Visideas (David Morlitz)<br />
*Security: Linux application level firewall (2020-03-03)<br />
An iptables rule of the following form is required (on its own the ACCEPT rule changes nothing: the rest of the OUTPUT chain has to drop what this rule does not accept, so that only the trusted group gets out). The example below, quoted from the linked post, uses a group named <i>other</i>; the rest of this post uses a group named <b>allownet</b>:<br />
<blockquote class="tr_bq">
<span style="color: blue;">iptables -A OUTPUT -o eth0 -m owner --gid-owner other -j ACCEPT</span><br />
<div style="background-color: white; border: medium none; color: black; overflow: hidden; text-align: left; text-decoration: none;">
<br />
Read more: <a href="http://linuxpoison.blogspot.com/2010/11/how-to-limit-network-access-by-user.html#ixzz46wlh4Oc1" style="color: #003399;">http://linuxpoison.blogspot.com/2010/11/how-to-limit-network-access-by-user.html#ixzz46wlh4Oc1</a></div>
</blockquote>
<br />
Now the Linux iptables firewall is configured to only allow network access from applications that you have specifically started using the <b>allownet</b> group id. Since this is not your <i>primary</i> group, you will need to manually start programs and switch the group ID if you want to allow network access. This process basically means that only applications that you trust and have started correctly will have network access.<br />
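As an added example (not part of the original post), here is the full OUTPUT-chain policy that the single ACCEPT rule above depends on, written as a function that prints the iptables commands so they can be reviewed before being piped to a root shell. The group name allownet and the interface eth0 come from this post; the chain name APP_EGRESS, the loopback and established-connection exceptions and the log-then-reject tail are assumptions made for the example.<br />

```shell
#!/bin/sh
# Added example: OUTPUT policy for the application-level firewall described above.
# Assumed names: group "allownet", interface "eth0" (as in the post); the chain
# name APP_EGRESS and the logging/reject rules are choices made for this example.

# Print the commands that build the policy. Apply as root with:
#   egress_rules allownet eth0 | sh
egress_rules() {
    group=$1
    iface=$2
    # A separate user chain keeps this policy apart from any other OUTPUT rules.
    echo "iptables -N APP_EGRESS 2>/dev/null || iptables -F APP_EGRESS"
    # Loopback traffic is not subject to the group restriction.
    echo "iptables -A APP_EGRESS -o lo -j ACCEPT"
    # Replies belonging to connections that were already accepted (for example
    # the answers sent by sshd) are not owned by the trusted group, so they
    # need their own rule or inbound services stop responding.
    echo "iptables -A APP_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # The rule from the post: only sockets owned by the trusted group may open
    # new outbound connections. A local caching resolver, if you run one, works
    # under its own group and would need a rule of its own.
    echo "iptables -A APP_EGRESS -o $iface -m owner --gid-owner $group -j ACCEPT"
    # Everything else is logged (rate limited) and rejected; REJECT rather than
    # DROP so that untrusted programs fail immediately instead of hanging.
    echo "iptables -A APP_EGRESS -m limit --limit 5/min -j LOG --log-prefix \"EGRESS-BLOCKED: \""
    echo "iptables -A APP_EGRESS -j REJECT --reject-with icmp-admin-prohibited"
    # Hook the chain into OUTPUT exactly once (remove a previous hook first).
    echo "iptables -D OUTPUT -j APP_EGRESS 2>/dev/null"
    echo "iptables -I OUTPUT 1 -j APP_EGRESS"
}

# Number of rules that would be added to the chain, as a sanity check before applying.
egress_rule_count() {
    egress_rules "$1" "$2" | grep -c "^iptables -A APP_EGRESS"
}

# Dry run: review the generated commands.
egress_rules allownet eth0
```

The conntrack rule is the one people forget: without it the policy also blocks the reply packets of every inbound service, because those packets are generated by the daemon's own group, not by allownet. The LOG rule gives you a kernel log line for each blocked attempt, which is how you find out that an application you had not thought about wants the network.<br />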
<br />
The easiest way to start a process as a different group id is to use the <b>sg</b> command (your user account needs to be a member of that group). The syntax is:<br />
<blockquote class="tr_bq">
sg &lt;group&gt; "&lt;command&gt;"</blockquote>
Please be aware that the quotes are important, otherwise the sg command will only receive &lt;command&gt; up to the first space character.<br />
<br />
If you wish to make this a bit easier to remember, you may want to create a script which you can more easily call to start a trusted application with network access. Personally, I call my script <b>allownet</b> and it looks like this:<br />
<blockquote class="tr_bq">
<pre>#!/bin/bash
# Quote every argument separately so that arguments containing spaces survive
# the trip through sg (which hands the string to a shell), then run the command
# with allownet as the current group.
exec sg allownet "$(printf '%q ' "$@")"</pre></blockquote>
This is a very simple script that I have placed in /usr/local/bin, so my default path finds it. It takes any parameters that it receives and wraps them to look like:<br />
<blockquote class="tr_bq">
sg allownet "&lt;parameters passed to allownet&gt;"</blockquote>
Now, if I want to execute an ssh command, I can simply enter:<br />
<blockquote class="tr_bq">
allownet ssh user@host.visideas.com</blockquote>
and everything should work perfectly.<br />
<br />
We are now more protected from applications on our Linux system accessing the network without our knowledge. <br />
*Limiting access to your site to Cloudflare IP addresses only (2019-10-02)<br />
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2019/10/02/limiting-access-to-your-web-site-to-cloudflare-ip-addresses-only/">https://datamakes.com/2019/10/02/limiting-access-to-your-web-site-to-cloudflare-ip-addresses-only/</a><br />
<br />
For those of you that know me, you know that I am very paranoid about security. I feel that while I know how to make a secure system, it is very easy to get it wrong and very hard to get it right. One of the things that always concerns me is having a lot of people randomly "poking" at my servers and possibly finding errors in my system.<br />
<br />
I have turned to <a href="https://www.cloudflare.com/">Cloudflare</a> to help reduce my exposed attack surface. They have some great services, many of which are available for free. This particular post will simply be talking about using their Web Application Firewall (WAF).<br />
<br />
Cloudflare acts as a Content Distribution Network (CDN) that actually helps to speed up your web-site. The short version of this is that a visitor connects to an IP address on the Cloudflare network which acts as a caching proxy to connect back to your actual server. This is how Cloudflare can provide both security and caching.<br />
<br />
What happens if someone has your server's <b>actual</b> IP address instead of the one hosted by Cloudflare? They can circumvent all of the Cloudflare-provided security and attack your server directly.<br />
<br />
If you are running a Linux server, it is actually easy to restrict incoming connections to your server to <b>only</b> be from trusted Cloudflare addresses. By closing this bypass you are guaranteeing that you always have the protection of Cloudflare in front of your server. This also means that you can use additional Cloudflare capabilities to minimize the number of unauthorized requests that come to your server, which also reduces server load.<br />
<br />
<b>NOTE:</b> This script <u>should</u> work with any CDN that provides similar capabilities as Cloudflare does - but I have not tested anybody else.<br />
<br />
Here is the script that I use to close this Cloudflare bypass. Look for the placeholder values (the <b>www.xxx.yyy.zzz</b> addresses, the <b>ww.xx.yy.zz/8</b> VPN network and the outbound interface name) to identify the areas that you need to customize.<br />
<blockquote class="tr_bq">
<pre>#!/bin/sh
# Script taken and modified from https://github.com/Paul-Reed/cloudflare-ufw/blob/master/cloudflare-ufw.sh
# Safety - make sure you are authorized before we do anything
if [ "$(id -u)" -ne 0 ]; then
    echo "ABORT: You must be root to run this script"
    exit 1
fi
# Clear out all firewall rules
echo y | /usr/sbin/ufw reset
# Flush and remove all UFW rules in both the filter and nat tables
/sbin/iptables -F
/sbin/iptables -X
/sbin/iptables -F -t nat
/sbin/iptables -X -t nat
# Safety to make sure that everything is really removed
echo y | /usr/sbin/ufw reset
# Remove the backup copies (name.YYYYMMDD_HHMMSS) that the reset command generates
rm -f /etc/ufw/*.20??????_*
# Disable the firewall until rules are set and assign default policies
/usr/sbin/ufw disable
/usr/sbin/ufw default deny incoming
/usr/sbin/ufw default allow outgoing
# Check to see if OpenVPN rules have been added to UFW already
# If the rules are not already there, prepend the nat block to the before.rules file
# NOTE: If you are not using OpenVPN, this block is not needed
if ! grep -q "OpenVPN routing" /etc/ufw/before.rules; then
    cat &lt;&lt;EOF > /etc/ufw/before.rules.nat
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s ww.xx.yy.zz/8 -o &lt;outbound interface name&gt; -m comment --comment "OpenVPN routing" -j MASQUERADE
COMMIT
EOF
    # Merge the new nat block into the existing before.rules (the nat table has to come first)
    cp /etc/ufw/before.rules /etc/ufw/before.rules.orig
    cat /etc/ufw/before.rules.nat /etc/ufw/before.rules.orig > /etc/ufw/before.rules
fi
# Disable the firewall again to make sure all rules are really purged
/usr/sbin/ufw disable
# Enable the new firewall
echo y | /usr/sbin/ufw enable
# Put in some safety rules so you do not get locked out accidentally
/usr/sbin/ufw allow from www.xxx.yyy.zzz/32 to any port 22,80,443 proto tcp comment "Safety - home computers"
/usr/sbin/ufw allow from 127.0.0.1/32 comment "Safety - localhost"
/usr/sbin/ufw allow from www.xxx.yyy.zzz/32 to any port 22,80,443 proto tcp comment "Safety - home router"
/usr/sbin/ufw allow from www.xxx.yyy.zzz/32 to any port 22,80,443 proto tcp comment "Allow VPN users"
/usr/sbin/ufw allow from any to any port 1194 proto udp comment "OpenVPN via UDP"
/usr/sbin/ufw deny from www.xxx.yyy.zzz to 224.0.0.1 comment "Block multi-cast"
echo "Deny applied"
# Determine working directory
DIR="$(dirname "$(readlink -f "$0")")"
cd "$DIR" || exit 1
# Get the authoritative lists of Cloudflare IP addresses. If a download fails or
# comes back empty, keep the list saved by the previous run instead of allowing nothing.
wget -q https://www.cloudflare.com/ips-v4 -O ips-v4.tmp && [ -s ips-v4.tmp ] && mv ips-v4.tmp ips-v4
wget -q https://www.cloudflare.com/ips-v6 -O ips-v6.tmp && [ -s ips-v6.tmp ] && mv ips-v6.tmp ips-v6
# Loop through all of the Cloudflare IP addresses and authorize them
for cfip in $(cat ips-v4); do /usr/sbin/ufw allow from "$cfip" to any port 443 proto tcp comment "Allow Cloudflare via TCP"; done
for cfip in $(cat ips-v6); do /usr/sbin/ufw allow from "$cfip" to any port 443 proto tcp comment "Allow Cloudflare via TCP"; done
# NOTE: You can repeat the above lines to add other rules or change the allowed ports
# Enable the firewall rules
echo y | /usr/sbin/ufw enable
# Display the nat table to ensure rules are properly added
/sbin/iptables -t nat -L -n</pre>
</blockquote>
After that, I simply added this script to the crontab for the <b>root</b> user, since the script needs root privileges to run. I do not know how often the Cloudflare IP addresses change, so I set it to run once per day and on every system reboot.
<br />
<blockquote class="tr_bq">
<pre>@reboot <span style="color: red;">/path/to/script.sh</span> | mail -s "resetUFW results - reboot" <span style="color: red;">me@some_domain.com</span>
0 4 * * * <span style="color: red;">/path/to/script.sh</span> | mail -s "resetUFW results" <span style="color: red;">me@some_domain.com</span>
</pre>
</blockquote>
Everything has been working great ever since.
*High intensity port multiplexing using haproxy (2018-02-27)<br />
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2018/02/17/high-intensity-port-sharing-with-haproxy/">https://datamakes.com/2018/02/17/high-intensity-port-sharing-with-haproxy/</a><br />
<br />
As I am sure you already know, IPv4 addresses are in limited supply right now. The solution to this is IPv6 which greatly enlarges the available address space. The problem is that IPv6 is not yet deployed everywhere, so there is still a need to figure out how to maximize the usage of your existing IPv4 addresses.<br />
<br />
I have a VPS on the Internet which only provides 1 IPv4 address. Of course, I want to run multiple services on this VPS. I also want to use well-known ports to decrease the chance of being blocked from accessing my VPS.<br />
<br />
There are several tools that can handle port multiplexing. Probably among the most widely used are <a href="http://www.haproxy.org/">haproxy</a> and <a href="https://github.com/yrutschle/sslh">sslh</a>. Both of these tools are probably available in your Linux package manager.<br />
<br />
SSLH is very easy to use but it only multiplexes SSL and SSH sessions. If you want more than 2 services on the same port then this tool is not for you.<br />
<br />
HAPROXY is a bit more complicated to set up but it is also a lot more configurable. This post will describe the way that I have haproxy configured to host multiple services. I will post the full configuration file at the bottom of this post for easy copying and pasting.<br />
<br />
<b>NOTE: </b>When you are reading the code below, any text that is <u>underlined</u> needs to be replaced with values that are appropriate to your installation.<br />
<br />
The first step in configuring haproxy is to set up the "frontend". This is the portion of haproxy that listens for incoming connections. Your "frontend" might look like this:<br />
<blockquote class="tr_bq">
frontend ssl<br />
mode tcp<br />
bind <u>&lt;ipaddress&gt;:&lt;port&gt;</u><br />
tcp-request inspect-delay 3s<br />
tcp-request content accept if { req.ssl_hello_type 1 }</blockquote>
This basically tells haproxy which IP address and port to listen on for incoming connections. You can also use the IP address 0.0.0.0 for every available IP address, if you have multiple.<br />
<br />
The "inspect-delay" tells haproxy how long it should wait to receive data from the client before making a decision about what to do with the incoming connection. This is required because HTTPS and SSH sessions are negotiated differently: a TLS client sends its client hello as soon as the connection opens, whereas an SSH client may wait for the server's banner before sending anything. This difference is also how we distinguish the traffic types.<br />
<br />
Once you have this front-end configured, you next need to configure your access control lists which connect your front-end to your backend(s).<br />
<br />
The ACL for an SSH session looks like this:<br />
<blockquote class="tr_bq">
acl <u>&lt;ssh label&gt;</u> payload(0,7) -m bin 5353482d322e30</blockquote>
This will detect SSH sessions (the hex string 5353482d322e30 is the ASCII banner "SSH-2.0") and mark them with &lt;ssh label&gt;. This is an arbitrary label and you can pick any name you want. The only requirement is that it matches the rules that connect to the SSH backend.<br />
<br />
Your "use_backend" statement for SSH would then look like:<br />
<blockquote class="tr_bq">
use_backend <u>&lt;ssh backend name&gt;</u> if <u>&lt;ssh label&gt;</u></blockquote>
As before, the &lt;ssh backend name&gt; is an arbitrary label you can pick. The only requirement again is that the backend name must match the backend definition.<br />
<br />
Since we are now talking about the backend, here is what an SSH backend would look like:<br />
<br />
<blockquote>
backend openssh<br />
mode tcp<br />
timeout server 3h<br />
server openssh <u>&lt;ip address&gt;:&lt;port&gt;</u></blockquote>
Typically you would use an IP address of 127.0.0.1 to mean localhost or the local machine. The default port for SSH is 22. It is possible to use any IP address and port you want in this definition. That would be useful if the SSH server is on a different machine on a network behind your haproxy system.<br />
<br />
Now we can add additional services. It is common for a single web-server to host multiple web-sites, which are identified by their DNS name. In TLS the client sends the name it wants in the Server Name Indication (SNI) extension of its client hello, and haproxy can read that name from the unencrypted client hello without terminating the connection.<br />
<br />
Let's start by setting up an ACL for server1.visideas.com<br />
<blockquote class="tr_bq">
acl <u>&lt;server one&gt;</u> req.ssl_sni -i <u>server1.visideas.com</u></blockquote>
Then the matching use_backend rule would look like:<br />
<blockquote class="tr_bq">
use_backend <u>&lt;server 1 backend&gt;</u> if <u>&lt;server one&gt;</u> { req.ssl_hello_type 1 }</blockquote>
Finally, your matching backend might look like:<br />
<blockquote class="tr_bq">
backend <u>&lt;server 1 backend&gt;</u><br />
mode tcp<br />
server webserver <u>&lt;server 1 IP&gt;</u>:<u>&lt;server 1 port&gt;</u></blockquote>
There are also some powerful matching criteria that you can use in your ACLs. For example, both of these are valid:<br />
<blockquote class="tr_bq">
acl <u>&lt;some acl&gt;</u> req.ssl_sni -m end <u>.visideas.com</u><br />
acl <u>&lt;different acl&gt;</u> req.ssl_sni -m found</blockquote>
The first line matches any domain name that ends in .visideas.com and marks it with &lt;some acl&gt;. The second line matches any name and tags it with &lt;different acl&gt;. These lines will <b>not</b> mark requests that were directed to an IP address, because such requests carry no SNI name.<br />
<br />
Another use_backend that is useful is:<br />
<blockquote class="tr_bq">
use_backend <u>&lt;another backend&gt;</u> if { req.ssl_hello_type 1 }</blockquote>
An ssl_hello_type of 1 indicates a TLS client hello, i.e. an HTTPS (or other TLS) request. Since there is no ACL name after the "if", this rule catches the TLS requests that were sent to this haproxy server by IP address, provided it is placed after the SNI rules (use_backend lines are evaluated in order and the first match wins). This means that you can route traffic which came in by IP address to an alternate service.<br />
<br />
The final ACL that I will discuss is:<br />
<blockquote class="tr_bq">
use_backend <u>&lt;shadowsocks&gt;</u> if !{ req.ssl_hello_type 1 } !{ req.len 0 }</blockquote>
This rule catches traffic that is meant for a Shadowsocks server. Such traffic is identified because it does not contain an ssl_hello_type of 1 and the client sends data immediately without waiting, i.e. the request length is not 0.<br />
<br />
There are probably other protocols that this statement would match as well but I am using it for Shadowsocks.<br />
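The protocol detection that these ACLs perform can be reproduced in a few lines of shell, which is useful for checking what a given client really sends during the inspect delay before blaming the haproxy rules. This is an added example, neither part of the original post nor of haproxy itself: it takes the bytes a client sent first (here produced with printf; in practice the first payload of a captured connection) and prints the class the rules above would route on. The labels tls, ssh and shadowsocks are names chosen for the example; SNI matching is not reproduced.<br />

```shell
#!/bin/sh
# Added example: mirror of the haproxy protocol-detection ACLs from the post.
# Input is the hex dump of the bytes the client sent during the inspect delay.
# The labels "tls", "ssh" and "shadowsocks" are names chosen for this example.

classify_hex() {
    hex=$1
    # req.len 0: nothing arrived within the inspect delay. An SSH client that
    # waits for the server banner looks like this, so it goes to the SSH backend.
    if [ -z "$hex" ]; then
        echo ssh
        return 0
    fi
    case "$hex" in
        # payload(0,7) -m bin 5353482d322e30: the bytes spell the ASCII banner "SSH-2.0"
        5353482d322e30*)
            echo ssh ;;
        # req.ssl_hello_type 1: TLS record type 0x16 (handshake), two version
        # bytes, two length bytes, then handshake type 0x01 (client hello)
        16????????01*)
            echo tls ;;
        # !{ req.ssl_hello_type 1 } !{ req.len 0 }: data arrived, but it is neither
        # a client hello nor an SSH banner (Shadowsocks in the post's setup)
        *)
            echo shadowsocks ;;
    esac
}

# Convenience wrapper: classify raw bytes read from stdin.
classify_bytes() {
    classify_hex "$(od -An -tx1 | tr -d ' \n')"
}

# Demonstration with constructed inputs (a TLS 1.0 record header carrying a
# client hello, an OpenSSH-style banner, an empty first read, and junk).
printf 'SSH-2.0-OpenSSH_8.9' | classify_bytes
printf '\026\003\001\000\310\001\000\000\304\003\003' | classify_bytes
printf '' | classify_bytes
printf '\001\002\003random' | classify_bytes
```

The order of the three tests is the same as the order of the use_backend lines in the full configuration below, and it shows why the empty-request rule is needed: a client that says nothing during the inspect delay is indistinguishable from a slow client, so the inspect-delay value is a trade-off between SSH clients that wait for the banner and the latency you add to every connection.<br />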
<br />
Now, as promised, here is my complete haproxy.conf. Again, please remember to change everything that is underlined to match your specific settings. Note the extra rule <i>use_backend openssh if !{ req.ssl_hello_type 1 } { req.len 0 }</i> in the frontend: an SSH client that waits for the server's banner sends nothing during the inspect delay, so it is matched by the empty request rather than by the ssh_payload ACL.<br />
<br />
This configuration allows me to access the following services on port 443:<br />
<ol>
<li>An nginx server when accessed as https://s.visideas.com/</li>
<li>An Apache2 server when accessed as https://k.visideas.com/ or https://*.visideas.com/ or https://&lt;any DNS name&gt;</li>
<li>A <a href="https://mmonit.com/monit/">Monit</a> server when accessed as https://monit.visideas.com/</li>
<li>An <a href="http://www.infradead.org/openconnect/">OpenConnect</a> SSL VPN server when accessed as https://&lt;ip address&gt;/</li>
<li>A <a href="https://shadowsocks.org/en/index.html">Shadowsocks</a> server when accessed using a Shadowsocks client</li>
<li>An SSH server</li>
</ol>
<blockquote class="tr_bq">
<pre>global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode tcp
    option tcplog
    option dontlognull
    maxconn 2000
    timeout connect 5000
    timeout client 500000
    timeout server 500000

frontend ssl
    mode tcp
    bind <u>&lt;host IP&gt;</u>:443
    tcp-request inspect-delay 3s
    tcp-request content accept if { req.ssl_hello_type 1 }

    acl ssh_payload payload(0,7) -m bin 5353482d322e30

    acl <u>www-monit</u> req.ssl_sni -i <u>monit.visideas.com</u>
    acl <u>www-s</u> req.ssl_sni -i <u>s.visideas.com</u>
    acl <u>www-r</u> req.ssl_sni -i <u>r.visideas.com</u>
    acl <u>www-k</u> req.ssl_sni -m end <u>.visideas.com</u>
    acl <u>www-k</u> req.ssl_sni -m found

    use_backend www-monit if www-monit { req.ssl_hello_type 1 }
    use_backend <u>nginx-s</u> if <u>www-s</u> { req.ssl_hello_type 1 }
    use_backend <u>apache2-k</u> if <u>www-k</u> { req.ssl_hello_type 1 }
    use_backend <u>ocserv</u> if { req.ssl_hello_type 1 }
    use_backend <u>openssh</u> if ssh_payload
    use_backend <u>openssh</u> if !{ req.ssl_hello_type 1 } { req.len 0 }
    use_backend <u>shadowsocks</u> if !{ req.ssl_hello_type 1 } !{ req.len 0 }

backend <u>openssh</u>
    mode tcp
    timeout server 3h
    server openssh <u>127.0.0.1:22</u>

backend <u>ocserv</u>
    mode tcp
    timeout server 24h
    server sslvpn <u>127.0.0.1:4443</u>

backend <u>nginx-s</u>
    mode tcp
    server webserver <u>127.0.0.1:8443</u>

backend <u>apache2-k</u>
    mode tcp
    server webserver <u>127.0.0.1:10443</u>

backend <u>www-monit</u>
    mode tcp
    server webserver <u>127.0.0.1:2812</u>

backend shadowsocks
    mode tcp
    server socks <u>127.0.0.1:8530</u></pre></blockquote>
I hope this helps you with maximizing the value of your shared IPv4 addresses with haproxy.<br />
<br />
*Monitoring Google Contacts for changes - are you losing contacts? (2017-03-17)<br />
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2017/03/17/monitoring-google-contacts-for-changes-are-you-losing-contacts/">https://datamakes.com/2017/03/17/monitoring-google-contacts-for-changes-are-you-losing-contacts/</a><br />
<br />
Have you ever thought you are losing contacts stored in Google? That wonderful moment when you are trying to dial your phone and the person you want is not in your address book. Then you think about it and realize that you definitely have had them in there before. How frustrating.<br />
<br />
I believe that your contact list is probably one of the most important pieces of personal information you keep on your phone. Contacts last over time and you don't always notice when they disappear until it is too late.<br />
<br />
To help combat this problem, I have written a set of bash scripts which run on Linux to help you recognize a problem <b>and</b> provide you a way to correct it.<br />
<br />
This solution is specifically for backing up Google Contacts - but the concepts would work for any contact storage engine where you can get <a href="https://en.wikipedia.org/wiki/VCard">vcards</a>.<br />
<br />
To make this work, you will need to get <a href="https://vdirsyncer.pimutils.org/en/stable/">vdirsyncer</a> installed properly. There are very complete instructions on the vdirsyncer web-site at <a href="https://vdirsyncer.pimutils.org/en/stable/installation.html">https://vdirsyncer.pimutils.org/en/stable/installation.html</a>.<br />
<br />
<b>Please pay specific attention to the "Google" section in <a href="https://vdirsyncer.pimutils.org/en/stable/config.html">https://vdirsyncer.pimutils.org/en/stable/config.html</a>.</b> Specifically, you will need to create an API key (client_id and client_secret) and install an additional python module to access Google. All of this is fully documented so you should be able to follow those instructions.<br />
<br />
Once you have vdirsyncer installed, let's speed things up and jump right to the configuration. Here is my vdirsyncer config file:<br />
<blockquote class="tr_bq">
<pre>[general]
status_path = "<span style="color: red;">&lt;path&gt;</span>/status"

[storage googlecontacts]
type = "google_contacts"
token_file = "<span style="color: red;">&lt;path&gt;</span>/google.token"
client_id = "<span style="color: red;">&lt;client_id from the Google API console&gt;</span>"
client_secret = "<span style="color: red;">&lt;client_secret from the Google API console&gt;</span>"
read_only = "true"

[storage vcf]
type = "filesystem"
path = "<span style="color: red;">&lt;path&gt;</span>/contacts"
fileext = ".vcf"

[pair google]
a = "googlecontacts"
b = "vcf"
collections = ["from a"]
conflict_resolution = "a wins"</pre></blockquote>
Now for a discussion of the important points in this config file:<br />
<ul>
<li>You <b>must</b> substitute everything in &lt; &gt; with proper values</li>
<li>vdirsyncer seems to really require all of the quotation marks (") above - leave them in</li>
<li>The file <span style="color: red;">&lt;path&gt;</span>/google.token provides access to your Google account via an OAuth token - <b>protect this file</b></li>
<li>The read_only parameter in the googlecontacts storage configuration means that no changes from your local PC will ever appear on Google. NOTE: There should never be changes on your local system unless something goes horribly wrong; this is just a safety measure</li>
<li>The "a wins" setting also specifies that Google Contacts is the authoritative source of information</li>
</ul>
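One way to make the "protect this file" point above enforceable, as an added example that is not part of the original post: a check that refuses to run the sync unless the token file and the config file are regular files owned by the calling user with no group or other permission bits. The function names and the demonstration files are mine; the layout (a google.token next to the config) mirrors the configuration above.<br />

```shell
#!/bin/sh
# Added example: check that the vdirsyncer secrets are private before syncing.
# Assumes the layout from the post (the token file next to the config file);
# the function names are chosen for this example.

# Return 0 when FILE is a regular file (not a symlink), owned by the calling
# user, with no group or other permission bits; print the reason otherwise.
secret_is_private() {
    file=$1
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "$file: not a regular file"
        return 1
    fi
    owner=$(stat -c '%U' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$owner" != "$(id -un)" ]; then
        echo "$file: owned by $owner, not $(id -un)"
        return 1
    fi
    # The last two octal digits are the group and other bits; both must be 0.
    case "$mode" in
        0|*00) return 0 ;;
        *)     echo "$file: mode $mode is accessible to other users"
               return 1 ;;
    esac
}

# Check every file given; the sync should only run when all of them pass.
secrets_ok() {
    status=0
    for f in "$@"; do
        secret_is_private "$f" || status=1
    done
    return $status
}

# Demonstration on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed-token\n' > "$demo_dir/google.token"
chmod 600 "$demo_dir/google.token"
printf '[general]\n' > "$demo_dir/vdirsyncer.conf"
chmod 644 "$demo_dir/vdirsyncer.conf"        # deliberately too open
secrets_ok "$demo_dir/google.token" "$demo_dir/vdirsyncer.conf" || echo "not syncing"
rm -rf "$demo_dir"
```

In the cron script below this would go right before the vdirsyncer call: a config file that leaks the client_secret, or a token file readable by another account, is worth aborting over, and the message ends up in the cron mail.<br />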
Once you create this configuration file, you will need to perform a one-time only step of running<br />
<blockquote class="tr_bq">
vdirsyncer -c <span style="color: red;">&lt;config file&gt;</span> discover</blockquote>
This step will either automatically start a browser for you to authenticate with Google, or, if a browser can not be started, a URL will be provided that you must browse to. Once you authenticate, you will be given a long complex string which you will paste into your vdirsyncer window. This is used to generate your OAuth token, which is stored in the token file specified above.<br />
<br />
At this point in time, you probably want to run<br />
<blockquote class="tr_bq">
vdirsyncer -c <span style="color: red;">&lt;config file&gt;</span> sync</blockquote>
just to make sure everything is working. If everything goes well, you will end up with a bunch of vcard (.vcf) files in your <span style="color: red;">&lt;path&gt;</span>/contacts directory.<br />
<br />
Now that everything is working, let's automate this. The script below will notify you when:<br />
<ul>
<li>A contact is deleted - the deleted contact is stored for your review</li>
<li>A contact is added</li>
<li>A contact is changed - both the old and new versions are stored and dated for your review</li>
</ul>
<blockquote class="tr_bq">
<pre>#!/bin/bash

BASEDIR=<span style="color: red;">&lt;path&gt;</span>
TODAYDIR=$BASEDIR/contacts/default
YESTERDAYDIR=$BASEDIR/yesterday
CONFIG=$BASEDIR/<span style="color: red;">&lt;config file&gt;</span>.conf
CHANGEDIR=$BASEDIR/changes
YESTERDAY=$(date +%Y-%m-%d -d "yesterday")
TODAY=$(date +%Y-%m-%d)
CHANGED=0

mkdir -p "$YESTERDAYDIR" "$CHANGEDIR"

# Display name (FN line) of a vcard, with spaces replaced so it can be used in a file name
card_name() {
    grep -E '^FN:' "$1" | head -n 1 | cut -f2- -d: | sed -e 's/ /_/g'
}

# Pull the current copy of the contacts from Google; stop if the sync itself failed
/usr/local/bin/vdirsyncer -c "$CONFIG" sync | grep -v "Syncing "
if [ "${PIPESTATUS[0]}" -ne 0 ]; then
    echo "ABORT: vdirsyncer sync failed"
    exit 1
fi

#Search for deletions
for vcf in "$YESTERDAYDIR"/*.vcf; do
    [ -e "$vcf" ] || continue
    card=$(basename "$vcf")
    if [ ! -f "$TODAYDIR/$card" ]; then
        NAME=$(card_name "$vcf")
        echo "DELETED: $NAME ($card)"
        mv "$vcf" "$CHANGEDIR/$NAME.$card.DELETED.$TODAY"
        CHANGED=1
    fi
done

#Search for additions
for vcf in "$TODAYDIR"/*.vcf; do
    [ -e "$vcf" ] || continue
    card=$(basename "$vcf")
    if [ ! -f "$YESTERDAYDIR/$card" ]; then
        NAME=$(card_name "$vcf")
        echo "ADDED: $NAME ($card)"
        CHANGED=1
    fi
done

#Search for changes - compare contents rather than sizes, so same-length edits are caught too
for vcf in "$TODAYDIR"/*.vcf; do
    [ -e "$vcf" ] || continue
    card=$(basename "$vcf")
    if [ -f "$YESTERDAYDIR/$card" ] && ! cmp -s "$vcf" "$YESTERDAYDIR/$card"; then
        NAME=$(card_name "$YESTERDAYDIR/$card")
        echo "CHANGED: $NAME ($card)"
        cp "$vcf" "$CHANGEDIR/$NAME.$card.CHANGE.$TODAY"
        cp "$YESTERDAYDIR/$card" "$CHANGEDIR/$NAME.$card.CHANGE.$YESTERDAY"
        CHANGED=1
    fi
done

# Copy all of today's entries into yesterday's directory - for comparison tomorrow
cp "$TODAYDIR"/*.vcf "$YESTERDAYDIR"

if [ "$CHANGED" == "1" ]; then
    <span style="color: red;">&lt;any code you want to specifically execute to notify you of a change - remember cron will automatically E-Mail you a log of this session, if any changes were found. This is for any additional notification options. For example, I use an API to send myself a text message&gt;</span>
fi</pre></blockquote>
You should only have to change the items in <span style="color: red;">red</span>, make sure all of the directories exist, and add this script to your crontab.<br />
<br />
Now you will automatically be notified when your contacts change. If you see any unexpected changes, you will have all of the necessary information to restore the missing data.<br />
<br />
Rest easy knowing that your contacts are safe.<br />
<br />
*Securing CloudFlare's FlexibleSSL even further using UFW (2016-10-02)<br />
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2016/10/02/securing-cloudflares-flexiblessl-even-farther-with-ufw/">https://datamakes.com/2016/10/02/securing-cloudflares-flexiblessl-even-farther-with-ufw/</a><br />
<br />
In previous posts, I have mentioned how I am using <a href="https://www.cloudflare.com/">CloudFlare's</a> <a href="https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-">Flexible SSL</a> to help secure this site. From those posts you will remember that <a href="https://support.cloudflare.com/hc/en-us/articles/200170416-What-do-the-SSL-options-mean-">Flexible SSL</a> means that your browsing session is encrypted between your browser and <a href="https://www.cloudflare.com/">CloudFlare</a> but possibly not encrypted between <a href="https://www.cloudflare.com/">CloudFlare</a> and the actual server which holds the data. This causes the data flow to look like:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-almO2vs5BiI/V_EkWl-AWfI/AAAAAAAAriQ/ji1a58MHm7M_jM6qWqNkNzuixh509hhVQCLcB/s1600/CloudFlareFlexibleSSL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="160" src="https://3.bp.blogspot.com/-almO2vs5BiI/V_EkWl-AWfI/AAAAAAAAriQ/ji1a58MHm7M_jM6qWqNkNzuixh509hhVQCLcB/s640/CloudFlareFlexibleSSL.png" width="640" /></a></div>
<br />
<br />
In the case of this web-site, for example, Blogger does not support HTTPS on custom domains, so the HTTP connection shown above exists here as well.<br />
<blockquote class="tr_bq">
NOTE: As mentioned earlier, this site does not contain any personal information or allow anyone to login. Therefore the underlying HTTP connection is of no security consequence. If you can hack into this site, I encourage you to submit a report to the Google Bug Bounty program and get paid for your discovery.</blockquote>
Those of us that understand networking can see from above that it should be possible to bypass <a href="https://www.cloudflare.com/">CloudFlare</a> and get directly to the unencrypted HTTP port on the Apache server. This is indeed true if you can determine the actual IP address of the Apache server.<br />
<br />
This could <b>potentially</b> be a security hole that needs to be patched. Fortunately, through the magic of scripting and the <a href="https://wiki.ubuntu.com/UncomplicatedFirewall">Uncomplicated Firewall (UFW)</a>, or any other firewall, we can shut down this hole.<br />
<br />
If you are running on a Linux server, take a look at this little script I have put together. The basic flow of this script is to:<br />
1) Download a list of known CloudFlare IP addresses - provided by CloudFlare<br />
2) Parse each entry into a UFW command to permit access from CloudFlare to a specific port<br />
<br />
The results of this script are that the Apache server will only accept connections coming from the CloudFlare network. This does not encrypt the connection between CloudFlare and your Apache server, but it does prevent anyone from bypassing CloudFlare.<br />
<br />
Here is the script:<br />
<blockquote class="tr_bq">
<pre>#!/bin/bash

# Interpret the argument as a base-10 integer (non-numeric input yields an error)
function to_int {
    local -i num="10#${1}"
    echo "${num}"
}

# Return 0 when the argument is a valid TCP port number, 1 otherwise
function port_is_ok {
    local port="$1"
    local -i port_num=$(to_int "${port}" 2>/dev/null)

    if (( port_num &lt; 1 || port_num > 65535 )) ; then
        echo "*** ${port} is not a valid port" 1>&2
        return 1
    fi
    return 0
}

# Fetch the published CloudFlare IPv4 ranges; abort before touching any rule if the list is empty
function fetchRanges {
    RANGES=$(curl -sf https://www.cloudflare.com/ips-v4)
    if [ -z "$RANGES" ]; then
        echo "ABORT: could not download the CloudFlare IP list" 1>&2
        exit 1
    fi
}

function addRules {
    for a in $RANGES
    do
        ufw allow to any port "$PORT" proto tcp from "$a"
    done
}

function removeRules {
    # Pick the source address out of every status line of the form "PORT/tcp  ALLOW IN  address"
    for a in $(ufw status numbered | sed -n "s|^\[ *[0-9]*\] *$PORT/tcp *ALLOW IN *\([^ ]*\).*|\1|p")
    do
        ufw --force delete allow to any port "$PORT" proto tcp from "$a"
    done
}

if [ "$(id -u)" -ne 0 ]; then
    echo "ABORT: This script must be run as root"
    exit 1
fi

if ! port_is_ok "$2"; then
    echo "Usage: $0 &lt;add|remove|refresh&gt; &lt;port number&gt;"
    exit 1
fi

PORT=$2
case "$1" in
    "add")
        fetchRanges
        addRules
        ;;
    "remove")
        removeRules
        ;;
    "refresh")
        fetchRanges
        removeRules
        addRules
        ;;
    *)
        echo "ABORT: Usage $0 &lt;add|remove|refresh&gt; &lt;port&gt;"
        exit 1
        ;;
esac</pre></blockquote>
You can see from the "usage" line that the command format for this script is:<br />
<blockquote class="tr_bq">
Usage: <script> <add|remove|refresh> <port number> </blockquote>
Here is what each of the commands means:<br />
1) <b>add</b> is to allow access from CloudFlare to a port<br />
2) <b>remove</b> is to remove access from CloudFlare to a port<br />
3) <b>refresh</b> is a combination of <b>remove</b> then <b>add</b> - to make sure that you have all of the current CloudFlare IP addresses<br />
<br />
A few warnings about this script:<br />
1) It must be run as root - but could be modified to allow anyone who can issue ufw or iptables commands via sudo<br />
2) It only processes CloudFlare IPv4 addresses - but can be modified to allow IPv6 as well (the URL for CloudFlare's IPv6 addresses is <a href="https://www.cloudflare.com/ips-v6">https://www.cloudflare.com/ips-v6</a>)<br />
3) It currently issues ufw commands but could be easily modified to support iptables (or any other firewall) commands<br />
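Because the downloaded list is fed straight into ufw commands run as root, a practitioner will want to check each line before it becomes a rule. The POSIX shell functions below are an added example, not the post's script: they validate IPv4 and IPv6 prefixes (covering the IPv6 list from warning 2), and print the ufw commands for review instead of executing them. The prefixes in the here-documents are constructed sample input standing in for the curl download.<br />

```sh
#!/bin/sh
# Added example, not the post's own script: check the prefixes fetched
# from CloudFlare before they become ufw rules run as root, and accept
# the IPv6 list (https://www.cloudflare.com/ips-v6) as well.

# valid_cidr4 "a.b.c.d/n": return 0 only for a well-formed IPv4 prefix.
valid_cidr4() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    mask=${1##*/}
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 32 ] || return 1
    # Digits and single dots only. This also keeps glob characters away
    # from the unquoted "set --" used for splitting below.
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_cidr6 "hex:groups::/n": a loose IPv6 prefix check (hex digits and
# colons only, at least one colon, prefix length 0-128).
valid_cidr6() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    mask=${1##*/}
    case "$mask" in ''|*[!0-9]*) return 1 ;; esac
    [ "$mask" -le 128 ] || return 1
    case "$ip" in
        *[!0-9a-fA-F:]*) return 1 ;;   # anything but hex digits and colons
        *:*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_rules PORT FAMILY: read one prefix per line on stdin and print the
# ufw command for each valid one; anything else is reported on stderr and
# skipped. Nothing is executed here: review the output, then pipe it to sh.
build_rules() {
    port=$1
    family=$2
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if [ "$family" = 4 ] && valid_cidr4 "$line"; then
            ok=1
        elif [ "$family" = 6 ] && valid_cidr6 "$line"; then
            ok=1
        else
            ok=0
        fi
        if [ "$ok" = 1 ]; then
            printf 'ufw allow to any port %s proto tcp from %s\n' "$port" "$line"
        else
            printf '*** skipped unexpected line: %s\n' "$line" >&2
        fi
    done
}

# Constructed sample input standing in for "curl -s https://www.cloudflare.com/ips-v4"
# and ".../ips-v6": plausible prefixes plus lines that must be rejected.
build_rules 443 4 <<'EOF'
103.21.244.0/22
103.22.200.0/22
999.1.1.0/24
not-an-address
EOF
build_rules 443 6 <<'EOF'
2400:cb00::/32
2400:cb00::/129
EOF
```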
<br />
Good luck - and enjoy your more secure CloudFlare network.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-81809896124578156462016-04-26T06:57:00.003-07:002020-03-03T12:32:46.183-08:00*Preventing file changes on Linux<table bordercolor="#23c100" width="2px"><tr></td>
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2016/04/26/preventing-file-changes-on-linux/">https://datamakes.com/2016/04/26/preventing-file-changes-on-linux/</a>
</td></tr></table>
<br />
Today's tip will be short - but it can be very useful. Simply put, if you want to prevent a file from being changed on a Linux file system I have just learned that there is an immutable option. All you have to do is type (as root)<br />
<blockquote class="tr_bq">
chattr +i <filename></blockquote>
Now, of course, you can undo this by using<br />
<blockquote class="tr_bq">
chattr -i <filename></blockquote>
So, you may be asking, why would I want to make a file unchangeable?<br />
<br />
I will answer that by describing the specific case that caused me to look for this. I was in the process of trying to enable <a href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">DNSSEC</a> on my Linux computer. To address this concern, I installed the <a href="https://www.unbound.net/">unbound</a> DNS resolver (a topic for a different post).<br />
<br />
I tried to make some configuration changes to both dhclient and resolvconf to ensure I was always using unbound. Neither of these changes seemed to force the VPN client I was using from <a href="http://www.privateinternetaccess.com/">Private Internet Access</a> to use 127.0.0.1 as the DNS server. This leads me to believe that the Private Internet Access client directly writes /etc/resolv.conf - completely bypassing unbound.<br />
<br />
The solution - <b>immutable files</b>. Basically, I locked /etc/resolv.conf so that it can't be changed! Now, I just have to remember to unlock it if I ever run a VPN application where I really do want to honor the DNS servers of the VPN provider - such as for a corporate network. <br />
<br />
<br />Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-57066826953237897792016-04-02T11:36:00.000-07:002020-03-03T05:54:51.738-08:00*Web Knocking - an HTTP(S) based equivalent of Port Knocking<table bordercolor="#23c100" width="2px"><tr></td>
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2016/03/03/web-knocking-an-https-based-equivalent-of-port-knocking/">https://datamakes.com/2016/03/03/web-knocking-an-https-based-equivalent-of-port-knocking/</a>
</td></tr></table>
<br />
A few weeks ago, I was trying to figure out a way that I could <u><b>remotely</b></u> trigger a computer in my home to perform an automated task. For those that know me, you already know that I am extremely paranoid about providing remote access to anything, since it is very easy to misconfigure remote access and create large security holes.<br />
<br />
I thought about trying to use <a href="https://en.wikipedia.org/wiki/Port_knocking">port knocking</a> as the trigger. For those not familiar with port knocking, the basic idea is that you can detect incoming packets (either TCP or UDP) to specific ports. If you receive the correct sequence of port connection requests, even if the packets do not ever get received by a server, then you can trigger automated tasks.<br />
<br />
Port knocking might be used to open a port on a firewall, for example. The idea is that if you are away from your network and want to access a server, you send packets to ports 1234/udp, 5678/tcp, 8442/udp (or whatever sequence you like) and then a script allows access to port 443/tcp for your remote IP address. The theory is that since only you know the correct sequence of ports, you should be the only one able to gain access to your server.<br />
<br />
But I ran into a problem with port knocking. I quickly found out that depending on the network I was on, I could not always send packets destined for the ports in my port knocking sequence. This could be due to the airport proxy system, a corporate network restriction, or a host of other network limiting techniques.<br />
<br />
So I found a work-around to my problem which I am calling "web knocking". The basic idea is the same, except I am using <a href="https://www.modsecurity.org/">mod_security</a> within an Apache server as the receiver of my incoming requests. In mod_security, I wrote a rule that looked like:<br />
<blockquote class="tr_bq">
SecRule REQUEST_FILENAME "^/trigger.php" "phase:1,id:'32100',drop,msg:'Automation triggered',exec:/home/my/automatic/script.sh"</blockquote>
Let's take a quick look at this rule to see exactly what it does.<br />
<ol>
<li>The REQUEST_FILENAME clause tells us to match on just the filename portion of the URL requested</li>
<li>The "^/trigger.php" is a <a href="https://en.wikipedia.org/wiki/Regular_expression">regex</a> which is matched against the filename requested. For those not familiar with regexes, the ^ means "beginning of the string" - so this would match /trigger.php but not /my_trigger.php</li>
<li>The "phase:1" portion tells mod_security that we want this rule executed in the early stages of the HTTP connection</li>
<li>The ID number is whatever you choose to appear in the logs</li>
<li>The "drop" tells mod_security to immediately drop the connection with no further reason provided to the client. <u><b>This is key.</b></u> Nobody will receive confirmation that the file does or does not exist or that any action was taken based on their connection attempt.</li>
<li>The "exec" section tells mod_security to execute a specific script to take whatever action you desired.</li>
</ol>
Now, an interesting trick with this rule is that /trigger.php <u>does not have to exist</u> on your server to make this work. In fact, it is probably better if the file does not exist, so you don't accidentally run anything you weren't expecting.<br />
<br />
It is also important to recognize that the script will be run under the user ID used to run the web server. This could be www, nobody, or something else depending on your configuration. You need to make sure that the web server has proper permissions to run the script and whatever is inside the script.<br />
<br />
You will also have access to portions of the HTTP request data as environment variables. To determine exactly what your web server provides to the script, I would suggest adding "env > /dev/shm/vars" (or something similar) so you can see all of the environment variables that exist for your use.<br />
<br />
You can make the scripts as complex as you want, including chaining them together. For example, you could have /trigger1 run a script that creates a temp file. The script that triggers when you request /trigger2 could check for the existence of that temporary file and not run if the temp file does not exist.<br />
<br />
Just remember that even a successful request from you will result in mod_security dropping the connection. Therefore, you won't get confirmation that your request was received, but you could have your script send your cell phone an SMS or take any other action so you know that your automation triggered properly.<br />
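The two-stage chain sketched above (a marker left by /trigger1 that /trigger2 checks for) can be written as one small handler. The script below is an added example, not the post's own /home/my/automatic/script.sh; it assumes, hypothetically, that mod_security exposes the requested path to the script as REQUEST_URI and that the job to run lives at /home/my/automatic/job.sh, and it adds two checks a practitioner would want: the marker expires after a short window, and it is consumed so that one knock sequence runs the job at most once.<br />

```sh
#!/bin/sh
# Added example, not the post's own script: a two-stage "web knock" handler
# meant to be the target of the mod_security exec: action. A request for
# /trigger1 arms a marker file; a request for /trigger2 runs the job only
# while that marker is fresh, and consumes it.
# Hypothetical assumptions: mod_security passes the requested path to the
# script as REQUEST_URI (check with "env > /dev/shm/vars"), and the job to
# run is /home/my/automatic/job.sh.

STATE_DIR=${STATE_DIR:-/dev/shm/webknock}   # must be writable by the web server user
MAX_AGE=${MAX_AGE:-120}                     # seconds a stage-1 knock stays valid
JOB=${JOB:-/home/my/automatic/job.sh}       # hypothetical job to trigger

# stage1 DIR: record the first knock as a timestamp in DIR/stage1.
stage1() {
    mkdir -p "$1" && date +%s > "$1/stage1"
}

# stage2 DIR MAX_AGE: return 0 only if DIR/stage1 exists and is at most
# MAX_AGE seconds old. The marker is removed either way, so one knock
# sequence yields at most one run.
stage2() {
    m=$1/stage1
    [ -f "$m" ] || return 1
    read -r ts < "$m" || ts=""
    rm -f "$m"
    case "$ts" in ''|*[!0-9]*) return 1 ;; esac
    age=$(( $(date +%s) - ts ))
    [ "$age" -ge 0 ] && [ "$age" -le "$2" ]
}

# dispatch PATH DIR MAX_AGE: map the knocked path to an action and print
# the outcome ("armed", "run" or "ignored") so callers can check it.
dispatch() {
    case "$1" in
        /trigger1) if stage1 "$2"; then echo armed; else echo ignored; fi ;;
        /trigger2) if stage2 "$2" "$3"; then echo run; else echo ignored; fi ;;
        *) echo ignored ;;
    esac
}

# Entry point when mod_security runs the script (see the assumption above).
# The connection was already dropped, so the only feedback is the log line.
if [ -n "$REQUEST_URI" ]; then
    path=${REQUEST_URI%%\?*}             # strip any query string
    action=$(dispatch "$path" "$STATE_DIR" "$MAX_AGE")
    logger -t webknock "path=$path action=$action"
    if [ "$action" = run ]; then
        "$JOB"
    fi
fi
```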
<br />
Happy web knocking!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-83490104227067094592016-01-25T10:29:00.000-08:002020-03-03T13:10:43.243-08:00*VirtualBox host and virtual machine time getting out of sync<table bordercolor="#23c100" width="2px"><tr></td>
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2016/01/25/virtualbox-host-and-virtual-machine-clock-gets-out-of-sync/">https://datamakes.com/2016/01/25/virtualbox-host-and-virtual-machine-clock-gets-out-of-sync/</a>
</td></tr></table>
<br />
I ran into a very interesting problem recently, which had me stumped for a while. I had a VirtualBox (version 5.0.10) host with 2 virtual machines running on it. For some reason the guests' clocks would get out of sync with the host. While this might not seem like an annoying problem, some of the programs that I was running were time-sensitive. This was an issue that I wanted to fix.<br />
<br />
Both my host and virtual machines were running Ubuntu 14.04 LTS with the latest patches.<br />
<br />
Now, I have solved this problem and the clocks appear to stay in sync now. Here is what I did to make it work.<br />
<br />
First, I will say that I already did have the VirtualBox Guest Additions compiled and I verified that their kernel modules were loaded.<br />
<br />
To solve this clock problem, I ended up adding additional configuration parameters, using the following syntax:<br />
<blockquote class="tr_bq">
VBoxManage setextradata "VM Name" "parameter" "value"</blockquote>
The parameters and values that I found when searching on Google were a bit difficult to find. It turns out that the documentation was right in the <a href="https://www.virtualbox.org/manual/ch09.html#idp46730494534128">VirtualBox manual Chapter 9</a> but I originally didn't understand what that meant.<br />
<br />
Here are the values that I added to my virtual machine that made the time synchronization work:<br />
<br />
<blockquote class="tr_bq">
Key: /VirtualBox/GuestAdd/VBoxService/timesync-set-start, Value: 1<br />
Key: /VirtualBox/GuestAdd/VBoxService/timesync-set-threshold, Value: 60000<br />
Key: VBoxInternal/GuestAdd/VBoxService/timesync-interval, Value: 10000<br />
Key: VirtualBox/GuestAdd/VBoxService/timesync-set-start, Value: 1<br />
Key: VirtualBox/GuestAdd/VBoxService/timesync-set-threshold, Value: 60000</blockquote>
<br />
I am almost convinced that some of those key value names are incorrect - but I couldn't figure out which ones caused the clocks to stay in sync and which were extra.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-53007662418240918202015-04-01T13:00:00.002-07:002020-03-03T13:18:41.182-08:00*Job scheduling on Linux with time randomization<table bordercolor="#23c100" width="2px"><tr></td>
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2015/04/01/job-scheduling-on-linux-with-randomization/">https://datamakes.com/2015/04/01/job-scheduling-on-linux-with-randomization/</a>
</td></tr></table>
<br />
<h2>
<b><span style="font-weight: normal;">Job scheduling on Linux with time randomization.....and efficiency</span></b></h2>
<br />
You might immediately wonder why I would write about job scheduling and randomization. I understand that this does appear to be two entirely opposite ideas - and in a lot of cases you would be completely correct.<br />
<br />
However, there are also some very valid use cases for having a scheduled job that happens at a random time. Most of these use cases revolve around resource scheduling and potential performance hits. There are also situations where timing is not particularly important.<br />
<br />
On Linux, there is the cron daemon which is very good at scheduling jobs. Unfortunately, however, there is no way to say to cron "please run this job at 8am plus or minus 2 hours".<br />
<br />
There is another job scheduling daemon on Linux called at, which is useful here. The at daemon is used to schedule a job to run once in the future.<br />
<br />
By combining cron and at we can create a job scheduling technique that allows for randomization (or other programmatic time selection each day).<br />
<br />
To make this happen, you will: <br />
<ol>
<li>Schedule a job with cron that runs at a fixed time each day</li>
<li>Have this job randomly select a time in the future</li>
<li>Submit this new job once daily to the at scheduler</li>
</ol>
Don't worry, it isn't as complicated as it sounds. Here is how you can easily do this.<br />
<br />
Step 1: Create a shell script to randomly select the time to run a job. The script might look something like this:<br />
<blockquote class="tr_bq">
#!/bin/bash<br />
script="<u><b>/data/runJob.sh</b></u>" #insert the path to your script here<br />
min=$(( <u><b>8 * 60</b></u> ))<br />
rmin=$(( $RANDOM % $min ))<br />
at -f "$script" now+${rmin}min </blockquote>
The 2 important lines in this file are the boldfaced lines above. The first line selects the script you want to run at the random time in the future.<br />
<br />
The second line sets the limit for how far in the future your randomized job time will be. In this example, I have set the limit to 8 hours. The line underneath the boldfaced lines picks a random minute number between 0 and 8 hours. The final line submits the job to the at scheduler.<br />
<br />
Step 2: Edit your crontab file by using the crontab command and add your new fixed time job.<br />
<blockquote class="tr_bq">
0 8 * * * /data/delayJob.sh </blockquote>
This example schedules cron to trigger delayJob.sh at 8am every day.<br />
<br />
You are finished - you now have a job that will run each day at a random time between 8am and 4pm (since I set an 8 hour window).<br />
<br />
You can change the time calculation function to be whatever you want.<br />
<br />
The best part....this method does not create inefficient timers or sleep loops, and the scheduled job will survive a system reboot no matter when it happens.<br />
<br />
Enjoy your planned chaos!Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-48719078448136207702015-03-23T08:01:00.002-07:002015-03-23T08:01:50.107-07:00Security: Getting Rational Host on Demand on Linux to trust a self-signed certificateAs everyone knows, it is considered to be a best practice to connect to terminal systems over an encrypted connection. This is even more true the more sensitive the system is you are connecting to.<br />
<br />
You would be amazed just how many systems are on the Internet and unprotected. Using a non-encrypted connection is almost like asking someone to use a packet sniffer and steal your password.<br />
<br />
For a good overview of just how many zSystems are on the Internet, I do recommend watching a video by Philip Young on <a href="https://www.youtube.com/watch?v=3HFiv7NvWrM">YouTube</a>. Philip has given several very interesting talks about exposed zSystems.<br />
<br />Now, since you want to encrypt your session, here are instructions for enabling access to servers that use self-signed certificates in Rational Host on Demand. (NOTE: these instructions were taken from <a href="http://www-01.ibm.com/support/docview.wss?uid=swg21395269">http://www-01.ibm.com/support/docview.wss?uid=swg21395269</a>)<br />
<br />
<b>NOTE</b>: pictures and additional details will be coming soon<br />
<blockquote class="tr_bq">
cd /opt/IBM/HostOnDemand/bin<br />sudo ./CertificateManagement</blockquote>
Switch the section to Signer certificates<br />
Import the certificate you want. Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-63982209942698798822015-02-17T12:48:00.001-08:002015-02-17T13:04:45.643-08:00zSystems: z/OS 101 - a vocabulary lesson<span style="color: #3d85c6;"><b>Learn to speak like a zSystems expert!</b></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.ibmsystemsmag.com/getattachment/67f85599-3604-49b6-9d07-64558f796caf" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.ibmsystemsmag.com/getattachment/67f85599-3604-49b6-9d07-64558f796caf" height="187" width="400" /></a></div>
<br />
In a continuation of my writing for the IBM Systems Magazine online edition, my second article was published in February 2015. The topic of this is really to introduce people to the vocabulary that is used on zSystems to enable effective communication.<br />
<br />
The article really is composed like flash cards with vocabulary terms. Each card contains a zSystems specific word, a definition, and an analogy to the closest Linux or Windows term available. I hope that this format is the easiest to use for everyone.<br />
<br />
The terms are actually broken down into 8 groups - the first 4 groups will be posted in February and the second 4 groups will be posted in March.<br />
<br />
The story behind this idea is a long one. This list of terms actually started in 2002 when Sarah McAndrew (a colleague of mine) and I put together this presentation to introduce some z terminology to a customer of ours in Boston. The list has grown and evolved slightly since that time - but the majority of the terms are still the same.<br />
<br />
I hope you enjoy this introduction to zSystems vocabulary and that you find it helpful. You can read this article online at <a href="http://www.ibmsystemsmag.com/mainframe/tipstechniques/miscellaneous/vocabulary-101/">http://www.ibmsystemsmag.com/mainframe/tipstechniques/miscellaneous/vocabulary-101/</a> or view a cached copy at <a href="https://drive.google.com/drive/u/1/#folders/0B8bmmfO_CSUodkRnWHE3bDBHWk0/0B8bmmfO_CSUoVGs4MklBLU96Tzg">by clicking here</a>.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-86627049860433957372015-01-22T07:54:00.001-08:002020-03-03T10:30:27.677-08:00*Utility: Using autofs on Linux to automatically mount remote filesystems<table bordercolor="#23c100" width="2px"><tr></td>
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2015/01/22/using-autofs-to-automatically-mount-linux-filesystems/">https://datamakes.com/2015/01/22/using-autofs-to-automatically-mount-linux-filesystems/</a>
</td></tr></table>
<br />
<u><b>Mounting a remote file system automatically</b></u><br />
In today's connected world, it is hard to imagine a computer that does not connect to another one remotely. Just consider the simple example of having a file server in your home. This is a pretty common situation where you want to have 1 copy of your files but access them from multiple computers without having to make copies.<br />
<u><b> </b></u><br />
It would become rather annoying to have to manually reconnect to your file server every time you need a file. There are also times where your connection times out - even though you haven't rebooted - and you have to re-establish your network connections.<br />
<br />
Never fear - autofs is here! This will make your life easier.<br />
<br />
Let's start by making sure that you have the autofs package installed. <b>NOTE:</b> This is the package name on Ubuntu - and it may vary by distribution<br />
<blockquote class="tr_bq">
sudo apt-get install autofs</blockquote>
That was easy, now let's configure autofs to automatically mount filesystems for us. In this example, I will be connecting to a Windows server using the cifs protocol. The same example can be modified to other networked file systems as well.<br />
<br />
First, autofs does not ship a script to automatically mount cifs file systems. So, let's create /etc/auto.cifs and add the following contents. <b>NOTE:</b> There are 2 places highlighted in red that you need to change to be your username - and remove the < and > signs.<br />
<blockquote class="tr_bq">
#!/bin/bash<br />
# $Id$<br />
# This file must be executable to work! chmod 755!<br />
key="$1"<br />
# Note: create a cred file for each windows/Samba-Server in your network<br />
# which requires password authentication. The file should contain<br />
# exactly two lines:<br />
# username=user<br />
# password=*****<br />
# Please don't use blank spaces to separate the equal sign from the<br />
# user account name or password. Since the file holds a password, keep it<br />
# owned by root with mode 600 (autofs runs this script as root).<br />
credfile="/etc/auto.cifs.$key"<br />
# Note: Use cifs instead of smbfs:<br />
mountopts="-fstype=cifs,file_mode=0644,dir_mode=0755,uid=<span style="color: red;"><your username></span>,gid=<span style="color: red;"><your username></span>"<br />
smbclientopts=""<br />
# Locate the smbclient binary; give up if it is not installed.<br />
SMBCLIENT=""<br />
for P in /bin /sbin /usr/bin /usr/sbin<br />
do<br />
if [ -x "$P/smbclient" ]<br />
then<br />
SMBCLIENT="$P/smbclient"<br />
break<br />
fi<br />
done<br />
[ -n "$SMBCLIENT" ] || exit 1<br />
# Use the credentials file if it exists, otherwise try a null session (-N).<br />
if [ -e "$credfile" ]<br />
then<br />
mountopts="$mountopts,credentials=$credfile"<br />
smbclientopts="-A $credfile"<br />
else<br />
smbclientopts="-N"<br />
fi<br />
# List the shares on the host ("-gL" prints "Disk|name|comment" lines) and<br />
# turn every disk share into a map entry of the form "/name ://host/name".<br />
$SMBCLIENT $smbclientopts -gL "$key" 2>/dev/null \<br />
| awk -v key="$key" -v opts="$mountopts" -F'|' -- '<br />
BEGIN { ORS=""; first=1 }<br />
/Disk/ { if (first) { print opts; first=0 };<br />
gsub(/ /, "\\ ", $2);<br />
sub(/\$/, "\\$", $2);<br />
print " \\\n\t /" $2, "://" key "/" $2 }<br />
END { if (!first) print "\n"; else exit 1 }<br />
'</blockquote>
Make sure that you make this script executable by typing<br />
<blockquote class="tr_bq">
sudo chmod 755 /etc/auto.cifs</blockquote>
Now, you need to store credentials for each host you wish to connect to. These credentials are stored in /etc/auto.cifs.<ip address> - for example, /etc/auto.cifs.192.168.1.1. The format of the file is 1 line for username and 1 line for password, such as<br />
<blockquote class="tr_bq">
username=<my username><br />
password=<my password></blockquote>
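Since these files hold passwords and are read by a script that autofs runs as root, it is worth checking them before relying on them. The shell function below is an added example, not part of the post or of autofs: it verifies that an /etc/auto.cifs.<host> file is readable by its owner only and contains exactly the two-line username=/password= format described above, with no blanks around the equal sign.<br />

```sh
#!/bin/sh
# Added example, not part of the original post: sanity-check an
# /etc/auto.cifs.<host> credentials file before autofs uses it.
# check_credfile FILE: print a reason on stderr and return 1 on the first
# problem found; return 0 if the file passes every check.
check_credfile() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    # Columns 5-10 of "ls -l" are the group and other permission bits;
    # all of them must be off because the file contains a password.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: readable by group/other (chmod 600)" >&2; return 1; }
    n=0
    have_user=0
    have_pass=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            *[[:blank:]]=*|*=[[:blank:]]*)
                echo "$f: line $n has blanks around '='" >&2; return 1 ;;
            username=*) have_user=1 ;;
            password=*) have_pass=1 ;;
            *) echo "$f: line $n is neither username= nor password=" >&2; return 1 ;;
        esac
    done < "$f"
    [ "$n" -eq 2 ] || { echo "$f: expected exactly 2 lines, found $n" >&2; return 1; }
    [ "$have_user" -eq 1 ] && [ "$have_pass" -eq 1 ] ||
        { echo "$f: missing username= or password= line" >&2; return 1; }
    return 0
}

# Usage: ./check_credfile.sh /etc/auto.cifs.192.168.1.1
if [ -n "$1" ]; then
    check_credfile "$1" && echo "$1: ok"
fi
```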
Next, we need to tell autofs about our new script - and how to execute it. This is done by simply adding 1 line to the bottom of /etc/auto.master which reads<br />
<blockquote class="tr_bq">
/cifs /etc/auto.cifs --timeout 60</blockquote>
<br />
This tells autofs that when you access /cifs/<ip address> it should mount the remote filesystem for you automatically. The timeout option says that if I have not accessed the filesystem in 60 seconds, then it should be automatically dismounted.<br />
<br />
Since we are connecting to a remote Windows server, you need to append the share name to the end of the directory. For example, if you<br />
<blockquote class="tr_bq">
cd /cifs/192.168.1.1/c$</blockquote>
autofs will automatically log into 192.168.1.1 with the credential stored in /etc/auto.cifs.192.168.1.1 and attempt to mount the share named c$. This assumes that you have the appropriate permissions on the Windows server to access this share.<br />
<br />
Finally, we need to make sure that the base directory (/cifs in my example) exists. You don't have to worry about any directory underneath the base, autofs takes care of that automatically. Let's type<br />
<blockquote class="tr_bq">
sudo mkdir /cifs<br />
sudo chown <username>:<username> /cifs</blockquote>
<br />
Now that everything is properly connected, you need to restart autofs to recognize the changes. You can do this by either rebooting or entering<br />
<blockquote class="tr_bq">
sudo /etc/init.d/autofs restart</blockquote>
<br />
Happy file sharing - and no more remembering to mount remote file systems manually. <br />
<br />
<br />Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-18858861255968990182015-01-06T10:11:00.003-08:002015-01-06T10:12:24.195-08:00Security: OpenSSH on Windows using CygwinIn this entry, I will be discussing how to configure the OpenSSH server on Windows using the Cygwin provided binaries. This information was originally in my <a href="http://blog.visideas.com/2014/12/security-road-warrier-remote-access.html">Road Warrior</a> article, until I found a simpler way to configure OpenSSH. This is really here simply for historical purposes - or if you have a really strong reason for preferring the Cygwin packaged version of OpenSSH<br />
<h2>
<span style="color: #38761d;"><u><b>Setting up the OpenSSH server using public key authentication:</b></u></span></h2>
OpenSSH is normally a Linux program that provides an encrypted connection between two machines. OpenSSH also has the attributes of being open source, well studied, generally considered to be secure, provides public/private key authentication and port tunneling.<br />
<br />
Those last 2 attributes are very important to increasing the security of this solution. By using public/private key authentication, it is significantly more difficult for someone to access our system or capture and decrypt our traffic at a later time. The port tunneling feature will allow us to route our VNC connection through the SSH connection, gaining the strength and protection of the SSH encryption. This is the reason that we didn't need TightVNC to open a Windows Firewall rule and we only allowed VNC connections from localhost. The TightVNC server will believe that we are connecting locally, even though we are really at the other end of the SSH connection. By allowing only loopback connections, we basically have closed off the possibility of someone directly accessing the TightVNC server and avoiding the SSH session.<br />
<br />
For this solution, I have chosen to use the OpenSSH server provided by the <a href="http://www.cygwin.com/" target="_blank">Cygwin</a> project. The Cygwin project ports standard Linux applications to run on a Windows environment. This is the most "pure" implementation of OpenSSH on Windows that I am aware of - and all of the source code is available for the public to evaluate.<br />
<br />
Enough on the background, let's get to installing software:<br />
1) Go to <a href="https://cygwin.com/install.html">https://cygwin.com/install.html</a> and download the latest installer for your operating system. You probably have a 64-bit Operating System, so make sure you choose that.<br />
2) Start the installer<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-m78tNTDLhSk/VJhSy5CUp_I/AAAAAAAAfJU/5YGR2D0cWbk/s1600/Cygwin_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-m78tNTDLhSk/VJhSy5CUp_I/AAAAAAAAfJU/5YGR2D0cWbk/s1600/Cygwin_1.JPG" /></a></div>
<br />
3) Click Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-IDXNeprzBlg/VJhSzJ734nI/AAAAAAAAfKU/GXAlFVFjOGE/s1600/Cygwin_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-IDXNeprzBlg/VJhSzJ734nI/AAAAAAAAfKU/GXAlFVFjOGE/s1600/Cygwin_2.JPG" /></a></div>
<br />
4) Leave the default setting of "Install from Internet" and click Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-c3tBxqCGZ6Y/VJhSzShyHZI/AAAAAAAAfJc/2ANE38RsMb0/s1600/Cygwin_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-c3tBxqCGZ6Y/VJhSzShyHZI/AAAAAAAAfJc/2ANE38RsMb0/s1600/Cygwin_3.JPG" /></a></div>
<br />
5) Leave the default setting (in this case, C:\cygwin64) and hit Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-_QLxSbRMY-k/VJhSzm5QHjI/AAAAAAAAfJg/7mD_WiQY1KI/s1600/Cygwin_4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-_QLxSbRMY-k/VJhSzm5QHjI/AAAAAAAAfJg/7mD_WiQY1KI/s1600/Cygwin_4.JPG" /></a></div>
<br />
6) Leave the default setting and hit Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/--AgtbHmE-rI/VJhSz7sBzjI/AAAAAAAAfJo/f6vuW4TLbFs/s1600/Cygwin_5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/--AgtbHmE-rI/VJhSz7sBzjI/AAAAAAAAfJo/f6vuW4TLbFs/s1600/Cygwin_5.JPG" /></a></div>
<br />
7) In most cases, "Direct Connection" (the default) is the right choice - but enter whatever information you need to connect to the Internet and hit Next.<br />
<br />
8) Scan down the list and see if you recognize any sites near you because they will probably be faster. I have also had better luck with http instead of ftp, so pay close attention to the URL. Pick your favorite site (they all have the same content) and hit Next.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-S4JlV1nOrCI/VJhSzyslYiI/AAAAAAAAfJs/TzxjSrPoONY/s1600/Cygwin_6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-S4JlV1nOrCI/VJhSzyslYiI/AAAAAAAAfJs/TzxjSrPoONY/s1600/Cygwin_6.JPG" /></a></div>
<br />
9) <b>This step is important, please pay close attention.</b> In the search box at the top of the screen, enter "openssh", then expand the "Net" section. You will see that the version number is set to "Skip". Click on the circular icon to the left of the "Skip" once until you see a version number. This means that you will be installing OpenSSH.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-QHnISXk0KBk/VJhS0pLZ9zI/AAAAAAAAfJ8/eLSoK6fL1oE/s1600/Cygwin_7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-QHnISXk0KBk/VJhS0pLZ9zI/AAAAAAAAfJ8/eLSoK6fL1oE/s1600/Cygwin_7.JPG" /></a></div>
<br />
10) Repeat the same steps to select the package "cygrunsrv" - the program that will automatically start OpenSSH when your system boots<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Alvx_64CStU/VJhS0d0tSQI/AAAAAAAAfJ4/x4FUGzZy-Tg/s1600/Cygwin_8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-Alvx_64CStU/VJhS0d0tSQI/AAAAAAAAfJ4/x4FUGzZy-Tg/s1600/Cygwin_8.JPG" /></a></div>
<br />
10) Press Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-oiu8AU9hZRg/VJhS2Lf5c2I/AAAAAAAAfKg/6hlu5BgtbKo/s1600/Cygwin_9.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-oiu8AU9hZRg/VJhS2Lf5c2I/AAAAAAAAfKg/6hlu5BgtbKo/s1600/Cygwin_9.JPG" /></a></div>
<br />
11) Press Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-kDxZCJLL93c/VJhSyhtz1yI/AAAAAAAAfJQ/aYANnIPTQXY/s1600/Cygwin_10.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-kDxZCJLL93c/VJhSyhtz1yI/AAAAAAAAfJQ/aYANnIPTQXY/s1600/Cygwin_10.JPG" /></a></div>
<br />
12) Wait while the installation proceeds<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-Pc2vcfiWF7o/VJhSygD9UbI/AAAAAAAAfJY/zOIApM2_2n4/s1600/Cygwin_11.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-Pc2vcfiWF7o/VJhSygD9UbI/AAAAAAAAfJY/zOIApM2_2n4/s1600/Cygwin_11.JPG" /></a></div>
<br />
13) Press Finish<br />
<br />
Now that both OpenSSH and cygrunsrv have been installed, we need to do some configuration.<br />
1) Go to the Start Menu<br />
2) Go to All Programs<br />
3) Look for the Cygwin group<br />
4) Right click on Cygwin64 Terminal and choose "Run as Administrator" - <b>this is important</b>, certain steps will fail without appropriate permissions<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-1FD3uS2I8a0/VJhWZpK5xGI/AAAAAAAAfKs/t9Ad2SI6bdU/s1600/Cygwin_start.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-1FD3uS2I8a0/VJhWZpK5xGI/AAAAAAAAfKs/t9Ad2SI6bdU/s1600/Cygwin_start.jpg" /></a></div>
5) Now don't get scared - a text-based terminal will appear.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-RYKusyLpd8k/VJhdAB211SI/AAAAAAAAfK8/bm5oCXIIh1o/s1600/OpenSSH_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-RYKusyLpd8k/VJhdAB211SI/AAAAAAAAfK8/bm5oCXIIh1o/s1600/OpenSSH_1.JPG" /></a></div>
<br />
6) Type "ssh-host-config" (without the quotes) and hit Enter<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/--MB0zUXtrpY/VJhdAnSRBiI/AAAAAAAAfLI/LSsYtHLKgUI/s1600/OpenSSH_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/--MB0zUXtrpY/VJhdAnSRBiI/AAAAAAAAfLI/LSsYtHLKgUI/s1600/OpenSSH_2.JPG" /></a></div>
<br />
<br />
7) When asked if you want to enable StrictModes, type "no" and hit Enter. StrictModes makes sshd refuse to read an authorized_keys file (or the .ssh directory and home directory containing it) that other users can write to. It is turned off here because Cygwin's mapping of Windows ACLs often fails that check even when the files are fine, but it also means sshd will no longer warn you about loose permissions, so you have to make sure yourself that nobody else on the machine can write to these files.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-UTbgzcFdj8w/VJhdA0knRvI/AAAAAAAAfLQ/P2Kdy79pL-4/s1600/OpenSSH_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-UTbgzcFdj8w/VJhdA0knRvI/AAAAAAAAfLQ/P2Kdy79pL-4/s1600/OpenSSH_3.JPG" /></a></div>
<br />
<br />
8) When asked if you want to enable Privilege Separation, type "no" and hit Enter. Privilege separation runs the part of sshd that talks to not-yet-authenticated clients as an unprivileged user, so a bug in that code does not directly hand over the privileges of the service account. Answering "no" removes that layer of defence in depth; if your Cygwin version lets the script create the unprivileged sshd account it needs, answer "yes" instead.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-9FJaLQQGnQc/VJhdBKbNTtI/AAAAAAAAfLU/KyAejDhK-DI/s1600/OpenSSH_4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://4.bp.blogspot.com/-9FJaLQQGnQc/VJhdBKbNTtI/AAAAAAAAfLU/KyAejDhK-DI/s1600/OpenSSH_4.JPG" /></a></div>
<br />
<br />
9) When asked if you want to run the SSH server as a service, type "yes" and hit Enter.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-zJKlASPREm0/VJhdBYs89TI/AAAAAAAAfLk/MOGcIlEfnKs/s1600/OpenSSH_6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-zJKlASPREm0/VJhdBYs89TI/AAAAAAAAfLk/MOGcIlEfnKs/s1600/OpenSSH_6.JPG" /></a></div>
<br />
<br />
10) When asked "Enter the value of CYGWIN for the daemon", type "ntsec" (without the quotes) and hit Enter<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-97Jy69ZOg_M/VJhdBs6eU3I/AAAAAAAAfLc/1X4crtALSos/s1600/OpenSSH_7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-97Jy69ZOg_M/VJhdBs6eU3I/AAAAAAAAfLc/1X4crtALSos/s1600/OpenSSH_7.JPG" /></a></div>
<br />
<br />
11) The script will then offer to create a privileged account to run the service under. When it asks whether you want to use a different name, respond "no" (to keep the default name) and hit Enter.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-HSol9E8QKkM/VJhdCMT5vsI/AAAAAAAAfLs/buJa4CFpaOQ/s1600/OpenSSH_8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-HSol9E8QKkM/VJhdCMT5vsI/AAAAAAAAfLs/buJa4CFpaOQ/s1600/OpenSSH_8.JPG" /></a></div>
<br />
<br />
12) Accept the default username by responding "yes" and hit Enter<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-1yyuFJe0l18/VJhdCGM492I/AAAAAAAAfLo/DkiuaALPxVw/s1600/OpenSSH_9.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-1yyuFJe0l18/VJhdCGM492I/AAAAAAAAfLo/DkiuaALPxVw/s1600/OpenSSH_9.JPG" /></a></div>
<br />
<br />
13) You will be prompted for a password for the new privileged user. Type one and press Enter. <b>NOTE:</b> You will not see any characters being entered<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-pdeeY5hZx0M/VJhdAP5KvFI/AAAAAAAAfLE/85IquSqJBVk/s1600/OpenSSH_10.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-pdeeY5hZx0M/VJhdAP5KvFI/AAAAAAAAfLE/85IquSqJBVk/s1600/OpenSSH_10.JPG" /></a></div>
<br />
<br />
14) You will see a warning about some missing groups and will be asked if you want to proceed. Respond with "yes" and hit Enter.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-RpVzuMsL444/VJhdAPCqhRI/AAAAAAAAfLA/EqeQcpKNokI/s1600/OpenSSH_11.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-RpVzuMsL444/VJhdAPCqhRI/AAAAAAAAfLA/EqeQcpKNokI/s1600/OpenSSH_11.JPG" /></a></div>
<br />
<br />
15) The installation will finish. Don't worry about some of the error messages you see.<br />
<br />
16) Verify the SSH server is working by typing "net start sshd" and looking for a message stating that the service has been successfully started.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-jIC_34-vHag/VJhdAlQIpBI/AAAAAAAAfLM/5h7m-0w5M1I/s1600/OpenSSH_12.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-jIC_34-vHag/VJhdAlQIpBI/AAAAAAAAfLM/5h7m-0w5M1I/s1600/OpenSSH_12.JPG" /></a><a href="https://www.blogger.com/blogger.g?blogID=7004426518351853593" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"></a></div>
<br />
17) Now, stop the SSH server by typing "net stop sshd" and hitting Enter<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=7004426518351853593" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://2.bp.blogspot.com/-lgIX6NxJPvw/VJhpG3CjMQI/AAAAAAAAfM4/2Z2nl4U-zEc/s1600/OpenSSH_13.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-lgIX6NxJPvw/VJhpG3CjMQI/AAAAAAAAfM4/2Z2nl4U-zEc/s1600/OpenSSH_13.JPG" /></a></div>
<br />
Depending on the version of Windows, you may encounter some file permission problems. The files that we are going to edit are:<br />
1) c:\cygwin64\etc\sshd_config<br />
2) c:\cygwin64\etc\passwd<br />
3) c:\cygwin64\home\<username>\.ssh\authorized_keys (notice the period in front of the ssh again)<br />
<br />
If you encounter access denied messages, you can simply "take ownership" of these files. To take ownership of files in Windows:<br />
1) Start Explorer<br />
<br />
2) Find the file and right-click on it<br />
<br />
3) Choose Properties<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-zV-9ctd8tU0/VJiQ8LsAktI/AAAAAAAAfRA/chgFPKH0Aik/s1600/Explorer_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-zV-9ctd8tU0/VJiQ8LsAktI/AAAAAAAAfRA/chgFPKH0Aik/s1600/Explorer_1.JPG" /></a></div>
<br />
<br />
4) Switch to the Security Tab<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-NeD0eBqIU3k/VJiQ7_IwgxI/AAAAAAAAfQI/Py1ZjP2zemc/s1600/Explorer_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-NeD0eBqIU3k/VJiQ7_IwgxI/AAAAAAAAfQI/Py1ZjP2zemc/s1600/Explorer_2.JPG" /></a></div>
<br />
5) Click Advanced<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-9gxO4pstTkA/VJiQ8JyjZQI/AAAAAAAAfQM/w_oLxxBQ2GM/s1600/Explorer_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-9gxO4pstTkA/VJiQ8JyjZQI/AAAAAAAAfQM/w_oLxxBQ2GM/s1600/Explorer_3.JPG" /></a></div>
<br />
6) Change to the Owner tab<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-uZqndl9Qhac/VJiQ8RBILVI/AAAAAAAAfQQ/G4otqYYiSlo/s1600/Explorer_4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-uZqndl9Qhac/VJiQ8RBILVI/AAAAAAAAfQQ/G4otqYYiSlo/s1600/Explorer_4.JPG" /></a></div>
<br />
7) Press the Edit button<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-W2slom2FH0I/VJiQ86C9cyI/AAAAAAAAfQc/8NPGzCWZYGY/s1600/Explorer_6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-W2slom2FH0I/VJiQ86C9cyI/AAAAAAAAfQc/8NPGzCWZYGY/s1600/Explorer_6.JPG" /></a></div>
<br />
8) Highlight your name and select Apply<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-NuuRMsD3U0s/VJiQ9N1sOiI/AAAAAAAAfQg/E6o7hLfmtHs/s1600/Explorer_7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-NuuRMsD3U0s/VJiQ9N1sOiI/AAAAAAAAfQg/E6o7hLfmtHs/s1600/Explorer_7.JPG" /></a></div>
<br />
9) Close all of the popups that you opened<br />
10) When you are back in the Explorer, right click on the file again and choose Properties<br />
11) Change to the Security tab<br />
12) This time, press the Edit Button<br />
13) Press the Add button<br />
14) Enter your Windows username and press Apply<br />
15) Make sure you give yourself read and write permission. Add only your own account, not Everyone or Users: the security of the whole setup depends on nobody else being able to change authorized_keys or sshd_config.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-K8W1rvUff44/VJiQ9YTneyI/AAAAAAAAfQk/WnjAxNybzWA/s1600/Explorer_8..JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://1.bp.blogspot.com/-K8W1rvUff44/VJiQ9YTneyI/AAAAAAAAfQk/WnjAxNybzWA/s1600/Explorer_8..JPG" /></a></div>
<br />
16) Click Apply and OK until all popups have disappeared<br />
<br />
Now you will have the ability to edit these files with Wordpad - or your favorite text editor - outside of the Cygwin environment. Just remember that if you change the sshd_config file, you will need to "<b><i>net stop sshd</i></b>" and "<b><i>net start sshd</i></b>" from within a Cygwin64 Terminal or Command Prompt with administrator permissions.<br />
<br />
<br />
<u><b>Editing the SSH Server configuration files</b></u><br />
We need to make a few changes to the SSHD configuration file, which is located in c:\Cygwin64\etc\sshd_config (<b>WARNING:</b> There is also a file called ssh_config - notice the missing D - which indicates you have the wrong file)<br />
<br />
The settings that we want to check are:<br />
<blockquote class="tr_bq">
Port xxxxx<br />
PubkeyAuthentication yes<br />
AuthorizedKeysFile .ssh/authorized_keys<br />
PasswordAuthentication no<br />
PermitEmptyPasswords no<br />
ChallengeResponseAuthentication no<br />
Subsystem sftp internal-sftp</blockquote>
The only setting that you need to make a decision about is the Port setting. This is the port that remote clients will connect to. The default is 22, but some ISPs block incoming connections on that port, and it attracts a constant stream of automated login attempts. Pick an unused port above 1024 and remember it; you will need it on every client. Moving the port is not a security control in itself (it only trims the noise in your logs); the key-only authentication settings above are what keep people out. On OpenSSH 8.7 and later, ChallengeResponseAuthentication is still accepted as a deprecated alias for KbdInteractiveAuthentication, so the line above works on old and new versions alike.<br />
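A misspelled keyword will stop sshd from starting, and a duplicate line earlier in the file silently overrides the one you edited, so it is worth checking the file the way sshd reads it. The script below is an added example, not part of the original post: it pulls the effective global value of each keyword from an sshd_config (first occurrence wins, keywords are case-insensitive, and anything after a Match line is conditional, all as sshd does) and compares them with the settings above. The two sample configs it writes are constructed for the demonstration.<br />

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check an sshd_config against the
# settings recommended above, reading it the way sshd does:
#   - keywords are case-insensitive and "Key=value" means the same as "Key value"
#   - the FIRST occurrence of a keyword wins; later duplicates are ignored
#   - everything after a "Match" line is conditional, so it is not the global value
# It does not catch misspelled keywords (sshd -t does); it catches wrong or
# missing values for the keywords we care about.
set -u

# keyword=expected value (lowercase). Port is site-specific and only checked for presence.
WANTED='pubkeyauthentication=yes
authorizedkeysfile=.ssh/authorized_keys
passwordauthentication=no
permitemptypasswords=no
challengeresponseauthentication=no
subsystem=sftp internal-sftp'

# sshd_effective_value FILE KEYWORD: print the global value sshd would use, or nothing if unset
sshd_effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                 # comment line
        NF == 0    { next }                 # blank line
        { gsub(/=/, " ") }                  # "Key=value" -> "Key value" (re-splits the fields)
        tolower($1) == "match" { exit }     # conditional section starts; the global part is over
        tolower($1) == key {
            v = $2
            for (i = 3; i <= NF; i++) v = v " " $i
            print v
            exit                            # first occurrence wins
        }
    ' "$1"
}

# sshd_config_audit FILE: print one line per deviation; succeed only if there are none
sshd_config_audit() {
    local file="$1" problems=0 entry key want got
    if [ -z "$(sshd_effective_value "$file" Port)" ]; then
        echo "Port: not set (sshd would listen on 22)"
        problems=$((problems + 1))
    fi
    while IFS= read -r entry; do
        key=${entry%%=*}
        want=${entry#*=}
        got=$(sshd_effective_value "$file" "$key" | tr 'A-Z' 'a-z')
        if [ "$got" != "$want" ]; then
            echo "$key: want '$want', effective '${got:-<unset>}'"
            problems=$((problems + 1))
        fi
    done <<EOF
$WANTED
EOF
    [ "$problems" -eq 0 ]
}

# write_sample_configs DIR: two constructed sshd_config files for the demonstration
write_sample_configs() {
    cat > "$1/weak.conf" <<'EOF'
# constructed sample: a first attempt with the mistakes this check is meant to catch
PubkeyAuthentication yes
AuthorizedKeyFiles .ssh/authorized_keys
PasswordAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication = yes
Subsystem sftp /usr/sbin/sftp-server
EOF
    cat > "$1/good.conf" <<'EOF'
# constructed sample: the settings from the post, plus a Match block that must not change the global values
Port 2222
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
Subsystem sftp internal-sftp
Match Address 192.168.1.0/24
    PasswordAuthentication yes
EOF
}

demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for name in weak good; do
    echo "== $name.conf"
    sshd_config_audit "$demo_dir/$name.conf" && echo "OK: matches the recommended settings"
done
rm -rf "$demo_dir"
```

Run it against c:\Cygwin64\etc\sshd_config from the Cygwin terminal (the path is /etc/sshd_config there). On the real machine also run /usr/sbin/sshd -t, which reports misspelled keywords such as the AuthorizedKeyFiles typo in the weak sample; this script only sees that the real keyword is unset.<br />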
<br />
<br />
<u><b>Adding your digital certificate</b></u><br />
Before you take this step, note that some mobile apps will do part of this for you. For example, I am using a program called <a href="https://itunes.apple.com/us/app/remoter-pro-vnc-ssh-rdp/id519768191?mt=8" target="_blank">Remoter Pro</a> on my iPad that will generate an SSH keypair and give you the public portion to put on your server (see the screenshots below for an example). Other programs may have similar functions. Generating the key on the device is the better arrangement, because the private key then never has to leave the device.<br />
<br />
You have to create an SSH public/private keypair. To create the keypair:<br />
1) Open a Cygwin64 Terminal<br />
2) Type the following (or copy and paste from below). Accept the default file location when ssh-keygen asks; a passphrase is optional but recommended, since it protects the key file if a device carrying it is lost:<br />
<blockquote class="tr_bq">
ssh-keygen<br />
cd ~/.ssh<br />
cat id_rsa.pub >> authorized_keys</blockquote>
The public portion of the keypair needs to be stored in c:\Cygwin64\home\<username>\.ssh\authorized_keys (please notice there is a period before the letters ssh). The cat line with the double greater-than signs appends the contents of our newly generated public key to the existing keys; if there are currently no keys, it creates the authorized_keys file. Run it only once per key, since running it again appends a duplicate line.<br />
<br />
You need to get the private portion of this key onto any device that you want to be able to connect from. In this case, the private key is the file named id_rsa (no extension). Treat it like a password: copy it over a channel you trust (a cable or a local transfer, not e-mail), and delete the copy on the server once every device has it. Anyone who obtains this file can log in as you.<br />
<br />
The public portion will be a single <b>really long</b> line of text. It should look something like this:<br />
<blockquote class="tr_bq">
ssh-rsa AAA__BUNCH OF CHARACTERS REMOVED____ADAQECy/ dmorlitz@Win7-clean</blockquote>
<u><b>Restricting the shell</b></u><br />
This is simply an added security measure - to limit what can be done over the remote connection if someone does manage to log in. You will still be able to have remote control access (the VNC tunnel) and transfer files back and forth (SFTP runs through the sftp subsystem, not the shell), but an interactive login gets a restricted shell. Be aware of what rbash does and does not do: it prevents changing directory, changing PATH, and running commands by path (anything containing a /), but it still runs any program that is already on PATH, so it is a speed bump rather than a wall. If you want to rule out command execution entirely, the stronger tool is sshd itself: key options such as restrict and command="internal-sftp" in authorized_keys, or a ForceCommand in sshd_config, deny the shell without depending on rbash.<br />
<br />
1) Open the Cygwin64 Terminal in Administrator mode - as we did above<br />
2) Enter the following two commands:<br />
<blockquote class="tr_bq">
cd /bin<br />
cp bash.exe rbash.exe</blockquote>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-PvmgKvSiy5s/VJh0lasufJI/AAAAAAAAfNI/_BvFUVb_MVM/s1600/rbash.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2.bp.blogspot.com/-PvmgKvSiy5s/VJh0lasufJI/AAAAAAAAfNI/_BvFUVb_MVM/s1600/rbash.jpg" /></a></div>
3) Open Wordpad and load c:\Cygwin64\etc\passwd<br />
4) Look for the line with your Windows username<br />
5) At the end of the line, change /bin/bash to /bin/<span style="color: red;"><b>r</b></span>bash<br />
<blockquote class="tr_bq">
dmorlitz:unused:1000:513:U-Win7-clean\dmorlitz,S-1-5-21-4133065026-3972575935-3297098951-1000:/home/dmorlitz:/bin/rbash</blockquote>
6) Save the changes to this file and close the editor<br />
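The bare cat line in "Adding your digital certificate" and the restricted shell above both leave gaps: cat appends a duplicate every time it is run, and rbash still executes anything on PATH. The script below is an added example, not code from the original post, and serves both of those steps. It validates the public key line, appends it only if the key is not already present, sets the file modes sshd wants, and puts key options in front of it so that this key can open the VNC tunnel and use SFTP but never get a shell. It assumes TightVNC is listening on its default port 5900 and an OpenSSH server of 7.2 or newer (for the restrict option); the sample key it uses is constructed, not a real key.<br />

```shell
#!/usr/bin/env bash
# Added example, not from the original post: install a public key into
# authorized_keys more carefully than "cat id_rsa.pub >> authorized_keys".
#   - rejects anything that does not look like an OpenSSH public key line
#   - never appends the same key twice (the post's cat line does if re-run)
#   - prefixes sshd key options so this key can only do what the post needs:
#       restrict                    no pty, no agent/X11 forwarding, no ~/.ssh/rc, no forwarding
#       port-forwarding             ...except -L tunnels, which we need for VNC
#       permitopen="127.0.0.1:5900" ...and only to the local VNC port (5900 is an assumption)
#       command="internal-sftp"     any session request runs the SFTP server, never a shell
#     ("restrict" needs OpenSSH 7.2 or newer)
#   - sets the modes sshd expects (700 on .ssh, 600 on authorized_keys), which
#     matters as soon as StrictModes is turned on
set -u

KEY_OPTIONS='restrict,port-forwarding,permitopen="127.0.0.1:5900",command="internal-sftp"'

# is_pubkey_line LINE: succeed if LINE is "<type> <base64> [comment]" for a common key type
is_pubkey_line() {
    case "$1" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) return 1 ;;
    esac
    # the second field must be base64: A-Z a-z 0-9 + / with optional = padding
    printf '%s\n' "$1" | awk '$2 ~ /^[A-Za-z0-9+\/]+=*$/ { ok = 1 } END { exit (ok ? 0 : 1) }'
}

# add_authorized_key PUBKEY_LINE FILE: append "<options> <type> <base64> [comment]" to FILE
# unless that key material is already present. Returns 2 for a malformed line.
add_authorized_key() {
    local line="$1" file="$2" keymat dir
    is_pubkey_line "$line" || { echo "refusing: not an OpenSSH public key line" >&2; return 2; }
    keymat=$(printf '%s\n' "$line" | awk '{ print $1 " " $2 }')
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # look for "<type> <base64>" as two adjacent fields, so existing options and comments do not matter
    if awk -v km="$keymat" '{ for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == km) found = 1 }
                           END { exit (found ? 0 : 1) }' "$file"; then
        echo "already present, nothing added: ${keymat%% *} key" >&2
        return 0
    fi
    printf '%s %s\n' "$KEY_OPTIONS" "$line" >> "$file"
}

# Demonstration in a throwaway directory with a constructed (not real) key.
demo=$(mktemp -d)
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYNOTAREALKEYXXXXXXXXXX user@tablet'
add_authorized_key "$SAMPLE_KEY" "$demo/.ssh/authorized_keys"
add_authorized_key "$SAMPLE_KEY" "$demo/.ssh/authorized_keys"       # second run: no duplicate
add_authorized_key 'ssh-rsa not!base64 user@tablet' "$demo/.ssh/authorized_keys" || echo "rejected (status $?)"
echo "--- $demo/.ssh/authorized_keys"
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

With this line in place the client opens the tunnel with the target written exactly as 127.0.0.1:5900 (permitopen matches the requested host literally, so a request for localhost would be refused), an SFTP client works as before, and a plain ssh login is handed the SFTP server instead of a shell. The /bin/rbash change does no harm alongside it, but the key options are what actually close the door.<br />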
<div>
<br /></div>
Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-65291406728686541762014-12-25T18:30:00.000-08:002014-12-27T13:32:34.791-08:00System z: Accurate benchmarking tipsEarlier this year, September 2014 to be exact, I wrote my first article for the online version of the <a href="http://www.ibmsystemsmag.com/" target="_blank">IBM Systems Magazine</a>. The article was titled "<a href="http://www.ibmsystemsmag.com/mainframe/tipstechniques/systemsmanagement/accurate-benchmark/" target="_blank">An accurate benchmark is important</a>".<br />
<br />
In this article, I talk about some best practices for designing benchmarks that are meant to compare the same workload on various platforms. Specifically, I call out reasons why benchmarks might "miss the mark" and will not yield realistic results that you can make sound business decisions on.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-_wB3nqbTbmE/VJzGfW7SzeI/AAAAAAAAfSw/v_1Ujata7Qk/s1600/tape_measure.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://3.bp.blogspot.com/-_wB3nqbTbmE/VJzGfW7SzeI/AAAAAAAAfSw/v_1Ujata7Qk/s1600/tape_measure.jpg" height="150" width="320" /></a></div>
Surprisingly, designing a "real-world" benchmark that is entirely accurate is not as simple as running the same workload on multiple servers. There is quite a bit more to it than that.....and having inaccurate information (no matter how scientifically you generate it) is still inaccurate.<br />
<br />
Before you design your next benchmark, why don't you consider some of the suggestions in this article and run a well-designed benchmark? Even if you don't agree with all of my points, at least you thought about it and made a choice that you can hang your career on.<br />
<br />
My article, "An accurate benchmark is important", is available to read at <a href="http://www.ibmsystemsmag.com/mainframe/tipstechniques/systemsmanagement/accurate-benchmark/">http://www.ibmsystemsmag.com/mainframe/tipstechniques/systemsmanagement/accurate-benchmark/</a><br />
<br />Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-7004426518351853593.post-42524156248805095272014-12-22T07:47:00.000-08:002020-03-03T06:10:21.584-08:00*Security: Road Warrior Remote Access - control a PC from iOS or Android<table bordercolor="#23c100" width="2px"><tr><td>
<br /><b>NOTE: This page has moved to </b>
<a href="https://datamakes.com/2014/12/22/road-warrier-remote-access-control-a-pc-from-android-or-ios/">https://datamakes.com/2014/12/22/road-warrier-remote-access-control-a-pc-from-android-or-ios/</a>
<script>
var loc=self.location.pathname;
if (loc != "/") {self.location='https://datamakes.com/2014/12/22/road-warrier-remote-access-control-a-pc-from-android-or-ios/'; }
</script>
</td></tr></table>
<br />
Don't you wish that you could bring something more portable - such as a tablet or cell phone? They are so much lighter, easier to carry, and may have a battery that lasts longer than your laptop.<br />
<br />
But.....there is always that fear that you will need a file from your machine at home or want to use one of those rare applications that does not have a mobile equivalent.<br />
<br />
Fear no more - you can have the best of both worlds by following this "<b>Road Warrior Remote Access</b>" guide. This tutorial will show you how to configure a machine to be remotely available to you in a secure fashion.<br />
<br />
<h2>
<span style="color: #38761d;"><u><b>Road Warrior Architectural Decisions</b></u></span></h2>
When designing this solution, I tried to stick to a few simple architectural decisions, which are:<br />
1) It had to be secure - no, <u><b>very</b></u> secure<br />
2) I didn't want to rely on any 3rd party relay or proxy service<br />
3) I wanted to use well-proven open-source software, when possible<br />
4) Keep the cost as small as possible, with a strong preference on avoiding subscription based services<br />
5) It has to be available from computers, Android tablets and phones and Apple tablets and phones <br />
<br />
<h2>
<span style="color: #38761d;"><u><b>Road Warrior Overall Solution</b></u></span></h2>
This led me to a solution consisting of:<br />
1) TightVNC (<a href="http://www.tightvnc.com/">http://www.TightVNC.com/</a>)<br />
2) OpenSSH<br />
3) A dynamic DNS name provided by No-IP (<a href="http://www.noip.com/">http://www.noip.com/</a>) <br />
<br />
Now you too can have an iPad or Android tablet that displays a Windows or Linux desktop:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-eSIcTDZvH-c/VJiTgWTaqaI/AAAAAAAAfRM/wp_mBCSM7wc/s1600/Windows_on_iPad.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://3.bp.blogspot.com/-eSIcTDZvH-c/VJiTgWTaqaI/AAAAAAAAfRM/wp_mBCSM7wc/s1600/Windows_on_iPad.png" width="640" /></a></div>
<br />
<br />
<b>NOTE:</b> Since I expect most readers of this article to be using Windows, I used Windows for this article. All of the principles work exactly the same on Linux or Mac - you just might need a different VNC server. On almost every Linux distribution I have used, OpenSSH is either automatically installed or available to install. There are also plenty of VNC servers available, depending on your distribution.<br />
<br />
For an equivalent choice of software on Ubuntu 14.04.1 LTS, you can use<br />
<blockquote class="tr_bq">
<i>sudo apt-get install tightvncserver openssh-server</i></blockquote>
If you are using a RHEL desktop, you can install the same software using<br />
<blockquote class="tr_bq">
<i>sudo yum install tigervnc-server openssh-server </i></blockquote>
<br />
Now, for the important (and fun) part......here is how to set it up on Windows.<br />
<b><br /></b>
<b><span style="color: red;">I do want to be clear, this information is meant to provide legitimate remote access to equipment that you either own or are fully authorized to use remotely. This is not to be used to circumvent any rules or policies that govern your equipment, to be placed on someone else's computer unknowingly, or to be used in any unauthorized fashion.</span></b><br />
<br />
I also want to mention that while the instructions look daunting, the process of setting everything up is pretty simple and only has to be done once. Then you will be on your way to being a full-fledged Road Warrior. <br />
<br />
<h2>
<span style="color: #38761d;"><u><b>Setting up the Windows VNC server</b></u></span></h2>
VNC is a well-established protocol for remote control. It might not be as fancy as some of the other remote access protocols (such as Spice, RDP, NX, etc.....) but it works and it seems to work well. There is also the additional benefit that some applications seem to be able to detect when you are using other protocols (such as RDP) and behave differently. Specifically, I have found that some VPN clients will not allow me to establish connections when I am connected via RDP - which limits the overall functionality of the service.<br />
I ended up choosing TightVNC as my VNC server because of their very generous licensing terms. The significant point is "<span style="color: #007000;"><b>free</b></span> for both personal and commercial usage, with full source code available". It is that <span style="color: #6aa84f;"><u><b>commercial usage</b></u></span> wording that is important and unique to TightVNC, as far as I can tell. Here is a screenshot of their web-site showing the "commercial usage" wording:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-n-jeN8zCJP8/VJg2qSM34iI/AAAAAAAAfHI/RmMxn0eavhc/s1600/TightVNC_commercial_usage.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-n-jeN8zCJP8/VJg2qSM34iI/AAAAAAAAfHI/RmMxn0eavhc/s1600/TightVNC_commercial_usage.jpg" /></a></div>
<br />
Now, enough talking, let's get down to it. Here are the instructions to configure TightVNC:<br />
1) Go to <a href="http://www.tightvnc.com/download.php" target="_blank">http://www.tightvnc.com/download.php</a> (link opens in new window) and download the latest version of TightVNC<br />
2) Start the installer. At the time of this writing, the latest version was tightvnc-2.7.10-setup-64bit.msi<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-bDSJLN0GtMI/VJhK2C3Ll0I/AAAAAAAAfHc/vqic8qxvpp4/s1600/TightVNC_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-bDSJLN0GtMI/VJhK2C3Ll0I/AAAAAAAAfHc/vqic8qxvpp4/s1600/TightVNC_1.JPG" /></a></div>
<br />
3) Hit "Next" and you will see:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-5F0ZhXPUrDI/VJhK2OgZgeI/AAAAAAAAfHY/-APrg4isL1Y/s1600/TightVNC_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-5F0ZhXPUrDI/VJhK2OgZgeI/AAAAAAAAfHY/-APrg4isL1Y/s1600/TightVNC_2.JPG" /></a></div>
<br />
<br />
4) Read (yeah, right) and accept the license and press Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-AHf2jxrQUmg/VJhK2Oa0v_I/AAAAAAAAfHg/eXGzfUmGUDk/s1600/TightVNC_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-AHf2jxrQUmg/VJhK2Oa0v_I/AAAAAAAAfHg/eXGzfUmGUDk/s1600/TightVNC_3.JPG" /></a></div>
<br />
<br />
5) Press "Typical" and you will see<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-dMvPGECjluI/VJhK2ilEIpI/AAAAAAAAfHk/eg4f666DRWs/s1600/TightVNC_4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="246" src="https://1.bp.blogspot.com/-dMvPGECjluI/VJhK2ilEIpI/AAAAAAAAfHk/eg4f666DRWs/s1600/TightVNC_4.JPG" width="320" /></a></div>
<br />
<br />
6) Uncheck "Add exception for TightVNC to Windows Firewall" and press Next. Remember, we are after security and OpenSSH will provide the access method, not TightVNC. Therefore, there is no reason to open a firewall port specifically for TightVNC.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-VV7hXhvtDrU/VJhK2mrBwgI/AAAAAAAAfHo/C2f7hzr7x2I/s1600/TightVNC_5.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-VV7hXhvtDrU/VJhK2mrBwgI/AAAAAAAAfHo/C2f7hzr7x2I/s1600/TightVNC_5.JPG" /></a></div>
<br />
<br />
7) Press Install. Files will be copied and then you will see<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-NYeVPXBw1XI/VJhK2x_h0bI/AAAAAAAAfHs/b4KSkh-ebrQ/s1600/TightVNC_6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-NYeVPXBw1XI/VJhK2x_h0bI/AAAAAAAAfHs/b4KSkh-ebrQ/s1600/TightVNC_6.JPG" /></a></div>
<br />
<br />
8) Set both passwords. The first one is the password you will use to access this computer remotely via VNC, and the second one will protect the VNC server's settings from being changed. I will be honest, I use the same password for both. Press OK. Keep in mind that classic VNC authentication uses only the first 8 characters of the password and a weak challenge-response, so this password is a secondary control; the SSH key set up later is what actually protects the machine.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-gXZMyYoRxto/VJhK3Ayu2eI/AAAAAAAAfHw/XueyRhCwII4/s1600/TightVNC_7.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-gXZMyYoRxto/VJhK3Ayu2eI/AAAAAAAAfHw/XueyRhCwII4/s1600/TightVNC_7.JPG" /></a></div>
<br />
<br />
<br />
9) Your TightVNC server is ready. You may also notice that an additional icon has appeared in your Windows System tray, which looks like<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-HSWa2lFVcig/VJhL1WLsNEI/AAAAAAAAfIg/2Qo_O9gBbDA/s1600/TightVNC_system_tray.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-HSWa2lFVcig/VJhL1WLsNEI/AAAAAAAAfIg/2Qo_O9gBbDA/s1600/TightVNC_system_tray.JPG" /></a></div>
<br />
10) Double clicking this icon in the system tray will bring up the settings dialog for TightVNC. Most of the default settings for TightVNC are appropriate for our usage, but there are some that we need to change.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-tjsK6sklrWA/VJhK3GB_WSI/AAAAAAAAfH0/Zb7_-4S46J8/s1600/TightVNC_8.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-tjsK6sklrWA/VJhK3GB_WSI/AAAAAAAAfH0/Zb7_-4S46J8/s1600/TightVNC_8.JPG" /></a></div>
<br />
<br />
<br />
11) On the first tab, in the "Web Access" section, uncheck "Serve Java Viewer to Web Clients" at the top right (this is a separate HTTP listener that we have no use for), then go to the Access Control tab<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=7004426518351853593" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://3.bp.blogspot.com/-ah70mVQdajw/VJhK3VQQKHI/AAAAAAAAfH4/_TjeQ-NN7s0/s1600/TightVNC_9.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-ah70mVQdajw/VJhK3VQQKHI/AAAAAAAAfH4/_TjeQ-NN7s0/s1600/TightVNC_9.jpg" /></a></div>
<br />
<br />
12) Check the "Allow loopback connections" and "Allow only loopback connections" options, then press Apply. This is what keeps the VNC server unreachable from the network: only connections that arrive through the SSH tunnel, which land on the loopback address, will be accepted.<br />
<br />
Your TightVNC Server is now ready for usage. Let's test it to make sure it works:<br />
1) Go to the Start Menu<br />
2) Look for the TightVNC group<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=7004426518351853593" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://2.bp.blogspot.com/-x5ByCNrQupQ/VJhNfyVrIAI/AAAAAAAAfIs/_o0xApTRWf4/s1600/TightVNC_Viewer_Start_Menu.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-x5ByCNrQupQ/VJhNfyVrIAI/AAAAAAAAfIs/_o0xApTRWf4/s1600/TightVNC_Viewer_Start_Menu.jpg" /></a></div>
<br />
3) Start the TightVNC Viewer<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-_UorsaHZKgo/VJhOG33-7-I/AAAAAAAAfI0/s-qGzbUyoj4/s1600/TightVNC_Viewer_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://2.bp.blogspot.com/-_UorsaHZKgo/VJhOG33-7-I/AAAAAAAAfI0/s-qGzbUyoj4/s1600/TightVNC_Viewer_1.JPG" width="320" /></a></div>
<br />
4) Enter localhost as the Remote Host and press Connect<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://www.blogger.com/blogger.g?blogID=7004426518351853593" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"></a><a href="http://2.bp.blogspot.com/-qG58w8yj8d8/VJhOHL2Ib7I/AAAAAAAAfI4/zs8MCcMbTvA/s1600/TightVNC_Viewer_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-qG58w8yj8d8/VJhOHL2Ib7I/AAAAAAAAfI4/zs8MCcMbTvA/s1600/TightVNC_Viewer_2.JPG" /></a></div>
<br />
5) Enter the password you selected for remote access and hit OK<br />
<br />
If everything went well, you will see a screen that shows your current laptop screen. Don't be surprised, you will get an effect of looking into a TV screen that has the same image over and over and over. This is normal and it means that your TightVNC Server is working just fine.<br />
<br />
You can close the TightVNC Viewer and move onto setting up the SSH server.<br />
<br />
<h2>
<span style="color: #38761d;"><u><b>Setting up the OpenSSH server using public key authentication:</b></u></span></h2>
To provide secure access, I used OpenSSH. OpenSSH is normally a Linux program that provides an encrypted connection between two machines. OpenSSH also has the attributes of being open source, well studied and generally considered to be secure, and it provides public/private key authentication and port tunneling.<br />
<br />
Those last 2 attributes are very important to increasing the security of this solution. By using public/private key authentication, it is significantly more difficult for someone to access our system or capture and decrypt our traffic at a later time. The port tunneling feature will allow us to route our VNC connection through the SSH connection, gaining the strength and protection of the SSH encryption. This is the reason that we didn't need TightVNC to open a Windows Firewall rule and we only allowed VNC connections from localhost. The TightVNC server will believe that we are connecting locally, even though we are really at the other end of the SSH connection. By allowing only loopback connections, we basically have closed off the possibility of someone directly accessing the TightVNC server and avoiding the SSH session.<br />
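The design described above can be verified on the Windows machine itself: the only listener facing the network should be the SSH port, and the VNC port (5900) should appear bound only to loopback addresses in the output of <code>netstat -an</code>. The check below is an added example written for this post, not TightVNC's or COPSSH's code. The netstat output is constructed (the Windows column layout: Proto, Local Address, Foreign Address, State), and 34567 is the example SSH port the post uses later.<br />

```python
# Constructed `netstat -an` output in the Windows layout. The foreign address
# uses a documentation range; nothing here is real traffic.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:34567          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED
  TCP    [::]:34567             [::]:0                 LISTENING
  TCP    [::1]:5900             [::]:0                 LISTENING
"""

# Addresses that cannot be reached from another host.
LOOPBACK = {"127.0.0.1", "::1"}


def split_endpoint(endpoint):
    """Split '127.0.0.1:5900' or '[::1]:5900' into (host, port)."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]:")
    else:
        host, _, port = endpoint.rpartition(":")
    return host, int(port)


def listening_sockets(netstat_text):
    """Return [(host, port)] for every TCP socket in LISTENING state."""
    sockets = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        sockets.append(split_endpoint(parts[1]))
    return sockets


def check_exposure(netstat_text, ssh_port, vnc_ports=(5900,)):
    """Findings for the post's design: SSH must be listening, VNC must stay on loopback.

    An empty list means the box matches the intended layout: the only way to
    reach the VNC server from outside is through an SSH tunnel.
    """
    sockets = listening_sockets(netstat_text)
    findings = []
    if not any(port == ssh_port for _, port in sockets):
        findings.append(f"nothing is listening on SSH port {ssh_port}")
    for host, port in sockets:
        if port in vnc_ports and host not in LOOPBACK:
            findings.append(
                f"VNC port {port} is bound to {host} and reachable without the SSH tunnel"
            )
    return findings


if __name__ == "__main__":
    print(check_exposure(NETSTAT_SAMPLE, 34567) or "layout matches the post")
```

On a desktop, the "VNC over SSH" setting of the mobile clients described later corresponds to <code>ssh -N -L 5900:127.0.0.1:5900 -p 34567 -i id_rsa &lt;username&gt;@&lt;your dynamic dns name&gt;</code> followed by pointing a VNC viewer at 127.0.0.1:5900; the port and key file name are the post's example values.<br />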
<br />
For this solution, I have chosen to use the OpenSSH server as packaged by ITeFix. The reason I chose this packaging is because it takes the binary provided by Cygwin and packages a nice user interface on top. You also don't have to edit configuration files manually. If you prefer to use Cygwin directly yourself, I have posted instructions at <a href="http://blog.visideas.com/2015/01/security-openssh-on-windows-using-cygwin.html">http://blog.visideas.com/2015/01/security-openssh-on-windows-using-cygwin.html</a><br />
<br />
Enough talking, let's get to installing:<br />
1) Go to <a href="https://www.itefix.net/content/copssh-free-edition">https://www.itefix.net/content/copssh-free-edition</a> and download the free edition. The only restriction that I am aware of on this version is that you can only activate a single SSH user. This limitation should be fine for what we are trying to accomplish.<br />
2) Start the installer you just downloaded<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-tu2miAn6SGU/VKwstpmLNsI/AAAAAAAAfak/HOttZAsQs1E/s1600/copssh1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-tu2miAn6SGU/VKwstpmLNsI/AAAAAAAAfak/HOttZAsQs1E/s1600/copssh1.JPG" /></a></div>
<br />
3) Click Next<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Upx2SEABsTg/VKwst-2ek3I/AAAAAAAAfao/ROKCeVe0spU/s1600/copssh2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-Upx2SEABsTg/VKwst-2ek3I/AAAAAAAAfao/ROKCeVe0spU/s1600/copssh2.JPG" /></a></div>
<br />
4) Read and accept the license agreement (if you agree)<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-xaLvaAsSn7o/VKwstje8YMI/AAAAAAAAfa4/ISnYtEEOUPM/s1600/copssh3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-xaLvaAsSn7o/VKwstje8YMI/AAAAAAAAfa4/ISnYtEEOUPM/s1600/copssh3.JPG" /></a></div>
<br />
5) Accept the default installation directory by clicking Install<br />
6) Wait for the files to finish copying <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-1y_JKTH6dqc/VKwsuCV5ZuI/AAAAAAAAfas/Mx8xqZlnZ1o/s1600/copssh4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-1y_JKTH6dqc/VKwsuCV5ZuI/AAAAAAAAfas/Mx8xqZlnZ1o/s1600/copssh4.JPG" /></a></div>
<br />
7) Click Finish - leaving "Run Copssh Control Panel" checked<br />
<br />
Now that the OpenSSH server is installed, we will use the Copssh Control Panel to check (and change) a few of the configuration settings. The Control Panel should have automatically launched when the installer finished, and it will look like this:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Brc8mhAxJjs/VKwtgwierLI/AAAAAAAAfbE/a56mpAsz2Bc/s1600/copyssh_control.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-Brc8mhAxJjs/VKwtgwierLI/AAAAAAAAfbE/a56mpAsz2Bc/s1600/copyssh_control.JPG" /></a></div>
<br />
1) Switch to the "Configuration" tab and change the listening port to a number over 1024 then hit Apply<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-4UoampfH0MU/VKwt8_ICNKI/AAAAAAAAfbM/3jSQhn_4Gp0/s1600/copyssh_port.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-4UoampfH0MU/VKwt8_ICNKI/AAAAAAAAfbM/3jSQhn_4Gp0/s1600/copyssh_port.JPG" /></a></div>
2) Change to the "Users" tab<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-bmEAn4RT2uU/VKwvYtsfJRI/AAAAAAAAfbY/vR_6kzPnjpY/s1600/copssh_users_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-bmEAn4RT2uU/VKwvYtsfJRI/AAAAAAAAfbY/vR_6kzPnjpY/s1600/copssh_users_1.JPG" /></a></div>
<br />
3) Click "Add" which will start the Copssh User Activation Wizard<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-6d8WTf-KFlM/VKwvYoDSwKI/AAAAAAAAfbc/STFlNFGQg5M/s1600/copssh_users_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-6d8WTf-KFlM/VKwvYoDSwKI/AAAAAAAAfbc/STFlNFGQg5M/s1600/copssh_users_2.JPG" /></a></div>
<br />
4) Click Forward<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-y3-0Bjzf_R8/VKwvYlLTTuI/AAAAAAAAfbg/Wvs2Tya8nbk/s1600/copssh_users_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-y3-0Bjzf_R8/VKwvYlLTTuI/AAAAAAAAfbg/Wvs2Tya8nbk/s1600/copssh_users_3.JPG" /></a></div>
<br />
5) Hit the down arrow next to the white user entry area, and pick the username you wish to activate<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Yc759To56yA/VKwvZPyzIYI/AAAAAAAAfbk/h_EscpO7wsg/s1600/copssh_users_4.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-Yc759To56yA/VKwvZPyzIYI/AAAAAAAAfbk/h_EscpO7wsg/s1600/copssh_users_4.JPG" /></a></div>
<br />
6) Hit Forward<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Po6II_zGKGo/VKwyvkVn3VI/AAAAAAAAfcU/IYdz77fi-Ow/s1600/copssh_users_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://3.bp.blogspot.com/-Po6II_zGKGo/VKwyvkVn3VI/AAAAAAAAfcU/IYdz77fi-Ow/s1600/copssh_users_3.JPG" /></a></div>
<br />
7) Change "Access type" to Sftp and uncheck "Allow password authentication", leaving the other settings at their defaults. The wizard's defaults are:<br />
Access type: Linux Shell and Sftp (change this to Sftp)<br />
Home directory: c:\users\<username><br />
Allow PKA authentication: checked<br />
Allow port forwarding: checked<br />
<blockquote class="tr_bq">
<b>NOTE:</b> Pay close attention to the Home Directory setting. You will be restricted to transferring files to that directory and below when transferring files via SFTP. If you want to transfer files anywhere on any of your disks, you will need to enable full shell access.</blockquote>
8) Click forward<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-4LKc_bAcfDw/VKwvZqbsnAI/AAAAAAAAfbs/lF2YuvOLmug/s1600/copssh_users_6.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-4LKc_bAcfDw/VKwvZqbsnAI/AAAAAAAAfbs/lF2YuvOLmug/s1600/copssh_users_6.JPG" /></a></div>
<br />
9) Review the settings and click "Apply"<br />
<br />
Upon successful completion of this User Activation Wizard, you will be returned to the COPSSH Control Panel and it should look similar to:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-6YNsYTRD230/VKwzQWoA4sI/AAAAAAAAfcc/Tv0V3NuB400/s1600/activated.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-6YNsYTRD230/VKwzQWoA4sI/AAAAAAAAfcc/Tv0V3NuB400/s1600/activated.JPG" /></a></div>
<blockquote class="tr_bq">
<b>NOTE: The username you use to connect to this SSH server will be only what is after the final backslash (\)</b> <b>and always in lower-case. In the example above, the username for the SSH server is dmorlitz - regardless of the rest of the line</b></blockquote>
<br />
Because we have chosen an access type of Sftp, we will not have any shell access remotely. We will only be able to connect to the SSH server to transfer files via SFTP or to connect to remote services (such as VNC) via port tunnelling.<br />
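The wizard options in steps 7 through 9 correspond to directives that the underlying OpenSSH server reads from sshd_config (the file the post refers to later): the listening port is Port, "Allow password authentication" is PasswordAuthentication, "Allow PKA authentication" is PubkeyAuthentication, and "Allow port forwarding" is AllowTcpForwarding. The script below is an added example written for this page, not COPSSH's code. It reads sshd_config text using sshd's own rules (keywords are case-insensitive, the first occurrence of a keyword wins, and settings after a Match line are conditional rather than global) and reports anything that differs from what the post sets up. The sample configurations are constructed; 34567 is the example port the post uses later.<br />

```python
import re

# Global defaults OpenSSH applies when a keyword is absent from sshd_config.
SSHD_DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "allowtcpforwarding": "yes",
}


def parse_sshd_config(text):
    """Return the effective global settings from sshd_config text.

    sshd semantics modelled here: '#' starts a comment, keywords are
    case-insensitive and may be separated from values by spaces or '=',
    the FIRST occurrence of a keyword wins, and everything after a 'Match'
    line is conditional, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)   # first occurrence wins
    return settings


def audit_sshd_config(text):
    """Compare the effective settings against what the post's wizard steps produce."""
    effective = dict(SSHD_DEFAULTS)
    effective.update(parse_sshd_config(text))
    findings = []
    if effective["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password guessing is still possible")
    if effective["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is not 'yes': key-based login would be refused")
    if effective["allowtcpforwarding"].lower() not in ("yes", "all", "local"):
        findings.append("AllowTcpForwarding does not permit local forwarding: the VNC tunnel would fail")
    try:
        port = int(effective["port"])
    except ValueError:
        port = -1
    if port <= 1024:
        findings.append(f"Port {effective['port']!r} is not above 1024 as the post recommends")
    return findings


# Constructed sample: roughly what a stock install looks like before the wizard.
DEFAULT_INSTALL_CONFIG = """\
# constructed sample sshd_config, effectively stock defaults
Port 22
PasswordAuthentication yes
"""

# Constructed sample matching the post: high port, keys only, tunnelling allowed.
HARDENED_CONFIG = """\
Port 34567
PubkeyAuthentication yes
PasswordAuthentication no
AllowTcpForwarding yes
Match User guest
    AllowTcpForwarding no   # conditional: does not change the global setting
"""

# Constructed sample showing the first-occurrence rule: the second line is ignored by sshd.
FIRST_WINS_CONFIG = """\
PasswordAuthentication yes
PasswordAuthentication no   # ignored: sshd keeps the first value it saw
Port 34567
"""

if __name__ == "__main__":
    for name, cfg in [("stock", DEFAULT_INSTALL_CONFIG), ("hardened", HARDENED_CONFIG)]:
        print(name, audit_sshd_config(cfg) or "matches the post")
```

Run it against the sshd_config COPSSH maintains after finishing the wizard; an empty list means the file says what the Control Panel screens claimed.<br />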
<br />
<h2>
<span style="color: #38761d;"><u><b>Creating the public/private keypairs with COPSSH:</b></u></span></h2>
We now have a choice to make. We can create keypairs using COPSSH and transfer them to the devices that we wish to use to remotely access this machine, or we can create the keypairs on the remote device directly.<br />
<br />
I have found that if I am working on an iOS device, I prefer to create the keypairs on the iOS device. You can find instructions for doing this later on in this posting.<br />
<br />
On Android, I have found that I really don't have a preference.<br />
<br />
In COPSSH, we can support both creating the keys locally or remotely. Either way, you start by pushing the "Keys" button on the Users tab.<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-6YNsYTRD230/VKwzQWoA4sI/AAAAAAAAfcc/Tv0V3NuB400/s1600/activated.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-6YNsYTRD230/VKwzQWoA4sI/AAAAAAAAfcc/Tv0V3NuB400/s1600/activated.JPG" /> </a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
1) Click the Keys button from the screenshot above</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-QFr1MWv0n4A/VKw1sy8ewMI/AAAAAAAAfcw/CQKkL0KFnDA/s1600/Keys_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://4.bp.blogspot.com/-QFr1MWv0n4A/VKw1sy8ewMI/AAAAAAAAfcw/CQKkL0KFnDA/s1600/Keys_1.JPG" /></a></div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
<div class="" style="clear: both; text-align: left;">
<u><b>If you want to import a public key that was created on another device:</b></u> </div>
<div class="" style="clear: both; text-align: left;">
2) Click the Import button. I have included a sample public key in the screenshot below. You will be able to recognize an SSH public key because it will usually start with ssh-rsa or ssh-dsa</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-7W45z3SJFtE/VKw1s3xRgdI/AAAAAAAAfco/o0nnrH6xcqs/s1600/keys_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-7W45z3SJFtE/VKw1s3xRgdI/AAAAAAAAfco/o0nnrH6xcqs/s1600/keys_2.JPG" /></a></div>
<div class="" style="clear: both; text-align: left;">
<br /></div>
3) Press Apply<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-MMGeWFzX7UU/VKw1syNyGQI/AAAAAAAAfcs/IBoRaT--EpI/s1600/keys_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-MMGeWFzX7UU/VKw1syNyGQI/AAAAAAAAfcs/IBoRaT--EpI/s1600/keys_3.JPG" /></a></div>
4) You will see your public key has been imported, and the comment is the key name you created on the other device.<br />
5) Press the Apply button - which will authorize this key to the SSH server - and then you can close this dialog box<br />
<br />
<div class="" style="clear: both; text-align: left;">
<u><b>If you want to create your keypair in COPSSH:</b></u> </div>
6) Press the "Add" button to launch the "Public Key Authentication" wizard<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-jXTGKjqlgkI/VKw3-UpdIuI/AAAAAAAAfdI/wBe5mXQ7KdY/s1600/make_key_1.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://2.bp.blogspot.com/-jXTGKjqlgkI/VKw3-UpdIuI/AAAAAAAAfdI/wBe5mXQ7KdY/s1600/make_key_1.JPG" /></a></div>
<br />
7) Click Forward<br />
8) Decide the key type settings that you would like to use and click Forward<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-MNGYiLDOHCg/VKw3-RTagpI/AAAAAAAAfdE/Z6M6V-9tE6Y/s1600/make_key_2.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-MNGYiLDOHCg/VKw3-RTagpI/AAAAAAAAfdE/Z6M6V-9tE6Y/s1600/make_key_2.JPG" /></a></div>
<br />
9) The next screen will ask you where you want to store the private portion of your keypair. This is the portion that you must get onto the device that will remotely access this computer. For convenience, I choose not to encrypt the private key - because not all devices can decrypt it easily. You also need to pay attention to the folder and the file name you export the private key to.<br />
10) Once you have your private key settings right, click Forward<br />
11) Review the settings to ensure they are correct and click Apply<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-jBVqxD0c7Bc/VKw3-XbFJ6I/AAAAAAAAfdM/ljqNAE7z74E/s1600/make_key_3.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-jBVqxD0c7Bc/VKw3-XbFJ6I/AAAAAAAAfdM/ljqNAE7z74E/s1600/make_key_3.JPG" /></a></div>
<br />
12) Move the private portion of the key to your device and continue to set up your iOS or Android device using the instructions below.<br />
<br />
COPSSH allows each user to have multiple keypairs. Therefore, you could create a unique keypair for each device that connects remotely. The benefit of doing this is that in the logs you will be able to tell who is connecting, and if you lose a single device you won't have to reconfigure all of your devices.<br />
<br />
<h2>
<span style="color: #38761d;"><u><b>Opening a port on your router:</b></u></span></h2>
This section is up to you to complete. You selected a port number above when you configured your SSH server. You will need to configure your home router's port forwarding feature to forward the port number you selected to the internal IP address of the system you want to control.<br />
I would also recommend that you assign the machine you want to control a static IP address - so the port forwarding rule always works. On many routers this is called a DHCP Reservation.<br />
<br />
<h2>
<span style="color: #38761d;"><u><b>Dynamic DNS:</b></u></span></h2>
You will need to know the IP address of your router so that you can connect to it remotely. Since the IP address may change over time, having a dynamic DNS name is easier. Personally, I use a service called No-IP - which you can find at <a href="http://noip.com/">http://NoIP.com</a>.<br />
The No-IP service allows you to have up to 3 hostnames that are tracked and mapped to DNS names. You should set up an account there and pick a hostname that you can remember.<br />
<br />
No-IP is also nice because they provide a dynamic DNS client which you can download from <a href="http://www.noip.com/download?page=win">http://www.noip.com/download?page=win</a>. This program will monitor the public IP address of whatever network your computer is plugged into and keep your dynamic DNS name up to date. Your router may also have a similar function. Here is what my router's screen looks like:<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-Nkxye9-Z_o8/VJh8n3zby1I/AAAAAAAAfNY/6YLScJ1vplU/s1600/router_ddns.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://1.bp.blogspot.com/-Nkxye9-Z_o8/VJh8n3zby1I/AAAAAAAAfNY/6YLScJ1vplU/s1600/router_ddns.JPG" /></a></div>
<br />
You are now all set to connect remotely to your computer. Here is the key information you will need for any client that you use.<br />
<blockquote class="tr_bq">
SSH Tunnel hostname: <your dynamic dns name><br />
SSH Tunnel password: <leave blank><br />
SSH Tunnel identity file: <the private key portion of your SSH keys - possibly id_rsa><br />
VNC Server: 127.0.0.1<br />
VNC password: <the TightVNC password you set for remote access></blockquote>
<br />
Good luck <b>Road Warrior</b> - you are on your way to lighter travels.<br />
<br />
Now, we will talk about setting up mobile devices. Since I have more experience with Android devices, Android comes first. But don't worry iOS users, just scroll down and you will find my instructions for Apple devices.<br />
<h2>
<span style="color: #38761d;"><u><b>Android Remote Access (VNC over SSH) setup</b></u></span></h2>
As I mentioned before, any client that supports VNC over SSH will work just fine to connect to the solution that you just built. Personally, I am currently using <a href="https://play.google.com/store/apps/details?id=com.iiordanov.bVNC" target="_blank">bVNC Pro</a> on my Android devices.<br />
<br />
bVNC Pro has the capability to create your SSH public/private keypair for you. You can also transfer the private key portion of a key you generated above to your Android device. In the example above, the private key portion of the keypair is called id_rsa.<br />
<br />
bVNC allows you to enter all of the necessary settings on a single screen. Here are the settings you will need after you press "New Connection":<br />
Connection type: Secure VNC over SSH (<b>NOTE: </b>There is a choice using SSL also - do not confuse them)<br />
<blockquote class="tr_bq">
Connection name --> Any descriptive name you will recognize<br />
SSH server name --> Your Dynamic DNS hostname (i.e. secret.ddns.net)<br />
SSH server port --> The port you entered in sshd_config (i.e. 34567)<br />
SSH password --> blank<br />
SSH passphrase --> blank<br />
Use Key --> checked<br />
VNC server name --> 127.0.0.1<br />
VNC port --> 5900<br />
VNC username --> blank<br />
VNC password --> The TightVNC password you chose</blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/--vyzeoefIco/VJl6IH7xrLI/AAAAAAAAfRo/38bBcrGU53Q/s1600/bVNC_1_Connection.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://4.bp.blogspot.com/--vyzeoefIco/VJl6IH7xrLI/AAAAAAAAfRo/38bBcrGU53Q/s1600/bVNC_1_Connection.png" width="640" /></a></div>
<br />
When you are ready to select your private key, tap the Manage Key button in the middle of the screen. On the screen that appears (shown below) you can either "Generate New Key" (don't forget to add the public portion to your authorized_keys file on the SSH server) or Import the private key that you transferred to your Android device. <br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-SMQ0tx8SzOo/VJl6IGOlsLI/AAAAAAAAfRs/hMHR9DLP7TE/s1600/bVNC_2_Key_Manager.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://3.bp.blogspot.com/-SMQ0tx8SzOo/VJl6IGOlsLI/AAAAAAAAfRs/hMHR9DLP7TE/s1600/bVNC_2_Key_Manager.png" width="640" /></a></div>
<h2>
<span style="color: #38761d;"><u><b>Android File Transfer (SFTP) setup</b></u></span></h2>
As with the remote control section, you can use any file manager that supports SFTP (which is different from FTPS) to connect to your system remotely. I am currently using <a href="https://play.google.com/store/apps/details?id=com.estrongs.android.pop" target="_blank">ES File Explorer</a> as my SFTP client. Here is how I set up ES File Explorer to access my remote system:<br />
<br />
Since ES File Explorer does not generate SSH keypairs (as far as I know), you will need to generate your SSH keys in your Cygwin64 Terminal, as described above. Then you will need to get the private key portion, id_rsa, onto your Android device through the file transfer method of your choice.<br />
<br />
Once you have the private key transferred, here is what you need to do:<br />
<br />
1) In the left-hand navigation area, select "Network" and then "FTP"<br />
2) From the bottom of the screen, choose "New"<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-uUyqE-sRTYI/VJl6HpDC2tI/AAAAAAAAfRc/X5xUScXmQAI/s1600/ES_File_Explorer_1_add_account.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://1.bp.blogspot.com/-uUyqE-sRTYI/VJl6HpDC2tI/AAAAAAAAfRc/X5xUScXmQAI/s1600/ES_File_Explorer_1_add_account.png" width="640" /></a></div>
3) Choose "sftp" by tapping on it<br />
4) Enter the following settings:<br />
<blockquote class="tr_bq">
Server: Your dynamic DNS hostname (i.e. secret.ddns.net)<br />
Port: The port you entered in sshd_config (i.e. 34567)<br />
Username: Your Windows username<br />
Passphrase: blank<br />
Check "Login by private key"<br />
Tap the "Private key" button and select the private key portion (i.e id_rsa) from the file listing that appears</blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-v19-JwzubXQ/VJl6HsPcQXI/AAAAAAAAfRk/Kl9vKJnF1J4/s1600/ES_File_Explorer_2_new_SFTP.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://4.bp.blogspot.com/-v19-JwzubXQ/VJl6HsPcQXI/AAAAAAAAfRk/Kl9vKJnF1J4/s1600/ES_File_Explorer_2_new_SFTP.png" width="640" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-UqxUJ24nfr0/VJl6HufIKiI/AAAAAAAAfRg/3dMDAXsPJl4/s1600/ES_File_Explorer_3_pick_key.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="400" src="https://2.bp.blogspot.com/-UqxUJ24nfr0/VJl6HufIKiI/AAAAAAAAfRg/3dMDAXsPJl4/s1600/ES_File_Explorer_3_pick_key.png" width="640" /></a></div>
5) Save the connection<br />
<br />
You can now access your remote system via SFTP and transfer files back and forth. When you first log in, you probably won't see any files. To find everything on your Windows system, you will need to browse to /cygdrive/C, which will show you your entire C: drive. If you have additional drives on your Windows system, they will appear under /cygdrive/D, /cygdrive/E, etc.<br />
<br />
<h2>
<span style="color: #38761d;"><u><b>iPad Remote Access (VNC over SSH) setup</b></u></span></h2>
Here is a sample configuration that will work on an iPad using a program called <a href="https://itunes.apple.com/us/app/remoter-pro-vnc-ssh-rdp/id519768191?mt=8" target="_blank">Remoter Pro</a>. You really can use any VNC program provided it supports VNC over SSH. This happened to be the least expensive program that I found on the iTunes App Store, coming in at $7.99. (You will also notice that until this point, everything has been free)<br />
<u><br /></u>
<u>Here are the steps to follow to create an SSH keypair in Remoter Pro</u><br />
1) Press the menu button at the top right and select SSH Key Manager<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-Ub2EL4siHBo/VJiDPPbWtgI/AAAAAAAAfNo/oV1eT0QUzek/s1600/IMG_0009.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://3.bp.blogspot.com/-Ub2EL4siHBo/VJiDPPbWtgI/AAAAAAAAfNo/oV1eT0QUzek/s1600/IMG_0009.PNG" width="640" /></a></div>
2) Press the + button at the top right<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-sNfG2B_iGCQ/VJiDP1oRn7I/AAAAAAAAfN4/3AzAuFRKLZ8/s1600/Remoter_Pro_2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://3.bp.blogspot.com/-sNfG2B_iGCQ/VJiDP1oRn7I/AAAAAAAAfN4/3AzAuFRKLZ8/s1600/Remoter_Pro_2.PNG" width="640" /></a></div>
3) Select RSA SSH2<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-yxqXqavML-c/VJiDP0zokGI/AAAAAAAAfN8/jqIQc6tFxh8/s1600/Remoter_Pro_3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://4.bp.blogspot.com/-yxqXqavML-c/VJiDP0zokGI/AAAAAAAAfN8/jqIQc6tFxh8/s1600/Remoter_Pro_3.PNG" width="640" /></a></div>
<br />
4) Wait a few seconds for the "Created Successfully" message<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-TXq6qAcdV-A/VJiDQsU9MqI/AAAAAAAAfOQ/TDjGiYZHIxE/s1600/Remoter_Pro_4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://2.bp.blogspot.com/-TXq6qAcdV-A/VJiDQsU9MqI/AAAAAAAAfOQ/TDjGiYZHIxE/s1600/Remoter_Pro_4.PNG" width="640" /> </a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
5) Tap the newly generated SSH key and select Rename<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YxcQQobtIrk/VJiDQ5M5q6I/AAAAAAAAfOU/G6iASm_gbeo/s1600/Remoter_Pro_6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://1.bp.blogspot.com/-YxcQQobtIrk/VJiDQ5M5q6I/AAAAAAAAfOU/G6iASm_gbeo/s1600/Remoter_Pro_6.PNG" width="640" /></a></div>
<br />
6) Pick a useful name, so you can remember where you are going to use this key<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://3.bp.blogspot.com/-9dWSUYYX9_c/VJiDQhA7SnI/AAAAAAAAfOY/D6TB_KuGknY/s1600/Remoter_Pro_5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://3.bp.blogspot.com/-9dWSUYYX9_c/VJiDQhA7SnI/AAAAAAAAfOY/D6TB_KuGknY/s1600/Remoter_Pro_5.PNG" width="640" /></a></div>
<br />
7) Tap the new name you changed and choose E-Mail<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-YxcQQobtIrk/VJiDQ5M5q6I/AAAAAAAAfOU/G6iASm_gbeo/s1600/Remoter_Pro_6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://1.bp.blogspot.com/-YxcQQobtIrk/VJiDQ5M5q6I/AAAAAAAAfOU/G6iASm_gbeo/s1600/Remoter_Pro_6.PNG" width="640" /></a></div>
<br />
8) Send the public portion of the key to an E-Mail address you can access from a computer<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-RH8RZUxyx3Y/VJiDRcjESII/AAAAAAAAfOg/54pKX5yfc0M/s1600/Remoter_Pro_7.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://4.bp.blogspot.com/-RH8RZUxyx3Y/VJiDRcjESII/AAAAAAAAfOg/54pKX5yfc0M/s1600/Remoter_Pro_7.PNG" width="640" /></a></div>
<br />
9) Copy the single line beginning "ssh-rsa" and ending with the key name you chose to the laptop you want to remotely connect to<br />
<br />
10) Add this line to the file c:\Cygwin\home\<username>\.ssh\authorized_keys (notice the period before the ssh again)<br />
<br />
Adding this line to the authorized_keys file is what authorizes access to your iPad<br />
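Whether the public key arrives through the COPSSH Import button or is pasted into authorized_keys by hand as in step 10, the line is worth checking before it grants access: the prefix must match the key type embedded in the base64 body, and with one key per device (as the COPSSH section recommends) you want to see each key's fingerprint and comment so that a lost device can be removed on its own. The script below is an added example written for this page, not COPSSH's, Remoter Pro's or OpenSSH's code. It parses authorized_keys lines, rejects lines whose prefix and body disagree, prints the same SHA256 fingerprint form that ssh-keygen -lf shows, and removes one device's key by its comment. The key type prefixes it accepts are the ones OpenSSH writes (ssh-rsa, ssh-dss, ssh-ed25519 and the ecdsa-sha2-* family); the sample file is constructed, with placeholder key material that is not a usable key.<br />

```python
import base64
import hashlib
import struct

# Key-type prefixes OpenSSH writes at the start of a public key line.
KNOWN_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}


def _ssh_string(data):
    """Length-prefixed string as used inside the binary key blob (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Read one length-prefixed string; raise ValueError if the blob is truncated."""
    if len(blob) < offset + 4:
        raise ValueError("key body is truncated")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("key body is truncated")
    return blob[offset + 4:end], end


def parse_authorized_key(line):
    """Parse one '<type> <base64 body> [comment]' line into type, fingerprint, comment.

    Option prefixes (e.g. 'no-pty ssh-rsa ...') are not handled here.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 body> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in KNOWN_TYPES:
        raise ValueError(f"unknown key type {key_type!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:          # binascii.Error is a ValueError subclass
        raise ValueError("key body is not valid base64") from exc
    embedded, _ = _read_string(blob, 0)
    if embedded != key_type.encode("ascii"):
        raise ValueError("prefix does not match the type embedded in the key body")
    # Same form ssh-keygen -lf prints: SHA256 of the body, base64 without '=' padding.
    digest = hashlib.sha256(blob).digest()
    fingerprint = "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")
    return {"type": key_type, "fingerprint": fingerprint, "comment": comment}


def list_keys(text):
    """Parse every key line; blank and '#' lines are skipped, bad lines are reported, not dropped."""
    keys = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            keys.append(parse_authorized_key(line))
        except ValueError as exc:
            keys.append({"type": None, "fingerprint": None, "comment": "",
                         "error": f"line {lineno}: {exc}"})
    return keys


def revoke_by_comment(text, comment):
    """Return the file with every parseable key whose comment equals `comment` removed.

    Lines that do not parse are left untouched so a malformed line is never silently discarded.
    """
    kept = []
    for line in text.splitlines():
        try:
            info = parse_authorized_key(line)
        except ValueError:
            kept.append(line)
            continue
        if info["comment"] != comment:
            kept.append(line)
    return "\n".join(kept) + "\n"


def _constructed_key_line(key_type, comment):
    """Build a syntactically valid key line whose key material is a placeholder, not a real key."""
    if key_type == "ssh-ed25519":
        body = _ssh_string(bytes(range(32)))                            # placeholder public value
    else:
        body = _ssh_string(b"\x01\x00\x01") + _ssh_string(bytes(64))    # placeholder e and n
    blob = _ssh_string(key_type.encode("ascii")) + body
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


# Constructed sample authorized_keys: one key per device, plus a line whose prefix
# was edited so it no longer matches the key body.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real key file",
    _constructed_key_line("ssh-rsa", "android-phone"),
    _constructed_key_line("ssh-ed25519", "ipad"),
    "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-dss") + _ssh_string(b"\x00")).decode("ascii") + " tampered",
]) + "\n"

if __name__ == "__main__":
    for entry in list_keys(SAMPLE_AUTHORIZED_KEYS):
        print(entry)
    print(revoke_by_comment(SAMPLE_AUTHORIZED_KEYS, "ipad"))
```

Point list_keys at the contents of c:\Cygwin\home\<username>\.ssh\authorized_keys to see one fingerprint per device; the comment at the end of each line is the key name chosen on the device, which is also what identifies the device in the SSH log.<br />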
<br />
<u>To create the connection in Remoter Pro:</u><br />
1) Click the + button at the top left of the screen and choose "Add Session Manually" and use the following settings:<br />
<blockquote class="tr_bq">
Choose the server type "VNC over SSH"<br />
Make "Name" anything descriptive to you<br />
Set the SSH Hostname to your dynamic DNS name that you picked above<br />
Set the SSH Port to match the one you selected in sshd_config and on your router's port forwarding screen<br />
Set the SSH Username to your Windows username (spaces might not be allowed, I haven't tried that yet)<br />
For SSH Key Auth - tap the "No Key Auth" button<br />
Select the key name you just created<br />
Leave SSH passphrase blank<br />
Enter 127.0.0.1 for VNC Hostname<br />
Leave VNC port at 5900<br />
Leave VNC Username blank<br />
Enter the TightVNC access password for VNC Password</blockquote>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-pjHJdLJWiOc/VJiDRlbVThI/AAAAAAAAfOo/PyrfFGJs0SQ/s1600/Remoter_Pro_9.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://1.bp.blogspot.com/-pjHJdLJWiOc/VJiDRlbVThI/AAAAAAAAfOo/PyrfFGJs0SQ/s1600/Remoter_Pro_9.PNG" width="480" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-K3NaSFlItJo/VJiDPJveTjI/AAAAAAAAfNw/yreCd5MeK9A/s1600/Remoter_Pro_10.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-K3NaSFlItJo/VJiDPJveTjI/AAAAAAAAfNw/yreCd5MeK9A/s1600/Remoter_Pro_10.PNG" width="480" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-6wOGZNnFKpo/VJiDPqIvMhI/AAAAAAAAfOA/sRTM8SK1sls/s1600/Remoter_Pro_11.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://4.bp.blogspot.com/-6wOGZNnFKpo/VJiDPqIvMhI/AAAAAAAAfOA/sRTM8SK1sls/s1600/Remoter_Pro_11.PNG" width="480" /></a></div>
<br />
<br />
2) Press Save at the top left of the screen<br />
<br />
<h2>
<span style="color: #38761d;"><u><b>iPad File Transfer (SFTP) setup</b></u></span></h2>
One nice benefit of SSH is that it provides a built-in file transfer mechanism - still protected by the SSH encryption and public/private key authentication.<br />
On the iPad, I am currently using <a href="https://itunes.apple.com/us/app/ftp-onconnect-free-ftp-sftp/id594722236?mt=8" target="_blank">FTP On Connect Free</a> as my SFTP client. I am honestly not sure what the limitations are of this version over the full one, but for $2.99 I will upgrade if I find that I run into any limitations.<br />
<br />
Here is how I got FTP On Connect Free configured. First, I put the private key portion of my SSH keypair on an FTP server that I could see inside my house - this file is called home_rsa (you might need to create another keypair based on the instructions above, unless you can get the private portion out of RemoterPro). If you don't have an FTP server handy, FileZilla Server from <a href="https://filezilla-project.org/">https://filezilla-project.org/</a> is very quick and easy to set up on any Windows PC.<br />
<br />
Once I had downloaded the private key portion to FTP On Connect Free, here is how I created the profile to connect to my remote machine:<br />
1) Go to the "My Document" section of the left-hand navigation bar<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-1ObgJBdEQJQ/VJiNC9LkeQI/AAAAAAAAfPc/5QWwwfMOHTw/s1600/FTP_1.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://2.bp.blogspot.com/-1ObgJBdEQJQ/VJiNC9LkeQI/AAAAAAAAfPc/5QWwwfMOHTw/s1600/FTP_1.PNG" width="640" /></a></div>
<br />
<br />
2) Tap the "right arrow" button to the right of home_rsa (the file that you previously downloaded)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-xdxjLC-GSLE/VJiNDGiLMBI/AAAAAAAAfPY/Dy4UbXVgOSg/s1600/FTP_2.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://4.bp.blogspot.com/-xdxjLC-GSLE/VJiNDGiLMBI/AAAAAAAAfPY/Dy4UbXVgOSg/s1600/FTP_2.PNG" width="640" /></a></div>
<br />
3) Choose "Add to private key list"<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-SrvFHK_Co74/VJiNC81AxdI/AAAAAAAAfPU/-tSxElRGRns/s1600/FTP_3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://1.bp.blogspot.com/-SrvFHK_Co74/VJiNC81AxdI/AAAAAAAAfPU/-tSxElRGRns/s1600/FTP_3.PNG" width="640" /></a></div>
<br />
4) Give the key a descriptive name you can recognize <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://1.bp.blogspot.com/-RkirY4Wc0ss/VJiND4paNUI/AAAAAAAAfPw/ULnKGEdVhp0/s1600/FTP_4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://1.bp.blogspot.com/-RkirY4Wc0ss/VJiND4paNUI/AAAAAAAAfPw/ULnKGEdVhp0/s1600/FTP_4.PNG" width="640" /></a></div>
<br />
5) Click on "Site Add" from the left hand navigation<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://4.bp.blogspot.com/-5gzwRhVfY98/VJiND0ZQ44I/AAAAAAAAfPk/eLuNfN9aTtg/s1600/FTP_5.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://4.bp.blogspot.com/-5gzwRhVfY98/VJiND0ZQ44I/AAAAAAAAfPk/eLuNfN9aTtg/s1600/FTP_5.PNG" width="640" /></a></div>
<br />
6) Set the options as follows<br />
<blockquote class="tr_bq">
SFTP - SSH File Transfer Protocol<br />
Profile --> Any name you like<br />
Host --> Your dynamic DNS hostname<br />
Port --> The port you configured your SSH server to listen on<br />
User ID --> Your Windows username<br />
Private Key --> Turn the slider on and on the popup screen, pick the Private Key that you imported earlier</blockquote>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2.bp.blogspot.com/-fAAvz7eMpLE/VJiNEDbMXrI/AAAAAAAAfPo/_iB1uP6EhQI/s1600/FTP_6.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://2.bp.blogspot.com/-fAAvz7eMpLE/VJiNEDbMXrI/AAAAAAAAfPo/_iB1uP6EhQI/s1600/FTP_6.PNG" width="640" /></a></div>
<br />
7) Press Save<br />
<br />
You should now be able to connect to your home computer and transfer files freely. Within the Cygwin environment, you can browse to the directory /cygdrive/C to see your entire C: disk on Windows. If you have other drive letters available, they will all be under /cygdrive/.<br />
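Before relying on the profile, it is worth confirming that the key you imported into the iPad client is the same one listed in the Cygwin sshd's authorized_keys file. The snippet below is an added example (not part of the original post, and not code from FTP On Connect Free); it parses an authorized_keys line and reproduces the SHA256 and legacy MD5 fingerprint formats that <code>ssh-keygen -lf</code> prints, so the value can be compared against what you see on the server. The Ed25519 key used as input is constructed inline for the demo; the fingerprint functions work on any key type's blob, including the public half of an RSA key such as home_rsa.pub.<br />

```python
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix)."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_public_key(raw_key: bytes, comment: str = "ipad-sftp") -> str:
    """Build a constructed authorized_keys line from a 32-byte Ed25519 public key."""
    if len(raw_key) != 32:
        raise ValueError("Ed25519 public keys are exactly 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_authorized_key(line: str) -> Tuple[str, bytes, str]:
    """Split one authorized_keys line into (key type, decoded blob, comment)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("authorized_keys line needs at least a type and a key")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    # The blob embeds its own type string; sshd rejects a line whose prefix disagrees
    (inner_len,) = struct.unpack(">I", blob[:4])
    inner_type = blob[4:4 + inner_len].decode()
    if inner_type != key_type:
        raise ValueError("key type mismatch: %s vs %s" % (key_type, inner_type))
    return key_type, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -lf` (base64 without padding)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy colon-separated MD5 fingerprint as printed by `ssh-keygen -lf -E md5`."""
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


# Constructed sample key (not a real key): 32 predictable bytes stand in for the public key.
SAMPLE_LINE = build_ed25519_public_key(bytes(range(32)))

if __name__ == "__main__":
    ktype, kblob, kcomment = parse_authorized_key(SAMPLE_LINE)
    print(ktype, kcomment, fingerprint_sha256(kblob), fingerprint_md5(kblob))
```

Run <code>ssh-keygen -lf ~/.ssh/authorized_keys</code> in the Cygwin shell on the PC and compare its output with the fingerprint computed here from the public half of the key you imported.<br />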
<br />
<br />
You should now have a session icon that will allow you to remotely connect and control your PC at home.<br />
<br />
<br />