(47 intermediate revisions by the same user not shown) |
Line 1: |
Line 1: |
| [[Category:Engineering]] | | [[Category:Engineering]] |
− | | + | [[Category:SSL]] |
− | == External OpenSSL Command-line FAQ ==
| |
− | This [http://www.madboa.com/geek/openssl/ OpenSSL HowTo/FAQ] deals with the command-line openssl.
| |
− | | |
− | == sshd_conf tweaks ==
| |
− | These are changes I always make to /etc/ssh/sshd_config.
| |
− | See [http://www.fail2ban.org/ fail2ban] for
| |
− | protecting against bots doing dictionary attacks.
| |
− | | |
− | <pre>
| |
− | # this speeds up logins.
| |
− | UseDNS no
| |
− | # bots often check these accounts for weak passwords:
| |
− | DenyUsers root test admin guest nobody
| |
− | # for extra security, limit access to only these users:
| |
− | AllowUsers user1 user2 user3
| |
− | </pre>
| |
− | | |
− | Use the following to support SSH1. I no longer use this.
| |
− | <pre>
| |
− | # this is required if you want to support SSH1
| |
− | Protocol 2,1
| |
− | # this is required if you want to support SSH1
| |
− | PasswordAuthentication yes
| |
− | </pre>
| |
− | | |
− | == simple port forwarding (SSH tunnel) ==
| |
− | This example creates a tunnel for IMAP. Here we forward port 1143 on localhost to 143 (IMAP) on imap.example.com.
| |
− | <pre>
| |
− | ssh -f -N -q -L 1143:localhost:143 username@imap.example.com
| |
− | </pre>
| |
− | | |
− | -f tells ssh to go into the background (daemonize).
| |
− | | |
− | -N tells ssh that you don't want to run a remote command. That is, you only want to forward ports.
| |
− | | |
− | -q tells ssh to be quiet
| |
− | | |
− | -L specifies the port forwarding
| |
− | | |
− | == reverse port forwarding ==
| |
− | Sometimes I need to make an internal LAN machine expose a service to the outside WAN.
| |
− | For example, I have a database server that will only accept connections from a
| |
− | specific development box. That dev box is inside the firewall. I want to connect to
| |
− | the database from outside the firewall.
| |
− | <pre>ssh -t -L 5432:localhost:1999 my_name@firewall.example.com ssh -t db_server ssh -t -R 1999:127.0.0.1:5432 my_name@firewall
| |
− | </pre>
| |
− | | |
− | | |
− | == SSH for Windows ==
| |
− | [http://www.chiark.greenend.org.uk/~sgtatham/putty/ Putty] is the best free SSH client for Windows. You can also use [http://www.cygwin.com Cygwin], but the ANSI terminal emulation isn't as good unless you start the X11 server and run xterm.
| |
− | | |
− | == MindTerm SSH client Java Applet ==
| |
− | MindTerm_2.1 (non-commercial). This was the last free version of MindTerm.
| |
− | | |
− | [http://www.noah.org/ssh/mindterm.jar mindterm.jar]
| |
− | | |
− | Put this applet on a web page and point the <applet> "archive" attribute to the URL of the JAR file:
| |
− | <small><pre>
| |
− | <applet archive="mindterm.jar" code="com.mindbright.application.MindTerm.class" width="580" height="400">
| |
− | <param name="te" value="xterm-color"> <!-- "vt102" -->
| |
− | <param name="fs" value="18">
| |
− | <param name="gm" value="80x32+0+0">
| |
− | <param name="port" value="22">
| |
− | <param name="cipher" value="blowfish"> <!-- "des" -->
| |
− | <param name="usrname" value="">
| |
− | <param name="sepframe" value="false">
| |
− | <param name="quiet" value="false">
| |
− | <param name="cmdsh" value="false">
| |
− | <param name="verbose" value="true">
| |
− | <pa ram name="autoprops" value="none">
| |
− | <param name="idhost" value="false">
| |
− | <param name="alive" value="10">
| |
− | <param name="appletbg" value="white">
| |
− | </applet>
| |
− | </pre></small>
| |
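Review bot: this revision deletes every section of the page (the OpenSSL command-line FAQ link, the sshd_config tweaks, the port-forwarding and reverse-forwarding examples, the PuTTY and MindTerm notes) and leaves only the `[[Category:Engineering]]` and `[[Category:SSL]]` tags, with no pointer to where the material went; if it was moved, leave a one-line link to the new page so existing references do not dead-end, and if it was not, restore it. Two of the removed items should not come back verbatim if the content is restored: the SSH1 block (`Protocol 2,1` and `PasswordAuthentication yes`), which the text itself says is no longer used and which re-enables the weaker protocol 1 and password logins, and the MindTerm applet markup, where `<pa ram name="autoprops" value="none">` is a broken `<param>` tag.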