 | Lars Fosdal on Security alarm provider Woonve… |
 | Thomas Mueller on Question got closed in May 202… |
 | Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
Posted by jpluimers on 2020/05/22
Running autossh from Windows is still on my list, so here are a few links:
–jeroen
Posted in Communications Development, Development, Internet protocol suite, Power User, SSH, TCP, Windows | Leave a Comment »
Posted by jpluimers on 2020/05/18
This looks like an ssh equivalent to testssl.sh: [WayBack] GitHub – arthepsy/ssh-audit: SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc).
It is on my list of things to try, so I’ve put a watch on the repository changes.
–jeroen
Posted in Communications Development, Development, Encryption, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »
Posted by jpluimers on 2020/05/12
[WayBack] Insomnia REST Client A powerful REST API Client with cookie management, environment variables, code generation, and authentication for Mac, Window, and Linux.
Source code at [WayBack] GitHub – getinsomnia/insomnia: The most intuitive cross-platform REST API Client 😴.
Via: [WayBack] Paw is nice – The Isoblog.
–jeroen
Posted in Communications Development, Development, HTTP, Internet protocol suite, JavaScript/ECMAScript, JSON, REST, Scripting, Software Development, TCP, Web Development | Leave a Comment »
Posted by jpluimers on 2020/05/11
Below the steps for ensuring port forwardings are up from an OpenSuSE system to an ssh server using autossh on the client system.
Many have written about the benefits of autossh, so I can’t do better than that. A good abbreviated quote is from [WayBack] Autossh for persistent database connectivity – Compose Articles:
Autossh wraps SSH in an application which was designed to monitor the state of the connection. It will also restart SSH if it exits. The idea of the monitoring is that If it sees the packets aren’t going through, it would also restart SSH. …
the developers of OpenSSH added some options –
ServerAliveIntervalandServerAliveCountMax– which activate built in connection checking in OpenSSH. Together the options set checking at a set interval and exiting SSH if the count maximum is exceeded. And when SSH exits, autossh will restart it so it serves as much improved replacement as there’s no extra ports needed.
The scenario is that a client user named autoSshClientUser automatically logs on to a server as user autosshServerUser using autossh from the client system.
The sequence is to first test this manually from the client system using a regular ssh command, then manually with the autossh command from the client system, then automate the starting (and keep alive) of the autossh instance from the client system.
Start configuring the server side first:
autosshServerUser).Then finish confiruging the client side:
zypper install autosshautoSshClientUser has an ssh key that does not require a passwordautosshServerUser on the remote systemautossh command that suits your situation bestautoSshClientUser runs a job at or shortly after system boot (after the network is up) that will start autossh with the correct parametersIf the autoSshClientUser is root, then you could use a service to start autossh, but be sure that service depends on a functioning network connection.
If the autoSshClientUser is not root, then usually a user based cron job works best.
Naming idea:
Train and the server is StationautosshTrainAtStationautosshTrainToStationroot, add he user using [Archive.is]useradd:
--shell /bin/false)-p or --passwordadduser: [WayBack] debian – What does adduser do that useradd doesn’t? – Unix & Linux Stack Exchange)
# useradd --create-home --shell /bin/false autosshServerUser
root use su to become autosshServerUser, then create an ssh key without a password (you need to specify the logon shell) using [WayBack] ssh-keygen.# su --shell /bin/bash autosshServerUser > cd ~ > whoami autosshServerUser > rm -f ~/.ssh/id_rsa ~/.ssh/id_rsa.pub > ssh-keygen -t rsa -b 4096 -o -a 100 -f ~/.ssh/id_rsa -N '' Generating public/private rsa key pair. Your identification has been saved in /home/autosshServerUser/.ssh/id_rsa. Your public key has been saved in /home/autosshServerUser/.ssh/id_rsa.pub. The key fingerprint is: SHA256:... autossh24@linux The key's randomart image is: +---[RSA 2048]----+ ... +----[SHA256]-----+ > rm -f ~/.ssh/id_ed25519 ~/.ssh/id_ed25519.pub > ssh-keygen -t ed25519 -o -a 100 -f ~/.ssh/id_ed25519 -N '' Generating public/private ed25519 key pair. Your identification has been saved in /home/autossh24/.ssh/id_ed25519. Your public key has been saved in /home/autossh24/.ssh/id_ed25519.pub. The key fingerprint is: SHA256:... autossh24@linux The key's randomart image is: +--[ED25519 256]--+ ... +----[SHA256]-----+
I need to check the below links on killing autossh (including the underlying ssh based connection), as you need to use the kill or pkill parameters signals -3 (SIGQUIT), not -9 (SIGKILL) as explained in [WayBack] ssh – How to stop/kill an autossh tunnel? – Super User (thanks mariusmatutiae and dviljoen).
Monitoring the state of the ssh connection needs some parameters (like ClientAliveInterval and ClientAliveCountMax). A good start on that is [WayBack] networking – autossh does not kill ssh when link down – Server Fault.
Setting up a service so root automatically logs on a remote system:
With non-root, it might actually be possible to do this as a service too given there is a user= parameter in service files:
Though as non-root, most people seem to use cron [WayBack] ssh – Problems with Autossh: running from cron vs terminal – Super User
Please do not use /etc/init.d/after.local as mentioned often (for instance in [WayBack] TUMBLEWEED run a script a boot): this mechanism has been deprecated and won’t work on more recent systems (like 2012 and younger: [WayBack] openSUSE Forums – systemd and using the after.local script in openSUSE 12.1). The same holds for /etc/init.d/boot.local: don’t use, even though many people indicate it works, for instance [WayBack] Run a command at boot.
An interesting approach is at [WayBack] Autossh Startup Script for Multiple Tunnels | Surnia Ulula, though I will stick with what’s below.
Read:
/usr/lib/systemd/system/autossh@.service/usr/share/doc/packages/autossh/README.SUSE.md/usr/share/doc/packages/autossh/my.confDownloads:
Most of the above comes from these links:
–jeroen
Continuation of:
Posted in *nix, Communications Development, Development, Internet protocol suite, Linux, Power User, SSH, TCP | Leave a Comment »
Posted by jpluimers on 2020/05/04
Often, hotspots only allow http/https traffic. Other traffic – like SSH – is blocked. Nowadays, fewer hotspots block that, but too many still do.
So it can be worth a while to route your SSH server through HTTPS (I don’t like Web-based SSH that much as terminal emulation in browsers isn’t that well yet, but that seems to change rapidly, more on that in the “Further reading” section below).
After some background reading at apache – Tunnel over HTTPS – Stack Overflow, here are a few links that help you do it:
You need:
Read more at DAG: Tunneling SSH over HTTP(S) and SSH over SSL, a quick and minimal config..
Steps:
Read more at Using SSH over the HTTPS port · GitHub Help.
Using Putty and an HTTP proxy to ssh anywhere through firewalls | Me in IT.
Tunneling SSH through HTTP proxies using HTTP Connect – ArchWiki.
Not all proxy configurations and hotspots support this. But it might be worth a look: SSH Over Proxy.
SSH plugins for browsers:
Web based SSH:
–jeroen
Posted in Communications Development, Development, Encryption, HTTP, https, HTTPS/TLS security, Internet protocol suite, Power User, Security, SSH, TCP | Leave a Comment »
Posted by jpluimers on 2020/04/10
A few links for my archive:
–jeroen
Posted in Communications Development, Development, Internet protocol suite, Security, SSH, TCP | Leave a Comment »
Posted by jpluimers on 2020/04/08
After a 2018 discussion with a “zorgkantoor” (Dutch for office that arranges for special long term health care needs, successor of AWBZ) about their very low (10 megabyte) SMTP message size limit – even though they expect scanned PDF documents.
Their web-care team posed this limit as normal, so I made a list of limits in their peer group, common world-wide and well-ranked Dutch internet providers.
My plan is to check the progression of these limits over time.
Note these are the bruto message sizes including encoded attachments. Since encoding in [WayBack] MIME Base64 – Wikipedia has a overhead of at least 37% (encoded size is at least 1.37 the original size), the unencoded maximum size is less than 73% of what is listed below.
References:
Posted in base64, Communications Development, Development, eMail, Encoding, Internet protocol suite, MIME, Power User, Python, Scripting, SMTP, SocialMedia, Software Development, TCP | Leave a Comment »
Posted by jpluimers on 2020/04/06
I found this in one of my logs a a while ago:
Error when executing EHLO command for domain mail.com on SMTP server mx00.mail.com.
(554, 'mail.com (mxgmxus007) Nemesis ESMTP Service not available\nNo SMTP service\nBad DNS PTR resource record.\nFor explanation visit http://postmaster.gmx.com/en/error-messages?ip=37.153.243.242&c=rdns')
It means that gmx.de / mail.com are among the strictest email handling providers I know. I don’t blame them: EHLO is at the start of an extended SMTP session.
At [WayBack] Error messages | GMX Postmaster it indicates:
5xy Bad DNS PTR resource record
Emails from your email server were rejected because the PTR Resource Record (PTR-RR) of your IP address does not follow our guidelines. Possible reasons for this can be:
–jeroen
Posted in Communications Development, Development, eMail, Internet protocol suite, Power User, SMTP, SocialMedia, TCP | Leave a Comment »
Posted by jpluimers on 2020/03/26
Often when you send large emails the only reply you get is a non-descriptive message like 552 5.3.4 Message size exceeds fixed limit from the SMTP server without an indication what the limit actually is.
Most SMTP servers however implement extensions in the EHLO greeting that returns a SIZE mail parameter. You can query it by hand using this:
telnet aspmx.l.google.com smtp Trying 108.177.119.27... Connected to aspmx.l.google.com. Escape character is '^]'. 220 mx.google.com ESMTP 32si3005669edb.510 - gsmtp EHLO example.org 250-mx.google.com at your service, [80.100.143.119] 250-SIZE 157286400 250-8BITMIME 250-STARTTLS 250-ENHANCEDSTATUSCODES 250-PIPELINING 250-CHUNKING 250 SMTPUTF8 QUIT 221 2.0.0 closing connection 32si3005669edb.510 - gsmtp Connection closed by foreign host.
There you can see the maximum message size at the time of writing is 157286400 bytes which is about 150 megabytes.
There is a nice Python script showing how to obtain it at [WayBack] Getting Information from EHLO | Erle Robotics Python Networking Gitbook Free (note this one does send an email, so you might want to trim the example if you just want to see the size).
More background reading:
smtplib.SMTP.ehlo (also documents esmtp_features)smtplib.SMTP.has_extnThis turns out to be a tad more complex, because DNS functionality isn’t part of core Python, and the rdata part of DNS records ends with a dot, which might not be usable with the SMTP library.
References for me when trimming down:
pip install or pip install --user–jeroen
Posted in Communications Development, Conference Topics, Conferences, Development, Event, Internet protocol suite, Power User, SMTP | Leave a Comment »
Posted by jpluimers on 2020/03/16
I love short and to the point examples. The list of permutations for scp is at [WayBack] Linux – How to Securely Copy Files Using SCP examples.
–jeroen
Posted in *nix, *nix-tools, Development, Internet protocol suite, Power User, SSH, TCP | Leave a Comment »
The Wiert Corner - irregular stream of stuff 