Connect to Router over SSH
Check for and install the latest version of RouterOS. This will reboot the router; press Y to confirm the upgrade.
system package update install
Upgrade the RouterBOARD firmware. Press Y to confirm.
system routerboard upgrade
Initiate an SSH connection to the server or device you want to use as a proxy. You can change the port to something else if desired.
ssh username@ipaddress -D 1880
Log in and leave the session running.
You can now set up your computer or browser to use the proxy.
Specify a SOCKS host: the hostname is either localhost or 127.0.0.1, and the port is 1880.
Firefox example below.
Open your Oxidized config
Now edit your groups to include the following. The ssh_port line is what specifies the SSH port; note that it needs the vars: line above it.
routeros:
  username: admin
  password: password
  vars:
    ssh_port: 2222
Save and quit with Esc then :wq, and run Oxidized.
What we are going to do is create a proxy using SSH so we can tunnel our web traffic in Firefox through it.
First, launch PuTTY and set up an SSH connection like you normally would.
Next, in PuTTY, go to Connection, SSH, Tunnels. Set the source port, change the type to Dynamic, and click Add. In this example we are using port 1880.
After you have it set, open the connection and log in.
Now go to the proxy settings in Firefox. You can open a new tab, type about:preferences, hit Enter, and search for proxy.
Set it to Manual proxy configuration, then under SOCKS Host put localhost and the port number from PuTTY above, 1880 in our case.
You should now be running over the proxy. You can test it by running a "what's my IP address" search.
This can be particularly useful in cases where you need to access a local IP address range on something like a Ubiquiti radio or router, or when you need to check something from a different IP address.
List AirControl server(s)
Remove from AirControl Server
First you'll need to SSH into your radio.
Next run "mca-provision-list" to list the connection(s) the radio has, or is trying to connect to. If the radio has been connected to multiple AirControl servers it will show more than one entry.
unknown @ http://192.168.0.1:9081/AC2/report -
To remove one, run "mca-provision-rm" with the AirControl address. You can simply use "http://server-ip"; you shouldn't have to worry about the port number or /AC2/report.
XM.v6.1.3# mca-provision-rm http://192.168.0.1
Found 1 entries matching 'http://192.168.0.1':
Removing: unknown @ http://192.168.0.1:9081/AC2/report ...
Found Backup1 on ...
Found Active on ...
Storing Active ... [%100]
Active->Backup ... [%100]
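Reducing the listed URLs to the "http://server-ip" form that mca-provision-rm takes, and flagging any server that is not the one you expect, as an added example that is not part of the original post or of Ubiquiti's tooling. It assumes only the output format shown above ("name @ URL -"); the sample list is constructed. A radio that reports a provisioning server you do not recognise deserves a look, since that server can manage the device.

```bash
# Added example: parse "mca-provision-list" output (read from stdin).
# Assumes the "name @ URL -" line format shown in the post.

# Constructed sample output, two entries.
SAMPLE_LIST='unknown @ http://192.168.0.1:9081/AC2/report -
lab @ https://10.0.0.5:9082/AC2/report -'

# Reduce each URL to scheme://host, e.g. http://192.168.0.1:9081/AC2/report
# becomes http://192.168.0.1, which is what mca-provision-rm accepts.
aircontrol_bases() {
    awk '{
        for (i = 1; i <= NF; i++)
            if (match($i, /^https?:\/\/[^\/:]+/))
                print substr($i, RSTART, RLENGTH)
    }'
}

# Print every listed server that is not $1; return 1 if any were found.
check_servers() {   # check_servers http://192.168.0.1  < list-output
    rc=0
    for base in $(aircontrol_bases); do
        if [ "$base" != "$1" ]; then
            echo "unexpected provisioning server: $base"
            rc=1
        fi
    done
    return $rc
}

# Demo against the constructed sample; on a radio, feed it the real command:
#   mca-provision-list | check_servers http://192.168.0.1
printf '%s\n' "$SAMPLE_LIST" | check_servers http://192.168.0.1 || true
```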
The commands are for CentOS, but should work on Fedora and Red Hat.
If semanage is not installed refer to
You would typically use this along with the system's firewall to allow a port through (guides for firewalld and iptables). If you change it in the firewall and fail to add or edit it in semanage you can get weird behavior, like sshd not wanting to start after changing the port.
Add port
semanage port -a -t ssh_port_t -p tcp 2222
The above command allows the sshd service to start using port 2222.
List allowed ports
semanage port -l
You can use grep to filter the results:
[admin@localhost ~]# semanage port -l | grep ssh
ssh_port_t tcp 2222, 22
Delete port
semanage port -d -p tcp 2222
Another example, adding the SNMP port:
semanage port -a -t snmp_port_t -p udp 161
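Deciding between "semanage port -a" and "semanage port -m" from the listing, as an added example that is not part of the original post. semanage refuses "-a" for a port that policy already assigns to a specific type (it has to be modified with "-m" instead), while a port sitting in the generic unreserved_port_t range can simply be added, as the post's own 2222 example shows. The parser reads the "type proto ports" layout of semanage port -l from stdin; the listing in the block is constructed, and exact port entries are preferred over ranges so a specific type is not shadowed by a broad one.

```bash
# Added example: find which SELinux type currently owns a port and print the
# matching semanage command. Input is "semanage port -l" output on stdin.

# Constructed sample listing (layout as on CentOS; values are illustrative).
SAMPLE_LISTING='http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
ssh_port_t                     tcp      2222, 22
snmp_port_t                    udp      161, 162
unreserved_port_t              tcp      61001-65535, 1024-32767
zabbix_port_t                  tcp      10050'

# Print the type owning proto/port, or nothing. An exact port match wins over
# a range match, so "zabbix_port_t 10050" beats "unreserved_port_t 1024-32767".
port_label_of() {   # port_label_of tcp 2222  < listing
    awk -v proto="$1" -v port="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                p = $i; sub(/,$/, "", p)
                if (p ~ /-/) {
                    split(p, r, "-")
                    if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0 && rng == "") rng = $1
                } else if (p + 0 == port + 0) { print $1; done = 1; exit }
            }
        }
        END { if (!done && rng != "") print rng }'
}

# Print the semanage command that gives proto/port the wanted type.
semanage_port_cmd() {   # semanage_port_cmd ssh_port_t tcp 2222  < listing
    current=$(port_label_of "$2" "$3")
    case "$current" in
        ""|unreserved_port_t) echo "semanage port -a -t $1 -p $2 $3" ;;
        "$1")                 echo "# $2/$3 already labelled $1, nothing to do" ;;
        *)                    echo "semanage port -m -t $1 -p $2 $3   # currently $current" ;;
    esac
}

# Demo on the sample; on a real host use:  semanage port -l | semanage_port_cmd ssh_port_t tcp 2222
printf '%s\n' "$SAMPLE_LISTING" | semanage_port_cmd ssh_port_t tcp 2222
printf '%s\n' "$SAMPLE_LISTING" | semanage_port_cmd ssh_port_t tcp 8080
```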
Setup SFTP Server
When finished you'll have an SFTP server set up so that users are in a chroot environment and cannot SSH or telnet to the server.
Install the SSH server if it is not already installed:
yum install openssh-server openssh-client
Create a group that is limited to SFTP so its members can't use ssh, scp, etc.
Add chroot settings to /etc/ssh/sshd_config. The %u is a variable that expands to the user's username.
Match Group sftpusers
Make the ftp directory
Add SFTP user
useradd -g sftpusers -d /sftp -s /sbin/nologin newsftpuser
Create password for new user
Create directory for user
Create directory to put ftp files
chown newsftpuser:sftpusers /sftp/newsftpuser/files/
systemctl restart sshd
Should be good to go. Test it by logging in with your favorite FTP client.
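The same setup as a script, as an added example that is not part of the original post. It keeps the post's names (group sftpusers, base /sftp, user newsftpuser) and adds what the post leaves implicit: the assumed contents of the Match block (ChrootDirectory /sftp/%u with ForceCommand internal-sftp and forwarding disabled), a check that the chroot directory is root-owned and not group- or world-writable (sshd refuses the login otherwise, which is why only the files/ subdirectory is handed to the user), and an sshd -t syntax check before the restart so a typo does not lock you out.

```bash
# Added example: chroot-only SFTP user setup, run as root on CentOS/RHEL.
# Assumed Match block contents and permission rules are noted in the comments.

SFTP_BASE=/sftp
SFTP_GROUP=sftpusers

# The Match block for /etc/ssh/sshd_config (printed so it can be reviewed).
# ForceCommand internal-sftp is what stops shell/scp access; the two
# forwarding lines keep the account from being used as a tunnel endpoint.
sftp_match_block() {
    cat <<EOF
Match Group $SFTP_GROUP
    ChrootDirectory $SFTP_BASE/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# 0 if an octal mode (as printed by stat -c %a) has no group or other write bit.
chroot_mode_ok() {   # chroot_mode_ok 755 -> 0, chroot_mode_ok 775 -> 1
    case "$1" in
        *[2367][0-7]|*[2367]) return 1 ;;
    esac
    return 0
}

# sshd's rule for ChrootDirectory: owned by root and not writable by anyone else.
chroot_dir_ok() {   # chroot_dir_ok /sftp/newsftpuser
    [ "$(stat -c %u "$1")" = 0 ] && chroot_mode_ok "$(stat -c %a "$1")"
}

# Create one SFTP-only user with a writable files/ directory inside the chroot.
add_sftp_user() {   # add_sftp_user newsftpuser
    getent group "$SFTP_GROUP" >/dev/null || groupadd "$SFTP_GROUP"
    mkdir -p "$SFTP_BASE/$1/files"
    useradd -g "$SFTP_GROUP" -d "$SFTP_BASE" -s /sbin/nologin "$1"
    chown root:root "$SFTP_BASE" "$SFTP_BASE/$1"
    chmod 755 "$SFTP_BASE" "$SFTP_BASE/$1"
    chown "$1:$SFTP_GROUP" "$SFTP_BASE/$1/files"
    chmod 750 "$SFTP_BASE/$1/files"
    chroot_dir_ok "$SFTP_BASE/$1" || { echo "chroot dir $SFTP_BASE/$1 is not safe" >&2; return 1; }
    passwd "$1"
}

# Append the Match block, validate the config, and only then restart sshd.
apply_sshd_config() {
    sftp_match_block >> /etc/ssh/sshd_config
    sshd -t && systemctl restart sshd
}

# Usage (as root):  apply_sshd_config && add_sftp_user newsftpuser
```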
ssh: connect to host 192.168.1.158 port 22: Connection refused
Wrong SSH port. Check /etc/ssh/sshd_config on Linux, or in RouterOS under IP -> Services -> SSH.
ssh_exchange_identification: Connection closed by remote host
Check the hosts.allow and hosts.deny files. If you're getting this error connecting to a MikroTik, check the IP services and the "Available From" addresses.
For some reason the hosts.allow and hosts.deny files don't seem to work on cPanel. One of the alternative methods to limit SSH logins to specific addresses is to use iptables.
Allow access from specific IP addresses.
Replace 192.168.1.0/24 and 192.168.0.0/24 with your addresses. You can add more addresses separated by ",". Also, if your SSH port is not the default, be sure to change it.
iptables -A INPUT -s 192.168.1.0/24,192.168.0.0/24 -p tcp --dport 22 -j ACCEPT
Reject access from everywhere else
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 22 -j REJECT
You can see your rules with
iptables -L --line-numbers
If you need to add another rule after the fact, you'll need to make sure that it is above the REJECT rule. You can use "-I" to insert it between rules.
Example: inserts the rule as the second rule in the INPUT chain
iptables -I INPUT 2 -s 192.168.42.0/24 -p tcp --dport 22 -j ACCEPT
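Working out the insert position from the listing instead of counting by hand, as an added example that is not part of the original post. A rule appended with -A below the REJECT never matches, so the function finds the REJECT line for the port in "iptables -nL INPUT --line-numbers" output (the -n matters: without it port 22 is shown as "dpt:ssh" and the number would not be found) and prints the -I command for that line number, falling back to -A when no REJECT exists yet. The listing in the block is constructed to look like the rules above; note that a comma-separated -s produces one listed rule per address.

```bash
# Added example: compute "iptables -I INPUT N" from a rule listing on stdin.
# Assumes "iptables -nL INPUT --line-numbers" output (numeric ports).

# Constructed listing, matching the rules in the post plus a rule on port 2222.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:22
2    ACCEPT     tcp  --  192.168.0.0/24       0.0.0.0/0            tcp dpt:22
3    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22 reject-with icmp-port-unreachable
4    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2222 reject-with icmp-port-unreachable'

# Line number of the first REJECT rule for tcp dpt:$1, or nothing.
# "dpt:22" must not match "dpt:2222", hence the trailing non-digit check.
reject_line_for_port() {   # reject_line_for_port 22  < listing
    awk -v port="$1" '
        $1 ~ /^[0-9]+$/ && $2 == "REJECT" && $0 ~ ("dpt:" port "($|[^0-9])") { print $1; exit }'
}

# Print the iptables command that allows $2 (comma-separated sources) to
# port $1, inserted just above the REJECT, or appended if there is none yet.
ssh_allow_cmd() {   # ssh_allow_cmd 22 192.168.42.0/24  < listing
    n=$(reject_line_for_port "$1")
    if [ -n "$n" ]; then
        echo "iptables -I INPUT $n -s $2 -p tcp --dport $1 -j ACCEPT"
    else
        echo "iptables -A INPUT -s $2 -p tcp --dport $1 -j ACCEPT"
    fi
}

# Demo on the sample; on a real host:
#   iptables -nL INPUT --line-numbers | ssh_allow_cmd 22 192.168.42.0/24
printf '%s\n' "$SAMPLE_RULES" | ssh_allow_cmd 22 192.168.42.0/24
```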
Debian / Ubuntu
sudo apt-get install -y openssh-server
RPM based distros, Fedora / CentOS / RedHat
sudo dnf install -y openssh-server
or use yum
sudo yum install -y openssh-server
Start ssh service
sudo systemctl start sshd
By default the SSH service should start when the system starts, but if not, try the following command to enable the service on boot.
Debian / Ubuntu
systemctl enable ssh
Fedora, CentOS, RedHat
systemctl enable sshd
Change SSH port
Not necessary, but it is a good idea to change the default SSH port. To change the port, edit the sshd_config file.
If you change the port, you'll need to allow it in the firewall (firewalld, iptables) and, if SELinux is enabled, in semanage.