issue97:securite_-_ssh
Differences
Below, the differences between two revisions of the page.
issue97:securite_-_ssh [2015/06/04 12:25] – created by d52fr | issue97:securite_-_ssh [2015/06/19 18:04] (current version) – [6] auntiee
====== 1 ======

The ssh command has a number of options, and I don't plan to cover all of them. Even the SSH documentation warns against the use of some of them, suggesting they are only for real experts. But I want to mention the ones that I think you will find important. These options take the form of switches in the command:

-1 : Forces the connection to use SSH v.1 protocol only. The question here is why would you want to do that if you have SSH v.2 available. It is a real improvement,
SSH v.1 should be treated as unusable: its CRC-32 integrity check can be defeated, and OpenSSH has since removed v.1 support from both the server and the client, so current software refuses this switch altogether.
-2 : Forces the connection to use SSH v.2 protocol only.
-4 : Forces ssh to use IPv4 addresses only.
-6 : Forces ssh to use IPv6 addresses only.
-b : Bind address. Useful for machines that have two IP addresses (two network cards). Tells SSH which IP address on the local machine to use as the source of the connection.
-L : Specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
-p : Port to connect to on the remote host.
-R : Specifies that the given port on the remote (server) host is to be forwarded to the given host and port on the local side.
-v : Verbose mode. Prints debugging messages about what ssh is doing (key exchange, authentication, forwarding set-up), which is useful for debugging; -vv and -vvv give more detail.
-W : Requests that standard input and output on the client be forwarded to host on port over the secure channel. Works with v.2 only. This is what lets one ssh serve as the ProxyCommand for another, relaying a connection through a jump host.
-X : Enables X11 forwarding. But note that this can open a vulnerability: the remote host gets a connection to your local X display, and with trusted forwarding (-Y, or ForwardX11Trusted yes, which some distributions set by default) a compromised or malicious server can read your keystrokes and screen and inject input. Use it only with servers you trust.
====== 2 ======

Port Forwarding

One of the handy things you can do, and something useful for tunneling, is port forwarding over SSH. The basic idea is to connect via ssh to a remote machine and have that connection carry traffic for some other TCP port inside the encrypted channel. You do this with the ssh command and the appropriate flags, -L and -R, which, not surprisingly, stand for Local and Remote:
• Local Port Forwarding – This takes a port on your local machine and forwards it to a specified port on the server. So you can make a request on a local port like 7280 on address 127.0.0.1; your SSH client accepts that connection, carries it through the tunnel, and sshd on the server connects it to port 119 there. Then you have a secure connection to whatever port 119 is configured to serve (typically Usenet traffic, but this is just an example). So you could use this to configure your newsgroup client to securely grab messages from a public server, assuming it allows SSH connections.
• Remote Port Forwarding – This is the reverse of Local Port Forwarding. Here, the idea is to specify a port on the remote server and have connections to it forwarded back to a port on your local machine (or another machine you can reach). Its typical use is reaching a service that sits behind NAT; note that by default sshd binds that remote listener to loopback only, unless GatewayPorts is enabled on the server. This is not very common, and you may never need to do this. Essentially,
• Dynamic Port Forwarding – This creates a SOCKS proxy (the -D flag) and is not restricted to one port or one type of traffic.
====== 3 ======

Local Port Forwarding

Suppose you are at work (or school), and you just cannot bear to miss out on your Facebook stream. But there's a filter stopping you from accessing the site. However, for the sake of argument, you could create an SSH connection to a server outside the network (which could be your computer at home). You could then do something clever using Local Port Forwarding. Create a connection as follows:

ssh -L 7280:

Be aware that your home machine must have a public IP address, or you will need to configure your router to forward the traffic, for this to reach its destination.

Once you have done this, you would open your browser and set it to go to http://

Two cautions before you try this. First, SSH only encrypts the leg between your client and your home machine; from there to the final destination the traffic is whatever the application protocol is, so a plain-HTTP site is still plain HTTP on that second leg, and even the first leg is only as private as your check of the host key of the machine you tunnelled to. Second, a tunnel through a corporate filter is usually a policy violation, and the outbound SSH session itself is perfectly visible to whoever runs the network.

But SSH Port Forwarding is not just a security breach in the making; it can be used very legitimately in a number of situations. For example, you have a company with a number of geographically dispersed locations. In that case, SSH Port Forwarding would be a very useful way to connect sites to exchange data. You might have a database server that employees need to connect to, and you don't want that traffic flowing through the Internet unsecured. Or perhaps you have set up a server for yourself, such as OwnCloud, and it is in a remote hosting center. Creating an SSH connection and using Port Forwarding might make your data a lot more secure.
====== 4 ======

Limitations

There are a few things you need to watch out for. One is that not all ports may be available to you. If you are in a Unix-like environment, for example, ports below 1024 (1 through 1023) can only be bound by root, so the listening end of a forward set up by an ordinary user has to use port 1024 or higher.

The other thing you need to remember is that if the connection is dropped, the port forwarding is gone with it. And, while TCP itself has no idle timeout, stateful firewalls and NAT devices drop the state entry for a connection that has been idle for a while; on some firewalls that can be as little as 300 seconds (5 minutes), after which the tunnel is dead even though neither end has been told. On Linux this can be controlled by a rule (or perhaps more than one) in your iptables, or directly by /
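The forwarding switches covered above (-L, -R, -D and -W) and the privileged-port limitation, worked into a small helper script. This is an added example, not code from the Full Circle article or from OpenSSH: it assembles the ssh command lines for local, remote and dynamic forwards with the hardening options a practitioner normally adds (-N, ExitOnForwardFailure, ServerAlive*), refuses listening ports below 1024, warns when the listener is bound to anything but loopback, and shows -W used as a ProxyCommand through a jump host. The host names (home.example.net, news.example.org, bastion.example.net, db.internal) are placeholders, and bind addresses and targets are assumed to be IPv4 or plain host names.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSSH: assemble
# hardened ssh port-forwarding command lines and sanity-check the listen
# side. Host names (home.example.net, news.example.org, bastion.example.net,
# db.internal) are placeholders; IPv4 or plain host names are assumed for
# the bind address and target (bracketed IPv6 literals are not parsed).

# is_port NUM -> 0 if NUM is an integer in 1..65535
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_listen PORT BIND -> 0 if an ordinary user can use it.
# Ports below 1024 need root on Unix-like systems (return 1); a bind
# address other than loopback makes the tunnel entrance reachable from
# other hosts, which is only warned about since it is sometimes intended.
check_listen() {
    is_port "$1" || { echo "invalid port: $1" >&2; return 2; }
    if [ "$1" -lt 1024 ]; then
        echo "port $1 is privileged (below 1024): only root can bind it" >&2
        return 1
    fi
    case "$2" in
        127.0.0.1|localhost|::1) ;;
        *) echo "warning: listener on $2:$1 is reachable from other hosts" >&2 ;;
    esac
    return 0
}

# tunnel_cmd MODE LISTEN TARGET SSH_HOST
#   MODE    local | remote | dynamic
#   LISTEN  [bind:]port, bind defaults to 127.0.0.1
#   TARGET  host:port as seen from the far end ("-" for dynamic)
# Prints the ssh command line; returns non-zero on a bad spec.
tunnel_cmd() {
    mode=$1; listen=$2; target=$3; sshhost=$4
    case "$listen" in
        *:*) bind=${listen%:*}; lport=${listen##*:} ;;
        *)   bind=127.0.0.1;    lport=$listen ;;
    esac
    check_listen "$lport" "$bind" || return $?
    # -N: no remote shell, only the forwards. ExitOnForwardFailure: if the
    # listener cannot be set up, fail loudly instead of running a session
    # that silently forwards nothing. ServerAlive*: keep a stateful
    # firewall from timing out the idle tunnel.
    base="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -o ServerAliveCountMax=3"
    case "$mode" in
        dynamic)
            # SOCKS proxy on the client; destinations are chosen per connection.
            printf '%s -D %s:%s %s\n' "$base" "$bind" "$lport" "$sshhost"
            return 0 ;;
        local|remote) ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    case "$target" in
        *:*) thost=${target%:*}; tport=${target##*:} ;;
        *)   echo "target must be host:port" >&2; return 2 ;;
    esac
    is_port "$tport" || { echo "invalid target port: $tport" >&2; return 2; }
    if [ "$mode" = local ]; then
        # The client listens on bind:lport; sshd on SSH_HOST opens the
        # connection to thost:tport. Only the client<->SSH_HOST leg is
        # encrypted by ssh.
        printf '%s -L %s:%s:%s:%s %s\n' "$base" "$bind" "$lport" "$thost" "$tport" "$sshhost"
    else
        # sshd listens on bind:lport on the server (loopback only unless
        # GatewayPorts is enabled in sshd_config) and hands connections
        # back to thost:tport as seen from the client.
        printf '%s -R %s:%s:%s:%s %s\n' "$base" "$bind" "$lport" "$thost" "$tport" "$sshhost"
    fi
}

# jump_cmd JUMP_HOST TARGET_HOST -> -W relays the inner session's stdin and
# stdout through the bastion, so the outer ssh reaches TARGET_HOST end to end.
jump_cmd() {
    printf "ssh -o ProxyCommand='ssh -W %%h:%%p %s' %s\n" "$1" "$2"
}

# Demo: the three forward types plus a jump host (commands are printed, not run).
tunnel_cmd local   7280 news.example.org:119 user@home.example.net
tunnel_cmd remote  2222 localhost:22         user@home.example.net
tunnel_cmd dynamic 1080 -                    user@home.example.net
jump_cmd bastion.example.net db.internal
```

The script only prints the command lines; paste the one you want into a terminal. The first demo line reproduces the newsgroup example above (local port 7280 to port 119 via your own machine). Binding the listener explicitly to 127.0.0.1 matches what ssh does by default when GatewayPorts is off, but writing it out makes the exposure decision visible in the command history.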
====== 5 ======

Keep Alives

There are two, basically. One is the TCP Keep Alive, which is simple but spoofable, and the other is the SSH keepalive, also called serveralive. TCP keepalives are empty segments sent by the kernel (the TCPKeepAlive option in ssh); they will notice a dead peer, but anyone on the path can answer them. Serveralive messages are SSH protocol requests that travel through the encrypted, integrity-protected connection between you and the server and must be answered by the server itself, and thus cannot be spoofed. Assuming security is your reason for creating SSH connections,

For everyone – edit /
Host *
ServerAliveInterval 300
ServerAliveCountMax 2
====== 6 ======

For just you, edit ~/

ServerAliveInterval specifies how many seconds of inactivity pass before a keepalive message is sent to the server to keep the connection alive. However, sometimes the server may be down or may have dropped the connection, so the second line specifies how many messages may be sent without getting a response. The settings I showed will send a message and, if no response is received, send a second one 300 seconds later. If no response is received to the second consecutive message,

Choose an interval shorter than the idle timeout of any firewall or NAT device on the path: against a 300-second timeout, a 300-second interval is borderline, and a value such as 60 is the usual choice. The server has the matching ClientAliveInterval and ClientAliveCountMax options in sshd_config, which work the same way from its side.

On Windows, using PuTTY, there is a good explanation at http://

Once you understand Port Forwarding and Keepalives, you are most of the way to tunneling.
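To see which ServerAlive values a given host actually ends up with, and whether they beat a firewall's idle timer, here is an added example (not code from the article or from OpenSSH) that reads a constructed ssh_config-style file the way ssh resolves it: the first value obtained for an option wins, so the order of Host blocks matters. It handles Host lines with glob patterns, comment lines and "Option value" lines; Match blocks, "Option=value" syntax and negated "!pattern" hosts are outside its scope. The host names are placeholders and the sample configuration is built inline.

```shell
#!/bin/sh
# Added example, not code from the article or from OpenSSH: read an
# ssh_config-style file the way ssh resolves it (the first value obtained
# for an option wins), report the effective keepalive settings for a host,
# and check them against a stateful firewall's idle timeout. Scope: Host
# lines with glob patterns, comment lines and "Option value" lines. Match
# blocks, "Option=value" syntax and negated "!pattern" hosts are not handled.
# Host names are placeholders; the sample config is constructed here.

# effective_option FILE HOST OPTION -> prints the value ssh would apply,
# returns 1 if the option is never set for HOST.
effective_option() {
    file=$1; host=$2; want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    found=""; matching=1            # lines before any Host apply to all hosts
    set -f                          # keep "Host *" from globbing the cwd
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}            # drop comments
        set -- $line
        [ $# -ge 2 ] || continue
        key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); shift
        if [ "$key" = host ]; then
            matching=0              # a Host line with no matching pattern
            for pat in "$@"; do     # switches the following options off
                case "$host" in
                    $pat) matching=1 ;;
                esac
            done
        elif [ "$matching" -eq 1 ] && [ -z "$found" ] && [ "$key" = "$want" ]; then
            found=$1                # first obtained value wins, as in ssh
        fi
    done < "$file"
    set +f
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# dead_after INTERVAL COUNT -> approximate idle seconds before ssh gives up:
# a probe goes out every INTERVAL idle seconds, and after COUNT unanswered
# probes the client disconnects.
dead_after() { echo $(( $1 * $2 )); }

# keepalive_ok INTERVAL FW_TIMEOUT -> 0 if a probe is always sent before a
# stateful firewall forgets the idle flow. A probe at exactly the timeout
# may already be too late, so the interval must be strictly smaller.
keepalive_ok() { [ "$1" -gt 0 ] && [ "$1" -lt "$2" ]; }

# write_sample_config FILE [ORDER] -> constructed sample config. ORDER is
# specific-first (default) or wildcard-first, which shows the pitfall of a
# "Host *" block placed above the host-specific block meant to override it.
write_sample_config() {
    specific='# constructed sample, not a real configuration
Host home.example.net
    ServerAliveInterval 60
    ServerAliveCountMax 5'
    wildcard='Host *
    ServerAliveInterval 300
    ServerAliveCountMax 2'
    if [ "${2:-specific-first}" = wildcard-first ]; then
        printf '%s\n\n%s\n' "$wildcard" "$specific" > "$1"
    else
        printf '%s\n\n%s\n' "$specific" "$wildcard" > "$1"
    fi
}

# Demo: resolve both hosts and judge them against a 300 s firewall timeout.
cfg=$(mktemp)
write_sample_config "$cfg"
for h in home.example.net other.example.org; do
    i=$(effective_option "$cfg" "$h" ServerAliveInterval)
    c=$(effective_option "$cfg" "$h" ServerAliveCountMax)
    if keepalive_ok "$i" 300; then verdict=ok; else verdict="probe too late for a 300 s timeout"; fi
    echo "$h: ServerAliveInterval=$i ServerAliveCountMax=$c, dead after ~$(dead_after "$i" "$c") s: $verdict"
done
rm -f "$cfg"
```

Run it as is to see the two verdicts; then call write_sample_config with wildcard-first and resolve home.example.net again to watch the specific block lose to the wildcard, which is exactly what happens in a real ~/.ssh/config when a "Host *" block is placed at the top.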
issue97/securite_-_ssh.1433413534.txt.gz · Last modified: 2015/06/04 12:25 by d52fr