Tag Archives: Linux

Secure Connection Series: Port Forwarding and SSH

From our general outline, this article will revolve around the first three items:

  1. Open a Port on your home networks router/modem
  2. Install OpenSSH on your home machine
  3. Configuring the SSH server: sshd_config

Port Forwarding
Most networks today are set up with a router or firewall between you and the internet at large. Because of this fact, we need to make you (or your home computer) accessible to the Internet. We do this through “Port Forwarding” where we assign a port on your router (or firewall) to forward any traffic to a specific port on your home machine. [More information on ports]

For our purposes I will start referring to your home computer as the Server (since it is serving your data), and your remote computer as the Client (since you want to connect home to the Server).

So our network looks like this:

Server <–> Router <–> Internet <–> Client

As a best practice, it is recommended that you use a port other than the default port for your application. Its a very basic means of security, but by making it something different than the default makes it harder for someone to find it on a casual scan.

For our example I will choose port 30000 on the router and forward that to port 22 on the Server.

Now the tricky part: How do you configure this on your router? Unfortunately, I can’t tell you because there are too many choices out there. However, here is a whole list of guides for many routers can be found at portforward.com

Personally, I would recommend loading the DD-WRT firmware on your router if your router is on their supported devices list, and follow their instructions for port forwarding.

Once this is done, the Internet can get to port 22 on your Server machine, which is where SSH will reside.

SSH – Secure SHell
You can find all the info you would ever want to know about SSH at OpenSSH.org. However, the basics of it is that it is a server and client application that will allow you to establish a connection between computers securely.

A brief analogy I will use is that of the postal system. When you connect to a website (with http://) this is just like a postcard in the mail. Anyone can read what is going on between you (the client) and the website (the server). With a Secure SHell connection (or when you view a webpage with https://) an encrypted tunnel is created. This is like sending a letter in a priority envelope, however its really more like sending a letter inside a locked safe since letters can be easily opened by a third party, which is illegal.

In order to build this secure connection or tunnel, you will need to have the SSH server program running on your Server machine.

  • Linux: this is typically included by default, but if its not just use whatever Package Manager your system uses and install OpenSSH-server or sometimes packaged SSH.
  • Mac OSX: ssh is built into the latest versions. To enable it, all you need to do is open up System Preferences, go to Sharing, and then enable Remote Login
  • Windows: You will need to download and install the ssh server from SSH for Windows (Note: I have no experience with the ssh server on Windows)

Once the ssh server (known as SSHD) is installed and running, it is ready for connections, and is listening on Port 22 of the Server, and Port 30000 of the router is forwarding to it.

A word of warning: At this point your Server is exposed to the internet, and you can log in using any of the user accounts on the Server computer. If you have accounts with insecure passwords, then someone may easily access your system by hacking those passwords.

It is at this point we look to add some protective measures.

Configuring the SSH Server: sshd_config
The configuration file for SSHD is sshd_config and is located on linux at /etc/ssh/sshd_config and on Mac OSX at /etc/sshd_config
We will look into advanced settings in the future, but for now we want to restrict which user accounts can login using ssh.

Open sshd_config in an editor and add a line to the bottom of the file:

AllowUsers username

Where username is the login name you use for your system. You can add multiple users by simply putting a space between the names on this line.

You may also notice at the top of the file

#Port 22

This allows you to change the port SSHD listens on. If you change this port, you will need to make sure your router is forwarding to whatever port you changed it to, and not the default ssh port 22. The # symbol in this file means the line is commented out. If you want to change this port simply add a line with Port number

After making changes to your sshd_config file you need to restart the server.
This can be done in linux by executing the command

sudo /etc/init.d/ssh restart

in Mac OSX by disabling and re-enabling through System Preferences -> Sharing
and in Windows by restarting the sshd application.

Connecting to your SSH server
Now that your server is running, go to your client machine and attempt to connect.
From Linux or Mac OSX, go to a command line and simply type:

ssh -p 30000 username@routeraddress

Your router address can be found by going to whatismyip.com, or using a dynamic dns address as I will describe in the following post.
If you want to test this from the Server itself, you can use the command:

ssh username@localhost

There are various graphical applications you can use to connect to your Server, I cannot list them all, but common ones are Putty (Windows), WinSCP (Windows), Cyberduck (Mac OSX), Konqueror (Linux), etc.

At this point you have a fully functioning way to create secure connections from a remote computer to your home computer, and be able to transfer files back and forth, and even remote control your desktop.

In the next segment, I will go through creating a security key pair, and how to further secure your computer by using key encryption instead of a password. This can save you time by not requiring you to type in a password, and will be much more secure from attacks on the server.

Secure Connection Series: Aka VPN, SSH, Tunnelling

In this series we will progress through the steps on how to remotely connect to your home computer. In this example I will mostly lean on my expertise in Linux, however many of these techniques will apply to Mac OSX and to a lesser extent Windows. Having looked into solutions for OSX and Windows, I will go into some details on using clients from these operating systems to connect to your home server.

As a preview, and to give you some of the key terms you can search for to find some of these answers out for yourself, here is theĀ  outline of this series of articles I will be presenting:

Steps in this series:

  1. Open a Port on your home networks router/modem
  2. Install SSHD on your home machine
    1. OpenSSH
    2. SSH for Windows
  3. Configure SSHD_CONFIG
    1. Allowed users
    2. Port Configuration
  4. Adding Security Key Pairs
    1. Disabling password access
  5. MacFusion / WinSCP / Fish:// for File Transfers
  6. VNC / Remote Desktop
    1. Tunnelling the port -L 50000:localhost:5900
    2. Starting a VNC server on the Server Machine
    3. Using Remote Desktop
    4. TightVNC client
  7. Beyond the basics


This outline should get you started towards setting up and configuring your own secure connections, however as time permits, i will be releasing articles to fully detail each of these steps.
Use the comments section to left me feedback or as questions for other topics.

New System for the Parents

Koala MiniAfter hearing complaints from my parents about their ailing computer (which is a kludge of used and random bits of hardware) I decided to get them a new machine. A System76 Koala Mini, pre-installed with Ubuntu. Since they currently use Debian, moving them over to Ubuntu should be seamless.

I have used Debian for some years, I have been promoting Ubuntu (or Kubuntu) as my distro of choice for new users. It wasn’t until last July that I installed k/Ubuntu on my own machine. My desktop is still running Debian, and is the work horse of a server, but for my laptop Ubuntu has been the choice.

On to the system. Why did I choose this one? Simplicity.

I wanted a system that could replace that monstrous tower on the desk, and basically wouldn’t be messed with. This machine is a mere 6.5″x6.5″x1.97″ (LxWxH). You won’t be adding any hardware inside this guy. The options i have chosen are Intel Core 2 Duo T5600 1.83ghz, 1gb ram, 100gb sata harddrive.

Some of the features that make this such a great machine are the CDRW/DVDRW (dual layer) drive, integrated wifi 802.11abg, dvi and s-video outputs, and the undocumented remote control and IR.

I should be receiving the computer in a week, where i intend on setting up the accounts for my parents, installing some applications I know they will need, and making sure its ready to go when they get it. They should not have to worry about configuring anything. Although, from what I read, System76 does a great job at setting up Ubuntu for you, they can’t possibly set up accounts for my parents and import all of their data from the existing system.

I will post pictures and more on the system when I have it in hand.

New Laptop with kUbuntu Action

kubuntuMy new laptop finally arrived. It is a Dell Precision M90. It is an Intel Core Duo 2.16ghz machine with a beautiful 17″ WUXGA screen (1920×1200), DVDRW, bluetooth, and a Dell 1490 Wifi adapter.

Why am I specifying the adapter? Because, before deciding on this laptop, I did a little research into Linux compatability. I found that the Intel Wifi adapter that they try to push on you, is not well supported in Linux, whereas the Dell 1490 is a Broadcom chip, which using the ndiswrapper drivers, is supported.

I gave the laptop a day to “wow” me with Windows XP. I tried out all the features included, poked around at the software and configurations. I tried using Outlook, of which the company had configured for me, and wondered, “Why would anyone put up with this?”

I will admit, Microsoft has done a great job of making the web version of Outlook look exactly like the stand alone client. Though I get the feeling they made the client look/work like the web version. There were some things such as dropping down a menu item, and having it disappear when I moved to select something, that just made it unbearable to use.

But I digress. Since I didn’t have the time the first day to install Linux, I downloaded some Opensource apps that could make using Windows a bit more bearable. Namely: Firefox, OpenOffice, VLC, Gaim, PDFCreator, Spybot.

For the moment, my only “need” in Windows is MS Project, for which I have already described how I got that running under Linux.

Since I have been handing out copies of Kubuntu to friends that are interested in Linux, I must admit, I have not installed it myself. Its based on Debian, and I have loaded the Live CD and it was good enough for me.

My feeling is that the Ubuntu group has done a terrific job of taking some of the great Linux technologies in Debian and Gnome and KDE, and made an easy to use distribution. Why I chose Kubuntu vs Ubuntu as the distribution to hand out and recommend, is that Ubuntu defaults to Gnome, and Kubuntu defaults to KDE for the desktop environment. I have used both Gnome and KDE desktop environments, and I have found that KDE has come a long way as far as usability, and since that is the desktop I use regularly, I recommend it to others. (I also can help them if the need arises since I am so familiar with it)

After getting home I took one of my Kubuntu discs and booted it on the laptop. Although I have had to help some people resolve (or work through) some incompatibility issues, I was lucky to not have any that prevented me from operating.

So far the biggest issues with Linux on laptops is Wifi support. There are so many chip makers out there, and so many just won’t release the code for their drivers, or make Linux drivers, that it is difficult to get every one working. Infact, one of the most common ways to get the wifi drivers working, is to actually use what is called the ndiswrapper, which actually uses the Windows XP drivers (the .inf and .sys files) to work under Linux. That is what I had to do with the Dell M90.

The other issue a friend of mine had was with using a printer…granted he was trying to use a $20k multipurpose 200k page/day Canon network printer, by directly connecting to it with a usb cable. It does work in Windows, and from what I have read should work under Linux…but there is just something we are missing in debugging that problem.

With my boot up, I had network, bluetooth, sound, and full resolution video right from the start. I was content with this, so I started with a resize of my WinXP partition. This is actually in the Installer on the Desktop, but I wanted to make sure the resize wouldn’t trash the Windows partition, so I did it manually before installing.

I resized the 100gb NTFS parition using QTParted (gParted in Ubuntu), to 60gb. Clicked Apply Changes, and away it went. Less than a minute later it was done, so I rebooted to verify Windows was still there. It was, and after it running CHKDSK since the size changed, it rebooted again, and was perfectly fine.

Content with that, I installed Kubuntu, which surprisingly took only about 15 minutes.

Now all that is need is some broadband access, and I can install all the applications that I use on a regular basis. Sadly, by default Firefox is not installed (because it has Konqueror), OpenOffice is there, but many other apps I use aren’t. But then how much can they really put on a CD? Well actually, enough to get you up and running, with web tools, an OfficeSuite, CD/DVD burning, multimedia apps, etc…I guess I am just picky.