Lecture 17

SSH Port Forwarding

The ssh application provides you with the ability to tunnel communications from one host to another through an SSL connection. Tunnelling works as follows: On local_machine, one executes

ssh -L local_port:service_machine:service_port user@remote_machine
  1. SSH runs on the local_machine.
  2. SSH runs on remote_machine as user.
  3. The local SSH opens a socket on local_machine port local_port
  4. Connections made to local_machine:local_port are carried through the tunnel to remote_machine, which forwards them to service_machine:service_port.

    By way of example, consider the following problem:

    While attending a conference, you want to connect to your company's internal web server, which does not accept connections from outside your corporate intranet; however, ssh connections are supported by all machines on your intranet.

    To solve this using ssh, your corporate web server (or some other machine in your corporation's intranet) must provide proxy HTTP service. (A proxy is someone -- or something -- that acts as a substitute for another. The root of the word is Latin for the act of procuring.) A proxy HTTP server takes requests for web pages from a browser and forwards them to the internet.

    Of what value is a proxy web server?

    The cise department runs a proxy web server at proxy.cise.ufl.edu:3128, so to get secure web access to cise department web pages, one can issue the following ssh command:

    ssh -L 2000:proxy.cise.ufl.edu:3128 jnw@shine.cise.ufl.edu
    Then, one can configure a web browser to use localhost:2000 as its proxy. On Firefox, for example, one sets Tools->Options->General->ConnectionSettings->Manual_proxy_configuration so that the HTTP Proxy is localhost and the port is 2000.

    You can try a before/after test from outside the cise department, by setting your browser for a direct connection to the internet and trying to load http://delorean.unix-ippd.cise.ufl.edu. (Your browser will time out trying to get there, because its packets are being eaten by our filters.) Then run an ssh tunnel and set your proxy as specified above. You will be able to make contact with the delorean web server.
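    As an added illustration (not part of the lecture), the following Python model reproduces what the local end of the tunnel does: listen on local_port and relay each connection to service_machine:service_port. The echo service standing in for proxy.cise.ufl.edu:3128 is constructed for the example, and nothing here is encrypted; ssh supplies that between local_machine and remote_machine.

```python
import socket
import threading

def _pump(src, dst):
    # Relay bytes one way until src closes, then pass the EOF on to dst.
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass

def _listen(port):
    s = socket.socket()
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(5)
    return s

def start_forwarder(local_port, service_host, service_port):
    """Local end of 'ssh -L local_port:service_host:service_port': accept on
    127.0.0.1:local_port and relay each connection to the service.
    Returns the port actually bound (0 lets the OS pick one)."""
    lsock = _listen(local_port)
    def accept_loop():
        while True:
            client, _ = lsock.accept()
            service = socket.create_connection((service_host, service_port))
            threading.Thread(target=_pump, args=(client, service), daemon=True).start()
            threading.Thread(target=_pump, args=(service, client), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]

def start_echo_service():
    # Constructed stand-in for service_machine:service_port: echoes each request back.
    ssock = _listen(0)
    def serve():
        while True:
            conn, _ = ssock.accept()
            conn.sendall(b"echo: " + conn.recv(4096))
            conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return ssock.getsockname()[1]

def request_via_tunnel(local_port, payload):
    # What the browser does: it only ever talks to localhost:local_port.
    with socket.create_connection(("127.0.0.1", local_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

    Start the echo service, start the forwarder with local_port 0 and the echo port as the service, then call request_via_tunnel on the returned port to see the reply arrive through the relay.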

    Running X Applications Through SSH tunnels

    SSH provides the ability to forward data from applications to an X windows server. If you execute

    ssh -X user@remote_host
    then the DISPLAY environment variable will be set in your shell on the remote host and any X applications you run in that shell will communicate to the X server running on your local host.

    You will want to do this in order to remotely run any GUI applications from your Linux host.

    Packet Sniffing

    Packet sniffing can be critical to understanding whether or not your network is functioning correctly. A packet sniffer intercepts packets in the network protocol stack and reports information about them such as source, destination, port, flags, contents, etc.

    You can use packet sniffing to see what kind of information is being passed between hosts to support various protocol requests such as NIS and NFS. It can help you see how your system is really (not) working.

    A variety of packet sniffers can be used: snoop (Solaris), tcpdump, ngrep, ethereal

    tcpdump

    tcpdump is a relatively primitive packet sniffer. You can, for example, specify parameters telling what host, port, or network should be the source or destination of packets to be sniffed. The program will either print packet headers to stdout or save packet data to a file that can be analyzed later.

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    02:20:34.428562 IP tarpon.cise.ufl.edu.4859 > delorean.unix-ippd.cise.ulf.edu.ssh: . ack 424 win 64711
    02:20:34.479906 IP m.gtld-servers.net.domain > delorean.unix-ippd.cise.ulf.edu.32768:  9620 FormErr- [0q] 0/0/0 (12)
    02:20:34.479925 IP delorean.unix-ippd.cise.ulf.edu.32768 > m.gtld-servers.net.domain:  9620 A? basil.arin.net. (32)
    02:20:34.480031 IP m.gtld-servers.net.domain > delorean.unix-ippd.cise.ulf.edu.32768:  36658 FormErr- [0q] 0/0/0 (12)
    02:20:34.480031 IP m.gtld-servers.net.domain > delorean.unix-ippd.cise.ulf.edu.32768:  26717 FormErr- [0q] 0/0/0 (12)
    02:20:34.480050 IP delorean.unix-ippd.cise.ulf.edu.32768 > m.gtld-servers.net.domain:  36658 A? indigo.arin.net. (33)
    02:20:34.480060 IP delorean.unix-ippd.cise.ulf.edu.32768 > m.gtld-servers.net.domain:  26717 A? henna.arin.net. (32)
    02:20:34.547615 802.1d config 8000.00:05:73:2c:bc:00.806d root 8000.00:05:73:2c:bc:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
    02:20:34.751242 IP m.gtld-servers.net.domain > delorean.unix-ippd.cise.ulf.edu.32768:  36658- 0/8/8 (322)
    02:20:34.751466 IP delorean.unix-ippd.cise.ulf.edu.32768 > m3.NSTLD.COM.domain:  16664 [1au] A? indigo.arin.net. (44)
    02:20:34.753615 IP m.gtld-servers.net.domain > delorean.unix-ippd.cise.ulf.edu.32768:  9620- 0/8/8 (321)
    02:20:34.753725 IP delorean.unix-ippd.cise.ulf.edu.32768 > m3.NSTLD.COM.domain:  62609 [1au] A? basil.arin.net. (43)
    02:20:34.756239 IP m.gtld-servers.net.domain > delorean.unix-ippd.cise.ulf.edu.32768:  26717- 0/8/8 (321)
    02:20:34.756348 IP delorean.unix-ippd.cise.ulf.edu.32768 > m3.NSTLD.COM.domain:  12886 [1au] A? henna.arin.net. (43)
    02:20:35.004338 IP m3.NSTLD.COM.domain > delorean.unix-ippd.cise.ulf.edu.32768:  16664*- 1/8/10 A indigo.arin.net (377)
    

    Unprivileged users (i.e., not root) are not normally allowed to get raw access to network packet data. If you apt-get tcpdump, you will see the ways in which Linux allows you to relax this restriction. Don't do it! Even if you have to! Only root should be able to sniff packets.

    ngrep

    Just a small conceptual step higher up is ngrep, which adds the functionality of grep to a packet sniffer.

    ngrep -wi 'user|pass' tcp port 21

    delorean# ngrep -wi 'user|pass' tcp port 21
    interface: dmfe0 (128.227.170.64/255.255.255.224)
    filter: ip and ( tcp port 21 )
    match: ((^user|pass\W)|(\Wuser|pass$)|(\Wuser|pass\W))
    ######
    T 128.227.170.83:32806 -> 128.227.170.82:21 [AP]
      USER jnw..
    ####
    T 128.227.170.83:32806 -> 128.227.170.82:21 [AP]
      PASS XXXXXXXX..
    ##
    T 128.227.170.82:21 -> 128.227.170.83:32806 [AP]
      230 User jnw logged in...
    #######
    
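    To show how the tcpdump summary lines above break down, and to turn the ngrep idea of watching for clear-text logins into a check a defender can run over a saved capture, here is an added Python example (not from the lecture). The host names in SAMPLE come from the tcpdump output on this page; the final FTP line and the CLEARTEXT_SERVICES set are constructed for the example.

```python
import re
from collections import Counter

# tcpdump's default one-line summary for IP packets:
#   HH:MM:SS.usec IP src.sport > dst.dport: <decode>
# Host names contain dots, so the port is the last dot-separated token on each side.
IP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.(?P<sport>[^\s.:]+) > "
    r"(?P<dst>\S+)\.(?P<dport>[^\s.:]+):\s*(?P<rest>.*)$"
)

def parse_line(line):
    """Fields of one IP summary line, or None for anything else (802.1d, banners)."""
    m = IP_LINE.match(line.strip())
    return m.groupdict() if m else None

def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

# Services that carry credentials in clear text (constructed list); a flow to one of
# these deserves a look, as the ngrep 'user|pass' session above shows for FTP.
CLEARTEXT_SERVICES = {"ftp", "21", "telnet", "23", "pop3", "110", "imap", "143"}

def summarize(records):
    """Packets per (dst, dport) and the distinct flows to clear-text services."""
    per_service = Counter((r["dst"], r["dport"]) for r in records)
    cleartext = sorted({(r["src"], r["dst"], r["dport"]) for r in records
                        if r["dport"] in CLEARTEXT_SERVICES})
    return per_service, cleartext

# Sample: four lines from the tcpdump output on this page, the 802.1d line (which the
# parser must skip), and one constructed FTP line to exercise the clear-text check.
SAMPLE = """\
02:20:34.428562 IP tarpon.cise.ufl.edu.4859 > delorean.unix-ippd.cise.ulf.edu.ssh: . ack 424 win 64711
02:20:34.479906 IP m.gtld-servers.net.domain > delorean.unix-ippd.cise.ulf.edu.32768:  9620 FormErr- [0q] 0/0/0 (12)
02:20:34.479925 IP delorean.unix-ippd.cise.ulf.edu.32768 > m.gtld-servers.net.domain:  9620 A? basil.arin.net. (32)
02:20:34.547615 802.1d config 8000.00:05:73:2c:bc:00.806d root 8000.00:05:73:2c:bc:00 pathcost 0 age 0 max 20 hello 2 fdelay 15
02:20:35.004338 IP m3.NSTLD.COM.domain > delorean.unix-ippd.cise.ulf.edu.32768:  16664*- 1/8/10 A indigo.arin.net (377)
02:20:36.100000 IP tarpon.cise.ufl.edu.32806 > delorean.unix-ippd.cise.ulf.edu.ftp: P 1:11(10) ack 1 win 5840
"""
```

    Running summarize(parse_capture(SAMPLE)) yields per-service packet counts and a single flagged flow, the constructed FTP session from tarpon to delorean.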
    ethereal

    ethereal provides a GUI interface to packet sniffing and is probably more heavily used than either tcpdump or ngrep.

    dsniff

    dsniff is a password sniffer and a set of programs to help administrators check the security of their networks. It can also be used to mount attacks, so it is really a double-edged sword.