Useful Commands/Security: Difference between revisions

From Fundamental Ramen
Jump to navigation Jump to search
 
(40 intermediate revisions by the same user not shown)
Line 2: Line 2:
{| class="wikitable"
{| class="wikitable"
! TODO || Command
! TODO || Command
|-
| Automatically accept fingerprint. ||
<syntaxhighlight lang="bash">
ssh -o "StrictHostKeyChecking no" ...
</syntaxhighlight>
|-
|-
| Indirect outgoing for PostgreSQL ||
| Indirect outgoing for PostgreSQL ||
<source lang="bash">
<syntaxhighlight lang="bash">
# [Private]
# [Private]
# localhost -> localhost:15432
# localhost -> localhost:15432
Line 16: Line 21:
#    -> somewhere.com:5432
#    -> somewhere.com:5432
ssh -NCfL *:15432:somewhere.com:5432 server
ssh -NCfL *:15432:somewhere.com:5432 server
</source>
</syntaxhighlight>
|-
|-
| Indirect outgoing for Web ||
| Indirect outgoing for Web ||
<source lang="bash">
<syntaxhighlight lang="bash">
# [Private]
# [Private]
# localhost -> localhost:3128
# localhost -> localhost:3128
Line 31: Line 36:
#    -> *:*
#    -> *:*
ssh -NCfD *:3128 server
ssh -NCfD *:3128 server
</source>
</syntaxhighlight>
|-
|-
| Share MariaDB in LAN ||
| Share MariaDB in LAN ||
<source lang="bash">
<syntaxhighlight lang="bash">
# Step 1: Listen (Run at LAN)
# Step 1: Listen (Run at LAN)
# Listen server:13306 -> server:22
# Listen server:13306 -> server:22
Line 46: Line 51:
#    -> localhost:3306
#    -> localhost:3306
ssh -NCfL *:3306:localhost:13306 localhost
ssh -NCfL *:3306:localhost:13306 localhost
</source>
</syntaxhighlight>
|-
|-
| List tunnels ||
| List tunnels ||
<source lang="bash">
<syntaxhighlight lang="bash">
# List full commands.
# List full commands.
ps ax | awk '/ssh \-NCf/ { print $0 }'
ps ax | awk '/ssh \-NCf/ { print $0 }'
Line 61: Line 66:
# Kill all tunnels.
# Kill all tunnels.
kill $(ps ax | awk '/ssh \-NCf/ { print $1 }')
kill $(ps ax | awk '/ssh \-NCf/ { print $1 }')
</source>
</syntaxhighlight>
|-
|-
| Generate key pair ||
| Generate key pair ||
<source lang="bash">
<syntaxhighlight lang="bash">
# Save as default name id_rsa, id_rsa.pub
# Save as default name id_rsa, id_rsa.pub
ssh-keygen
ssh-keygen
Line 71: Line 76:
# Save as thefuck, thefuck.pub with password  
# Save as thefuck, thefuck.pub with password  
ssh-keygen -f abc -N '12345'  
ssh-keygen -f abc -N '12345'  
</source>
# Generate ed25519 key
ssh-keygen -t ed25519 -f sucks.pem
ssh-keygen -t ed25519 -f sucks.pem -C nobody@sucks.com
</syntaxhighlight>
|-
|-
| Generate public key from private key ||
| Generate public key from private key ||
<source lang="bash">
<syntaxhighlight lang="bash">
# Dump
# Dump
ssh-keygen -yf thefuck.pem
ssh-keygen -yf thefuck.pem
Line 83: Line 91:
# Append into authorized_keys
# Append into authorized_keys
ssh-keygen -yf thefuck.pem >> authorized_keys
ssh-keygen -yf thefuck.pem >> authorized_keys
</source>
</syntaxhighlight>
|}
|}


Line 92: Line 100:
|-
|-
| valign="top" |
| valign="top" |
<source lang="bash">
<syntaxhighlight lang="bash">
sudo socat -d -d \
sudo socat -d -d \
   udp4-recvfrom:53,bind=127.0.0.1,fork \
   udp4-recvfrom:53,bind=127.0.0.1,fork \
   udp4-sendto:8.8.8.8:53
   udp4-sendto:8.8.8.8:53
</source>
</syntaxhighlight>
|
|
<quickgv name="LS1" theme="warm">
<quickgv name="LS1" theme="warm">
Line 121: Line 129:
|-
|-
| valign="top" |
| valign="top" |
<source lang="bash">
<syntaxhighlight lang="bash">
sudo socat -d -d \
sudo socat -d -d \
   udp4-recvfrom:53,bind=127.0.0.1,fork \
   udp4-recvfrom:53,bind=127.0.0.1,fork \
Line 129: Line 137:
   tcp4-listen:1053,bind=127.0.0.1,fork \
   tcp4-listen:1053,bind=127.0.0.1,fork \
   udp4-sendto:8.8.8.8:53
   udp4-sendto:8.8.8.8:53
</source>
</syntaxhighlight>
|
|
<quickgv name="LS2" theme="warm">
<quickgv name="LS2" theme="warm">
Line 156: Line 164:
|-
|-
| valign="top" |
| valign="top" |
<source lang="bash">
<syntaxhighlight lang="bash">
# Step 1. SSH -> TCP -> UDP (Run at Office)
# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
socat -d -d -lf socat.log \
Line 168: Line 176:
   udp4-recvfrom:53,bind=127.0.0.1,fork \
   udp4-recvfrom:53,bind=127.0.0.1,fork \
   tcp4:127.0.0.1:1053 &
   tcp4:127.0.0.1:1053 &
</source>
</syntaxhighlight>
|
|
<quickgv name="LS3" theme="warm">
<quickgv name="LS3" theme="warm">
Line 198: Line 206:


== Lesson 4: Forward HTTP ==
== Lesson 4: Forward HTTP ==
<source lang="bash">
<syntaxhighlight lang="bash">
# Step 1. SSH -> TCP -> UDP (Run at Office)
# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
socat -d -d -lf socat.log \
Line 214: Line 222:
   udp4-recvfrom:53,bind=127.0.0.1,fork \
   udp4-recvfrom:53,bind=127.0.0.1,fork \
   tcp4:127.0.0.1:1053 &
   tcp4:127.0.0.1:1053 &
</source>
</syntaxhighlight>


<quickgv name="LS4" theme="warm">
<quickgv name="LS4" theme="warm">
rankdir=TB;
rankdir=TB;
newrank=true;
subgraph cluster_home {
subgraph cluster_home {
   label="Home";
   label="Home";
  rank="same";
   A [label="browser https://www.google.com"];
   A [label="browser https://www.google.com"];
   B [label="sudo socat ... udp4-recvfrom:53 ..."];
   B [label="sudo socat ... udp4-recvfrom:53 ..."];
Line 241: Line 252:


// DNS Routing
// DNS Routing
A -> B [xlabel="1. udp",color="#ff0000",constraint=false];
A -> B [xlabel="1. udp",color="#ff0000",minlen=3];
B -> C [xlabel="2. ssh",color="#ff0000"];
B -> C [xlabel="2. ssh",color="#ff0000"];
C -> D [xlabel="3. tcp",color="#ff0000"];
C -> D [xlabel="3. tcp",color="#ff0000"];
Line 249: Line 260:
C -> B [xlabel="7. ssh",color="#0000ff"];
C -> B [xlabel="7. ssh",color="#0000ff"];
B -> A [xlabel="8. udp",color="#0000ff",constraint=false];
B -> A [xlabel="8. udp",color="#0000ff",constraint=false];


// SOCKS Routing
// SOCKS Routing
Line 259: Line 269:
F -> A [xlabel="14. ssh",color="#0000ff"];
F -> A [xlabel="14. ssh",color="#0000ff"];
</quickgv>
</quickgv>
== Lesson 5: Improve connection quality ==
=== ~/bin/mksvc.sh ===
Create SOCKS and TCP DNS services.
<syntaxhighlight lang="bash">
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &
ssh -NCf -D 127.0.0.1:3128 localhost
</syntaxhighlight>
=== ~/bin/mktun.sh ===
Make tunnels.
<syntaxhighlight lang="bash">
ssh -NCf \
  -MS revtun.ctrl \
  -R 1053:127.0.0.1:1053 \
  -R 13128:127.0.0.1:3128 \
  home
</syntaxhighlight>
=== ~/bin/rmtun.sh ===
Remove tunnels.
<syntaxhighlight lang="bash">
if [ -e /tmp/revtun.ctrl ]; then
  ssh -S /tmp/revtun.ctrl -O exit home
fi
</syntaxhighlight>
=== ~/.ssh/config ===
Make the ssh connection more reliable.
<syntaxhighlight lang="text" highlight="5-7">
Host                home
Hostname            x.x.x.x
User                user
IdentityFile        ~/.ssh/mykey.pem
TCPKeepAlive        yes
ServerAliveInterval 60
ServerAliveCountMax 3
</syntaxhighlight>
=== crontab -e ===
Create tunnels during 7:30~09:30, 21:00~22:00 only.
<syntaxhighlight lang="text">
# 07:30 ~ 09:30
30  07  *  *  *  ~/bin/mktun.sh
30  09  *  *  *  ~/bin/rmtun.sh
# 21:00 ~ 22:00
00  21  *  *  *  ~/bin/mktun.sh
00  22  *  *  *  ~/bin/rmtun.sh
</syntaxhighlight>
=== Homework ===
Do it at home. NAS is a good choice.
<syntaxhighlight lang="bash">
sudo socat -d -d -lf socat-dns.log \
  udp4-recvfrom:53,bind=*,fork \
  tcp4:127.0.0.1:1053 &
sudo socat -d -d -lf socat-socks.log \
  tcp4-listen:3128,bind=*,fork \
  tcp4:127.0.0.1:13128
</syntaxhighlight>

Latest revision as of 08:05, 12 November 2025

Frequently Used Commands

TODO Command
Automatically accept fingerprint. 
ssh -o "StrictHostKeyChecking no" ...
Indirect outgoing for PostgreSQL 
# [Private]
# localhost -> localhost:15432
#           -> server:22
#           -> somewhere.com:5432
ssh -NCfL 15432:somewhere.com:5432 server

# [Shared]
# any -> *:15432
#     -> server:22
#     -> somewhere.com:5432
ssh -NCfL *:15432:somewhere.com:5432 server
Indirect outgoing for Web 
# [Private]
# localhost -> localhost:3128
#     -> server:22
#     -> *:*
ssh -NCfD localhost:3128 server

# [Shared]
# any -> *:3128
#     -> server:22
#     -> *:*
ssh -NCfD *:3128 server
Share MariaDB in LAN 
# Step 1: Listen (Run at LAN)
# Listen server:13306 -> server:22
#                     -> localhost:3306
ssh -NCfR 13306:localhost:3306 server

# Step 2: Share (Run at Home/WAN)
# any -> server:3306
#     -> server:13306
#     -> server:22
#     -> localhost:3306
ssh -NCfL *:3306:localhost:13306 localhost
List tunnels 
# List full commands.
ps ax | awk '/ssh \-NCf/ { print $0 }'

# List settings.
ps ax | awk '/ssh \-NCf/ { print $7 }'

# List pids.
ps ax | awk '/ssh \-NCf/ { print $1 }'

# Kill all tunnels.
kill $(ps ax | awk '/ssh \-NCf/ { print $1 }')
Generate key pair 
# Save as default name id_rsa, id_rsa.pub
ssh-keygen
# Save as thefuck, thefuck.pub without password
ssh-keygen -f abc -N ''
# Save as thefuck, thefuck.pub with password 
ssh-keygen -f abc -N '12345' 
# Generate ed25519 key
ssh-keygen -t ed25519 -f sucks.pem
ssh-keygen -t ed25519 -f sucks.pem -C nobody@sucks.com
Generate public key from private key 
# Dump
ssh-keygen -yf thefuck.pem
# Save as file
ssh-keygen -yf thefuck.pem > thefuck.pub
# Save as authorized_keys (while ~/.ssh/authorized_keys didn't exist)
ssh-keygen -yf thefuck.pem > authorized_keys
# Append into authorized_keys
ssh-keygen -yf thefuck.pem >> authorized_keys

Access resources without VPN

Lesson 1: UDP -> UDP

Command Routing 
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53

Lesson 2: UDP -> TCP -> UDP

Command Routing 
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053

socat -d -d \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53

Lesson 3: UDP -> SSH -> TCP -> UDP

Command Routing 
# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

ssh -NCfR 1053:127.0.0.1:1053 home

# Step 2. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &

Lesson 4: Forward HTTP

# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

ssh -NCfR 1053:127.0.0.1:1053 home

# Step 2. SSH -> SOCKS -> HTTP (Run at office)
ssh -NCfD 127.0.0.1:3128 localhost
ssh -NCfR 3128:127.0.0.1:3128 home

# Step 3. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &

Lesson 5: Improve connection quality

~/bin/mksvc.sh

Create SOCKS and TCP DNS services. 

socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

ssh -NCf -D 127.0.0.1:3128 localhost

~/bin/mktun.sh

Make tunnels. 

ssh -NCf \
  -MS revtun.ctrl \
  -R 1053:127.0.0.1:1053 \
  -R 13128:127.0.0.1:3128 \
  home

~/bin/rmtun.sh

Remove tunnels. 

if [ -e /tmp/revtun.ctrl ]; then
  ssh -S /tmp/revtun.ctrl -O exit home
fi

~/.ssh/config

Make the ssh connection more reliable. 

Host                home
Hostname            x.x.x.x
User                user
IdentityFile        ~/.ssh/mykey.pem
TCPKeepAlive        yes
ServerAliveInterval 60
ServerAliveCountMax 3

crontab -e

Create tunnels during 7:30~09:30, 21:00~22:00 only. 

# 07:30 ~ 09:30
30   07   *   *   *   ~/bin/mktun.sh
30   09   *   *   *   ~/bin/rmtun.sh
# 21:00 ~ 22:00
00   21   *   *   *   ~/bin/mktun.sh
00   22   *   *   *   ~/bin/rmtun.sh

Homework

Do it at home. NAS is a good choice. 

sudo socat -d -d -lf socat-dns.log \
  udp4-recvfrom:53,bind=*,fork \
  tcp4:127.0.0.1:1053 &

sudo socat -d -d -lf socat-socks.log \
  tcp4-listen:3128,bind=*,fork \
  tcp4:127.0.0.1:13128
Retrieved from "https://wiki.fundamental-ramen.com/index.php?title=Useful_Commands/Security&oldid=2185"