Random Wisdom

Tag: ssh

Restricting access to SFTP / SCP

by on Oct.18, 2009, under How To ..., Linux, Software

rssh is a tool that allows SFTP/SCP for file transfers over SSH but denies shell access — useful for preventing users from running commands on the system. More details are available on the tool’s homepage.

I first came across it on this page.


SSH Blacklisting

by on Nov.29, 2007, under How To ..., Linux, Software

After getting around 1500 failed ssh login attempts a day for a while on a server I manage, I decided to look into tools that automatically blacklist offending IPs.

Sshblack fits the bill perfectly. A HOWTO (including an init script) for Red Hat-like systems is available from the OSS Watch Wiki.
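As an added example (not Sshblack's code and not part of the original post), this shows the log-side work any such blacklisting tool depends on: counting failed sshd password logins per source address and listing the sources that reach a threshold, while sparing an allowlist so an administrator does not lock themselves out. It assumes the classic syslog line format for sshd; the names `offenders` and `sample_log`, the allowlist parameter and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sshblack's code): count failed sshd password logins per
# source address and list the addresses that reach a threshold.

# offenders THRESHOLD [ALLOWLIST] < log   -> prints "count ip", worst first.
# ALLOWLIST is a space-separated list of addresses that are never reported.
offenders() {
    awk -v threshold="$1" -v allow="${2:-}" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
    # Accept only lines logged by sshd: "Mon DD HH:MM:SS host sshd[pid]: ..."
    $5 !~ /^sshd\[[0-9]+\]:$/ { next }
    $6 == "Failed" && $7 == "password" {
        # The user name is client-chosen text and may contain " from ...",
        # so take the address from the fixed tail "from IP port N ssh2".
        if (NF < 14 || $(NF-4) != "from" || $(NF-2) != "port" || $NF != "ssh2") next
        ip = $(NF-3)
        if (ip !~ /^[0-9A-Fa-f:.]+$/) next    # address characters only
        if (!(ip in skip)) count[ip]++
    }
    END { for (ip in count) if (count[ip] >= threshold + 0) print count[ip], ip }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample log (documentation address ranges, made-up host and PIDs).
sample_log() {
    cat <<'EOF'
Nov 29 03:12:01 srv sshd[2211]: Failed password for root from 203.0.113.7 port 40022 ssh2
Nov 29 03:12:04 srv sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
Nov 29 03:12:09 srv sshd[2214]: Failed password for root from 203.0.113.7 port 40041 ssh2
Nov 29 03:13:30 srv sshd[2220]: Failed password for alice from 198.51.100.20 port 51000 ssh2
Nov 29 03:13:41 srv sshd[2220]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Nov 29 03:16:02 srv sshd[2290]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.50 port 40100 ssh2
Nov 29 03:16:05 srv sshd[2290]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.50 port 40104 ssh2
Nov 29 03:16:09 srv sshd[2293]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.50 port 40111 ssh2
Nov 29 03:16:12 srv sshd[2293]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.50 port 40115 ssh2
Nov 29 03:18:00 srv sshd[2301]: Failed password for bob from 198.51.100.9 port 52000 ssh2
Nov 29 03:18:03 srv sshd[2301]: Failed password for bob from 198.51.100.9 port 52000 ssh2
Nov 29 03:18:07 srv sshd[2301]: Failed password for bob from 198.51.100.9 port 52000 ssh2
Nov 29 03:20:00 srv logger: Failed password for root from 192.0.2.77 port 1 ssh2
EOF
}

# Stand-alone run: sources with 3 or more failures, sparing one admin address.
sample_log | offenders 3 "198.51.100.9"
```

The four lines whose user name embeds a fake "from 192.0.2.1" are counted against the real peer 203.0.113.50, and the line not written by sshd is ignored.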


SSH automatic reconnect on timeout

by on Mar.15, 2006, under How To ..., Linux, Software

There may already be some built-in option that allows a client to reconnect when a timeout occurs, but I was too lazy to look through the man pages. So I came up with a line of bash commands that will do just that:


$ while [ 1 ]; do ssh user@host.domain; sleep 120; done

This will keep reconnecting to the host 120 seconds after a connection drops out for whatever reason. This is especially handy for making sure that a remote tunnel stays open. Right now I use it to reach a single host (A, http) on a remote private network from home (B) via another machine in the private network (C) and an intermediate SSH server (D):

  1. [user@C ~]$ while [ 1 ]; do ssh -R someport:A:80 user@D; sleep 120; done
  2. [user@B ~]$ ssh -L 80:localhost:someport user@D
  3. [root@B ~]# echo "127.0.0.1    A" >> /etc/hosts

Now it is possible to type “http://A” and visit the site from B as easily as from within the remote private network.


Proxy Bypass

by on Jan.10, 2006, under How To ..., Linux, Software

I guess it’s usual for every institution to have a central firewall/proxy that all internal traffic must go through to reach the outside world. I am by no means paranoid about security/privacy but it got me thinking.

… And once again, SSH to the rescue! It almost feels like the possibilities of an SSH tunnel with local port forwarding are limitless 😀

I just picked up a public German proxy from this page:

http://www.publicproxyservers.com/index.html

And then I set up an SSH connection to forward local port 8080 to proxy:port. Then for the browser I just set localhost:8080 as the proxy.

Well, the speed is a little short of astounding but it’s very much usable 😀 Now all that the central firewall/proxy should be seeing is a bunch of encrypted traffic.
