Configure UFW Firewall on Ubuntu

Show status

sudo ufw status

Disable UFW Service

sudo systemctl stop ufw && sudo systemctl disable ufw

Stop UFW Service

sudo systemctl stop ufw

Start UFW service

sudo systemctl stop ufw

Enable UFW

sudo ufw enable

Allow SSH

sudo ufw allow 22/tcp

Show status

sudo ufw status numbered

Example output

sudo ufw status numbered
Status: active
To            Action   From 
--            ------   ----
[1] 3478/udp  ALLOW IN  Anywhere
[2] 5514/udp  ALLOW IN  Anywhere
[3] 8080/tcp  ALLOW IN  Anywhere
[4] 8443/tcp  ALLOW IN  Anywhere
[5] 8880/tcp  ALLOW IN  Anywhere
[6] 8843/tcp  ALLOW IN  Anywhere
[7] 6789/tcp  ALLOW IN  Anywhere
[8] 27117/tcp ALLOW IN  Anywhere
[9] 22/tcp    ALLOW IN  Anywhere

Delete rule

You need to know the number of the rule you want to delete. Replace number with the number of the rule from the status command

sudo ufw delete number

Reset rules

sudo ufw reset

How To Increase Session Timeout for SSH

From the server side, edit the /etc/ssh/sshd_config

Change, uncomment, or add

ClientAliveInterval 120
ClientAliveCountMax 15

Change the AliveInterval and CountMax as desired.

More info on the AliveIntercal and CountMax.

ClientAliveCountMax Sets the number of client alive messages which may be sent without sshd(8) receiving any messages back from the client. If this threshold is reached while client alive messages are being sent, sshd will disconnect the client, terminating the session. It is important to note that the use of client alive messages is very different from TCPKeepAlive. The client alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The client alive mechanism is valuable when the client or server depend on knowing when a connection has become unresponsive.

The default value is 3. If ClientAliveInterval is set to 15, and ClientAliveCountMax is left at the default, unresponsive SSH clients will be disconnected after approximately 45 seconds. Setting a zero

ClientAliveCountMax disables connection termination.ClientAliveInterval Sets a timeout interval in seconds after which if no data has been received from the client, sshd(8) will send a message through the encrypted channel to request a response from the client. The default is 0, indicating that these messages will not be sent to the client.

More information
https://man.openbsd.org/sshd_config

Hydra – Socket error: Connection reset by peer

[VERBOSE] Disabled child 2 because of too many errors
[VERBOSE] Disabled child 6 because of too many errors
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] could not connect to target port 22: Socket error: Connection reset by peer
[ERROR] ssh protocol error

Looks like the issue can happen if you have too many threads going at once. Lower the amount of threads your using with -t. Recommended amount for ssh is 4.

hydra -L usernames.txt  -P "passwords.txt" 192.168.1.20 ssh -t4

no matching cipher found. Their offer: aes128-cbc,3des-cbc…

When trying to SSH to older devices like a Ubiquiti Bullet2, you may receive an error saying.

no matching cipher found. Their offer: aes128-cbc,3des-cbc,aes256-cbc,twofish256-cbc,twofish-cbc,twofish128-cbc,blowfish-cbc

Work around it to manually specify the cipher with the “-c” option. You will also probably need to specify the KexAlgorithm

ssh -c aes128-cbc -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.20

You can see what ciphers ssh supports by running “ssh -Q cipher”

Example output

ssh -Q cipher
3des-cbc
aes128-cbc
aes192-cbc
aes256-cbc
rijndael-cbc@lysator.liu.se
aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com

More information
https://www.openssh.com/legacy.html

Change Channel Width on Ubiquiti AC CPE Over SSH

SSH into CPE

ssh ubnt@192.168.1.20

open up the “/tmp/system.cfg” file

vi /tmp/system.cfg

Find the “radio.1.chanbw=” line and change to the following

radio.1.chanbw=10

Note: it may say “radio.1.chanbw=0” that looks to be the default and works for 20mhz

exit file with

esc + :wq + Return or Enter

Save settings with

/usr/etc/rc.d/rc.softrestart save 

Change AP to 10Mhz and the CPE should reconnect.

no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

Work around is to use the -o option and specify KexAlgorithms with the correcct option.

ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.11.1

https://unix.stackexchange.com/questions/340844/how-to-enable-diffie-hellman-group1-sha1-key-exchange-on-debian-8-0#340853

no matching host key type found. Their offer: ssh-dss

Reason for it not working is some of the older weaker SSH encryption algorithms have been disabled. You can allow ssh to use it by specifying the following option.

 -oHostKeyAlgorithms=+ssh-dss 

so whole command would look like

ssh  -o HostKeyAlgorithms=+ssh-dss root@192.168.111.4 

http://www.openssh.com/legacy.html

https://askubuntu.com/questions/836048/ssh-returns-no-matching-host-key-type-found-their-offer-ssh-dss#836064

Mikrotik hAP – Change SSID via command line

Problem – Need 2.4 Ghz network enabled and SSID set to WiFi. Wireless router is behind a NAT, using UNMS to ssh into the radio, and from the radio ssh into hAP. Enter/Return key not working to run commands, so running the commands over ssh from the radio.

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless print'
admin@192.168.88.2's password: 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3 
      arp=enabled interface-type=Atheros AR9300 mode=station ssid="MikroTik" 
      frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2 
      arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi" 
      frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless set disabled=no ssid=WiFi wlan1'
admin@192.168.88.2's password: 
WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless print'
admin@192.168.88.2's password: 
Flags: X - disabled, R - running 
 0    name="wlan1" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B3 
      arp=enabled interface-type=Atheros AR9300 mode=station ssid="WiFi" 
      frequency=2412 band=2ghz-b/g channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

 1  R name="wlan2" mtu=1500 l2mtu=1600 mac-address=74:4D:28:0F:69:B2 
      arp=enabled interface-type=Atheros AR9888 mode=ap-bridge ssid="WiFi" 
      frequency=5180 band=5ghz-n/ac channel-width=20mhz secondary-channel="" 
      scan-list=default wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 
      wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no 
      bridge-mode=enabled default-authentication=yes default-forwarding=yes 
      default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no 
      security-profile=default compression=no 

WA.v8.4.2# ssh admin@192.168.88.2  'interface wireless registration-table print'
admin@192.168.88.2's password: 
 # INTERFACE           RADIO-NAME       MAC-ADDRESS       AP  SIGNAL... TX-RATE
 0 wlan2                                A7:32:54:EE:E4:35 no  -77dBm... 18Mbps 
 1 wlan2                                34:7A:F4:43:AD:81 no  -69dBm... 6Mbps  

WA.v8.4.2# exit

Ubiquiti AirMax – Set radio to use DHCP from command line

Gain access to radio via ssh

ssh ubnt@192.168.1.20

open up the /tmp/system.cfg

vi /tmp/system.cfg

Delete the following line. To move the cursor to the following line and type “dd” and vi will delete the whole line.

dhcpc.status=disabled   

Add the following 5 lines. Hit “i” to enter vi insert mode.
br0 should be correct interface in most scenarios.

dhcpc.1.devname=br0          
dhcpc.1.fallback=192.168.1.20
dhcpc.1.fallback_netmask=255.255.255.0
dhcpc.1.status=enabled
dhcpc.status=enabled

Save the file by hitting esc and then “:wq” followed by Return/Enter

Save the config changes and reboot the radio so it pulls an address.

/usr/etc/rc.d/rc.softrestart save && reboot