Áåçîïàñíîñòü SSH (dropbear)

Ðåàëèçàöèÿ òóííåëÿ ñðåäñòâàìè dropbear

Ãîñïîäà, ñèòóàöèÿ òàêàÿ: Òðåáóåòñÿ ñäåëàòü òóííåëü ìåæäó êîìïüþòåðîì çà NAT'îì è ðîóòåðîì.
Äëÿ äîñòóïà ê radmin íà óäàëåííîì êîìïå. Ò.å.

Ðîóòåð ñëóøàåò âõîäÿùèå ïîäêëþ÷åíèÿ
Íà óäàëåííîì ÏÊ çàïóñêàåòñÿ plink (êîíñîëüíûé putty), êîòîðûé êîííåêòèòñÿ ê ðîóòåðó è äåëàåò òóííåëü.
Ðåàëèçàöèÿ òàêîâà:

Íà ðîóòåðå çàïóùåí dropbear (òàê:)

Code:

#òóò âîïðîñ, íóæåí ëè ôëàã -a ? dropbear -m -a -p 443

Íà êîìïüþòåðå çàïóñêàåòñÿ

Code:

plink -P 443 -v -ssh -l loginXXX -pw passwordXXX -T -N -noagent -R 172.20.1.1:8087:127.0.0.1:8088 hostanmeXXX.homedns.org

è ïðè ýòîì äåëàåò òóííåëü. Ïðè îáðàùåíèè ê ðîóòåðó ïî àäðåñó 172.20.1.1 (âíóòðåííèé) íà ïîðò 8087,
èäåò òóííåëüíûé êîííåêò ê ñåðâèñó íà óäàëåííîì êîìïüþòåðå íà ïîðòó 8088.

Äëÿ òåñòîâ çàïóñêàþ NetCat äëÿ Windows:

Code:

nc -v -vv -p 8088 -L -s 127.0.0.1

Òàê âîò ïðîáëåìà: åñëè ÿ èñïîëüçóþ ëîãèïàññ àäìèíà-ðóòà ðîóòåðà, òî âñå ðàáîòàåò îòëè÷íî. À âîò ñîçäàòü ïîëüçîâàòåëÿ íå ïîëó÷àåòñÿ.

Code:

[XxX@router root]$ cat /etc/group root:x:0:XxX nobody:x:99: port_tunnels:x:200:yyy1,yyy2,yyy3,yyy4,yyy5 [XxX@router root]$ cat /etc/passwd XxX:hash1hash1hash1hash1:0:0:root:/usr/local/root:/bin/sh nobody:x:99:99:nobody:/:/sbin/nologin yyy1:hash2hash2hash2hash2:201:200:Remote Tunnel N1:/opt:/sbin/nologin

(åññíî, ôàéëû ñîõðàíÿþòñÿ ïðè ðåáóòå)

Ïðè êîííåêòå ïèøåò

Code:

plink -P 443 -v -ssh -l yyy1 -pw pass_yyy1 -T -N -noagent -R 172.20.1.1:80:127.0.0.1:8088 xxxhost.homedns.org Looking up host "xxxhost.homedns.org" Connecting to 111.111.111.111 port 443 Server version: SSH-2.0-dropbear_0.49 We claim version: SSH-2.0-PuTTY_Release_0.60 Using SSH protocol version 2 Using Diffie-Hellman with standard group "group1" Doing Diffie-Hellman key exchange with hash SHA-1 Host key fingerprint is: ssh-rsa 1040 b4:27:d7:ca:44:02:66:54:da:22:62:8f:aa:47:f6:9f Initialised AES-256 CBC client->server encryption Initialised HMAC-SHA1 client->server MAC algorithm Initialised AES-256 CBC server->client encryption Initialised HMAC-SHA1 server->client MAC algorithm Using username "yyy1". Sent password Access denied Access denied Disconnected: Unable to authenticate

Ïîäñêàæèòå, êàê áûòü? Õî÷åòñÿ ÷òîáû ó þçåðà áûëî êàê ìîæíî ìåíüøå ïðàâ.

UPD: Ðåøåíî: íóæíî ïîëüçîâàòåëþ ïðîïèñàòü øåëë /bin/true (âìåñòî /sbin/nologin), çàòåì â /etc/shells äîáàâèòü ñòðîêè ñ øåëëàìè, êîòîðûå èñïîëüçóþòñÿ, íå çàáûâ ïðî /bin/sh (åñëè åãî íå äîáàâèòü, íåâîçìîæíî áóäåò çàéòè ïîä ðóòîì ×åðåç ssh. Åñëè âñå æå ñäåëàëè òàêóþ îøèáêó, çàéäèòå ÷åðåç web-èíòåðôåéñ è rm /etc/shells ). Òåïåðü åñëè ïîëüçîâàòåëü çàéäåò ñ ïîìîùüþ âûøåîïèñàíîé êîìàíäû ïðîáðîñà ïîðòà, âñå áóäåò ÎÊ, à åñëè ñ ïîìîùüþ îáû÷íîãî êîíñîëüíîãî çàõîäà, òî êîíñîëü çàêðîåòñÿ ñðàçó ïîñëå àâòîðèçàöèè.

Íàøåë ïðîáëåìó:

Code:

Jun 16 14:22:55 dropbear[145]: user 'yyy1' has invalid shell, rejected

Ïîñîâåòóéòå, ÷òî íàïèñàòü â êà÷åñòâå øåëëà? Ïðîáîâàë /sbin/nologin, íî òàêîãî ôàéëà íåòó è îí ìàòåðèòñÿ. Ïðîáîâàë /bin/netstat è /bin/true, òî æå ñàìîå. ñ /bin/sh âñå õîðîøî, íî ìíå íóæíî ÷òîáû øåëëà ó äàííîãî ëîãèíà íå áûëî

Quote:

Originally Posted by FilimoniC

Íàøåë ïðîáëåìó:

Code:

Jun 16 14:22:55 dropbear[145]: user 'yyy1' has invalid shell, rejected

Ïîñîâåòóéòå, ÷òî íàïèñàòü â êà÷åñòâå øåëëà? Ïðîáîâàë /sbin/nologin, íî òàêîãî ôàéëà íåòó è îí ìàòåðèòñÿ. Ïðîáîâàë /bin/netstat è /bin/true, òî æå ñàìîå. ñ /bin/sh âñå õîðîøî, íî ìíå íóæíî ÷òîáû øåëëà ó äàííîãî ëîãèíà íå áûëî

Ïîïðîáóé /bin/true, òîëüêî äîáàâü åãî â /etc/shells

Äóìàþ íàäî íàïèñàòü /bin/false.

Ñïàñèáî, òîëüêî äîáèë ðîóòåð :-)
À ïîòîì íàøåë âîò ýòî: http://wl500g.info/showpost.php?p=80019&postcount=9 :_))
6opoga, ïîïðàâüòå ñâîé ïîñò ïëèç, à òî åùå êòî-íèáóäü ñïîòêíåòñÿ :-)

Ïàñèáî áîëüøîå, ïðîáëåìà ðåøåíà!
Äàëåå áóäó äåëàòü win-êëèåíò, êîòîðûé áóäåò ñàì ðåêîííåêòèòüñÿ åñëè ÷òî. Îòïèøó òóò

Ïðîøó åùå ïîìîùè êàñàòåëüíî plink: åñëè ñåðâåð îòâàëèëñÿ,òî plink îñòàåòñÿ âèñåòü, íè÷åãî íå äåëàÿ è íå îòâàëèâàÿñü. Êàê áû ïîáåäèòü òàêóþ ñèòóàöèþ?

1 Attachment(s)

Ðåøèë ïðîáëåìó - äîáàâèë ê ññø-ïîäêëþ÷åíèþ òóííåëü îò êëèåíòà ê ðîóòåðó, íà ðîóòåðå ïîäíÿë õòòï-ñåðâà÷îê ñ èíäåêñîì = 0 áàéò.
Íà êëèåíòå - wget, êîòîðûé ïåðèîäè÷åñêè ñïðàøèâàåò ýòó ñòðàíè÷êó ÷åðåç òóííåëü, åñëè íå ñïðîñèëîñü - taskkill /F /IM plink.exe

Âîò ìîè ñêðèïòû
Âñåãî ó÷àâñòâóþò:
plink - äëÿ ñâÿçè è òóííåëÿ
wget - äëÿ ïåðèîäè÷åñêîãî ïðîøèáàíèÿ êàíàëà
hidec - ÷òîáû ïðÿòàòü dos-îêíà

Ñîâêîâî, íî êîìó íàäî, òîò äîðàáîòàåò ñàì, ïî-ïðàâèëüíîìó, ñ pid-àìè è ïðî÷èì.

sshfs èëè webdav+samba

Äåíü äîáðûé, óâàæàåìûå!

Âîçíèê òàêîé âîïðîñ. Èìåþ ìåñòî íà rsync.net, êîòîðîå èñïîëüçóåòñÿ äëÿ áýêàïîâ. Îíè åãî îòäàþò ïî sftp/sshfs/webdavS.

Âîçíèêëà íåîáõîäèìîñòü â äîìàøíåé ñåòêå çà wl500gP v2 ñäåëàòü äîñòóï ê ýòîìó àêêàóíòó.

Õîòåë áû ïðèìîíèòðîâàòü ê ðàóòåðó ÷åðåç sshfs èëè webdavs óäàëåííóþ ÔÑ è ðàçäàòü å¸ ñ ðàóòåðà ÷åðåç ñàìáó.
Âîçìîæíî ëè ýòî? Êàê íà ðàóòåðå ñêàæåòñÿ êîïèðîâàíèå ÷åðåç ýòó ñâÿçêó áîëüøèõ ôàéëèêîâ?

Ìîæåò áûòü êàêîé-òî ìåòîä ëó÷øå/õóæå.
Êðàéíå áëàãîäàðåí çà ñîâåò è ïîìîùü.

Íèêòî íå ñòàëêèâàëñÿ ñ ïîõîæèì? :(
FUSE, êàæåòñÿ, íå ðàáîòàåò...

Êàê âîéòè ïî SSH áåç ïàðîëÿ(èñïîëüçóÿ êëþ÷) îò èìåíè îáû÷íîãî ïîëüçîâàòåëÿ?

Çäðàâñòâóéòå!

Ñóùåñòâóåò çàäà÷à, âîéòè îò èìåíè îáû÷íîãî ïîëüçîâàòåëÿ ïî SSH áåç ïàðîëÿ èñïîëüçóÿ êëþ÷. Êàê ýòî ñäåëàòü äëÿ âõîäà ïîä ðóòîì, ÿ óæå ðàçîáðàëñÿ. Òåïåðü íå ìîãó ðàçîáðàòñÿ êàê ñäåëàòü òî-æå íî äëÿ âõîäà áåç ïàðîëÿ îò èìåíè îáû÷íîãî ïîëüçîâàòåëÿ (êîòîðûé ïðîïèñàí â /etc/passwd)

×òî èìååì:
Ñåðâåð - ýòî ìîé ASUS WL-500gPremium
Êëèåíò - ýòî ìîé äîìàøíèé ÏÊ

Ñãåíåðèðîâàííûå ìíîþ êëþ÷è - id_dsa - äëÿ ðóòà, id_dsa_maxim - äëÿ ïîëüçîâàòåëÿ maxim. ß äåëàë òàê:

Íà êëèåíòå:

Quote:

maxim@localhost:~$ ssh-keygen -t dsa
<...>
maxim@localhost:~$ scp ~/.ssh/id_dsa_maxim.pub maxim@192.168.1.2:/opt/home/maxim
maxim@192.168.1.2's password:
id_dsa_maxim.pub 100% 605 0.6KB/s 00:00
maxim@localhost:~$

Íà ñåðâåðå:

Quote:

maxim@OpenWrt:~$ mkdir .dropbear
maxim@OpenWrt:~$ cat id_dsa_maxim.pub >> .dropbear/authorized_keys
maxim@OpenWrt:~$ rm id_dsa_maxim.pub
maxim@OpenWrt:~$ chmod 0600 .dropbear/authorized_keys
maxim@OpenWrt:~$ ln -s .dropbear dropbear
maxim@OpenWrt:~$ ls -al
drwxr-xr-x 5 maxim maxim 4096 Jul 6 10:29 .
drwxr-xr-x 4 root root 4096 Jan 1 2000 ..
-rw-r--r-- 1 maxim maxim 16 Jul 6 10:23 .ash_history
drwxr-xr-x 2 maxim maxim 4096 Jul 6 10:28 .dropbear
drwxr-xr-x 7 maxim maxim 4096 Jan 1 2000 Archive
drwxr-xr-x 2 maxim maxim 4096 Jan 1 2000 Torrents
lrwxrwxrwx 1 maxim maxim 9 Jul 6 10:29 dropbear -> .dropbear
-rw-r--r-- 1 root root 61517918 Apr 17 11:13 linux-2.6.25.tar.gz
-rw-r--r-- 1 root root 381866 Jul 5 23:59 nixxx.zip
maxim@OpenWrt:~$ ls -l .dropbear
-rw------- 1 maxim maxim 605 Jul 6 10:28 authorized_keys

Ïðîâåðÿþ íà êëèåíòå:
-----------------------------------------
Äëÿ âõîäà ïîä ïîëüçîâàòåëåì òðåáóåò ïàðîëÿ:

Quote:

maxim@localhost:~$ ssh -i /home/maxim/.ssh/id_dsa_maxim maxim@192.168.1.2
maxim@192.168.1.2's password:
Permission denied, please try again.
maxim@192.168.1.2's password:

Ïðè ýòîì äëÿ ðóòà âñ¸ ðàáîòàåò:

Quote:

maxim@localhost:~$ ssh -i /home/maxim/.ssh/id_dsa root@192.168.1.2

BusyBox v1.4.2 (2007-08-08 08:29:39 CDT) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

root@OpenWrt:~# exit
Connection to 192.168.1.2 closed.

Íî ìíå íàäî ÷òîáû ïîä îáû÷íûì ïîëüçîâàòåëåì ìîæíî áûëî âõîäèòü áåç ïàðîëÿ. Êàê ýòî ñäåëàòü?

à... áëèí. Âñ¸, ðàçîáðàëñÿ. Íóæíî áûëî êàòàëîã íàçûâàòü êàê ".ssh" íà ñåðâåðå à íå ".dropbear"

Òåïåðü ðàáîòàåò :)

Quote:

Originally Posted by Red Dragon

à ïðè òàêèõ ïðàâèëàõ telnet äëÿ äîñòóïà ñíàðóæè çàêðûò?

È â êàêîé ëîã áóäåò ïèñàòüñÿ âûâîä hitcount 4 -m limit --limit 1/minute --limit-burst 1 -j LOG --log-prefix 'SSH brute force attack' ?

Â /var/log/post-firewall.log ?

Íà òåëíåò ïðàâèëà "ðåçêè" íå ðàñïðîñòðàíÿþòñÿ.

Ïèñàòüñÿ áóäåò â ñèñòåìíûé ëîã, òóäà æå, êóäà ïèøóòñÿ ñîîáùåíèÿ î çàãðóçêå è ò.ï. Åãî âèäíî ÷åðåç âåá-ìîðäó.

Êàêàÿ ñâÿçü ìåæäó telnet è dropbear SSHD

Ãîñïîäà,
îáúÿñíèòå òóïîìó, êàêàÿ ñâÿçü ìåæäó òåëíåòîì è dropbear.

Ïî÷åìó åñëè â íàñòðîéêàõ ðóòåðà çàãëóøèòü òåëíåò, òî dropbear íå çàïóñêàåòñÿ?

Áîëåå òîãî, çàõîäèì íà ðóòåð ïî ssh, ñìîòðèì àêòèâíûå ïðîöåññû, âèäèì telnetd. Êèëÿåì åãî, è íàáëþäàåì íåìåäëåííîå óìèðàíèå ñåññèè ssh.

Ò.å. ÿ òàê ïîíèìàþ, ÷òî sh, êîòîðûé çàïóñêàåò post-boot (ðàâíî êàê èâñå îñòàëüíûå ñêðèïòû èç sbin) çàïóñêàåòñÿ èç-ïîä òåëíåòà, è óáèâ ðîäèòåëüñêèé ïðîöåññ, ìû êèëÿåì âñå ÷òî ïîä íèì.

Íî òîãäà ïîëó÷àåòñÿ, ÷òî â êîíôèãóðàöèÿõ îïèñàííûõ âî âñåõ how-to, telnetd îáÿçàòåëüíî äîëæåí áûòü ðàçðåøåí â íàñòðîéêàõ ðóòåðà. Ýòî òàê?

Êðîìå òîãî, ìû èìååì ïîåíöèàëüíóþ äûðó â ðóòåðå. ß ïðàâ?

Quote:

Originally Posted by ost

îáúÿñíèòå òóïîìó, êàêàÿ ñâÿçü ìåæäó òåëíåòîì è dropbear.

Íåò íè êàêîé ñâÿçè ìåæäó òåëíåòÄ è äðîïáèð. Ýòî äâå ðàçíûå íå çàâèñèìûå äðóã îò äðóãà ïðîãðàììû è ïðîöåññà.
Îïèñàííàÿ Âàìè ñèòóàöèÿ âîçìîæíà â òîì ñëó÷àå, åñëè äðîïáèð Âû çàïóñòèëè íå èç ïîñò-áóò ñêðèïòà, à ðó÷êàìè èç ñåñèè òåëåòà.

Quote:

Originally Posted by EugeenB

Îïèñàííàÿ Âàìè ñèòóàöèÿ âîçìîæíà â òîì ñëó÷àå, åñëè äðîïáèð Âû çàïóñòèëè íå èç ïîñò-áóò ñêðèïòà, à ðó÷êàìè èç ñåñèè òåëåòà.

Êàáû òàê, ÿ áû íå ñòàë çàäàâàòü âîïðîñ â êîíôå.

Âåðñèÿ ïðîøèâêè 10-ÿ. Æåëåçî WL-500gpv2.

1. Ïðè îòêëþ÷åíèè òåëíåò â íàñòðîéêàõ post-boot íå îòðàáàòûâàåò
2. Ïðè âêëþ÷åíèè òåëíåò post-boot èñïðàâíî ðàáîòàåò, íî âñå çàïóùåííîå èç íåãî óìèðàåò ïðè óáèéñòâå òåëíåòà.

Êòî-íèáóäü ìîæåò ïîâòîðèòü ýòî ó ñåáÿ?

Ïîâòîðèòü íå ïîëó÷àåòñÿ :(

Code:

[admin@wl500gP root]$ ps PID Uid VmSize Stat Command 1 admin 628 S /sbin/init 2 admin SW [keventd] 3 admin RWN [ksoftirqd_CPU0] 4 admin SW [kswapd] 5 admin SW [bdflush] 6 admin SW [kupdated] 7 admin SW [mtdblockd] 62 admin 396 S httpd vlan1 64 admin 552 S nas /tmp/nas.lan.conf /tmp/nas.lan.pid lan 70 nobody 464 S [dnsmasq] 71 admin SW [khubd] 80 admin 260 S p9100d -f /dev/usb/lp0 0 84 admin SW [usb-storage-0] 87 admin SW [scsi_eh_0] 92 admin 428 S udhcpc -i vlan1 -p /var/run/udhcpc0.pid -s /tmp/udhcpc 94 admin 476 S watchdog 97 admin 344 S ntp 105 admin 480 S dropbear 112 admin SW [kjournald] 113 admin SW [kjournald] 136 admin 896 S /opt/sbin/syslog-ng 141 admin 416 S /opt/sbin/cron 145 admin 696 S /usr/sbin/pppd file /opt/etc/ppp/belpak.pppd 154 admin 436 S /usr/sbin/ez-ipupdate -c /opt/etc/dyndns.conf 156 admin 692 S /usr/sbin/pppd file /opt/etc/ppp/guest.pppd 344 admin 712 S dropbear 345 admin 576 S -sh 543 admin 392 R ps

Ìîæíî óâèäåòü âûâîäû êîìàíä

Code:

ls -l /tmp/local/sbin/

è

Code:

cat /tmp/local/sbin/post-boot

Óáèë... âñå íîðìàëüíî ðàáîòàåò... Âûêëþ÷àòü òîæå ïðîáîâàë, íî ðåøèë âñå-òàêè îñòàâèòü, ïðîñòî íàðóæó ýòîò ïîðò íå ñâå÷ó...

óñòàíîâèòå ïîëíîöåííûé ps:

ipkg install procps

Ñìîòðèòå ó êàêîãî ïðîöåññà êòî ðîäèòåëü (ïîëå PPID) êîììàíäîé:

ps -AF

Òîãäà óæ åñëè ñòàâèòü, òî htop...

Quote:

Originally Posted by Lupo_Alberto

Ïîâòîðèòü íå ïîëó÷àåòñÿ :(
Ìîæíî óâèäåòü âûâîäû êîìàíä

Code:

[dima214@WL-500gpv2 root]$ ps PID Uid VmSize Stat Command 1 dima214 636 S /sbin/init 2 dima214 SW [keventd] 3 dima214 SWN [ksoftirqd_CPU0] 4 dima214 SW [kswapd] 5 dima214 SW [bdflush] 6 dima214 SW [kupdated] 7 dima214 SW [mtdblockd] 59 dima214 328 S telnetd 64 dima214 380 S httpd vlan1 69 dima214 408 S syslogd -m 0 -O /tmp/syslog.log -S -l 7 70 dima214 364 S klogd 75 nobody 472 S [dnsmasq] 77 dima214 SW [khubd] 89 dima214 332 S /usr/sbin/igmpproxy -c /etc/igmpproxy.conf 92 dima214 748 S pppd file /tmp/ppp/options.wan0 94 dima214 448 S watchdog 96 dima214 344 S ntp 97 dima214 460 S sh -c /usr/sbin/pptp --idle-wait 0 ppp.lan --nolaunchpppd --nobuffer --sync 100 dima214 436 S pptp: GRE-to-PPP gateway on /dev/ptmx--nolaunchpppd --nobuffer --sync 107 dima214 440 S pptp: call manager for 10.10.3.40 --nolaunchpppd --nobuffer --sync 109 dima214 468 S dropbear 141 dima214 492 S upnp -D -L br0 -W ppp0 143 dima214 548 S -sh 146 dima214 396 R ps [dima214@WL-500gpv2 root]$

Code:

[dima214@WL-500gpv2 root]$ ls -la /tmp/local/sbin/ drwxr-xr-x 1 dima214 root 0 Aug 28 21:38 . drwxr-xr-x 1 dima214 root 0 Jan 1 2000 .. -rwxr-xr-x 1 dima214 root 20 Aug 28 21:40 post-boot [dima214@WL-500gpv2 root]$

è

Code:

[dima214@WL-500gpv2 root]$ cat /tmp/local/sbin/post-boot #!/bin/sh dropbear [dima214@WL-500gpv2 root]$

Åäèíñòâåííàÿ ðàçíèöà, êîòîðóþ ÿ âèæó ýòî òî, ÷òî ÿ ïîìåíÿë äåôîëòíîå èìÿ admin íà ñâî¸.
Ãäå êîïàòü?

Quote:

Originally Posted by al37919

óñòàíîâèòå ïîëíîöåííûé ps:

ipkg install procps

Ñìîòðèòå ó êàêîãî ïðîöåññà êòî ðîäèòåëü (ïîëå PPID) êîììàíäîé:

ps -AF

Ïîêà íå ãîòîâ. ß åãî òîëüêî äâà äíÿ êàê óñòàíîâèë, äèñê íå öåïëÿë.
Íî ìûñëü âû ìíå ïðàâèëüíóþ ïîäàëè. ß top ñíÿë

Code:

Mem: 14424K used, 15740K free, 0K shrd, 1760K buff, 6116K cached Load average: 0.00, 0.02, 0.00 (State: S=sleeping R=running, W=waiting) PID USER STATUS RSS PPID %CPU %MEM COMMAND 262 dima214 R 444 143 0.9 1.4 top 92 dima214 S 748 1 0.0 2.4 pppd 185 dima214 S 716 109 0.0 2.3 dropbear 1 dima214 S 636 0 0.0 2.1 init 143 dima214 S 548 59 0.0 1.8 sh 186 dima214 S 512 185 0.0 1.6 sh 141 dima214 S 492 1 0.0 1.6 upnp 109 dima214 S 480 1 0.0 1.5 dropbear 75 nobody S 472 1 0.0 1.5 dnsmasq 97 dima214 S 460 92 0.0 1.5 sh 94 dima214 S 448 1 0.0 1.4 watchdog 107 dima214 S 440 1 0.0 1.4 pptp 100 dima214 S 436 97 0.0 1.4 pptp 69 dima214 S 408 1 0.0 1.3 syslogd 64 dima214 S 380 1 0.0 1.2 httpd 70 dima214 S 364 1 0.0 1.2 klogd 96 dima214 S 344 94 0.0 1.1 ntp 59 dima214 S 332 1 0.0 1.1 telnetd 89 dima214 S 332 1 0.0 1.1 igmpproxy 3 dima214 SWN 0 1 0.0 0.0 ksoftirqd_CPU0 7 dima214 SW 0 1 0.0 0.0 mtdblockd 77 dima214 SW 0 1 0.0 0.0 khubd 2 dima214 SW 0 1 0.0 0.0 keventd 6 dima214 SW 0 1 0.0 0.0 kupdated 4 dima214 SW 0 1 0.0 0.0 kswapd 5 dima214 SW 0 1 0.0 0.0 bdflush

Òîãäà âîîáùå ìèñòèêà, parent êàê è ïîëîæåíî init.
Íî ñòîèò óáèòü òåëíåò sshd ïàäàåò... :mad:

êðûøà òèõî åäåò.

Ïðîøó ó âñåõ ïðîùåíèÿ. Âîïðîñ ñíÿò.

Ó ìåíÿ â putty â íàñòðîéêàõ ñåññèè 23-é ïîðò ñòîÿë :confused:
à far ÷åñòíî ïî winscp ðàáîòàåò.

Quote:

Originally Posted by al37919

èñõîäíî ðîóòåð sftp íå ïîääåðæèâàåò. ×òîáû âêëþ÷èòü ïîääåðæêó sftp íàäî ñäåëàòü
ipkg install openssh
Îòòóäà íóæåí åäèíñòâåííûé ôàéë /opt/libexec/sftp-server åãî ìîæíî ñêîïèðîâàòü êóäà-íèáóäü, ïîòîì óäàëèòü openssh, ïîòîì âåðíóòü sftp-server íà òî æå ìåñòî.

ñïàñèáî çà íàâîäêó. ïîìîãëî

Òàê êàêîå îïòèìàëüíîå ïðàâèëî äëÿ ssh è telneta ??? Æäó îòâåòà è ÷åì îíî ñîñîáåíî ?

Åùå ðåøåíèå - ñîáðàòü è ïîñòàâèòü portsentry. Îò ñêàíà ïîðòîâ òîæå çàùèùàåò.

Óâàæàåìûå ãóðó! Âñåòàêè åñëè ìîæíî ñôîðìóëèðóéòå êîíêðåòíûå äåéñòâèÿ êàê,êóäà è ÷òî íóæíî âïèñûâàòü äëÿ çàùèòû ñîåäèíåíèÿ.Ê ñîæàëåíèþ â ýòîì èíòåðåñíîì âîïðîñå ñîâñåì íå ðàçáèðàþñü:o

Âîò òåìà ïîñâåæåå. Áëèæå ê êîíöó ïðèâîäèòñÿ ðàáîòàþùèé âàðèàíò.
http://wl500g.info/showthread.php?t=11436

Íå çàïóñêàåòñÿ sftp-server

Ïðîáëåìà â ñëåäóþùåì.
Óñòàíîâèë ipkg install openssh-sftp-server
Óñòàíîâêà ïðîøëà óñïåøíî, íî ïðè çàïóñêà sftp-server âûäàåòñÿ îøèáêà-file not found, õîòÿ ôàéë ëåæèò â opt/libexec
Ïåðå÷èòàë âåñü ôîðóì, íàïèñàíî, ÷òî sftp-server äîëæåí çàïóñêàòü dropbear
Ñàì dropbear ó ìåíÿ çàïóñêàåòñÿ, íî íå çàïóñêàåò sftp-server
×åãî íå õâàòàåò äëÿ åãî çàïóñêà?

Quote:

Originally Posted by sergeich

Ïðîáëåìà â ñëåäóþùåì.
Óñòàíîâèë ipkg install openssh-sftp-server
Óñòàíîâêà ïðîøëà óñïåøíî, íî ïðè çàïóñêà sftp-server âûäàåòñÿ îøèáêà-file not found, õîòÿ ôàéë ëåæèò â opt/libexec
Ïåðå÷èòàë âåñü ôîðóì, íàïèñàíî, ÷òî sftp-server äîëæåí çàïóñêàòü dropbear
Ñàì dropbear ó ìåíÿ çàïóñêàåòñÿ, íî íå çàïóñêàåò sftp-server
×åãî íå õâàòàåò äëÿ åãî çàïóñêà?

Ïðàâà íà ôàéëå êàêèå?
chmod +x ñäåëàéòå.

Ïðàâà íà çàïóñê áûëè...òîæ ñàìîå..
Ìîæåò äåëî â òîì, ÷òî ÿ ïàïêó opt ñìîíòèðîâàë òàê:mount /tmp/local/opt /opt
òî åñòü â ïàìÿòè ðîóòåðà..
Ñìîíòèðîâàëàñü îê, äà è óñòàíîâêà ïðîøëà óñïåøíî..

Quote:

Originally Posted by sergeich

Ïðàâà íà çàïóñê áûëè...òîæ ñàìîå..
Ìîæåò äåëî â òîì, ÷òî ÿ ïàïêó opt ñìîíòèðîâàë òàê:mount /tmp/local/opt /opt
òî åñòü â ïàìÿòè ðîóòåðà..
Ñìîíòèðîâàëàñü îê, äà è óñòàíîâêà ïðîøëà óñïåøíî..

Ïóòü äî sftp ïîëíîñòüþ óêàçàí?

Quote:

Originally Posted by vectorm

Ïóòü äî sftp ïîëíîñòüþ óêàçàí?

Äà, ñïàñèáî, ÿ ðàçîáðàëñÿ. Íå õâàòàëî ôàéëà libcrypto.so.0.9.7 â ïàïêå lib
Áåç íåãî íå çàïóñêàëñÿ, õîòÿ íà ôîðóìå ïðî÷èòàë, ÷òî äîñòàòî÷íî òîëüêî ôàéëà ñàìîãî ñåðâåðà sftp-server

Òàêàÿ æå ïðîáëåìà

Íå çàïóñêàåòñÿ sftp-server. ß òàê ïîíèìàþ åãî äîëæåí çàïóñêàòü dropbear? Ñàì dropbear ó ìåíÿ åñòü â ñïèñêå ïðîöåñîâ, à sftp-server - íåò. Ïðè ðó÷íîì çàïóñêå sftp-server îí îòâàëèâàåòñÿ ïî òàéìàóòó. Â ÷åì ìîæåò áûòü äåëî?

Code:

[admin@WL500G root]$ ipkg list_installed | grep ssh openssh-sftp-server - 5.1p1-1 - sftp-server only from a FREE version of the SSH protocol suite of network connectivity tools. [admin@WL500G root]$ ipkg files openssh-sftp-server Package openssh-sftp-server (5.1p1-1) is installed on /opt/ and has the following files: /opt/libexec/sftp-server Successfully terminated. [admin@WL500G root]$ ls -al /opt/libexec/ drwxr-xr-x 3 admin root 4096 Jan 12 14:40 . drwxr-xr-x 16 admin root 4096 Jan 12 15:48 .. drwxr-xr-x 2 admin root 4096 Jan 12 11:44 awk -rwxrwxr-x 1 admin root 64356 Jul 23 04:06 sftp-server [admin@WL500G root]$ ps ax PID TTY STAT TIME COMMAND 1 ? S 0:01 /sbin/init 2 ? S 0:00 [keventd] 3 ? SN 0:02 [ksoftirqd_CPU0] 4 ? S 0:00 [kswapd] 5 ? S 0:00 [bdflush] 6 ? S 0:00 [kupdated] 7 ? S 0:00 [mtdblockd] 60 ? S 0:00 telnetd 65 ? S 0:00 httpd vlan1 68 ? S 0:00 syslogd -m 0 -O /tmp/syslog.log -S -l 7 71 ? S 0:00 klogd 76 ? S 0:00 [dnsmasq] 78 ? S 0:00 [khubd] 88 ? Ss 0:00 waveservermain 90 ? Ss 0:00 rcamdmain 96 ? S 0:00 [usb-storage-0] 97 ? S 0:00 [scsi_eh_0] 109 ? Ss 0:00 watchdog 112 ? Ss 0:00 ntp 119 ? S 0:00 dropbear -p 443 125 ? S 0:00 upnp -D -L br0 -W vlan1 129 ? S 0:00 [kjournald] 132 ? Ss 0:00 /usr/sbin/vsftpd 152 ? Ss 0:00 dropbear -p 443 153 pts/0 Ss 0:00 -sh 160 pts/0 R+ 0:00 ps ax [admin@WL500G root]$ cat /usr/local/sbin/post-mount #!/bin/sh #mount drives /bin/mount -o sync,noatime,rw /dev/discs/disc0/disc /opt #enable swap /sbin/mkswap /opt/swap.file > /dev/null 2>&1 /sbin/swapon /opt/swap.file [admin@WL500G root]$ cat /usr/local/sbin/post-firewall #!/bin/sh iptables -P INPUT DROP iptables -D INPUT -j DROP iptables -A INPUT -p tcp --syn --dport 443 -j ACCEPT [admin@WL500G root]$ cat /usr/local/sbin/post-boot #!/bin/sh dropbear -p 443 > /dev/null 2>&1

Âîïðîñ ñíÿò

Îêàçàëîñü ñàì äóðàê. Ïðîöåññ sftp-server ïîÿâëÿåòñÿ, êîãäà ïîïûòàåøñÿ ñîåäèíèòüñÿ ñ ñåðâåðîì íàïðèìåð èç WinSPC. Â îáû÷íîì ñîñòîÿíèè åãî â ñïèñêå íå áóäåò.

WinSPC - êëàññíàÿ øòóêà.

Ïîìîãèòå èçáàâèòüñÿ îò ëîìàëüùèêîâ ftp... (ñðî÷íî)

Âîò òàêèå ëîãè âåñü äåíü:

Jan 31 15:36:05 vsftpd[5493]: CONNECT: Client "122.116.180.110"
Jan 31 15:36:06 vsftpd[5492]: [linux] FAIL LOGIN: Client "122.116.180.110"
Jan 31 15:36:07 vsftpd[5492]: [linux] FAIL LOGIN: Client "122.116.180.110"
Jan 31 15:36:09 vsftpd[5492]: [linux] FAIL LOGIN: Client "122.116.180.110"
Jan 31 15:36:11 vsftpd[5495]: CONNECT: Client "122.116.180.110"
Jan 31 15:36:12 vsftpd[5494]: [linux] FAIL LOGIN: Client "122.116.180.110"
Jan 31 15:36:14 vsftpd[5494]: [linux] FAIL LOGIN: Client "122.116.180.110"
Jan 31 15:36:16 vsftpd[5494]: [linux] FAIL LOGIN: Client "122.116.180.110"

Âîïðîñ â òîì êàê íà ðàáîòàþùåì ðîóòåðå çàêðûòü ïîðò 21 íà äîñòóï èçâíå. Îñòàíàâëèâàòü è ïåðåãðóæàòü î÷åíü íå õî÷åòñÿ.

Ïðîøèâêà Îëåãà ïîñëåäíÿÿ.

Ïîêà ñîâñåì çàêðûë äîñòóï ïî 21 ïîðòó:

iptables -I INPUT -p tcp --dport 21 -j DROP

Êàê çàêðûòü äîñòóï òîëüêî èçâíå?

Âàì ïîìîæåò vsftpd c ïîääåðæêîé tcpwrappers:
http://wl500g.info/showpost.php?p=119458&postcount=132

Â ôàéëå hosts.allow ïðîïèñàòü ñòðî÷êó

Code:

vsftpd: 122.116.180.110: DENY

Åñëè ÿ íå îøèáàþñü..

Åñëè âàì íóæíî, ÷òîá äîñòóï èìåëè òîëüêî ëîêàëüíûå ïîëüçîâàòåëè, òî
ïðîïèøèòå â êîíôèãå vsftpd ÿâíûì îáðàçîì

Code:

listen_address=âíóòðåííèé IP ðîóòåðà

è óäàëèòå âñå ïðàâèëà êàñàåìî DNAT ïî 21 ïîðòó â iptables.

Åñëè âû ðàáîòàåòå c ÔÒÏ ÷åðåç âåá ìîðäó, òî ïðåäïîëîæó, ÷òî íàäî ñäåëàòü òàê
USB application/FTP sever/Enable FTP Server: Yes, LAN only

Ñïàñèáî çà áûñòðûé îòâåò.

Ó ìåíÿ ftp èç ïðîøèâêè ðàáîòàåò, íåëüçÿ ëè îáîéòèñü áåç óñòàíîâêè äðóãîé âåðñèè vsftpd? Êàê íèáóäü íà óðîâíå iptables ðàçðåøèòü äîñòóï íà ftp äëÿ âíóòðåííåé ñåòè è çàïðåòèòü äëÿ âíåøíåé?

Êñòàòè, îøèáñÿ. Ïðîøèâêà îò ôîðóìíûõ ðàçðàáîò÷èêîâ 10-d7.