Docs
General
Networking

Commands

# all port usage
netstat -pnltu
 
# specific port usage
lsof -i :9000
netstat -ltnp | grep -w ':80'

Endpoint Info

Useful when trying to verify if headers are acting as they're supposed to when building an API

curl -is http://google.com
HTTP/2 301
location: https://www.google.com/
content-type: text/html; charset=UTF-8
date: Fri, 23 Apr 2021 15:36:48 GMT
expires: Sun, 23 May 2021 15:36:48 GMT
cache-control: public, max-age=2592000
server: gws
content-length: 220
x-xss-protection: 0
x-frame-options: SAMEORIGIN

Find IP Address

Private IP

Find private IP address of device. This address is used to access a self hosted service from within the same wifi or local network. Any application hosted locally on 0.0.0.0 is shared on this address.

# get private ip address
# if this returns two entries, ignore loopback ip (127.0.0.1)
# ignore everything after the slash
nmcli -p device show | grep "IP4.ADDRESS"
 
# or
 
# ip is the inet of the currently active interface
ip addr
# check if firewalls are disabled, they can cause issues here
sudo ufw status

Public IP

Find externally accessible public IP address of device.

curl ifconfig.me # ipv4
curl ipinfo.io/ip # ipv4
curl api.ipify.org # ipv4
curl ident.me # ipv6

SSH

Hardened config

# Include /etc/ssh/sshd_config.d/*.conf
 
# Listen on
Port 7777
 
# Protocol
Protocol 2
 
# HostKeys
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
 
# Algorithms
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
 
# Logging
LogLevel VERBOSE
 
# Sessions
MaxAuthTries 3
MaxSessions 3
ClientAliveInterval 60
ClientAliveCountMax 3
 
# Authentication
LoginGraceTime 2m
AuthenticationMethods publickey
PubkeyAuthentication yes
UsePAM yes
PermitRootLogin no
 
# Disable password login
PermitEmptyPasswords no
PasswordAuthentication no
KbdInteractiveAuthentication no
 
# Disable port forwarding
AllowTcpForwarding no
AllowStreamLocalForwarding no
GatewayPorts no
PermitTunnel no
 
# Disable X11 forwarding as X11 is very insecure
X11Forwarding no
 
# Verify hostname matches IP
UseDNS yes
 
# Ignore .rhosts and .shosts
IgnoreRhosts yes
 
# Don't allow .rhosts or /etc/hosts.equiv
HostbasedAuthentication no
 
# Disable user environment
PermitUserEnvironment no
 
# Other settings
PrintMotd no
Compression no
TCPKeepAlive no
AllowAgentForwarding no
 
# Override default (this location might be different)
Subsystem sftp /usr/lib/openssh/sftp-server -f AUTHPRIV -l INFO

Port Forwarding

ssh -N -L 8888:127.0.0.1:80 user@server.com

The command above attaches the server's port 80 to local port 8888. Meaning if a site is hosted on port 80 on the server. I can view it by going to 127.0.0.1:8888 on my browser.

The command above doesn't give any output. So if there isn't anything, that means its probably working as intended.

Service Ports

If ports aren't defined for inbuilt services at /etc/services, all of the tools that depend on it fail. Use this (opens in a new tab) link if anything happens to it. Simply paste in everything.

NTP

With the following UFW rules should be present for NTP to work correctly.

sudo ufw allow 123/udp
sudo ufw allow out 123/udp
sudo ufw allow out 53

UDP port 123 is allowed for both incoming and outgoing traffic to NTP work. Additionally TCP port 53 (DNS) is opened for outgoing traffic since /etc/ntp.conf contains domain names of NTP servers.

!!! error "" If Servname not supported for ai_socktype and ntp is displayed when starting NTP. The service file is probably fucked. Check out how to replace it here. More info here (opens in a new tab).

BunkerWeb ModSecurity Tuning

If a service is being blocked by modsecurity core rule set, you'll need to add an exception. First check the specific url that's being blocked. You can do this through the network tab in the browser or the BunkerWeb docker logs. It should look like this;

bunkerweb | [warn] ModSecurity: Warning. Matched "Operator `Rx' ... [id "99999"] ... request: "POST /api/graphql"
bunkerweb | [error] ModSecurity: Access denied with code 403 (phase 2). Matched ... [id "949110"]

First a rule by the id 99999 is matched against a request that was made to the website. This is marked as a warning by modsecurity. After that a new rule 949110 is created on the fly by the server against the client IP to block it access to /api/graphql.

So the rule we need to exclude is 99999. Sometimes it might be one rule or it might be a chain with multiple rules that need to be excluded.

Here I'm excluding rules with id 99999 and 88888 for the domain example.com for the path /api/graphql by creating a new rule with id 1000100 and naming it graphql.

environment:
	- example.com_CUSTOM_CONF_MODSEC_CRS_graphql=
	SecRule REQUEST_FILENAME "^/api/graphql" "id:1000100,phase:1,pass,nolog,ctl:ruleRemoveById=99999,ctl:ruleRemoveById=88888"

! To avoid conflicts, use rule ids past 1,000,000. Only 1-99,999 are reserved for CRS but this ensures there won't be any conflicts any time soon.

Ghost

By default the port is set to 2369. If you visit that port, it'd show nothing. The correct port is 2368

Troubleshooting

ssh Received disconnect from port <port>:2: Too many authentication failures

One major cause for this error is having multiple keys in your .ssh directory. When encountering this, either specify the key you want to use or add the key to the ssh config.

ssh -i ~/.ssh/id_rsa user@host
Host example.com
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly=yes

Error connecting to agent: Permission denied when trying to run ssh-add

First check if the key permissions are correct. You want both the key folder and the key itself to only be readable by the user. This is recommended.

chmod 0700 ~/.ssh
chmod 600 ~/.ssh/*

If the file's permissions aren't the issue, there can be several other causes. You could have incorrect permissions set on any of the directories ~/.ssh or ~/.ssh/keyfolder (technically also on ~ but then this wouldn't be the only symptom). Use ls -adl to inspect those directories. They should have rwx for you, but --- for both group and world.

Another issue could be (but this is quite rare) is that the ssh-add binary has the setuid bit set, causing it to run as a different user, and hence have no right to read your private key. Use ls -lh $(which ssh-add) to inspect this. If it returns an agent instance run by a different user. Kill it running ssh-agent -k after logging in as that user.

Source (opens in a new tab)