What's the risk of upgrading over SSH?


@Marco-Ceppi 's solution is already integrated into do-release-upgrade.

When you run do-release-upgrade it starts a screen session automatically. If your ssh session gets disconnected, you can resume the installation. All you have to do is open a new ssh session, and run do-release-upgrade again. It will reconnect to your previous installation.

A second risk, pointed out by @sepp2k is that your sshd server might need to be upgraded, and it could perhaps not restart correctly. Therefore the upgrade program runs a second deamon, at the port specified. You should check your network configuration to make sure you have access through this port, before resuming.

Good luck.

Moreover, the screen-session do-release-upgrade starts by itself is run under the root account, so if your own screen-session crashes, you will be able to recover by running sudo screen -x, if (for some reason) the command do-release-upgrade doesn't recover it by itself, which seems to be...

0 0

Here's how I'm doing it.




Be aware that

You are about to Start a Very Dangerous Process

. If you have only SSH access, without ability to remote reboot and select the bootloader entry, any loss of connection to remote machine into process will be equivalent with a nice remote brick.

First of all, I suggest you to use a local backup to populate a virtual machine and to test, test and test again the process, before to do it on-line. Being beyond of two versions, I suggest you to do a "clean install".

In theory, create a little partition, about 10G, if you do not already have, eventually temporary sacrifice the SWAP partition (you have one, right?) and format it with ext4, and install there the 14.1 version. Configure it with great attention, to be ensure that it will go on-line. then, install the new&fresh system into bootloader, as some secondary...

0 0

I am not a “real” system administrator but I manager sever VPS servers for my own web sites. This is what I did to update from Ubunutu LTS 10.04 to Ubunutu VPS 12.04.

I already have all the code and databases backed up, off the server, regularly. I backed up various things to another machine: sites-available files, cron directories, .bashrc, .profile, keys. I tried running the preferred upgrade command

But got the message

-bash: do-release-upgrade: command not found

Then I ran

Then I was able to run

Which resulted in this somewhat scary message

This session appears to be running under ssh. It is not recommended to perform a upgrade over ssh currently because in case of failure it is harder to recover.

If you continue, an additional ssh daemon will be started at port ‘9004’.
Do you want to continue?

I look around on the web for advice. What’s the risk of upgrading over SSH? seems a good recap. I then continued. I then got...

0 0

My opinion on security and obscurity is that obscurity can in fact help improve an already sound security posture. That’s keeping in mind that it should never become security by obscurity — which is definitely bad.

Anyway, I’ve debated this issue for years with many people, and I remain convinced that my position on the matter is correct. But tonight I decided to do some very coarse testing of the idea using the SSH daemon.

I decided to configure my SSH daemon to listen on port 24 in addition to its regular port of 22 so I could see the difference in attempts to guess credentials on each. My expected result is far fewer attempts to access SSH on port 24 than port 22, which I equate to less risk to my, or any, SSH daemon.

It’s quite simple to set this up; you just put two port lines in your config instead of one, and then restart your daemon:

Port 22 Port 24

Then I added logging to a couple of my firewall rules:

-j LOG --log-level 7...
0 0

I am trying to kill a process, remotely, through the java interface to the shell, using ProcessBuilder. My code looks like this:

ProcessBuilder builder = new ProcessBuilder( "ssh", "[email protected]", "pkill -f \"'instanceId XXXXXX'\""); Process process = builder.start();

Where instanceId XXXXX matches some command line args from the launching of the process.

When I get the final command string, using


it returns

ssh [email protected] pkill -f "'instanceId XXXXX'"

which, when run manually on the command line works. Unfortunately, when run by the ProcessBuilder, it is incapable of identifying the target process.

After spending far too many hours fighting with arguments over ssh/ProcessBuilder in the last weeks, could someone shed some light on why it's doing this, and maybe point me at some relevant documentation that isn't completely cryptic?

The issue is with the double quotes.

When you run the command on the...

0 0

Background: I am forced to remotely upgrade a server from Ubuntu 8.04 LTS to 10.04 LTS due to an incompability issue with the raid controller.

The internet connection to the server is somewhat stable and seldom drops. Despite that I am concerned about losing the connection over SSH while doing the upgrade, leaving the server in an unreachable state. I am also worried about the server not being able to boot after the upgrade, in case I will be unable to know what is the problem.

Action plan: What I am looking for is advice to minimize the risk of losing the server, I am aware that what I am doing is very risky. This is my current action plan:

1) Backup everything that matters, locally and externally.

2) Temporarily disable boot-time disk checks with fsck. (I will have no clue what is going on if the disk check would take a long time to finish). This would be done through fstab by changing the very last paramter from 1 to 0:

0 0

When I run

sudo do-release-upgrade

over ssh, I get the following message.

This session appears to be running under ssh. It is not recommended to perform a upgrade over ssh currently because in case of failure it is harder to recover. If you continue, an additional ssh daemon will be started at port '9004'. Do you want to continue?

What is the real risk of upgrading over ssh? How does the additional ssh daemon help mitigate this?

What I would recommend doing is launching a screen session on the server and running the upgrade in screen - that way if your SSH session drops (for whatever reason) the upgrade process will not halt.

Screen is a program that allows for persistent terminal(s) on a machine. So you can start a screen session and so long as the machine is on that screen session (and it's history, running programs, etc) will continue to operate though no one user is on the machine. It was designed in the early days to provide a multi-windowed text...

0 0

ssh not connecting
[celebithil@celebithil ~]$ ssh -i ~/.ssh/id_rsa xxxxxxxx -Tvvv
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /home/celebithil/.ssh/config
debug1: /home/celebithil/.ssh/config line 1: Applying options for xxx
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load /home/celebithil/.ssh/id_rsa as a RSA1 public key
debug1: identity file /home/celebithil/.ssh/id_rsa type 1
debug1: identity file /home/celebithil/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load /home/celebithil/.ssh/id_rsa as a RSA1 public key
debug1: identity file /home/celebithil/.ssh/id_rsa type 1
debug1: identity file /home/celebithil/.ssh/id_rsa-cert type -1
debug1: Remote...

0 0
0 0
On 2014-12-09 11:16, Thailandian wrote:
> I wonder if this problem is common to KDE apps, as I notice that Dolphin
> can be a bit sluggish too.

Video related.


An application runs in machine A, but displays in machine B.

There are two basic ways: a) machine A tells to B to display a square
box with letters. b) machine A sends to B a photo of what to display.
The second form is slower to transmit.

Traditional X applications did this correctly, but new designers want
shiny effects, and these are heavy to transmit over the wire, unless
they upgrade the X server in a way so that effects can be transmitted as
"generate this effect", instead of sending the bitmap.

Either that, or revert to a simpler mode, without effects, when running

Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)

0 0

In the preceding graph, the U.S. and China are still a significant chunk of the volume of login attempts, but note how much larger the bars for Columbia (CO) and Poland (PL) have become. In Figure 2, the U.S. accounted for ten of the top 50 attackers, and China had 16 of the top 50. In that figure, Columbia and Poland had only three of the top 50 and two of the top 50 attackers, respectively.

Does this mean that administrators should block network access from certain countries? Not necessarily, at least not because of the results shown in Figures 2 and 3. We will get back to this point later.

All that these graphs depict is where the login attempts originated. They do not depict the location of the actual miscreant who is attempting to break into the honeypot. The miscreant could be thousands of miles away or as close as next door. We can never know, because those who wish to do harm on the Internet often use compromised machines from all over the planet to accomplish...

0 0

In my last blog, I talked a bit about where SSH is used and provided an overview of the basic components of SSH and how they operate. As I discussed before, SSH is a powerful security tool, protecting privileged access to mission critical systems. However, when it is not properly managed, it can become a security liability instead of asset. My goal is to help you understand the underlying challenges of securing SSH. In this blog, I’ll summarize some of the risks related to SSH, so when we move on to talking about best practices in my next blog entry, you’ll know why they’re needed. While this blog provides a summary, I’ve included a link at the bottom of the post if you’re interested in downloading a detailed list of SSH vulnerabilities.

The diagram below provides a summary of SSH risks. As you can see, the risks span the SSH server and client, with most arising on the server side.

Unapproved SSH Servers
If you have users and administrators enabling SSH...
0 0

That locale stuff looks fine to me. It differs from my own in that LC_ALL looks like it's explicitly set, but that should be fine.

I'm unable to reproduce so far, via logging in to Debian 7 and Ubuntu 14.04 boxes from my OS X 10.9.5 laptop. The arrow prompt looks normal under both regular zsh and zsh under screen. The Ubuntu is a fresh install with all upgrades applied as of today, and I'm using the latest oh-my-zsh, also a fresh install.

Can you give us some more info to help reproduce?

What plugins do you have enabled for oh-my-zsh? Even better, could you post your entire ~/.zshrc file (from the Linux side), preferably as a gist?

What OS X version and terminal program (e.g. Terminal.app, iTerm2) are you using on the local Mac laptop side? What's the value of $TERM locally and in your ssh session? And what font are you using in your local...

0 0

Is there any way to make jconsole only connect through 9999 or use a proxy? Is this article still the best solution? Or, am I missing something?

Yes, that article is about right.

When you specify the JMX port on your server (-Dcom.sun.management.jmxremote.port=####), you are actually specifying just the registry-port for the application. When you connect it provides an additional server-port that the jconsole actually does all of its work with. To get forwarded to work, you need to know both the registry and server ports.

Something like the following should work to run your application with both the registry and server ports set to 8000. See here for more details.

-Dcom.sun.management.jmxremote.port=8000 -Dcom.sun.management.jmxremote.rmi.port=8000

As an aside, my SimpleJMX library allows you to set both ports easily and you can set them both to be the same port.

So, once you know both the port(s) you need to forward, you can set up your ssh...

0 0

There is a reason why by default your router's ports are closed and your firewall is strict on traffic is that these are your lines of defence against hackers. Every port you open, it is creating a small hole in your security for data to get into/out your computer. Eventhough it sounds scary, so long you don't go crazy and only open ports when you need them, you will have minimal risk. That said, to best protect yourself, if you are using a port you manually opened, close the port and reopen it later on a needed basis! This can be done from within the router or by disabling the rule from within the firewall.

Your ISP Could be Blocking your Portforwarding Attempts

Sometimes depending on your contract you setup with your ISP, they could be controlling what ports are forwarded or not and not allow you to make any personal changes. In most situations, unless you live in a rural area or you have a very basic/limited internet, you would not have to worry about this....

0 0


Ubuntu has two types of releases, standard and Long Term Support (or "LTS"). Standard updates are released every six months and receive security updates from Ubuntu for at least nine months, while LTS updates are released every two years and are supported for at least five years.

If you are currently using Ubuntu 12.04, you will have security updates until at least October 2017. If you want to extend that support time, and get access to new features and updates, you can upgrade your server to the newest LTS release. In this guide, we will go over how to safely upgrade an Ubuntu 12.04 server to 14.04, taking care to preserve our existing configurations.

Warning: As with almost any upgrade between major releases of an operating system, this process carries an inherent risk of failure, data loss, or broken software configuration. Comprehensive backups and extensive testing are strongly advised.

To avoid these problems, when possible, we...

0 0

Home > Online Help

Upgrading cluster firmware

You can upgrade the FortiOS firmware running on an HA cluster in the same manner as upgrading the firmware running on a standalone FortiGate. During a normal firmware upgrade, the cluster upgrades the primary unit and all subordinate units to run the new firmware image. The firmware upgrade takes place without interrupting communication through the cluster.

To upgrade the firmware without interrupting communication through the cluster, the cluster goes through a series of steps that involve first upgrading the firmware running on the subordinate units, then making one of the subordinate units the primary unit, and finally upgrading the firmware on the former primary unit. These steps are transparent to the user and the network, but depending upon your HA configuration may result...

0 0
1.1. What is it?1.2. What versions of Windows are supported?1.3. Where can I get it?1.4. Is it free software?1.5. What version of Cygwin is this, anyway?1.6. Who's behind the project?


What is it?

Cygwin is a distribution of popular GNU and other Open Source tools running on Microsoft Windows. The core part is the Cygwin library which provides the POSIX system calls and environment these programs expect.

The Cygwin distribution contains thousands of packages from the Open Source world including most GNU tools, many BSD tools, an X server and a full set of X applications. If you're a developer you will find tools, headers and libraries allowing to write Windows console or GUI applications that make use of significant parts of the POSIX API. Cygwin allows easy porting of many Unix programs without the need for extensive changes to the source code. This includes configuring and building most of the available GNU or BSD software, including the packages included...

0 0

Home > Online Help

Configuring endpoint registration over a VPN

FortiGate units can register FortiClient-equipped endpoints over either an interface-based IPsec VPN or a tunnel-mode SSL VPN. After the user authenticates, the FortiGate unit sends the FortiClient application the IP address and port to be used for registration. If the user accepts the FortiGate invitation to register, registration proceeds and the FortiClient profile is downloaded to the client.

Users without FortiClient Endpoint Security connecting to the SSL VPN through a browser are redirected to a captive portal to download and install the FortiClient software.

Endpoint registration on an IPsec VPN

You can enable endpoint registration when you configure the FortiClient VPN or you can enable it on an existing FortiClient VPN.

To enable...
0 0

Table of Contents

Release Notes for Catalyst 3560-CX and 2960-CX Series Switches, Cisco IOS Release 15.2(4)E and Later



Supported Hardware

Switch Models

Optics Modules

Device Manager System Requirements

Hardware Requirements

Software Requirements

CNA Compatibility

Upgrading the Switch Software

Finding the Software Version and Feature Set

Software Image

Features of the Switch

New Software Features

Features Introduced in Cisco IOS Release 15.2(4)E5

Features Introduced in Cisco IOS Release 15.2(4)E4

Features Introduced in Cisco IOS Release 15.2(4)E3

Features Introduced in Cisco IOS Release 15.2(4)E2

Features Introduced in Cisco IOS Release 15.2(4)E1

Features Introduced in Cisco IOS Release 15.2(4)E

Service and Support

Information About Caveats


Limitations and...

0 0