Sniffing an SSH session:
It is hard to trace or decrypt the data of an SSH session by sniffing it; capturing the packet streams of an SSH session reveals hardly anything about the data being carried.
Try it with #tcpdump -w ssh_sniff.log -i eth0 dst port 22 and analyze the capture using ethereal.
The output shows that the data is encrypted before it is sent across the wire.
So using secure ID (key-based) authentication instead of password login is more secure, because the username and password are never exposed.
SSH is based on PKI: there is a public key and a private key. The known_hosts file in the user's ~/.ssh directory holds the public key of each remote server. When the SSH client makes the connection it encrypts the data to the server using the server's public key. The public key has to be shared with the client, and only the one server that created (and holds) the private key can decrypt it.
Creating key-based authentication in SSH:
User-based keypair:
$ssh-keygen -t rsa
This starts generating the private and public keys, asking for the path of the file in which they are to be stored.
It ends by printing the key fingerprint, which is unique for each and every key.
So the end result is two keys:
- id_rsa the private key
- id_rsa.pub the public key
Copy the public key to the remote host:
#scp id_rsa.pub user@remotehost:
Then on the remote system (append with >>, so that any keys already in the file are kept):
#cat id_rsa.pub >> ~/.ssh/authorized_keys
#chmod 600 ~/.ssh/authorized_keys
(~/.ssh itself must not be group- or world-writable, otherwise sshd refuses to use the key.)
Now try connecting to the server.
Any errors that occur are logged to /var/log/secure.
Always check the authorized_keys file for tampering: since it provides passwordless login, it is an attack vector. So always ensure that the file has not been tampered with. Any unusual entry in this file should be treated with high precaution.
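The tampering check described above can be made routine. The script below is an added example, not part of the original notes: it compares an authorized_keys file against a baseline copy (assumed to have been saved when the key was installed), verifies the 600 mode set above, and lists any option-restricted keys for the reviewer. The file and baseline paths are arguments; nothing on the page fixes their names.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit an authorized_keys
# file against a baseline copy taken when the keys were installed.
#
# check_authorized_keys FILE BASELINE
#   exits 0 when FILE is mode 600 and every key line in FILE also appears
#   in BASELINE; exits 1 (printing what is wrong) otherwise.
check_authorized_keys() {
    file="$1"
    baseline="$2"
    rc=0

    # Permission check: the notes set the file to 600; anything looser is
    # reported (GNU stat first, BSD/macOS stat as fallback).
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    if [ "$mode" != "600" ]; then
        echo "WARN: $file is mode $mode, expected 600"
        rc=1
    fi

    # Content check: drop blank and comment lines, then list every key line
    # that is not present verbatim in the baseline (-F fixed string, -x whole line).
    # "|| true" keeps an empty result from being treated as a failure.
    unexpected=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' \
                 | grep -Fxv -f "$baseline" || true)
    if [ -n "$unexpected" ]; then
        echo "WARN: keys in $file not present in baseline $baseline:"
        echo "$unexpected"
        rc=1
    fi

    # Keys carrying options such as command= or from= are legitimate but worth
    # knowing about, so list them for the reviewer (informational only).
    grep -E '(^|,)(command|from)=' "$file" | sed 's/^/NOTE: option-restricted key: /'

    return "$rc"
}

# Usage: sh audit_keys.sh ~/.ssh/authorized_keys ~/.ssh/authorized_keys.baseline
if [ "$#" -ge 2 ]; then
    check_authorized_keys "$1" "$2"
fi
```

Run it from cron or after every login-related alert; a non-zero exit means the file no longer matches what you installed, which is exactly the condition the notes say to watch for.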
Port Forwarding Using SSH:
This creates a pseudo VPN. Using this tunnel we can encrypt the data and secure the communication.
E.g. telnet/vftp can be secured by making the communication go through an SSH tunnel.
For example, securing telnet access:
Change the binding address parameter in xinetd for telnetd:
bind = 127.0.0.1
Restart xinetd; the service is then available only on the loopback adaptor.
Now use tunneling to forward the port.
Local (127.0.0.1:2323) -> SSH tunnel -> RemoteHost (127.0.0.1:23)
# ssh -L 2323:127.0.0.1:23 192.168.1.100
This binds port 2323 on the local loopback adaptor (127.0.0.1) and forwards it through the tunnel to port 23 on the remote host's (192.168.1.100) loopback adaptor (127.0.0.1).
Now telnet to 127.0.0.1 port 2323 locally. The connection will be established over the SSH tunnel.
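The whole point of the xinetd bind change is that telnetd is no longer reachable from the network, so it is worth verifying that before trusting the tunnel. The script below is an added example, not from the original notes: listens_only_on_loopback reads an ss -ltn (or netstat -ltn) listing on standard input, so it can be run against the live socket table or a saved listing, and reports whether every listener on the given port is bound to a loopback address. The helper names, the use of ss, and the -f -N flags on the tunnel command are this example's choices, not the page's.

```shell
#!/bin/sh
# Added example (not part of the original notes): confirm that a service
# moved behind the tunnel really listens on the loopback adaptor only, and
# open the tunnel described above.

# listens_only_on_loopback PORT  < "ss -ltn" (or "netstat -ltn") output
#   exit 0: every listener on PORT is bound to 127.0.0.1 / ::1
#   exit 1: at least one listener on PORT is bound to a non-loopback address
#   exit 2: nothing listens on PORT at all
listens_only_on_loopback() {
    awk -v port="$1" '
        # column 4 is "Local Address:Port" in both ss and netstat listings
        $4 ~ (":" port "$") {
            addr = $4
            sub(/:[0-9]+$/, "", addr)          # strip the trailing :PORT
            seen++
            if (addr != "127.0.0.1" && addr != "[::1]" && addr != "::1")
                bad++
        }
        END {
            if (seen == 0) exit 2
            if (bad > 0) exit 1
            exit 0
        }'
}

# check_telnet_binding: run the check against the live socket table; run it
# on the remote host after the xinetd "bind = 127.0.0.1" change.
check_telnet_binding() {
    ss -ltn 2>/dev/null | listens_only_on_loopback 23
}

# open_telnet_tunnel REMOTEHOST: the forwarding from the notes, kept in the
# background (-f) with no remote command (-N); then telnet 127.0.0.1 2323.
open_telnet_tunnel() {
    ssh -f -N -L 2323:127.0.0.1:23 "$1"
}
```

A listener shown as 0.0.0.0:23 or [::]:23 means the bind setting did not take effect (for instance xinetd was not restarted, or telnetd is started by another mechanism), and the tunnel then adds encryption without removing the plaintext exposure.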
Checking file integrity using md5sum:
This utility is available under almost all Linux distros. It generates a unique bit-matching string (digest) for a given file. This is used to check the integrity of files, normally downloaded binaries.
Create a test.txt file and check its md5sum:
#seq 10000 > test.txt
#md5sum test.txt
This shows a unique key for the file test.txt. Make a note of this value, then move test.txt across the wire and check again.
Both strings will be the same.
Modifying the file changes the md5sum string, so this can be used to confirm that the same package has been downloaded without corruption over the wire. If the content is changed and then restored to the original, the md5sum will be the same as the original; that is, the md5sum depends only on the content of the file, so renaming a binary does not change its md5sum. This is useful to detect the impact of a man-in-the-middle attack on downloaded binaries, or to check the integrity of downloaded open source packages.
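The rename/modify behaviour described above, and the download check it supports, are put into a small script below. It is an added example, not part of the original notes: digest prints the hex digest of a file and verify_digest compares it with a value obtained out of band (for example from the vendor's signed checksum list); a digest fetched from the same server as the file gives no protection against an attacker who controls that server. The helper also accepts sha256, because MD5 collisions are practical today and sha256sum ships alongside md5sum in coreutils; the function names and the default to md5 are this example's choices.

```shell
#!/bin/sh
# Added example (not part of the original notes): compute and verify a file
# digest the way the md5sum check above is used, with the same helper
# working for sha256 (the stronger choice for integrity checks today).

# digest FILE [ALGO]   prints the hex digest; ALGO is md5 (default) or sha256
digest() {
    file="$1"
    algo="${2:-md5}"
    case "$algo" in
        md5)    tool=md5sum ;;
        sha256) tool=sha256sum ;;
        *)      echo "unknown algorithm: $algo" >&2; return 2 ;;
    esac
    # coreutils print "<hash>  <name>"; keep only the hash, so that the
    # file name (which does not affect the digest) never enters the comparison
    "$tool" "$file" | awk '{ print $1 }'
}

# verify_digest FILE EXPECTED [ALGO]
#   exit 0 when the file's digest equals EXPECTED, 1 on mismatch,
#   2 when the digest could not be computed.
verify_digest() {
    actual=$(digest "$1" "${3:-md5}") || return 2
    if [ "$actual" = "$2" ]; then
        echo "OK: $1 matches"
        return 0
    fi
    echo "MISMATCH: $1 is $actual, expected $2" >&2
    return 1
}

# Usage: sh check.sh package.tar.gz <expected digest> [md5|sha256]
if [ "$#" -ge 2 ]; then
    verify_digest "$1" "$2" "${3:-md5}"
fi
```

Renaming or copying the file leaves the digest unchanged, appending a single byte changes it, and restoring the original bytes restores the digest, which is exactly the content-only property the notes describe.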