autossh tunnel from sensor to server needs to be more robust #239

Closed
GoogleCodeExporter opened this Issue Mar 24, 2015 · 13 comments

Using OpenSSH's built-in connection monitoring

The newer versions of OpenSSH have their own method of checking if the connection is still alive. You can enable this by setting the ServerAliveInterval and ServerAliveCountMax options (either in your ssh_config file or on the command line). For example:

autossh -M 0 -q -f -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -R 8081:localhost:80 my.linuxbox.at.home

The above command will make ssh send a keep-alive request if no other data has been sent for 60 seconds; if it doesn't receive a reply after 3 attempts it will close the connection. autossh will then detect it's been closed and attempt to re-establish it.

The "-M 0" option disables autossh's own monitoring which uses separate ports and is less reliable.

Note: this only works with SSH protocol version 2, which is usually enabled by default anyway (because version 1 has security flaws

Original issue reported on code.google.com by doug.bu...@gmail.com on 22 Mar 2012 at 2:36
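
One way to check the settings this issue relies on, as an added example that is not part of the original issue or the Security Onion code: it reads the output of ssh -G for the tunnel host and reports how long ssh takes to give up on a dead peer (interval times count, about 180 s for the values above). The ExitOnForwardFailure check goes beyond the issue text, and the sample inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the issue): check that a tunnel's effective ssh
# options let ssh notice a dead peer, so autossh -M 0 has an exit to react to.
# stdin: output of `ssh -G <host>` (lower-case "keyword value" lines).
# Exit status: 0 if keep-alives are active, 1 if not.
audit_tunnel_opts() {
    awk '
        BEGIN { interval = 0; count = 3; eoff = "no"; rc = 0 }  # OpenSSH defaults
        $1 == "serveraliveinterval"  { interval = $2 + 0 }
        $1 == "serveralivecountmax"  { count = $2 + 0 }
        $1 == "exitonforwardfailure" { eoff = $2 }
        END {
            if (interval == 0) {
                print "FAIL ServerAliveInterval is 0: ssh never detects a dead peer"
                rc = 1
            } else {
                printf "OK   dead peer detected after about %d s\n", interval * count
            }
            if (eoff != "yes")
                print "WARN ExitOnForwardFailure is not yes: ssh stays up without its forward"
            exit rc
        }'
}

# Constructed samples of `ssh -G` output (only the relevant keywords).
SAMPLE_DEFAULTS='serveraliveinterval 0
serveralivecountmax 3
exitonforwardfailure no'

SAMPLE_ISSUE='serveraliveinterval 60
serveralivecountmax 3
exitonforwardfailure no'

SAMPLE_HARDENED='serveraliveinterval 60
serveralivecountmax 3
exitonforwardfailure yes'

for s in "$SAMPLE_DEFAULTS" "$SAMPLE_ISSUE" "$SAMPLE_HARDENED"; do
    printf '%s\n' "$s" | audit_tunnel_opts || true
    echo "--"
done
```

On a live sensor the input would come from ssh -G with the same -o options and host that autossh is given.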

GoogleCodeExporter Mar 24, 2015

Also set AUTOSSH_GATETIME to 0:

"Startup behaviour
     If the ssh session fails with an exit status of 1 on the very first try, autossh

     1.      will assume that there is some problem with syntax or the connection setup, and will exit rather than retrying;

     2.      There is a "starting gate" time. If the first ssh process fails within the first few seconds of being started, autossh assumes that it never made it "out of the starting gate", and exits. This is to handle initial failed authentication, connection, etc. This time is 30 seconds by default, and can be adjusted (see the AUTOSSH_GATETIME environment variable below). If AUTOSSH_GATETIME is set to 0, then both behaviours are disabled: there is no "starting gate", and autossh will restart even if ssh fails on the first run with an exit status of 1."

Original comment by doug.bu...@gmail.com on 4 May 2012 at 7:00

  • Changed state: Accepted

GoogleCodeExporter Mar 24, 2015

export AUTOSSH_GATETIME=0
/usr/bin/autossh -M 0 -f -q -N -o "ServerAliveInterval 60" -o "ServerAliveCountMax 3" -i "$KEY" -L 3306:127.0.0.1:3306 $SSH_USERNAME@$SERVERNAME

Original comment by doug.bu...@gmail.com on 4 May 2012 at 9:01


GoogleCodeExporter Mar 24, 2015

Packaged /usr/local/bin/setup:

/usr/bin/fpm -s dir -t deb -n securityonion-setup -v 20120508 /usr/local/bin/setup

Original comment by doug.bu...@gmail.com on 7 May 2012 at 2:34


GoogleCodeExporter Mar 24, 2015

Packaged NSM scripts:

/usr/bin/fpm -s dir -t deb -n securityonion-nsmnow-admin-scripts -v 20120508 /etc/init.d/nsm* /usr/share/nsmnow/ /usr/local/sbin/nsm* /usr/local/lib/nsmnow/ /etc/cron.d/sensor-* /etc/cron.d/nsm* /etc/init/securityonion.conf

Original comment by doug.bu...@gmail.com on 7 May 2012 at 2:34


GoogleCodeExporter Mar 24, 2015

Added the following to security-onion-upgrade.sh:


# Turn "KEY VALUE" lines in the config into KEY=VALUE so the file can be sourced
sed -i 's| |=|g' $CONF
source $CONF
if [ "$VERSION" = "20120427" ]; then
        NEW="20120508"
        echo "**********************************************"   | $LOGGER
        echo "* Upgrading from $VERSION to $NEW."               | $LOGGER
        echo "**********************************************"   | $LOGGER
        DIR="/nsm/backup/$NEW"
        mkdir -p $DIR                                           | $LOGGER
        # Stop here if the backup directory is unusable, so dpkg never runs elsewhere
        cd $DIR || exit 1

        for FILE in securityonion-setup_20120508_i386.deb securityonion-nsmnow-admin-scripts_20120508_i386.deb; do
                echo -n "* Downloading $FILE..."                | $LOGGER
                wget -q http://sourceforge.net/projects/security-onion/files/$NEW/$FILE -O $FILE | $LOGGER
                # $? would be $LOGGER's status; PIPESTATUS[0] is wget's.
                # wget uses several non-zero exit codes, so treat any of them as failure.
                if [ "${PIPESTATUS[0]}" -ne 0 ]; then
                        echo "FAIL"     | $LOGGER
                        exit 1
                else
                        echo "OK"       | $LOGGER
                fi
        done

        echo -n "* Installing downloaded packages..." | $LOGGER
        dpkg -i *.deb                                           >> $LOG
        # Any non-zero status from dpkg means the install did not complete
        if [ $? -ne 0 ]; then
                echo "FAIL"     | $LOGGER
                exit 1
        else
                echo "OK"       | $LOGGER
        fi

        # Record the new version only after both packages installed
        sed -i "s|VERSION=$VERSION|VERSION=$NEW|g" $CONF        | $LOGGER
        echo "* Upgrade to $NEW complete."                      | $LOGGER
        echo 
fi

Original comment by doug.bu...@gmail.com on 7 May 2012 at 2:35


GoogleCodeExporter Mar 24, 2015

Original comment by doug.bu...@gmail.com on 7 May 2012 at 3:02

  • Changed title: autossh tunnel from sensor to server needs to be more robust

GoogleCodeExporter Mar 24, 2015

Tested by:
Tom De Vries
Jason Boss
David Zawdie
Mark Hillick
Liam Randall

Original comment by doug.bu...@gmail.com on 8 May 2012 at 10:56

  • Changed state: Started

GoogleCodeExporter Mar 24, 2015

Published:
http://securityonion.blogspot.com/2012/05/security-onion-20120508-now-available.html

Original comment by doug.bu...@gmail.com on 8 May 2012 at 10:56

  • Changed state: Verified