fingerprint. ||
<syntaxhighlight lang="bash">
ssh -o "StrictHostKeyChecking no" ...
</syntaxhighlight>
|-
|-
| Indirect outgoing for PostgreSQL ||
| Indirect outgoing for PostgreSQL ||
<source lang="bash">
<syntaxhighlight lang="bash">
# [Private]
# [Private]
# localhost -> localhost:15432
# localhost -> localhost:15432
Line 15: Line 21:
#    -> somewhere.com:5432
#    -> somewhere.com:5432
ssh -NCfL *:15432:somewhere.com:5432 server
ssh -NCfL *:15432:somewhere.com:5432 server
</source>
</syntaxhighlight>
|-
|-
| Indirect outgoing for Web ||
| Indirect outgoing for Web ||
<source lang="bash">
<syntaxhighlight lang="bash">
# [Private]
# [Private]
# localhost -> localhost:3128
# localhost -> localhost:3128
Line 30: Line 36:
#    -> *:*
#    -> *:*
ssh -NCfD *:3128 server
ssh -NCfD *:3128 server
</source>
</syntaxhighlight>
|-
|-
| Share MariaDB in LAN ||
| Share MariaDB in LAN ||
<source lang="bash">
<syntaxhighlight lang="bash">
# Step 1: Listen (Run at LAN)
# Step 1: Listen (Run at LAN)
# Listen server:13306 -> server:22
# Listen server:13306 -> server:22
Line 45: Line 51:
#    -> localhost:3306
#    -> localhost:3306
ssh -NCfL *:3306:localhost:13306 localhost
ssh -NCfL *:3306:localhost:13306 localhost
</source>
</syntaxhighlight>
|-
|-
| List tunnels ||
| List tunnels ||
<source lang="bash">
<syntaxhighlight lang="bash">
# List full commands.
# List full commands.
ps ax | awk '/ssh \-NCf/ { print $0 }'
ps ax | awk '/ssh \-NCf/ { print $0 }'
Line 60: Line 66:
# Kill all tunnels.
# Kill all tunnels.
kill $(ps ax | awk '/ssh \-NCf/ { print $1 }')
kill $(ps ax | awk '/ssh \-NCf/ { print $1 }')
</source>
</syntaxhighlight>
|-
|-
| Generate key pair ||
| Generate key pair ||
<source lang="bash">
<syntaxhighlight lang="bash">
# Save as default name id_rsa, id_rsa.pub
# Save as default name id_rsa, id_rsa.pub
ssh-keygen
ssh-keygen
Line 70: Line 76:
# Save as thefuck, thefuck.pub with password  
# Save as thefuck, thefuck.pub with password  
ssh-keygen -f abc -N '12345'  
ssh-keygen -f abc -N '12345'  
</source>
# Generate ed25519 key
ssh-keygen -t ed25519 -f sucks.pem
ssh-keygen -t ed25519 -f sucks.pem -C nobody@sucks.com
</syntaxhighlight>
|-
|-
| Generate public key from private key ||
| Generate public key from private key ||
<source lang="bash">
<syntaxhighlight lang="bash">
# Dump
# Dump
ssh-keygen -yf thefuck.pem
ssh-keygen -yf thefuck.pem
Line 82: Line 91:
# Append into authorized_keys
# Append into authorized_keys
ssh-keygen -yf thefuck.pem >> authorized_keys
ssh-keygen -yf thefuck.pem >> authorized_keys
</source>
</syntaxhighlight>
|}
|}


= Forward DNS service =
= Access resources without VPN =
<quickgv name="ncflow" theme="warm">
== Lesson 1: UDP -> UDP ==
{| class="wikitable"
! Command || Routing
|-
| valign="top" |
<syntaxhighlight lang="bash">
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53
</syntaxhighlight>
|
<quickgv name="LS1" theme="warm">
rankdir=TB;
rankdir=TB;


CLIENT [label="DNS request\n$ nslookup www.facebook.com localhost"];
subgraph cluster_office {
SS [label="UDP Service LISTEN *:53\n$ nc -u -l 53 > outgoing.fifo < incoming.fifo"];
  label="Office";
SOCK [label="UDP Connection 192.168.1.1:53\n$ nc -u 192.168.1.1 53 > incoming.fifo < outgoing.fifo"];
 
DNS [label="DNS Server"];
  A [label="nslookup www.google.com 127.0.0.1"];
  B [label="sudo socat -d -d ..."];
  C [label="DNS Server"];
 
  A -> B [xlabel="1. udp",color="#ff0000"];
  B -> C [xlabel="2. udp",color="#ff0000"];
  C -> B [xlabel="3. udp",color="#0000ff"];
  B -> A [xlabel="4. udp",color="#0000ff"];
}
</quickgv>
|}
 
== Lesson 2: UDP -> TCP -> UDP ==
{| class="wikitable"
! Command || Routing
|-
| valign="top" |
<syntaxhighlight lang="bash">
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053
 
socat -d -d \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53
</syntaxhighlight>
|
<quickgv name="LS2" theme="warm">
rankdir=TB;
subgraph cluster_office {
  label="Office";


OF [label="outgoing.fifo"];
  A [label="nslookup www.google.com 127.0.0.1"];
IF [label="incoming.fifo"];
  B [label="sudo socat -d -d udp4-recvfrom:53 ..."];
  C [label="socat -d -d tcp4-listen ..."];
  D [label="DNS Server"];


CLIENT -> SS [label="1",dir="forward"];
  A -> B [xlabel="1. udp",color="#ff0000"];
// SS -> CLIENT [label="8"];
  B -> C [xlabel="2. tcp",color="#ff0000"];
SS -> OF [label="2"];
  C -> D [xlabel="3. udp",color="#ff0000"];
SS -> IF [label="7", dir="back"];
  D -> C [xlabel="4. udp",color="#0000ff"];
OF -> SOCK [label="3"];
  C -> B [xlabel="5. tcp",color="#0000ff"];
IF -> SOCK [label="6", dir="back"];
  B -> A [xlabel="6. udp",color="#0000ff"];
SOCK -> DNS [label="4"];
}
// DNS -> SOCK [label="5"];
</quickgv>
</quickgv>
|}
== Lesson 3: UDP -> SSH -> TCP -> UDP ==
{| class="wikitable"
! Command || Routing
|-
| valign="top" |
<syntaxhighlight lang="bash">
# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &
ssh -NCfR 1053:127.0.0.1:1053 home
# Step 2. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &
</syntaxhighlight>
|
<quickgv name="LS3" theme="warm">
rankdir=TB;
subgraph cluster_home {
  label="Home";
  A [label="nslookup www.google.com 127.0.0.1"];
  B [label="sudo socat ... udp4-recvfrom:53 ..."];
}
subgraph cluster_office {
  label="Office";
  C [label="ssh -NCfR ..."];
  D [label="socat ... tcp4-listen ..."];
  E [label="DNS Server"];
}
A -> B [xlabel="1 udp",color="#ff0000"];
B -> C [xlabel="2 ssh",color="#ff0000"];
C -> D [xlabel="3 tcp",color="#ff0000"];
D -> E [xlabel="4 udp",color="#ff0000"];
E -> D [xlabel="5 udp",color="#0000ff"];
D -> C [xlabel="6 tcp",color="#0000ff"];
C -> B [xlabel="7 ssh",color="#0000ff"];
B -> A [xlabel="8 udp",color="#0000ff"];
</quickgv>
|}
== Lesson 4: Forward HTTP ==
<syntaxhighlight lang="bash">
# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &
ssh -NCfR 1053:127.0.0.1:1053 home
# Step 2. SSH -> SOCKS -> HTTP (Run at office)
ssh -NCfD 127.0.0.1:3128 localhost
ssh -NCfR 3128:127.0.0.1:3128 home
# Step 3. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &
</syntaxhighlight>
<quickgv name="LS4" theme="warm">
rankdir=TB;
newrank=true;
subgraph cluster_home {
  label="Home";
  rank="same";
  A [label="browser https://www.google.com"];
  B [label="sudo socat ... udp4-recvfrom:53 ..."];
}
subgraph cluster_office {
  label="Office";
  subgraph cluster_dns {
    label="DNS";
    C [label="ssh -NCfR 1053: ..."];
    D [label="socat ... tcp4-listen ..."];
    E [label="DNS Server"];
  }
  subgraph cluster_http {
    label="HTTP";
    F [label="ssh -NCfR 3128: ..."];
    G [label="ssh -NCfD ..."];
    H [label="HTTP Server"];
  }
}
// DNS Routing
A -> B [xlabel="1. udp",color="#ff0000",minlen=3];
B -> C [xlabel="2. ssh",color="#ff0000"];
C -> D [xlabel="3. tcp",color="#ff0000"];
D -> E [xlabel="4. udp",color="#ff0000"];
E -> D [xlabel="5. udp",color="#0000ff"];
D -> C [xlabel="6. tcp",color="#0000ff"];
C -> B [xlabel="7. ssh",color="#0000ff"];
B -> A [xlabel="8. udp",color="#0000ff",constraint=false];
// SOCKS Routing
A -> F [xlabel="9. ssh",color="#ff0000"];
F -> G [xlabel="10. socks",color="#ff0000"];
G -> H [xlabel="11. tcp",color="#ff0000"];
H -> G [xlabel="12. tcp",color="#0000ff"];
G -> F [xlabel="13. socks",color="#0000ff"];
F -> A [xlabel="14. ssh",color="#0000ff"];
</quickgv>
== Lesson 5: Improve connection quality ==
=== ~/bin/mksvc.sh ===
Create SOCKS and TCP DNS services.
<syntaxhighlight lang="bash">
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &
ssh -NCf -D 127.0.0.1:3128 localhost
</syntaxhighlight>
=== ~/bin/mktun.sh ===
Make tunnels.
<syntaxhighlight lang="bash">
ssh -NCf \
  -MS revtun.ctrl \
  -R 1053:127.0.0.1:1053 \
  -R 13128:127.0.0.1:3128 \
  home
</syntaxhighlight>
=== ~/bin/rmtun.sh ===
Remove tunnels.
<syntaxhighlight lang="bash">
if [ -e /tmp/revtun.ctrl ]; then
  ssh -S /tmp/revtun.ctrl -O exit home
fi
</syntaxhighlight>


= Share DNS and SOCKS Proxy =
=== ~/.ssh/config ===
== Share SOCKS Proxy ==
Make the ssh connection more reliable.
<source lang="bash">
# Step 1:
ssh -NCfD 3128 localhost


# Step 2:
<syntaxhighlight lang="text" highlight="5-7">
ssh -NCfR 13128:localhost:3128 server
Host                home
Hostname            x.x.x.x
User                user
IdentityFile        ~/.ssh/mykey.pem
TCPKeepAlive        yes
ServerAliveInterval 60
ServerAliveCountMax 3
</syntaxhighlight>


# Step 3:
=== crontab -e ===
ssh -NCfL *:3128:localhost:13128 localhost
Create tunnels during 7:30~09:30, 21:00~22:00 only.
</source>
<syntaxhighlight lang="text">
# 07:30 ~ 09:30
30  07  *  *  *  ~/bin/mktun.sh
30  09  *  *  *   ~/bin/rmtun.sh
# 21:00 ~ 22:00
00  21  *  *  *  ~/bin/mktun.sh
00  22  *  *  *  ~/bin/rmtun.sh
</syntaxhighlight>


== Share DNS ==
=== Homework ===
See: [http://zarb.org/~gc/html/udp-in-ssh-tunneling.html Performing UDP tunneling through an SSH connection]
Do it at home. NAS is a good choice.
<source lang="bash">
<syntaxhighlight lang="bash">
mkfifo /tmp/dns-incoming
sudo socat -d -d -lf socat-dns.log \
nc -l 10053 < /tmp/dns-incoming | nc -u 192.168.1.1 53 > /tmp/dns-incoming &
  udp4-recvfrom:53,bind=*,fork \
ssh -NCfR 10053:localhost:10053 server
  tcp4:127.0.0.1:1053 &


mkfifo /tmp/dns-incoming
sudo socat -d -d -lf socat-socks.log \
sudo nc -u -l 53 < /tmp/dns-incoming | nc localhost 10053 /tmp/dns-incoming &
  tcp4-listen:3128,bind=*,fork \
</source>
  tcp4:127.0.0.1:13128
</syntaxhighlight>
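Review bot: The new Homework block binds both relays to every interface (`udp4-recvfrom:53,bind=*,fork` and `tcp4-listen:3128,bind=*,fork`), so any host that can reach the NAS gets unauthenticated use of the office resolver and of the SOCKS proxy into the office network; every earlier lesson binds to 127.0.0.1. I would bind to the NAS's LAN address and add socat's `range=` option, e.g. `tcp4-listen:3128,bind=<NAS_LAN_IP>,range=<LAN_CIDR>,fork`, and state in the text that the router must not forward these ports. Separately, mktun.sh creates its control socket with a relative path (`-MS revtun.ctrl`) while rmtun.sh tests `/tmp/revtun.ctrl`, so the cron teardown probably never finds the socket unless the script is started from /tmp. The added `ssh -o "StrictHostKeyChecking no"` row also accepts changed host keys; `StrictHostKeyChecking accept-new` matches the row's label without doing that.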

Latest revision as of 08:05, 12 November 2025

Frequently Used Commands

TODO Command
Automatically accept fingerprint.
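# Accept the key of a host seen for the first time without prompting.
# "StrictHostKeyChecking no" would also let the connection proceed when a known
# host's key has CHANGED, which gives up ssh's man-in-the-middle protection.
# "accept-new" (OpenSSH 7.6 and later) still records unknown hosts automatically
# but refuses a host whose recorded key no longer matches.
ssh -o "StrictHostKeyChecking accept-new" ...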
Indirect outgoing for PostgreSQL
# [Private]
# localhost -> localhost:15432
#           -> server:22
#           -> somewhere.com:5432
# -N: run no remote command, -C: compress, -f: go to background, -L: local forward.
# No bind address is given, so the listener follows GatewayPorts (loopback only
# unless that client option was changed).
# Only the hop to `server` is inside ssh; server -> somewhere.com:5432 is a plain
# TCP connection.
ssh -NCfL 15432:somewhere.com:5432 server

# [Shared]
# any -> *:15432
#     -> server:22
#     -> somewhere.com:5432
# NOTE(review): "*" listens on every interface, so any host that can reach this
# machine can connect to somewhere.com:5432 through the tunnel; the database's own
# login is then the only gate. Limit who can reach port 15432 with a firewall, or
# bind to one LAN address instead of "*".
ssh -NCfL *:15432:somewhere.com:5432 server
Indirect outgoing for Web
# [Private]
# localhost -> localhost:3128
#     -> server:22
#     -> *:*
# -D starts a SOCKS proxy on localhost:3128; every proxied connection leaves
# from `server`.
ssh -NCfD localhost:3128 server

# [Shared]
# any -> *:3128
#     -> server:22
#     -> *:*
# NOTE(review): ssh's SOCKS listener has no authentication of its own. Bound to
# "*", it is usable by every host that can reach port 3128 here, and their
# traffic appears to come from `server`. Restrict the port with a firewall or
# bind to a single LAN address.
ssh -NCfD *:3128 server
Share MariaDB in LAN
# Step 1: Listen (Run at LAN)
# Listen server:13306 -> server:22
#                     -> localhost:3306
# -R opens port 13306 on `server` and carries connections back to port 3306 on
# the machine that runs this command. sshd binds such a port to loopback unless
# GatewayPorts is enabled on `server`.
ssh -NCfR 13306:localhost:3306 server

# Step 2: Share (Run at Home/WAN)
# any -> server:3306
#     -> server:13306
#     -> server:22
#     -> localhost:3306
# NOTE(review): "*:3306" re-publishes the loopback port on every interface of
# the machine this runs on. If that machine is reachable from the internet, so
# is the LAN database's login prompt; filter port 3306 to the intended clients.
ssh -NCfL *:3306:localhost:13306 localhost
List tunnels
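# All four commands select processes whose command line contains "ssh -NCf".
# The backslash in the pattern keeps awk's own entry in the ps output (which
# shows "ssh \-NCf") from matching. Tunnels started with the flags written
# differently (e.g. "ssh -N -C -f") are not found.

# List full commands.
ps ax | awk '/ssh \-NCf/ { print $0 }'

# List settings.
ps ax | awk '/ssh \-NCf/ { print $7 }'

# List pids.
ps ax | awk '/ssh \-NCf/ { print $1 }'

# Kill all tunnels.
# `ps ax` lists every user's processes, so run as root this also ends other
# users' tunnels. The guard avoids calling kill with no arguments when nothing
# matches; $pids is left unquoted on purpose so each pid becomes its own argument.
pids=$(ps ax | awk '/ssh \-NCf/ { print $1 }')
[ -n "$pids" ] && kill $pids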
Generate key pair
# Save under the default name (id_rsa, id_rsa.pub when the default key type is
# RSA; NOTE(review): newer OpenSSH releases may default to another type and
# file name — check the prompt).
ssh-keygen
# Save as abc, abc.pub (names come from -f) with an empty passphrase.
# Anyone who can read the private key file can then use the key.
ssh-keygen -f abc -N ''
# Save as abc, abc.pub with a passphrase.
# A passphrase given with -N ends up in shell history and is visible in the
# process list while the command runs; leave -N out to be prompted instead.
# '12345' is only a sample value.
ssh-keygen -f abc -N '12345' 
# Generate ed25519 key
# -C sets the comment stored in the public key (it replaces the default comment).
ssh-keygen -t ed25519 -f sucks.pem
ssh-keygen -t ed25519 -f sucks.pem -C nobody@sucks.com
Generate public key from private key
# Dump
# -y reads the private key named by -f and prints the matching public key.
ssh-keygen -yf thefuck.pem
# Save as file
ssh-keygen -yf thefuck.pem > thefuck.pub
# Save as authorized_keys (while ~/.ssh/authorized_keys didn't exist)
# ">" truncates: if authorized_keys already exists in the current directory,
# every key in it is lost. The file is written to the current directory, not
# necessarily ~/.ssh.
ssh-keygen -yf thefuck.pem > authorized_keys
# Append into authorized_keys
# Every key listed in authorized_keys can log in to the account, so review the
# file after appending.
ssh-keygen -yf thefuck.pem >> authorized_keys

Access resources without VPN

Lesson 1: UDP -> UDP

Command Routing
# Relay DNS: receive UDP datagrams on 127.0.0.1:53 and send each one to
# 8.8.8.8:53. "fork" handles every received packet in its own child process;
# bind=127.0.0.1 keeps the listener reachable from this machine only.
# sudo is needed because 53 is a privileged port. -d -d raises log verbosity.
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53

Lesson 2: UDP -> TCP -> UDP

Command Routing
# First half: UDP 127.0.0.1:53 -> TCP 127.0.0.1:1053.
# Each received datagram opens a TCP connection to the second socat.
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053

# Second half: TCP 127.0.0.1:1053 -> UDP 8.8.8.8:53.
# 1053 is unprivileged, so no sudo. Both listeners are bound to loopback, so
# only local processes can use the relay.
socat -d -d \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53

Lesson 3: UDP -> SSH -> TCP -> UDP

Command Routing
# Step 1. SSH -> TCP -> UDP (Run at Office)
# socat turns TCP connections on 127.0.0.1:1053 into UDP queries to the resolver
# at 192.168.1.1:53 and logs to ./socat.log.
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

# -R opens port 1053 on `home` (loopback unless sshd on `home` enables
# GatewayPorts) and carries connections back to 127.0.0.1:1053 here.
# While it is up, any local process on `home` can query the office resolver.
ssh -NCfR 1053:127.0.0.1:1053 home

# Step 2. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
# Local UDP 53 (privileged, hence sudo) is relayed into the tunnel's TCP port.
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &

Lesson 4: Forward HTTP

# Step 1. SSH -> TCP -> UDP (Run at Office)
# TCP 127.0.0.1:1053 -> UDP 192.168.1.1:53, then published on `home` port 1053.
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

ssh -NCfR 1053:127.0.0.1:1053 home

# Step 2. SSH -> SOCKS -> HTTP (Run at office)
# The first command sshes to this same machine to get a SOCKS proxy on
# 127.0.0.1:3128, so proxied connections originate from the office host.
# The second publishes that proxy on port 3128 of `home`.
# NOTE(review): the SOCKS listener has no authentication; every local user on
# `home` can reach the office network through it while the tunnel is up.
ssh -NCfD 127.0.0.1:3128 localhost
ssh -NCfR 3128:127.0.0.1:3128 home

# Step 3. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
# Local UDP 53 (privileged, hence sudo) -> tunnel port 1053.
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &

Lesson 5: Improve connection quality

~/bin/mksvc.sh

Create SOCKS and TCP DNS services.

# TCP DNS service: TCP 127.0.0.1:1053 -> UDP 192.168.1.1:53, run in the
# background and logging to socat.log in the current directory.
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

# SOCKS service: ssh to this same machine with -D, giving a proxy on
# 127.0.0.1:3128. Both services listen on loopback only; they become reachable
# from elsewhere only through the reverse forwards made by mktun.sh.
ssh -NCf -D 127.0.0.1:3128 localhost

~/bin/mktun.sh

Make tunnels.

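# Open one backgrounded master connection to `home` carrying both reverse forwards:
#   home:1053  -> 127.0.0.1:1053 here (TCP DNS relay from mksvc.sh)
#   home:13128 -> 127.0.0.1:3128 here (SOCKS proxy from mksvc.sh)
# -M makes this the control master and -S names its control socket. The path is
# absolute and is the one rmtun.sh tests; a relative "revtun.ctrl" is created in
# whatever directory the script starts from (under cron usually $HOME), where
# rmtun.sh would not find it and the tunnel would never be torn down.
# NOTE(review): /tmp is shared by all local users; a socket under ~/.ssh (changed
# in rmtun.sh as well) sits in a directory only the owner can write.
ssh -NCf \
  -MS /tmp/revtun.ctrl \
  -R 1053:127.0.0.1:1053 \
  -R 13128:127.0.0.1:3128 \
  home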

~/bin/rmtun.sh

Remove tunnels.

# Tear the tunnels down: when the control socket path exists, ask the master
# ssh process behind it to exit, which closes its forwards as well.
ctl=/tmp/revtun.ctrl
if test -e "$ctl"; then
  ssh -S "$ctl" -O exit home
fi

~/.ssh/config

Make the ssh connection more reliable.

# Settings used whenever `home` is given as the ssh destination.
Host                home
Hostname            x.x.x.x
User                user
# Private key offered to the server; keep the file readable by its owner only.
# NOTE(review): the cron-driven scripts run unattended, so this key presumably
# has no passphrase — on `home`, limit what it may do in authorized_keys.
IdentityFile        ~/.ssh/mykey.pem
# TCP-level keepalives (this is already the OpenSSH default).
TCPKeepAlive        yes
# Send a probe through the encrypted channel after 60 s of silence and drop the
# session after 3 unanswered probes (about 3 minutes), so a dead tunnel exits
# instead of hanging.
ServerAliveInterval 60
ServerAliveCountMax 3

crontab -e

Create tunnels during 7:30~09:30, 21:00~22:00 only.

# Fields: minute  hour  day-of-month  month  day-of-week  command.
# The tunnels exist only inside the two windows below, which limits how long
# the reverse forwards are open on `home`. This relies on rmtun.sh finding the
# control socket that mktun.sh created.
# 07:30 ~ 09:30
30   07   *   *   *   ~/bin/mktun.sh
30   09   *   *   *   ~/bin/rmtun.sh
# 21:00 ~ 22:00
00   21   *   *   *   ~/bin/mktun.sh
00   22   *   *   *   ~/bin/rmtun.sh

Homework

Run these on a machine at home; a NAS is a good choice.

# DNS for the home LAN: UDP 53 on this host -> 127.0.0.1:1053, the port that
# mktun.sh reverse-forwards to the office DNS relay.
# NOTE(review): bind=* is meant to listen on every interface — confirm socat
# accepts "*" here (leaving bind= out also listens on all addresses). Any host
# that can reach port 53 on this machine can then query the office resolver.
# Binding to the LAN address and adding socat's range= option limits the clients.
sudo socat -d -d -lf socat-dns.log \
  udp4-recvfrom:53,bind=*,fork \
  tcp4:127.0.0.1:1053 &

# SOCKS for the home LAN: TCP 3128 on this host -> 127.0.0.1:13128, the port
# that mktun.sh reverse-forwards to the office SOCKS proxy.
# NOTE(review): the proxy has no authentication, so every host that can reach
# port 3128 here gets a path into the office network while the tunnel is up.
# Keep the port off the router's port-forwarding list and restrict it to the
# intended LAN clients (bind to the LAN address, range=, or a firewall rule).
sudo socat -d -d -lf socat-socks.log \
  tcp4-listen:3128,bind=*,fork \
  tcp4:127.0.0.1:13128