Useful Commands/Security: Difference between revisions

From Fundamental Ramen
Jump to navigation Jump to search
No edit summary
 
(192 intermediate revisions by the same user not shown)
Line 1: Line 1:
= Frequently Used Commands =
{| class="wikitable"
{| class="wikitable"
! 情境 || 指令
! TODO || Command
|-
|-
| 從裡面間接出去 ||
| Automatically accept fingerprint. ||
any -> localhost:8888 -> server:22 -> somewhere.com:80
<syntaxhighlight lang="bash">
<source lang="bash">
ssh -o "StrictHostKeyChecking no" ...
ssh -NCfL *:8888:somewhere.com:80 server
</syntaxhighlight>
</source>
|-
|-
| 讓外面間接進來 ||
| Indirect outgoing for PostgreSQL ||
效果會因為 sshd_config 的 GatewayPorts 而有差異
<syntaxhighlight lang="bash">
<source lang="text">
# [Private]
[GatewayPorts no]:  bind 127.0.0.1 (預設)
# localhost -> localhost:15432
home-nas -> home-nas:60080 -> home-nas:22 -> office-pc:## -> 192.168.1.100:80
#          -> server:22
[GatewayPorts yes]: bind 0.0.0.0
#          -> somewhere.com:5432
    Any -> home-nas:60080 -> home-nas:22 -> office-pc:## -> 192.168.1.100:80
ssh -NCfL 15432:somewhere.com:5432 server
</source>
 
在 office-pc 執行這指令
# [Shared]
<source lang="bash">
# any -> *:15432
ssh -NCfR 60080:192.168.1.100:80 home-nas
#    -> server:22
</source>
#     -> somewhere.com:5432
如果 GatewayPorts no 可以在回家時加上正向穿隧進行兩段穿隧
ssh -NCfL *:15432:somewhere.com:5432 server
<source lang="bash">
</syntaxhighlight>
ssh -NCfL 61180:localhost:60080 home-nas
</source>
如果搭配 autossh 會更好用
<source lang="bash">
autossh -M 11119 -NCfR 60080:192.168.1.100:80 home-nas
</source>
|-
|-
| SOCKS Relay Proxy ||
| Indirect outgoing for Web ||
Any -> localhost:3128 -> server:22 -> *:*
<syntaxhighlight lang="bash">
<source lang="bash">
# [Private]
# localhost -> localhost:3128
#    -> server:22
#    -> *:*
ssh -NCfD localhost:3128 server
 
# [Shared]
# any -> *:3128
#    -> server:22
#    -> *:*
ssh -NCfD *:3128 server
ssh -NCfD *:3128 server
</source>
</syntaxhighlight>
[[Image:proxy-with-socks.png|250px|border]]
|-
|-
| 顯示已開啟的 Tunnel ||
| Share MariaDB in LAN ||
<source lang="bash">
<syntaxhighlight lang="bash">
ps ax | awk '/ssh \-NCf/ { print $0 }' # 看完整指令
# Step 1: Listen (Run at LAN)
ps ax | awk '/ssh \-NCf/ { print $1 }' # 看 pid
# Listen server:13306 -> server:22
ps ax | awk '/ssh \-NCf/ { print $7 }' # 看 port
#                     -> localhost:3306
ps ax | grep 'ssh \-NCf'
ssh -NCfR 13306:localhost:3306 server
</source>
 
# Step 2: Share (Run at Home/WAN)
# any -> server:3306
#    -> server:13306
#    -> server:22
#     -> localhost:3306
ssh -NCfL *:3306:localhost:13306 localhost
</syntaxhighlight>
|-
|-
| 產生 OpenSSH 金鑰 ||
| List tunnels ||
<source lang="bash">
<syntaxhighlight lang="bash">
cd ~/.ssh
# List full commands.
ssh-keygen -N '' -f ~/.ssh/palmce
ps ax | awk '/ssh \-NCf/ { print $0 }'
mv palmce palmce.pem
 
scp palmce.pub user@hostname:~
# List settings.
</source>
ps ax | awk '/ssh \-NCf/ { print $7 }'
 
# List pids.
ps ax | awk '/ssh \-NCf/ { print $1 }'
 
# Kill all tunnels.
kill $(ps ax | awk '/ssh \-NCf/ { print $1 }')
</syntaxhighlight>
|-
|-
| 以私鑰連線到伺服器的 Security Shell 服務 || <source lang="bash">ssh -i 私鑰 帳號@主機</source>
| Generate key pair ||
<syntaxhighlight lang="bash">
# Save as default name id_rsa, id_rsa.pub
ssh-keygen
# Save as thefuck, thefuck.pub without password
ssh-keygen -f abc -N ''
# Save as thefuck, thefuck.pub with password
ssh-keygen -f abc -N '12345'
# Generate ed25519 key
ssh-keygen -t ed25519 -f sucks.pem
ssh-keygen -t ed25519 -f sucks.pem -C nobody@sucks.com
</syntaxhighlight>
|-
|-
| 產生 RSA 公私鑰 ||
| Generate public key from private key ||
<source lang="bash">
<syntaxhighlight lang="bash">
ssh-keygen # 單純產生公私鑰,會問檔名和密碼
# Dump
ssh-keygen -f abc -N '' # 指定檔名產生公私鑰,無密碼
ssh-keygen -yf thefuck.pem
ssh-keygen -f abc -N '12345' # 指定檔名指定密碼產生公私鑰
# Save as file
</source>
ssh-keygen -yf thefuck.pem > thefuck.pub
# Save as authorized_keys (while ~/.ssh/authorized_keys didn't exist)
ssh-keygen -yf thefuck.pem > authorized_keys
# Append into authorized_keys
ssh-keygen -yf thefuck.pem >> authorized_keys
</syntaxhighlight>
|}
 
= Access resources without VPN =
== Lesson 1: UDP -> UDP ==
{| class="wikitable"
! Command || Routing
|-
| valign="top" |
<syntaxhighlight lang="bash">
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53
</syntaxhighlight>
|
<quickgv name="LS1" theme="warm">
rankdir=TB;
 
subgraph cluster_office {
  label="Office";
 
  A [label="nslookup www.google.com 127.0.0.1"];
  B [label="sudo socat -d -d ..."];
  C [label="DNS Server"];
 
  A -> B [xlabel="1. udp",color="#ff0000"];
  B -> C [xlabel="2. udp",color="#ff0000"];
  C -> B [xlabel="3. udp",color="#0000ff"];
  B -> A [xlabel="4. udp",color="#0000ff"];
}
</quickgv>
|}
 
== Lesson 2: UDP -> TCP -> UDP ==
{| class="wikitable"
! Command || Routing
|-
| valign="top" |
<syntaxhighlight lang="bash">
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053
 
socat -d -d \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53
</syntaxhighlight>
|
<quickgv name="LS2" theme="warm">
rankdir=TB;
subgraph cluster_office {
  label="Office";
 
  A [label="nslookup www.google.com 127.0.0.1"];
  B [label="sudo socat -d -d udp4-recvfrom:53 ..."];
  C [label="socat -d -d tcp4-listen ..."];
  D [label="DNS Server"];
 
  A -> B [xlabel="1. udp",color="#ff0000"];
  B -> C [xlabel="2. tcp",color="#ff0000"];
  C -> D [xlabel="3. udp",color="#ff0000"];
  D -> C [xlabel="4. udp",color="#0000ff"];
  C -> B [xlabel="5. tcp",color="#0000ff"];
  B -> A [xlabel="6. udp",color="#0000ff"];
}
</quickgv>
|}
 
== Lesson 3: UDP -> SSH -> TCP -> UDP ==
{| class="wikitable"
! Command || Routing
|-
|-
| 讀取私鑰轉出公鑰 ||
| valign="top" |
<source lang="bash">
<syntaxhighlight lang="bash">
ssh-keygen -yf 私鑰 # 單純私鑰轉公鑰
# Step 1. SSH -> TCP -> UDP (Run at Office)
ssh-keygen -yf 私鑰 > authorized_keys # 首次加入 ssh 授權清單
socat -d -d -lf socat.log \
ssh-keygen -yf 私鑰 >> authorized_keys # 第N次加入 ssh 授權清單
  tcp4-listen:1053,bind=127.0.0.1,fork \
</source>
  udp4-sendto:192.168.1.1:53 &
 
ssh -NCfR 1053:127.0.0.1:1053 home
 
# Step 2. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &
</syntaxhighlight>
|
<quickgv name="LS3" theme="warm">
rankdir=TB;
 
subgraph cluster_home {
  label="Home";
  A [label="nslookup www.google.com 127.0.0.1"];
  B [label="sudo socat ... udp4-recvfrom:53 ..."];
}
 
subgraph cluster_office {
  label="Office";
  C [label="ssh -NCfR ..."];
  D [label="socat ... tcp4-listen ..."];
  E [label="DNS Server"];
}
 
A -> B [xlabel="1 udp",color="#ff0000"];
B -> C [xlabel="2 ssh",color="#ff0000"];
C -> D [xlabel="3 tcp",color="#ff0000"];
D -> E [xlabel="4 udp",color="#ff0000"];
E -> D [xlabel="5 udp",color="#0000ff"];
D -> C [xlabel="6 tcp",color="#0000ff"];
C -> B [xlabel="7 ssh",color="#0000ff"];
B -> A [xlabel="8 udp",color="#0000ff"];
</quickgv>
|}
|}
== Lesson 4: Forward HTTP ==
<syntaxhighlight lang="bash">
# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &
ssh -NCfR 1053:127.0.0.1:1053 home
# Step 2. SSH -> SOCKS -> HTTP (Run at office)
ssh -NCfD 127.0.0.1:3128 localhost
ssh -NCfR 3128:127.0.0.1:3128 home
# Step 3. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &
</syntaxhighlight>
<quickgv name="LS4" theme="warm">
rankdir=TB;
newrank=true;
subgraph cluster_home {
  label="Home";
  rank="same";
  A [label="browser https://www.google.com"];
  B [label="sudo socat ... udp4-recvfrom:53 ..."];
}
subgraph cluster_office {
  label="Office";
  subgraph cluster_dns {
    label="DNS";
    C [label="ssh -NCfR 1053: ..."];
    D [label="socat ... tcp4-listen ..."];
    E [label="DNS Server"];
  }
  subgraph cluster_http {
    label="HTTP";
    F [label="ssh -NCfR 3128: ..."];
    G [label="ssh -NCfD ..."];
    H [label="HTTP Server"];
  }
}
// DNS Routing
A -> B [xlabel="1. udp",color="#ff0000",minlen=3];
B -> C [xlabel="2. ssh",color="#ff0000"];
C -> D [xlabel="3. tcp",color="#ff0000"];
D -> E [xlabel="4. udp",color="#ff0000"];
E -> D [xlabel="5. udp",color="#0000ff"];
D -> C [xlabel="6. tcp",color="#0000ff"];
C -> B [xlabel="7. ssh",color="#0000ff"];
B -> A [xlabel="8. udp",color="#0000ff",constraint=false];
// SOCKS Routing
A -> F [xlabel="9. ssh",color="#ff0000"];
F -> G [xlabel="10. socks",color="#ff0000"];
G -> H [xlabel="11. tcp",color="#ff0000"];
H -> G [xlabel="12. tcp",color="#0000ff"];
G -> F [xlabel="13. socks",color="#0000ff"];
F -> A [xlabel="14. ssh",color="#0000ff"];
</quickgv>
== Lesson 5: Improve connection quality ==
=== ~/bin/mksvc.sh ===
Create SOCKS and TCP DNS services.
<syntaxhighlight lang="bash">
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &
ssh -NCf -D 127.0.0.1:3128 localhost
</syntaxhighlight>
=== ~/bin/mktun.sh ===
Make tunnels.
<syntaxhighlight lang="bash">
ssh -NCf \
  -MS revtun.ctrl \
  -R 1053:127.0.0.1:1053 \
  -R 13128:127.0.0.1:3128 \
  home
</syntaxhighlight>
=== ~/bin/rmtun.sh ===
Remove tunnels.
<syntaxhighlight lang="bash">
if [ -e /tmp/revtun.ctrl ]; then
  ssh -S /tmp/revtun.ctrl -O exit home
fi
</syntaxhighlight>
=== ~/.ssh/config ===
Make the ssh connection more reliable.
<syntaxhighlight lang="text" highlight="5-7">
Host                home
Hostname            x.x.x.x
User                user
IdentityFile        ~/.ssh/mykey.pem
TCPKeepAlive        yes
ServerAliveInterval 60
ServerAliveCountMax 3
</syntaxhighlight>
=== crontab -e ===
Create tunnels during 7:30~09:30, 21:00~22:00 only.
<syntaxhighlight lang="text">
# 07:30 ~ 09:30
30  07  *  *  *  ~/bin/mktun.sh
30  09  *  *  *  ~/bin/rmtun.sh
# 21:00 ~ 22:00
00  21  *  *  *  ~/bin/mktun.sh
00  22  *  *  *  ~/bin/rmtun.sh
</syntaxhighlight>
=== Homework ===
Do it at home. NAS is a good choice.
<syntaxhighlight lang="bash">
sudo socat -d -d -lf socat-dns.log \
  udp4-recvfrom:53,bind=*,fork \
  tcp4:127.0.0.1:1053 &
sudo socat -d -d -lf socat-socks.log \
  tcp4-listen:3128,bind=*,fork \
  tcp4:127.0.0.1:13128
</syntaxhighlight>

Latest revision as of 08:05, 12 November 2025

Frequently Used Commands

TODO Command
Automatically accept fingerprint. 
ssh -o "StrictHostKeyChecking no" ...
Indirect outgoing for PostgreSQL 
# [Private]
# localhost -> localhost:15432
#           -> server:22
#           -> somewhere.com:5432
ssh -NCfL 15432:somewhere.com:5432 server

# [Shared]
# any -> *:15432
#     -> server:22
#     -> somewhere.com:5432
ssh -NCfL *:15432:somewhere.com:5432 server
Indirect outgoing for Web 
# [Private]
# localhost -> localhost:3128
#     -> server:22
#     -> *:*
ssh -NCfD localhost:3128 server

# [Shared]
# any -> *:3128
#     -> server:22
#     -> *:*
ssh -NCfD *:3128 server
Share MariaDB in LAN 
# Step 1: Listen (Run at LAN)
# Listen server:13306 -> server:22
#                     -> localhost:3306
ssh -NCfR 13306:localhost:3306 server

# Step 2: Share (Run at Home/WAN)
# any -> server:3306
#     -> server:13306
#     -> server:22
#     -> localhost:3306
ssh -NCfL *:3306:localhost:13306 localhost
List tunnels 
# List full commands.
ps ax | awk '/ssh \-NCf/ { print $0 }'

# List settings.
ps ax | awk '/ssh \-NCf/ { print $7 }'

# List pids.
ps ax | awk '/ssh \-NCf/ { print $1 }'

# Kill all tunnels.
kill $(ps ax | awk '/ssh \-NCf/ { print $1 }')
Generate key pair 
# Save as default name id_rsa, id_rsa.pub
ssh-keygen
# Save as thefuck, thefuck.pub without password
ssh-keygen -f abc -N ''
# Save as thefuck, thefuck.pub with password 
ssh-keygen -f abc -N '12345' 
# Generate ed25519 key
ssh-keygen -t ed25519 -f sucks.pem
ssh-keygen -t ed25519 -f sucks.pem -C nobody@sucks.com
Generate public key from private key 
# Dump
ssh-keygen -yf thefuck.pem
# Save as file
ssh-keygen -yf thefuck.pem > thefuck.pub
# Save as authorized_keys (while ~/.ssh/authorized_keys didn't exist)
ssh-keygen -yf thefuck.pem > authorized_keys
# Append into authorized_keys
ssh-keygen -yf thefuck.pem >> authorized_keys

Access resources without VPN

Lesson 1: UDP -> UDP

Command Routing 
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53

Lesson 2: UDP -> TCP -> UDP

Command Routing 
sudo socat -d -d \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053

socat -d -d \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:8.8.8.8:53

Lesson 3: UDP -> SSH -> TCP -> UDP

Command Routing 
# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

ssh -NCfR 1053:127.0.0.1:1053 home

# Step 2. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &

Lesson 4: Forward HTTP

# Step 1. SSH -> TCP -> UDP (Run at Office)
socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

ssh -NCfR 1053:127.0.0.1:1053 home

# Step 2. SSH -> SOCKS -> HTTP (Run at office)
ssh -NCfD 127.0.0.1:3128 localhost
ssh -NCfR 3128:127.0.0.1:3128 home

# Step 3. UDP -> TCP -> SSH -> TCP -> UDP (Run at Home)
sudo socat -d -d -lf socat.log \
  udp4-recvfrom:53,bind=127.0.0.1,fork \
  tcp4:127.0.0.1:1053 &

Lesson 5: Improve connection quality

~/bin/mksvc.sh

Create SOCKS and TCP DNS services. 

socat -d -d -lf socat.log \
  tcp4-listen:1053,bind=127.0.0.1,fork \
  udp4-sendto:192.168.1.1:53 &

ssh -NCf -D 127.0.0.1:3128 localhost

~/bin/mktun.sh

Make tunnels. 

ssh -NCf \
  -MS revtun.ctrl \
  -R 1053:127.0.0.1:1053 \
  -R 13128:127.0.0.1:3128 \
  home

~/bin/rmtun.sh

Remove tunnels. 

if [ -e /tmp/revtun.ctrl ]; then
  ssh -S /tmp/revtun.ctrl -O exit home
fi

~/.ssh/config

Make the ssh connection more reliable. 

Host                home
Hostname            x.x.x.x
User                user
IdentityFile        ~/.ssh/mykey.pem
TCPKeepAlive        yes
ServerAliveInterval 60
ServerAliveCountMax 3

crontab -e

Create tunnels during 7:30~09:30, 21:00~22:00 only. 

# 07:30 ~ 09:30
30   07   *   *   *   ~/bin/mktun.sh
30   09   *   *   *   ~/bin/rmtun.sh
# 21:00 ~ 22:00
00   21   *   *   *   ~/bin/mktun.sh
00   22   *   *   *   ~/bin/rmtun.sh

Homework

Do it at home. NAS is a good choice. 

sudo socat -d -d -lf socat-dns.log \
  udp4-recvfrom:53,bind=*,fork \
  tcp4:127.0.0.1:1053 &

sudo socat -d -d -lf socat-socks.log \
  tcp4-listen:3128,bind=*,fork \
  tcp4:127.0.0.1:13128
Retrieved from "https://wiki.fundamental-ramen.com/index.php?title=Useful_Commands/Security&oldid=2185"