Modify Colors

Default Reverse Brown Dark Blue

Navigation

Feed

Subscribe in a reader

Archive

Advertisement

Posts in Remote Access Linux Tutorial

October 10, 2009 | Tutorials
[tagged: ]

Remotely Accessing Your Linux Computer: Part 4

This is the fourth part in a four part series covering remote access to Linux machines using SSH.

Everything in this tutorial should apply to most Linux distributions, however some of the commands may be specific to Ubuntu. You may need to modify some commands to work with your Linux distribution. This is an advanced tutorial, so most instructions will be given as text commands.

A Note About Security

Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed.

Introduction

You’ll be glad to know that this step is the easiest of them all. If you’ve made it this far, you have already done the hard part.

Downloading PuTTY

There are probably thousands of different SSH clients for Windows, but the most popular of these is a program called PuTTY. It’s a free download and requires no installation, which means you should be able to run it off a flash drive. (Naturally, it’s also open-source and released under the MIT license.) Go ahead and download PuTTY. (Look for putty.exe)

Trying it out

Just fill in two fields.

Just fill in two fields.

Just double-click on putty.exe and fill out the Host Name and Port fields. Your host name should be:

username@dyndnsuser.dyndns.com

(Where username is your computer username and dyndnsuser is your DynDNS user account.)

Then just enter the port number you set in part 1 and 2.

Click Open and say yes to the RSA key dialog. You’re in!

Conclusion

Wow! That was a lot easier than the other steps. This concludes the series, so have fun with SSH.

[2 Comments - Add Yours]
October 7, 2009 | Tutorials
[tagged: ]

Remotely Accessing Your Linux Computer: Part 3

This is the second part in a four part series covering remote access to Linux machines using SSH.

Everything in this tutorial should apply to most Linux distributions, however some of the commands may be specific to Ubuntu. You may need to modify some commands to work with your Linux distribution. This is an advanced tutorial, so most instructions will be given as text commands.

A Note About Security

Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed.

Introduction

You’ll be glad to know that the graphical piece is actually a lot easier than the first two parts. It’s really just a few configuration changes and that’s it.

On the server end

Open your /etc/ssh/sshd_config file.

gksudo gedit /etc/ssh/sshd_config

Then make sure that X11Forwarding is set to on and both of the lines below are uncommented (meaning that they do not have a # in front on them:

X11Forwarding yes
X11DisplayOffset 10

That’s it on the server end!

On whatever computer your using….

You may also need to change some settings on the computer from which you are connecting. Open your /etc/ssh/ssh_config file. Notice the subtle difference between sshd_config and ssh_config.

gksudo gedit /etc/ssh/ssh_config

Then you need to make sure that these lines are uncommented:

ForwardAgent yes
ForwardX11 yes
ForwardX11Trusted yes

Trying it out…

Now try connecting again:

ssh -X -p <em>port number</em> <em>username</em>@<em>dyndns username</em>.dyndns.com

Then just type the name of a graphical application:

gnomine

Just take a moment to think about how cool it is that you’re running Gnome Mines graphically across the internet from a different computer.

[0 Comments - Add yours.]
October 5, 2009 | Tutorials
[tagged: ]

Remotely Accessing Your Linux Computer: Part 2

This is the second part in a four part series covering remote access to Linux machines using SSH.

(Sorry this one was a little late. I just forgot to publish it. I’ll post the last two sooner.)

Everything in this tutorial should apply to most Linux distributions, however some of the commands may be specific to Ubuntu. You may need to modify some commands to work with your Linux distribution. This is an advanced tutorial, so most instructions will be given as text commands.

A Note About Security

Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed. I would also advise you to only try this on your home network, because your employer will probably dislike you messing with SSH, unless, of course, that’s your job.

Security First

There are some security tweaks you can make to your /etc/ssh/sshd_config file. There are, of course, tons and tons of tweaks you can make. A complete guide to the OpenSSH configuration file is way, way beyond this guide, but I’ll cover a few things you can do:

Port 4005 # Only listen on port 4005
          # 4005 is just an example, this can be anything roughly between 1500 and 5000

This was discussed in part 1, so I suggest you read that. The basic lesson is that you probably shouldn’t use port 22 (the default).

ListenAddress 192.168.1.175 # Only listen on network interfaces with the IP 192.168.1.175

What this line says is to only listen on network connections where your computer’s IP is, in this case, 192.168.1.175. This is useful for a number of reasons. For example, if you have multiple network connections (such as an ethernet connection and a WiFi connection), you could tell SSH to only work on one of those connections. Also, if you were at a coffee shop or some other public WiFi, you would probably not have the same IP address that you do on your own network (depending on your network’s configuration). Basically, it’s just a generally good idea to specify what IP address SSH should listen on. Getting your IP address was also covered in part 1. The quick version is that executing ifconfig should tell you.

Protocol 2 # Only allow logins using SSH 2

There are two versions of the SSH protocol. SSH 1 is old and potentially insecure. Make sure you are only allowing protocol 2 with the line above. This should really already be in your default configuration, but if it isn’t, add it.

PermitRootLogin no

Once again, this is pretty straight-forward and is probably already in your configuration. You shouldn’t usually login to root locally, so why would you let remote users login to root? You can still sudo or whatever.

AllowUsers thomas # Only allow thomas to login

This option allows you to specify which user(s) should be allowed to login via SSH. You may or may not want to add this, but if your only going to login with one account, it adds a small extra layer of security.

It is worth noting that a lot of these configurations are purely security through obscurity. Contrary to what some people say, I don’t believe there is anything wrong with that, as long as it’s not your only defense.

Getting our of your local network

Time to access your computer across the internet. I’ll warn you about the risks again:

A properly configured home router should usually pretend not to exist by giving no reply to unsolicited communications from the outside. In other words, if I try to talk to your router without your router talking to my server, you router should ignore me as if no one was there. This gives you great security, since if no one knows you are there, it’s hard to attack you. (This does not, of course, have any effect on malware spread by email, the web, chat programs, etc.) Allowing your computer to be remotely accessed over the internet cuts a hole in that anonymity. Your router will have to start replying to requests on a particular port. This is dangerous, but not too dangerous as long as your securing everything correctly. (You can test how your router is configured with GRC’s SheildsUP! tool.)

Getting a consistent IP address

The first step is to make sure that your computer always gets the same IP address. If you are using DHCP, and you probably are, then your computer will get a different IP address ever time you get on your network, usually in the range of 192.168.1.100 to 192.168.1.150 or so. You need to setup something called a static lease in which one computer, identified by a MAC address and a hostname, always gets the same IP address.

This is a completely router specific process, so I can’t help you much. Unfortunately, some routers don’t even support this feature. Usually by installing a custom firmware like DD-WRT, you can get the feature even if your router doesn’t support it. Chadwick Wachs has an excellent tutorial for setting up static leases in DD-WRT, which should help you.

From your router to your computer

Next, we need to redirect traffic from your router, which is the only place an external computer can connect to, to your computer. This feature is support by almost ever router, so don’t work. It’s fairly simple, too.

Again, this is router specific, but you can find specific instructions for many routers on PortForward.com. Remember to replace port 22 with whatever port you choose in part 1.

To your router

Don’t worry, your almost there! The final step is to find a way to track your router’s changing IP address. (Yes, that changes too.)

Without paying your ISP extra, you can’t usually get a static IP for your router. Luckily, services like DynDNS.com (a free account is plenty) will give you a free subdomain that points to your router. For example:

username.dyndns.com would point to your routers IP

In order to get the IP to update, you need to enter your DynDNS account into your router settings. Once again, this is router specific, but look for a DDNS section in your router configuration.

All done

Ok. If you’ve made it this far, congratulations! You should now be able to access your computer from any other computer on the internet (with an SSH client, of course), using this command:

ssh -p <em>port number</em> <em>username</em>@<em>dyndns username</em>.dyndns.com

Good luck!

[2 Comments - Add Yours]
September 28, 2009 | Tutorials
[tagged: ]

Remotely Accessing Your Linux Computer: Part 1

This is the first part in a four part series covering remote access to Linux machines using SSH.

Everything in this tutorial should apply to most Linux distributions, however some of the commands may be specific to Ubuntu. You may need to modify some commands to work with your Linux distribution. This is an advanced tutorial, so most instructions will be given as text commands.

A Note About Security

Allowing outside machines to access your computer is inherently risky. Assuming your router and/or firewall is properly configured, you will need to poke some holes in it. This potentially leaves you vulnerable to attack. Proceed at your own risk. Because security is a constantly changing issue, you are responsible for securing your own computer and network. You have been warned. If you are not behind a router or other physical firewall and you can’t explain why this is the case, do not proceed. I would also advise you to only try this on your home network, because your employer will probably dislike you messing with SSH, unless, of course, that’s your job.

About SSH

SSH stands for secure shell. It is a protocol that allows you to access a computer across a network. We will use OpenSSH, an implementation of SSH, since it is the default on most Linux systems.

Installing SSH

SSH is installed by default on almost every Linux distribution, however there is usually no SSH server, which is required to actually share your machine with SSH. Use your preferred package manager to install openssh-server

.sudo apt-get install openssh-server

To check if OpenSSH is running type this:

ps -e | grep ssh

This command will list all running processes and then filter the list to only display processes that include “ssh”. You should see a line like this:

11032 ?        00:00:00 sshd

This means that OpenSSH is running. If you don’t see a line like that, try running this command:

sudo /etc/init.d/ssh start

(If two sshd instances are running, it may cause problems. You can usually fix this problem by issuing the command sudo killall sshd followed by sudo /etc/init.d/ssh start.)

Basic Configuration

There are two steps to configuring your SSH sever. First you must edit the OpenSSH configuration file, then you have to open a hole in your firewall. To start, open the OpenSSH configuration file, which is usually located in /etc/ssh/sshd_config, with your favorite text editor.

gksudo gedit /etc/ssh/sshd_config

Part 2 of this series will discus more configuration options. For now, most of the default configuration should be fine. The one part that you should change now is the port. Your computer has a bunch of different ports (specifically 65535 of them). Each port is like a door that other computers can knock on. For example, when you visit a website, the request goes out through port 80 and the website comes back in through port 80. The first 1024 ports are reserved for specific protocols. Port 22 happens to be reserved for SSH. It is not advisable, however, to let your SSH server listen on that port, though, because an attacker would most likely be scanning for open port 22’s. It is best to change the port option in your OpenSSH configuration to a port number greater than 1024 (and less than 65535). This makes it harder for an attacker to guess which door to knock on. If none of that makes sense, that’s OK. Just change the number after “Port” to a number between 1500 and 5000. While you might be able to use higher numbers, really high port numbers will get you in trouble. See the IANA website for more information about port numbering.

# What ports, IPs and protocols we listen for
Port 4005

Opening ports in your software firewall

Next you need to open whatever port you choose in your software firewall, if you are using one. Most Linux distributions have one installed by default, so if you don’t know, you probably are using one. Most people should probably install Firestarter, which is a GUI front end to managing IPTables.

 sudo apt-get install firestarter

Open Firestarter and follow the setup wizard. Then click on the Policy tab. Select “Inbound Traffic Policy” and click in the box that has “Allow Service | Port | For” at the top. Then click on the Add Rule button. Enter the port you choose and SSH as the name. Then select “Everyone” and click Add.

Testing it out

You are now ready to test it out. Get your IP address on your local network with this command:

 ifconfig

You will need to dig through the output to find your IP address. Here is the relevant piece of the output I see:

 wlan0 Link encap:Ethernet HWaddr 00:00:00:00:00:00 inet addr:<strong>192.168.1.175</strong> Bcast:192.168.1.255 Mask:255.255.255.0

Now go to another Linux or Mac OS X computer on the same network. Technically you can use the same computer, but it’s not as good of a demo. Type this:

 ssh -p <em>port number</em> <em>username</em>@<em>ip address</em>

For example, I would type:

 ssh -p 4005 thomas@192.168.1.175

You may get a message about the server’s RSA key. This is normal and typing yes will bypass the message. Then you should get a prompt for your password. Enter your password and you will be inside your other machine.

 Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added '192.168.1.175' (RSA) to the list of known hosts. thomas@192.168.1.175's password:

Wrapping up

Congratulations! SSH is up and running. Part 2 will teach you how to access your computer from another computer across the internet.

[11 Comments - Add Yours]