| Page Index
Introduction. - about this web page.
Simplest SSH LAN. - easy and quick - connecting two computers - e.g. for file rescue.
Persistent SSH LAN. - home network with internet connection.
Firewalls and Security. - SSH networking is good for file rescues.
How to set up Routers and ADSL broadband modems under Linux
Set a Static IP address. - If there's no DHCP server in the network.
Dynamic IP address. - Use it if your equipment supports DHCP.
IP address. - (for the internet connection)
External and Internal IPs. - Your internet IP is different from your LAN IP address.
First Time Connection to an SSH Server.
If SSH refuses to connect. - Troubleshooting and Problem Solving.
External Links
Links About Other Kinds of Networking in Ubuntu.
Access to a Windows Network. - Windows networks are easy to access with Samba client.
Connect to your SSH servers from anywhere - from anywhere in the world! |
| Introduction
This is not an official SSH website. I highly recommend reading the real OpenSSH sites: OpenSSH (the home page of OpenSSH) and the OpenSSH FAQ. Here are links to official Ubuntu sites dealing with networking and SSH networking: Internet & Networking (Ubuntu Wiki's Community Docs) and SSHHowto (Official Ubuntu Wiki). The aim of this web page is to give illustrated examples for those of us who are new, to help beginners get started.
|
LAN Cable Connections
Here are two of the simplest networking setups just to begin with. Two computers can be connected in a LAN using CAT5 ethernet cables. Linux operating systems are famous for their ability to perform file rescues. The Ubuntu Live CDs come with the 'client' half of SSH already installed. Either of these two simple setups is all you need for a Linux file rescue. You can use any kind of networking for this job. Using SSH is kind of overkill, but since SSH is the easiest to use as well as the best, we use it for the simplest of tasks as well as the toughest jobs. To perform a Linux file rescue, you just need to
Example 1: The simplest arrangement of all is when a 'crossover' cable (red) is used to connect between two computers. It is plugged into the ethernet port (at the back of the ethernet card or motherboard ethernet port), in both computers.
Example 2: The second simplest cabling arrangement is when we connect two computers by their ethernet ports using two plain CAT5 ethernet cables and an ethernet switch. A switch is better than just a plain hub, but you could use just a plain hub if that's all you have. I have a 'TP-Link TL-SF1008D' 8-port 10/100M Fast Ethernet Switch. |
| 1. In the client computer: In simple terms, the 'client' computer is the computer that is asking some other computer for a connection. Ubuntu comes with the client half of all kinds of networking software already installed 'out of the box', but not the 'server' half. Imagine a telephone that has no bell: you can use it to call any other 'phone, but it can't receive any incoming calls. In other words, Ubuntu can make connections to other computers that are open (like a phone can make outgoing calls), but it can't receive any incoming connections. We need to install the 'server' side of the networking software for that to work (for Ubuntu to be open to some kind of a connection). We can easily log into any other computer that has any kind of 'server' installed, but no other computers can log into ours. The default installation of Ubuntu is very secure. Now let's see how this will work in an example. The desktop computer will be the SSH client in this example. The desktop's hostname in the example is: red. Because this is such a simple system there's no governing hardware (router) with any DHCP server to give either of the machines an IP address (like a phone number), so we will need to set a static IP address in each computer manually. To set a static IP address I went 'System'-->'Administration'-->'Network', and selected the interface I want to work on. There was a choice of two, wired connection (ethernet card) or modem (dialup). I chose 'wired connection', of course. Then I typed in the IP number I made up: 192.168.1.101. The subnet mask field auto-completed itself. I left the Gateway address field blank. The operating system disconnected the network and re-started it with the new settings. At this point it is necessary to do 'sudo ifdown -a' and 'sudo ifup -a', or else just reboot. Then do 'ifconfig' and check the IP address.
|
| 3. Back in the client computer again: Okay, now we're going to make a connection, 'Places'-->'Connect to Server'. In the example I'm going to show here, both of the computers I'm going to connect are my own computers. I'm just connecting my own Desktop PC to my own laptop, so I'll simply be logging in as the primary user, (system administrator), which is me. [Note 1] I set the top spinbox to SSH. The Server field is for the IP number for the server I want to connect to, in this example my laptop, so I typed in 192.168.1.100 because that's my laptop's IP address right now.
Port number for SSH is: 22
Folder I want to be in when I connect will be: /home
The user is: herman
The hostname is: silver
Then I clicked the 'Connect' button. If the icon doesn't appear, try rebooting and it should appear then. I right-clicked on the icon and clicked 'Open', from the right-click menu. I clicked 'Log in Anyway'. I waited. I typed in the password for the account I want to log in to in the server computer. Well, that's it, a window opens and I can see the /home/herman directory in the laptop. Now I can read and write to my account in the other computer and transfer files between the two computers. If this was a desktop computer with a disabled operating system in it, and we were running a Ubuntu live CD in the CD-ROM drive for the client, we would now be able to perform a file rescue to the laptop's hard drive before trying to repair the desktop's operating system with the Ubuntu Live CD.
Note 1: Normally, (for everyday use), we would have a separate user account set up in the SSH server. If the other computer belongs to someone else, they probably like a bit of privacy and wouldn't like you logging in to their account as a long term habit. To set up a new user account in Ubuntu Gutsy Gibbon, you just go 'System' --> 'Administration' --> 'Users and Groups', and you'll see how the other computer administrator can add a new user account for you in their computer that way, it's quite simple. That's the best way to set SSH up for everyday use in your LAN. |
| Here is something more like the typical arrangement most people would probably have or want. Both computers can be connected to the internet through some kind of internet connection. Internet Security will be covered in a little more detail further down this page. In this case I have an ADSL broadband modem. At the same time they can be connected to each other using SSH. Everything is connected through a switch or a router.
With a Switch
For this illustration I have shown the switch being connected to the ADSL modem by a crossover cable, (red). Actually my equipment supports auto MDI/MDIX, which means it doesn't matter if I use plain or crossover CAT5 ethernet cables, it will automatically sense whatever is used and adjust itself accordingly. With some equipment, especially older equipment, you might find that it is important to use the (red) crossover cable, or you won't be able to connect the switch to the broadband modem. The obvious difference is that the broadband router is now part of the network. To connect to the internet I use a 'Thompson Speedtouch 530' broadband modem-router which I have mounted on the wall above and behind my computers, where I can see its LED lights glowing brightly. The Thompson Speedtouch 530 broadband modem/router has DHCP functionality, which is very handy. That means it gives out IP addresses to each computer or piece of networking equipment that I plug into it. As long as the Thompson Speedtouch 530 itself remains switched on it remembers the MAC addresses of other networking equipment or computers that have been plugged into it. It remembers which IP addresses it has assigned to each MAC address, so it will give out the same IP addresses to each piece of hardware every time the same equipment is plugged in again or re-booted.
SSH likes consistency, so that makes the Thompson Speedtouch 530 ideal for use with an SSH LAN. I don't need to set up the computers with fixed IP addresses now, I can just leave them on DHCP. The IP addresses my computers were given this time were 10.0.0.1 and 10.0.0.2, and if I connected a third computer it would be allocated the IP number of 10.0.0.3, and so on. Configuring the connection with SSH networking was almost the same as already explained above in 'Quick Simple SSH LAN', but please refer to the procedure for DHCP explained below for the software side of setting up SSH. If your router or internet modem features DHCP server capabilities you should just leave it set on DHCP to take advantage of that feature. If you have a different kind of broadband modem, and your modem doesn't assign IP addresses or can't remember which computer had which IP address but gives them new ones after a reboot, then you might need to set static IP addresses. In that case please look at configuring the connection with SSH networking as already explained above in Quick Simple SSH LAN.
Using a Router
It's a little better if you have a router instead of just a switch. Most routers come with wireless these days and a lot of people like that. Routers also give you an extra firewall and even more software you can play with. You should read your own router's documentation again if you haven't done so recently. My first router was a Netcomm 11g Wireless Firewall Router, with 802.11g standard performance, 54Mbps wireless and its own active firewall. It features a 4 port 10/100 ethernet switch. Setting it up was pretty much just a matter of connecting all the ethernet cables and plugging it in. My Netcomm router is a very good router, it supports DHCP but it didn't always give the same IP address to each computer if more than one computer was shut down and restarted.
Maybe there were some settings I overlooked, but using DHCP settings in the computers would have been impractical. To use SSH on a daily basis, I need each Ubuntu system to have the same IP address every time. I had to set static IP addresses. That's a lot easier than always having to be careful with the sequence the computers get started each day. If your router is like that too then please look at configuring the connection with SSH networking as already explained above in Quick Simple SSH LAN. Now I have a new D-Link AirPlus G DI-524 Wireless Router. It gives us 54 Mbps, advanced firewall with parental control, and a built-in 4 port 10/100 ethernet switch. It is compatible with Windows, Mac or Linux operating systems. Even though it works great right away as soon as it's all plugged in and turned on, it comes with a CD-ROM for those of us who want to make the best of all its features. I put the CD-ROM in the drive, found the .pdf files and copied them into my computer for studying and for future reference. The new D-Link router is able to give my computers any IP addresses I set, I can choose any numbers between 192.168.0.100 and 192.168.0.254. It also remembers which computer is which by their MAC addresses. They get the same IP addresses each time they are booted, so I can just leave them set on DHCP. If your router is like my new one, read on... Setting up SSH networking when we have a router is the same as already explained above in 'Quick Simple SSH LAN', but I'll explain it again below showing you how to leave your computer set to DHCP this time instead of setting a static IP address. (It's easier). Whether to set static IP addresses or use DHCP will depend on the features and settings of the upstream equipment. |
| 1: In the Server computer: In this example, the silver laptop will be the server. You need an internet connection in order to download the SSH server software and install it. Here is the command I use for doing that, Code:
DHCP - Dynamic Host Configuration Protocol
The opposite of DHCP is a static or fixed IP address. One of the important settings we use in our computers to enable them to access the router or the ADSL modem, which accesses the internet, is 'DHCP'. DHCP is enabled in Ubuntu by default, and if the next piece of equipment up the line is enabled as a DHCP server, then our computer will automatically accept whatever IP address the upstream equipment such as the router or the ADSL broadband modem-router wants to offer it. If you make the computer insist its IP address is one number while the equipment it is trying to connect to is trying to force it to accept some other number, you probably won't be able to make a connection. If you want to check you can always just go 'System'-->'Administration'-->'Network', and after you type your password you'll see the 'Network Settings' box, and if you click the 'Properties' button you'll get the properties box. If I tried to set it to a 'static IP address' now, that means I am trying to get my computer to tell my upstream equipment (router or ADSL modem) what IP address I want. That wouldn't work unless I go into the settings in the router or ADSL modem and revert those back to static as well, but who would want static IP addressing when you can have DHCP? DHCP is better. Ubuntu should already be set to DHCP by default. In that case you don't need to do anything, just leave it like that and go to the next step.
|
| In the client computers: 'Client' computers are computers that are being used to make a connection to a 'server', remember. The desktop computer will be the SSH client in this example. The desktop's hostname is: red. All Ubuntu computers have SSH client software installed in them 'out of the box', so you won't need to install anything for that. Okay, now we're going to make a connection, 'Places'-->'Connect to Server'. Normally, (for everyday use), we would have a separate user account set up for each user in the SSH server. To set up a new user account in Ubuntu Gutsy Gibbon, you just go 'System' --> 'Administration' --> 'Users and Groups', and you'll see how the server's system administrator can add a new user account for you in their computer that way, it's quite simple. That's the best way to set SSH up for everyday use in your LAN. In the example I'm going to show here, both of the computers I'm going to connect are my own computers. I'm just connecting my own Desktop PC to my own laptop, so I'll simply be logging in as the primary user, (system administrator), which is me. I set the top spinbox to SSH. The Server field is for the IP number for the server I want to connect to, in this example my laptop, so I typed in 192.168.1.100 because that's my laptop's IP address right now.
Port number for SSH is: 22
Folder I want to be in when I connect will be: /home
The user is: herman
The hostname is: silver
Then I clicked the 'Connect' button. If the icon doesn't appear, try rebooting and it should appear then. I right-clicked on the icon and clicked 'Open', from the right-click menu. I clicked 'Log in Anyway'. I waited. I typed in the password for the account I want to log in to in the server computer. Well, that's it! A window opens and I can see the /home/herman directory in the laptop. Now I can read and write to my account in the other computer and transfer files between the two computers. Since this might be a permanent set-up, you might also consider clicking the radio button for 'remember forever' (the password). That will store your password for the account in your keyring; you'll be asked to set a new password for your user keyring if it's the first time you have used it. After that you'll only need to remember your keyring password. That's easier in case you have a lot of different SSH connections, all with different passwords. |
| How to set up Routers and ADSL broadband modems under Linux: Some people have broadband and others have cable internet connections. Some people only have a modem, others have a modem-router, while still others have a separate router and modem, (like I do). Most networking hardware comes with an installation CD that runs in Windows and runs the user through a setup wizard of some kind, often pretending to install some kind of Windows driver and maybe installing some other bonus software. These installation CD-ROMs usually don't auto-start in Linux, so a lot of people might think they can't set their networking hardware up in Linux. That's not true. Most of this set-up wizard hocus-pocus is nothing but 'smoke and mirrors' designed to confuse and impress Windows users, and keep them in their place. The actual settings themselves are usually blindingly simple. Anyone should be able to set up their own modem or router in Linux.
|
SSH Troubleshooting
ifconfig command
If you don't know the IP address for the computer you want to connect to and it's your own computer, you can find out easily by typing the ifconfig command in a terminal on that computer. If it isn't your computer and the connection is welcome, the polite way to find out is to ask whoever is using the other computer to type: ifconfig and tell you the output. Perhaps you will need to do that by email if you are a long distance from the other computer.
I highlighted the IP address of the computer in yellow, inet addr:192.168.1.100. Shown in orange is the hardware address or MAC address from the network card in the machine, HWaddr 00:C0:9F:C9:B1:F6. All networking hardware comes with a MAC address, which is like a serial number hard coded into the BIOS of the hardware. Ethernet cards, routers, modems, switches and anything like that always have MAC addresses. Normally they have a sticker on the box it came in when it was new, also it might be printed on the hardware itself, and you can find the MAC addresses of all the hardware in your LAN with Linux networking software. If you are an aware user, you should copy down the MAC addresses of all your hardware and learn to recognise them.
First Time Connection to an SSH Server
You will see a window like the one shown below the first time. That's because SSH software in the client computer, (the one you are making the connection from), remembers the details of every server computer it has ever connected to and it doesn't recognize this one. SSH warns you about the fact that it doesn't recognize the computer you want to connect to so if the other computer is not your own, you can go check with the other computer's operator. If that's the right IP number and the connection is welcome then it's normally safe to go ahead and make the connection, especially if it's the first time. You can expect to see this sign every time you make a new connection for the first time. You may need to set static IP addresses in SSH 'server' computers in your LAN because of the security feature explained above. SSH in your client computer records an ID (RSA) number and IP address of every other computer yours has made connections to in the past. (Known hosts). When you try to connect to them a second time, if everything is not identical to the information your computer has stored, SSH 'smells a rat' and refuses to make the connection. Most routers these days can remember which computer is which and always assign the same IP address to each one. If you have a router with that feature you might not need to set a static IP address in Ubuntu, the router will take care of it for you.
If SSH refuses to connect
If the details of an operating system on the LAN have been changed in any way since the first time an SSH connection was made with that host, that can upset SSH's security sensitivities and SSH can get cranky and refuse to connect. For example, if the IP number doesn't match the MAC address, or if certain other differences are detected. This is designed into SSH for security. Consider what might happen if you were in a large LAN like in a school, university or office and someone on the LAN decided to set their computer with someone else's IP address just for fun. You might connect to it thinking you are exchanging files with your friend, but really you'd be exchanging them with someone else.
The potential is there that you might copy sensitive files to the other computer, not realizing it isn't the computer you thought you were transferring the files to. Or, if you're copying files from the other machine, you could be fed misleading information. That's why SSH remembers the details like the MAC addresses and whatever else it can, and records those in a hidden directory in your computer. SSH can detect an imposter. It's like Little Red Riding Hood saying "but what a big nose you have, Grandma, and what big ears you have!..." You are recommended to do some footwork and go and see the person whose computer you are trying to connect to. If you're sure the connection is safe, there's a file in the /home/username/.ssh directory called 'known_hosts' and that's the file where SSH keeps track of special identifying features of every computer you have connected to in the past. If something has changed, such as the operating system has been re-installed, you will need to delete .ssh/known_hosts to make SSH forget the old details before you can connect.
The Ubuntu system will give you a brand new .ssh directory automatically, with new connection details in it for the first connection you make. Sometimes a reboot helps. Any other SSH connections will need to be made all over again too. Another reason SSH might not be able to connect would be if you have changed IP tables settings in either computer since last time you made a connection. Naturally you have to configure any firewalls to allow the connection. To find out your IP address on a LAN, use the command: ifconfig |
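As an added example (not code from the original page), the sketch below parses the known_hosts format, where each line pairs a host name or address with that server's public host key, classifies a presented key as unknown, matching or changed, and forgets a single stale host instead of deleting the whole file. The key blobs, the salt and the 10.0.0.2 entry are constructed sample data, and wildcard host patterns are not handled.

```python
import base64
import hashlib
import hmac


def make_blob(label):
    """Constructed stand-in for a public key blob (not a usable key)."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + label).decode()


def hashed_name(host, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def fingerprint(key_b64):
    """SHA256 fingerprint in the form current OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def host_matches(field, host):
    """True if the first known_hosts field names this host (no wildcards)."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(),
                       hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return host in field.split(",")


def entries(text):
    """Yield (hosts_field, key_type, key_b64, raw_line) for plain key lines."""
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue  # blank lines, comments, @cert-authority/@revoked markers
        yield fields[0], fields[1], fields[2], raw


def check_host(text, host, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server presents."""
    known = [k for h, t, k, _ in entries(text)
             if t == key_type and host_matches(h, host)]
    if not known:
        return "unknown"   # first connection: compare fingerprints out of band
    return "match" if key_b64 in known else "changed"


def forget_host(text, host):
    """Drop only the lines naming this host; every other server is kept."""
    stale = {raw for h, _, _, raw in entries(text) if host_matches(h, host)}
    return "\n".join(l for l in text.splitlines() if l not in stale) + "\n"


# Constructed sample data: the laptop 'silver' from the page plus one hashed entry.
KEY_SILVER = make_blob(b"constructed-key-silver")
KEY_OTHER = make_blob(b"constructed-key-other")
KEY_REINSTALLED = make_blob(b"constructed-key-after-reinstall")
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts",
    "192.168.1.100 ssh-rsa " + KEY_SILVER,
    hashed_name("10.0.0.2", b"constructed-salt-20b") + " ssh-rsa " + KEY_OTHER,
]) + "\n"

if __name__ == "__main__":
    print(check_host(KNOWN_HOSTS, "192.168.1.100", "ssh-rsa", KEY_SILVER))
    print(check_host(KNOWN_HOSTS, "192.168.1.100", "ssh-rsa", KEY_REINSTALLED))
    print("confirm with the server's operator:", fingerprint(KEY_REINSTALLED))
    cleaned = forget_host(KNOWN_HOSTS, "192.168.1.100")
    print(check_host(cleaned, "192.168.1.100", "ssh-rsa", KEY_REINSTALLED))
    print(check_host(cleaned, "10.0.0.2", "ssh-rsa", KEY_OTHER))
```

On a real system the same single-host removal is done with `ssh-keygen -R 192.168.1.100`, which leaves the records for every other server in place.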
| Access to a Windows Network
Ubuntu comes with Samba client pre-installed, but not the server half of Samba. We found that it's no problem at all for any Ubuntu computer to access shared folders on the Windows network. All we had to do was configure any Firewalls in the Windows computers to allow the connection. Just go 'Places'-->'Network'-->'Windows Network' and click on an icon. We didn't need to install anything in Ubuntu to enable us to do that. That's good enough for me. I don't feel the urge to be able to do things the other way around at all. If you want your Windows box to be able to 'see' and access your Ubuntu operating system you need to install Samba Server. I have never installed Samba server in any of my computers, so I don't know what it's like, I have only read about it. I would never be willing to compromise my built in Linux security to that extent. Nevertheless, 'Samba' networking is very popular, lots of other people use it every day. I have read that Samba networking has advantages when it comes to things like printer sharing. You need to know how to set up the IPtables filter (firewall) if you want to use Samba, or install Firefox IPtables front end to configure IP tables for you. Here are a couple of good links for Samba networking for those who feel they need it: The Official Samba-3 HOWTO and Reference Guide, and The Unofficial Samba HOWTO. |
Links About Other Kinds of Networking in Ubuntu
Other kinds of Linux networking include FTP and NFS, and more. Here are a couple of links: FTP (by Frodon), NFS, and OpenSSH for Windows. I haven't tried it but I presume it would be possible not only to connect between Windows boxes, but also between Windows machines and Linux machines in an SSH network as well. It would be worth a try if you have Windows computers. |
Firewalls and Security
External (Internet) and Internal (LAN) IP addresses
Our internet connection has an IP address. I'm calling that an 'external' IP address, for the purposes of this page. That's the IP address my modem/router has as far as the outside world is concerned. Inside my house, on my side of the modem/router, my ADSL modem has a different IP address, that is 10.0.0.138 if you have a Thompson Speedtouch 530 like I do. My computers have a different IP address each too, allocated by the DHCP server in my ADSL modem/router. If I put another router in between, that will have its own IP address too, and will also assign different IP addresses to each computer. Normally those are invisible unless you use a Linux command like ifconfig to find out. I'm calling those 'inside' IP addresses for the purposes of this page.
IP address (External)
An 'IP address' is like a phone number but it's for a computer. Well, maybe it would be more accurate in this case to say it's for the connection between your broadband modem and the internet. If you click on any of the following links you'll be able to see your current IP address and a few other things that a web site with the right software can see about you when you visit that site.
What Is My IP Address? - Dedicated to IP address discussion
What is my IP Address? Show my IP Address and IP Address tracer
IP Chicken - What is my IP? Find Your IP Address!
My IP Information
What can people tell from my IP address? - Ask Leo!
Dynamic IP address
One of the features of some ADSL broadband services in Australia is that we have a dynamic or 'roving' IP address for our internet connection. Basically that means every time we reboot the ADSL broadband modem and connect back up again we will be given a different IP address. That's a security feature to help protect us and make us more anonymous on the internet. That way it's more difficult for an internet attacker to single out a specific user.
If we wanted, we could apply for a 'fixed IP address', which means we can keep the same IP address more or less permanently. That would probably be important if we wanted to make one of our computers into a server to be made available from anywhere on the internet. For example you might want to host and maintain your own website in one of your own computers at home for advertising your hobby or business. You might want a fixed IP number so people will always be able to find your site. You can use SSH networking between computers over the internet too. That would also be easier if you have a fixed IP address. You could be traveling somewhere and be able to connect to your home computer by SSH to look something up or do work in your home computer. Check with your own ISP about this option. Some ISPs give people 'fixed' IP addresses whether they like it or not. If you have a static IP address it still can be perfectly secure, but you may want to be a little extra careful.
MAC Addresses
If you want to see your network card's MAC address, use the ifconfig command. MAC addresses are like serial numbers that are hard coded into each piece of networking hardware. They are used to identify your computer's network card, your router, ethernet switching hub, broadband modem-router, and any other piece of networking hardware you can think of. They can be used to identify your equipment on the LAN or internet too. The MAC address might be compared with a license (number) plate on a car. More: MAC address - Wikipedia, the free encyclopedia
IPtables are our Linux equivalent to what is called a 'firewall' in Windows. IPtables are built right into the Linux kernel. We don't need to go and download some external software that someone has for sale or for hire. There is often a firewall debate going on in Ubuntu forums about whether or not an added firewall is needed for Ubuntu.
I don't think I need a firewall for my purposes. Firestarter is something we can install in Ubuntu. It might be a good idea to install Firestarter if you install any server software. Firestarter is not a stand-alone firewall that you need to add, but it is a very good GUI frontend for helping new users to configure their IP tables more easily. It's really IPtables that does the work behind the scenes. Firestarter can be installed through apt or Synaptic Package Manager or 'Applications, Add/Remove Programs'. There are some other similar programs available too. Howto: Setup a Software Firewall in Linux using Firestarter - Techthrob.com. In Ubuntu, our IPtables are left unconfigured by default. When we first install the operating system they aren't needed, because Ubuntu doesn't come with any services installed, no ports are open to the internet. As long as we don't open any services, Ubuntu is as sealed as a nut. Most people probably don't even realize Ubuntu has a network filter (or 'firewall' if you prefer). If you want to take a look at yours, just do this, Code:
And here's what our unconfigured IPtables normally look like,
man iptables
To learn more about iptables open a terminal and type: man iptables. The output from that command is about eight pages long and it's very interesting if you have the time to read and inwardly digest it. There is a lot to learn about IP tables. I have links to some of the best web pages with how-tos and user guides for IPtables further down this page. I haven't configured my IP Tables at all, and I have installed SSH server. I want to check to see how safe I am on the internet. You can do this too. So let's go test our firewall. 'Shields Up!' is a well known internet firewall testing site, your Ubuntu system should pass all tests as 100% stealth with or without any added firewall. I don't use any added software firewall and mine is 100% stealth, and has always been. It will tell you your external IP also. AuditMyPc.com is another firewall testing site you can visit. HackerWatch.org is good too. Did your Ubuntu operating system pass all those tests? Mine did, ...but I was connecting through my router, and then through my broadband modem. Both my router and my broadband modem have 'hardware firewalls' built into them. (I highly recommend the hardware firewalls in most routers), so it could be that these firewall testing sites are only really testing my 'hardware firewall' in my router. If you are connecting through a router too you can unplug your router and plug Ubuntu into the broadband modem directly if you want and have another try! (Some of you may need to revert back to DHCP first, to make a direct internet connection). Stealth? Try doing the specific port probe at 'Shields Up!' on port 22, (the SSH port) now, still 100% Stealth? CanYouSeeMe.org - Open Port Check Tool - Check just one port at a time - any port. Given the results from the above tests, it would seem as if at least my computers are already quite secure from the outside world, I'm not sure about everyone else's. That depends on your equipment.
Port Scanning with Ubuntu (your other computers in your LAN)
If we have more than one Ubuntu computer in our network we can use each one to scan the others for open ports. Ubuntu comes with some very good networking software of its own. I went 'System'-->'Administration'-->'Network Tools', and clicked on the 'Port Scan' tab. You need to know the IP number for each of your other computers that you want to scan. The easiest way to get that is just to go to the other computer and run 'ifconfig'. The scan only takes a few seconds. It is possible to detect an open port 22 that way when a system has SSH server installed. If you find any other open ports you can look them up in either of these links to see what service they're probably for: If you don't remember installing that service or if it's a service you don't use then you should probably uninstall the service and that will probably close the port.
NMap
NMap is a port scanner you can use for checking all the computers in your LAN for open ports. http://insecure.org/nmap/docs.html Nmap is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager. A nice GUI front end is available for NMap too, it's called 'NmapFE', and is available through Add/Remove Applications, and probably apt-get and Synaptic too.
WireShark - http://www.wireshark.org/
Wireshark is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager. Wireshark is a packet sniffer, you can use that to keep a watchful eye on the comings and goings of all the packets in your LAN.
Connecting from another computer on the internet to a computer inside a home LAN
If your setup is anything like mine, you would need to open a port in the broadband modem's firewall, and also a port in the router's firewall before the incoming connection could be made. That will expose your LAN to the internet. That's where you might start needing to be more security conscious about computers in the LAN with open ports. What if a remote attacker from the internet ever did (theoretically) manage to get inside my LAN through my Broadband Modem-Router's built-in firewall and my LAN router's firewall too? (You're joking right?) Well, according to this link, Getting Started with SSH, they would still have a hard time cracking my SSH password. Quote:
How to tell if someone is trying to crack into your computer
HOWTO: Automatically block SSHD/PROFTPD Attacker. - pinoyskull

Seahorse - Encryption Made Easy - http://www.gnome.org/projects/seahorse/
See this website's Install Seahorse. Seahorse is a nice GUI application that makes and manages both PGP and RSA keys. We can install Seahorse in Ubuntu easily through 'Applications'-->'Add/Remove Programs' or Synaptic or apt-get.
With RSA keys we can log in to our SSH accounts even more securely, without even having to bother typing the password each time. Seahorse generates a pair of keys for us, a private and a public RSA key. These are saved in the .ssh directory, in a file called id_rsa and a file called id_rsa.pub. The file called id_rsa contains our private key, which we need to keep secret. The file called id_rsa.pub contains our public key, which is to be copied to our friend's computer, the one we want to connect to.

To set up passwordless logins for SSH, we open Seahorse and right-click on our private RSA key. Select 'Set up Computer for Secure Shell...'. A window opens titled 'Set up Computer for SSH Connection', and below that there's a note: 'To use your Secure Shell key with another computer, you must already have a login account in that computer.' There's a field under that called 'Computer Name' (domain name). I just type the IP number:port number (if other than 22) of the friend's computer there; that works for me. There's also a field for your login name in the other computer, which is autocompleted. When you are ready, click 'Setup'. You'll be asked for the password to your account in your friend's computer; type it and click 'Okay'. That's it! Your public RSA key is copied into your friend's computer, where it's appended to a file called .ssh/authorized_keys. Now when you open an SSH connection to your friend's computer, you may be asked for a keyring password the first time you connect, but after that the login should be automatic.

The way it works is something like this: the computer you are connecting to generates a number, encrypts it with your public key, and sends the encrypted number to your computer. Your computer uses your private RSA key to decrypt the number and sends the unencrypted number back to your friend's computer.
When your friend's computer receives the number back decrypted, that proves the identity of the computer you are using is genuine, since only your private key could have decrypted that number. The remote computer then allows the connection. After the first connection it's automatic; you don't need to type a password anymore.

Then, once we have passwordless logins established, we can edit the /etc/ssh/sshd_config files to disable password-based logins, for even more security.

What is a Digital Signature? An introduction to Digital Signatures, by David Youd How PGP Works | Dr. Small's Blog | Public Key Cryptography - Wikipedia The International PGP Home Page
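The number exchange described above, written out as an added example that is not part of the original page. It uses textbook RSA built from well-known Mersenne primes (constructed for illustration, far too weak for real use), and all class and function names are hypothetical. Current OpenSSH (protocol 2) has your computer sign session data with the private key rather than decrypt a number, but the private key stays on your computer in the same way.

```python
# Added example: Server, Client, login and make_keypair are illustrative names.
import secrets

def make_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns (public_key, private_key)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))

class Server:
    """The computer you log in to. It only ever holds public keys."""
    def __init__(self, authorized_keys):
        self.authorized_keys = authorized_keys    # plays .ssh/authorized_keys
        self.pending = {}

    def challenge(self, user):
        n, e = self.authorized_keys[user]
        number = secrets.randbelow(n - 2) + 2     # fresh number for each login
        self.pending[user] = number
        return pow(number, e, n)                  # encrypted with the public key

    def verify(self, user, answer):
        expected = self.pending.pop(user, None)   # a challenge is valid once
        return expected is not None and answer == expected

class Client:
    """Your computer. The private key is used here and never sent."""
    def __init__(self, private_key):
        self.private_key = private_key

    def answer(self, encrypted):
        n, d = self.private_key
        return pow(encrypted, d, n)               # decrypted with the private key

def login(server, user, client):
    return server.verify(user, client.answer(server.challenge(user)))

# Constructed keys from well-known Mersenne primes: illustration only, not secure.
MY_PUBLIC, MY_PRIVATE = make_keypair(2**61 - 1, 2**89 - 1)
_, OTHER_PRIVATE = make_keypair(2**107 - 1, 2**127 - 1)
FRIEND = Server({"me": MY_PUBLIC})

if __name__ == "__main__":
    print("my key:   ", login(FRIEND, "me", Client(MY_PRIVATE)))
    print("wrong key:", login(FRIEND, "me", Client(OTHER_PRIVATE)))
```

Only the encrypted number and its decrypted answer cross the network, and an answer that was accepted once is rejected if it is sent again.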
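One way to check the result of the sshd_config edit mentioned above, as an added example (not part of the original page or of OpenSSH). It reads configuration text and reports anything that still lets a typed password in, including the commented-out line and Match block cases that are easy to miss. The sample configurations are constructed, the function names are hypothetical, and Include files are not followed; on a real server `sshd -T` prints the effective settings.

```python
# Added example: parse() and audit() are illustrative names, not OpenSSH code.
import re

DEFAULTS = {"passwordauthentication": "yes",          # OpenSSH defaults when
            "kbdinteractiveauthentication": "yes"}    # a keyword is not set
# Older configs use this deprecated name for keyboard-interactive logins.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse(text):
    """Return (global settings, [(Match criteria, block settings), ...])."""
    settings, matches, block = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        rest = parts[1] if len(parts) > 1 else ""
        if key == "match":             # later lines apply to this block only
            block = {}
            matches.append((rest, block))
        else:                          # sshd keeps the first value it reads
            target = settings if block is None else block
            target.setdefault(key, rest.split()[0] if rest else "")
    return settings, matches

def audit(text):
    """List every way this configuration still accepts a typed password."""
    settings, matches = parse(text)
    effective = {**DEFAULTS, **settings}
    findings = [f"global {key} is {effective[key]}"
                for key in DEFAULTS if effective[key] != "no"]
    for criteria, block in matches:    # a Match block overrides the globals
        findings += [f"Match {criteria} sets {key} {block[key]}"
                     for key in DEFAULTS if block.get(key, "no") != "no"]
    return findings

# Constructed samples, not taken from any real host.
LOOKS_SAFE = """#PasswordAuthentication no
ChallengeResponseAuthentication no
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""
HARDENED = """PasswordAuthentication no
KbdInteractiveAuthentication no
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, sample in (("LOOKS_SAFE", LOOKS_SAFE), ("HARDENED", HARDENED)):
        print(name, audit(sample) or "password logins are off")
```

Keyboard-interactive logins are checked as well because PAM can use them to prompt for a password even when PasswordAuthentication is set to no.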
ADSL is short for 'Asymmetrical Digital Subscriber Line'. 'A' stands for 'Asymmetrical', because it's set up so that downloading is faster than uploading. 'D' is for 'Digital' (instead of analog or ISDN). 'SL' is short for 'Subscriber Line', which just means a phone wire. Using digital means we can have the phone plugged in and use it while the computer is online, since it's a different frequency. Our phone wires can also carry about 200 times the amount of information using digital signals compared to analog. The speed of an internet connection is stated in kilobits per second and is written like: 256/64 kbps, or 512/128 kbps. One kilobit is roughly 1/10 of a kilobyte. The Data Transfer Rate Conversion Table. |