Code By
Lucas Mouilleron

Nice minimal setup for hostile environments :)

Install - Ubuntu

• From root or sudo user:usermod -aG sudo username
• From user username: sudo ls
• From user username: export SSH_PASSPHRASE="12345" if SSH passphrase desired (more than 5 characters)
• From user username: cd $HOME;sh <(wget -o /dev/null -qO- https://raw.githubusercontent.com/lucasmouilleron/Survival/master/ubuntu.sh)

Install - Others

TODO :)

A simple watchtower service.
Heartbeat monitoring + event agregator.

Hearbeat definitions

• The server is in charge of monitoring services
• When a service is considered dead, the server then alerts its owner
• A service is a pulsing agent
• A pulse is a sign of aliveness
• When a service pulse the server, it tells him when he will pulse again in the worst case
• If the service has not pulsed again in time, the server considers the service dead and alerts its owner
• When a service is no longer required, it must inform the server to avoid a false dead alerts
• An alert can be a mail, a pushover message, etc.

Event definitions

• The server is in charge or recieving events
• When a service sends an event, the server stores it
• On demand, events can be retrieved for consultation
• An event is: service + message + level + date of registration

Implementation

• HTTP client / server architecture
• All queries protected by password set in HTTP headers under "password"
• Heartbeat protocol:
  • Pulse:
    • POST /
    • {"service":"SERVICE_NAME","alertType":"ALERT_TYPE","alertTarget":"TARGET_NAME","nextIn":EXPECTED_NEXT_HEARTBEAT_IN_SECS}
  • Cancel:
    • DELETE /
    • {"service":"SERVICE_NAME"}
  • List:
    • GET /
• Event protocol:
  • Add:
    • POST /add-event
    • {"service":"SERVICE_NAME", "level":"level", "message":"the message"}
  • List:
    • GET /list-events
    • optional params: service (is), from (above), to (below), level (above), message (contains)

Server

• ./server
• python3
• Dependencies: pip install -r requirements.txt
• Config:
  • config/config.json: main config (cp config/sample.json config/config.json)
  • config/server.crt, config/server.key: SSL certificate, used only if SSL activated
• Datas: data
• Deploy:
  • Install dependencies
  • Setup config
  • Generate ssl certificates (optional)
  • Hook in with upstart (optional, ./server/config/sample.upstart.conf, http://upstart.ubuntu.com/getting-started.html)
• Run: python server.py
• Docker:
  • ./docker
  • Config: place server config files in ./docker/config
  • Interactive: cd docker && tools/dockerBuild && tools/dockerRun
  • Detached: cd docker && tools/dockerBuild && tools/dockerRunDetached

Server GUI

• https://hostname.com:443/gui

Java Client

• ./clientJava
• Java 7+
• No dependencies
• Run test:

Python Client

• ./clientPython
• python3
• Dependencies: requests (pip install requests)
• Run test: python test.py

Javascript client

• ./clientJavascript
• client.js is a node module
• Dependencies: packages.json -> devDependencies (npm install)
• Run test: node test.js
• Run test in browser: browserify test.js -o bundle.js and open test.html in browser

Certificates

• Self signed: openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
• Letsencrypt: TODO

TODO

• Put data writing in a queue
• Put alert sending in a queue
• (Way) better events persister

Temporally give ssh access to your friends.

sshForFriends uses friends public keys to give them access to the computer.
When sshForFriends has finished running, public keys are cleaned and friends can't access the computer anymore.
Public keys are fetched from known identity providers.

Tested on macOS and Ubuntu.

No password, no hastle, 100% SSH.

Usage

• sshForFriends [OPTIONS] friendUsername
• friendUsername is the friend username which will be granted access (identity provider username)
• sshForFriends -h for more usage help

Identity providers

• id_rsa: key from cat $HOME/.ssh/id_rsa.pub on your friend's machine (-r RSA_PUB_KEY)
• Github : keys from https://github.com/$USER_NAME.keys (-g, -i github)
• Keybase : keys from https://$USER_NAME.keybase.pub/id_rsa.pub (-k, -i keybase)

Behind a firewall

• If the computer being accessed is behind a firewall, sshForFriends can use a public server for ssh forwading.
• See params -x, -l, -m and -n
• On the public server, make sure GatewayPorts yes is set in the /etc/ssh/sshd_config file
• See examples below

Miscs

• macOS, enable ssh server : sudo systemsetup -setremotelogin on

Examples

• Give access from a machine to lucasmouilleron in one line : curl -sL https://raw.githubusercontent.com/lucasmouilleron/sshForFriends/master/sshForFriends -o $HOME/sshForFriends ; chmod a+x $HOME/sshForFriends ; $HOME/sshForFriends -g lucasmouilleron
• Give access from a machine to lucasmouilleron in one line : curl -sL https://raw.githubusercontent.com/lucasmouilleron/sshForFriends/master/sshForFriends -o $HOME/sshForFriends ; chmod a+x $HOME/sshForFriends ; $HOME/sshForFriends -k lucasmouilleron
• Give access from a machine behind a firewall to lucasmouilleron in one line : curl -sL https://raw.githubusercontent.com/lucasmouilleron/sshForFriends/master/sshForFriends -o $HOME/sshForFriends ; chmod a+x $HOME/sshForFriends ; $HOME/sshForFriends -g -x lucasmouilleron.com -l sshtunnel -m 10022 lucasmouilleron
• Give access from a machine behind a firewall to a friend with pub key in one line : curl -sL https://raw.githubusercontent.com/lucasmouilleron/sshForFriends/master/sshForFriends -o $HOME/sshForFriends ; chmod a+x $HOME/sshForFriends ; $HOME/sshForFriends -r "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDqN4/IlNfY8I5AUYYnj9mieJ9Uyx4rMbZjxyukmwM1nqSpTmFBs5xdqtE1Qi1DDb6V0Nphua80GUxXfIiKmbJVuOnrBjX2qInwMPtFxJ0gr8adXYIamcCVylcCPm2qO418KQpuHNM1es5s0a2hzuuRCtw6trysq/SCSIp6o05OEdHP8CbfCdFA+P7sy99XHG3yGzqHdU0D04ScDePzm1buSOXqQRCrSkuLmRMBhtRQSj7UAI3IlRcF3tEFPqAywjwnZVIvv6fUoXnpJuoCzBPuJv5D5lo06xixwIvHc39t1r4Tv/OrD+EyWfPsmCpLGfEkMRBqmj/ds5c4y6NjO9cl" -x lucasmouilleron.com -l sshtunnel -m 10022 yourfriendname

Credits

• Inspired by https://github.com/flplv/ssh-allow-friend