how to connect desktop and netbook through router?


    #61
    Re: how to connect desktop and netbook through router?

    I don't understand how samba can be used with Linux+Windows but not Linux+Linux, as is my case.
    It can but is not the tool of choice - NFS is normally used for *nix networks.

    On to SSH. I am a little confused that you tried to ssh localhost and yet more confused that port 22 was closed. My initial response would be to ping localhost (as in "ping localhost") to see whether it is running at all! Secondly there are two config files for ssh, namely /etc/ssh/ssh_config and /etc/ssh/sshd_config - make sure that any changes are reflected in either of these two files. If in doubt you can always go back to the original, 'cos no doubt you made copies of them before you started editing (!?!).

    As for security - I understand that you want to get it to work, but with ssh with no password and port 22 and no key it is only a matter of time before you get hacked and kiss either (or both) machines good-bye. Using a different port is a very basic yet effective method of locking out a large number of bots that scan for an open port 22 on the internet. To do so, simply change the entry for Port 22 in both the config files mentioned above and restart the ssh daemon. Obviously you will need to specify the new port in the ~/.unison config file as well. Better still would be an automatic ssh connection using keys, but cross that bridge when you come to it... The port issue, however, I'd do straight away!
    Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ

    Comment


      #62
      Re: how to connect desktop and netbook through router?

      Originally posted by toad
      ...On to SSH. I am a little confused that you tried to ssh localhost
      what should I have done?

      ...and yet more confused that port 22 was closed. My initial response would be to ping localhost (as in "ping localhost") to see whether it is running at all!
      OK - from my client netbook:
      Code:
      ~$ ping localhost
      PING localhost (127.0.0.1) 56(84) bytes of data.
      64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.070 ms
      64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.070 ms
      64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.084 ms
      64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.053 ms
      ^Z
      [1]+ Stopped         ping localhost
      This means it is running? (I haven't a clue.)

      Secondly there are two config files for ssh, namely /etc/ssh/ssh_config and /etc/ssh/sshd_config - make sure that any changes are reflected in either of these two files. If in doubt you can always go back to the original, 'cos no doubt you made copies of them before you started editing (!?!).
      Backup copies? Yes. But the instructions at https://help.ubuntu.com/community/SS...SH/Configuring said nothing about modifying ssh.config, so I didn't. I DID just now go there and uncomment and change some lines so that they appeared congruent with what's in sshd.config, so that the significant part of the file now reads:

      Code:
      Host *
      #  ForwardAgent no
      #  ForwardX11 no
      #  ForwardX11Trusted yes
      #  RhostsRSAAuthentication no
        RSAAuthentication yes
        PasswordAuthentication no
      #  HostbasedAuthentication no
      #  GSSAPIAuthentication no
      #  GSSAPIDelegateCredentials no
      #  GSSAPIKeyExchange no
      #  GSSAPITrustDNS no
      #  BatchMode no
      #  CheckHostIP yes
      #  AddressFamily any
      #  ConnectTimeout 0
      #  StrictHostKeyChecking ask
      #  IdentityFile ~/.ssh/identity
      #  IdentityFile ~/.ssh/id_rsa
      #  IdentityFile ~/.ssh/id_dsa
        Port 22
      #  Protocol 2,1
      #  Cipher 3des
      #  Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
      #  MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
      #  EscapeChar ~
      #  Tunnel no
      #  TunnelDevice any:any
      #  PermitLocalCommand no
        SendEnv LANG LC_*
        HashKnownHosts yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials no
      with this result:

      Code:
      tomc@tomc-laptop:~$ ssh -v localhost
      OpenSSH_5.1p1 Debian-6ubuntu2, OpenSSL 0.9.8g 19 Oct 2007
      debug1: Reading configuration data /etc/ssh/ssh_config
      debug1: Applying options for *
      debug1: Connecting to localhost [::1] port 22.
      debug1: connect to address ::1 port 22: Connection refused
      debug1: Connecting to localhost [127.0.0.1] port 22.
      debug1: connect to address 127.0.0.1 port 22: Connection refused
      ssh: connect to host localhost port 22: Connection refused
      tomc@tomc-laptop:~$
      It appears to have had no effect.

      Any ideas as to what I need to do next?

      As for security - I understand that you want to get it to work, but with ssh with no password and port 22 and no key it is only a matter of time before you get hacked and kiss either (or both) machines good-bye. Using a different port is a very basic yet effective method of locking out a large number of bots that scan for an open port 22 on the internet. To do so, simply change the entry for Port 22 in both the config files mentioned above and restart the ssh daemon.
      1. Thanks for mentioning this. However, if this is so important, then why in blue blazes is it NOT mentioned in the above-referenced SSHconfig instructions. Jeez.
      2. "Using a different port..." is a nice concept. Can you tell me how to do that? "Change the entry..." to...what? I really have no idea. How would YOU solve this problem? I've NEVER understood where port numbers come from.

      Obviously you will need to specify the new port in the ~/.unison config file as well.
      I sure don't see how to do this. I've been all over the command line "info" stuff, and the rather nice Manual, and there's no mention of this. It appears to assume that an SSH connection is already established, which would mean that it doesn't have to worry about port numbers. Do you know any different?

      Better still would be an automatic ssh connection using keys...
      Well, sure, if I had any idea how to do this. "SSH" was represented to me as simple, but everywhere I turn, I'm investing hours trying to figure out mysteries I don't have much knowledge of. I can't afford to get frustrated, but I'm definitely tempted. Wouldn't solve the problem though.

      Comment
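What the `Connection refused` lines in the transcript above mean, as an added example that is not part of the original posts: the client reached the address but nothing accepted the connection on port 22, a server-side condition that editing the client file /etc/ssh/ssh_config cannot change. The sketch goes beyond this one case and also classifies the other common failure lines; all function names are made up here, and the sample input is constructed from the transcript.

```shell
#!/bin/sh
# Added example, not from the thread: triage a failed ssh attempt.

# Reads `ssh -v` output on stdin and prints a failure class. The last match
# wins because ssh tries every address for the host (::1, then 127.0.0.1).
classify_ssh_failure() {
    awk '
        /Could not resolve hostname/                { r = "name-resolution" }
        /Connection refused/                        { r = "no-listener" }
        /Connection timed out|No route to host/     { r = "filtered-or-down" }
        /_exchange_identification/                  { r = "dropped-after-connect" }
        /Permission denied/                         { r = "auth-rejected" }
        /Authentication succeeded|Authenticated to/ { r = "ok" }
        END { print (r == "" ? "unknown" : r) }
    '
}

# Where to look next for each class.
next_check() {
    case "$1" in
        no-listener)           echo "server: sshd not running, or listening on another port" ;;
        filtered-or-down)      echo "network: wrong address, host off, or a firewall dropping packets" ;;
        dropped-after-connect) echo "server: /etc/hosts.allow and /etc/hosts.deny, sshd logs" ;;
        auth-rejected)         echo "sshd answered: check keys and authentication settings" ;;
        name-resolution)       echo "client: host name does not resolve, try the IP address" ;;
        ok)                    echo "connected" ;;
        *)                     echo "no known failure line found" ;;
    esac
}

# Reads `ss -ltn` or `netstat -ltn` output on stdin; succeeds when a TCP
# socket is listening on port $1 (run it on the server to confirm no-listener).
listening_on() {
    awk -v port="$1" '
        $1 == "LISTEN" || $6 == "LISTEN" {
            n = split($4, part, ":")   # IPv6 addresses contain colons: keep the last piece
            if (part[n] == port) found = 1
        }
        END { exit !found }
    '
}

# Constructed sample: the failure lines from the transcript in the post above.
thread_transcript() {
    cat <<'EOF'
debug1: Connecting to localhost [::1] port 22.
debug1: connect to address ::1 port 22: Connection refused
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: connect to address 127.0.0.1 port 22: Connection refused
ssh: connect to host localhost port 22: Connection refused
EOF
}

class=$(thread_transcript | classify_ssh_failure)
echo "$class -> $(next_check "$class")"
```

On the machine that should be running sshd, `ss -ltn | listening_on 22` confirms whether anything is bound to the port.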


        #63
        Re: how to connect desktop and netbook through router?

        With respect to port 22 and security; isn't this supposed to be on a lan behind the router? In that case there is no security risk in having port 22 open since the computers are not seen on the internet. This would only be a problem if a computer was in a DMZ or port forwarding was implemented in the router, AFAIK

        Comment


          #64
          Re: how to connect desktop and netbook through router?

          Thanks for clarifying a vague perception I wasn't quite able to articulate, which is that if I can't be gotten to on my desktop (which IS behind a router, but only just in about the past month), why would firing up an SSH server on my desktop, listening at port 22, suddenly make me vulnerable? Maybe this would be the case without a router, though (as you seem to suggest). In any case, both my boxes are behind this router. I'm not running a firewall, and never have with Kubuntu. Should I be?

          Comment


            #65
            Re: how to connect desktop and netbook through router?

            Originally posted by tomcloyd
            Thanks for clarifying a vague perception I wasn't quite able to articulate, which is that if I can't be gotten to on my desktop (which IS behind a router, but only just in about the past month), why would firing up an SSH server on my desktop, listening at port 22, suddenly make me vulnerable? Maybe this would be the case without a router, though (as you seem to suggest). In any case, both my boxes are behind this router. I'm not running a firewall, and never have with Kubuntu. Should I be?
            I have been using Linux for about 8 years now and I have never used a firewall except on servers exposed to the internet. I have opened port 22 on them but when I do I have a rule that allows only connections from certain ip addresses to prevent brute force attacks etc. I used the fish:// protocol (in Konqueror) to communicate between linux and windows (if you install ssh in windows) boxes on my lan for many years when I was using Debian but I recently switched to Kubuntu because of hardware issues. But Kubuntu 9,10 with Dolphin does a very nice job of finding samba shares on the network and I am able to share files using Shared Docs on WinXP. You can also use ssh in Dolphin when adding network folders by selecting SSH as the protocol.

            Comment


              #66
              Re: how to connect desktop and netbook through router?

              @ Tom

              The thing about port numbers is that the word port can be a little misleading as to what they do.

              You may run any number of servers on your computer of various types. SSH, HTTPd, FTP and what have you. When computers from outside your network want to open a web page hosted on your web server, how do they know their request will be answered by HTTPd and not some other server?

              Think of your router like the person who answers the telephone in a large company. All incoming calls come to this person's phone, and it is her job to direct those calls to the correct person's desk in the company. When someone wants connected to the parts department they provide an extension number for that department. The person who answers the telephone then flips a switch to connect the caller to the telephone associated with that extension number.

              Think of port numbers as similar to extension numbers, and the servers you are running as the various departments inside the company. When a computer outside your network wants to request a web page they ask for port 80. When they want to connect to SSH services they ask for port 22. These specific port numbers are called the well known ports for those specific services.

              There are just over a thousand or so well known port numbers which are assigned to specific services. I'm not sure whether this is due to standards or conventions (there is a big difference) but that's how it works.

              Now suppose you are running the SSH server and you leave it set to accept connections from the well known port, 22. Anyone who wants to take control of your system remotely, which is exactly what SSH does, simply has to mount an attack on port 22. If you have a simple password, or no password at all, they will be successful in a very short amount of time.

              How do you prevent your computer being hijacked?
              • Don't use the well known port for SSH. You are just making it easy for them.
              • Use a strong password to authenticate yourself to the SSH server. At least 32 letters and digits, but the longer and more complex the better.
              • Permanently block both port 22 and your real SSH port number on your router's firewall. Neither you nor anyone else will be able to connect to the SSH server from outside your LAN.


              There are other means of protecting your services from attack, but those are the simplest to implement. If you don't do at least some of these things then you are running a huge risk.
              Welcome newbies!
              Verify the ISO
              Kubuntu's documentation

              Comment
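A check for the settings posts #61 and #66 warn about (default port, password logins, empty passwords), as an added example that is not part of the original posts. The function names, the two sample files and port 2222 are assumptions made for illustration; only the global section of sshd_config is read, in plain "Keyword value" form.

```shell
#!/bin/sh
# Added example, not from the thread: report the sshd_config settings the
# posts above argue about. Reads the file text on stdin.

audit_sshd_config() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }             # blank lines and comments
        { key = tolower($1); val = tolower($2) }  # keywords are case-insensitive
        key == "match" { exit }                   # Match blocks not evaluated; END still runs
        key == "port"  { ports = ports (ports == "" ? "" : ",") val; next }
        !(key in seen) { seen[key] = val }        # sshd keeps the first value it reads
        END {
            if (ports == "") ports = "22"         # OpenSSH defaults from here on
            pw    = ("passwordauthentication" in seen) ? seen["passwordauthentication"] : "yes"
            empty = ("permitemptypasswords" in seen)   ? seen["permitemptypasswords"]   : "no"
            print "port=" ports
            n = split(ports, p, ",")
            for (i = 1; i <= n; i++) if (p[i] == "22") print "WARN default-port"
            if (pw == "yes" && empty == "yes") print "FAIL empty-passwords"
            else if (pw == "yes")              print "WARN password-auth"
            else                               print "OK password-auth-disabled"
            # keyboard-interactive and other methods are not checked here
        }
    '
}

# Constructed sample: the state post #61 describes (port 22, no password).
weak_config() {
    cat <<'EOF'
# constructed sample, not a file from the thread
Port 22
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF
}

# Constructed sample: moved port (2222 is an arbitrary choice), passwords off.
# The second PasswordAuthentication line is ignored: the first value wins.
hardened_config() {
    cat <<'EOF'
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
PasswordAuthentication yes
EOF
}

weak_config | audit_sshd_config
hardened_config | audit_sshd_config
```

Against a real system, feed it the server file: `audit_sshd_config < /etc/ssh/sshd_config`.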


                #67
                Re: how to connect desktop and netbook through router?

                That's a very lucid explanation. (Meaning, I think I get it now.)

                So, I'm going to my router to see how to block port 22.

                THEN...what port do I choose for SSH? How do I know that I'm not choosing a port already used by something else, and thus crashing THAT party?

                People keep saying 'choose a different port' as if it's a completely harmless operation. Is it? I've never read ANYTHING about this. But, if you write something, I'll read it, and then I can no longer say that!!!

                Comment


                  #68
                  Re: how to connect desktop and netbook through router?

                  Well, localhost is as good as always the very machine you are actually working on so doing an SSH to localhost is somewhat pointless. However, the fact that you cannot even do that is puzzling. Do you have a firewall going on your machine? iptables or some such?

                  And to start over 'cos (not least 'cos of my rattling on) this thread is going in all sorts of directions, could you please give us the following info:

                  IP address of your desktop (should be 192.168.1.xxx or something similar)
                  IP address of your laptop (ditto)

                  With both machines switched on, try and ping your laptop from your desktop and vice versa. Does that work?

                  In the meantime let's have more ideas why he cannot even ssh into localhost - maybe someone's got more of an idea than my idle brainfarts
                  Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ

                  Comment


                    #69
                    Re: how to connect desktop and netbook through router?

                    Originally posted by tomcloyd
                    That's a very lucid explanation. (Meaning, I think I get it now.)
                    . . .
                    I've never read ANYTHING about this. But, if you write something, I'll read it
                    No it isn't. Everything I've written in this thread has been written uncountable times, more clearly, more succinctly, and more correctly. If you continue relying upon others to pre-digest and spoon feed you only the choice morsels then you will never, ever, understand the big picture.
                    Welcome newbies!
                    Verify the ISO
                    Kubuntu's documentation

                    Comment


                      #70
                      Re: how to connect desktop and netbook through router?

                      Originally posted by tomcloyd
                      That's a very lucid explanation. (Meaning, I think I get it now.)

                      So, I'm going to my router to see how to block port 22.

                      THEN...what port do I choose for SSH? How do I know that I'm not choosing a port already used by something else, and thus crashing THAT party?

                      People keep saying 'choose a different port' as if it's a completely harmless operation. Is it? I've never read ANYTHING about this. But, if you write something, I'll read it, and then I can no longer say that!!!
                      As we discussed already, you don't need to worry about attacks if you are using ssh on your LAN only.

                      Comment


                        #71
                        Re: how to connect desktop and netbook through router?

                        @ tom

                        Could you also please post your /etc/hosts.allow file - thanks.
                        Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ

                        Comment


                          #72
                          Re: how to connect desktop and netbook through router?

                          I'm not entirely sure which computer's file you're after, but examination of both revealed that they're presently identical:

                          Code:
                          # /etc/hosts.allow: list of hosts that are allowed to access the system.
                          #          See the manual pages hosts_access(5) and hosts_options(5).
                          #
                          # Example:  ALL: LOCAL @some_netgroup
                          #       ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
                          #
                          # If you're going to protect the portmapper use the name "portmap" for the
                          # daemon name. Remember that you can only use the keyword "ALL" and IP
                          # addresses (NOT host or domain names) for the portmapper, as well as for
                          # rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
                          # for further information.
                          #
                          I've never ever heard of this file or of doing anything with it. It certainly looks relevant, but I'm also looking at it for the very first time.

                          I hope this sheds some light on what's blocking me.

                          t.

                          Comment


                            #73
                            Re: how to connect desktop and netbook through router?

                            Well, for my ssh to work I've got to add the following line:

                            Code:
                            sshd: ALL
                            Best restart both the network and the ssh daemon afterwards.
                            Once your problem is solved please mark the topic of the first post as SOLVED so others know and can benefit from your experience! / FAQ

                            Comment


                              #74
                              Re: how to connect desktop and netbook through router?

                              Hey Tom, just to be clear, you want to be able to have an automated synchronization of a directory in your desktop and netbook? Or would you settle for a manual one?

                              Comment


                                #75
                                Re: how to connect desktop and netbook through router?

                                Toad - thanks for suggestion. Am off to try it.

                                tjohnson_nb - I want a synchronization of my desktop and laptop. It need not be until I ask for it, as I'm either using one or the other, so I just want to transfer my working environment to the machine I need to be doing work on. I'm wanting basically to synchronize most of my user account. I use the program Unison. It has available a GUI which allows manual execution of any number of "profiles" - a script which coordinates two files or directories on two or more machines. To avoid having to do all synchronization using this manual interface, it is possible to use a command line version, and I run a series of these using a Ruby program I wrote. It's very simple, and rather fast, most of the time.

                                I'm NOT wanting to do the manual things except in special cases. It's just too much work, and with Unison plus my Ruby program it really isn't necessary.

                                Comment
