Some questions about ssh and Overthewire:wargames
from SusanoStyle@lemmy.ml to linux@lemmy.ml on 25 Sep 22:12
https://lemmy.ml/post/36673972

Hi there, In my search to learn a bit more about Linux, i came across this website called “OverTheWire”, which teaches basic and some advanced concepts over SSH. It seems like a fun and engaging way to learn.

However, as a bit of a paranoid beginner when it comes to Linux and networking, i find myself worrying about the potential dangers of connecting to an untrusted network.

So, my questions are:

  1. Does anyone have any experience with the website?

  2. In the hypothetical case that I open an SSH connection to a compromised network, could that expose me to attacks? (Aside from obvious risks like downloading malicious files myself.)

  3. Should I use a virtual machine (VM) for this?

I sincerely appreciate any responses. Thank you!

#linux

threaded - newest

Marafon@sh.itjust.works on 25 Sep 22:21 next collapse

OverTheWire is fun! If you decide to play and get stuck make sure to check out the discord for help.

SusanoStyle@lemmy.ml on 25 Sep 22:54 collapse

Thanks for the tip!

deadcade@lemmy.deadca.de on 25 Sep 22:55 next collapse

  1. I do not personally have experience with this website
  2. Connecting to an SSH server with an SSH client is much like connecting to a webserver with a webbrowser. It is theoretically possible for bad things to happen, but automatic (“zero click”) attacks of any kind are difficult to pull off when the software is up to date. Most bad things that happen come from the user doing it themselves, like downloading and running untrusted programs, entering your password on a phishing site, etc.
  3. This is not necessary, given your host system is up to date.

Note that my answer to 2 is heavily oversimplified, but applies in this scenario of SSH to “OverTheWire”.

SusanoStyle@lemmy.ml on 25 Sep 23:29 collapse

Thank you, even if its simplified, the browser example was really helpful. So in summary, having software up to date and being aware of what you do, should in most cases be safe. I was asking just in case there was some configuration i should do before connecting. With browsing i know that if i use something like firefox and ublock, i should be safe from most malware unless i screw up pretty bad. I will probably research ssh a bit more, as how it works, but you put some fears away. Thank you again.

deadcade@lemmy.deadca.de on 25 Sep 23:53 collapse

The main oversimplification is where browsers “just visit websites”, SSH can be really powerful. You can send/receive files with scp, or even port forward with the right flags on ssh. If you stick to ssh user@host without extra flags, the only thing you’re telling SSH to do is set up a text connection where your keyboard input gets sent, and some text is received (usually command output, like from a shell).

As long as you understand what you’re asking SSH to do, there’s little risk in connecting to a random server. If you scp a private document from your computer to another server, you’ve willingly sent it. If you ssh -R to port forward, you’ve initiated that. The server cannot simply tell your client to do anything it wants, you have to do this yourself.

SusanoStyle@lemmy.ml on 26 Sep 00:06 collapse

I will keep it in mind, i will be mindful of commands and flags. No typing without being certain of what each command does.

frongt@lemmy.zip on 26 Sep 00:59 next collapse

Yes, it could expose you, if the remote side exploits your client. But that isn’t really any different from connecting to their website with your browser client.

SusanoStyle@lemmy.ml on 26 Sep 15:43 collapse

Thanks for the reply, i will keep it mind.

dipdowel@feddit.nl on 26 Sep 18:34 collapse

Hi. You could run your ssh-client on a virtual machine or find another solution to sandbox your client (e.g. firejail if you are on linux). Just for ssh, a very lightweight vm would cut it.

SusanoStyle@lemmy.ml on 26 Sep 20:22 collapse

Nice suggestion i will look it up, thank you!