Posts tagged as:

SSH

How to Keep Alive SSH Sessions

February 7, 2010

in How to,Linux,Windows

Many NAT firewalls time out idle sessions after a certain period of time to keep their trunks clean. Sometimes the interval between session drops is 24 hours, but on many commodity firewalls, connections are killed after as little as 300 seconds. To avoid having your SSH sessions become unresponsive after e.g. 5 minutes, do the following:

On Windows (PuTTY)

In your session properties, go to Connection and under Sending of null packets to keep session active, set Seconds between keepalives (0 to turn off) to e.g. 300 (5 minutes).

On Linux (ssh)

To enable the keep alive system-wide (root access required), edit /etc/ssh/ssh_config; to set the settings for just your user, edit ~/.ssh/config (create the file if it doesn’t exist). Insert the following:

Host *
    ServerAliveInterval 300
    ServerAliveCountMax 2

You can also make your OpenSSH server keep alive all connections with clients by adding the following to /etc/ssh/sshd_config:

ServerAliveInterval 300
ServerAliveCountMax 2

These settings will make the SSH client or server send a null packet to the other side every 300 seconds (5 minutes), and give up if it doesn’t receive any response after 2 tries, at which point the connection is likely to have been discarded anyway.

From the ssh_config man page:

ServerAliveCountMax
Sets the number of server alive messages (see below) which may be sent without ssh(1) receiving any messages back from the server. If this threshold is reached while server alive messages are being sent, ssh will disconnect from the server, terminating the session. It is important to note that the use of server alive messages is very different from TCPKeepAlive (below). The server alive messages are sent through the encrypted channel and therefore will not be spoofable. The TCP keepalive option enabled by TCPKeepAlive is spoofable. The server alive mechanism is valuable when the client or server depend on knowing when a connection has become inactive.

The default value is 3. If, for example, ServerAliveInterval (see below) is set to 15 and ServerAliveCountMax is left at the default, if the server becomes unresponsive, ssh will disconnect after approximately 45 seconds. This option applies to protocol version 2 only; in protocol version 1 there is no mechanism to request a response from the server to the server alive messages, so disconnection is the responsibility of the TCP stack.

ServerAliveInterval
Sets a timeout interval in seconds after which if no data has been received from the server, ssh(1) will send a message through the encrypted channel to request a response from the server. The default is 0, indicating that these messages will not be sent to the server, or 300 if the BatchMode option is set. This option applies to protocol version 2 only. ProtocolKeepAlives and SetupTimeOut are Debian-specific compatibility aliases for this option.

How To Set Up Simple SSH Tunneling

January 25, 2010

in How to,Linux,Security,Windows

By far the easiest way to set up a simple connection proxy is to use the SSH tunneling feature of either PuTTY on Windows or SSH on Linux. This lets you establish connections to servers and ports that you might not be able to access (e.g. from work), as long as you can connect to your server’s SSH service (e.g. myserver.com port 22). This might be for privacy reasons, to connect to MSN from work, to browse a blocked website, et cetera.

On Windows Machines

  1. Download and open PuTTY
  2. In the fields ‘Address’ and ‘Port’, enter the address and port for your SSH server
  3. Go to ‘Connection’ -> ‘SSH’ -> ‘Tunnels’ on the left-hand side
  4. In ‘Source port’, enter 31337, then click the button ‘Dynamic’ and then ‘Add’
  5. Go back to the main ‘Session’ screen
  6. In the ‘Saved Sessions’ text box, enter e.g. “My Shell” and click ‘Save’
  7. Double-click “My Shell” to establish a connection, then log in to your shell
  8. In any application that supports connecting through a proxy, set the following settings:
    • Proxy type: SOCKS 5
    • Proxy server: 127.0.0.1
    • Proxy port: 31337

You can also set these as your global proxy settings in Windows (via ‘Control Panel’ -> ‘Internet Properties’ -> ‘Connections’ -> ‘LAN settings’ -> “Use a proxy server for your LAN” -> ‘Advanced’ -> ‘Socks’: 127.0.0.1:31337. This will cause most applications to connect through the SSH tunnel to your server.

In the future, just open PuTTY and double-click “My Shell” to open your shell and activate the SSH tunneling.

On Linux Machines

  1. Open a terminal
  2. Enter e.g.: ssh -D31337 myuser@myserver.com -N
  3. Log in to your shell
  4. In any application that supports connecting through a proxy, set the following settings:
    • Proxy type: SOCKS 5
    • Proxy server: 127.0.0.1
    • Proxy port: 31337

Alternatively, enter e.g.: ssh -L 31337:patrickmylund.com:80 myuser@myserver.com -N. Here, you specify the target host and port before-hand; the result is that all connections to 127.0.0.1 port 31337 will be tunneled through your server, myserver.com, using your username, myuser, to the target machine, patrickmylund.com, port 80.

The SSH tunnel will stay active until you close the terminal window or hit CTRL+C (Linux), or close PuTTY (Windows).