Thursday, July 25, 2013

CVS: Changing from extssh to ext

Linux:
find . -name Root -exec sed -i 's/extssh/ext/' {} \;

OSX:
find . -name 'Root' | xargs perl -pi -e 's/extssh/ext/g'

Reverse SSH - Poor man's site-to-site communication

Taken from http://toic.org/blog/2009/01/18/reverse-ssh-port-forwarding/

Real life example
I will assume that the home PC is connected via a dynamically assigned IP address. First, make sure you have an SSH server installed on your home PC and that it is accessible from the Internet. If you are behind a NAT router, be sure to forward port 22 to your home PC. Second, you will need to set up a dyndns account so you can connect to your home PC regardless of IP address changes.

The goal is to connect to the SSH server on our office PC, so the port in question will be 22; if you wish to forward another port, change it in your configuration accordingly. For the purpose of this example I will name my home PC bhome.dyndns.com. The office computer is named bwork.office.com. The bwork computer uses the private IP range 192.168.0.0/24 with address 192.168.0.100.

So if the firewall is preventing outside connections to our bwork computer, we must initiate the connection from it. We can do this with a simple ssh command:

ssh -R 2210:localhost:22 bhome.dyndns.com

So what just happened here? We are initiating an SSH connection ("ssh") with the reverse port forwarding option ("-R"), which opens a listening port ("2210:") that is forwarded back to localhost's port (":22"), and all this happens on the remote computer ("bhome.dyndns.com"). This connection represents the green line in the diagram above, and it's a legit connection as far as the corporate firewall is concerned. So if we now open up a terminal on the bhome computer and type in:

ssh -p 2210 localhost

we will try to connect to localhost (bhome.dyndns.com) on port 2210. Since that port is set up by the remote SSH connection, it will tunnel the request back via that link to the bwork.office.com computer. This is the red line on the diagram above. From the firewall's perspective it's legit traffic, since it is response traffic on a link already initiated from the bwork computer.


Some more fun with reverse tunnels.
But I have a printer behind that corporate firewall. How can I connect to it? Easy... remember the first example? The ssh -R command takes 5 arguments, of which 4 are mandatory:

ssh -R [bind_address:]port:host:hostport

bind_address is the network address on which port will listen; connections to it are forwarded to host (reachable from the network the reverse tunnel originated from) on hostport. So if we issue a command like this on our bwork PC:

ssh -R 89.xxx.xx.4:2211:192.168.0.10:631 bserver.outside.com

we will get something like this:

[Diagram: reverese-ssh4]

So again we have the previously established reverse SSH tunnel listening on port 2210 to channel the SSH connection towards the office PC. With this new command we established a reverse SSH tunnel (yellow line) towards bserver, which will listen for incoming connections on port 2211. When the home PC makes a data connection to port 2211 on bserver (brown line), it is forwarded to the office PC (black line), which then redirects it towards the office printer at address 192.168.0.10 on port 631 (violet line). Remember, all this traffic passes through the corporate firewall as legit traffic, even if the illustration perhaps shows otherwise.

Automating the task
So by now we should have covered the basics of how to bypass the corporate firewall in order to get to your office computer and network equipment. Now, ssh -R isn't really practical: it consumes one terminal, and as soon as it shuts down there is no tunnel and no outside connectivity.

The easiest thing to do is to set up a cron job that will connect to the remote server if the connection fails, the office computer reboots, etc. First of all, generate SSH keys and add them to ssh-agent so that the script won't ask you for the remote server's password all the time. Next, we will add two extra parameters to our command, -N and -f, so that the connection goes into the background. The command will look like:

ssh -N -f -R [bind_address:]port:host:hostport 

Next we need a shell script that will be triggered by cron. For this example we will use the Real life example 2.

#!/bin/sh
COMMAND="ssh -N -f -R 89.xxx.xx.4:2210:localhost:22 bserver.outside.com"
pgrep -f -x "$COMMAND" > /dev/null 2>&1 || $COMMAND


Now edit this code so it suits your needs, and save it in your home dir as reverse_ssh_tunnel.sh. Next we need to add a crontab entry which will trigger this script every 5 minutes.

crontab -e

and add:

*/5 * * * * /bin/sh /home/username/reverse_ssh_tunnel.sh

If you are connecting to a different user name on the remote server, you can edit your commands so they look like:

ssh -R [bind_address:]port:host:hostport username@remote_host
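
From the monitoring side, the forwards described in this post are visible in the client's process list. The following is an added example, not part of the original post: it parses process command lines for ssh -R specs and labels each one by where it listens and what it reaches. The function names and the labels loopback/external and self/lan-host are made up for this example, and IPv6 bracketed addresses are not handled.

```shell
#!/bin/sh
# Added example (not from the original post): report ssh clients holding -R forwards.
# Reads one process command line per line; live input: ps -eo args= | find_remote_forwards
# Prints per forward: bind port host hostport exposure target
find_remote_forwards() {
    awk '
    function report(spec,    f, n, bind, i, exposure, target) {
        n = split(spec, f, ":")
        if (n == 3) { bind = "(default)"; i = 1 }      # port:host:hostport
        else if (n == 4) { bind = f[1]; i = 2 }        # bind_address:port:host:hostport
        else return                                    # other forms are out of scope here
        # No bind_address, or a loopback one: the listener is reachable only from the server itself.
        exposure = (bind == "(default)" || bind == "localhost" || bind == "127.0.0.1") ? "loopback" : "external"
        # A target other than the client itself reaches further into the client-side LAN.
        target = (f[i+1] == "localhost" || f[i+1] == "127.0.0.1") ? "self" : "lan-host"
        print bind, f[i], f[i+1], f[i+2], exposure, target
    }
    {
        n = split($1, path, "/")
        if (path[n] != "ssh") next                     # only the ssh client, not sshd
        for (k = 2; k <= NF; k++) {
            if ($k ~ /^-[A-Za-z0-9]*R$/ && k < NF) { k++; report($k) }   # "-R spec", "-NfR spec"
            else if ($k ~ /^-R./) report(substr($k, 3))                  # "-Rspec"
        }
    }'
}

# Constructed sample input: the command lines used in the post plus two non-matches.
sample_ps_lines() {
    cat <<'EOF'
ssh -R 2210:localhost:22 bhome.dyndns.com
ssh -R 89.xxx.xx.4:2211:192.168.0.10:631 bserver.outside.com
/usr/bin/ssh -N -f -R 89.xxx.xx.4:2210:localhost:22 bserver.outside.com
ssh -p 2210 localhost
/usr/sbin/sshd -D
EOF
}

sample_ps_lines | find_remote_forwards
```

An "external" result reflects what the client requested: sshd honours a non-loopback bind_address only when GatewayPorts is enabled on the server, and otherwise binds the listener to loopback.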

Friday, July 19, 2013

HOW-TO: Virtual Serial ports in Linux

The below instructions are targeted toward CentOS but should work on other Linux Distributions.
This HOW-TO shows how to create 2 virtual serial ports that are linked together as if they were 2 physical serial ports linked together using a NULL-modem cable.

1. Install socat
yum install socat

2. Run socat in a screen instance
screen socat -d -d pty,raw,echo=0 pty,raw,echo=0

You will see something like this on your screen
2012/11/15 15:52:43 socat[24000] N PTY is /dev/pts/2
2012/11/15 15:52:43 socat[24000] N PTY is /dev/pts/3
2012/11/15 15:52:43 socat[24000] N starting data transfer loop with FDs [3,3] and [5,5]

Your first serial port is /dev/pts/2 and your 2nd serial port is /dev/pts/3 (those port paths can be different from this example). Those will remain linked as long as the socat program is running.
Press CTRL-A d in order to detach from this screen instance

3. Configure and run your first application using /dev/pts/2

4. Configure and run your second application using /dev/pts/3

Voila your 2 applications are communicating using the 2 virtual serial ports.

Note that this is just one application of the socat program. You can for instance link a serial port with a TCP socket and much more. 

Here are some nice links regarding socat
https://help.ubuntu.com/community/VirtualSerialPort
http://justcheckingonall.wordpress.com/2009/06/09/howto-vsp-socat/
http://www.dest-unreach.org/socat/doc/socat.html

Embedding hardware parts in 3D prints

Yesterday I did my first attempt at embedding a nut in a print... The idea was to have the nut (8-32 hex nut) be captive in the print so i...