How to make SSH listen on multiple ports

Although it is a security risk, it is possible to make OpenSSH listen on multiple ports.

To do that, you need to edit the /etc/ssh/sshd_config file and enable the “GatewayPorts” option.

AllowTcpForwarding no
GatewayPorts yes
X11Forwarding no
#X11DisplayOffset 10

Look for the line that contains “Port 22”, uncomment it if necessary, and add additional Port lines to make OpenSSH listen on other ports as well. Like this:

Port 22
Port 80
Port 1025

This example will make OpenSSH listen on ports 22, 80 and 1025 simultaneously. Don’t forget to restart the SSH service to apply the change by running:

sudo /etc/init.d/ssh restart

Warning: Running SSH on multiple ports may cause security risks, you have been warned!
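The set of sockets sshd actually binds comes from the Port and ListenAddress directives, and the quickest way to check a change like the one above before restarting is to compute that set from the file. The following Python is an added example, not code from the original post or from OpenSSH: it parses sshd_config text according to the rules in sshd_config(5) (every Port line adds a port, a ListenAddress without a port listens on all Port values, a ListenAddress with a port listens only there, no ListenAddress means all addresses, nothing inside a Match block counts) and flags privileged ports other than 22, which normally belong to other services such as HTTP on 80. It treats the order of Port and ListenAddress lines as irrelevant, as current releases do. The SAMPLE_CONFIG is a constructed copy of the excerpt above, not a real server's file.

```python
from typing import List, Optional, Tuple

DEFAULT_SSH_PORT = 22
PRIVILEGED_LIMIT = 1024  # ports below this are shared with well-known services


def split_host_port(spec: str) -> Tuple[str, Optional[int]]:
    """Parse a ListenAddress operand: host, host:port, [v6]:port or a bare v6 address."""
    if spec.startswith("["):                       # [2001:db8::1]:2222 or [2001:db8::1]
        host, _, rest = spec[1:].partition("]")
        return host, int(rest[1:]) if rest.startswith(":") else None
    if spec.count(":") == 1:                       # 192.0.2.10:2222
        host, port = spec.split(":")
        return host, int(port)
    return spec, None                              # 192.0.2.10 or 2001:db8::1 (no port)


def parse_sshd_listeners(config_text: str) -> List[Tuple[str, int]]:
    """Return the (address, port) pairs sshd would bind for this sshd_config text."""
    ports: List[int] = []
    addrs: List[Tuple[str, Optional[int]]] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()        # '#' starts a comment
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()  # "Keyword value" or "Keyword=value"
        keyword = parts[0].lower()                 # keywords are case-insensitive
        if keyword == "match":                     # Port/ListenAddress are not valid inside Match
            break
        if keyword == "port" and len(parts) == 2:
            ports.append(int(parts[1]))
        elif keyword == "listenaddress" and len(parts) == 2:
            addrs.append(split_host_port(parts[1]))
    if not ports:
        ports = [DEFAULT_SSH_PORT]
    if not addrs:
        addrs = [("0.0.0.0", None), ("::", None)]  # default: every local address
    listeners: List[Tuple[str, int]] = []
    for host, fixed_port in addrs:
        for port in ([fixed_port] if fixed_port is not None else ports):
            if (host, port) not in listeners:
                listeners.append((host, port))
    return listeners


def unusual_privileged_ports(listeners: List[Tuple[str, int]]) -> List[int]:
    """Ports below 1024 other than 22: worth a second look, they usually belong to other daemons."""
    return sorted({p for _, p in listeners if p < PRIVILEGED_LIMIT and p != DEFAULT_SSH_PORT})


# Constructed sample mirroring the excerpt above (not a real server's file).
SAMPLE_CONFIG = """\
# sshd_config excerpt
AllowTcpForwarding no
GatewayPorts yes
X11Forwarding no
Port 22
Port 80
Port 1025
"""

if __name__ == "__main__":
    found = parse_sshd_listeners(SAMPLE_CONFIG)
    for host, port in found:
        print(f"listen {host} port {port}")
    print("privileged ports other than 22:", unusual_privileged_ports(found))
```

Run it against a copy of your own sshd_config before `sshd -t` and the restart; if a port shows up in the privileged list, confirm nothing else on the host already serves it.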

Recommended Reading

Easy File Encryption On Ubuntu Linux with OpenSSL

Here’s an easy way to encrypt your file using OpenSSL. The general syntax is:


openssl enc -<cipher> -e -in <input file> -out <output file>

so to encrypt a “plaintext.txt” file using AES-256 (in CBC mode), you only need to run this command:

openssl enc -aes-256-cbc -e -in plaintext.txt -out encrypted.txt

Similarly, to decrypt the file, you can run the command:

openssl enc -aes-256-cbc -d -in encrypted.txt -out decrypted.txt
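What `openssl enc` writes to encrypted.txt is an 8-byte “Salted__” marker, an 8-byte random salt and the ciphertext, and without the -pbkdf2 option the key and IV are derived from the password and that salt by OpenSSL's legacy EVP_BytesToKey routine (one digest round, MD5 before OpenSSL 1.1.0, SHA-256 since). The following Python is an added example, not code from the post or from OpenSSL, that implements that derivation with nothing but hashlib and splits the file header, so you can see exactly what material protects the file; SAMPLE_FILE is a constructed header plus one dummy block, not real ciphertext, and the password strings are constructed too. Hand the returned key, IV and ciphertext to any AES-256-CBC implementation to recover the plaintext.

```python
import hashlib
from typing import Tuple

SALT_MAGIC = b"Salted__"  # 8-byte header `openssl enc` writes when salting (the default)


def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     digest: str = "sha256", count: int = 1) -> Tuple[bytes, bytes]:
    """OpenSSL's legacy EVP_BytesToKey, used by `openssl enc` when -pbkdf2 is not given.

    D_1 = H(password || salt), D_i = H(D_{i-1} || password || salt); the digests are
    concatenated until key_len + iv_len bytes exist.  `openssl enc` uses count=1, with
    md5 before OpenSSL 1.1.0 and sha256 from 1.1.0 on (overridable with -md).
    """
    if len(salt) != 8:
        raise ValueError("openssl enc salts are 8 bytes")
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        for _ in range(count - 1):          # extra rounds only apply when count > 1
            block = hashlib.new(digest, block).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def split_salted_file(data: bytes) -> Tuple[bytes, bytes]:
    """Split `openssl enc -salt` output into (salt, ciphertext)."""
    if not data.startswith(SALT_MAGIC) or len(data) < 16:
        raise ValueError("not a salted `openssl enc` file")
    return data[8:16], data[16:]


def aes256cbc_params(password: bytes, data: bytes,
                     digest: str = "sha256") -> Tuple[bytes, bytes, bytes]:
    """Return (key, iv, ciphertext) for a file produced by `openssl enc -aes-256-cbc`.

    AES-256-CBC needs a 32-byte key and a 16-byte IV, so 48 bytes are derived:
    two sha256 rounds, or three md5 rounds for files from OpenSSL releases before 1.1.0.
    """
    salt, ciphertext = split_salted_file(data)
    key, iv = evp_bytes_to_key(password, salt, 32, 16, digest)
    return key, iv, ciphertext


# Constructed sample: the marker, an 8-byte salt and one dummy 16-byte block.
SAMPLE_FILE = SALT_MAGIC + bytes(range(8)) + bytes(16)

if __name__ == "__main__":
    key, iv, ct = aes256cbc_params(b"constructed-password", SAMPLE_FILE)
    print("key:", key.hex())
    print("iv: ", iv.hex())
    print("ciphertext bytes:", len(ct))
```

Because a single digest round is all that separates the password from the key, a short password on a file made this way is not much safer than the password itself; recent OpenSSL releases accept `-pbkdf2` (with `-iter`) precisely so that the derivation is expensive, and the same header layout is kept.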

How to Setup SSH public-key or password-less authentication in Ubuntu

Here’s how to set up public-key (or passwordless) authentication in Ubuntu or any other Linux-based operating system that uses OpenSSH.

First make sure you have a remote SSH server running and accepting connections. Then you need to generate an SSH key on the local machine (I prefer RSA). You can enter a passphrase for added security, or leave it blank for passwordless authentication.

local:~$ ssh-keygen -t rsa
Enter passphrase (empty for no passphrase):

The command will generate the id_rsa and id_rsa.pub files, saved in the ~/.ssh/ directory. Then copy the id_rsa.pub file to the remote server using SCP. Read How to use SCP on Linux or other UNIX-based Environment for more information about SCP.

local:~$ scp ~/.ssh/id_rsa.pub username@remote.host:~/

Then you have to connect to the remote host and append the id_rsa.pub public key to the “authorized_keys” list. Don’t forget to chmod the authorized_keys file and the .ssh directory, or OpenSSH won’t work correctly.

local:~$ ssh username@remote.host

# now we are on the remote server!
remote:~$ mkdir -p ~/.ssh
remote:~$ cat id_rsa.pub >> ~/.ssh/authorized_keys
remote:~$ chmod 644 ~/.ssh/authorized_keys
remote:~$ chmod 700 ~/.ssh

Make sure you have edited the “/etc/ssh/sshd_config” file to allow public-key authentication and RSA authentication.

#sshd_config file

PermitRootLogin no
...snip...
RSAAuthentication yes
PubkeyAuthentication yes
...snip...

Save the file and restart the sshd daemon by running the following command.

remote:~$ sudo /etc/init.d/ssh restart

After that, log out from the remote host to test the public-key authentication.


remote:~$ exit
local:~$

Testing the SSH public-key authentication
To test the public-key authentication, simply connect to the remote server normally using ssh; if things have gone smoothly you’ll be prompted for your passphrase instead of your password.


local:~$ ssh username@remote.host
Enter passphrase for key '/home/username/.ssh/id_rsa':

Note that you will not be prompted for a passphrase or password if you generated the key with a blank passphrase, effectively making your login “passwordless”. For added security, it is advised that you disable the normal keyboard-interactive password option and rely fully on public-key authentication by changing the sshd_config line from:

PasswordAuthentication yes

to


PasswordAuthentication no

p/s: this tutorial was adapted from “Shortest passwordless ssh tutorial, ever”, with updated notes for the latest OpenSSH release
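The chmod steps above matter because sshd, with its default StrictModes setting, silently ignores an authorized_keys file that lives in a directory or home that other users can write to, and the ssh client refuses a private key file that other users can read. The following Python is an added example, not code from the tutorial or from OpenSSH: audit_ssh_dir reports the modes that break key login, fix_ssh_dir applies the modes used in the steps above, and make_sample_ssh_dir builds a constructed, deliberately mis-permissioned .ssh tree in a temporary directory (the key files in it are placeholders, not real keys) so the audit can be exercised without touching a real account.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List


def audit_ssh_dir(ssh_dir: str) -> List[str]:
    """Report modes that sshd (StrictModes yes, the default) or the ssh client rejects."""
    findings: List[str] = []
    d = Path(ssh_dir)
    if not d.is_dir():
        return [f"{d}: directory missing"]
    home_mode = stat.S_IMODE(d.parent.stat().st_mode)
    if home_mode & 0o022:                       # sshd also refuses a group/world-writable home
        findings.append(f"{d.parent}: mode {home_mode:04o} is group/world writable")
    dir_mode = stat.S_IMODE(d.stat().st_mode)
    if dir_mode & 0o077:
        findings.append(f"{d}: mode {dir_mode:04o} is group/world accessible (want 0700)")
    ak = d / "authorized_keys"
    if ak.is_file():
        m = stat.S_IMODE(ak.stat().st_mode)
        if m & 0o022:
            findings.append(f"{ak}: mode {m:04o} is group/world writable (want 0644 or 0600)")
    for key in d.glob("id_*"):                  # id_rsa, id_ed25519, ...; skip the .pub halves
        if key.suffix == ".pub" or not key.is_file():
            continue
        m = stat.S_IMODE(key.stat().st_mode)
        if m & 0o077:                           # ssh will not use a private key others can read
            findings.append(f"{key}: private key mode {m:04o} is accessible by others (want 0600)")
    return findings


def fix_ssh_dir(ssh_dir: str) -> None:
    """Apply the modes from the steps above: 700 on .ssh, 644 on authorized_keys, 600 on private keys."""
    d = Path(ssh_dir)
    os.chmod(d, 0o700)
    ak = d / "authorized_keys"
    if ak.is_file():
        os.chmod(ak, 0o644)
    for key in d.glob("id_*"):
        if key.suffix != ".pub" and key.is_file():
            os.chmod(key, 0o600)


def make_sample_ssh_dir() -> str:
    """Build a constructed, deliberately mis-permissioned ~/.ssh in a temp dir (not a real home)."""
    home = tempfile.mkdtemp()                   # created 0700, so the home-directory check passes
    ssh = Path(home) / ".ssh"
    ssh.mkdir()
    os.chmod(ssh, 0o755)                        # too open: group/others can read the directory
    (ssh / "authorized_keys").write_text("ssh-rsa AAAA...constructed-placeholder... user@host\n")
    os.chmod(ssh / "authorized_keys", 0o664)    # too open: group-writable
    (ssh / "id_rsa").write_text("constructed placeholder, not a real private key\n")
    os.chmod(ssh / "id_rsa", 0o644)             # too open: world-readable private key
    (ssh / "id_rsa.pub").write_text("ssh-rsa AAAA...constructed-placeholder... user@host\n")
    return str(ssh)


if __name__ == "__main__":
    sample = make_sample_ssh_dir()
    for finding in audit_ssh_dir(sample):
        print("FAIL", finding)
    fix_ssh_dir(sample)
    print("after fix:", audit_ssh_dir(sample) or "clean")
```

Point audit_ssh_dir at a real ~/.ssh when a key login unexpectedly falls back to a password prompt; on the server side, `sshd` logs the refusal as “Authentication refused: bad ownership or modes” in the auth log.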

How to use SCP on Linux or other UNIX-based Environment

SCP is used to copy files securely over the network. In order to use SCP, the remote host must be running an SSH server (OpenSSH on Linux systems, including Ubuntu) and the user must have an account on the remote server.

The scp syntax is easy:


local:~$ scp <source> <username>@<remote_host>:<destination>

Example for copying a local file to the user’s home directory on the remote host (replace mypapit with your own username):

local:~$ scp id_rsa.pub mypapit@remote.host:~/

id_rsa.pub 100% 392 0.9KB/s 00:00

local:~$

To list the files in the remote directory, just run

local:~$ ssh mypapit@remote.host ls

temp_file.txt id_rsa.pub

and the content of remote directory will be displayed.

Copying files recursively
To copy files recursively, you only need to add the “-r” switch. Add -v for verbose output.

Example:

local:~$ scp -rv ~/* username@remote.host:~/backup

Conclusion
SCP is easy to use, especially when you want to copy or upload files from client to server without running an FTP server. Additionally, the content of the transferred files is encrypted over the SSH connection, and you get the benefit of simplicity while working on the console.

How to use rsync to backup and synchronize files to USB drive

A portable USB drive (sometimes called a pendrive) has gained popularity as a medium for storing documents. Computer users work on the files they store on the USB drive and occasionally copy them to their computer, or vice versa.

However, this causes problems if there are a lot of files being worked on and transferred between the USB drive and computers. Valuable time might be lost solely on identifying which files are more recent and need to be updated.

Fortunately there’s ‘rsync’, a tool which can be used to synchronize files between the computer and the USB drive. Assuming you use Debian or Ubuntu, you only need to start ‘synaptic’ and select the ‘rsync’ package. Once it is installed, start the terminal application and you can begin synchronizing the files using this command:


$ rsync -r -vv /home/username/Documents/ /media/your_usb_drive

The general format of the rsync command is:

$ rsync -r -vv <local document directory> <remote backup directory>

rsync only updates files which have changed, saving time and precious hard disk space that would otherwise go to maintaining duplicate files.

A Windows version is also available at: http://www.rsync.net/resources/binaries/cwRsync_3.1.0_Installer.zip

ssh-vulnkey: How to test for weak SSH keys on your server

This might be stale news to most security-alert people, but I felt compelled to write this post nevertheless. By this time most security-alert people have realised that a serious security vulnerability has been discovered in the random number generator used by OpenSSL on Debian and Ubuntu systems, and a lot of sites have published information about it. [1] [2] [3] [4] [5].

This vulnerability caused OpenSSL to generate “common” and predictable keys, which are easily recoverable by brute force. In the extreme case, some of the keys were successfully cracked in 2 hours. Even for longer keys, the complete 8192-bit RSA key set might take as little as 129 days to generate, as opposed to hundreds of years if the keys had been generated securely.

Which Ubuntu Linux systems are affected?
As the Ubuntu Linux operating system is based on Debian, it inherited Debian’s vulnerability. Users who generated keys on Ubuntu 7.04, Ubuntu 7.10 or Ubuntu 8.04 LTS before updating to the new OpenSSL package via automatic updates (that is, before May 13 2008) are all affected by this vulnerability.

Other systems which use keys generated on Debian or the above-mentioned Ubuntu releases are also affected, as the keys might allow a malicious third party to abuse the system. SSH logins which use these keys can no longer be considered secure, and their owners are advised to update their SSH keys immediately.

How to check for weak SSH keys?
A system is only as strong as the security measures (in this case, the key) that protect it. By using ssh-vulnkey as detailed in Ubuntu Security Notice 612-2, you can detect weak keys on your system and update them accordingly.

Run the “sudo ssh-vulnkey -a” command to check for weak keys:

ssh-vulnkey -a
Not blacklisted: 2048 fa:2e:1d:a6:84:64:a1:80:c4:31:68:5a:b0:1a:cb:fe /etc/ssh/ssh_host_rsa_key.pub
Not blacklisted: 1024 f4:34:04:85:58:a0:6b:0a:a1:b9:2d:3b:e6:19:5a:76 /etc/ssh/ssh_host_dsa_key.pub
COMPROMISED: 2048 5c:10:8a:c0:55:8c:1f:d9:4b:05:f0:35:0a:0d:2f:5c /home/someuser/.ssh/authorized_keys
Not blacklisted: 2048 a7:b4:3e:41:18:cb:f7:68:5e:4f:ae:30:14:d2:17:fd /home/someuser/.ssh/authorized_keys
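ssh-vulnkey works by fingerprinting every key it finds and looking the fingerprint up in a blacklist of the keys the broken generator could produce; the output above is one line per key with the bit size and the colon-separated MD5 fingerprint. The following Python is an added example, not code from the post or from the ssh-vulnkey tool: it parses authorized_keys lines in the format used by the public-key tutorial above (skipping option prefixes such as no-pty), decodes the SSH wire-format blob to confirm the declared key type and read the modulus size, computes the same MD5 fingerprint format, and reports a verdict against a blacklist. The sample lines and the 2048-bit moduli in them are constructed dummies, not usable keys, and the sample blacklist is constructed from one of them plus the fingerprint reported as COMPROMISED in the transcript above; a real check would load the distribution's blacklist files instead.

```python
import base64
import hashlib
import struct
from typing import List, Set, Tuple


def ssh_strings(blob: bytes) -> List[bytes]:
    """Split an SSH public-key blob into its uint32-length-prefixed fields (RFC 4253 'string')."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields


def pack_ssh_strings(*fields: bytes) -> bytes:
    """Inverse of ssh_strings: length-prefix and concatenate the fields."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def parse_authorized_key(line: str) -> Tuple[str, bytes, str]:
    """Return (type, blob, comment) for one authorized_keys line.

    Option prefixes (no-pty, from=host, ...) are skipped by taking the first token whose
    following token is base64 that decodes to a blob naming that same type.  Quoted options
    containing spaces are not handled here.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("ssh-", "ecdsa-", "sk-")):
            continue
        try:
            blob = base64.b64decode(tokens[i + 1], validate=True)
            fields = ssh_strings(blob)
        except (ValueError, struct.error):
            continue
        if fields and fields[0] == tok.encode():
            return tok, blob, " ".join(tokens[i + 2:])
    raise ValueError(f"no public key found in line: {line!r}")


def key_bits(ktype: str, blob: bytes) -> int:
    """Key size as ssh-vulnkey prints it: the modulus length for RSA, p for DSA."""
    fields = ssh_strings(blob)
    if ktype == "ssh-rsa":          # fields: type, e, n
        return int.from_bytes(fields[2], "big").bit_length()
    if ktype == "ssh-dss":          # fields: type, p, q, g, y
        return int.from_bytes(fields[1], "big").bit_length()
    if ktype == "ssh-ed25519":
        return 256
    return 0                         # other types: size not derived in this example


def md5_fingerprint(blob: bytes) -> str:
    """Colon-separated MD5 fingerprint, the format in the ssh-vulnkey output above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def check_authorized_keys(lines: List[str], blacklist: Set[str]) -> List[str]:
    """Emit one ssh-vulnkey-style verdict per key line; comments and blank lines are skipped."""
    report = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ktype, blob, comment = parse_authorized_key(line)
        fp = md5_fingerprint(blob)
        verdict = "COMPROMISED" if fp in blacklist else "Not blacklisted"
        report.append(f"{verdict}: {key_bits(ktype, blob)} {fp} {comment}")
    return report


def constructed_rsa_line(modulus_byte: int, comment: str) -> str:
    """Constructed ssh-rsa entry with a 2048-bit dummy modulus (not a usable key)."""
    e = b"\x01\x00\x01"
    n = b"\x00" + bytes([modulus_byte]) * 256  # mpint: leading zero keeps the value positive
    blob = pack_ssh_strings(b"ssh-rsa", e, n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


SAMPLE_LINES = [
    "# constructed authorized_keys, not from a real host",
    constructed_rsa_line(0xFF, "weak@example"),
    "no-pty " + constructed_rsa_line(0xAB, "good@example"),
]
# Constructed blacklist: the first sample key's fingerprint plus the one the transcript flags.
SAMPLE_BLACKLIST = {
    md5_fingerprint(parse_authorized_key(SAMPLE_LINES[1])[1]),
    "5c:10:8a:c0:55:8c:1f:d9:4b:05:f0:35:0a:0d:2f:5c",
}

if __name__ == "__main__":
    for verdict in check_authorized_keys(SAMPLE_LINES, SAMPLE_BLACKLIST):
        print(verdict)
```

The type check (declared type versus the first field inside the blob) is the same consistency check sshd itself performs, and it is what makes a fingerprint meaningful: the fingerprint is computed over the blob, so a mismatched or truncated entry would otherwise be fingerprinted and reported as if it were a valid key.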

More information about the OpenSSL security vulnerability in Debian / Ubuntu: