Shell-In-A-Box

• Project page – http://code.google.com/p/shellinabox/
  Shell In A Box implements a web server that can export arbitrary command line tools to a web based terminal emulator. This emulator is accessible to any JavaScript and CSS enabled web browser and does not require any additional browser plugins.
• http://www.freshports.org/www/shellinabox/
  Shell In A Box is a web server that can export arbitary command line tools to a
  web based terminal emulator
• “Shell In A Box Gives Your Browser Terminal Status” by Ken Hess (2010.09.19) – http://www.linux-mag.com/id/7864/
  Shell In A Box gives you simple web-based terminal access to your Linux system.
• https://help.ubuntu.com/community/shellinabox
• “How to install Shell In a Box” – http://www.acmesystems.it/shellinabox
• “shellinabox With Apache Authentication Over HTTPS 443” (scottlinux.com; 2010.12.15) – http://scottlinux.com/2010/12/15/shellinabox-with-apache-authentication-over-https-443/
• “Shellinabox” by BobJunior – http://bobjunior.com/linux/shellinabox/
• http://freecode.com/projects/shellinabox
  Shell In A Box implements a Web server that can export arbitrary command line tools to a Web-based terminal emulator. This emulator is accessible to any JavaScript and CSS enabled Web browser, and does not require any additional browser plugins. Most typically, login shells would be exported this way: “shellinaboxd -s /:LOGIN”. This starts a Web server at http://localhost:4200 that allows users to log in with their username and password and to get access to their login shell. The connection will be encrypted if SSL/TLS certificates are available.
• “Installing Shell In A Box – Ubuntu Server 11.04” (YouTube video) – http://www.youtube.com/watch?v=d4sgJY7-_r0

Advertisements

Logon Banners

• On Linux systems, put pre-login banner text in the files /etc/banner, /etc/issue, and /etc/issue.net; and the after-login banner in /etc/motd.
• For OpenSSH servers (e.g. on Linux systems), activate the banner use (by SSH/SFTP/SCP) by including following (uncommented) line in /etc/ssh/sshd_config:

  Banner /etc/banner

• TELNET:
  • On Linux, if Kerberized TELNET is used, edit /etc/xinetd.d/krb5-telnet to add following line:

    banner = /etc/issue

  • Older versions of TELNET may be using /etc/default/telnetd containing the block:

      BANNER="\\n
      nThis should be a telnet banner\\n
      n"
      

• FTP:
  • If gssftp is used (on Linux), edit /etc/xinetd.d/gssftp to add following line:

    banner = /etc/issue

  • If wu-ftpd is used (on Linux), edit /etc/ftpaccess to add following line:

    banner = /etc/issue

  • FTP may be using /etc/ftpd/banner.msg (or any file external to /etc/ftpd/ftpaccess) by specifying following line:

    banner /etc/ftpd/banner.msg

    in /etc/ftpd/ftpaccess.

SSH, OpenSSH

• “Top 20 OpenSSH Server Best Security Practices” at UnixCraft – http://www.cyberciti.biz/tips/linux-unix-bsd-openssh-server-best-practices.html
• “How do I permit specific users SSH access?” (SoftLayer) – http://knowledgelayer.softlayer.com/questions/295/How+do+I+permit+specific+users+SSH+access%3F
• “Six things I wish Mom told me (about ssh)” – http://blog.ksplice.com/2010/08/six-things-i-wish-mom-told-me-about-ssh/
• “ProxyCommand – SSH Key on Proxing Machine” (comp.security.ssh; 2009) – http://groups.google.com/group/comp.security.ssh/browse_thread/thread/1e5ae560420b9d12
• “Quick HOWTO: Ch17 : Secure Remote Logins and File Copying” (LHN) – http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch17_:_Secure_Remote_Logins_and_File_Copying
• “Securing your ssh server” (Racker Hacker blog) – http://rackerhacker.com/2010/10/12/securing-your-ssh-server/
• “How to connect to a non standard SSH port in the Mac terminal” – http://chimac.net/2011/01/08/how-to-connect-to-a-non-standard-ssh-port-in-the-mac-terminal/
  • ssh -p 12345 remoteUsername@address.of.remote.system
• “Best Practices to secure a OPENSSH/SSH Server” – http://teknoteknik.wordpress.com/2010/07/06/best-practices-to-secure-a-opensshssh-server/
• “Quick and dirty manual compile of OpenSSH on CentOS 5” (#!/bin/blog; 2008.04.06) – http://binblog.info/2008/04/06/quick-and-dirty-manual-compile-of-openssh-on-centos-5/
• “Using the SSH agent from daemon processes” (#!/bin/blog; 2008.12.31) – http://binblog.info/2008/12/31/using-the-ssh-agent-from-daemon-processes/
• “OpenSSH: Going flexible with forced commands” (#!/bin/blog; 2008.10.20) – http://binblog.info/2008/10/20/openssh-going-flexible-with-forced-commands/
• Secure Copy (SCP) (WikiPedia) – http://en.wikipedia.org/wiki/Secure_copy
• SSH tricks at SuperUser – http://superuser.com/questions/tagged/telnet+ssh
  related:
  • Telnet tricks at SuperUser: Telnet tricks – http://superuser.com/questions/tagged/telnet | PuTTY tricks – http://superuser.com/questions/tagged/putty | Tunnels – http://superuser.com/questions/tagged/putty+tunnel

SSHFS (SSH FileSystem)

• “SSH Filesystem” – http://fuse.sourceforge.net/sshfs.html
• http://en.wikipedia.org/wiki/SSHFS
• https://help.ubuntu.com/community/SSHFS
• SHSFS FAQ – http://sourceforge.net/apps/mediawiki/fuse/index.php?title=SshfsFaq

Related:

• FISH (Files transferred over shell) protocol (WikiPedia) – http://en.wikipedia.org/wiki/Files_transferred_over_shell_protocol
• FTPFS – http://en.wikipedia.org/wiki/FTPFS
• WebDrive – http://en.wikipedia.org/wiki/WebDrive | http://www.webdrive.com/products/webdrive/
• FTPDrive – http://en.wikipedia.org/wiki/FTPDrive | http://www.killprog.com/fdrve.html

Authentication via public keys

• ‘OpenSSH key management” by Daniel Robbins (IBM):
  • OpenSSH key management, Part 1 (2001.07.01) – http://www.ibm.com/developerworks/library/l-keyc.html
  • OpenSSH key management, Part 2 (2001.09.01) – http://www.ibm.com/developerworks/library/l-keyc2/
  • OpenSSH key management, Part 3 (2002.02.01) – http://www.ibm.com/developerworks/library/l-keyc3/
• “SSH with authentication key instead of password” – http://www.debian-administration.org/articles/530
• “Public key authentication with ssh” – http://www.linuxquestions.org/linux/answers/Networking/Public_key_authentication_with_ssh
• OpenSSH Public Key Authentication – http://web.archive.org/web/20070418231823/http://sial.org/howto/openssh/publickey-auth/
• “SSH Public Key (/w RSA) Authentication and SSH Tunneling – Part 1” (ipsure; 2010.02.03) – http://www.ipsure.com/blog/2010/ssh-public-key-w-rsa-authentication-and-ssh-tunneling-part-1/

SFTP

• “Chrooted SFTP with Public Key Authentication” (IPSURE; 2010.12.10) – http://www.ipsure.com/blog/2010/chrooted-sftp-with-public-key-authentication/
• How to mount SFTP accesses – http://wiki.gilug.org/index.php/How_to_mount_SFTP_accesses
• “OpenSSH chrooted SFTP (e.g. for Webhosting)” (#!/bin/blog; 2008.04.06) – http://binblog.info/2008/04/06/openssh-chrooted-sftp-eg-for-webhosting/

FTPS vs SFTP

• “FTPS vs. SFTP: What to Choose” by Eugene Mayevski (CodeGuru; 2007.10.11) – http://www.codeguru.com/csharp/.net/net_general/internet/article.php/c14329
• “FTPS vs. SFTP, once and for all” (#!/bin/blog; 2010.10.12) – http://binblog.info/2010/10/12/ftps-vs-sftp-once-and-for-all/
• FTPS (WikiPedia) – http://en.wikipedia.org/wiki/FTPS
• SSH File Transfer Protocol (Wikipedia) – http://en.wikipedia.org/wiki/SSH_file_transfer_protocol
• “Setup groups and users in FileZilla Server and connect with ftpes” (Banbika’s Blog; 2010.08.28) – http://banbika.wordpress.com/2010/08/28/setup-groups-and-users-in-filezilla-server-and-connect-with-ftpes/
• “Install and Configure FTP Secure (FTPS) or FTP-SSL using FileZilla” (Banbika’s Blog; 2010.08.24) – http://banbika.wordpress.com/2010/08/24/install-and-configure-ftp-secure-ftps-or-ftp-ssl-using-filezilla/

Using SCP

• Example syntax for Secure Copy (scp) – http://www.hypexr.org/linux_scp_help.php
  • Copy the file “foobar.txt” from a remote host to the local host: $ scp your_username@remotehost.edu:foobar.txt /some/local/directory
  • Copy the file “foobar.txt” from the local host to a remote host: $ scp foobar.txt your_username@remotehost.edu:/some/remote/directory
  • Copy the directory “foo” from the local host to a remote host’s directory “bar”: $ scp -r foo your_username@remotehost.edu:/some/remote/directory/bar
  • Copy the file “foobar.txt” from remote host “rh1.edu” to remote host “rh2.edu”: $ scp your_username@rh1.edu:/some/remote/directory/foobar.txt \
    your_username@rh2.edu:/some/remote/directory/
  • Copying the files “foo.txt” and “bar.txt” from the local host to your home directory on the remote host: $ scp foo.txt bar.txt your_username@remotehost.edu:~
  • Copy multiple files from the remote host to your current directory on the local host: $ scp your_username@remotehost.edu:/some/remote/directory/\{a,b,c\}. Also:: $ scp your_username@remotehost.edu:~/\{foo.txt,bar.txt\} .

---

Use of Expect with SSH suite applications

Password-less SFTP

Establish the SFTP connection to the system AAAA where the user account BBBB has password CCCC, and go to the directory DDDD, all without being prompted to enter the password:

sftpToAAAA.expect

#!/bin/expect # sftpToAAAA.expect spawn sftp BBBB@AAAA expect "password" { sleep 1 send "CCCC\n" } send "cd DDDD\n" interact

All normal warning on the danger of hard-wiring the password into scripts are in place here.

Password-less SCP

Use the SCP to upload connect system AAAA with user account BBBB (that has password CCCC), and upload the file EEEE to the directory DDDD, all without being prompted to enter the password:

UploadEEEEtoAAAA.expect

#!/bin/expect spawn scp EEEE BBBB@AAAA:DDDD/EEEE expect "password" { send "CCCC\n" }

More

• Expect and SSH – http://rootprompt.org/article.php3?article=9187
• expect and ssh – http://www.unix.com/unix-advanced-expert-users/50467-expect-ssh.html
• Expect and SSH in Cygwin – http://forums.devshed.com/unix-help-35/expect-and-ssh-in-cygwin-176556.html

Unix hardening

General

• “20 Linux Server Hardening Security Tips” at UnixCraft – http://www.cyberciti.biz/tips/linux-security.html
• “Linux Security Basics” by Michael Dougherty (2010.07.05) – http://www.brighthub.com/computing/linux/articles/76572.aspx

Passwords

• “Info: Enforcing a Strict Password Rule” by “kopeah” (OverClock.net; 2005.07.11) – http://www.overclock.net/faqs/33217-info-enforcing-strict-password-rule.html
• “7 Examples to Manage Linux Password Expiration and Aging Using chage” by Dhineshkumar Manikannan (2009.04.23) – http://www.thegeekstuff.com/2009/04/chage-linux-password-expiration-and-aging/

Logging and auditing

• “Quick HOWTO : Ch17 : Secure Remote Logins and File Copying” (LHN) – http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch17_:_Secure_Remote_Logins_and_File_Copying

---

Related:

• SSH, OpenSSH – https://eikonal.wordpress.com/2010/12/16/ssh-openssh/