ubuntu dual boot illustrated site ubuntu dual boot windows 7 maverick meerkat
   SHH Network

Edited Friday, August 19 2011  Document made with KompoZer

This web-page is part of a larger site giving examples of how to install Windows+Ubuntu Linux operating systems 'dual boot' in a computer. Illustrated Dual Boot HomePage

Page Index


Introduction. - about this web page.

SSH LAN - Create your SSH LAN in Minutes!

SSH - Simple Hardware - No DHCP - File Rescues

SSH with RSA Authentication - heighten your security

How to set up Routers and ADSL broadband modems under Linux

Connect to your SSH servers from anywhere -  from anywhere in the world!

Controlling  Your SSH  Server Remotely - mainly how to turn it on and off

The three V's - VNC, VLC and VPN - all start with 'V' but they're each completely different

=================================

Network Data Transfer Speeds

If SSH refuses to connect. -Trouble Shooting and Problem Solving.

Access to a Windows Network. -Windows networks are easy to access with Samba client.

Links  About Other Kinds of Networking in Ubuntu

Firewalls and Security. -

Port Scanning -

External Links

=================================

SSH Networking is good for File Rescues.

Set a Static IP address. -If there's no DHCP server in the network.

Dynamic IP address. -Use it if your equipment supports DHCP.

IP address. -(for the internet connection)

External and Internal IPs. -Your internet IP is different from your LAN IP address.

First Time Connection to an SSH Server.



Introduction
This aim of this web page is to give illustrated examples to help most people get started quickly and easily. This is not an official SSH website.
I highly recommend also reading at least the following OpenSSH sites, 
OpenSSH - the home page of OpenSSH
Openssh FAQ
Here are links to official Ubuntu sites dealing with networking and SSH networking
Internet & Networking - Ubuntu Wiki's Community Docs
SSHHowto - Official Ubuntu Wiki

  • SSH is password or key based so you do not need to configure the filter or so-called 'firewall'.
  • Data is encrypted while it is enroute between computers so it is safe to use over the internet.
  • SSH works from the command line, or with 'X11 forwarding', so it can be used in GUI mode too.
  • SSH networking was used for file rescues back in the days when  USB external drives were  expensive. It can still be used for file rescues if circumstances require it.


SSH LAN with DHCP

ssh002.png
ssh003.png

This illustration shows a typical home or small business network. A four port ADSL broadband modem-router is connected to four PCs in a LAN (short for 'Local Area Network'). 
The  modem router is connected to the internet  or 'WAN',  ( 'Wide Area Network').
No open ports are exposed directly to the internet because the firewall in the modem-router protects PCs inside the LAN from internet based intrusions.


How To Set up Your Own SSH LAN

You can have just one 'Server' computer or you can install the ssh server software in all of your computers if you want. It's up to you. In my house we find SSH networking so useful we like all of our computers to be set up as both clients and servers. Unlike other forms of networking, Secure Shell networking doesn't compromise your security and SSH is free so there's no reason why not. 
Traditional Linux style networks tend to have one PC dedicated for use as the central server with a number of client computers in the LAN all with connections to the central server.
For simplicity to start off with, let's pretend just one PC will be the server for our SSH LAN.

1:  In the Server computer:

i) You will automatically have an administrator's account in the server computer, that's the account you made when you installed Ubuntu.

You should use 'System'-->'Administration'-->'Users and Groups' to set up accounts in your server for all of the other users in your LAN. You will see settings for controlling what each person will be allowed to do.

You need good strong passwords for each user to start off with. SSH Networking is the most secure kind of networking you can get, but its security depends on having good strong passwords. Further down this page there's a how-to for setting up RSA keys for heightened security, and you can do that later.

ii) You (as the administrator), should use Linux File Ownership and Permission rules to control which directories and files each user will be allowed various grades of access to.
You will notice that each time you create a new user account  there will be a new /home/username directory made, one for each user.

To set a "private home", as a user,
herman@black-beauty:~$ chmod 700 $HOME

For more on Linux File Ownerships and Permissions rules, see this website's File Ownership and Permissions.

For more on security in Ubuntu, see Ubuntu Security - bodhi.zazen - Ubuntu Web Forums.


iii) You need an internet connection in order to download the SSH server software and install it.
Here is the command I use for doing that,
Code:
herman@black-beauty:~$ sudo apt-get install ssh
After running the above command, the computer you ran it in should now have the SSH server software installed in it.

iv) ifconfig is a useful command for networking. The easiest way to check what a computer's IP address is , is to use the ifconfig command,
herman@black-beauty:~$ ifconfig

The output should look something like this,
eth0      Link encap:Ethernet  HWaddr 00:C0:9F:C9:B1:F6 
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fec9:b1f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:80 errors:0 dropped:0 overruns:0 frame:0
          TX packets:228 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9498 (9.2 KiB)  TX bytes:38545 (37.6 KiB)
          Interrupt:16 Base address:0x1800

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1720 (1.6 KiB)  TX bytes:1720 (1.6 KiB)
Notice the IP address for my ssh server 'black beauty'  is now shown in ifconfig as 192.168.1.5

The IP address is something like the server's phone number inside the LAN. IP addresses are automatically assigned by the router for each computer in the Local Area Network (LAN).

iv) To confirm that SSH networking is set up in the server, I could use a different computer in the same LAN and run a port scan on the IP address 192.168.1.5 and it should show that port 22 is now open.  See Port Scanning. (If you want to close port 22 again, simply uninstall SSH).

The IP address 192.168.1.5 for the server is what I need to remember in the next step when I go to a client computer and I need to type in a number for what server to connect to.

2 . In the client computers:

'Client'  computers are computers whicht may be used to make a connection to a 'server', Client Computer.
 
All Ubuntu computers have SSH client software installed in them 'out of the box', so no need to install it. 

Okay, now we're going to make a connection,

i)
You will need a valid username and password either for the administrator's account or one of the user accounts you just made in the server.


ii) Go 'Places'-->'Connect to Server' and you should see something like the following window,

ssh007.png
a. I set the top spinbox to SSH.
b. The Server field is for the IP number for the server I want to connect to, 192.168.1.5
c. Port number for SSH is: 22 
d. Folder I want to be in when I connect will be: /home
e. The user is me: herman
f. The bookmark name is: black-beauty (the name of the server)
 Then I clicked the 'Connect' button.


ssh008.png
I clicked 'Log in Anyway'.


ssh009.png
I typed in the user password for the account I want to log in to in the server computer.

Since this will be a more or less permanent set -up, you might also consider clicking the radio button for 'remember forever' (the password). That will store your password for the account in your keyring.
You will be asked to set a new password for your user keyring if it's the first time you have used it.
Make sure you save your keyring password somewhere safe.
When not to use the 'Remember forever' setting would be if you were travelling and making a connection to home from a public computer such as one in a library or internet cafe. Connecting from the internet is covered further down this page.
TIP: I use Password Manager for remembering all my accounts and passwords and keeping them securely encrypted. There are a number of other good password programs you can install and try out, they're all good. Choose one you like which will store your account details and passwords in encrypted form and will allow you to restore them easily from a backup.

Well, that's it!  I clicked  'Connect' and a window opened. In it I can see the /home/herman directory in the server. Now I  can read and write to my account in the server and transfer files between the two computers.

A new icon for the SSH connection appeared on my desktop .
If the icon doesn't appear, try rebooting and it should appear then.
I right-clicked on the icon and clicked 'Open', from the right-click menu.
ssh010.png

You have set up an SSH connection between one of your client computers and your server.
Now all you need to do is repeat this (Step 2) for each client computer in your LAN.

SECURITY NOTE:
If you have any extra file systems such as data drives or USB external drives mounted in your server while your ethernet cables are plugged in, be aware that other users with accounts in the server may be able to see inside those too if they look. This doesn't only apply to SSH, it applies to all kinds of networking.

Some people would be especially surprised to learn that even data in encrypted file systems can easily be viewed and browsed by other users of the server after you have happily unlocked the encrypted file system and mounted it.  File system encryption is good protection against unauthorised access to files when some person has physical access to the media. Linux users and groups plus file ownership and permission rules are the best protection for your privacy  over a network.



SSH Connection with Simple Hardware

You don't need an internet connection or a router with DHCP.
It's possible to use much simpler hardware to connect two or more PCs.

p11/sshcrossover.png
If you only have a crossover cable  - between two PCs only

or
p11/sshswitch.png
two ethernet cables and an ethernet hub  - any number of PCs possible

You can connect by ssh but you will need to,
1. Set static IP addresses manually.
Look in 'System'-->'Preferences'-->'Network Connections', and open the tab for Wired and click on Auto Ethernet and click Edit.  The settings are in the IPv4 tab.
2. you will need to set each computer up with a different IP address,
3. then you can connect similar to the method shown above - SSH LAN.
 Don't forget to return your settings to DHCP before you try to connect to a DHCP router.

This kind of setup was used for file rescues back in the 'good old days' when USB external drives were too expensive or not available. The usual technique was to boot a Gnu/Linux Live CD in the PC with the disabled operating system, (most often a Windows computer with a virus), and make an SSH connection between that and another Gnu/Linux PC for transferring the rescued files to.



SSH with RSA Authentication

Up until now we have been relying on the broadband modem's filter to protect our LAN.

SSH is designed to be secure even across untrusted networks like the internet. SSH transmits and receives its passwords and data  in encrypted form, so they cannot be read even if they are intercepted while in transit .

To use SSH over the internet we need to use port forwarding in our modem-router settings.
That will expose the SSH Server to possible internet based attempts to crack into any open ports, so we need more than just password based authentication. Here is how to switch from password based SSH authentication to RSA keys for heightened security and more convenience too.


RSA keys give you far more security than password based logins.

Seahorse -Encryption Made Easy - http://www.gnome.org/projects/seahorse/
Seahorse is a nice GUI application that makes and manages both PGP and RSA keys.
Ubuntu comes with Seahorse installed, but there's a secret.
It's not called 'Seahorse' in Ubuntu. Instead it's disguised under a generic name. You can
find Seahorse in your client computers easily by going 'System'-->'Preferences'--'Passwords and Encryption Keys'.

Decrypt File - plugin for Seahorse - Install it from Ubuntu Software Center - you need it.

We can use RSA keys for logging in to our SSH accounts without having to bother typing the password each time. We can use PGP keys for securely encrypting any data and emails, and to sign documents.

Right now we're only concerned with the RSA keys.

Seahorse generates for us a pair of keys, a private and a public RSA key.
These are saved is in the .ssh directory in a file called rd_rsa and a file called id_rsa.pub.
The file called rd_rsa contains our private key which we need to keep secret.
The file called id_rsa.pub contains our public key which can be copied to any SSH Server we want to connect to.

The way it works is something like this, the SSH Server uses your public key to generate a number and encrypts the number and sets the encrypted number to your computer.
Your computer uses your private RSA key to decrypt the number and sends the unencrypted number back to the server. When your SSH Server receives the number back decrypted, that proves the identity of the computer you are using is genuine, since only your private key could have decrypted that number. The SSH Server allows the connection and opens.

p11/seahorse_000.png

1. Open Seahorse (aka 'Passwords and Encryption Keys'), and go 'File', 'Create New', and choose 'Secure Shell Key'. Hit 'Continue'.

2.  Enter a key description and click on the button for 'Create and Set Up'.

3. Enter a Passphrase for the new Secure Shell Key, (enter the password for your account in the SSH Server)

4. Enter the IP Address of the server, (from the ifconfig command) eg: 192.168.1.4
Enter the name for the user account you'll be logging into.

5.  Click 'Set Up' button

6. Hit Bug #Bug #785632 failed to register key with remote host,  https://bugs.launchpad.net/ubuntu/+source/seahorse/+bug/785632

Well it used to work, honest!

In the meantime, while we're waiting for this bug to be fixed we'll just need to do the rest manually.

7.  In your client computer, click 'View', and 'Show Hidden Files'.

i ) navigate to your .ssh directory and look for your id_rsa.pub you just made with Seahorse.
ii)  copy the file called:  id_rsa.pub

8. In your client computer, plug in a USB flash memory stick or some other portable media, a floppy disk if you still use them.

9. Paste  id_rsa.pub  into your USB flash memory stick (or whatever media you have)

10. Unmount the USB flash memory stick or whatever you're using and remove it from the client computer.

TIP: You can use your Ubuntu One Account to sync public keys between your computers.
Send them by email is possible, but it would be best to encrypt them first - see Seahorse Howto.


11. Plug the USB flash memory into your server computer and copy the id_rsa.pub into the /home/username directory.

12. Run: cat id_rsa.pub >> .ssh/authorized_keys
cat id_rsa.pub >> .ssh/authorized_keys

Congratulations!
You have appended your client's RSA key to the list of authorized keys in your SSH Server.

Repeat this for all the client computers in your LAN.

Once you have passwordless logins established for all your clients you can disable password based logins to boost your SSH Server's security.

Stop SSH
sudo ssh stop

Make a backup of the ssh configuration file in its original password based condition first, for safe keeping..
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.back

edit /etc/ssh/sshd_config file and disable password based logins, for even more security,
gksudo gedit /etc/ssh/sshd_config

Find the lines that look like these,  they are all in different places in the file,
48 ChallengeResponseAuthentication yes
51  #PasswordAuthentication no
87 UsePAM yes

Change to this,
48 ChallengeResponseAuthentication no
51 PasswordAuthentication no
87 UsePAM no

Save and close the file.

Restart SSH
sudo ssh start

When you open an SSH connection to your SSH Server the first time connection you will be asked for a password,
p11/ssh-locked.png

This happens because the server has used your public key to encrypt a number and has sent it back to your client. Your client needs access to its private key to decrypt the number and when it sends that number back to the server the connection will be verified.  The password you need to type in here is your keyring password for your client computer, (the computer you're using now to make the connection from).


Links:

SSH Key Authentication Using seahorse (GUI) - Debian Admin

What is a Digital Signature? An introduction to Digital Signatures, by David Youd

 How PGP Works     |     
Dr. Small's Blog     |    Public Key Cryptography - Wikipedia  

The International PGP Home Page  

SSH OpenSSH Configuring - Ubuntu Community Docs

Generate a ssh key and disable password authentication on Ubuntu server -  Lani's WebLog




Access Your Modem-Router Settings Using Gnu/Linux:

People have various kinds of internet connections and networking equipment.

Most networking hardware comes with an installation CD that runs in Windows and runs the user through a setup wizard of some kind to set up the equipment. These installation CD-ROMs usually don't auto-run in Gnu/Linux but don't worry about it. To gain access to your broadband modem or modem-router from a Gnu/Linux operating system all we need the equipment's IP address.
This command will find that out for you,
netstat -nr

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0

Now all you need to do  is copy the modem's IP address and paste it into your web browser's (Firefox) address bar and press enter or click the 'go' button.

This should open the login screen for your broadband modem or modem-router and you can enter your username and password to get access to your equipment's settings.

You may need the manual that came with your hardware, (recommended).
Normally the easiest place too look first would be in the box the equipment came in when was new. There might be a paper printed version or you may find one of those software installation CD's they use for Windows. The CD will usually contain documents (eg: router manual), that you really should open and read if you want to be able to get the most out of your router.  If you still can't find your router's manual, try the internet (google for it), and download it.

Now you should be able to find all the settings in your equipment and adjust everything to your needs.
  1. If you are setting up an internet connection for a new modem, you'll need you username and password for your account with your ISP for your internet connection.
  2. Don't forget to set up a real username and password for the router or modem so no-one else can go in and make unauthorized changes.
  3. Be sure to store your usernames and passwords somewhere safe and secure. I use the 'GPass' - (Gnome Password Manager) program in Ubuntu for mine.
Incidentally, most routers and other networking equipment run on a Linux kernel and IPTables filter ('firewall'), with some kind of lightweight, hardware specific operating system built around it.

TIP: Knowing how to use the settings in your modem-router is key to getting good satisfaction from SSH networking. You really should spend some time reading your modem Router's manual and familiarising yourself with your router's settings. .

TIP: Add your router's and modem's URL to your Firefox bookmarks so your router settings and logs will always be instantly available for you from now on.




Connect to your SSH servers from anywhere

It is best to test SSH between computers inside your LAN for a little while to make sure it's working well before progressing to using SSH over the internet.

You can travel the globe and still be able to access all the files in your home or office computer or computers if you use SSH Networking.

Port Forwarding
Before you leave home, you just need to make sure a port is open in your internet modem that leads to your ssh port in your home computer. That's called 'port forwarding', and the way to do that depends on what kind of hardware you have.  The best way to find out is to read your broadband modem's documentation.
If that's not convenient for you, here is a link to a website that shows you how to set up port forwarding with all kinds of different equipment. PORT Forward.com

TIP: If your hardware allows it, you may want to forward your SSH Server's port 22 to some other more obscure port instead. That won't really hide it from internet crackers, but it's better than just leaving it as port 22. A high numbered port that isn't used for any other service would be best.

TIP: Where your hardware doesn't allow you to change port numbers when you set up port forwarding, you can edit  /etc/ssh/sshd_config and set a different port number for SSH there instead if you like.
You can use the command 'less /etc/services' to see what port numbers not to use,
less /etc/services

TIP: If you have more than one SSH Server in your LAN, then set up port forwarding with a different port number for each server.

CanYouSeeMe.org - Open Port Check Tool, is a useful site to check whether your port forwarding efforts have worked, that site also shows you your internet IP number too.

CAUTION: You need password based SSH logins disabled and RSA key based logins established before you set up port forwarding. Port Forwarding will expose ports in your computers directly to the internet.
See:
SSH with RSA Authentication.



IP address (External)

You'll need to know your external IP address to connect from the internet

An 'IP address' is like a phone number but it's for a computer. Well, maybe it would be more accurate in this case to say it's for the connection between your broadband modem and the internet. Your broadband modem or modem-router, has an internet IP address. This is usually assigned to it on a temporary basis by  your ISP's router.

This command will find that out for you,
wget -O - -q icanhazip.com
NOTE: You need to have an internet connection for the above command to work.

example results,
202.173.161.210

You can also find that in your Broadband Modem's control panel, see  Access Your Modem-Router Settings (above).

If you click on any of the following links you'll be able to see your current IP address and a few other things that a web site with the right software can see about you when you visit that site.

What Is My IP Address? - Dedicated to IP address discussion

What is my IP Address? Show my IP Address and IP Address tracer

IP Chicken - What is my IP? Find Your IP Address!

My IP Information

What can people tell from my IP address? - Ask Leo!




One Problem:   Dynamic IP address

One of the features of some ADSL broadband services in Australia and in many other countries are that we have dynamic or 'roving' IP addresses for our internet connections.
Basically that means every time we reboot the ADSL broadband modem and connect back up again we will be given a different IP address. They change automatically from time to time too.
That's a security feature to help protect us and make us more anonymous on the internet. That way it's more difficult for an internet attacker to single out a specific user.

It makes things harder for accessing our SSH Server though.

If we wanted, we can apply for a 'fixed IP address', which means we can keep the same IP address more or less permanently. The only problems with that is, most  ISPs will add about $10 per month to our internel bill for enabling that option.

A quick and effective solution to this problem is to go get a free domain name, read these two links:
 DynamicDNS -Ubuntu Community Documentation, and, Dynamic DNS No-IP


I found out that my D-Link modem-router has a built in feature for updating the dynamic DNS, so I didn't need to install any software in any of my computers. I just created an account with the D-Link recommended DNS server and followed the manufacturer's instructions for configuring the modem-router. That turned out to be very easy to set up and works great!



p11/connect-via-dns.png
Making A Connection
So now that you have a Dynamic DNS or at least  some way of knowing your home IP address, you can go somewhere to a remote location (not too far away yet), maybe just to a neighbour's or to your work place and try connecting by SSH to your home SSH server via the internet.

Setting it up is the same as shown at the top of this page in SSH LAN except this time in the 'Server' field you need to type in your DNS Host Name. If you don't have one your home router's external (internet) IP address will work instead as long as it hasn't changed since you left home.

If you have more than one SSH Server and you port- forwarded each server to a different port number  you should be able to find the server you want by typing the appropriate port number.

Now you can travel with your laptop, or even only a netbook
and be able to access all the files in your home computers from anywhere in the world. You could even travel with only you Ubuntu-in-a-flash-memory-stick.  It's  as good as  carrying all the information in your home computers around in your pocket.


control_remote-server

Controlling  Your SSH  Server Remotely

You don't really need any GUI to connect with SSH and if you can use the command line you can tell your server to do almost anything for you, especially if you have the admin account.

Remotely controlling your SSH server is useful if it happens to be a 'headless' server, (no monitor and maybe no keyboard or mouse of its own), or if you're away somewhere on the internet and you don't have physical access to your server.


Making the Connection
Here is a great link on this subject: Beginning SSH on Ubuntu - Principia Labs.

I hope you all read that tutorial because it explains most of what I would have said and the author has done a much better job of it than I would.

About the only thing not already covered by that excellent web page was what commands a person might typically want to use. You can use any linux bash commands the same as you would when you're behind any Gnu/Linux PC. Just a few selected commands can be found here, Command Line Page.



Remote Booting
If you're planning on being away from home for a long time and you are interested in saving electricity you might not want to leave your server running idle 24/7, especially if you're the only user that will need access to it.

If you take a good look through your server's BIOS settings you might find it's possible to set your server up for booting automatically from the BIOS's calendar/clock at the same time every day.

Even better than having the server booted from your BIOS's timer,  instead you can boot it by the ethernet card from another PC in your LAN or even from a remote internet location. 
  1. Your server's motherboard needs to have built in support for WOL, (Wake On Lan). It probably will if it's less than ten years old. You need to find that feature in the server's BIOS settings and enable it. See How To Enable the Wake On Lan on the BIOS - gWakeOnLan wiki.
  2. You will need to install ethtool in the server or whatever computer you want to be able to boot remotely, and you will need to follow the instructions at Howto: Wake on LAN with ASUS P5WDG2 WS Pro in Debian/Ubuntu to get that set up properly.
  3. You will need your server's mac address and IP address (from the ifconfig command).
    For internet booting you may need a DynamicDNS too, (see above) or at least a way to know your router's IP address on the internet.
  4. Look in Ubuntu Software Center and install gWakeOnLan, (available from the universe repository) in a client computer or Ubuntu in a USB drive and use that to boot your sleeping server with. Here's the link about how to do that: gWakeOnLan
  5. When booting via the internet, allow at minute for the BIOS screens, ten seconds for your GRUB countdown and a few seconds for Ubuntu to boot before attempting to log in by SSH.
I have read that it's also possible to boot with GRUB 2 from your ethernet card (even if your motherboard doesn't support WOL), but I haven't tried that yet. Here's a link to the Gnu/GRUB Manual, 7 Booting GRUB From the Network.


Remote Shut - Down

After you access your SSH server remotely via the internet you may want to shut it down when you're done,
sudo shutdown -h +3
This command will shut down the system (halt) after three minutes, warning messages are given to any other users to allow them time to save their work and close any running programs.


Taking Webcam Photos Remotely

You will need to install uvccapture in your server first, (of course).

If the SSH server has a webcam plugged into it, you can log in by SSH and use this command line program to get the webcam to take pictures for you,
uvccapture -d/dev/video0 -x640 -y480 -o"photo-001".jpeg
this may be useful if you want to keep an occasional eye on what's going on at home while you're away. If you don't see the photo in the /home/username folder in your server try clicking the reload button on your file browser.

Taking Webcam Video Remotely
Somebody has kindly and generously done a nice job of explaining this idea, Link: DIY: Webcam Surveillance System with Ubuntu - taksuyama.com

A little more advanced but on video surveilance, (but not necessarily involving SSH), see Home video security with Zoneminder and Ubuntu - Linux * Screw and ZoneMinder Demonstration‏ - YouTube.




VVV - the three 'V's
The following three three letter abreviations all begin with V but they don't have all that much in common except they all have something to do with SSH.

VLC - VLC Media Player

VLC Media Player is a program we can install for free in Ubuntu and it's great for everyday general purpose video watching but it can do much more than that too. One thing we can use VLC Media Player for is to watch a movie or monitor a webcam or security camera from a remote location and this can be tunnelled through SSH for privacy. Here's a link about that, 'Streaming Webcam over SSH' - moblog.

VNC - VNC Viewer - Virtual Network Computing - wikipedia
A program called 'vinagre' is the Gnome Desktop VNC client and server package that comes pre-installed in Ubuntu, vinagre. The server side of is not enabled in a new Ubuntu install, but you can go and enable it any time.

It isn't called 'vinagre' in Ubuntu, instead you can find it by going
1. In the Server: System - Preferences - Remote Desktop
2. In the Client: Applications - Internet - Remote Desktop Viewer

VNC known to be notoriously unsafe if used wrongly. It should be okay to enable it for the time you need it and then disable it again as soon as you're finished. VNC should be safe enough between PCs in your private LAN while it's protected by your router's firewall, but over the internet it should be 'tunnelled' through SSH for privacy.  You'll see a field in recent versions of vinagre client for tunneling the connection through SSH.
'VCN Viewer', aka 'vinagre', aka 'Remote Desktop Viewer' is mainly for remotely controlling another computer,.
For example your mother's computer when she phones for help and you're trying to help her do something. When you're having trouble getting her to understand what you're trying to tell her to do you can set up  a VNC connection so you can view her desktop and take over control of her mouse and keyboard from wherever you are. That way you can get the job done a lot quicker.
Links: Vinagre Documentation,   VNC - Ubuntu Community Docs,

VPN - Virtual Private Network
VPN is supposed to be a step up from SSH for use over the internet. It's supposed to offer the same security, by encrypting the connection and data while it's in transit, plus offer more speed for file transfers and so on.
I haven't tried VPN out yet, but it's on my to-do list. If already know enough about networking or at least if you've been dilligently trying out the steps above for setting up SSH then by now you should have picked up enough of the networking lingo and know-how to be able to advance to trying out VPN.
Links:  Open VPN - openvpn.net  |  Open VPN - wikipedia



Network Data Transfer Speeds

The Data-Transfer-Rate Conversion Table - Scott's Newsletter

Here's a link for all the mathematicians out there,
difference bet Kbps and KB/sec - danniweb





SSH Troubleshooting


If SSH refuses to connect

If an operating system on the LAN's details have been changed in any way since the first time an SSH connections was made with that host, that it can upset SSH's security sensitivities and SSH can get paranoid and refuse to connect. 
For example, if the IP number doesn't match the MAC address, or if certain other differences are detected.

This is designed into SSH for security reasons. See 'Man-In-The-Middle-Attack' - wikipedia.
That's why SSH remembers the details like the MAC addresses and whatever else it can, and records those in a hidden directory in your computer, so SSH can detect an imposter.

You are reommended to contact the administrator of the computer you are trying to connect to. If you're sure the connection is safe, there's a file in the /home/username/.ssh directory called 'known_hosts' and that's the file where SSH keeps track of special identifying features of every computer you have connected to in the past.
If something has changed, such as the operating system has been re-installed, you will need to delete .ssh/known_hosts to make SSH forget the old details before you can connect.

sudo rm -rf .ssh/known_hosts


You can make fresh SSH connections again after that.
The Ubuntu system will give you a brand new .ssh directory automatically, with new connection details in it for the first connection you make.
Sometimes a reboot helps.
Any other SSH connections will need to be made all over again too.

Another reason SSH might not be able to connect would be if you have changed IP tables settings in either computer since last time you made a connection. Naturally you have to configure any firewalls to allow the connection.


ifconfig
command
If you don't know the IP address for the computer in a LAN you want to connect to and it's your own computer
you can find out easily by typing the ifconfig command in 'terminal' of your computer.
If it isn't your computer and the connection is welcome, 
the polite way to find out is to ask whoever is using other computer to type: ifconfig and tell you the output. Perhaps you will need to do that by email if you are a long distance from the other computer.

Code,
herman@black-beauty:~$ ifconfig

Output, 
eth0      Link encap:Ethernet  HWaddr 00:C0:9F:C9:B1:F6 
          inet addr:192.168.1.100  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fec9:b1f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:80 errors:0 dropped:0 overruns:0 frame:0
          TX packets:228 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9498 (9.2 KiB)  TX bytes:38545 (37.6 KiB)
          Interrupt:16 Base address:0x1800

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1720 (1.6 KiB)  TX bytes:1720 (1.6 KiB)

I highlighted the IP address of the computer in yellow, inet addr:192.168.1.100 

Shown in orange, is the hardware address or MAC address from the network card in the machine, HWaddr 00:C0:9F:C9:B1:F6 
All networking hardware comes with a MAC address, which is like a serial number hard coded into the BIOS of the hardware. Ethernet cards, routers, modems, switches and anything like that always have MAC addresses. Normally they have a sticker on the box it came in when it was new, also it might be printed on the hardware itself, and you can find the MAC addresses of all the hardware in your LAN with Linux networking software. It could be a good idea to copy down the MAC addresses of your hardware and pin the note up on a wall for easy reference.

Links: How To Break MAC Filtering - (wifi security) - Maxi - Pedia
Changing Your MAC Address In Window XP/Vista, Linux And Mac OS X (Sometimes known as MAC spoofing) - irongeek


First Time Connection to an SSH Server

You will see a window like the one shown below the first ime

ssh008.png
That's because SSH software in the client computer, (the one you are making the connection from), remembers the details of every server computer it has ever connected to and it doesn't recognize this one.
SSH warns you about the fact that it doesn't recognize the computer you want to connect to so if the other computer is not your own, you can go check with the other computer's operator.
If that's the right IP number and the connection is welcome then it's normally safe to go ahead and make the connection, especially if it's the first time. You can expect to see this sign every time you make a new connection.

You may need to set static IP addresses in SSH 'server' computers in your LAN because of the security feature explained above. SSH in your client computer records an ID (RSA) number and IP address of every other computer yours has made connections to in the past. (Known hosts).
When you try to connect to them a second time if everything is not identical to the information your computer has stored, SSH 'smells a rat' and refuses to make the connection.
Most routers these days can remember which computer is which and always assign the same IP address to each one. If you have a router without that feature you might need to set a static IP address in Ubuntu, the router will not take care of it for you.



Too Many Authentication Failures
(Link only): Too Many Authentication Failures - Ubuntu Web Forums



No Route To Host

p11/no-route-to-host.png
The IP addresses in your LAN may have been changed, possibly due to a router reset.
Run the ifconfig command to check and see if this could be your problem.

There are three or more ways to fix this.
either
a) delete all your ssh bookmarks and make new connections - this may be only a temporary solution
or
b) Take a look through your router's settings and read the manufacturer's documentation. See if there's a way to get your DHCP router to remember your server's mac address and assign the same IP address to your server.
c) Set static IP addresses, (instead of the router telling your PCs which IP address they can have, your computer will tell the router what IP address to give it.) This is more work to set up because you will need to make settings in your router plus every computer, and also any new computers that join your LAN too.

Getting to know your router is important if you want trouble free ssh' ing.







 
Access to a Windows Network
Ubuntu comes with Samba client pre-installed, but not the server half of Samba.
It's no problem at all for any Ubuntu computer to access shared folders on the Windows network. All we need to do is configure any Firewalls in the Windows computers to allow the connection.
Just go 'Places'-->'Network'-->Windows Network' and click on an icon.
We don't need to install anything in Ubuntu to enable us to do that.

If you want your Windows box to be able to 'see' and access your Ubuntu operating system you need to install Samba Server.
You need to set up the IP Tables filter (firewall) in Ubuntu before you install Samba server.
I have never installed Samba server in any of my computers, so I don't know what it's like, I have only read about it. I would never be willing to compromise my built in Linux security to that extent.
Nevertheless, 'Samba' networking is very popular, lots of other people use it every day.

Here are a couple of good links for Samba networking for those who feel they need it, 
The Official Samba-3 HOWTO and Reference Guide , and  The Unofficial Samba HOWTO.



Links_About_Other_Kinds_of_Networking_in_Ubuntu
Other kinds of Linux networking include FTP and NFS, and more. Here are a couple of links, FTP...(By Frodon)

NFS

OpenSSH for Windows . - I haven't tried it but I presume it would be possible not only to connect between Windows boxes, but also between Windows machines and Linux machines in an SSH network as well. It would be worth a try if you have Windows computers.



 
Firewalls and Security
First, read this excellent thread by bodhi.zazen: Ubuntu Security

IPtables are our Linux equivalent to what is called a 'firewall' in Windows.
IPtables are built right into the Linux kernel.  We don't need to go and download some external software that someone has for sale or for hire.

There is often a firewall debate going on in Ubuntu forums about whether or not an added firewall is needed for Ubuntu. I don't think I need a firewall for my purposes.

Firestarter, is something we can install in Ubuntu.
It might be a good idea to install Firestarter if you install any server software. 
Firestarter is not a stand-alone firewall that you need to add, but it is a
very good GUI frontend for helping new users to configure their IP tables more easily. It's really IPtables that does the work behind the scenes.
Firestarted can be installed through apt or  Synaptic Package Manager or 'Applications, Add/Remove Programs'. There are some other similar programs available too.
Howto: Setup a Software Firewall in Linux using Firestarter - Techthrob.com

In Ubuntu, our IPtables are left unconfigured by default.
When we first install the operating system they aren't needed, because Ubuntu doesn't come with any services installed, no ports are open to the internet. As long as we don't open any services, Ubuntu is as sealed as a nut.


Most people probably don't even realize Ubuntu has a network filter (or 'firewall' if you prefer).

If you want to take a look at yours, just do this,
Code:
herman@red:~$ sudo iptables -L

And here's what our unconfigured IPtables normally look like,
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

man iptables To learn more about iptables open a terminal and type: man iptables 
The output from that command is about eight pages long and it's very interesting if you have the time to read and inwardly digest it. There is a lot to learn about IP tables.
I have links to some of the best web pages with how-tos and user guides for IPtabels further down this page.


I haven't configured my IP Tables at all,
and I have installed SSH server. I want to check to see how safe I am on the internet. You can do this too. So let's go test our firewall.





'Shields Up!' is a well known internet firewall testing site, your Ubuntu system should pass all tests as 100% stealth with or without any added firewall. I don't use any added software firewall and mine is 100% stealth, and has always been. It will tell you your external IP also.

AuditMyPc.com is another firewall tesing site you can visit.

HackerWatch.org is good too.

Did your Ubuntu operating system pass all those tests?     Mine did,
 ...but I was connecting through my router, and then through my broadband modem.
Both my router and my broadband modem have 'hardware firewalls' built into them.
(I highly recommend the hardware firewalls in most routers), so it could be that these firewall testing sites are only really testing my 'hardware firewall' in my router.

If you are connecting through a router too you can unplug your router and plug Ubuntu into the broadband modem directly if you want and have another try!

(Some of you may need to revert back to DHCP first, to make a direct internet connection).
 Stealth?
Try doing the specific port probe at 'Shields Up! on port 22, (the SSH port) now, still 100% Stealth?    

CanYouSeeMe.org - Open Port Check Tool - Check just one port at a time - any port.

Given the results from the above tests, it would seem as if at least my computers are already quite secure from the outside world, I'm not sure about everyone else's. That depends on your equipment.





Port Scanning in Ubuntu
(your other computers in your LAN)
You should not install any programs which open ports in Ubuntu other than SSH Server which does open a port but one which is protected by password or RSA key. Open ports for any services other than SSH make your operating systems vulnerable to security threats. Ubuntu comes with no open ports when it is installed.

When
we have more than one Ubuntu computer in our network we can use each one to scan the others for open ports. Port scanning is a useful way to check on the security of all of the computers in your LAN.
Ubuntu comes with some very good networking software of its own.
I went 'System'-->'Administration'-->'Network Tools', and clicked on the 'Port Scan' tab.

You need to know the IP number for each of your other computers that you want to scan.
The easiest way to get that is just to go to the other computer and run 'ifconfig'.
An alternative way would be to take a look at the IP address list in your router's control panel, see this webpage's: 
How to set up Routers and ADSL broadband modems under Linux.

Once you know an IP address to run a scan on, the scan only takes a few seconds.
It is possible to detect an open
port 22 that way when a system has SSH server installed.

If you find any other open ports you can look them up in either of these links to see what service they're probably for:
 If you don't remember installing that service or if it's a service you don't use then you should probably uninstall the service and that will probably close the port.
herman@bookpc:~$ less /etc/services

It is best to keep your Ubuntu pure stealth.
If that's not possible and you really need to open any non-SSH ports then you need to configure a firewall.



NMap
NMap is a port scanner you can use for checking all the computers in your LAN for open ports.
http://insecure.org/nmap/docs.html
Nmap is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager.
A nice GUI front end is available for NMap too, it's called 'NmapFE', and is available through Add/Remove Applications, and probably apt-get and Synaptic too.

WireShark. - http://www.wireshark.org/
Wireshark is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager. Wireshark is a packet sniffer, you can use that to keep a watchful eye on the comings and goings of all the packets in your LAN.

Connecting from another computer on the internet to a computer inside a home LAN
If your setup is anything like mine, you would need to open a port in the broadband modem's firewall, and also a port in the router's firewall before the incoming connection could be made.
That will expose your LAN to the internet.
That's where you might start needing to be more security conscious about computers in the LAN with open ports.  

What if a remote attacker can get into my LAN from the internet ever did (theoretically) manage to get inside my LAN through my Broadband Modem-Router's built-in firewall?
More commonly this could happen via a non-encrypted wireless connection from a local snoop with a laptop.
Well, according to this link, Getting Started with SSH, they would still have a hard time cracking my SSH keys.
Quote:

Essentially invulnerable means that it's commonly believed that if they were really, really motivated, the National Security Agency could crack a SSH session key within a year, if they didn't do any other cryptographic cracking during that time, devoting all resources to you. This would give them access to up to an hour of one of your sessions, provided all packets were recorded. The exact number of CPUs, hours and dollars required is hard to estimate, but is outrageously in excess of any credible threat to you.

How to tell if someone is trying to crack into your computer

HOWTO: Automatically block SSHD/PROFTPD Attacker. - pinoyskull





External Links

SSH - Ubuntu Comminity Docs - make a command line SSH connection

Ubuntu Networking for Basic and Advanced Users.- illustrated guide, includes commands

Useful Linux Network Commands. - A nice quick list of commands

Karakas-Online Network Commands. - more good commands

Linux Network Administrators Guide. - Very Comprehensive

Security - Our system Security guide from the Ubuntu Community Docs. Brief.

AdvancedOpenSSH - Ubuntu Community Documentation

VNC over SSH
- Ubuntu Community Documentation

HOWTO: iptables (part one of three) Debian User Forums - This one is easy to follow

HOWTO: Set a custom firewall (iptables) and Tips . - By frodon - more comprehensive

IptablesHowTo - Ubuntu Community Docs - An introduction to the powerful Linux IPTables firewall

Iptables Tutorial 1.2.2 by Oskar Andreasson. Comprehensive.

Also, here's the Official Ubuntu Wiki IPTablesHowTo (for Ubuntu Server Edition).

OpenSSH key management, Part 1 -=-  IBM

OpenSSH key management, Part 2 -=-  IBM 

Mount Remote Directories Securely with SSH -=- Access your home files from far away.

HOWTO: VNC over SSH using Public/Private keys From Windows




MAC Addresses
If you want to see your network card's MAC address, use the ifconfig command.
MAC addresses are like serial numbers that are hard coded into each piece of networking hardware. They are used to identify your computer's network card, your router, ethernet switching hub, broadband modem-router, and any other piece of networking hardware you can think of.
They can be used to identify your equipment on the LAN or internet too. The MAC address might be compared with a license (number) plate on a car.
More: MAC address - Wikipedia, the free encyclopedia





ADSL
is short for 'Asymetrical Digital Subscriber Line'.
'A' stands for 'Asymetrical', because it's set up so that downloading is faster than uploading.
'D' is for 'Digital', (instead of analog or ISDN).  
'SL' is short for 'Subscriber Line', which just means a phone wire.
Using Digital means we can have the phone plugged in and use it while the computer is on-line since it's a different frequency. Our phone wires can carry about 200 times the amount of information using digital signals compared to analog too.
  
The speed of internet connections are stated in KiloBits per second is written like: 256/64 kbps, or 512/128 kbps. One kilobit is roughly about 1/10 of a Kilobyte.
The Data Transfer Rate Conversion Table.




Client Computer

In simple terms, the 'client' computer is the computer that is asking some other computer for a connection.
Ubuntu comes with the client half of all kinds of networking software already installed 'out of the box', but not the 'server' half.
Imagine a telephone that has no bell. You can use it to call any other 'phone, but it can't receive any incoming calls.
In other words, Ubuntu can make connections to other computers that are open, (like a phone can make outgoing calls), but it can't receive any incoming connections.  We need to install the 'server' side of the networking software for that to work, (for Ubuntu to be open to some kind of a connection).
We can easily log into any other computer that has any kind of 'server' installed, but no other computers can log into ours. The default instalation of Ubuntu is very secure.




Server Computer

In simple terms, the 'server' computer is the one that will be receiving the connection, something like a telephone when you recieve a call.
The server needs to have some kind of software installed in it to enable it to accept incoming connections.
Adding server software will open a 'port' in your computer and allow your computer to accept connections from another computer. Ubuntu doesn't ship with any 'services' enabled by default.  It is possible that this might include potentially unwelcome intruders, especially if you're connected to the internet and you're not protected by a modem-router firewall.
Within a protected LAN, SSH is the safest kind of networking for beginners providing have good strong passwords because it is password based. A firewall is not required with SSH (Secure SHell) networking as long as you have strong passwords or better still, RSA keys.
As soons as you join a larger network or the internet then you at least need to disable password logins and use RSA keys instead and start thinking about other security strategies as well.



Choosing a Server
You may need a powerful computer for a busy corporate network that might be accessed by a large number of clients simultaneously, but for a home or small business your server will be idle most ot the time.
Sometimes an older computer makes a good home server, that way it can still be used for something and that's better than just throwing it away. Just because it has server software in it doesn't mean it can't have a mouse and keyboard and a monitor. You can still keep using it as a regular computer if you want. If it's an older computer and it doesn't have a good graphics card though, it's less likely to be wanted for  everyday computing needs and can still perform a useful role living out the rest of its life as a server.

Servers tend to be left running all the time, you can't access a server that has been shut down, (well not unless you also set up booting by ethernet, that's a subject I'll skip for now). Your spare computer would need to be left running even when it's idle, making noise, heating up the air and adding to the electricity bill.
Another idea would be to use a computer that's on a lot anyway. My wife's computer would be a good choice in my house because she's a heavy computer user and leaves her computer runnning most of the time anyway.  I can count on her leaving it on for me when I need access. Even if she does shut it down I can phone her to have it turned on if necessary. That way I can save some electricity by not having a dedicated server left running idle all the time for no good reason.




DHCP
Most routers now feature DHCP, and it can be turned on or off in the router's settings.
Most people would normally just leave it turned on unless they were doing something special.
The opposite of DHCP is a static or fixed IP address.
DHCP - Dynamic Host Configuration Protocol
One of the important settings we use in our computers to enable our computers to be able to access the router or the ADSL modem, which accesses the internet, is 'DHCP'.
DHCP is enabled in Ubuntu by default and if the next piece of equipment up the line is enabled as a DHCP server, then our computer will automatically accept whatever IP address the upstream equipment such as the router or the ADSL broadband modem-router wants to offer it.
If you make the computer insist it's IP address is one number while the equipment it is trying to connect to is trying to force it to accpet some other number you probably won't be able to make a connection.

If you want to check you can always just go 'System'-->'Administration'->'Network', and after you type your password you'll see this 'Network Settings' box here, and if you click the 'Properties' button you'll get this other box illustrated below.

001ssh
ssh001.png




MDI/MDIX
If your equipment supports 'auto MDI/MDIX', that means it doesn't matter if I use plain or crossover CAT5 ethernet cables, it will automatically sense whatever is used and adjust itself accordingly. With some equipment, especially older equipment, you might find that it is important to use the (red) crossover cable, or you won't be able to connect the switch to the broadband modem.




Crossover Cable

A 'crossover cable is the same as a plain ordinary cat5 ethernet cable but when the cable is made some of the wires are crossed over (joined to opposite terminals in the plugs).
See Ethernet Crossover Cables - Wikipedia

p11/sshcombination003.png
Old equipment - a single port ADSL Broadband modem required the use of a separate ethernet hub in order to serve more than one computer. 

The red cable is a 'crossover cable', and was required between the ethernet switch and the old broadband modem. Modern equipment features auto MDI/MDIX , so crossover cables are no longer needed except for connecting two computers directly, see SSH with Simple Hardware.


dns_alternative
DNS Alternative Workaround:
This is possibly a little bit silly but before I went and got my own DNS account I thought of alternative way to solve the dynamic IP address problem.

I can have my home computer send me emails at regular intervals addressed to myself.
When I'm away I then receive the email in my laptop, netbook or USB flash memory stick.
All emails have the senders IP address in them and you can see that if you open the email and click 'View'-->'Message Source'.

Set the home PC's Evolution email application to not check for new mail automatically.
Otherwise even if you do let it check for new mail, make sure the home PC's Evolution will at least leave a copy of it on the server.
These settings are in 'Edit'-->'Preferences', in Evolution. Click on your account, and click 'Edit', and go to the receiving options tab.

There are a few different programs that can be used to send email from the command line, and that means they can be set up in a crontab to cause them to be send out at regular intervals, or any times we decide to set.
The email program I use is 'sendEmail'.

SendEmail can be installed with apt-get or Synaptic in Ubuntu and it is quite simple to use.

herman@silver:~$ sudo apt-get install sendemail
Here's how to send an email to yourself with sendEmail, from the command line,
example,
$ sendEmail -f user@bigpond.net.au -t user@bigpond.net.au -o message-file=hello.txt -v -s mail-hub.bigpond.net.au
Where: -f user@bigpond.net.au is the email address it's being sent from
Where: -t user@bigpond.net.au is the email address it's being sent to
Where: after the -o option, hello.txt is a plain text file containing a message.
Just make your own text file with any message in it. It doesn't matter what the message contains.
Maybe send your self a reminder of what port numbers your home router is using for each PC's SSH port to make it useful.
Where: -s is your mail server, that depends on your ISP.
For more info: Send an email at start up that contains my IP - Ubuntu Web Forums.

Now that you know how to send yourself an email from the command line, you can probably figure out how to use crontab to do the same thing. If you don't know how to set up crontab, look here: Configure 'crontab'

How to send an email to yourself with sendEmail, from crontab,
example,
0 6 * * *  /usr/bin/sendEmail -f user@bigpond.net.au -t user@bigpond.net.au -o message-file=hello.txt -s mail-hub.bigpond.net.au
Where: you will send your self an email at 06:00 every day. You might want to make more of these. One every four hours or very six hours or eight hours or whatever.

Why do we need to send ourselves an email?
So we can receive our own email from a remote location and discover our home LAN's current IP address when we have a dynamic IP.
How?
Open the email and click 'View'-->'Message Source', and the IP address will be there.











===+===+===+===+===+===+===+===+===+===+===+===+===+===+===+===+
PARKING AREA FOR TEMPORARILY UNWANTED SENTENCES AND PARAGRAPHS

It's important to set Evolution in the home PC so it will not check for mail automatically. If it does it might grab the message it sent itself and wipe it off the server.