Here’s My SSH Port Forward Command

ssh -2TND 1080 user@ip-or-hostname

A special note about option -C. Unless you are on a dial-up modem connection, the -C option only hurts you on virtually all modern network connections. I would not use the -C unless your speed is slower than about 1Mbps. It really is designed for 56K dial-up modems and other similar slow connections like ISDN. Here is the man page entry for -C;

-C Requests compression of all data (including stdin, stdout,
stderr, and data for forwarded X11 and TCP connections). The
compression algorithm is the same used by gzip(1), and the
“level” can be controlled by the CompressionLevel option for pro‐
tocol version 1. Compression is desirable on modem lines and
other slow connections, but will only slow down things on fast
networks. The default value can be set on a host-by-host basis
in the configuration files; see the Compression option.

Most SSH advice concerning -C is incorrect. Unfortunately too many people blindly use the -C option without understanding the option. Most people just copy and paste the command from some web site and don’t bother to read the man page. As you can see it’s a pet peeve of mine.

ssh -2TND 1080

I’ll break it down for you.

-2 Forces ssh to try protocol version 2 only.

T Disable pseudo-tty allocation.

N Do not execute a remote command. This is useful for just for forwarding ports (protocol version 2 only).

D [bind_address:]port
Specifies a local “dynamic” application-level port forwarding.
This works by allocating a socket to listen to port on the local
side, optionally bound to the specified bind_address. Whenever a
connection is made to this port, the connection is forwarded over
the secure channel, and the application protocol is then used to
determine where to connect to from the remote machine. Currently
the SOCKS4 and SOCKS5 protocols are supported, and ssh will act
as a SOCKS server. Only root can forward privileged ports.
Dynamic port forwardings can also be specified in the configura‐
tion file.

1080 I’d use this port as it’s the socks port. Use of another port is fine, but will not give you any security advantage. So I use this port. The only reason not to use this port is if you already have another application using 1080.

I’m interested in hearing from anybody about their commands. Just so you know I use keys without a password. My keys have a bit strength of 8192 bits and I maintain strict control over the devices that have keys, so devices are all encrypted with very strong passwords.

Get an Email Every time Sudo is Used

Every time I use sudo on the command line I get an email.  This way I can always know if someone has attempted to run sudo on my computer.  Plus; combined with Gmail, it makes for an excellent audit trail.

I set it up following the guide here; Sudo email setup, original post

Or you can do the below.

I wanted to get an email from the computer every time sudo was used successfully or not. You need an MTA or mail transport agent. I have Postfix on my computer. There may be other ways to send an email; but that is beyond the scope of this post. I will show you what I did and I will assume you have an MTA already setup.

The first command tells visudo where to create the file. All edits should go to /etc/sudoers.d because this will make software updates more sane.

sudo visudo -f /etc/sudoers.d/mail_sudoers

File should look exactly like below. Be sure to include double quotes.

Defaults    mail_always
Defaults    mailto="youremail@gmail.com"

Visudo will set the proper permissions for you. No need for chmod if you are using Ubuntu 16.10 or later.

man sudo, visudo, sudoers will help greatly.
I’ve included a screenshot of what the email looks like. Naturally the important bits after the @ have been removed.

sudo