Perguntas[ssh](unix)

Fundo

Estou configurando um backup rsync via serviço SSH via SystemD. No fim das contas, isso não está funcionando devido ao SElinux local; exemplo mínimo reproduzível:

[Unit]
Description=Rsync backup service

[Service]
Type=oneshot
User=myuser
ExecStart=/usr/bin/ssh -vvv 192.168.1.10 "ls -lah"

Se eu, setenforce 0antes de iniciar o serviço, tudo funciona como esperado e recebo a listagem de diretórios solicitada. Se o SElinux estiver impondo, recebo um erro do SystemD:

Starting backup.service - Rsync backup service...
backup.service: Main process exited, code=exited, status=203/EXEC
backup.service: Failed with result 'exit-code'.
Failed to start backup.service - Rsync backup service

Da mesma forma, se eu executar via SystemD com rsync, vejo o processo filho encerrado com -13:

rsync: [sender] Failed to exec /usr/bin/ssh: Permission denied (13)

Coisas que verifiquei

• Todos os comandos funcionam conforme o esperado quando executados em um terminal, independentemente do estado imposto pelo SElinux.

• Estou executando como meu usuário ( ExecStart=/usr/bin/whoami):

  whoami[726624]: myuser
  

• Posso acessar o binário ssh ( ExecStart=/usr/bin/which ssh):

  which[727067]: /usr/bin/ssh
  

• Posso acessar meu .sshdiretório de usuários (não publicarei registros disso por motivos óbvios).

• De acordo com esta publicação do SO, o SElinux pode bloquear portas não padrão. Eu permiti apenas a porta padrão (o rsync usa uma porta diferente?), mas isso deve funcionar, já que o caso de teste base não usa uma porta diferente:

  # semanage port -l | grep ssh
  ssh_port_t                     tcp      22
  

Pergunta

O que faria o SElinux bloquear tentativas de SSH somente do SystemD, apesar de usar portas padrão e ter permissões totais para os arquivos envolvidos?

Edição 1

Verificando mensagens de negação explicitamente:

# ausearch -m AVC,USER_AVC,SELINUX_ERR,USER_SELINUX_ERR
...
type=AVC msg=audit(1743626691.891:17160): avc:  denied  { execute } for  pid=728337 comm="(ssh)" name="ssh" dev="dm-0" ino=3077371 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file permissive=0
# journalctl -t setroubleshoot
-- No entries --
# dmesg | grep -i -e type=1300 -e type=1400
#

Admito que meu SElinux não é dos melhores e não tenho muita certeza do que fazer com isso. Estou folheando a documentação, mas ela é... volumosa... às vezes.

Estou seguindo o guia da Altera para executar Linux na placa DE1-SoC, especificamente a seção 5.3 - Instalando o driver.

As instruções fornecidas no guia são para um host Windows, e estou em um host Linux (atualmente não tenho nenhum host Windows disponível para uso permanente). Estou seguindo as instruções, mas não consigo fazer ssh no dispositivo, e esgotei todos os meus esforços tentando solucionar o problema.

$ uname -r
5.15.0-124-generic

Para formar uma linha de base, na inicialização do host, antes mesmo de conectar a placa via USB:

$ ls -al /lib/modules/"$(uname -r)"/kernel/drivers/usb/serial/usbserial.ko
-rw-r--r-- 1 root root 116161 Sep 27  2024 /lib/modules/5.15.0-124-generic/kernel/drivers/usb/serial/usbserial.ko
$ ls -al /lib/modules/"$(uname -r)"/kernel/drivers/usb/serial/cp210x.ko
-rw-r--r-- 1 root root 79865 Sep 27  2024 /lib/modules/5.15.0-124-generic/kernel/drivers/usb/serial/cp210x.ko

$ lsmod | grep cp210x
$ sudo modprobe usbserial
$ sudo modprobe cp210x
$ lsmod | grep cp210x
cp210x                 40960  0
usbserial              57344  1 cp210x

Significa que carreguei o driver com sucesso.

$ dmesg | grep -i usb
...
[   30.186227] usb 2-3: current rate 16000 is different from the runtime rate 48000
[  124.301044] usbcore: registered new interface driver usbserial_generic
[  124.301067] usbserial: USB Serial support registered for generic
[  128.825043] usbcore: registered new interface driver cp210x
[  128.825069] usbserial: USB Serial support registered for cp210x

Correspondente às cargas de cima.

$ dmesg | grep -i tty
[    0.006788] ACPI: SSDT 0x0000000074487000 002357 (v02 ALASKA TbtTypeC 00000000 INTL 20200717)
[    0.117362] printk: console [tty0] enabled
[    0.401844] 00:01: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A
$ lsusb
...
$ ls /dev/tty*
...

$ lsusbtraz um monte de dispositivos e $ ls /dev/tty*lista um monte de terminais. A placa não está aparecendo, é claro, ela está desconectada, pois estou formando a linha de base.

Agora conecto a placa e a ligo.

$ dmesg | grep -i usb
...
[  128.825069] usbserial: USB Serial support registered for cp210x
[  244.712211] usb 1-1: new high-speed USB device number 5 using xhci_hcd
[  244.860515] usb 1-1: New USB device found, idVendor=09fb, idProduct=6810, bcdDevice= 0.01
[  244.860527] usb 1-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0

idVendor e idProduct estão identificados corretamente.

$ dmesg | grep -i tty[    0.006788] ACPI: SSDT 0x0000000074487000 002357 (v02 ALASKA TbtTypeC 00000000 INTL 20200717)
[    0.117362] printk: console [tty0] enabled
[    0.401844] 00:01: ttyS0 at I/O 0x3f8 (irq = 4, base_baud = 115200) is a 16550A

Nada mudou.

$ lsusb
...
Bus 001 Device 005: ID 09fb:6810 Altera

Esta linha é adicionada.

$ ls /dev/tty* Exibe exatamente a mesma lista - nada mudou.

Como mencionado acima, estou sem ideias. Agradeceria qualquer tipo de ajuda, para que eu possa fazer ssh para a placa e começar a comunicação entre o núcleo ARM e o FPGA.

Eu sei que esse é um assunto popular, mas não consigo encontrar a solução certa para o meu problema. No meu PC, eu uso scp e ssh com firmware OpenWrt, geralmente eu uso Debian ou Linux Mint sem nenhum problema, mas eu fiz uma instalação nova e agora tenho problemas com o backup da minha configuração de firmware. Aqui está o que eu uso há 2 anos sem nenhum problema.

#  openwrt_backup
# Create tar_main
ssh [email protected] sysupgrade -b /tmp/backup-main-$(date +%F).tar.gz

# Copy to local dir
scp -O [email protected]:/tmp/backup-*.tar.gz james@ninja:/run/media/james/E/openWrt_backup/

O problema agora é que depois do segundo comando, transferir o backup para o meu PC local, nada acontece:

james@ninja:~> scp -O [email protected]:/tmp/backup-*.tar.gz james@ninja:/run/media/james/E/openWrt_backup/
james@ninja:~>      # empty answer??

Ideia? Obrigado

Toda vez que tento executar, sudo rsnapshot -v alpharecebo esse tipo de erro (ocorre em todas as entradas de backup que tenho):

    ERROR: /usr/bin/rsync returned 255 while processing [email protected]:/etc/
    /usr/bin/rsync -a --delete --numeric-ids --relative --delete-excluded \
        --rsh=/usr/bin/ssh -i /home/user/ssh/id_ed25519 \
        [email protected]:/usr/share/ \
        /var/cache/rsnapshot/alpha.0/server_backup/

1. Sim, rsync instalado no servidor e nesta máquina
2. Sim, o rsync funciona se eu tentar copiar manualmente alguns arquivos com essas credenciais de root do remoto
3. Há uma coisa que pode ser potencialmente isso. Quando tentei executar o comando errored out, ele exigiu aspas em torno dos argumentos para o rsh. Caso contrário, ele lançaria um erro de sintaxe. Mas não tenho certeza de como forçar o rsnapshot a fazer isso. E se eu executar o comando errored out com aspas em torno da chave rsh, ele também apresentará um erro com o código 255.
4. O firewall não bloqueia o ssh.
5. O servidor permite apenas autenticação de chave pública
6. Eu hospedo meu servidor Ubuntu no Vultr

Aqui está meu rsnapshot.confarquivo

    #################################################
    # rsnapshot.conf - rsnapshot configuration file #
    #################################################
    #                                               #
    # PLEASE BE AWARE OF THE FOLLOWING RULE:        #
    #                                               #
    # This file requires tabs between elements      #
    #                                               #
    #################################################

    #######################
    # CONFIG FILE VERSION #
    #######################

    config_version  1.2

    ###########################
    # SNAPSHOT ROOT DIRECTORY #
    ###########################

    # All snapshots will be stored under this root directory.
    #
    snapshot_root   /var/cache/rsnapshot/

    # If no_create_root is enabled, rsnapshot will not automatically create the
    # snapshot_root directory. This is particularly useful if you are backing
    # up to removable media, such as a FireWire or USB drive.
    #
    #no_create_root 1

    #################################
    # EXTERNAL PROGRAM DEPENDENCIES #
    #################################

    # LINUX USERS:   Be sure to uncomment "cmd_cp". This gives you extra features.
    # EVERYONE ELSE: Leave "cmd_cp" commented out for compatibility.
    #
    # See the README file or the man page for more details.
    #
    cmd_cp      /bin/cp

    # uncomment this to use the rm program instead of the built-in perl routine.
    #
    cmd_rm      /bin/rm

    # rsync must be enabled for anything to work. This is the only command that
    # must be enabled.
    #
    cmd_rsync   /usr/bin/rsync

    # Uncomment this to enable remote ssh backups over rsync.
    #
    cmd_ssh /usr/bin/ssh

    # Comment this out to disable syslog support.
    #
    cmd_logger  /usr/bin/logger

    # Uncomment this to specify the path to "du" for disk usage checks.
    # If you have an older version of "du", you may also want to check the
    # "du_args" parameter below.
    #
    #cmd_du     /usr/bin/du

    # Uncomment this to specify the path to rsnapshot-diff.
    #
    #cmd_rsnapshot_diff /usr/bin/rsnapshot-diff

    # Specify the path to a script (and any optional arguments) to run right
    # before rsnapshot syncs files
    #
    #cmd_preexec    /path/to/preexec/script

    # Specify the path to a script (and any optional arguments) to run right
    # after rsnapshot syncs files
    #
    #cmd_postexec   /path/to/postexec/script

    # Paths to lvcreate, lvremove, mount and umount commands, for use with
    # Linux LVMs.
    #
    #linux_lvm_cmd_lvcreate /sbin/lvcreate
    #linux_lvm_cmd_lvremove /sbin/lvremove
    #linux_lvm_cmd_mount    /bin/mount
    #linux_lvm_cmd_umount   /bin/umount

    #########################################
    #     BACKUP LEVELS / INTERVALS         #
    # Must be unique and in ascending order #
    # e.g. alpha, beta, gamma, etc.         #
    #########################################

    retain  alpha   6
    retain  beta    7
    retain  gamma   4
    #retain delta   3

    ############################################
    #              GLOBAL OPTIONS              #
    # All are optional, with sensible defaults #
    ############################################

    # Verbose level, 1 through 5.
    # 1     Quiet           Print fatal errors only
    # 2     Default         Print errors and warnings only
    # 3     Verbose         Show equivalent shell commands being executed
    # 4     Extra Verbose   Show extra verbose information
    # 5     Debug mode      Everything
    #
    verbose     2

    # Same as "verbose" above, but controls the amount of data sent to the
    # logfile, if one is being used. The default is 3.
    # If you want the rsync output, you have to set it to 4
    #
    loglevel    3

    # If you enable this, data will be written to the file you specify. The
    # amount of data written is controlled by the "loglevel" parameter.
    #
    logfile /var/log/rsnapshot.log

    # If enabled, rsnapshot will write a lockfile to prevent two instances
    # from running simultaneously (and messing up the snapshot_root).
    # If you enable this, make sure the lockfile directory is not world
    # writable. Otherwise anyone can prevent the program from running.
    #
    lockfile    /var/run/rsnapshot.pid

    # By default, rsnapshot check lockfile, check if PID is running
    # and if not, consider lockfile as stale, then start
    # Enabling this stop rsnapshot if PID in lockfile is not running
    #
    #stop_on_stale_lockfile     0

    # Default rsync args. All rsync commands have at least these options set.
    #
    #rsync_short_args   -a
    #rsync_long_args    --delete --numeric-ids --relative --delete-excluded

    # ssh has no args passed by default, but you can specify some here.
    #
    ssh_args    -i /home/user/ssh/id_ed25519

    # Default arguments for the "du" program (for disk space reporting).
    # The GNU version of "du" is preferred. See the man page for more details.
    # If your version of "du" doesn't support the -h flag, try -k flag instead.
    #
    #du_args    -csh

    # If this is enabled, rsync won't span filesystem partitions within a
    # backup point. This essentially passes the -x option to rsync.
    # The default is 0 (off).
    #
    #one_fs     0

    # The include and exclude parameters, if enabled, simply get passed directly
    # to rsync. If you have multiple include/exclude patterns, put each one on a
    # separate line. Please look up the --include and --exclude options in the
    # rsync man page for more details on how to specify file name patterns.
    #
    #include    ???
    #include    ???
    #exclude    ???
    #exclude    ???

    # The include_file and exclude_file parameters, if enabled, simply get
    # passed directly to rsync. Please look up the --include-from and
    # --exclude-from options in the rsync man page for more details.
    #
    #include_file   /path/to/include/file
    #exclude_file   /path/to/exclude/file

    # If your version of rsync supports --link-dest, consider enabling this.
    # This is the best way to support special files (FIFOs, etc) cross-platform.
    # The default is 0 (off).
    #
    #link_dest  0

    # When sync_first is enabled, it changes the default behaviour of rsnapshot.
    # Normally, when rsnapshot is called with its lowest interval
    # (i.e.: "rsnapshot alpha"), it will sync files AND rotate the lowest
    # intervals. With sync_first enabled, "rsnapshot sync" handles the file sync,
    # and all interval calls simply rotate files. See the man page for more
    # details. The default is 0 (off).
    #
    #sync_first 0

    # If enabled, rsnapshot will move the oldest directory for each interval
    # to [interval_name].delete, then it will remove the lockfile and delete
    # that directory just before it exits. The default is 0 (off).
    #
    #use_lazy_deletes   0

    # Number of rsync re-tries. If you experience any network problems or
    # network card issues that tend to cause ssh to fail with errors like
    # "Corrupted MAC on input", for example, set this to a non-zero value
    # to have the rsync operation re-tried.
    #
    #rsync_numtries 0

    # LVM parameters. Used to backup with creating lvm snapshot before backup
    # and removing it after. This should ensure consistency of data in some special
    # cases
    #
    # LVM snapshot(s) size (lvcreate --size option).
    #
    #linux_lvm_snapshotsize 100M

    # Name to be used when creating the LVM logical volume snapshot(s).
    #
    #linux_lvm_snapshotname rsnapshot

    # Path to the LVM Volume Groups.
    #
    #linux_lvm_vgpath   /dev

    # Mount point to use to temporarily mount the snapshot(s).
    #
    #linux_lvm_mountpath    /path/to/mount/lvm/snapshot/during/backup

    ###############################
    ### BACKUP POINTS / SCRIPTS ###
    ###############################

    # REMOTE SERVER
    backup  [email protected]:/home/ server_backup/
    backup  [email protected]:/etc/  server_backup/

    #backup_script  /usr/local/bin/backup_pgsql.sh  localhost/postgres/
    # You must set linux_lvm_* parameters below before using lvm snapshots
    #backup lvm://vg0/xen-home/ lvm-vg0/xen-home/

    # EXAMPLE.COM
    #backup_exec    /bin/date "+ backup of example.com started at %c"
    #backup [email protected]:/home/ example.com/    +rsync_long_args=--bwlimit=16,exclude=core
    #backup [email protected]:/etc/  example.com/    exclude=mtab,exclude=core
    #backup_exec    ssh [email protected] "mysqldump -A > /var/db/dump/mysql.sql"
    #backup [email protected]:/var/db/dump/  example.com/
    #backup_exec    /bin/date "+ backup of example.com ended at %c"

    # CVS.SOURCEFORGE.NET
    #backup_script  /usr/local/bin/backup_rsnapshot_cvsroot.sh  rsnapshot.cvs.sourceforge.net/

    # RSYNC.SAMBA.ORG
    #backup rsync://rsync.samba.org/r   syncftp/    rsync.samba.org/rsyncftp/

Meus logs sshd têm esta aparência:

2025-01-21T16:47:06.445342+00:00 server sshd[2069]: Connection from 99.11.11.11 port 57908 on 151.131.222.222 port 22 rdomain ""
2025-01-21T16:47:06.445890+00:00 server sshd[2069]: debug1: Local version string SSH-2.0-OpenSSH_9.7p1 Ubuntu-7ubuntu4
2025-01-21T16:47:06.446150+00:00 server sshd[2069]: debug1: Remote protocol version 2.0, remote software version OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
2025-01-21T16:47:06.446387+00:00 server sshd[2069]: debug1: compat_banner: match: OpenSSH_8.9p1 Ubuntu-3ubuntu0.10 pat OpenSSH* compat 0x04000000
2025-01-21T16:47:06.448025+00:00 server sshd[2069]: debug1: permanently_set_uid: 109/65534 [preauth]
2025-01-21T16:47:06.448401+00:00 server sshd[2069]: debug1: list_hostkey_types: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519 [preauth]
2025-01-21T16:47:06.448865+00:00 server sshd[2069]: debug1: SSH2_MSG_KEXINIT sent [preauth]
2025-01-21T16:47:06.473088+00:00 server sshd[2069]: debug1: SSH2_MSG_KEXINIT received [preauth]
2025-01-21T16:47:06.473305+00:00 server sshd[2069]: debug1: kex: algorithm: curve25519-sha256 [preauth]
2025-01-21T16:47:06.473602+00:00 server sshd[2069]: debug1: kex: host key algorithm: ssh-ed25519 [preauth]
2025-01-21T16:47:06.473829+00:00 server sshd[2069]: debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none [preauth]
2025-01-21T16:47:06.474193+00:00 server sshd[2069]: debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none [preauth]
2025-01-21T16:47:06.474496+00:00 server sshd[2069]: debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
2025-01-21T16:47:06.502026+00:00 server sshd[2069]: debug1: SSH2_MSG_KEX_ECDH_INIT received [preauth]
2025-01-21T16:47:06.509345+00:00 server sshd[2069]: debug1: ssh_packet_send2_wrapped: resetting send seqnr 3 [preauth]
2025-01-21T16:47:06.509768+00:00 server sshd[2069]: debug1: rekey out after 134217728 blocks [preauth]
2025-01-21T16:47:06.510085+00:00 server sshd[2069]: debug1: SSH2_MSG_NEWKEYS sent [preauth]
2025-01-21T16:47:06.510210+00:00 server sshd[2069]: debug1: Sending SSH2_MSG_EXT_INFO [preauth]
2025-01-21T16:47:06.510573+00:00 server sshd[2069]: debug1: expecting SSH2_MSG_NEWKEYS [preauth]
2025-01-21T16:47:06.543286+00:00 server sshd[2069]: debug1: ssh_packet_read_poll2: resetting read seqnr 3 [preauth]
2025-01-21T16:47:06.543606+00:00 server sshd[2069]: debug1: SSH2_MSG_NEWKEYS received [preauth]
2025-01-21T16:47:06.543946+00:00 server sshd[2069]: debug1: rekey in after 134217728 blocks [preauth]
2025-01-21T16:47:06.544260+00:00 server sshd[2069]: debug1: KEX done [preauth]
2025-01-21T16:47:06.636933+00:00 server sshd[2069]: debug1: userauth-request for user root service ssh-connection method none [preauth]
2025-01-21T16:47:06.637064+00:00 server sshd[2069]: debug1: attempt 0 failures 0 [preauth]
2025-01-21T16:47:06.638069+00:00 server sshd[2069]: debug1: PAM: initializing for "root"
2025-01-21T16:47:06.641531+00:00 server sshd[2069]: debug1: PAM: setting PAM_RHOST to "99.11.11.11"
2025-01-21T16:47:06.642045+00:00 server sshd[2069]: debug1: PAM: setting PAM_TTY to "ssh"
2025-01-21T16:47:06.664190+00:00 server sshd[2069]: Connection closed by authenticating user root 99.11.11.11 port 57908 [preauth]
2025-01-21T16:47:06.665162+00:00 server sshd[2069]: debug1: do_cleanup [preauth]
2025-01-21T16:47:06.666011+00:00 server sshd[2069]: debug1: monitor_read_log: child log fd closed
2025-01-21T16:47:06.666354+00:00 server sshd[2069]: debug1: do_cleanup
2025-01-21T16:47:06.666609+00:00 server sshd[2069]: debug1: PAM: cleanup
2025-01-21T16:47:06.667644+00:00 server sshd[2069]: debug1: Killing privsep child 2070
2025-01-21T16:47:06.668031+00:00 server sshd[2069]: debug1: audit_event: unhandled event 12

Minhas regras do iptables são assim:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ufw-before-logging-input  all  --  anywhere             anywhere            
ufw-before-input  all  --  anywhere             anywhere            
ufw-after-input  all  --  anywhere             anywhere            
ufw-after-logging-input  all  --  anywhere             anywhere            
ufw-reject-input  all  --  anywhere             anywhere            
ufw-track-input  all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-forward  all  --  anywhere             anywhere            
ufw-before-forward  all  --  anywhere             anywhere            
ufw-after-forward  all  --  anywhere             anywhere            
ufw-after-logging-forward  all  --  anywhere             anywhere            
ufw-reject-forward  all  --  anywhere             anywhere            
ufw-track-forward  all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ufw-before-logging-output  all  --  anywhere             anywhere            
ufw-before-output  all  --  anywhere             anywhere            
ufw-after-output  all  --  anywhere             anywhere            
ufw-after-logging-output  all  --  anywhere             anywhere            
ufw-reject-output  all  --  anywhere             anywhere            
ufw-track-output  all  --  anywhere             anywhere            

Chain ufw-after-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-input (1 references)
target     prot opt source               destination         
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-ns
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn
ufw-skip-to-policy-input  tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootps
ufw-skip-to-policy-input  udp  --  anywhere             anywhere             udp dpt:bootpc
ufw-skip-to-policy-input  all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-after-output (1 references)
target     prot opt source               destination         

Chain ufw-before-forward (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ufw-user-forward  all  --  anywhere             anywhere            

Chain ufw-before-input (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  anywhere             anywhere             ctstate INVALID
DROP       all  --  anywhere             anywhere             ctstate INVALID
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere             icmp parameter-problem
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
ufw-not-local  all  --  anywhere             anywhere            
ACCEPT     udp  --  anywhere             mdns.mcast.net       udp dpt:mdns
ACCEPT     udp  --  anywhere             239.200.200.200      udp dpt:1900
ufw-user-input  all  --  anywhere             anywhere            

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination         

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination         

Chain ufw-before-output (1 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  anywhere             anywhere            

Chain ufw-logging-allow (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warn prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type MULTICAST
RETURN     all  --  anywhere             anywhere             ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  anywhere             anywhere             limit: avg 3/min burst 10
DROP       all  --  anywhere             anywhere            

Chain ufw-reject-forward (1 references)
target     prot opt source               destination         

Chain ufw-reject-input (1 references)
target     prot opt source               destination         

Chain ufw-reject-output (1 references)
target     prot opt source               destination         

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-track-forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-track-input (1 references)
target     prot opt source               destination         

Chain ufw-track-output (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             ctstate NEW
ACCEPT     udp  --  anywhere             anywhere             ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination         

Chain ufw-user-input (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh /* 'dapp_OpenSSH' */
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     udp  --  anywhere             dns.google           udp dpt:domain
ACCEPT     tcp  --  anywhere             dns.google           tcp dpt:domain

Chain ufw-user-limit (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warn prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination         

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination         

Chain ufw-user-output (1 references)
target     prot opt source               destination

Meu arquivo sshd_config:

PermitRootLogin yes


# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# Include /etc/ssh/sshd_config.d/*.conf

# When systemd socket activation is used (the default), the socket
# configuration must be re-generated after changing Port, AddressFamily, or
# ListenAddress.
#
# For changes to take effect, run:
#
#   systemctl daemon-reload
#   systemctl restart ssh.socket
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin prohibit-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

# override default of no subsystems
Subsystem sftp  /usr/lib/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server

Obrigado pela atenção, espero que alguém possa me ajudar a resolver isso. Passei o dia todo nessa questão.

Se você acha que eu posso usar outra ferramenta para os backups, por favor me avise. Sou novo em administração de sistemas, então agradeceria qualquer ajuda!

Estou tentando fazer backup do meu projeto, bancos de dados e ambiente nginx. Para isso, estou fazendo backup do meu servidor principal e colocando-o em /home/backup/. Tudo funciona no servidor principal.

Então, no meu segundo servidor, estou criando um cron para obter esses arquivos por meio do SCP.

Aqui está meu comando:

0 13  * * * sudo sshpass -p MyPassword sudo scp -P 40511 -r [email protected]:/home/backup /home

Estou usando a porta 40511 como SSH. O comando funciona se for iniciado manualmente, mas não funciona com o cron.

MyPassword contém um "!". Eu tentei com e sem aspas duplas.

O que estou fazendo errado?

Quando pergunto ao Google como o encaminhamento de agentes ssh funciona, ele me dá muitos links para lixo otimizado para SEO explicando como provisionar o ssh-agent. NÃO é isso que estou perguntando.

Atualmente, tenho um problema em que os trabalhos iniciados em uma sessão de tela no lado mais distante de uma conexão VPN falham porque não conseguem se conectar via ssh depois que a VPN falha.

Normalmente, esses trabalhos dependem do encaminhamento de agente do cliente de origem para conectar. Tenho suspeitas sobre o que está errado aqui, mas um melhor entendimento de todo o encaminhamento de agente ajudaria aqui.

Quando eu conecto do host0 para o hosta, o ssh-agent no host0 fornece minha chave privada para o cliente ssh no host0. No hosta, vejo SSH_AUTH_SOCK preenchido referenciando um socket local. Se, no hosta, eu então ssh hostb, o cliente ssh de alguma forma se conecta ao ssh-agent no host0. Presumivelmente, isso está usando um canal alternativo na conexão ssh host0-hosta.

O que está acontecendo em $SSH_AUTH_SOCK no hosta?

(fuser $SSH_AUTH_SOCK sugere que nada está aberto)

No caso da minha sessão de tela, se a sessão SSH que iniciou a sessão de tela tiver terminado e eu iniciar uma nova sessão SSH do host0 para o hosta, as solicitações de chave da sessão de tela serão enviadas pela nova conexão?

No FreeBSD, estou tentando bloquear tentativas de força bruta via ssh com pf na porta 22 usando esta regra:

table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/60, \
    overload <bruteforce> flush global)
block in quick from <bruteforce>

Já carreguei a configuração com doas pfctl -f /etc/pf.confe habilitei o pf com doas pfctl -e. Estou tentando executar ataques de força bruta SSH de um PC diferente do servidor onde estou configurando o firewall (usando SSH). No entanto, quando executo o comando doas pfctl -t bruteforce -T showno servidor, não obtenho nenhum resultado. O bruteforce está sendo executado usando este comando: hydra -l test -P word.txt 192.168.178.82 ssh

Usando o comando doas tcpdump -i em0 port 22eu vejo as requisições.

O arquivo /etc/pf.confé configurado assim:

set block-policy return

scrub in all fragment reassemble no-df max-mss 1440

nat on em0 from 10.0.0.0/24 to any -> (em0)

set skip on lo0

block in all
block out all

block in quick inet6 all
block out quick inet6 all

pass in quick proto tcp from 192.168.178.0/24 to any port 22 keep state

pass in quick proto tcp to any port 443 keep state
pass out quick proto tcp to any port 443 keep state

pass in quick proto tcp from 127.0.0.1 to 127.0.0.1 port 8080 keep state

pass out quick proto udp from any to any port 53
pass in quick proto udp from any to any port 53

pass out quick on epair1a
pass in quick on epair1a from em0 to any
pass in quick on em0 from 10.0.0.0/24 to any

pass in quick on lo0
pass out quick on lo0


table <bruteforce> persist
pass log inet proto tcp from any to any port 22 flags S/SA keep state \
    (max-src-conn 3, max-src-conn-rate 3/60, \
    overload <bruteforce> flush global)
block in quick from <bruteforce>

e arquivo /etc/rc.conf:

#System
clear_tmp_enable="YES"
syslogd_flags="-ss"
hostname="test"
keymap="it.kbd"
sshd_enable="YES"
moused_nondefault_enable="NO"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
zfs_enable="YES"
auditd_enable="YES"

#Network
ipv6_enable="NO"
ipv6_network_interfaces="none"
ipv6_activate_all_interfaces="NO"
ipv6_gateway_enable="NO"
ifconfig_em0="DHCP"

#Level 2 ISO/OSI: ipfw
firewall_enable="YES"

#Level 3 ISO/OSI: pf
firewall_enable="YES"
firewall_type="client"
firewall_script="/etc/ipfw.rules"
firewall_logging="YES"
firewall_logif="YES"

# Jails
cbsd_workdir="/home/user/jails"
cbsdd_enable="YES"

O arquivo /etc/sysctl.conf:

security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
vfs.zfs.min_auto_ashift=12

#Network
net.inet6.ip6.enable=0
net.inet6.ip6.forwarding="0"
net.inet.ip.fw.verbose_limit=5

#Hardening
kern.securelevel="1"
hw.kbd.keymap_restrict_change="4"    # disallow keymap changes for non-privileged users
kern.ipc.shm_use_phys="1"            # lock shared memory into RAM and prevent it from being paged out to swap (default 0, disabled)
kern.msgbuf_show_timestamp="1"       # display timestamp in msgbuf (default 0)
kern.randompid="1"                # calculate PIDs by the modulus of the integer given, choose a random int (default 0)
net.inet.icmp.drop_redirect="1"      # no redirected ICMP packets (default 0)
net.inet.ip.check_interface="1"      # verify packet arrives on correct interface (default 0)
net.inet.ip.portrange.first="1024"   # use ports 1024 to portrange.last for outgoing connections (default 10000)
net.inet.ip.portrange.randomcps="999" # use random port allocation if less than this many ports per second are allocated (default 10)
net.inet.ip.random_id="1"            # assign a random IP id to each packet leaving the system (default 0)
net.inet.ip.redirect="0"             # do not send IP redirects (default 1)
net.inet.tcp.always_keepalive="0"    # disable tcp keep alive detection for dead peers, keepalive can be spoofed (default 1)
net.inet.tcp.blackhole="2"           # drop tcp packets destined for closed ports (default 0)
net.inet.tcp.drop_synfin="1"         # SYN/FIN packets get dropped on initial connection (default 0)
net.inet.tcp.ecn.enable="0"          # Explicit Congestion Notification disabled unless proper active queue manageme
net.inet.tcp.fast_finwait2_recycle="1" # recycle FIN/WAIT states quickly, helps against DoS, but may cause false RST
net.inet.tcp.finwait2_timeout="5000" # TCP FIN_WAIT_2 timeout waiting for client FIN packet before state close (default 60000, 60 sec)
net.inet.tcp.icmp_may_rst="0"        # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
net.inet.tcp.keepinit="5000"         # establish connection in five(5) seconds or abort attempt (default 75000, 75 secs)
net.inet.tcp.msl="2500"              # Maximum Segment Lifetime, time the connection spends in TIME_WAIT state (default 30000, 2*MSL = 60 sec)
net.inet.tcp.nolocaltimewait="1"     # remove TIME_WAIT states for the loopback interface (default 0)
net.inet.tcp.path_mtu_discovery="0"  # disable MTU discovery since many hosts drop ICMP type 3 packets (default 1)
net.inet.tcp.rexmit_slop="70"        # reduce the TCP retransmit timer, min+slop=100ms (default 200ms)
net.inet.udp.blackhole="1"           # drop udp packets destined for closed sockets (default 0)
security.bsd.hardlink_check_gid="1"  # unprivileged processes may not create hard links to files owned by other groups (default 0)
security.bsd.hardlink_check_uid="1"  # unprivileged processes may not create hard links to files owned by other users (default 0)
security.bsd.see_other_gids="0"      # groups only see their own processes. root can see all (default 1)
security.bsd.see_other_uids="0"      # users only see their own processes. root can see all (default 1)
security.bsd.stack_guard_page="1"    # stack smashing protection (SSP), ProPolice, defence against buffer overflows
security.bsd.unprivileged_proc_debug="0" # unprivileged processes may not use process debugging (default 1)
security.bsd.unprivileged_read_msgbuf="0" # unprivileged processes may not read the kernel message buffer (default 1)

Você poderia me ajudar a entender por que não consigo bloquear solicitações via força bruta e, portanto, vejo-as bloqueadas com doas pfctl -t bruteforce -T show?

Desde já, obrigado.

Quero fazer meu backup do openwrt com comando do meu terminal local, bem fácil, mas meu problema é depois disso, é quando tento trazer o backup de volta para meu pc local. Aqui está o que tenho por enquanto, a primeira parte está ok:

#!/bin/bash

ssh [email protected] sysupgrade --create-backup /tmp/main_backup.tar.gz 

com esse comando eu crio o backup do meu roteador e quero copiar esse backup para o meu PC local.

Quando me conecto a um macOS Sonoma remoto a partir de um Linux RHEL 8 ssh -J user@portal user@mace, uma vez conectado, executo o vim somefile, recebo alguns caracteres estranhos no canto superior esquerdo da "página" e também no prompt do shell após sair do Vim:

[>4;m

^{nota: não consegui capturar esses bytes corretamente, não sei como posso fazer isso}

Não é a primeira vez que enfrento esse problema com diferentes combinações de sistemas operacionais locais/remotos (Solaris/FreeBSD/AIX/Linux/macOS), mas antes eu só precisava instalar os terminfopacotes nos NIXs remotos para consertar.

No macOS Sonoma, o terminfo xterm-256colorusado pelo RHEL 8 já está em /usr/share/terminfo/78/xterm-256color, e mudar TERMpara xtermnão ajuda.

Alguma ideia do que fazer para resolver o problema?

Em algum momento no passado, sempre que eu tentava uma sshconexão com um servidor sem especificar a senha, ssheu tentava todas as chaves, ssh-agenta ponto de, se houvesse muitas chaves, meu endereço IP ser bloqueado por muitas falhas de conexão.

O comportamento parece ter mudado, pois mesmo que haja uma única chave válida na ssh-agentlista, tenho que incluí-la no comando, por exemplo ssh -i ~/.ssh/alternate-key user@host.

Isso se deve a alguma alteração na configuração ou a uma alteração no comportamento do sshpróprio executável?