If you are coming to Fedora from Ubuntu you may be surprised that installing the package doesn’t automatically start the SSH daemon on boot. We can change this with the following command, run as root:
systemctl enable sshd.service
The next time you boot your SSH server should have started automatically.
As a follow-up to the previous article on how to browse the web via an SSH tunnel in Firefox we’ve been asked to show how to do the same with Internet Explorer. The Putty set-up remains the same; once that’s complete, open Internet Explorer (we are using IE 9) and go to Tools -> Internet Options (you may have to hit Alt to bring up the top menu):
Go to Settings:
Choose LAN settings:
Tick “Use proxy server for your LAN” and click Advanced:
Make sure the top four lines are blank in all fields except for the SOCKS port – here put:
127.0.0.1
and the port we used in Putty:
2048
Make sure the “Use the same proxy server for all protocols” box is unticked.
Hit OK -> OK -> Apply -> OK, open up your SSH tunnel in Putty and you should be ready to browse the internet remotely!
If you have the ability to SSH into a remote machine you also have the ability to direct your web browser’s traffic through SSH to that machine. This can be quite handy for browsing the (remote) local network without opening a HTTP port on the firewall.
First, install Putty and Firefox. Putty can be found here and Firefox here. If you’re not sure which file to download for Putty, just go for putty.exe. Once you’ve downloaded Putty, open it and you should see a screen like this:
Enter in the remote computer’s IP address and SSH port number (usually 22 unless you changed it) and test the connection to make sure you can log in. If that works, disconnect and go to Connection -> SSH -> Tunnels like so:
then change the selection from Local to Dynamic. After that, enter 2048 into the “Source port” field and click Add. Your screen should now look like:
Note the D in front of the source port number – that should be there.
Scroll back up on the left until you get back to the original Session window. Check the IP address and port numbers and enter a name in the “Saved Sessions” box, then click Save. Now you can load these settings again next time you open Putty.
The version of Firefox we’re using for today’s example is 18.0.2. Go to Tools -> Options -> Advanced (you may have to hit Alt to bring up the Tools menu at the top):
Now choose Network then Settings. You should see a window like this:
Now choose “Manual proxy configuration” and enter localhost in SOCKS Host, and 2048 in the corresponding Port field like so:
Click OK then again on the previous screen, open your Putty connection and the next URL you enter should be tunneled through to your remote server! To undo this, simply go into Firefox and put the above screen back to “Use system proxy settings”.
There are many reasons you may be using an SSH port other than 22; perhaps you changed it as a security measure, or perhaps you have multiple machines behind your firewall which you are port forwarding to and thus have to use other ports in addition to 22. Rsync is an extremely powerful file synchronization tool which by default uses SSH to connect your source and destination, thus if you have changed your SSH port you will need to tell rsync. This can be easily done with the e switch like so (using 2222 as the new SSH port as an example):
rsync -e “ssh -p 2222” /path/to/source [email protected]:/path/to/destination
As a practical example using the other options -avzP (our typical selection) your command might look like:
rsync -avzP -e “ssh -p 2222” /home/user/myfile [email protected]:/home/user/
Following on from yesterday’s post, here is how to enter or leave maintenance mode on an ESXi host via SSH:
vim-cmd hostsvc/maintenance_mode_enter
to go into maintenance mode – and to leave it:
vim-cmd hostsvc/maintenance_mode_exit
If you’re interested in other useful commands, you can see more hostsvc options by running:
vim-cmd hostsvc
This is a useful command to know as it is one of the critical steps in applying some patches to ESXi remotely.
If you need to know if a host is in maintenance mode via the command line, SSH into your server and run the following:
vim-cmd hostsvc/hostsummary | grep -i maintenance
This will return the following line (in this example the host is NOT in maintenance mode):
inMaintenanceMode = false,
To see the entire host summary printout without filtering everything apart from maintenance, run:
vim-cmd hostsvc/hostsummary
…but you’ll soon see why grep is useful here!
Sometimes you may wish to clear the terminal window, whether it be to hide what you’ve just done, clear some irrelevant/distracting output or any other reason. The best command to do this is simple:
reset
This completely clears the output shown in your terminal window but doesn’t log you out. If you want to keep your output in the buffer (i.e. so you can scroll back up to it) but still clear the terminal you can see you can use the following key combination:
ctrl+L
This pushes the output up above your prompt and puts the prompt at the top of your window.
Being able to log in to your server remotely via SSH is an incredibly powerful way of remotely managing your system. With so many devices now able to support consoles (just about any current smartphone or current OS, really) you can check on things, update or make changes from just about anywhere.
One of the less positive consequences of opening up your SSH port to the wider world is that you’re also exposing your server to everyone else in the world, not just yourself. There are many computers and virus-born botnets out there who scan IP addresses for open ports and try to brute-force their way in to steal data, generally cause destruction or create another bot. One good way of protecting yourself is installing a program which monitors the attempted logins via SSH and blocks any IP addresses which match an undesired pattern: Denyhosts.
You can install denyhosts by entering the following:
sudo apt-get install denyhosts
This installs denyhosts on your system, which starts automatically once installed and also on boot. You can edit the settings with the following file:
/etc/denyhosts.conf
Blocked IPs are listed in:
/etc/hosts.deny
It’s not unusual to have hundreds of entries after a couple of months. The default settings are reasonably good; you do have the freedom to make them as lenient or paranoid as you care to which is handy for tailoring it to your specific needs (e.g. strict rules re: logging in as accounts that don’t exist or the root account). Be aware that if you mistype your own password enough times you may ban your ou cown IP address, which might be inconvenient if you don’t have physical access to the server or another IP to fix!
Denyhosts is a quick, easy and powerful way to begin securing your SSH-accessible servers – as far as we’re concerned it or an equivalent program are a must if you’re opening up a SSH port to the outside world.