How to get ssh access from almost anywhere in the world to your server with ssl encrypted security!

speedy007 Member
edited January 2012 in Tutorials

I have learnt a lot from this forum and I am sure I will learn a lot more, so today I decided to give a little back to good people of this forum.
Disclaimer: I would like to say that I personally have used and setup web-based shell access and I am using it every day and I believe it is secure enough for me to use, but I take no responsibility in regards to the security of your server or your shell prompt!
Now the pleasantries are out of the way let’s get on with it!
Prerequisites:
Ubuntu/Debian or one of its variants: (Because I am good at it, you could use your own choice I believe!)
Apache2 server: (Again I know apache so I am using this, if you know any other i.e. nginx or lighttpd please use that, but I am not familiar with any other than apache)
nano text editor: Just apt-get install nano if you don't have it already

Now log in to your server with ssh. I would strongly suggest using a normal user, then just type sudo su and your user password and you will become root for as long as you want; once you have finished with it just type exit and you will be back to the normal user. (If you need to know how to use sudo please Google it)
Once you are logged in to your server and have got root privileges you need to download "shellinabox".
To download shellinabox
Type wget http://shellinabox.googlecode.com/files/shellinabox_2.10-1_i386.deb (this is for 32bit)
or
Type wget http://shellinabox.googlecode.com/files/shellinabox_2.10-1_amd64.deb (this is for 64bit)
Now type
dpkg -i shellinabox_2.10-1_amd64.deb (for 64bit)
or
dpkg -i shellinabox_2.10-1_i386.deb (for 32bit)
Once it's installed it will be running on localhost:4200
You could change the port 4200 to any other if you desire, just type
nano /etc/default/shellinabox
and change the default port to your desired one; once done just press Ctrl and x key and nano will ask you if you want to save before exit, so type yes into the terminal and press enter, this will save and exit nano.
Then restart shellinabox for the new setting to take effect by typing
invoke-rc.d shellinabox restart
Now ShellinAbox is up and running, so we need to create a vhost in apache which is easy enough, but before you create the vhost I would suggest you go to http://co.cc and get a yourfreedomain.co.cc from them and point that free domain to the ip address of your server with an A record (please Google it if you don't know how to set up an A record).
Once this is done come back to your server and set up the vhost like I did as below:
Type nano /etc/apache2/sites-available/yourfreedomain.co.cc
And type/paste the pastebin link below into the nano window and once done just press Ctrl and x key and nano will ask you if you want to save before exit, so type yes into the terminal and press enter; this will save your vhost for yourfreedomain.co.cc and exit nano at the same time.

http://pastebin.com/etftEg5U

You’re not done yet, far from it…!

You need to create server.crt and server.key for your shellinabox vhost, don’t worry I will show you how to easily do it. You need openssl installed for this so if you don’t have it just type:
apt-get install openssl
Now to create a self-signed certificate type:
openssl genrsa -des3 -out server.key 4096
Next create a certificate signing request with it. This command will prompt for a series of things (country, state or province, etc.). Make sure that "Common Name" matches yourfreedomain.co.cc. I also suggest not making a challenge password at this point, since it'll just mean more typing for you.

execute the command below and type what needs to be typed
openssl req -new -key server.key -out server.csr
Now sign the certificate signing request. This certificate will last 999 days, you can change it if you want, now type:
openssl x509 -req -days 999 -in server.csr -signkey server.key -out server.crt
Make a version of the server.key which doesn't need a password every time you restart apache2 server:
openssl rsa -in server.key -out server.key.insecure
then type

mv server.key server.key.secure
then type

mv server.key.insecure server.key
These files are quite sensitive and should be guarded for permissions very carefully.
Now step two of the ssl certificate:
type
mkdir /etc/apache2/ssl/
then type
cp server.key /etc/apache2/ssl/
then type
cp server.crt /etc/apache2/ssl/

Your ssl certificate is created and moved to right place.
Now type
nano /etc/apache2/httpd.conf
now type
NameVirtualHost *:443
And press Ctrl and x key type yes into prompt and press enter key that will save and exit nano

So far so good I hope ;)
Now we need to create .htpasswd file for secure login prompt over https.
Just go to http://www.htaccesstools.com/htpasswd-generator/
Go to the bottom of the page, put your desired username and desired password and it will give you the encrypted password with your user name, which we will use to secure our yourfreedomain.co.cc
I got myfreedomainuser:$apr1$nHujQmK2$Mou85BxOXg6oyMfm3Rwdw.
You can see my username: myfreedomainuser, but my password is encrypted; my password is myfreedomainpassword which I would use to log in to yourfreedomain.co.cc
Once you get your username/password sorted we need to use nano again to create a .htpasswd file
Just type:
nano /var/bin/.htpasswd
once in the nano editor copy your username/password (from the above site where you just created your own username and encrypted password); if you right click in nano it will paste whatever text is copied in memory.
So my /var/bin/.htpasswd would have one line in it as below
myfreedomainuser:$apr1$nHujQmK2$Mou85BxOXg6oyMfm3Rwdw.

Once you pasted your username/password just press Ctrl and x key and type yes to the prompt and that should save and exit nano.

Now we need to make sure a few apache2 mods are enabled and also that our new vhost is enabled for all this to work.
So type
a2ensite yourfreedomain.co.cc
then type
a2enmod ssl
then type
a2enmod proxy
now type
/etc/init.d/apache2 reload
And that’s it!
If all has gone as we planned, going to our domain yourfreedomain.co.cc would send you to https://yourfreedomain.co.cc and give you a warning about the self-signed certificate, which is fine as you just accept it; then it will pop up a box to put username/password, so please put in the username you chose when you encrypted it and your password, which again you chose when you encrypted it at http://www.htaccesstools.com/htpasswd-generator/

Once you are on your domain you would see a terminal asking for your server username, which you should type in, and then your password; while typing a password you will not see anything being typed, and as you should know it's normal for unix not to show anything while typing a password.
Now this is it, you are logged in to your server via https and you are enjoying all the security of ssl encryption and can ssh in to your server from anywhere in the world regardless of the security they have put in place!
If I have made any mistakes in typing or otherwise please feel free to let me know, this is a very first tutorial I have ever written in my life! so I am sure there may be mistakes in this! If you share this tutorial with others please just give credit where it’s due, thank you for your understanding.
P.S.: Just change yourfreedomain.co.cc to your actual free domain from http://co.cc
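The certificate, .htpasswd and vhost steps above can be done in one non-interactive script. The following is an added example written for this thread, not the original poster's script and not the pastebin vhost (which is not reproduced here); the domain, port, directory names and the `myfreedomainuser` demo credentials are assumptions or constructed values. It generates the key and certificate without the server.key.insecure dance (`-nodes` writes an unencrypted key so Apache can start unattended, `-subj` sets the Common Name without prompting), builds the htpasswd entry locally with `openssl passwd -apr1` instead of pasting a password into a web form, and writes a vhost that redirects plain HTTP to HTTPS, requires Basic auth for the whole site and reverse-proxies to the local shellinabox listener. Nothing is written unless you pass `--apply`.

```shell
#!/bin/sh
# Added example (not the original poster's code). Assumed paths and names;
# the real vhost in the post lives behind a pastebin link that is not shown here.
# Usage: sh setup.sh --apply yourfreedomain.co.cc 4200 /tmp/shellinabox-demo

# Print the Apache vhost text: HTTP redirects to HTTPS, the whole site is
# behind Basic auth, and Apache proxies to shellinabox on localhost.
vhost_config() {
    domain=$1; port=$2; ssldir=$3; htpasswd=$4
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    # Never serve the terminal over plain HTTP; send everyone to TLS.
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    SSLEngine on
    SSLCertificateFile $ssldir/server.crt
    SSLCertificateKeyFile $ssldir/server.key

    <Location />
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile $htpasswd
        Require valid-user
    </Location>

    # shellinabox listens on localhost only; Apache is the sole public entry.
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:$port/
    ProxyPassReverse / http://127.0.0.1:$port/
</VirtualHost>
EOF
}

# Check that a .htpasswd line has the shape user:$apr1$salt$hash, the format
# the tutorial's generator produces. Returns 0 when the line is well-formed.
htpasswd_line_ok() {
    case $1 in
        *:*:*) return 1 ;;                  # a second colon corrupts the record
        [!:]*:'$apr1$'*'$'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the htpasswd entry locally; the password goes in via stdin so it
# does not show up in the process list. Needs the openssl binary.
htpasswd_entry() {
    user=$1; pass=$2
    printf '%s:%s\n' "$user" "$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin)"
}

# Self-signed certificate in one step, Common Name set to the domain.
make_selfsigned_cert() {
    domain=$1; outdir=$2
    openssl req -x509 -newkey rsa:4096 -nodes -days 999 \
        -subj "/CN=$domain" -keyout "$outdir/server.key" -out "$outdir/server.crt"
    chmod 600 "$outdir/server.key"     # the key is the sensitive file; keep it root-only
}

if [ "${1:-}" = "--apply" ]; then
    domain=${2:?domain required}; port=${3:-4200}; dir=${4:-/tmp/shellinabox-demo}
    mkdir -p "$dir"
    make_selfsigned_cert "$domain" "$dir"
    # constructed demo credentials from the thread; replace with your own
    htpasswd_entry myfreedomainuser myfreedomainpassword > "$dir/.htpasswd"
    chmod 640 "$dir/.htpasswd"
    vhost_config "$domain" "$port" "$dir" "$dir/.htpasswd" > "$dir/$domain.conf"
    echo "wrote server.key, server.crt, .htpasswd and $domain.conf to $dir"
fi
```

Copy the generated files into /etc/apache2 as the tutorial describes and enable the site. One practical check: on Debian and Ubuntu the `ProxyPass` to an `http://` backend also needs `a2enmod proxy_http`, which loads mod_proxy_http separately from `a2enmod proxy`; without it Apache will refuse to start or return 500 for the proxied site.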

Comments

  • While this looks interesting, I wouldn't put it on a production server... at best I'd run it on a VPS that I use to test optimizations, but the idea is decent :)

  • speedy007 Member
    edited January 2012

    While this looks interesting, I wouldn't put it on a production server... at best I'd run it on a VPS that I use to test optimizations, but the idea is decent :)

    The idea is to get a cheap as chips VPS and use that as a gateway machine from there you could easily get in to any other machine with ssh [email protected]
    like onepoundhosting got nice xen for £12.00 a year, that would be ideal gateway VPS.
    and the fact is you are the only one who knows your free domain and you are the only one who is supposed to be using it anyway.

  • In that case I'd just use a subdomain and protect it via whitelist... ofc that's a lot of effort for just a ssh connection.

  • speedy007 Member
    edited January 2012

    In that case I'd just use a subdomain and protect it via whitelist... ofc that's a lot of effort for just a ssh connection.

    n how would you do it care to share? Not being funny just want to know.
    Just a ssh connection for you, but for me it means a lot as I work behind a mammoth firewall and proxy gateway servers so setting the ssh with shellinabox is much needed remedy for my problems as I can ssh to all my VPSs and manage them while on my break at work.

  • I'd just block every IP range but the IPs assigned to my company/home on the VPS I use to host the ssh tunnel... debian iptables example:

    iptables -A INPUT -p tcp ! -s YOURIP -j DROP

    Not guaranteed to work as I have not tested it, do not attempt on a VM or server unless it is backed up and you can "afford" to lose it.
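The whitelist idea in the comment above is sound, but a single blanket DROP rule is easy to get wrong in a way that locks you out of the box you are typing on. The following is an added example written for this thread (not the commenter's rule): it allows loopback and already-established connections first, admits the trusted address to the HTTPS and SSH ports, and only then drops everyone else on those two ports, so a typo cannot cut the session that applies it. It also rejects a malformed address before iptables sees it, since a bad `-s` argument makes iptables abort mid-chain. YOURIP, 443 and 22 are assumptions; by default it only prints the rules, and applies them only with `--apply` (root and iptables required).

```shell
#!/bin/sh
# Added example, not the commenter's rule. Print mode by default; --apply runs the rules.
# Usage: sh whitelist.sh 203.0.113.7            (print)
#        sh whitelist.sh --apply 203.0.113.7    (apply, as root)

# Emit one iptables command per line: trusted source, HTTPS port, SSH port.
# Order matters: ACCEPT rules precede the DROP rules for the same ports.
whitelist_rules() {
    src=$1; https=${2:-443}; ssh=${3:-22}
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport $https -s $src -j ACCEPT
iptables -A INPUT -p tcp --dport $ssh -s $src -j ACCEPT
iptables -A INPUT -p tcp --dport $https -j DROP
iptables -A INPUT -p tcp --dport $ssh -j DROP
EOF
}

# Accept only a plain dotted-quad IPv4 address (no CIDR, no hostnames), so a
# placeholder such as YOURIP is caught before it reaches iptables.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Validate, then run each generated line; stop at the first failure so the
# chain is not left half-applied.
apply_rules() {
    valid_ipv4 "$1" || { echo "refusing: '$1' is not an IPv4 address" >&2; return 1; }
    whitelist_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        eval "$cmd" || exit 1     # commands come from whitelist_rules above, not user input
    done
}

if [ "${1:-}" = "--apply" ]; then
    shift
    apply_rules "$@"
else
    whitelist_rules "${1:-YOURIP}"
fi
```

Print mode lets you review the exact rules before touching a remote box; if you do apply them over SSH, the ESTABLISHED,RELATED rule is what keeps your current session alive while the DROP rules take effect.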

  • speedy007 Member
    edited January 2012

    I'd just block every IP range but the IPs assigned to my company/home on the VPS I use to host the ssh tunnel... debian iptables example:

    iptables -A INPUT -p tcp ! -s YOURIP -j DROP
    Not guaranteed to work as I have not tested it, do not attempt on a VM or server unless it is backed up and you can "afford" to lose it.

    To be honest, to avoid all this kind of uncertainty I came up with this shellinabox solution, works from anywhere in the world from almost any browser, no problems, no other setting to do, and just pure ssh over ssl.

  • I'm sure, but assuming it was figured out, it'd be perfect for VMs because then it'd prevent hackers and other low lifes from using your shellinabox for their own gain because let's face it, it does act as a proxy and a very open one at that. (assuming I'm right)...

  • speedy007 Member
    edited January 2012

    I'm sure, but assuming it was figured out, it'd be perfect for VMs because then it'd prevent hackers and other low lifes from using your shellinabox for their own gain because let's face it, it does act as a proxy and a very open one at that. (assuming I'm right)...

    How in god's green world is a hacker gonna know your web domain login username and password as it is protected and encrypted inside /var/bin/.htpasswd? There are more chances of him getting in to your VPS from your ip than via your shellinabox domain! And if somehow he guessed your username and password and got to your shellinabox, he still needs to figure out your server login details! Which, if one is not stupid enough to keep root login enabled, it is next to impossible to guess your server login username and then password!

  • BlueVM Member
    edited January 2012

    The thing about .htpasswd is that as far as I know it's not default to have a maximum number of attempts.. so cracking it on that $12 VPS would take a bot about 2 - 4 hours... with a standard username and password.

    I wasn't saying "hey you you need to do this" it was a idea for making it more secure... not saying your method isn't already secure, but in my experience the harder you tie things down the less likely they are to be broken into. Also just FYI co.cc lists every domain they have in a rotating directory... (or at least when they launched they did).

    I did like your idea and I'm probably going to use it, but for the benefit of others I give out ideas like the one above...

  • speedy007 Member
    edited January 2012

    Please dont get me wrong I like ur whitelist idea but the purpose of the setting i have done is to get ssh access from anywhere in the world over ssl n as far as brute force bots are concerned well they bring down even well tight industrial servers so the only way to get complete security is u just need ur box to be disconnected from any kind of network but that would defeat the whole purpose. I personally like the idea of getting access from anywhere, just like i am typing this reply from a moving car on a motorway. ;)
    And as far as co.cc is concerned it's up to u where u wanna get ur domain from, i just suggested a service i know happened to be free ;)

  • Fair enough... I like the idea as well :)

  • Hmm, complicated :P
    But good for some people maybe.

    A better idea (for me) is to redirect several ports to one vps, so I can login to it via the same box, just a different port. But I don't know :P

    But this maybe is cool to have a quick interface, just to click and get into the selected server :P

  • WhizzWr Member
    edited January 2012

    Putting aside the fact it's being complicated and more prone to some kind of attack.
    If your idea is to access SSH from around the globe, why don't you just put it on port 443?
    Yep it is possible, for SSH server to coexist with SSL webserver, by means of extra proxy.

    Talking about mobile access, there are a lot of full-blown SSH clients available on virtually every mobile platform, from J2ME to iOS.

    Inherently, for this kind of purpose browsers are less secure than most SSH client, I have read somewhere--a research paper actually--that the browser "private browsing" is actually not-so-private. Data can still be extracted from memory should your system be compromised. That's assuming you are using the most secure way of browsing, using private-mode, TLS and whatnot.
    On the other hand, recently PuTTY developer made a fuss about how the SSH private key is not properly removed from memory after it's being used. He said PuTTY can be exploited, and so this is a bug and thus he made a bug fix.

    As an example, PuTTY will refuse to save any kind of password, and SSH convention encourages the use of key authentication. What about key auth in shellinabox?
    Meanwhile, major browsers will ask you to save your password by default every time you enter it. Given that this only applies to the htpasswd auth, not the SSH auth. Then again, there is memory leak and cache digging.

    I might sound as paranoid, but I'm not, just pointing out what I might think to be useful for everyone.

    Well, several things I'd like to suggest:
    1. Go get a real certificate instead of the self-signed one. At least a MitM attempt would be more obvious.
    2. Load mod_evasive/mod_security into Apache to help prevent the bruteforce attack.

  • @speedy007 said: works from anywhere in the world

    Well I'm in a doubt about Antarctica.

  • @livingvirtual said: Well I'm in a doubt about Antarctica.

    How exactly do you think the research teams communicate with the rest of the world? Despite my dislike for large-packet transmission, their satellite links work just fine during nominal conditions.

  • speedy007 Member
    edited January 2012

    @livingvirtual Well I'm in a doubt about Antarctica.

    Well for a smartass such as yourself I should have put almost anywhere in the world! But if you are clever enough then you would know that for this to work you do need internet access, and if you do have internet access in Antarctica you should be able to ssh, but hey if you don't like this tutorial don't use it, simples! ;)

  • Nah! It's a great tutorial..I was just joking around..I guess we had the Antarctica thing before here somewhere..:D

  • I'm with the others above on this. You're exposing your server to unnecessary security risks.

    If you can't access it because you're behind a mammoth firewall, and don't have sufficient privileges to request the port be opened, chances are you shouldn't be accessing it.

    By decreasing your own VPS security you're also circumventing the security of wherever you're accessing it from.

    Unless the situation is similar to the great firewall of China - Two wrongs definitely do not make a right in my opinion.

    It's a good tutorial, just I don't agree with the content or concepts.
