
Secure Connection Series: Port Forwarding and SSH

From our general outline, this article will revolve around the first three items:

  1. Open a Port on your home network's router/modem
  2. Install OpenSSH on your home machine
  3. Configuring the SSH server: sshd_config

Port Forwarding
Most networks today are set up with a router or firewall between you and the internet at large. Because of this fact, we need to make you (or your home computer) accessible to the Internet. We do this through “Port Forwarding” where we assign a port on your router (or firewall) to forward any traffic to a specific port on your home machine. [More information on ports]

For our purposes I will start referring to your home computer as the Server (since it is serving your data), and your remote computer as the Client (since you want to connect home to the Server).

So our network looks like this:

Server <–> Router <–> Internet <–> Client

As a best practice, it is recommended that you use a port other than the default port for your application. It's a very basic security measure, but using something other than the default makes the service harder to find on a casual scan.

For our example I will choose port 30000 on the router and forward that to port 22 on the Server.

Now the tricky part: How do you configure this on your router? Unfortunately, I can't tell you because there are too many choices out there. However, a whole list of guides for many routers can be found at portforward.com.

Personally, I would recommend loading the DD-WRT firmware on your router if your router is on their supported devices list, and follow their instructions for port forwarding.

Once this is done, the Internet can get to port 22 on your Server machine, which is where SSH will reside.

SSH – Secure SHell
You can find all the info you would ever want to know about SSH at OpenSSH.org. The basic idea is that it is a server and client application that lets you establish a secure connection between computers.

A brief analogy I will use is that of the postal system. When you connect to a website (with http://) this is just like a postcard in the mail. Anyone can read what is going on between you (the client) and the website (the server). With a Secure SHell connection (or when you view a webpage with https://) an encrypted tunnel is created. This is like sending a letter in a sealed envelope, though it's really more like sending a letter inside a locked safe, since an envelope can easily be opened by a third party (even if doing so is illegal).

In order to build this secure connection or tunnel, you will need to have the SSH server program running on your Server machine.

  • Linux: this is typically included by default, but if it's not, use whatever package manager your system uses to install openssh-server (sometimes packaged simply as ssh).
  • Mac OSX: ssh is built into the latest versions. To enable it, all you need to do is open up System Preferences, go to Sharing, and then enable Remote Login.
  • Windows: You will need to download and install the ssh server from SSH for Windows (Note: I have no experience with the ssh server on Windows).

Once the ssh server (known as SSHD) is installed and running, it is ready for connections, and is listening on Port 22 of the Server, and Port 30000 of the router is forwarding to it.

A word of warning: At this point your Server is exposed to the internet, and anyone can attempt to log in using any of the user accounts on the Server computer. If you have accounts with insecure passwords, then someone may easily access your system by guessing or brute-forcing those passwords.

It is at this point we look to add some protective measures.
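Before restricting anything, it helps to see what that exposure looks like in practice. The following is an added example (not from the original article) that summarises failed SSH logins per source address from auth.log-style lines, the kind of check a practitioner runs after opening a port. The log lines are constructed for the example, and the function names (failed_by_source, invalid_user_attempts, accepted_logins, sources_over) are hypothetical; the line layout assumed is the one OpenSSH's sshd writes through syslog.

```shell
#!/bin/sh
# Added example: triage sshd log lines after exposing port 22 to the Internet.
# Function names are hypothetical; the log is constructed sample data.

AUTH_LOG="$(mktemp)"
trap 'rm -f "$AUTH_LOG"' EXIT

# Constructed sample lines in the format sshd logs via syslog
# (timestamp, host, "sshd[pid]:", then the message).
cat >"$AUTH_LOG" <<'EOF'
Mar  3 08:12:01 server sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 08:12:04 server sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 08:12:09 server sshd[2203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 08:13:40 server sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 08:13:52 server sshd[2210]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 08:20:15 server sshd[2222]: Invalid user test from 203.0.113.5 port 51300
EOF

# Count "Failed password" lines per source IP, most active first.
# The IP is the field after "from", so the scan does not depend on whether
# the message contains "invalid user".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' "$1" | sort -rn
}

# Usernames that do not exist on the box: scanner noise, listed by frequency.
invalid_user_attempts() {
    awk '/Failed password for invalid user/ {
             for (i = 1; i <= NF; i++) if ($i == "user") { print $(i+1); break }
         }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Successful logins: user, source IP and method (password/publickey).
# Fields: $7 is the method, $9 the user; the IP follows "from".
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             ip = ""
             for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); break }
             print $9, ip, $7
         }' "$1"
}

# Source addresses with at least N failures: candidates for a firewall rule.
sources_over() {
    failed_by_source "$1" | awk -v n="$2" '$1 >= n { print $2 }'
}

# Stand-alone run: print the three summaries for the sample log.
echo "failed logins by source:";   failed_by_source "$AUTH_LOG"
echo "invalid usernames tried:";   invalid_user_attempts "$AUTH_LOG"
echo "accepted logins:";           accepted_logins "$AUTH_LOG"
echo "sources with 3+ failures:";  sources_over "$AUTH_LOG" 3
```

Run it against the real file (`/var/log/auth.log` on Debian-style systems, `/var/log/secure` on Red Hat-style ones) by passing that path instead of the sample. A burst of failures for non-existent users from one address is the typical signature of a scanner hitting an exposed port, and the `AllowUsers` restriction below, followed by key-only login in the next post, is what turns those attempts into harmless noise; tools such as fail2ban automate exactly this counting and blocking.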

Configuring the SSH Server: sshd_config
The configuration file for SSHD is sshd_config and is located on Linux at /etc/ssh/sshd_config and on Mac OSX at /etc/sshd_config.
We will look into advanced settings in the future, but for now we want to restrict which user accounts can login using ssh.

Open sshd_config in an editor and add a line to the bottom of the file:

AllowUsers username

Where username is the login name you use for your system. You can add multiple users by simply putting a space between the names on this line.

You may also notice at the top of the file

#Port 22

This allows you to change the port SSHD listens on. If you change this port, you will need to make sure your router is forwarding to whatever port you changed it to, and not the default ssh port 22. The # symbol in this file means the line is commented out. If you want to change this port, simply add an uncommented line of the form Port <number>.

After making changes to your sshd_config file you need to restart the server.
This can be done on Linux by executing the command

sudo /etc/init.d/ssh restart

in Mac OSX by disabling and re-enabling through System Preferences -> Sharing
and in Windows by restarting the sshd application.
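Two details of how sshd reads this file are worth checking before you restart it: sshd ignores commented lines, and both Port and AllowUsers may appear more than once (multiple Port lines make sshd listen on all of them, and AllowUsers lines accumulate). So if an uncommented Port 22 is already present and you append Port 30000, sshd will listen on both, which undoes the "non-default port" idea. The script below is an added example, not part of the original article or of OpenSSH: it reads a config the way sshd does and confirms that the router's forward target is one of the ports sshd will actually listen on. The two sample configs are constructed, and the function names (listen_ports, allowed_users, forward_matches) are hypothetical.

```shell
#!/bin/sh
# Added example: check an sshd_config before restarting sshd.
# Hypothetical helper names; sample configs are constructed for the example.

CFG_OK="$(mktemp)"; CFG_TRAP="$(mktemp)"
trap 'rm -f "$CFG_OK" "$CFG_TRAP"' EXIT

# Constructed config 1: the "#Port 22" from the article is left commented,
# and Port / AllowUsers lines were appended at the bottom as described.
cat >"$CFG_OK" <<'EOF'
#Port 22
#AddressFamily any
PermitRootLogin no
AllowUsers alice
# added at the bottom of the file
AllowUsers bob carol
Port 2222
EOF

# Constructed config 2: someone uncommented "Port 22" earlier, then appended
# a new Port line. sshd will listen on BOTH ports.
cat >"$CFG_TRAP" <<'EOF'
Port 22
AllowUsers alice
Port 2222
EOF

# Every port sshd will listen on: all uncommented Port lines, or 22 if none.
listen_ports() {
    ports="$(awk '/^[[:space:]]*#/ { next }
                  tolower($1) == "port" { printf "%s ", $2 }' "$1")"
    ports="${ports% }"
    echo "${ports:-22}"
}

# Every name allowed to log in: AllowUsers lines accumulate rather than replace.
allowed_users() {
    awk '/^[[:space:]]*#/ { next }
         tolower($1) == "allowusers" { for (i = 2; i <= NF; i++) printf "%s ", $i }
        ' "$1" | sed 's/ $//'
}

# Return 0 when the router's forward target is a port sshd listens on,
# 1 when the forward would land on a closed port.
forward_matches() {
    cfg="$1"; target="$2"
    for p in $(listen_ports "$cfg"); do
        [ "$p" = "$target" ] && return 0
    done
    return 1
}

# Stand-alone run: show what sshd would do with each sample config.
for cfg in "$CFG_OK" "$CFG_TRAP"; do
    echo "listen ports : $(listen_ports "$cfg")"
    echo "allowed users: $(allowed_users "$cfg")"
    if forward_matches "$cfg" 2222; then
        echo "forward to 2222: ok"
    else
        echo "forward to 2222: would hit a closed port"
    fi
done
```

Point the functions at /etc/ssh/sshd_config (or /etc/sshd_config on Mac OSX) to check your real file; if `listen_ports` prints more than one port, remove or comment out the extra Port line so only the one your router forwards to is open. OpenSSH also ships `sshd -t`, which validates the file's syntax before you restart the daemon.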

Connecting to your SSH server
Now that your server is running, go to your client machine and attempt to connect.
From Linux or Mac OSX, go to a command line and simply type:

ssh -p 30000 username@routeraddress

Your router address can be found by going to whatismyip.com, or using a dynamic dns address as I will describe in the following post.
If you want to test this from the Server itself, you can use the command:

ssh username@localhost

There are various graphical applications you can use to connect to your Server, I cannot list them all, but common ones are Putty (Windows), WinSCP (Windows), Cyberduck (Mac OSX), Konqueror (Linux), etc.

At this point you have a fully functioning way to create secure connections from a remote computer to your home computer, and be able to transfer files back and forth, and even remote control your desktop.

In the next segment, I will go through creating a security key pair, and how to further secure your computer by using key-based authentication instead of a password. This can save you time by not requiring you to type in a password, and will be much more secure against attacks on the server.

Secure Connection Series: Aka VPN, SSH, Tunnelling

In this series we will progress through the steps on how to remotely connect to your home computer. In this example I will mostly lean on my expertise in Linux, however many of these techniques will apply to Mac OSX and to a lesser extent Windows. Having looked into solutions for OSX and Windows, I will go into some details on using clients from these operating systems to connect to your home server.

As a preview, and to give you some of the key terms you can search for to find some of these answers out for yourself, here is the outline of this series of articles I will be presenting:

Steps in this series:

  1. Open a Port on your home network's router/modem
  2. Install SSHD on your home machine
    1. OpenSSH
    2. SSH for Windows
  3. Configure SSHD_CONFIG
    1. Allowed users
    2. Port Configuration
  4. Adding Security Key Pairs
    1. Disabling password access
  5. MacFusion / WinSCP / Fish:// for File Transfers
  6. VNC / Remote Desktop
    1. Tunnelling the port -L 50000:localhost:5900
    2. Starting a VNC server on the Server Machine
    3. Using Remote Desktop
    4. TightVNC client
  7. Beyond the basics


This outline should get you started towards setting up and configuring your own secure connections; however, as time permits, I will be releasing articles to fully detail each of these steps.
Use the comments section to leave me feedback or to ask questions about other topics.

Back to the Text (and perhaps some Video)

It has been some time since I have posted to this blog, mostly because my efforts have been focused over at TLPShow.com. There the TLP Network is growing, and I am in the process of restructuring our websites and looking at new ways of presenting community. These changes will be evidenced in the launch of TLP v3.0.

I have been itching to write more lately, and the influx of technical questions has spurred me to write some How-To articles on some topics I have covered previously, but with some refreshments towards other operating systems.

I realize that perhaps some of my previous articles and papers were a bit of a high-level view and made certain assumptions about the reader. Well, with the assistance of my friend Alejandro, I will try and break things down into easy-to-consume components, and run series on how to do things one step at a time.

Much of this will find its way onto the TLP, and some of it will remain here on this blog. The TLP has been geared mostly towards Music, even with my Geek Out segments (which are technical in nature, but tend to relate to music production, or organization).

That is going to change in the near future with the introduction of a new show, and perhaps some veering off of the path for the TLP Show. What I mean by that is, I intend to keep our main theme of “Scenes behind scenes” but I am going to try and include many more scenes in the interviews, outside the realm of music.

Along with more technical articles, I am going to be writing more about applications and how to do certain things on Mac OSX. WHAT!??!

Yes, that is right, I am joining the cult, or as I like to put it, exploring BSD.
But my reasons are simple ones: I am recording video in HD, and my camera records using the h.264 codec.
This results in smaller video files, while maintaining good quality. The problem is that my current computers cannot handle decoding the video, let alone allowing me to edit the video.

So my new Macbook Pro is to me a video editing tool, that will be able to handle my various other computing requirements. It certainly has a premium, and the Final Cut Pro Studio software package also has a hefty premium, but for my purposes, this is justifiable.

More to come, and look for a revamp in serial form of my how-to document on using SSH to create a VPN tunnel to your home computer.

If you have any suggestions, or requests for how-to documents or articles, leave a comment or email me.