SSH: Advanced Cheat Sheet

# Add passphrase protection to an ssh key file
ssh-keygen -p -f id_rsa

# Configure SSH to offer only the given key instead of trying every identity file
ssh -o IdentitiesOnly=yes -i id1.key <user>@<host>

# Convert an OpenSSL (PKCS8) public key to OpenSSH ssh-rsa format (-i imports, -m names the input format)
ssh-keygen -i -m PKCS8 -f <pubkey.pem>

# Critical ssh files/folders
~/.ssh/authorized_keys
~/.ssh/config
~/.ssh/known_hosts

# SSH config files (client / server)
/etc/ssh/ssh_config
/etc/ssh/sshd_config

# SSH key file permission
chmod 600 ~/.ssh/id_rsa

# SSH folder permission and ownership
chmod 700 ~/.ssh
chown -R $USER:$USER ~/.ssh

# authorized_keys file permission
chmod 644 ~/.ssh/authorized_keys

# Mute "Warning: Permanently added ..." messages
ssh -o LogLevel=error <user>@<host>

SSH: Security Cheat Sheet

# Disable ssh login by password (sets the value even when the line is commented out; reload sshd afterwards)
sed -i 's/^#\?PasswordAuthentication .*/PasswordAuthentication no/' /etc/ssh/sshd_config

# Disable root login (merely commenting the line out keeps sshd's default, prohibit-password,
# which still allows key-based root login)
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config

# Enable/disable SSH host key checking (set in ~/.ssh/config; "no" disables it)
StrictHostKeyChecking yes

# Protect the SSH server from brute force attacks
Use the fail2ban command-line tool to ban sources with repeated failed logins.
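An added check for the two sshd_config settings above (example code, not from the cheat sheet): it applies sshd's first-match-wins rule and shows why only an explicit PermitRootLogin no disables root login. The sample configs are constructed.

```python
"""Audit sshd_config text for the two settings the cheat sheet hardens.

Added example, not part of the original cheat sheet. Mirrors two sshd parsing
rules: keywords are case-insensitive and the first occurrence of a keyword wins;
a commented-out line leaves the compiled-in default in force.
"""
import re

# OpenSSH 7.0+ defaults: a missing PermitRootLogin means prohibit-password
# (root can still log in with a key); PasswordAuthentication defaults to yes.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

# "Keyword value" or "Keyword=value"; keywords are alphanumeric
LINE_RX = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(\S.*)$")


def effective_settings(config_text):
    """Return {keyword: value} for each key in DEFAULTS (Match blocks not modelled)."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RX.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key in DEFAULTS and key not in found:   # first match wins, like sshd
            found[key] = value
    return {k: found.get(k, v) for k, v in DEFAULTS.items()}


def audit(config_text):
    """Return findings as strings; an empty list means both settings are hardened."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is '%s', expected 'no'" % s["passwordauthentication"])
    if s["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is '%s', only 'no' disables root login" % s["permitrootlogin"])
    return findings


# Constructed samples: the first is what a sed that only comments the line out
# leaves behind; the second shows that the first occurrence wins.
SAMPLE_COMMENTED_OUT = "#PermitRootLogin yes\nPasswordAuthentication no\n"
SAMPLE_HARDENED = "PermitRootLogin no\nPasswordAuthentication no\nPermitRootLogin yes\n"
```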

SSH: SCP Commands Cheat Sheet

# Download a remote folder
scp -r ec2-user@<ssh-host>:/home/letsencrypt-20180825 ./

# Upload a file
scp -i <ssh-keyfile> /tmp/hosts ec2-user@<ssh-host>:/root/

# Upload a folder
scp -r /tmp/abc/ ec2-user@<ssh-host>:/root/

# Upload with timestamps/permissions kept
scp -rp /tmp/abc/ ec2-user@<ssh-host>:/root/

# Mount a remote directory as a local folder
sshfs name@server:/path/remote_folder /path/local_folder

SSH: Parse Log File Cheat Sheet

# Events of ssh down
grep -R "ssh.*Received signal 15" /var/log/auth.log

# Events of ssh up
grep -R "sshd.*Server listening" /var/log/auth.log

# Events of ssh failed login
grep -R "sshd.*Failed password for invalid user" /var/log/auth.log

# Events of ssh break-in attempt
grep -R "sshd.*POSSIBLE BREAK-IN ATTEMPT!" /var/log/auth.log

# Events of ssh port scan
grep -R "sshd.*Bad protocol version identification" /var/log/auth.log

# Events of ssh login by public key
grep -R "sshd.*Accepted publickey for" /var/log/auth.log

# Events of ssh login by password
grep -R "sshd.*Accepted password for" /var/log/auth.log

# Events of ssh logout
grep -R "sshd.*pam_unix(sshd:session): session closed for" /var/log/auth.log
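The log patterns above, turned into a small classifier (added example, not part of the cheat sheet): it tags each auth.log line with an event type and counts failed passwords per source address, the same signal fail2ban acts on. The log lines are constructed and the threshold is an assumed value.

```python
"""Classify sshd messages from auth.log and flag repeated password failures.
Added example, not part of the original cheat sheet; the log lines are constructed."""
import re
from collections import Counter

# One pattern per event type, using the same sshd messages the grep commands look for.
PATTERNS = [
    ("failed_password", re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")),
    ("accepted_publickey", re.compile(r"sshd\[\d+\]: Accepted publickey for (\S+) from (\S+)")),
    ("accepted_password", re.compile(r"sshd\[\d+\]: Accepted password for (\S+) from (\S+)")),
    ("break_in_attempt", re.compile(r"sshd\[\d+\]: .*POSSIBLE BREAK-IN ATTEMPT!")),
    ("bad_protocol", re.compile(r"sshd\[\d+\]: Bad protocol version identification .* from (\S+)")),
    ("server_up", re.compile(r"sshd\[\d+\]: Server listening on (\S+) port (\d+)")),
    ("session_closed", re.compile(r"sshd\[\d+\]: pam_unix\(sshd:session\): session closed for user (\S+)")),
]


def classify(line):
    """Return (event_name, captured groups) for a known sshd message, else None."""
    for name, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return name, m.groups()
    return None


def summarize(lines, threshold=3):
    """Count events by type and list source IPs with >= threshold failed passwords (threshold is assumed)."""
    counts, failures = Counter(), Counter()
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        event, groups = hit
        counts[event] += 1
        if event == "failed_password":
            failures[groups[1]] += 1          # groups = (user, source ip)
    suspects = sorted(ip for ip, n in failures.items() if n >= threshold)
    return counts, suspects


SAMPLE_LOG = """\
Aug 25 10:01:02 host sshd[1234]: Server listening on 0.0.0.0 port 22.
Aug 25 10:02:10 host sshd[1301]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Aug 25 10:02:12 host sshd[1301]: Failed password for invalid user admin from 198.51.100.7 port 51122 ssh2
Aug 25 10:02:15 host sshd[1305]: Failed password for root from 198.51.100.7 port 51130 ssh2
Aug 25 10:03:00 host sshd[1310]: Bad protocol version identification 'GET / HTTP/1.1' from 203.0.113.9 port 40000
Aug 25 10:05:40 host sshd[1320]: Accepted publickey for ec2-user from 192.0.2.10 port 50500 ssh2: RSA SHA256:placeholder
Aug 25 10:09:00 host sshd[1320]: pam_unix(sshd:session): session closed for user ec2-user
""".splitlines()
```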

SSH: Agent Cheat Sheet

eval $(ssh-agent)       # Start agent on demand

ssh-add -l                      # List keys
ssh-add                         # Add default key
ssh-add ~/.ssh/id_rsa           # Add specific key
ssh-add -t 3600 ~/.ssh/id_rsa   # Add with timeout
ssh-add -D                      # Drop keys

ssh -A ...          # Enable agent forwarding (the remote host can use your agent while connected)

SSH: Automatic Jump Host Proxying Cheat Sheet

Host <your jump host>
  ForwardAgent yes
  Hostname <your jump host>
  User <your user name on jump host>

# Note the server list can have wild cards, e.g. "webserver-* database*"
Host <server list>
  ForwardAgent yes
  User <your user name on all these hosts>
  ProxyCommand ssh -q <your jump host> nc -q0 %h 22
  # On OpenSSH 7.3 and later, "ProxyJump <your jump host>" replaces the ProxyCommand line

SSH: Misc Cheat Sheet

# Enforce a umask with SFTP (in sshd_config; the sftp-server path varies by distribution)
Subsystem sftp /usr/libexec/openssh/sftp-server -u 0002

# Parallel SSH on Debian
apt-get install pssh
pssh -h host_list.txt <command>
pssh -i -t 60 -h host_list.txt -- <command>   # 60s timeout, list output

# Clustered SSH on Debian
apt-get install clusterssh
cssh server1 server2

# Vim remote file editing
vim scp://<user>@<host>//some/directory/file.txt

# Use GPG keys with the SSH agent (monkeysphere)
monkeysphere subkey-to-ssh-agent -t 3600

SSH: Port Knocking Cheat Sheet

# Knockd installation
apt update
apt install -y knockd iptables-persistent
# iptables rules
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -j DROP
iptables-save > /etc/iptables/rules.v4

These commands will do the following:

  • Instruct iptables to keep existing connections alive.
  • Instruct iptables to drop any connection to port tcp/22 (if your SSH daemon is listening on a port other than 22, you should modify the above command accordingly.)
  • Save these two rules so they will persist after a reboot.
# Knockd configuration

Open the file /etc/knockd.conf

You will see:

sequence    = 7000,8000,9000
seq_timeout = 5
command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

Change the opening sequence:

sequence    = x,y,z

Change the command value (use -I rather than -A so the ACCEPT rule is inserted before the DROP rule added above; an appended rule would sit after the DROP and never be reached):

command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

Change the closing sequence accordingly:

sequence    = z,y,x

Save your changes and exit, and open the file /etc/default/knockd

  • Replace START_KNOCKD=0 with START_KNOCKD=1.
  • Add the following line to the end of the file: KNOCKD_OPTS="-i ens3" (replace ens3 with the name of your public network interface if it differs.)
  • Save and exit.

Start Knockd:

systemctl start knockd

SSH: Hot Keys Cheat Sheet

# Escape sequences are recognised only as the first character of a line (type ~ right after Enter)
~.     terminate the connection (and any multiplexed sessions)
~B     send a BREAK to the remote system
~C     open a command line
~R     request rekey (SSH protocol 2 only)
~^Z    suspend ssh
~#     list forwarded connections
~&     background ssh (when waiting for connections to terminate)
~?     show this list of escape sequences
~~     send the escape character by typing it twice