Monthly Archives: April 2008

Phoning Home: Dynamic DNS Services

As referenced in the first part of my Secure Connection series, you need to know the public IP address of your router. From inside your home network this is easy to look up, but your ISP can change the address of your router/cable modem/DSL modem from time to time. It is easier to give it a name that follows the address around, and that is what a dynamic DNS service does.

Without going into too much detail, DNS is how your browser, given blog.infinitepursuits.org, finds the IP address of the server my site is hosted on. That works nicely because the server's address rarely changes. But what about a router whose address can change daily, weekly or monthly?

There are a host of services that will keep the name pointing at your current address. I personally use dyndns.org, though Open Directory has a whole list of these services.

Once you have registered an account (for free) you need a way of pushing your current address to the service whenever it changes. Many routers have this built in; if yours does not, you can run an update client on your Server instead. Dyndns.com has an updater, and if you google “dynamic dns update client” you will find many apps for whatever OS you run. I have used ddclient under Linux for many years now.
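As an added example (this is not a config from the original post, and the login, password and hostname are placeholders), here is the shape of an /etc/ddclient.conf for a Server sitting behind a router. The important choices are use=web, so ddclient learns the router's public address from an outside site rather than reading the Server's private LAN address, and ssl=yes, so your DynDNS login is not sent in the clear every few minutes:

```conf
# /etc/ddclient.conf (added example; values in CAPS are placeholders)
daemon=300                       # re-check the address every 5 minutes
syslog=yes                       # log updates and errors to syslog
pid=/var/run/ddclient.pid
ssl=yes                          # talk to the update server over HTTPS

# The Server is behind the router, so its own interface only has a LAN
# address. Ask an external page for the public one instead.
use=web, web=checkip.dyndns.com/, web-skip='IP Address'

protocol=dyndns2
server=members.dyndns.org
login=YOUR_DYNDNS_LOGIN
password='YOUR_DYNDNS_PASSWORD'
YOURHOST.dyndns.org              # the hostname to keep up to date
```

Because this file holds your DynDNS password, make it readable by root only (mode 600). ddclient also remembers the last address it sent in its cache file and only contacts the service when the address actually changes, which is what the DynDNS terms of use expect; do not lower daemon= to hammer the service every few seconds.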

That is it: you now have an easy to remember name for your home connection that stays correct when the address changes.

Secure Connection Series: Port Forwarding and SSH

From our general outline, this article covers the first three items:

  1. Open a Port on your home networks router/modem
  2. Install OpenSSH on your home machine
  3. Configuring the SSH server: sshd_config

Port Forwarding
Most networks today have a router or firewall between you and the Internet at large, and by default nothing outside can open a connection to a machine behind it. To make your home computer reachable we use “Port Forwarding”: the router is told that traffic arriving on a chosen port of its public address should be passed on to a specific port on your home machine. [More information on ports]

For our purposes I will start referring to your home computer as the Server (since it is serving your data), and your remote computer as the Client (since you want to connect home to the Server).

So our network looks like this:

Server <–> Router <–> Internet <–> Client

As a basic precaution, use a port on the router other than the application's default. Be clear about what this buys you: it is obscurity, not security. It keeps your logs free of the automated scans that only ever try port 22, but a full port scan still finds the SSH server, so the real protection has to come from the sshd configuration below and from the key-based login covered later in this series.

For our example I will choose port 30000 on the router and forward that to port 22 on the Server.

Now the tricky part: how do you configure this on your router? Unfortunately I can’t tell you, because there are too many models out there, but a whole list of guides for many routers can be found at portforward.com.

Personally, I would recommend loading the DD-WRT firmware on your router if your router is on their supported devices list, and follow their instructions for port forwarding.

Once this is done, anyone on the Internet who connects to port 30000 on your router reaches port 22 on your Server machine, which is where SSH will listen.

SSH – Secure SHell
You can find all the info you would ever want to know about SSH at OpenSSH.org. The basics: it is a server and client application that lets you establish an encrypted, authenticated connection between two computers.

A brief analogy I will use is the postal system. When you connect to a website with http://, it is like writing on a postcard: anyone handling it along the way can read what passes between you (the client) and the website (the server). With a Secure SHell connection (or a web page viewed over https://) an encrypted tunnel is created. The tempting comparison is a sealed envelope, but an envelope can be opened by a third party even if doing so is illegal; the tunnel is more like a locked safe to which only you and the other end hold the key.

In order to build this secure connection or tunnel, you will need to have the SSH server program running on your Server machine.

  • Linux: this is typically included by default, but if it is not, use whatever package manager your system uses and install openssh-server (on some distributions the package is just called ssh).
  • Mac OS X: ssh is built into the latest versions. To enable it, open System Preferences, go to Sharing, and enable Remote Login.
  • Windows: you will need to download and install the ssh server from SSH for Windows (note: I have no experience with the ssh server on Windows).

Once the ssh server (the sshd daemon) is installed and running, it is listening on port 22 of the Server, port 30000 of the router is forwarding to it, and it is ready for connections.

A word of warning: at this point your Server is exposed to the Internet, and anyone can attempt to log in as any user account on it with nothing but a password in the way. Automated scanners try common usernames and passwords against every SSH server they find, so if you have accounts with weak passwords (or accounts that were never meant to log in at all), someone may easily get in by guessing them.

It is at this point we look to add some protective measures.

Configuring the SSH Server: sshd_config
The configuration file for sshd is sshd_config. On Linux it lives at /etc/ssh/sshd_config; on Mac OS X it is /etc/sshd_config.
We will look into advanced settings in the future, but for now we want to restrict which user accounts may log in using ssh.

Open sshd_config in an editor (as root) and add a line to the bottom of the file:

AllowUsers username

Where username is the login name you use for your system. You can add multiple users by putting a space between the names on this line. Anyone not listed is refused before their password is even checked, which is exactly what you want for the accounts that never need remote access.

You may also notice near the top of the file

#Port 22

This is the port sshd listens on. The # symbol in this file means the line is commented out, so sshd is using its built-in default of 22. To change it, add a line reading Port followed by the number you want. sshd uses the first value it finds for a keyword, so make sure there is not already an uncommented Port line earlier in the file. If you change the port, your router must forward to the new port and not to 22; the example above (router 30000 -> Server 22) assumes you left it alone.
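Putting the two settings together, here is an added example of the handful of lines worth having in sshd_config at this stage (this is my illustration, not a file from the original post; username and the port are placeholders for your own). PermitRootLogin and MaxAuthTries are not discussed above but are standard sshd keywords, and both go straight at the password-guessing problem described in the warning:

```conf
# /etc/ssh/sshd_config (added example; replace username and the port)
# sshd uses the FIRST value it reads for a keyword: before adding any of
# these, check that the same keyword is not already set, uncommented,
# higher up in the file.

# Port sshd listens on. Router port 30000 must forward to THIS port.
Port 22

# Only these accounts may log in over ssh; everyone else is refused
# before a password is checked. Separate several names with spaces.
AllowUsers username

# Never let root log in directly; log in as yourself and use sudo.
PermitRootLogin no

# Fewer password guesses per connection (the default is 6).
MaxAuthTries 3
```

If you later move the Server to a non-default port, change the Port line here and the forward on the router together, otherwise the forward points at a port nothing listens on and you lock yourself out.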

After making changes to sshd_config you need to restart the server so it re-reads the file.
On Linux this can be done by executing the command

sudo /etc/init.d/ssh restart

(that is the Debian and Ubuntu name of the init script; on other distributions it is called sshd rather than ssh), in Mac OS X by disabling and re-enabling Remote Login through System Preferences -> Sharing,
and in Windows by restarting the sshd application. If you are making these changes over ssh, keep your current session open and test the new configuration from a second one before logging out, so a typo in AllowUsers or Port cannot lock you out.

Connecting to your SSH server
Now that your server is running, go to your Client machine and attempt to connect.
From Linux or Mac OS X, open a command line and type:

ssh -p 30000 username@routeraddress

Your router address can be found by visiting whatismyip.com from a machine at home, or by using a dynamic DNS name as I will describe in the following post. The first time you connect, ssh shows the fingerprint of the Server's host key and asks whether to trust it; it then remembers that key and warns loudly if it ever changes. Only say yes if the fingerprint matches the one of the Server's own host key (ssh-keygen can print it for you on the Server), because accepting a stranger's key means your password goes to them.
If you want to test from the Server itself (which bypasses the router and the forward, so it only proves sshd is running), you can use the command:

ssh username@localhost
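Rather than typing the port and address every time, the Client can keep them in its ssh configuration. The following is an added example (not from the original post; the host name, port and user name are placeholders for your own), tying the router port from above to the dynamic DNS name described in the following post:

```conf
# ~/.ssh/config on the Client (added example; replace the placeholders)
Host home
    HostName YOURHOST.dyndns.org   # your dynamic DNS name, or the router's current IP
    Port 30000                     # the router port that forwards to the Server's sshd
    User username                  # an account listed in AllowUsers on the Server
```

With that in place, ssh home (and scp home:file .) does the same as the long command above. The file also ends up holding the Server's host key in ~/.ssh/known_hosts after the first connection, which is what lets ssh notice if something between you and home ever starts answering with a different key.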

There are various graphical applications you can use to connect to your Server; I cannot list them all, but common ones are PuTTY (Windows), WinSCP (Windows), Cyberduck (Mac OS X), Konqueror (Linux), etc.

At this point you have a working way to make secure connections from a remote computer to your home computer, and over them you can transfer files back and forth and even remote control your desktop.

In the next segment I will go through creating an SSH key pair and further securing your computer by using public-key authentication instead of a password. This saves you time by not requiring you to type in a password, and it removes the password-guessing attacks the server is currently exposed to.

Secure Connection Series: Aka VPN, SSH, Tunnelling

In this series we will progress through the steps of connecting remotely to your home computer. I will mostly lean on my expertise in Linux; many of these techniques also apply to Mac OS X and, to a lesser extent, Windows. Having looked into solutions for OS X and Windows, I will go into some detail on using clients from these operating systems to connect to your home server.

As a preview, and to give you some of the key terms you can search for to find some of these answers out for yourself, here is the outline of this series of articles I will be presenting:

Steps in this series:

  1. Open a Port on your home networks router/modem
  2. Install SSHD on your home machine
    1. OpenSSH
    2. SSH for Windows
  3. Configure SSHD_CONFIG
    1. Allowed users
    2. Port Configuration
  4. Adding Security Key Pairs
    1. Disabling password access
  5. MacFusion / WinSCP / Fish:// for File Transfers
  6. VNC / Remote Desktop
    1. Tunnelling the port -L 50000:localhost:5900
    2. Starting a VNC server on the Server Machine
    3. Using Remote Desktop
    4. TightVNC client
  7. Beyond the basics


This outline should get you started towards setting up and configuring your own secure connections; as time permits, I will be releasing articles to fully detail each of these steps.
Use the comments section to leave me feedback or to ask questions about other topics.