OSI Reference Model

The Open Systems Interconnection model (OSI model) is a conceptual model that characterizes and standardizes the communication functions of a telecommunication or computing system without regard to their underlying internal structure and technology.

A layer serves the layer above it and is served by the layer below it:


The hostname is the name of the machine, e.g. machine-name.

sudo nano /private/etc/hosts // OS X hosts file

sudo nano /etc/hostname // Linux: set the machine name
sudo nano /etc/hosts // Linux: hosts file (static name to IP mappings)


Update ssh on server / restrict ssh access
sudo nano /etc/ssh/sshd_config // edit server config, e.g. ClientAliveInterval 60 sends a keepalive every 60 s and drops clients that stop responding

Copy public key to remote
ssh-copy-id -i ~/.ssh/id_rsa.pub [-p port] [user@]remote-hostname // copy public key to remote
nano ~/.ssh/authorized_keys // open authorized_keys on the remote to check or edit the installed keys

Restart SSH
sudo service ssh restart
sudo /etc/init.d/ssh restart // restart ssh (SysV init)
eval "$(ssh-agent)" // start ssh-agent and export its socket path and PID into this shell

Create key pair
ssh-keygen -t rsa [-C "email@example.com"] // create RSA key pair
ssh-keygen -R hostname // delete host from known_hosts
pbcopy < /path/to/key.pub // OS X: copy key to clipboard
ssh-add -l // list added keys
ssh-add -K /path/to/private-key // OS X: -K stores the passphrase in the keychain so the key is re-added after reboot (newer macOS: ssh-add --apple-use-keychain)
ssh-add -d /path/to/private-key // remove key from agent
ssh-keygen -f ~/.ssh/id_rsa -y > ~/.ssh/id_rsa.pub // recreate public key from private

To run ssh locally on OS X, System Preferences > Sharing, check "Remote Login"

sudo launchctl list // list all self starting programs / daemons
sudo launchctl load  -w /System/Library/LaunchDaemons/ssh.plist // start SSH
sudo launchctl unload /System/Library/LaunchDaemons/ssh.plist // stop SSH
/usr/sbin/sshd -Dd // Debug sshd - must unload first
nano /var/log/system.log // OS X log for ssh

Non-root binding

visudo // run as root, add user to sudoers (username ALL=(ALL:ALL) ALL)
sudo setcap 'cap_net_bind_service=+ep' path/to/process // bind process to privileged port
sudo getcap path/to/process // see privileges for process
sudo setcap cap_net_bind_service=-ep path/to/process // remove the privileged-port capability from process



tail -n 500 /var/log/auth.log | grep 'sshd' // last 500 lines of the auth log, sshd entries only
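Added example (not part of these notes): the same grep over auth.log, turned into small shell functions that summarise sshd failures per source IP and flag repeat offenders; the log lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original notes: summarise sshd activity in an
# auth.log so repeated password failures from one address stand out.
# Assumes the default Debian/Ubuntu sshd log format shown in the sample.
set -eu

# Constructed sample auth.log lines (not real data).
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:11 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Mar  3 10:01:14 host sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
Mar  3 10:01:18 host sshd[1203]: Failed password for root from 203.0.113.9 port 51240 ssh2
Mar  3 10:02:02 host sshd[1210]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: RSA SHA256:xxxx
Mar  3 10:02:40 host sshd[1215]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar  3 10:03:00 host cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
EOF

# failed_by_ip LOGFILE: print "<count> <ip>" for sshd password failures,
# highest count first. Only sshd lines are considered.
failed_by_ip() {
  grep 'sshd\[' "$1" \
    | awk '/Failed password/ { for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# accepted_logins LOGFILE: print "<user> <ip> <method>" for each successful login.
accepted_logins() {
  grep 'sshd\[' "$1" | awk '/Accepted/ {
    for (i = 1; i <= NF; i++) {
      if ($i == "Accepted") m = $(i + 1)
      if ($i == "for") u = $(i + 1)
      if ($i == "from") ip = $(i + 1)
    }
    print u, ip, m }'
}

# flag_bruteforce LOGFILE THRESHOLD: print source IPs with at least THRESHOLD failures.
flag_bruteforce() {
  failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

failed_by_ip "$SAMPLE_LOG"
accepted_logins "$SAMPLE_LOG"
flag_bruteforce "$SAMPLE_LOG" 3
```

Point the functions at /var/log/auth.log instead of the sample to review a real host.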


netstat -in // see interfaces on system, -n prints IP addresses not hostnames
netstat -nr // see routing tables - shows gateway information
netstat -rn | grep 'default' // grep into results
netstat -anl // all sockets, numeric addresses
netstat -atn // all TCP sockets, numeric addresses
sudo netstat -tunlp // see open TCP/UDP listening ports with owning process (root needed to see other users' processes; ss -tunlp on modern Linux)

kill <pid>

List Open Files (lsof)

sudo lsof -n -i4TCP:22 | grep LISTEN  // see process listening on port


whois <domain> // check whois and name servers for domain
dig -t NS <domain> @ns1.digitalocean.com // check DigitalOcean name servers serving DNS records for domain


sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw status // get status of UFW
sudo ufw allow 3000/tcp // allow port 3000 tcp connections
sudo ufw delete <rule> // delete rule

Local Network

If the Linux system is connected directly to the internet, the public and private IP addresses will be one and the same. However, in most cases they differ.

Test public ip address using curl:
curl ipogre.com
curl bot.whatismyipaddress.com
curl ident.me


ifconfig // show all the network interfaces that are currently up, including the loopback interface.
ipconfig getifaddr en0 // OS X: get LAN IP address of an interface (en0, en1, ...)


nslookup <ip> // lookup DNS of IP


ip addr show // show network interfaces
ip -4 addr show scope global // show global network interfaces (no loopback interface)
ip route show | grep default // show default route (almost certainly the public interface)


hostname -i // (--ip-address) see the network address
hostname -I // (--all-ip-addresses) see all network addresses of the host

Port forwarding

Enable IP forwarding for session (required before the iptables forwarding rules below work)
echo 1 > /proc/sys/net/ipv4/ip_forward // as root; with sudo the redirect runs unprivileged, so use: echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo sysctl -w net.ipv4.ip_forward=1 // enable IP forwarding for session

Enable permanently
sudo nano /etc/sysctl.conf // uncomment net.ipv4.ip_forward=1 to permanently enable IP forwarding
sudo sysctl -p // reload sysctl.conf without rebooting

Enable routing to localhost (needed when DNAT targets 127.0.0.1)
sudo sysctl -w net.ipv4.conf.eth0.route_localnet=1


sudo iptables -S // check rules
sudo iptables -L -v // check rules
sudo iptables -L -vt nat // check nat rules

sudo service iptables-persistent save // save rules, will not retain comments (newer Debian/Ubuntu: sudo netfilter-persistent save)
sudo nano /etc/iptables/rules.v4 // edit to save rules

sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 7990 // redirect incoming port 22 on eth0 to local port 7990

The first operation, called DNAT, will take place in the PREROUTING chain of the nat table. DNAT is an operation which alters a packet's destination address in order to enable it to be correctly routed as it passes between networks.
sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination <web-server-private-ip>

To configure proper routing, we also need to modify the packet's source address as it leaves the firewall en route to the web server. We need to modify the source address to our firewall server's private IP address.
sudo iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 22 -d <web-server-private-ip> -j SNAT --to-source <firewall-private-ip>

Need to also accept the forwarded connection in the filter table
sudo iptables -A FORWARD -p tcp -d <web-server-private-ip> --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
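Added example, not from the original notes: the DNAT, SNAT and FORWARD rules above as a parameterised dry run that can be reviewed before being applied, plus the return-path FORWARD rule needed when the FORWARD chain's policy is DROP; the interface names and the 10.0.0.x addresses are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original notes: generate the port-forwarding
# rule set for review, then optionally apply it. All values are placeholders.
set -eu

PUB_IF=eth0            # firewall's public-facing interface (assumed)
PRIV_IF=eth1           # firewall's interface toward the web server (assumed)
FW_PRIV_IP=10.0.0.1    # firewall private address, used as SNAT source (assumed)
WEB_PRIV_IP=10.0.0.2   # web server private address, used as DNAT target (assumed)
PORT=22

# forward_rules: print the iptables commands, one per line, without running them.
# Rules 1-3 are the DNAT, SNAT and FORWARD-accept rules from the notes; rule 4
# lets the web server's replies back out when the FORWARD policy is DROP.
forward_rules() {
  printf '%s\n' \
    "iptables -t nat -A PREROUTING -i $PUB_IF -p tcp --dport $PORT -j DNAT --to-destination $WEB_PRIV_IP" \
    "iptables -t nat -A POSTROUTING -o $PRIV_IF -p tcp --dport $PORT -d $WEB_PRIV_IP -j SNAT --to-source $FW_PRIV_IP" \
    "iptables -A FORWARD -i $PUB_IF -o $PRIV_IF -p tcp -d $WEB_PRIV_IP --dport $PORT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT" \
    "iptables -A FORWARD -i $PRIV_IF -o $PUB_IF -p tcp -s $WEB_PRIV_IP --sport $PORT -m state --state ESTABLISHED,RELATED -j ACCEPT"
}

# forwarding_enabled: succeeds only if the kernel currently forwards IPv4.
# Fails when the sysctl file is unavailable (macOS, some containers).
forwarding_enabled() {
  [ -r /proc/sys/net/ipv4/ip_forward ] && [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# apply_rules: refuse to install rules while ip_forward is 0, since DNAT'd
# packets would be silently dropped; otherwise run each rule with sudo.
apply_rules() {
  forwarding_enabled || { echo "ip_forward is 0; enable it first" >&2; return 1; }
  forward_rules | while IFS= read -r rule; do sudo $rule; done
}

forward_rules   # review the generated rule set; call apply_rules to install it
```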


openssl s_client -starttls smtp -crlf -connect almccann.almccann.com:587 // test an SMTP server's STARTTLS setup: shows the certificate chain and negotiated cipher