#StackBounty: #kernel #ssh #18.04 #firewall #ufw UFW Allows 22 for IPv4 and IPv6 but SSH Disconnects When Enabling

Bounty: 50

sudo ufw disable followed by sudo ufw enable kicks me out of SSH.

DMESG reports

[UFW BLOCK] IN=eth0 OUT= MAC=30:........ SRC=192.168.1.me DST=192.168.1.server LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15776 DF PROTO=TCP SPT=55640 DPT=22 WINDOW=253 RES=0x00 ACK URGP=0

I can log back in without having to change rules via the console (UFW still enabled).

This started after upgrading Xenial (16.04) from kernel 4.4 to 4.15 (HWE). Upgrading to 18.04.1 did not solve the issue.

Versions:

  • iptables v1.6.1
  • ufw 0.35
  • 4.15.0-29-generic #31-Ubuntu
  • Ubuntu 18.04.1 LTS

The output of ufw status verbose is (some rules were omitted, but they are all ALLOW):

Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22                         ALLOW IN    Anywhere
22 (v6)                    ALLOW IN    Anywhere (v6)

Why is this happening, or at least, how do I revert to the expected behavior?

I looked at this answer, and I am not sure it applies, but here’s /etc/ufw/before.rules

#
# rules.before
#
# Rules that should be run before the ufw command line added rules. Custom
# rules should be added to one of these chains:
#   ufw-before-input
#   ufw-before-output
#   ufw-before-forward
#

# Don't delete these required lines, otherwise there will be errors
*filter
:ufw-before-input - [0:0]
:ufw-before-output - [0:0]
:ufw-before-forward - [0:0]
:ufw-not-local - [0:0]
# End required lines


# allow all on loopback
-A ufw-before-input -i lo -j ACCEPT
-A ufw-before-output -o lo -j ACCEPT

# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# drop INVALID packets (logs these in loglevel medium and higher)
-A ufw-before-input -m conntrack --ctstate INVALID -j ufw-logging-deny
-A ufw-before-input -m conntrack --ctstate INVALID -j DROP

# ok icmp codes for INPUT
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

# ok icmp code for FORWARD
-A ufw-before-forward -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-forward -p icmp --icmp-type echo-request -j ACCEPT

# allow dhcp client to work
-A ufw-before-input -p udp --sport 67 --dport 68 -j ACCEPT

#
# ufw-not-local
#
-A ufw-before-input -j ufw-not-local

# if LOCAL, RETURN
-A ufw-not-local -m addrtype --dst-type LOCAL -j RETURN

# if MULTICAST, RETURN
-A ufw-not-local -m addrtype --dst-type MULTICAST -j RETURN

# if BROADCAST, RETURN
-A ufw-not-local -m addrtype --dst-type BROADCAST -j RETURN

# all other non-local packets are dropped
-A ufw-not-local -m limit --limit 3/min --limit-burst 10 -j ufw-logging-deny
-A ufw-not-local -j DROP

# allow MULTICAST mDNS for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 224.0.0.251 --dport 5353 -j ACCEPT

# allow MULTICAST UPnP for service discovery (be sure the MULTICAST line above
# is uncommented)
-A ufw-before-input -p udp -d 239.255.255.250 --dport 1900 -j ACCEPT

# don't delete the 'COMMIT' line or these rules won't be processed
COMMIT


Get this bounty!!!
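As an added example (not from the question or from ufw itself), the Python below parses kernel [UFW BLOCK] lines of the form quoted above and triages each one against the set of ports the policy allows: it separates the KEY=VALUE fields from the bare TCP flag tokens, then flags a blocked ACK-only packet to an allowed port, which is exactly the shape of the entry in the question, as a connection-tracking problem rather than a missing-rule problem. The sample lines are constructed from the question's entry; the second one is a made-up SYN to a port with no allow rule.

```python
import re

# Constructed sample input modelled on the dmesg line in the question (the
# "me"/"server" address placeholders are the poster's own redactions), plus a
# constructed SYN to a port that has no allow rule.
SAMPLE_LOG = """\
[UFW BLOCK] IN=eth0 OUT= MAC=30:........ SRC=192.168.1.me DST=192.168.1.server LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=15776 DF PROTO=TCP SPT=55640 DPT=22 WINDOW=253 RES=0x00 ACK URGP=0
[UFW BLOCK] IN=eth0 OUT= MAC=30:........ SRC=203.0.113.7 DST=192.168.1.server LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_ufw_line(line):
    """Turn one '[UFW BLOCK] K=V ... ACK ...' kernel log line into a dict.
    KEY=VALUE tokens become entries, bare TCP flag names are collected in
    'flags', other bare tokens (DF) become True. None for non-UFW lines."""
    m = re.search(r"\[UFW (\w+)\]\s*(.*)$", line)
    if not m:
        return None
    rec = {"action": m.group(1), "flags": set()}
    for tok in m.group(2).split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
        else:
            rec[tok] = True
    return rec

def classify(rec, allowed_tcp_ports):
    """Triage verdict for one record. A packet with ACK set and SYN clear
    belongs to a flow that already exists, and the RELATED,ESTABLISHED rule in
    before.rules runs before any per-port rule; dropping such a packet to an
    allowed port therefore points at missing connection-tracking state for the
    flow, not at a missing allow rule."""
    if rec is None or rec["action"] != "BLOCK":
        return "not a block"
    if rec.get("PROTO") != "TCP":
        return "non-tcp block"
    dpt = int(rec.get("DPT", "0"))
    if dpt not in allowed_tcp_ports:
        return "packet to a port with no allow rule (expected deny)"
    if "ACK" in rec["flags"] and "SYN" not in rec["flags"]:
        return "mid-stream packet to an allowed port (lost conntrack state?)"
    return "other block on an allowed port"

def triage(log_text, allowed_tcp_ports):
    """(SRC, DPT, verdict) for every UFW line in log_text, in order."""
    out = []
    for line in log_text.splitlines():
        rec = parse_ufw_line(line)
        if rec is not None:
            verdict = classify(rec, allowed_tcp_ports)
            out.append((rec.get("SRC"), int(rec.get("DPT", "0")), verdict))
    return out

if __name__ == "__main__":
    for src, dpt, verdict in triage(SAMPLE_LOG, {22}):
        print(f"{src:>16} -> :{dpt:<3} {verdict}")
```

Run it over a real journal with `dmesg | grep 'UFW BLOCK'` piped in, and a run of the first verdict right after `ufw enable` is the signature to look for; real lines carry a timestamp prefix, which the search-based regex tolerates.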

#StackBounty: #docker #ssh Accessing Files on a Windows Docker Container Easily

Bounty: 50

Summary

So I’m trying to figure out a way to use docker to be able to spin up testing environments for customers rather easily. Basically, I’ve got a customized piece of software that I want to install to a Windows docker container (microsoft/windowsservercore), and I need to be able to access the program folder for that software (C:\Program Files\SOFTWARE_NAME) as it has some logs, imports/exports, and other miscellaneous configuration files. The installation part was easy, and I figured that out after a few hours of messing around with docker and learning how it works, but transferring files in a simple manner is proving far more difficult than I would expect. I’m well aware of the docker cp command, but I’d like something that allows the files to be viewed in a file browser to allow testers to quickly/easily view log/configuration files from the container.

Background (what I’ve tried):

I’ve spent 20+ hours monkeying around with running an SSH server on the docker container, so I could just ssh in and move files back and forth, but I’ve had no luck. I’ve spent most of my time trying to configure OpenSSH, and I can get it installed, but there appears to be something wrong with the default configuration file provided with my installation, as I can’t get it up and running unless I start it manually via command line by running sshd -d. Strangely, this runs just fine, but it isn’t really a viable solution as it is running in debug mode and shuts down as soon as the connection is closed. I can provide more detail on what I’ve tested with this, but it seems like it might be a dead end (even though I feel like this should be extremely simple). I’ve followed every guide I can find (though half are specific to linux containers), and haven’t gotten any of them to work, and half the posts I’ve found just say “why would you want to use ssh when you can just use the built in docker commands”. I want to use ssh because it’s simpler from an end user’s perspective, and I’d rather tell a tester to ssh to a particular IP than make them interact with docker via the command line.

EDIT: Using OpenSSH

I start the server using net start sshd, which reports that it started successfully; however, the service stops immediately if I haven’t generated at least an RSA or DSA key using:

ssh-keygen.exe -f "C:\Program Files\OpenSSH-Win64/./ssh_host_rsa_key" -t rsa

And modifying the permissions using:

icacls "C:\Program Files\OpenSSH-Win64/" /grant sshd:(OI)(CI)F /T

and

icacls "C:\Program Files\OpenSSH-Win64/" /grant ContainerAdministrator:(OI)(CI)F /T

Again, I’m using the default supplied sshd_config file, but I’ve tried just about every adjustment of those settings I can find and none of them help.

I also attempted to set up volumes to do this, but because the installation of our software is done at compile time in docker, the folder that I want to map as a container is already populated with files, which seems to make docker fail when I try to start the container with the volume attached. This section of documentation seems to say this should be possible, but I can’t get it to work. I keep getting errors when I try to start the container saying “the directory is not empty”.

EDIT: Command used:

docker run -it -d -p 9999:9092 --mount source=my_volume,destination=C:/temp my_container

Running this on a ProxMox VM.

At this point, I’m running out of ideas, and something that I feel like should be incredibly simple is taking me far too many hours to figure out. It particularly frustrates me that I see so many blog posts saying “Just use the built in docker cp command!” when that is honestly a pretty bad solution when you’re going to be browsing lots of files and viewing/editing them. I really need a method that allows the files to be viewed in a file browser/notepad++.

Is there something obvious here that I’m missing? How is this so difficult? Any help is appreciated.


#StackBounty: #ssh #password #gnome-keyring GNOME keyring daemon sometimes not asking for passphrase

Bounty: 50

I use a CentOS 7.5 machine, set up with pubkey authentication to ssh to remote servers. Normally, as soon as I ssh to the first server, I get a GNOME graphical prompt asking to type my passphrase to unlock the secret key, so it is not asked anymore during the GNOME session.

However, sometimes I get asked for the passphrase directly in the terminal:

Enter passphrase for key '/home/dr01/.ssh/id_rsa': 

This is annoying as then I will have to type it every time I connect to a server.

I see that the GNOME Keyring daemon runs at boot as /usr/bin/gnome-keyring-daemon --start --components=pkcs11. I’ve tried to restart it with various combinations of the options --unlock, --replace, --daemonize, or --start but it hangs, or starts normally but it doesn’t prompt me for the passphrase. A strace didn’t show anything meaningful to me. How can I fix this issue?


#StackBounty: #windows-7 #ssh #crash #putty #ssh-tunnel PuTTY crashes on exit and requires computer reboot

Bounty: 100

PuTTY crashes when the program tries to exit. When it crashes, the window will freeze and will not close no matter what. Force close will not work, the task manager will not work. pskill from pstools (using an administrator command prompt) has no effect; it says the process has been killed, but it remains. Nothing will make the window go away except for a computer reboot.

This has been happening for a few weeks, possibly caused by a recent Windows update, but that’s just a guess. It doesn’t happen every time, but maybe 50% of the time. It crashes whether it is a manual exit invoked by typing “exit” or “logout”, or when it exits itself because the computer has gone to sleep.

It only happens when I use port tunneling. I always have several PuTTY windows open, and the only one that crashes is the one with a port tunnel open.

Before the most recent crash, I opened the PuTTY log to see what it said. The final line was “Server sent command exit status 0”, which seems normal.

server exit status 0

Here is a screenshot of my port tunnelling settings, in case that’s relevant:

port tunnel D9090

Here is the Windows error box, which identifies the type of error as “AppHangB1”:

Google has given me zero results. Searches for this type of crash have told me that it’s often caused by a buggy driver, so that’s one possible avenue, if anyone knows what I should try to update/roll back.

I updated PuTTY to the most recent version to no effect. I have not tried updating the remote computer (which I control) or my router, but I’d hope that neither of them are related to this kind of crash, which seems related to Windows itself.

Windows 7


#StackBounty: #ssh #rsa #ssh-host-key #github Why are the gitlab SSH host key fingerprints not matching?

Bounty: 50

I tried to log into my university’s gitlab via SSH. As expected, I was warned that the host is not known. Therefore, I tried to find the SSH host key on the “current configuration” page in the manual. However, I found that the key does not match the key that SSH shows me on the first connect.

To demonstrate this, here you can find the respective “instance_configuration” page for gitlab.com. The RSA-SHA256 fingerprint is said to be

2fdd0c7dfa7d9381f847266c800eafc96f5866fe859c4f1cf87da885c82e333a

Using the script I found on this superuser post (or when connecting via SSH for the first time) I am told that the RSA-SHA256 for the SSH host is

ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ

which is

44e405bcf4e11ab5b846e58ba0bf6dabd23dcc9e367cae17cb0c91b5b3b3fc44

in hexadecimal (and hopefully matches what you see… or not).

My questions: Shouldn’t these be equal? Did I miss something? How can I verify that the SSH connection is secure?


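As an added example (not from the question, GitLab or OpenSSH), the Python below computes the presentations of an SSH host key fingerprint that usually get compared (OpenSSH's unpadded base64 SHA256, the 64-hex-character form a web page may list, and the legacy MD5 colon form) and normalizes any of them to (algorithm, digest bytes) before comparing, so that the base64 and hex values quoted above can be checked against each other; the ed25519 key it builds is constructed from arbitrary bytes and is not a real key.

```python
import base64
import hashlib
import struct

HEX = set("0123456789abcdef")

def _b64_decode_unpadded(s):
    """OpenSSH prints SHA256 fingerprints as base64 with the '=' padding dropped."""
    return base64.b64decode(s + "=" * (-len(s) % 4))

def key_blob(pubkey_line):
    """Raw key blob from an OpenSSH public key line ('ssh-ed25519 AAAA... comment').
    Every SSH fingerprint, whatever its presentation, is a hash of this blob."""
    return base64.b64decode(pubkey_line.split()[1])

def fingerprint_sha256(pubkey_line):
    """What ssh-keygen -l and the first-connect prompt show: SHA256: + unpadded base64."""
    digest = hashlib.sha256(key_blob(pubkey_line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def sha256_hex(pubkey_line):
    """The same digest as 64 hex characters, the form a web page often lists."""
    return hashlib.sha256(key_blob(pubkey_line)).hexdigest()

def fingerprint_md5(pubkey_line):
    """Legacy presentation (ssh-keygen -E md5): MD5: + colon-separated hex."""
    hexd = hashlib.md5(key_blob(pubkey_line)).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))

def normalize_fingerprint(fp):
    """Reduce any common presentation ('SHA256:<base64>', bare base64, 64 hex chars,
    'MD5:aa:bb:...', 32 hex chars) to (algorithm, digest bytes); ValueError otherwise."""
    label, _, rest = fp.strip().partition(":")
    if label.upper() not in ("SHA256", "MD5"):
        label, rest = "", fp.strip()
    rest = rest.replace(":", "")
    if len(rest) == 64 and set(rest.lower()) <= HEX:
        algo, raw = "SHA256", bytes.fromhex(rest)
    elif len(rest) == 32 and set(rest.lower()) <= HEX:
        algo, raw = "MD5", bytes.fromhex(rest)
    elif len(rest) == 43:
        algo, raw = "SHA256", _b64_decode_unpadded(rest)
    else:
        raise ValueError(f"unrecognised fingerprint format: {fp!r}")
    if label and label.upper() != algo:
        raise ValueError(f"label {label} does not fit a {algo} digest: {fp!r}")
    return algo, raw

def fingerprints_match(a, b):
    """True only when both are the same algorithm and the same digest bytes."""
    return normalize_fingerprint(a) == normalize_fingerprint(b)

def constructed_key():
    """Syntactically valid ed25519 public key line built from 32 arbitrary bytes (not a
    real key): SSH wire encoding is string(key type) + string(32-byte point)."""
    point = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    # The two values quoted in the question: the prompt's base64 form and its hex.
    print(fingerprints_match("SHA256:ROQFvPThGrW4RuWLoL9tq9I9zJ42fK4XywyRtbOz/EQ",
                             "44e405bcf4e11ab5b846e58ba0bf6dabd23dcc9e367cae17cb0c91b5b3b3fc44"))
```

A published value that does not normalize to the same algorithm and digest as the first-connect prompt is a real mismatch, whichever side is at fault, and until the key is confirmed through a second channel the host stays unverified.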
#StackBounty: #ubuntu #ssh #amazon-ec2 #openvpn OpenVPN client on Amazon EC2 leading to SSH disconnect

Bounty: 200

I am running Ubuntu 14.04 on Amazon EC2. I am trying to connect the EC2 instance to an OpenVPN server so the traffic routes through the VPN.

When I do a sudo openvpn --config <config>.ovpn, the SSH connection disconnects, and I am unable to connect to it anymore.

Below is the ovpn config file:

setenv FORWARD_COMPATIBLE 1
setenv UV_SERVERID 581
client
dev tun
proto udp
remote 45.64.105.207 8292
nobind
persist-key
persist-tun
ns-cert-type server
key-direction 1
push-peer-info
comp-lzo
explicit-exit-notify
verb 3
mute 20
reneg-sec 86400
mute-replay-warnings
max-routes 1000

Below is the output of the OpenVPN connection, or what I last see of it.

Wed Jul 15 10:23:05 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Wed Jul 15 10:23:05 2015 Control Channel Authentication: tls-auth using INLINE static key file
Wed Jul 15 10:23:05 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 15 10:23:05 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 15 10:23:05 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Wed Jul 15 10:23:05 2015 UDPv4 link local: [undef]
Wed Jul 15 10:23:05 2015 UDPv4 link remote: [AF_INET]182.18.155.184:8292
Wed Jul 15 10:23:05 2015 TLS: Initial packet from [AF_INET]182.18.155.184:8292, sid=c67100ed 4ce7c879
Wed Jul 15 10:23:07 2015 VERIFY OK: depth=1, C=.., ST=.., L=.., O=.., OU=.., CN=ASCA, emailAddress=..
Wed Jul 15 10:23:07 2015 VERIFY OK: nsCertType=SERVER
Wed Jul 15 10:23:07 2015 VERIFY OK: depth=0, C=.., ST=.., L=.., O=.., OU=.., CN=SERVER195, emailAddress=..
Wed Jul 15 10:23:12 2015 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jul 15 10:23:12 2015 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 15 10:23:12 2015 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Wed Jul 15 10:23:12 2015 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Wed Jul 15 10:23:12 2015 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Wed Jul 15 10:23:12 2015 [SERVER195] Peer Connection Initiated with [AF_INET]182.18.155.184:8292
Wed Jul 15 10:23:14 2015 SENT CONTROL [SERVER195]: 'PUSH_REQUEST' (status=1)
Wed Jul 15 10:23:15 2015 PUSH: Received control message: 'PUSH_REPLY,sndbuf 262144,rcvbuf 262144,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 198.18.0.1,ping 10,ping-restart 90,comp-lzo no,route-gateway 198.18.0.1,topology subnet,ifconfig 198.18.1.134 255.255.240.0'
Wed Jul 15 10:23:15 2015 OPTIONS IMPORT: timers and/or timeouts modified
Wed Jul 15 10:23:15 2015 OPTIONS IMPORT: LZO parms modified
Wed Jul 15 10:23:15 2015 OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Wed Jul 15 10:23:15 2015 Socket Buffers: R=[131072->425984] S=[131072->425984]


#StackBounty: #windows #ssh #proxy #tunnel #socks How to create a transparent tunnel through socks on windows?

Bounty: 100

I want to make a tunnel: listen on some fixed port on my local machine, and send all traffic it receives over a SOCKS proxy (with authentication) to some specific fixed host&port behind that proxy, and back.
On windows.
It should behave like ssh port forwarding tunnel but with authenticated SOCKS proxy in between.
How can I achieve that?


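As an added example (not from the question or from any particular tool), the Python below implements the client side of the proxy hop such a tunnel needs: the RFC 1928 SOCKS5 method negotiation, the RFC 1929 username/password sub-negotiation and the CONNECT request to a fixed host:port, returning a plain socket; the proxy address, credentials and target in the main block are placeholders.

```python
import socket
import struct

def build_greeting():
    """RFC 1928 hello offering one auth method only: username/password (0x02)."""
    return b"\x05\x01\x02"

def build_userpass(user, password):
    """RFC 1929 sub-negotiation: VER=1, ULEN, UNAME, PLEN, PASSWD, sent in clear."""
    u, p = user.encode(), password.encode()
    if len(u) > 255 or len(p) > 255:
        raise ValueError("RFC 1929 limits user and password to 255 bytes")
    return b"\x01" + bytes([len(u)]) + u + bytes([len(p)]) + p

def build_connect(host, port):
    """RFC 1928 CONNECT, ATYP=3 (domain name): the proxy resolves the name."""
    h = host.encode()
    if len(h) > 255:
        raise ValueError("host name too long for ATYP=3")
    return b"\x05\x01\x00\x03" + bytes([len(h)]) + h + struct.pack(">H", port)

def bound_addr_length(atyp, first_byte=0):
    """Size of BND.ADDR + BND.PORT that follow the 4-byte CONNECT reply header."""
    if atyp == 1:
        return 4 + 2
    if atyp == 4:
        return 16 + 2
    if atyp == 3:
        return first_byte + 2   # the length byte itself was consumed by the caller
    raise ValueError(f"unexpected ATYP {atyp} in CONNECT reply")

def recv_exact(sock, n):
    """Read exactly n bytes; an early close by the proxy is a handshake failure."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf

def socks5_connect(proxy, user, password, target):
    """Return a socket connected to target through proxy, or raise ConnectionError."""
    s = socket.create_connection(proxy, timeout=10)
    s.sendall(build_greeting())
    if recv_exact(s, 2) != b"\x05\x02":       # method selection; 0xFF = none acceptable
        raise ConnectionError("proxy will not do username/password auth")
    s.sendall(build_userpass(user, password))
    if recv_exact(s, 2)[1] != 0:              # RFC 1929 status byte, 0 = success
        raise ConnectionError("proxy rejected the credentials")
    s.sendall(build_connect(*target))
    head = recv_exact(s, 4)                   # VER REP RSV ATYP
    first = recv_exact(s, 1)[0] if head[3] == 3 else 0
    recv_exact(s, bound_addr_length(head[3], first))  # BND.ADDR + BND.PORT, unused
    if head[1] != 0:                          # REP: 0 = succeeded
        raise ConnectionError(f"CONNECT refused by proxy, REP={head[1]}")
    s.settimeout(None)
    return s

if __name__ == "__main__":
    # Assumed placeholders, not values from the question.
    proxied = socks5_connect(("socks.example.internal", 1080), "user", "secret",
                             ("host.behind.proxy.example", 22))
    print("connected through the proxy:", proxied.getpeername())
```

What remains to make it a local forwarder is the generic part: listen on the fixed local port and copy bytes both ways between each accepted client and the socket socks5_connect returns. RFC 1929 hands the username and password to the proxy in cleartext, so that hop has to run over a trusted network path.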
#StackBounty: #shell #ssh #terminal #clipboard Bash commands get truncated when pasting multiple commands to terminal

Bounty: 50

I copy/pasted the following 100 lines into my terminal (xterm) to execute those on a server I am connected to over ssh:

mv /long/path/to/file1 /longer/path/to/file1
mv /long/path/to/file2 /longer/path/to/file2
...
mv /long/path/to/file99 /longer/path/to/file99
mv /long/path/to/file100 /longer/path/to/file100

Unfortunately, after the copy/paste, I could not find my 100 files under /longer/path/to/.

Looking at the bash history on the server I am connected to over ssh, I can see that after the first 20 commands, most of the commands got truncated:

mv /long/path/to/file1 /longer/path/to/file1
...
mv /long/path/to/file20 /longer/path/to/file20
mv /long/path/to/fi
mv /long/path/to/fi
mv /long/path/to/file23 /longer/p
mv /long/path/to/file24 /longer/path
mv /long/path/to/file25 /longer/p
mv /long/path/to/file26 /longer/p
mv /long/path/to/file27 /longer/path/t
mv /long/path/to/file28 /longer/path/to/fil
mv /long/path/to/file29 /longer/path/to/fil
mv /long/path/to/file30 /longer/path/to/file
mv /long/path/to/file31 /longer/path/to/file
...

I could find answers about how to work around this issue:

But I could not find an explanation over what is exactly happening. Notably:

  • is it a terminal-related issue (Xterm in my case)?
  • the copy/paste occurs over ssh: does this generate or magnify the issue?
  • is it a bash-related issue on the server? Would it maybe not happen with another shell?

