--EOF--
--EOF--
--EOF--
--EOF--
二年多之前刷过一次,再也没有更新,这次是突发奇想,想看看WAN出口的每月总带宽,新版本支持,这样就要刷新一下满足好奇心了。
From http://www.dd-wrt.com/wiki/index.php/%E5%AE%89%E8%A3%85
这个是使用无线进行更新的唯一安全的办法。
通过命令行刷新
此功能对于已安装 DD-WRT 并开启 Telnet/SSH 功能的路由器有效。
这是 *唯一* 建议使用的可以 无线 操作的刷新方法。
1) telnet 或 ssh 登录至路由器
2) 使用 wget 或 scp 将固件文件 dd-wrt.v2*_generic.bin 下载至 /tmp
2a) 作为替代手段,如果您有已 mount 的 share 目录,可以从那里下载固件
3) (可选,但建议执行) 比较原版及下载文件的 MD5 校验码
4)
cd /tmp
write dd-wrt.v2*_generic.bin linux
5) 等待...
6) 重启 -- reboot
7) 通过网页界面,恢复出厂默认设置
8) 对于 V23 SP2: 如果某些功能不正常,请执行一次硬复位。硬复位: 按住复位按钮的同时插上路由器电源,并按住30秒。请不要使用从旧版固件中备份出的配置文件。您必须重新设置路由器。
--EOF--
和FastDomain的多个客服线上确认,即使购买了Dedicated IP,也无法更改SSHD的访问端口,而对于我来说,这个东西实际上还是很重要的。
但经过前几天的一些探索,有了另外一个想法,直接使用ssh提供的Port Forward功能或许可以达到类似的效果,前提当然是能让我绑定很多其它端口了:)
https://www.fastdomain.com/cgi/dedicated_ip
What is a Dedicated IP Address?
An IP address is a number like 234.123.66.7 that identifies the unique server where your website can be found. In shared hosting, you share the same IP address as other web sites on your server. By upgrading to a Dedicated IP address, you can enable your site for e-commerce and other advanced capabilities, and minimize the risk of being impacted by other sites on your shared server.
Top Reasons to get a Dedicated IP:
So you can enable SSL on your web site - SSL Certificates are crucial if you have a business oriented website, especially if you want to accept secure transactions like credit card payments or sending personal information through your site. Secure SSL Certificates require your site to have a Dedicated IP in order to work.
Ability to run more software on your server - Certain programs require a dedicated IP address before they can be setup and used. With a dedicated IP you will have more options on the type of scripts you can run.
Ability to open non-standard ports - Purchasing a dedicated IP will allow us to grant you access to additional ports you may need to run special services on that are blocked for shared IPs.
So you won't be negatively impacted by the actions of others - On a shared IP, if someone else sharing your same IP happens to get blocked by IP or censored, as some countries or ISPs sometimes do. Their IP (and yours) could get banned or blacklisted, causing problems for your web site or search engine rankings.
Your website may perform better in the search engines - Although difficult to prove, many people believe that sites with a dedicated IP address rank better in the search engine results than those utilizing shared IP addresses.
You can view your web site by typing its IP address - This is handy for situations where you want to access your site, but your domain name is inaccessible, such as during domain name propagation periods.
Only $2.50 per month ($30.00 per year)*
--EOF--
http://hi.baidu.com/davyup/blog/item/229e99cb25e8b51abf09e66d.html
向隧道-隧道监听本地port,为普通活动提供安全连接
ssh -qTfnN -L port:host:hostport -l user remote_ip
2.反向隧道----隧道监听远程port,突破防火墙提供服务
ssh -qTfnN -R port:host:hostport -l user remote_ip
3.socks代理
SSH -qTfnN -D port remotehost(用证书验证就直接主机名,没用的还要加上用户名密码)
-q Quiet mode. 安静模式,忽略一切对话和错误提示。
-T Disable pseudo-tty allocation. 不占用 shell 了。
-f Requests ssh to go to background just before command execution. 后台运行,并推荐加上 -n 参数。
-n Redirects stdin from /dev/null (actually, prevents reading from stdin). -f 推荐的,不加这条参数应该也行。
-N Do not execute a remote command. 不执行远程命令,专为端口转发度身打造。
虽然反向隧道在穿透内网放火墙的时候很好用,cron加上ssh-agent能实现无人职守下的主动连接,但是目前面临一个比较严重的问题,那就是隧道的不稳定性,基本上ssh反向隧道只能坚持10分钟左右就莫名奇妙的关闭掉了,是网路太差引起的断线?还是反向隧道本身的不完善性?我试图在网上找一个ssh社区去询问一下高手,但是我发现这样的社区是不存在的....也许有人会说可以每隔十分钟再重新发一次反向连接阿,但是经我尝试,发现即使是每隔10分钟重发一次反向隧道也不能解决问题,因为虽然反向隧道中断但反向隧道的进程还在,即使重发请求也不能将反向隧道重新接通...
http://sdfclub.cn/viewtopic.php?t=118&sid=cb71241647edd5cdc82b454bbdb9aa5c
There are two kinds of port forwarding: local and remote forwarding. They are also called outgoing and incoming tunnels, respectively. Local port forwarding forwards traffic coming to a local port to a specified remote port.
For example, if you issue the command
ssh2 -L 1234:localhost:23 username@host
all traffic coming to port 1234 on the client will be forwarded to port 23 on the server (host). Note that localhost will be resolved by the sshdserver after the connection is established. In this case localhost therefore refers to the server (host) itself.
Remote port forwarding does the opposite: it forwards traffic coming to a remote port to a specified local port.
For example, if you issue the command
ssh2 -R 1234:localhost:23 username@host
all traffic which comes to port 1234 on the server (host) will be forwarded to port 23 on the client (localhost).
It is important to realize that if you have three hosts, client, sshdserver, and appserver, and you forward the traffic coming to the client's port x to the appserver's port y, only the connection between the client and sshdserver will be secured. See Figure Forwarding to a third host. The command you use would be something like the following:
ssh2 -L x:appserver:y username@sshdserver
http://www.dd-wrt.com/wiki/index.php/Telnet/SSH_and_the_Command_Line#Remote_Port_Forwarding
Remote Port Forwarding
This is useful to tunnel things like RDP (Remote Desktop) through an encrypted SSH tunnel over the internet. For example, you want to be able to access your work computer from home.
If you had:
HomePC <-> Router <-> Internet <-> Firewall <-> WorkPC
WorkPC, which is running RDP on port 3389, issues ssh -R 5555:localhost:3389 root@router.home
HomePC can use his RDP client to connect to port 5555 on the router and this would create an SSH tunnel which will connect HomePC to port 3389 on the WorkPC
注解:
在WorkPC 执行 ssh -R 5555:localhost:3389 root@router.home
这样 localhost会解析为WorkPC
HomePC对router.home的5555端口的访问被转发到WorkPC的3389端口
--EOF--
SSH
zz From http://zhigang.org/wiki/SSH
目录
通过ssh建立安全隧道(ssh tunnelling,也称端口映射,Port Forwarding)
本地映射(Local Forward)
远程映射(Remote Forward)
公钥认证
配置ssh使用代理服务器,穿越企业防火墙
加快SSH连接速度方法
使用expect实现ssh自动交互
SSH保持连接(KeepAlive)
参考资料
本章记录了自己在使用SSH的过程中遇到的一些问题,及其解决方法。
通过ssh建立安全隧道(ssh tunnelling,也称端口映射,Port Forwarding)
通过ssh的端口映射功能可以方便地存取一下无法直接访问的资源。又分为本地映射(Local Forward)和远程映射(Remote Forward)。
本地映射(Local Forward)
$ ssh -f -g -A -X -N -T -L 1234:remote-host2:5678 user@remote-host或者通过修改ssh的配置文件:
$ cat ~/.ssh/config
Host remote-host
Hostname x.x.x.x (your remote host IP)
LocalForward 1234:remote-host2:5678
User user
$ ssh user@remote-host所有对本地1234端口的访问都通过remote-host被转发到remote-host2的5678端口。有些DMZ中只开放sshd的22端口,通过本地映射,你可以访问远程计算机上的所有服务。
远程映射(Remote Forward)
$ ssh -f -g -A -X -N -T -R 1234:remote-host2:5678 user@remote-host或者通过修改ssh的配置文件:
$ cat ~/.ssh/config
Host remote-host
Hostname x.x.x.x (your remote host IP)
RemoteForward 1234:remote-host2:5678
User user
$ ssh user@remote-host所有对remote-host的1234端口的访问都通过本机被转发到remote-host2的5678端口。通过远程映射,你可以通过家中的机子(有公网IP,可以ssh登录)来访问公司防火墙内部的计算机。
公钥认证
使用公钥认证经常遇到的问题就是一些文件的权限问题。一些问题可以通过查看/var/log/secure来发现。
要配置两台计算机使用公钥认证,可以通过分别在两台机子host1、host2上运行如下脚本:
$ ssh-keygen -t rsa -b 1024 # don't input any password
$ ssh $host1 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ ssh $host2 cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys # important!
配置ssh使用代理服务器,穿越企业防火墙
通过 http://zippo.taiyo.co.jp/~gotoh/ssh/connect.html 下载connect.c,编译,拷贝到系统/usr/bin目录:
$ gcc connect.c -o connect
$ sudo cp connect /usr/bin编辑ssh的配置文件~/.ssh/config,增加:
$ cat ~/.ssh/config
Host remote-host
ProxyCommand connect -H your.proxy.com:port %h %p
$ ssh user@remote-host
加快SSH连接速度方法
SSH登录时会进行DNS反查,如果你的DNS Server速度比较慢,会发生等待。知道了原因解决方法就出来了:就是提高域名解析的速度。可以将主机名写到/etc/hosts中来解决。
使用expect实现ssh自动交互
下面是使用expect实现的自动远端命令执行的脚本remote-exec:
# \
exec expect -- "$0" ${1+"$@"}
# remote-exec - execute command on remote host
# Version 0.1
# Zhigang Wang <zhigang.x.wang@oracle.com>
exp_version -exit 5.0
if {$argc!=2} {
send_user "usage: remote-exec command password\n"
send_user "Eg. remote-exec \"ssh user@host ls\\; echo done\" password\n"
send_user "or: remote-exec \"scp /local-file user@host:/remote-file\" password\n"
send_user "or: remote-exec \"scp user@host:/remote-file local-file\" password\n"
send_user "or: remote-exec \"rsync --rsh=ssh /local-file user@host:/remote-file\" password\n"
send_user "Caution: command should be quoted.\n"
exit
}
set cmd [lindex $argv 0]
set password [lindex $argv 1]
eval spawn $cmd
set timeout 120
while {1} {
expect -re "Are you sure you want to continue connecting (yes/no)?" {
# First connect, no public key in ~/.ssh/known_hosts
send "yes\r"
} -re "assword:" {
# Already has public key in ~/.ssh/known_hosts
send "$password\r"
} -re "Permission denied, please try again." {
# Password not correct
exit
} -re "kB/s|MB/s" {
# User equivalence already established, no password is necessary
set timeout -1
} -re "file list ..." {
# rsync started
set timeout -1
} -re "bind: Address already in use" {
# For local or remote port forwarding
set timeout -1
} -re "Is a directory|No such file or directory" {
exit
} -re "Connection refused" {
exit
} timeout {
exit
} eof {
exit
}
}
SSH保持连接(KeepAlive)
可以使用下面的方法:
增加下面的内容到~/.ssh/config或者/etc/ssh/ssh_config:
Host *
ServerAliveInterval 60 # in second执行下面的脚本:
while date; do sleep 10; done当要输入命令时,只需要按下ctrl-c.
参考资料
OpenSSH official site.
OpenSSH Manual Pages.
The Secure Shell(tm) Frequently Asked Questions.
SSH Tunnelling (Port Forwarding).
SSH Port Forwarding.
SSH Proxy Command -- connect.c.
Corkscrew -- tool for tunneling SSH through HTTP proxies.
SSH Host Key Protection.
SSH and ssh-agent.
The Expect Home Page.
Pexpect - a Pure Python Expect-like module.
--EOF--
1.公司只提供23 443 80 端口访问
2.FastDomain主机只提供22端口ssh访问
1.路由器设置端口转发: 443 -> 192.168.1.1:1080
2.路由器运行:ssh -N -g -L 1080:guduo.net:22 xxx@guduo.net
转发所有访问路由器1080端口的请求到guduo.net的22端口
ssh访问路由器1080端口时,实际就是访问guduo.net的22端口,可以看putty访问示例日志:
login as: xxx
xxx@192.168.1.1's password:
Last login: Fri Dec 25 08:07:06 2009 from fast22.fastdomain.com
[xxx@fast22 /home/xxx]
$
3.本地通过plink连接路由器再连接FastDomain建立代理访问:
d:\green_soft\putty\plink.exe -N xxx@路由器WAN -P 443 -pw "xxx_pw" -D 127.0.0.1:1080
如果我在FastDomain购买了Dedicated IP,是否可以通过
ssh -N -g -L 8000:localhost:22 xxx@localhost 来直接开启一个8000端口的ssh服务呢?
路由器上测试:
~ # ssh -N -g -L 1080:192.168.1.1:80 root@192.168.1.1
root@192.168.1.1's password:
将1080也直接指向httpd的80服务~
ssh -N -g -L 1080:guduo.net:22 xxx@guduo.net
所有对本地的1080端口的访问都通过guduo.net被转发到guduo.net的22端口
ssh -N -g -L 1080:guduo.net:22 root@127.0.0.1
所有对本地的1080端口的访问都通过127.0.0.1被转发到guduo.net的22端口
zz From http://zhigang.org/wiki/SSH
本地映射(Local Forward)
$ ssh -f -g -A -X -N -T -L 1234:remote-host2:5678 user@remote-host或者通过修改ssh的配置文件:
$ cat ~/.ssh/config
Host remote-host
Hostname x.x.x.x (your remote host IP)
LocalForward 1234:remote-host2:5678
User user
$ ssh user@remote-host所有对本地1234端口的访问都通过remote-host被转发到remote-host2的5678端口。有些DMZ中只开放sshd的22端口,通过本地映射,你可以访问远程计算机上的所有服务
--EOF--
dropbear -w -F -E -p 8000 -P /home/xxx/sshd/dropbear_sshd.pid -d /home/xxx/sshd/dropbear_dss_host_key -r /home/xxx/sshd/dropbear_rsa_host_key
dropbearkey -t rsa -f dropbear_rsa_host_key -s 1024
dropbearkey -t dss -f dropbear_dss_host_key -s 1024
ssh xxx@127.0.0.1 -p 8000
chsh --list-shells
chsh -s /bin/sh yimutian
$ chsh -s /bin/sh xxx
Changing shell for xx.
Password:
[25376] Dec 19 05:56:32 Child connection from ::ffff:127.0.0.1:58456
[25376] Dec 19 05:56:38 user 'xxx' has invalid shell, rejected
From FastDomain Support:
1.Can't Change Login Shell
2.Can't Change sshd port
3.What Can I Do ?
--EOF--
