
Mike Chirico (mchirico@users.sourceforge.net) or (mchirico@gmail.com)
Copyright (c) 2005 (GNU Free Documentation License)
Last Updated: Sun Jan 27 09:40:26 EST 2008
http://souptonuts.sourceforge.net/sshtips.htm


Breaking Firewalls with OpenSSH and PuTTY

If the system administrator deliberately filters out all traffic except port 22 (ssh), to a single server, it is very likely that you can still gain access to other computers behind the firewall. This article shows how remote Linux and Windows users can gain access to firewalled samba, mail, and http servers. In essence, it shows how OpenSSH and PuTTY can be used as a VPN solution for your home or workplace, without monkeying with the firewall. This article is NOT suggesting you close port 22. These steps are only possible given valid accounts on all servers. But, read on, you may be surprised what you can do, without punching additional holes through the firewall -- punching additional holes is a bad idea.

OpenSSH and Linux

From the Linux laptop 192.168.1.106, it is possible to get access to the resources behind the firewall directly, including the SAMBA server, HTTP Server, and Mail Server, which are blocked from the outside by the firewall. The firewall only permits access to the SSH Server via port 22; yet, as you will see, it is possible to get access to the other servers.

The SSH Server is seen as 66.35.250.203 from the outside. To tunnel traffic through the SSH Server, from the Linux laptop 192.168.1.106, create the following "~/.ssh/config" file, on the Linux laptop.

~/.ssh/config

  ## Linux Laptop .ssh/config ##
  Host work
  HostName 66.35.250.203
  User sporkey
  LocalForward 20000 192.168.0.66:80
  LocalForward 22000 192.168.0.66:22
  LocalForward 22139 192.168.0.8:139
  LocalForward 22110 192.168.0.5:110

  Host http
  HostName localhost
  User donkey
  Port 22000
  HostKeyAlias localhosthttp

This file must have the following rights.

  $  chmod 600 ~/.ssh/config

Take a look again at the file above. Note the entry for "LocalForward 22000 192.168.0.66:22", and compare this to the network diagram. The connection to the SSH Server is made by running the command below, from the Linux laptop (192.168.1.106).

 $ ssh -l sporkey 66.35.250.203

Quick hint: the above command can be shortened, since the user name "sporkey" and the "HostName" are already specified in the config file. Therefore, you can use "ssh work" as shown below.

 $ ssh work

After this connection is made, it is possible to access the HTTP Server directly, assuming the account donkey has access to this server. The command below is executed on the Linux laptop (192.168.1.106). Yes, that is on the Linux laptop in a new window. Again, this will be executed from 192.168.1.106 in a new session. So note here the Linux laptop is getting direct access to (192.168.0.66). Reference the diagram above. This is the "localhost" of the Linux laptop -- you got this, right? The ssh sessions are initiated from the Linux laptop.

  $ ssh -l donkey localhost -p 22000

Since the config file maps "http" to localhost port 22000, the above command can be shortened to the following:

  $ ssh http

Wait, there is a better way. Instead of creating two terminal sessions, one for "ssh work", then, another one for "ssh http", why not put it all together in one command.

   $ ssh -N -f -q work;ssh http

The above command will establish the connection to work, forwarding the necessary ports to the other servers. The "-N" is for "Do not execute remote command", the "-f" requests ssh to go to the background, and "-q" is to suppress all warnings and diagnostic messages. So, still not short enough for you? Then create an alias, alias http='ssh -N -f -q work;ssh http', and put that in your "~/.bashrc" file, which is about as short as you can get, since typing http on the command line would get you to the HTTP server.

To copy files to this server, the command below is used. Note uppercase "-P" follows "scp". If you are in the ".ssh" directory you will see an "authorized_keys2" and maybe an "authorized_keys", which you may want to append to the like files on the destination server. These files are only listed as an example. Any file could be copied; but, if you copy these files to the remote server and append the contents to the remote server's authorized_key* files, then, you will not be prompted for a password the next time you make a connection. See Tip 12 in Linux Tips. You will need to create an authorized_keys2 and authorized_keys file with all the public keys of the computers that will connect. Below, assume you have these keys in the current directory on the laptop, and you want to copy this to the HTTP Server [192.168.0.66]. The keys go in "~/.ssh/authorized_keys2" for ssh2. Again, take a look at Linux Tips. You do not want to write over any existing keys.

 $ scp -P 22000 authorized_keys* donkey@localhost:./.ssh/.

But, because you have everything in the "config" file, you can shorten the above command to the following:

 $ scp authorized_keys* http:./.ssh/.

The following command, executed from the Linux laptop, will download the web page from the remote server (192.168.0.66).

 $ wget http://localhost:20000/
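
Every LocalForward above depends on the SSH Server's sshd permitting TCP forwarding, which OpenSSH does by default. The shell function below is an added example, not part of the original article: it reads an sshd_config on standard input and reports what the global section allows for local and remote forwards. The name audit_forwarding and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Reads sshd_config text on
# stdin. Assumes whitespace-separated "Keyword value" lines and evaluates
# only the global section (parsing stops at the first Match block).
audit_forwarding() {
    awk '
    BEGIN {   # OpenSSH defaults when a directive is absent
        v["allowtcpforwarding"] = "yes"
        v["gatewayports"] = "no"
        v["permitopen"] = "any"
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
    {
        k = tolower($1)                  # keywords are case-insensitive
        if (k == "match") exit           # conditional overrides start here
        if ((k in v) && !(k in seen)) {  # sshd keeps the FIRST value it reads
            seen[k] = 1
            $1 = ""; sub(/^[ \t]+/, "")  # remainder of the line is the value
            v[k] = tolower($0)
        }
    }
    END {
        a = v["allowtcpforwarding"]; p = v["permitopen"]; g = v["gatewayports"]
        loc = (a == "yes" || a == "all" || a == "local")
        rem = (a == "yes" || a == "all" || a == "remote")
        if (!loc)             print "local-forward: disabled"
        else if (p == "any")  print "local-forward: any destination"
        else if (p == "none") print "local-forward: no destination permitted"
        else                  print "local-forward: only " p
        if (!rem)             print "remote-forward: disabled"
        else if (g == "no")   print "remote-forward: loopback only"
        else                  print "remote-forward: network-reachable (GatewayPorts " g ")"
    }'
}

# Constructed sample 1: defaults plus the GatewayPorts change the article makes.
printf '%s\n' 'Port 22' 'GatewayPorts yes' | audit_forwarding

# Constructed sample 2: a server that only lets clients reach one web port.
printf '%s\n' '# restricted' 'AllowTcpForwarding local' \
    'PermitOpen 192.168.0.66:80' | audit_forwarding
```

On a live server, piping the output of "sshd -T" (run as root) into the function evaluates the effective configuration rather than the raw file.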

Linux Laptop becomes Company Web Server -- Power of RemoteForward

Suppose the Linux laptop is running a web server. Is it possible for the people in the company to view this, the web server on the laptop (192.168.1.106), when they attach to HTTP Server (192.168.0.66)? Absolutely. Think about this because what is being suggested here is that a laptop, with no direct access to the HTTP server, is actually going to take over the company web server. Yes, that is exactly what will be shown here; although, instead of taking over the company web server, which is running on port 80 of (192.168.0.66), you will see how to add an additional web server on port 20080. However, if you are intent upon taking over the company web server, you would have to perform similar steps as root, since only root has the ability to take over the privileged ports. But, start with this example first, then, you'll see how to do this on port 80. To perform this magic, the "/etc/ssh/sshd_config", on the company web server (192.168.0.66), must have the variable "GatewayPorts" set to "yes", otherwise, only the users logged into HTTP Server will be able to see the laptop's web page. Instead, we want everyone in the company to have direct access to the added port.

 GatewayPorts yes

After making the change, you will need to restart sshd.

 $ /etc/init.d/sshd restart

In the Linux laptop's "~/.ssh/config" add the following entry, RemoteForward 20080 localhost:80, so that the complete "~/.ssh/config" is as shown below.

  ## Updated Linux Laptop .ssh/config  ##
  Host work
  HostName 66.35.250.203
  User sporkey
  LocalForward 20000 192.168.0.66:80
  LocalForward 22000 192.168.0.66:22
  LocalForward 22139 192.168.0.8:139
  LocalForward 22110 192.168.0.5:110

  Host http
  HostName localhost
  User donkey
  Port 22000
  RemoteForward 20080 localhost:80
  HostKeyAlias localhosthttp

If you perform a "netstat -l" from 192.168.0.66, the remote company web server, you should see the following:

 tcp  0  0 *:20080 *:*  LISTEN

This means that anyone in the company can view this webpage, http://192.168.0.66:20080/, on port 20080. If you wanted port 80, the default http port, the connected user would have to have root privileges.

If you did not change the "/etc/ssh/sshd_config" file, "GatewayPorts" defaults to "no". And executing a "netstat -l" (that's an ell), would return the following:

 tcp   0 0 ::1:20080 *:* LISTEN

With the above restrictions, only users on the computer 192.168.0.66 would see the webpage on 192.168.1.106 from port 20080. This is what happens by default, since "GatewayPorts" is set to no.
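
The two netstat lines above differ only in the local address the forwarded port is bound to. As an added example (not from the original article), the shell function below reads "netstat -l" or "netstat -ln" output and reports, for each listening TCP port, whether it is bound to loopback or to all interfaces. The name classify_listeners and the sample lines are constructed; the first two samples mirror the article's output.

```shell
#!/bin/sh
# Added example (not from the original article).
# classify_listeners [PORT]  -- reads netstat -l / -ln output on stdin and
# prints "<port> <scope>" for each listening TCP socket (optionally one port).
classify_listeners() {
    awk -v want="${1:-}" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        la = $4                           # Local Address column
        n = match(la, /:[^:]*$/)          # LAST colon separates the port,
        if (n == 0) next                  # so "::1:20080" splits correctly
        addr = substr(la, 1, n - 1)
        port = substr(la, n + 1)
        if (want != "" && port != want) next
        if (addr ~ /^127\./ || addr == "::1" || addr ~ /^localhost/ ||
            addr ~ /^ip6-localhost/)
            scope = "loopback"            # reachable only from this host
        else if (addr == "*" || addr == "0.0.0.0" || addr == "::" ||
                 addr == "[::]")
            scope = "all-interfaces"      # reachable from the network
        else
            scope = "address " addr       # bound to one specific address
        print port, scope
    }'
}

# Constructed sample input: the two lines shown in the article, plus
# numeric-form (-n) variants of the same bindings.
sample_netstat() {
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address  State
 tcp  0  0 *:20080 *:*  LISTEN
 tcp   0 0 ::1:20080 *:* LISTEN
tcp6  0  0 :::20080 :::*  LISTEN
tcp   0  0 127.0.0.1:20080 0.0.0.0:*  LISTEN
tcp   0  0 192.168.0.66:80 0.0.0.0:*  LISTEN
EOF
}

# Show only the forwarded port from the RemoteForward example.
sample_netstat | classify_listeners 20080
```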

By the way, did you figure out what the HostKeyAlias option does? If you make multiple localhost entries in your config file without HostKeyAlias, .ssh/known_hosts will contain multiple entries for "localhost" with different keys. Try it without HostKeyAlias and it should bark at you.

For references on generating ssh key pairs, securing an ssh server from remote root access, and samba mounts through an ssh tunnel see (TIP 12, TIP 13, and TIP 138) in Linux Tips listed at the end of this article. In addition, if you are a system administrator, you may want to take note of (TIP 14), keeping yearly logs, and (TIP 26), which shows how to kill a user and all their running processes. In addition, the following (TIP 10, TIP 11, TIP 15, TIP 24, TIP 47, TIP 52, TIP 89, TIP 104, TIP 148, and TIP 150) may help with system security.


PuTTY for Windows XP

From your Windows XP laptop, you want access to the following resources behind a firewall: "SSH server", "Mail Server", and "HTTP Server". The only port allowed in is ssh, port 22, to the "SSH Server". So, how do you get access, from the laptop to the other resources using an ssh tunnel?


Step 1: (Download PuTTY)

Download putty.exe and plink.exe. Although plink.exe is not needed, it provides some handy features you may end up using later.

I normally put the files in "c:/bin", then, add this directory to the path.


Step 2: (Load the IP Address of Your Server)

Replace the IP address 66.35.250.203 with the IP address of your ssh server and save it. Note 66.35.250.203 really is sourceforge, so unless you're accessing projects on sourceforge, you probably want a different IP address.


Step 3: (Create the Necessary Tunnels)

There are 2 additional servers you need access to: the "HTTP server" 192.168.0.66, and the "Mail server" 192.168.0.5. Click on Tunnel and fill in the following values. The HTTP server works on port 80, so enter 80 in the Source port. The destination is 192.168.0.66:80. Hit "Add" to commit this entry.

Your listing should be similar to the following. Make sure each entry has an "L" listed in front of it. Local port 25 will now go to server 192.168.0.5 on port 25. But, ports 110 and 25 will go to server 192.168.0.5.


Step 4: (Testing the Connection)

If you now open your ssh connection (click on "Sourceforge", or whatever you name it), then you can browse the data on the "HTTP Server" by filling in localhost at the browser. It makes sense to "Check" the connection at this stage -- remember to put in the correct IP addresses for your server.


Step 5: (Setting up Mail)

Mozilla Thunderbird is an excellent mail package. It will work in place of Microsoft Outlook when connected to your work's Exchange, Postfix, or Sendmail server.

The server location is localhost. And notice the option below to "Leave messages on server". If you have another email client on your workstation at work, then, you might want to keep the mail on the server.


Step 6: (Getting Access to Samba Shares -- Loopback Adapter)

From the Windows XP computer, you want to add a Microsoft Loopback Adapter. From the control panel, follow the steps below. By the way, it is possible to add more than one adapter.

  1.  Yes, I already connected the hardware
  2.  Add a new hardware device (bottom of menu)
  3.  Install the hardware that I manually select from a list (Advanced)
  4.  Select Network Adapters
  5.  Microsoft Loopback Adapter

Once the adapter is added, you must assign an IP address. The first adapter will be assigned 10.0.0.1, the second will be assigned 10.0.0.2, etc. DO NOT enter a "Default gateway".

The second adapter will have the IP address 10.0.0.2. Remember, there are two samba servers in the network diagram. Both the HTTP server and the SAMBA server have samba shares. Again, DO NOT enter a "Default gateway".

The loopback adapters should appear in the control panel.


Step 7: (Getting Access to Samba Shares -- SSH Configuration Settings)

Now you want to go back into the PuTTY configuration. In the "Source port" text box, yes it is small, enter 10.0.0.1:139; but note, the image below only shows 0.0.1:139 because it has scrolled to the left. Also, enter 192.168.0.66:139 for the destination address. When done, click "Add".

The completed entry should look like the following:

You can repeat the same procedure above for more samba shares, if you want. Although not shown, the same procedure is used for 10.0.0.2:139; but, it will have a destination of 192.168.0.8. Again, there are two samba shares in the network diagram.


Step 8: (Getting Access to Samba Shares -- View It)

To view the samba share, click Start/Run and type in \\10.0.0.1


Special Note

You will probably have to reboot. Also, read and download the following patch from Microsoft.

Also, disable File and Printer Sharing for Microsoft Networks for both adapters.

Disable NetBIOS over TCP/IP; but, make sure LMHosts Lookup is enabled.


DOWNLOADS

OpenSSH
www.openssh.org

PuTTY
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html


ADDITIONAL TUTORIALS

Linux System Admin Tips
There are over 200 Linux tips and tricks in this article. That is over 150 pages covering topics from setting and keeping the correct time on your computer, permanently deleting documents with shred, making files "immutable" so that root cannot change or delete, setting up more than one IP address on a single NIC, monitoring users and processes, setting log rotate to monthly with 12 months of backups in compressed format, creating passwords for Apache using the htpasswd command, common Perl commands, using cfengine, adding users to groups, finding out which commands are aliased, query program text segment size and data segment size, trusted X11 forwarding, getting information on the hard drive including the current temperature, using Gnuplot, POVRAY and making animated GIFs, monitoring selective traffic with tcpdump and netstat, multiple examples using the find command, getting the most from Bash, plus a lot more. You can also download this article as a text document here for easy grepping.

Linux Quota Tutorial
This tutorial walks you through implementing disk quotas for both users and groups on Linux, using a virtual filesystem, which is a filesystem created from a disk file. Since quotas work on a per-filesystem basis, this is a way to implement quotas on a sub-section, or even multiple subsections of your drive, without reformatting. This tutorial also covers quotactl, or quota's C interface, by way of an example program that can store disk usage in a SQLite database for monitoring data usage over time.

Google Gmail on Home Linux Box using Postfix and Fetchmail
If you have a Google Gmail account, you can relay mail from your home linux system. It's a good exercise in configuring Postfix with TLS and SASL. Plus, you will learn how to bring down the mail safely, using fetchmail with the "sslcertck" option, that is, after you have verified and copied the necessary certificates. You'll learn it all from this tutorial. And you'll have Gmail running on your local Postfix MTA.

Create your own custom Live Linux CD
These steps will show you how to create a functioning Linux system, with the latest 2.6 kernel compiled from source, and how to integrate the BusyBox utilities including the installation of DHCP. Plus, how to compile in the OpenSSH package on this CD based system. On system boot-up a filesystem will be created and the contents from the CD will be uncompressed and completely loaded into RAM -- the CD could be removed at this point for boot-up on a second computer. The remaining functioning system will have full ssh capabilities. You can take over any PC assuming, of course, you have configured the kernel with the appropriate drivers and the PC can boot from a CD.

MySQL Tips and Tricks
Find out who is doing what in MySQL and how to kill the process, create binary log files, connect, create and select with Perl and Java, remove duplicates in a table with the index command, rollback and how to apply, merging several tables into one, updating foreign keys, monitor port 3306 with the tcpdump command, creating a C API, XML and HTML output, spatial extensions, complex selects, and much more.

SQLite Tutorial
This article explores the power and simplicity of sqlite3, first by starting with common commands and triggers, then the attach statement with the union operation is introduced in a way that allows multiple tables, in separate databases, to be combined as one virtual table, without the overhead of copying or moving data. Next, the simple sign function and the amazingly powerful trick of using this function in SQL select statements to solve complex queries with a single pass through the data is demonstrated, after making a brief mathematical case for how the sign function defines the absolute value and IF conditions.

Lemon Parser Tutorial
Lemon is a compact, thread safe, well-tested parser generator written by D. Richard Hipp. Using a parser generator, along with a scanner like flex, can be advantageous because there is less code to write. You just write the grammar for the parser. This article is an introduction to the Lemon Parser, complete with examples.


Errata

Special thanks to the following people who pointed out needed corrections.

[Sun Oct 9 13:32:01 EDT 2005] Kent West


Mike Chirico, a father of triplets (all girls) lives outside of Philadelphia, PA, USA. He has worked with Linux since 1996, has a Masters in Computer Science and Mathematics from Villanova University, and has worked in computer-related jobs from Wall Street to the University of Pennsylvania. His hero is Paul Erdos, a brilliant number theorist who was known for his open collaboration with others.


Mike's notes page is souptonuts. For open source consulting needs, please send an email to mchirico@gmail.com. All consulting work must include a donation to SourceForge.net.

