p11

SHH Network

Edited Saturday, August 02 2008

This is not an official Ubuntu website, the information on this page is for the assistance of Ubuntu Linux users but is not guaranteed to be complete and free from errors.
This web-page is part of a larger site giving examples of how to install Windows+Ubuntu Linux operating systems 'dual boot' in a computer. Illustrated Dual Boot HomePage.

This is not an official SSH website, here are links to the real SSH sites, OpenSSH Openssh FAQ.
This website is a home made website for helping other home users learning how to use Linux.

Ubuntu Hardy Heron has now been officially released.

This page was up to date for Ubuntu Gutsy Gibbon, but this information has not been tested with Hardy Heron yet, sorry for any inconvenience.
Hardy Heron users should use this web page with caution, there may be differences, but it should be mostly similar.

Page Index

Introduction. - about this web page.

Quick Simple SSH LAN. - Connect two or more computers without internet, LAN or file rescue.

Persistent SSH LAN. - Network as many computers as you like to each other and internet too.

Firewalls and Security.

SSH Networking is good for File Rescues.

Setting up the D-Link AirPlus G Dl-524 Wireless Router under Linux

Setting up a Thompson Speedtouch 530 Broadband Modem under Linux

Set a Static IP address. -If there's no DHCP server in the network.

Dynamic IP address. -Use it if your equipment supporst DHCP.

IP address. -(for the internet connection)

External and Internal IPs. -Your internet IP is different from your LAN IP address.

First Time Connection to an SSH Server.

If SSH refuses to connect. -Trouble Shooting and Problem Solving.

External Links

Links About Other Kinds of Networking in Ubuntu.

Access to a Windows Network. -Windows networks are easy to access with Samba client.

Introduction
This web page is (or was) current for Ubuntu Gutsy Gibbon but may need to be done again to update it for Ubuntu Hardy Heron when it is released qute soon.
This page gives illustrated examples of how to connect Linux computers in a home LAN.

SSH networking is ideal for file rescues, because it's so quick and easy to set up.
SSH is the most secure, so it's the perfect choice for setting up your permanent home LAN.
SSH features 'X11 forwarding', so it can be used in GUI mode as well as in Command Line mode. Some people think SSH only works from the command line, but that's not true.

It's explained here in everyday language with illustrations and screen caps for those of us who find the official style of presenting the information rather dry reading.
This page is designed to help new users get started instanly and then progress at their own speed to a slightly more advanced level. It's not supposed to teach you all about networking, this is only a beginning. Networking and network security are very big subjects.
I'm adding a little extra info that applies to other Australian Bigpond customers too, but most of this will be the same for anyone, no matter where you are in the world.

Further reading is recommended, especially for anyone with advanced needs.
Better and more complete information can be found in the Official Ubuntu Wiki on this subject, SSHHowto.
Please refer to the Ubuntu Wiki, this page can be used in addition to that, but in no instance is it intended to replace or contradict any information to be found in the Official Ubuntu Wiki.
Especially read the Security and the Advanced Configuration link, located near the bottom of the Wiki page.
Here's the Ubuntu Wiki's Community Docs Page on Networking, which I also highly recommend,
Internet & Networking - Connecting to the Internet as well as your home or office network.

Quick Simple SSH LAN

LAN Cable Connections
Here are two of the simplest ways computers can be connected in a LAN using CAT5 ethernet cables.
Either of these simple setups are all you need for a Linux file rescue, or an everyday LAN without an internet connection.

The Ubuntu Live CDs come with 'client' half of SSH already installed.
Linux computers are famous for their ability to perform file rescues.

To perform a Linux file rescue, you just need to

have the two computers connected with a crossover cable as shown below.
Then you boot with a Linux live CD in the computer that you want to rescue the files from.
Mount the file systems in that computer, here's how, File Systems and Mounting Page.
Set up an SSH networking connection with a computer that has SSH 'server' software.
send the rescued files to the other computer.

The simplest arrangement of all is when a 'crossover' cable (red) is used to connect between two computers. It is plugged into the ethernet port (at the back of the ethernet card or motherboard ethernet port), in both computers.

The second simplest cabling arrangement is when we connect two computers by their ethernet ports using two plain CAT5 ethernet cables and an ethernet switch.
A switch is better than just a plain hub, but you could use just a plain hub if that's all you have.
I have a TP-Link TL-SF1008D', '8-port', '10/100M Fast Ethernet Switch'.

A 'client' is a computer that asks another computer if it's okay to connect to it.
Ubuntu comes with the client half of many different kinds of networking software already installed 'out of the box', but not the 'server' half.
That means you can easily log into any other computer that has any kind of 'server' installed, but no other computers can log into yours. Ubuntu is very secure.

A 'server' is a computer that has some kind of software installed in it to enable it to accept incoming connections.

SSH Server is easy to install in Ubuntu as you'll see in a minute.

A laptop would be an ideal candidate for installing the SSH server software in, because you can easily carry it around. If the laptop already has the server software in it, then you don't necessarily need an internet connection at whatever location you need to go to rescue someone's files.
If there's an internet connection, then really it doesn't matter which computer will be the server. The SSHserver software is only a small download and can even be downloaded and installed in the Ubuntu live cd operating system and will last as long as the system is up.

1: In the Server computer:
In this example, the silver laptop will be the server.
You need an internet connection in order to download the SSH server software and install it.
Here is the command I use for doing that,
Code:

herman@silver:~$ sudo apt-get install ssh

After running the above command, the computer you ran them in should now have the SSH server software installed in it.

Set a Static IP address
In this simple system there's no governing hardware with any DHCP server to give either of the machines an IP address, so we will need to set a static IP address in each computer manually.

In the 'Server' computer:
To set a static IP address I went 'System'-->'Administration'-->'Network', and selected the interface I want to work on.
There's a choice of wireless connection, wired connection (ethernet card) or modem (dialup). The wired connection is, of course, what I selected.
Now I have a Window titled 'Settings for interface eth0'.

First I set the spinbox at the top to 'Static IP address'.
Then I typed in the IP number I made up: 192.168.1.100
The subnet mask field auto-completed itself.

NOTE:
At this point it is necessary to do 'sudo ifdown -a' and 'sudo ifup -a', or else just reboot.

Then do 'ifconfig' and check the IP address.

herman@silver:~$ ifconfig
eth0      Link encap:Ethernet HWaddr 00:C0:9F:C9:B1:F6
          inet addr:192.168.1.100 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: fe80::2c0:9fff:fec9:b1f6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:80 errors:0 dropped:0 overruns:0 frame:0
          TX packets:228 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:9498 (9.2 KiB) TX bytes:38545 (37.6 KiB)
          Interrupt:16 Base address:0x1800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1720 (1.6 KiB) TX bytes:1720 (1.6 KiB)

ifconfig is a useful command for networking.
The easiest way to check what a computer's IP address is to use the ifconfig command.

In the client computer:
A 'client' is a computer that is being used to make a connection to another machine, remember.

The desktop computer will be the SSH client in this example.
The desktop's hostname is: red
All Ubuntu computers have SSH client software installed in them 'out of the box', so you won't need to install anything for that.

I will need to set a static IP address for the Desktop though.
In this simple system there's no governing hardware with any DHCP server to give either of the machines an IP address, so we will need to set a static IP address in each computer manually.

To set a static IP address I went 'System'-->'Administration'-->'Network', and selected the interface I want to work on. There was a choice of two, wired connection (ethernet card) or modem (dialup).
I chose 'wired connection', of course. Then I typed in the IP number I made up: 192.168.1.101
The subnet mask field auto-completed itself. I left the Gateway address field blank.
The operating system disconnected the network and re-started it with the new settings.

NOTE:
At this point it is necessary to do 'sudo ifdown -a' and 'sudo ifup -a', or else just reboot.

Then do 'ifconfig' and check the IP address.

herman@red:~$ ifconfig
eth0      Link encap:Ethernet HWaddr 00:0D:87:C2:32:69
          inet addr:192.168.1.101 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: fe80::20d:87ff:fec2:3269/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:42 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b) TX bytes:3528 (3.4 KiB)
          Interrupt:16 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:18 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1220 (1.1 KiB) TX bytes:1220 (1.1 KiB)

The output from the ifconfig command when I type it in the desktop computer, red, which is the client computer, says red's IP address on the LAN is 192.168.1.101 now.

Okay, now we're going to make a connection,

'Places'-->'Connect to Server',

In the example I'm going to show here, both of the computers I'm going to connect are my own computers. I'm just connecting my own Desktop PC to my own laptop, so I'll simply be logging in as the primary user, (system administrator), which is me. [Note 1]

I set the top spinbox to SSH.
The Server field is for the IP number for the server I want to connect to, in this example my laptop,so I typed in 192.168.1.100 because that's my laptop's IP address right now.
Port number for SSH is: 22
Folder I want to be in when I connect will be: /home
The user is: herman
The hostname is: silver
Then I clicked the 'Connect' button.

A new icon appeared on my desktop named 'silver' for the SSH connection.
If the icon doesn't appear, try rebooting and it should appear then.

I right-clicked on the icon and clicked 'Open', from the right-click menu.

I clicked 'Log in Anyway'.

I waited.

I typed in the password for the account I want to log in to in the server computer.

Well, that's it, a window opens and I can see the /home/herman directory in the laptop. Now I can read and write to my account in the other computer and transfer files between the two computers.

If this was a desktop computer with a disabled operating system in it, and we were running a Ubuntu live CD in the CD-ROM drive for the client, we would now be able to perform a file rescue to the laptop's hard drive before trying to repair the desktop's operating system with the Ubuntu Live CD.

Note 1: Normally, (for everyday use), we would have a separate user account set up in the SSH server. If the other computer belongs to someone else, they probably like a bit of privacy and wouldn't like you logging in to their account as a long term habit.
To set up a new user account in Ubuntu Gutsy Gibbon, you just go 'System' --> 'Administration' --> 'Users and Groups', and you'll see how the other computer administrator can add a new user account for you in their computer that way, it's quite simple.
That's the best way to set SSH up for everyday use in your LAN.

===+===+===+===+===+===+===+===+===+===+===+===+===+===+===+===+

Persistent SSH LAN

Here is something more like the typical arrangement most people would probably have or want.
Both computers can be connected to the internet through some kind of internet connection.
Internet Security will be covered in a little more detail further down this page. Jump to security.
In this case I have an ADSL broadband modem.
At the same time they can be connected to each other using SSH.
Everything is connected through a switch or a router.

With a Switch

For this illustration I have shown the switch being connected to the ADSL modem by a crossover cable, (red). Actually my equipment supports auto MDI/MDIX, that means it doesn't matter if I use plain or crossover CAT5 ethernet cables, it will automatically sense whatever is used and adjust itself accordingly. With some equipment, especially older equipment, you might find that it is important to use the (red) crossover cable, or you won't be able to connect the switch to the broadband modem.

The obvious difference is the broadband router is obviously now part of the network.
To connect to the internet I use a 'Thompson Speedtouch 530' broadband modem-router which I have mounted on the wall above and behind my computers, where I can see it's LED lights glowing brightly. More about the Thompson Speedtouch 530.
The Thompson Speedtouch 530 broadband modem/router has DHCP functionality, which is very handy. That means it gives out IP addresses to each computer or peice of networking equipment that I plug into it.
As long as the Thompson Speedtouch 530 itself remains switched on it remembers the mac addresses of other networking equipment or computers that have been plugged into it.
It remembers which IP addresses it has assigned to each mac address, so it will give out the same IP addresses to each piece of hardware every time the same equipment is plugged in again or re-booted. SSH likes consistency, so that makes the Thompson Speedtouch 530 ideal for use with an SSH LAN.

I don't need to set up the computers with fixed IP addresses now, I can just leave them on DHCP.

THE IP addresses my computers were given time were 10.0.0.1 and 10.0.0.2, and if I connected a third computer it would be allocated the IP number of 10.0.0.3, and so on.

Configuring the connection with SSH networking was almost the same as already explained above in 'Quick Simple SSH LAN', but please refer to the procedure for DHCP explained below for the software side of setting up SSH. If your router or internet modem features DHCP server capabilities you should just leave it set on DHCP to take advantage of that feature.

If you have a different kind of broadband modem, and your modem doesn't assign IP addresses or can't remember which computer had which IP address but gives them new ones after a reboot, then you might need to set static IP addresses. In that case please look at configuring the connection with SSH networking as already explained above in Quick Simple SSH LAN.

Using a Router

ssh003.png
It's a little better if you have a router instead of just a switch.
Most routers come with wireless these days and a lot of people like that. Routers also give you an extra firewall and even more software you can play with. You should read your own router's documentation again if you haven't done so recently.

My first router was a Netcomm 11g Wireless Firewall Router, with 802.11g standard performance, 54Mbps wireless and its own active firewall. It features a 4 port 10/100 ethernet switch.
Setting it up was pretty much just a matter of connecting all the ethernet cables and plugging it in.
My Netcomm router is a very good router, it supports DHCP but it didn't always give the same IP address to each computer if more than one computer was shut down and restarted. Maybe there were some settings I overlooked, but using DHCP settings in the computers would have been impractical.
To use SSH on a daily basis, I need each Ubuntu system to have the same IP address every time.
I had to set Static IP addresses. That's a lot easier than always to having to be careful with the sequence the computers get started each day.
If your router is like that too then please look at configuring the connection with SSH networking as already explained above in Quick Simple SSH LAN.

Now I have a new D-Link AirPlus G Dl-524 Wireless Router. It gives us 54 Mbps, advanced firewall with parental control, and a built-in 4 port 10/100 ethernet switch. Compatible with Windows, Mac or Linux operating systems.
Even though it works great right away as soon as it's all plugged in and turned on, it comes with a CD-ROM for those of us who want to make the best of all its features. I put the CD-ROM in the drive, found the .pdf files and copied them into my computer for studying and for future reference. How to set up the D-Link AirPlus G Dl-524 Wireless Router under Linux.
The new D-Link router is able to give my computers any IP addresses I set, I can choose any numbers between 192.168.0.100 and 192.168..0.254.
It also remembers which computer is which by their mac addresses. They get the same IP addresses each time they are booted, so I can just leave them set on DHCP.
If your router is like my new one, read on...
Setting up SSH networking when we have a router is the same as already explained above in 'Quick Simple SSH LAN', but I'll explain it again below showing you how to leave your computer set to DHCP this time instead of setting a static IP address. (It's easier).
Whether to set static IP addresses of use DHCP will depend on the features and settings of the upstream equipment.

herman@silver:~$ sudo apt-get install ssh

After running the above command, the computer you ran them in should now have the SSH server software installed in it.

DHCP - Dynamic Host Configuration Protocol
The opposite of DHCP is a static or fixed IP address.
One of the important settings we use in our computers to enable our computers to be able to access the router or the ADSL modem, which accesses the internet, is 'DHCP'.
DHCP is enabled in Ubuntu by default and if the next piece of equipment up the line is enabled as a DHCP server, then our computer will automatically accept whatever IP address the upstream equipment such as the router or the ADSL broadband modem-router wants to offer it.
If you make the computer insist it's IP address is one number while the equipment it is trying to connect to is trying to force it to accpet some other number you probably won't be able to make a connection.

If you want to check you can always just go 'System'-->'Administration'->'Network', and after you type your password you'll see this 'Network Settings' box here, and if you click the 'Properties' button you'll get this other box illustrated below.

001ssh

ssh001.png
If I tried to set it to a 'static IP address' now, that means I am trying to get my computer to tell my upstream equipment (router or ADSL modem) what IP address I want.
That wouldn't work unless I go into the settings in the router or ADSL modem and revert those back to static as well, but who would want static IP addressing when you can have DHCP?
DHCP is better. Ubuntu should laready be set to DHCP by default. In that case you don't need to do anything, just leave it like that and go to the next step.

ifconfig is a useful command for networking. The easiest way to check what a computer's IP address is , is to use the ifconfig command. Notice the new IP address for silver, my laptop (server) is now shown in ifconfig as 192.168.1.100 ? That's what I wanted to check and remember so I'll know what to type in the client computer for what IP address to connect to.

In the client computers:
'Client' computers are computers that are being used to make a connection to a 'server', remember.

The desktop computer will be the SSH client in this example.
The desktop's hostname is: red
All Ubuntu computers have SSH client software installed in them 'out of the box', so you won't need to install anything for that.

Okay, now we're going to make a connection,

'Places'-->'Connect to Server',

Normally, (for everyday use), we would have a separate user account set up for each user in the SSH server.
To set up a new user account in Ubuntu Gutsy Gibbon, you just go 'System' --> 'Administration' --> 'Users and Groups', and you'll see how the server's system administrator can add a new user account for you in their computer that way, it's quite simple.

That's the best way to set SSH up for everyday use in your LAN.
In the example I'm going to show here, both of the computers I'm going to connect are my own computers. I'm just connecting my own Desktop PC to my own laptop, so I'll simply be logging in as the primary user, (system administrator), which is me.

I clicked 'Log in Anyway'.

I waited.

I typed in the password for the account I want to log in to in the server computer.

Well, that's it!
A window opens and I can see the /home/herman directory in the laptop. Now I can read and write to my account in the other computer and transfer files between the two computers.

Since this might be a permanent set -up, you might also consider clicking the radio button for 'remember forever' (the password). That will store your password for the account in your keyring, you'll be asked to set a new password for your user keyring if it's the first time you have used it.
After that you'll only need to remember your keyring password. That's easier in case you have a lot of different SSH connections, all with different passwords.

How to set up the D-Link AirPlus G Dl-524 Wireless Router under Linux:
If you happen to have a D-Link router like I do, this information might help you. If you have some other brand of router, this info might not all be so relevant for you, but the tip to look for documentation in the CD-ROM might still help. Everyone will need to read their own router's documentation regardless.

I just put in the CD-ROM in the drive and browsed around for readme files or files titled help or manual or anything like that.

On the CD:
Setup CDs don't auto-run in Linux like they do in Windows. That wouldn't be secure. Most of the time all you need to do is browse the CD and open the files yourself. We don't need things to auto-run, we're smart enough to read the docs and figure things out for ourselves. Often there will be an .html file called: index.html, that one is usually worth opening. Otherwise there might be a text file called: read me, or a .pdf file or several that contain all the information that is needed. Most things you can do yourself in Linux once you have read the documentation.

I found a .pdf file in a directory called 'manual', and it is called: DI-524_manual.pdf
There's another .pdf file in a directory named QIG (short for 'Quick Instant Guide' I presume). Inside it is a file called DI-524_QIG.pdf, which seems to be similar to the manual, but not as verbose. If you lost your CD you could google those file names.
The .pdf files contain all you need to know about the D-Link AirPlus G Wireless Router.

You need to be plugged in by ethernet cable between your computer and the router to set up the router initially, wireless won't do it. Type the router's IP into Firefox: 192.168.0.1 and press Enter to get into the router's web address.
(It is not necessary to be connected to the internet, this web address is inside the router's BIOS or flash memory.
This caused a box asking for my username and password to be presented to me.

This window pictured about kind of threw me for a while, because it isn't what I was expecting from reading the router's documentation. However, you just need to follow the instructions regardless, and the next windows and everything after that will be as illustrated in the manual.
TIP: Add your router's URL to your Firefox bookmarks, mine is: http://192.168.0.1/ so your router settings and logs will always be instantly available for you from now on.
This router, like most other modern routers, has lots of really great settings and interesting features to help improve the usefulness and the security of the LAN. It has a fully configurable firewall and it also has its own log files. If any intruder did manage to get through the ADSL modem's firewall and then also the D-Link router, they will at least be logged. I don't think anyone can get in except probably through the wireless antenna if I leave the wireless settings unconfigured. That would mean they'd need to be within wireless range of my house. They would still need to be able to crack my SSH passwords to get in to any computer, but they could use my internet connection. I have a motel next door where backpackers rest overnight on thier way through on a tour bus. I leave my wireless connection open (at the default settings), so they can email home if they happen to have a laptop and find the connection. Maybe they even use Ubuntu like me.
Other people might not want to allow unauthorized wireless connections, especially if you are running a business and have secrets to keep. I can just imagine the beagle boys inside a van parked in an alley huddled around a laptop scanning for a nearby bank's wireless LAN! :)
The D-Link router is able to be configured to suit anybody. A router is a good thing to have in a LAN.

Thompson Speedtouch 530 Broadband Modem
The Thompson Speedtouch 530 Broadband Modem is very popular here is Australia. If you are a Telstra Bigpond ADSL customer you would have that one or another very similar model.
When we set ours up we were given a free CD-ROM that would run under Windows XP and set up our broadband modem pretty much automatically, provided we followed the simple instructions exactly and had our username and password correct.

Did you know you can also set up the Thompson Speetouch 530 Broadband modem/router under Linux or most other operating systems too? Well you can, the Thompson Speedtouch is actually even based on Linux itself! It has a Linux kernel!
There's also a lot of other interesting things you can learn about the Thompson Speetouch 530 Broadband modem too. All the information is available in the documentation already provided by Bigpond, and by Thompson. I'll show you how to find it.

Try inserting the setup CD-ROM in your CD drive while you have Ubuntu booted up.
Now go for a browse around.

On the CD:
If you open the FAQ folder in the CD, you can open the FAQ.html file with your Linux browser and read all the handy info that's there. Some of it is specific to Windows XP, but some of it is interesting to Linux users as well.

In the Speedtouch folder you'll find a nice .pdf file you can copy to your computer. I contains lots of great information on the 'Speedtouch 510/530 Multi-user ADSL Gateweway', (which I guess is a fancy way of saying 'broadband modem'). Here are some of the good bits,

In the .pdf file:
Contents................................................Page 5
1.1 Getting Aquainted with the Speedtouch.............Page 8
1.3 Speedtouch Configuration Setup...................Page 22
1.3.2 Configuration Setup For Other Operating Systems...Page 26
3 Speedtouch Web Interface........................Page 45
Well actually, I found it all interesting. I recommend reading the whole thing.
Several times maybe, I am.

In cdrom0/legacy/ byom/bin there's a file called byo_0000.html that has some information about settings that might be of interest to some users, you can read it with a Linux browser.

In cdrom0/legacy/docs there are the files: ADSL Filter Installation Guide.pdf which is rather basic. Also there is: Getting started.doc, about Bigpond passwords and usernames and how to change them.

In cdrom0/legacy/alcatel/speetouch 570/bin there's a .pdf user's guide for the Speedtouch 570/570i Wireless ADSL Router in case you have one of those.

By now you should know, (or at least be aware of where to look up), all kinds of really interesting and helpful facts, tips and information about the Thompson Speedtouch ADSL modem from Telstra Bigpond.

...but wait, that's not all...

Now type the URL number 10.0.0.138 into your Linux browser to go to your Speedtouch modem's user interface.
NOTE: It is not necessary to have a working internet connection for this, because this web address is actually located inside the ADSL modem's own BIOS or flash memory. It will work even with the internet (phone cable side) completely unplugged.
TIP: Be sure to add http://10.0.0.138/index.htm to your bookmarks!

In the Web Interface :
Next, click on: help and then click 'open in new Window'. You can minimize the Help page and move it over towards the right of your screen, because the page it has in it is narrow, so you can look at what you are doing in the left hafl of your screen and refer to the help file in the right-hand side of your monitor. Cool!

Now this on-line help site is really great if you're interested in getting the most out of your Thompson Speedtouch 530 ADSL Modem!

I'll bet most Bigpond subscribers never bother to give some of this documentation a second galance, but I find it extremely interesting.
I'll bet most people didn't know thier broadband modem comes with a user configurable firewall!

After reading just a few introductory bits about that I see it even has a CLI interface and I can see terms used like: INPUT, FORWARD, OUTPUT and also ACCEPT, DENY or DROP mentioned there among others. I wonder if the Thompson Speedtouch ADSL modem has a Linux kernal and uses our famous IP Tables firewall?
Hmmm.... : )

that's all on the Speedtouch for now. I hope you found that interesting.

SSH Troubleshooting

ifconfig command
If you don't know the IP address for the computer you want to connect to and it's your own computer you can find out easily by typing the ifconfig command in 'terminal' of your computer.
If it isn't your computer and the connection is welcome, the polite way to find out is to ask whoever is using other computer to type: ifconfig and tell you the output. Perhaps you will need to do that by email if you are a long distance from the other computer.

I highlighted the IP address of the computer in yellow, inet addr:192.168.1.100

Shown in orange, is the hardware address or MAC address from the network card in the machine, HWaddr 00:C0:9F:C9:B1:F6
All networking hardware comes with a MAC address, which is like a serial number hard coded into the BIOS of the hardware. Etherent cards, routers, modems, switches and anything like that always have MAC addresses. Normally they have a sticker on the box it came in when it was new, also it might be printed on the hardware itself, and you can find the MAC addresses of all the hardware in your LAN with Linux networking software.
If you are an aware user, you should copy down the MAC addresses of all your hardware and learn to recognise them.

First Time Connection to an SSH Server
You will see a window like the one shown below the first ime

That's because SSH software in the client computer, (the one you are making the connection from), remembers the details of every server computer it has ever connected to and it doesn't recognize this one.
SSH warns you about the fact that it doesn't recognize the computer you want to connect to so if the other computer is not your own, you can go check with the other computer's operator.
If that's the right IP number and the connection is welcome then it's normally safe to go ahead and make the connection, especially if it's the first time. You can expect to see this sign every time you make a new conection for the first time.

You may need to set static IP addresses in SSH 'server' computers in your LAN because of the security feature explained above. SSH in your client computer records an ID (RSA) number and IP address of every other computer yours has made connections to in the past. (Known hosts).
When you try to connect to them a second time if everything is not identical to the information your computer has stored, SSH 'smells a rat' and refuses to make the connection.
Most routers these days can remember which computer is which and always assign the same IP address to each one. If you have a router with that feature you might not need to set a static IP address in Ubuntu, the router will take care of it for you.

If SSH refuses to connect
If an operating system on the LAN's details have been changed in any way since the first time an SSH connections was made with that host, that it can upset SSH's security sensitivities and SSH can get cranky and refuse to connect.
For example, if the IP number doesn't match the MAC address, or if certian other differences are detected.

This is designed into SSH for security.
Consider what might happen if you were in large LAN like in a school, university or office and someone on the LAN decided to set their computer with someone else's IP address just for fun.
You might connect to it thinking you are exchanging files with your freind, but really you'd be exchanging them with someone else.
The potential is there that you might copy sensitive files to the other computer, not realizing it isn't the computer you thought you were transferring the files to.
Or, if you're copying files from the other machine, you could be fed misleading information.
That's why SSH remembers the details like the MAC addresses and whatever else it can, and records those in a hidden directory in your computer.
SSH can detect an imposter.
It's like Little Red Riding Hood saying "but what a big nose you have, Grandma, and what big ears you have!..."

You are reommended to do some footwork and go and see the person whose computer you are trying to connect to. If you're sure the connection is safe, there's a file in the /home/username/.ssh directory called 'known_hosts' and that's the file where SSH keeps track of special identifying features of every computer you have connected to in the past.
If something has changed, such as the operating system has been re-installed, you will need to delete .ssh/known_hosts to make SSH forget the old details before you can connect.

herman@red:~$ sudo rm -rf .ssh/known_hosts

You can make fresh SSH connections again after that.
The Ubuntu system will give you a brand new .ssh directory automatically, with new connection details in it for the first connection you make. Sometimes a reboot helps.
Any other SSH connections will need to be made all over again too.

Another reason SSH might not be able to connect would be if you have changed IP tables settings in either computer since last time you made a connection. Naturally you have to configure any firewalls to allow the connection.
To find out your IP address on a LAN, use the command: ifconfig

Access to a Windows Network
Ubuntu comes with Samba client pre-installed, but not the server half of Samba.
We found that it's no problem at all for any Ubuntu computer to access shared folders on the Windows network. All we had to do was configure any Firewalls in the Windows computers to allow the connection.
Just go 'Places'-->'Network'-->Windows Network' and click on an icon.
We didn't need to install anything in Ubuntu to enable us to do that. That's good enough for me.
I don't feel the urge to be able to do things the other way around at all.

If you want your Windows box to be able to 'see' and access your Ubuntu operating system you need to install Samba Server.
I have never installed Samba server in any of my computers, so I don't know what it's like, I have only read about it. I would never be willing to compromise my built in Linux security to that extent.
Nevertheless, 'Samba' networking is very popular, lots of other people use it every day. I have read that Samba networking has advantages when it comes to things like printer sharing.
You need to know how to set up the IPtables filter (firewall) if you want to use Samba, or install Firefox IPtables front end to configure IP tables for you.

Here are a couple of good links for Samba networking for those who feel they need it,
The Official Samba-3 HOWTO and Reference Guide , and The Unofficial Samba HOWTO.

Links_About_Other_Kinds_of_Networking_in_Ubuntu
Other kinds of Linux networking include FTP and NFS, and more. Here are a couple of links, FTP...(By Frodon)

NFS

OpenSSH for Windows . - I haven't tried it but I presume it would be possible not only to connect between Windows boxes, but also between Windows machines and Linux machines in an SSH network as well. It would be worth a try if you have Windows computers.

Firewalls and Security

First, read this excellent thread by bodhi.zazen: Ubuntu Security

External (Internet) and Internal (LAN) IP addresses
Our internet connection has an IP address. I'm calling that an 'external' IP address, for the purposes of this page. That's the IP address my modem/router has as far as the outside world is concerned.

Inside my house, on my side of the modem/router, my ADSL modem has a different IP address, that is 10.0.0.138 if you have a Thompson Speedtouch 530 like I do.
My computers have a different IP addresses each too, allocated by the DHCP server in my ADSL modem/router.
If I put another router in between, that will have its own IP address too, and will also assign different IP addresses to each computer.
Normally those are invisible unless you use a Linux command like ifconfig to find out. I'm calling those 'inside' IP addresses for the purposes of this page.

IP address (External)
An 'IP address' is like a phone number but it's for a computer. Well, maybe it would be more accurate in this case to say it's for the connection between your broadband modem and the internet.

If you click on any of the following links you'll be able to see your current IP address and a few other things that a web site with the right software can see about you when you visit that site.

What Is My IP Address? - Dedicated to IP address discussion

What is my IP Address? Show my IP Address and IP Address tracer

IP Chicken - What is my IP? Find Your IP Address!

My IP Information

What can people tell from my IP address? - Ask Leo!

Dynamic IP address
One of the features of our Bigpond service is that we have a dynamic or 'roving' IP address for our internet connection.
Basically that means every time we reboot the ADSL broadband modem and connect back up again we will be given a different IP address.
That's a security feature to help protect us and make us more anonymous on the internet. That way it's more difficult for an internet attacker to single out a specific user.

If we wanted, we can apply for a 'fixed IP address', which means we can keep the same IP address more or less permanently. That would probably be important if we wanted to make one of our computers into a server to be made available from anywhere on the internet.
For example you might want to host and maintain your own website in one of your own computers at home for advertising your hobby or business. You would might want a fixed IP number so people will always be able to find your site.
You can use SSH networking between computers over the internet too. That would also be easier if you have a fixed IP address. You could be traveling somewhere and be able to connect to your home computer by SSH to look something up or do work in your home computer. Static IP For Bigpond Broadband ADSL

Some ISPs give people 'fixed' IP addresses whether they like it or not. If you have a static IP address it still can be perfectly secure, but you may want to be a little extra careful.

MAC Addresses
If you want to see your network card's MAC address, use the ifconfig command.
MAC addresses are like serial numbers that are hard coded into each piece of networking hardware. They are used to identify your computer's network card, your router, ethernet switching hub, broadband modem-router, and any other piece of networking hardware you can think of.
They can be used to identify your equipment on the LAN or internet too. The MAC address might be compared with a license (number) plate on a car.
More: MAC address - Wikipedia, the free encyclopedia

===========================================================

IPtables are our Linux equivalent to what is called a 'firewall' in Windows.
IPtables are built right into the Linux kernel. We don't need to go and download some external software that someone has for sale or for hire.

There is often a firewall debate going on in Ubuntu forums about whether or not an added firewall is needed for Ubuntu. I don't think I need a firewall for my purposes.

Firestarter, is something we can install in Ubuntu.
It might be a good idea to install Firestarter if you install any server software.
Firestarter is not a stand-alone firewall that you need to add, but it is a very good GUI frontend for helping new users to configure their IP tables more easily. It's really IPtables that does the work behind the scenes.
Firestarted can be installed through apt or Synaptic Package Manager or 'Applications, Add/Remove Programs'. There are some other similar programs available too.
Howto: Setup a Software Firewall in Linux using Firestarter - Techthrob.com

In Ubuntu, our IPtables are left unconfigured by default.
When we first install the operating system they aren't needed, because Ubuntu doesn't come with any services installed, no ports are open to the internet. As long as we don't open any services, Ubuntu is as sealed as a nut.

Most people probably don't even realize Ubuntu has a network filter (or 'firewall' if you prefer).
If you want to take a look at yours, just do this,
Code:

herman@red:~$ sudo iptables -L

And here's what our unconfigured IPtables normally look like,

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

man iptables To learn more about iptables open a terminal and type: man iptables
The output from that command is about eight pages long and it's very interesting if you have the time to read and inwardly digest it. There is a lot to learn about IP tables.
I have links to some of the best web pages with how-tos and user guides for IPtabels further down this page.

I haven't configured my IP Tables at all, and I have installed SSH server. I want to check to see how safe I am on the internet. You can do this too. So let's go test our firewall.

'Shields Up!' is a well known internet firewall testing site, your Ubuntu system should pass all tests as 100% stealth with or without any added firewall. I don't use any added software firewall and mine is 100% stealth, and has always been. It will tell you your external IP also.

AuditMyPc.com is another firewall tesing site you can visit.

HackerWatch.org is good too.

Did your Ubuntu operating system pass all those tests? Mine did,
...but I was connecting through my router, and then through my broadband modem.
Both my router and my broadband modem have 'hardware firewalls' built into them.
(I highly recommend the hardware firewalls in most routers), so it could be that these firewall testing sites are only really testing my 'hardware firewall' in my router.

If you are connecting through a router too you can unplug your router and plug Ubuntu into the broadband modem directly if you want and have another try!
(Some of you may need to revert back to DHCP first, to make a direct internet connection).
Stealth?
Try doing the specific port probe at 'Shields Up! on port 22, (the SSH port) now, still 100% Stealth?

CanYouSeeMe.org - Open Port Check Tool - Check just one port at a time - any port.

Given the results from the above tests, it would seem as if at least my computers are already quite secure from the outside world, I'm not sure about everyone else's. That depends on your equipment.

Port Scanning with Ubuntu (your other computers in your LAN)
If we have more than one Ubuntu computer in our network we can use each one to scan the others for open ports. Ubuntu comes with some very good networking software of its own.
I went 'System'-->'Administration'-->'Network Tools', and clicked on the 'Port Scan' tab.
You need to know the IP number for each of your other computers that you want to scan.
The easiest way to get that is just to go to the other computer and run 'ifconfig'.
The scan only takes a few seconds.
It is possible to detect an open port 22 that way when a system has SSH server installed.

If you find any other open ports you can look them up in either of these links to see what service they're probably for:

If you don't remember installing that service or if it's a service you don't use then you should probably uninstall the service and that will probably close the port.

herman@bookpc:~$ less /etc/services

NMap
NMap is a port scanner you can use for checking all the computers in your LAN for open ports.
http://insecure.org/nmap/docs.html
Nmap is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager.
A nice GUI front end is available for NMap too, it's called 'NmapFE', and is available through Add/Remove Applications, and probably apt-get and Synaptic too.

WireShark. - http://www.wireshark.org/
Wireshark is installable in Ubuntu through apt-get, Add/Remove Programs or Synaptic Package Manager. Wireshark is a packet sniffer, you can use that to keep a watchful eye on the comings and goings of all the packets in your LAN.

Connecting from another computer on the internet to a computer inside a home LAN
If your setup is anything like mine, you would need to open a port in the broadband modem's firewall, and also a port in the router's firewall before the incoming connection could be made.
That will expose your LAN to the internet. That's where you might start needing to be more security conscious about computers in the LAN with open ports.

What if a remote attacker can get into my LAN from the internet ever did (theoretically) manage to get inside my LAN through my Broadband Modem-Router's built-in firewall and my LAN router's firewall too? (You're joking right?)
Well, according to this link, Getting Started with SSH, they would still have a hard time cracking my SSH password.
Quote:

Essentially invulnerable means that it's commonly believed that if they were really, really motivated, the National Security Agency could crack a SSH session key within a year, if they didn't do any other cryptographic cracking during that time, devoting all resources to you. This would give them access to up to an hour of one of your sessions, provided all packets were recorded. The exact number of CPUs, hours and dollars required is hard to estimate, but is outrageously in excess of any credible threat to you.

How to tell if someone is trying to crack into your computer
HOWTO: Automatically block SSHD/PROFTPD Attacker. - pinoyskull

Seahorse -Encryption Made Easy - http://www.gnome.org/projects/seahorse/
See this website's Install Seahorse.
Seahorse is a nice GUI application that makes and manages both PGP and RSA keys.
We can install Seahorse in Ubuntu easily through 'Applications'-->'Add/Remove Programs' or Synaptic or apt-get.

herman@silver:~$ sudo apt-get install seahorse

With PGP keys we can securely encrypt our sensitive data and emails, and sign documents.
WIth RSA keys we can log in to our SSH accounts even more securely without even having to bother typing the password each time.

Seahorse generates for us a pair of keys, a private and a public RSA key.
These are saved is in the .ssh directory in a file called rd_rsa and a file called id_rsa.pub.
The file called rd_rsa contains our private key which we need to keep secret.
The file called id_rsa.pub contians our public key which is to be copied to our friend's computer, which we want to connect to.

To set up passwordless logins for SSH, we open Seahorse and right-click on our Private RSA key. Select 'Set up Computer for Secure Shell...'
A window opens titled 'Set up Computer for SSH Connection', and below that, there's a note: 'To use your Secure Shell key with another computer, you must already have a login account in that computer.

There's a field under that called 'Computer Name', (domain name). I just type the IP number: port number (if other than 22), of the friend's computer there, that works for me.
There's also a field for your login name in the other computer, which is autocompleted.
When you are ready, click 'Setup'.

You'll be asked for the password to your account in your friend's computer, type it and click 'Okay'.
That's it! Your public RSA key is copied into your friend's computer, it's appended to a file called .ssh/authorized_keys.

Now when you open an SSH connection to your friend's computer, you may be asked for a keyring password for the first time connection, but after that the login should be automatic.
The way it works is something like this, the computer you are connecting to uses your public key to generate a number and encrypts the number and sets the encrypted number to your computer.
Your computer uses your private RSA key to decrypt the number and sends the unencrypted number back to your freind's computer. When your freind's computer receives the number back decrypted, that proves the identity of the computer you are using is genuine, since only your private key could have decrypted that number. The remote computer allows the connection and opens.

After the first time connection it's automatic, you don't need to type a password anymore.
Then once we have passwordless logins established we can edit /etc/ssh/sshd_config files to disable password based logins, for even more security.

What is a Digital Signature? An introduction to Digital Signatures, by David Youd

How PGP Works | Dr. Small's Blog | Public Key Cryptography - Wikipedia

The International PGP Home Page

Connect to your SSH servers from anywhere
You can travel the globe and still be able to access all the files in your home or office computer or computers if you use SSH Networking.
Before you leave home, you just need to make sure a port is open in your internet modem that leads to your ssh port in your home computer. That's called 'port forwarding', and the way you should be able to do that depends on what kind of hardware you have.
I use Port Forwarding for the Dlink DI-524 and Port Forwarding for the Thomson/Alcatel SpeedTouch 530. You should be able to find out how to set up port forwarding for your equipment somehow too.

CanYouSeeMe.org - Open Port Check Tool, is a useful site to check whether your port forwarding efforts have worked or not, that site also shows you your IP number.

If you leave your home computer set up like that and go anywhere with your Ubuntu laptop or your Ubuntu-in-a-flash-memory-stick and you should be able to make an SSH connection easily in just the same manner as has been illustrated near the top of this page, but using the internet connection's IP number.

Access to any or all of the computers in my LAN is easy to set up.

The file /etc/ssh/sshd_config is the one to edit for changing your settings for SSH.

herman@silver:~$ gksudo gedit /etc/ssh/sshd_config

You can set a different port number than 22 here.

You can use the command 'less /etc/services' to see what port numbers not to use, but pick some random port number for each computer in your LAN instead of the default 22.

herman@silver:~$ less /etc/services

Each computer in your LAN can have a different port number.

After you have your /etc/ssh/sshd_config file, run,

herman@silver:~$ sudo /etc/init.d/ssh restart

or reboot your computer for the changes to take effect and run a port scan from another computer in your LAN to check.

Then forward the port numbers you chose through your router and through your broadband modem.

Here is a link to a website that shows you how to set up port forwarding with all kinds of different equipment. PORT Forward.com

CanYouSeeMe.org - Open Port Check Tool, is a useful site to check whether your port forwarding efforts have worked, that site also shows you your internet IP number too.

It is best to test SSH between computers inside your LAN to make sure it's working before progressing to the internet.
Then go somewhere to a remote location and connect to a PC in your home or office. It should work. You can connect to each computer by your internet IP number and the individual port number you allocated each of your computers earlier.

Now I can travel with my Ubuntu-in-a-flash-memory-stick and access all the files in any of my home computers from anywhere in the world. It's almost as good as if I was carrying all the information in my home computers around in my pocket. I just need to remember what my home IP address is and what port numbers to make the connections to.

Dynamic DNS
If I'm worried about the possibility of my IP address changing somehow while I'm away, I can have my home computer send me emails at regular intervals addressed to myself and then receive them in my memory stick.
All emails have the senders IP address in them and you can see that if you open the email and click 'View'-->'Message Source'.

It's important to set Evolution in the home PC so it will not check for mail automatically, or it might re-download the message it sent itself. Set the home PC's Evolution to not check for new mail automatically, and/or even if it does check for new mail, make sure the home PC's Evolution will leave a copy of it on the server.
These settings are in 'Edit'-->'Preferences', in Evolution. Click on your account, and click 'Edit', and go to the receiving options tab.

There are a few different programs that can be used to send email from the command line, and that means they can be set up in a crontab to cause them to be send out at regular intervals, or any times we decide to set.
The email program I use is 'sendEmail'.

SendEmail can be installed with apt-get or Synaptic in Ubuntu and it is quite simple to use.

herman@silver:~$ sudo apt-get install sendemail

Here's how to send an email to yourself with sendEmail, from the command line,
example,

$ sendEmail -f user@bigpond.net.au -t user@bigpond.net.au -o message-file=hello.txt -v -s mail-hub.bigpond.net.au

Where: -f user@bigpond.net.au is the email address it's being sent from
Where: -t user@bigpond.net.au is the email address it's being sent to
Where: after the -o option, hello.txt is a plain text file containing a message.
Just make your own text file with any message in it. It doesn't matter what the message contains.
Maybe send your self a reminder of what port numbers your home router is using for each PC's SSH port to make it useful.
Where: -s is your mail server, that depends on your ISP.

Now that you know how to send yourself an email from the command line, you can probably figure out how to use crontab to do the same thing. If you don't know how to set up crontab, look here: Configure 'crontab'

How to send an email to yourself with sendEmail, from crontab,
example,

0 6 * * * /usr/bin/sendEmail -f user@bigpond.net.au -t user@bigpond.net.au -o message-file=hello.txt -s mail-hub.bigpond.net.au

Where: you will send your self an email at 06:00 every day. You might want to make more of these. One every four hours or very six hours or eight hours or whatever.

Why do we need to send ourselves an email?
So we can receive our own email from a remote location and discover our home LAN's current IP address when we have a dynamic IP.
How?
Open the email and click 'View'-->'Message Source', and the IP address will be there.

I like the sendEmail method because I enjoy the anonymity of having a dynamic IP address and I don't want to risk comprimizing that. I'm not sure if a fake DNS would really matter, but I'm playing it safe.

Here are more good ways to keep track of a changing IP addresses, DynamicDNS -Ubuntu Community Documentation, and, Dynamic DNS No-IP.

External Links

SSH - Ubuntu Comminity Docs - make a command line SSH connection

Ubuntu Networking for Basic and Advanced Users.- illustrated guide, includes commands

Useful Linux Network Commands. - A nice quick list of commands

Karakas-Online Network Commands. - more good commands

Linux Network Administrators Guide. - Very Comprehensive

Security - Our system Security guide from the Ubuntu Community Docs. Breif.

AdvancedOpenSSH - Ubuntu Community Documentation

VNC over SSH - Ubuntu Community Documentation

HOWTO: iptables (part one of three) Debian User Forums - This one is easy to follow

HOWTO: Set a custom firewall (iptables) and Tips . - By frodon - more comprehensive

IptablesHowTo - Ubuntu Community Docs - An introduction to the powerful Linux IPTables firewall

Iptables Tutorial 1.2.2 by Oskar Andreasson. Comprehensive.

Also, here's the Official Ubuntu Wiki IPTablesHowTo (for Ubuntu Server Edition).

OpenSSH key management, Part 1 -=- IBM

OpenSSH key management, Part 2 -=- IBM

Mount Remote Directories Securely with SSH -=- Access your home files from far away.

HOWTO: VNC over SSH using Public/Private keys From Windows

ADSL is short for 'Asymetrical Digital Subscriber Line'.
'A' stands for 'Asymetrical', because it's set up so that downloading is faster than uploading.
'D' is for 'Digital', (instead of analog or ISDN).
'SL' is short for 'Subscriber Line', which just means a phone wire.
Using Digital means we can have the phone plugged in and use it while the computer is on-line since it's a different frequency. Our phone wires can carry about 200 times the amount of information using digital signals compared to analog too.

The speed of internet connections are stated in KiloBits per second is written like: 256/64 kbps, or 512/128 kbps. One kilobit is roughly about 1/10 of a Kilobyte.
The Data Transfer Rate Conversion Table.

/////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
Website Under Construction
The information above here is often being updated
Thanks for your patience and sorry for any inconvenience
Proceed with caution
/////////////////////////////////\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\

===+===+===+===+===+===+===+===+===+===+===+===+===+===+===+===+