# scp/ssh/vnc questions

## h2sammo

1. I'm trying to scp files from my MacBook to a chrooted Gentoo machine (from a LiveCD). I can see the files complete the transfer in the MacBook terminal, but I do not see them in the respective Gentoo folder (/home). Why is that?

2. Can I ssh (or scp) into my Gentoo machine from outside my home network (from work, for example)?

Last edited by h2sammo on Wed Jul 08, 2009 8:10 pm; edited 3 times in total

----------

## think4urs11

To 1) Wild guess: the transferred files end up in /home _outside_ of the chroot, not inside.

To 2) Yes, depending on your company's security and your home setup (port forward when behind a NAT router).

----------

## h2sammo

1. How can I have it scp somewhere inside the chroot? (Also, how come it can go outside the chroot? It can't write onto the LiveCD, can it?)

2. How would the ssh command look if I am not on my home network?

----------

## think4urs11

To 1) You started ssh before entering the chroot, correct? Thus your scp 'lands' in the environment of the LiveCD, not the environment in the chroot.

To 2) Depending on the circumstances, exactly as it looks now, e.g. `ssh h2sammo@<your official home ip address>`

But probably you need to use a proxy, have to have a DNS name (some corps may block access to plain IP addresses), ...

----------

## h2sammo

1 - OK, I see, I will try that when I get home... unless I solve issue nr 2 and then I can try it sooner.

2 - I have asked one of the system admins here at work and he said I would be able to ssh from my machine at work into mine at home. My work machine is Windows XP, so I downloaded PuTTY. I am given the option to input the IP address and I do, 192.168.x.xx (is this the correct one?). However PuTTY fails to connect. In your response you say I might need to use a proxy and have to have a DNS name; how would I know if I need to do that, and do you know of a good tutorial to learn how to do that?

How do I find out my official home IP address?

Also, I have a Motorola SURFboard modem which also acts as a wireless router for my house connection (do I need to port forward?)

Thx

----------

## think4urs11

192.168.x.y is a so-called 'non-routable' IP. IPs like that (and similar ones as in RFC3330) are not routed, thus not directly reachable via the internet.

Your modem though has a so-called 'official' IP address and can be reached - you need to find out that IP. Should be easy when you have the documentation.

With that you can configure your modem and set up a port forwarding - so that packets from the internet to your official IP and port 22/tcp (that's ssh) are forwarded to your PC. Your modem in that case just takes the packets coming from external and hands them over to internal (and vice versa).

And keep in mind that most probably your official IP changes regularly, so it is a good idea to set up a dynamic DNS name.

Confused enough already? I'd bet.

With the above you'd have enough keywords to search for better documentation - or ask your friendly sysadmin (cookies normally help here).

----------

## krinn

As he said: but for testing purposes you could go to "whatismyip.com" from your home computer before going to work. If you have a static IP, it will always be that one; if not, you could use a dynamic DNS service (such as no-ip.org...) on your home computer.

From work: `ssh yourusers@ipyougetfromwhatismyip.com`

-> http://sshwindows.sourceforge.net/ (if you don't like PuTTY, it's OpenSSH but for Windows)

----------

## h2sammo

I see, can I use one of the ports I already have forwarded for my torrent activity, or do I have to stick to port 22?

Thanks a lot for the patience and responses.

----------

## think4urs11

*h2sammo wrote:*

> I see, can I use one of the ports I already have forwarded for my torrent activity, or do I have to stick to port 22?

Not in parallel; of course when you stop your torrent client and start sshd instead, then yes.

You can use any (TCP) port you like.

To avoid confusion it is better to stay with 22 (you don't need to tell the ssh client to use 22, but you'd need to tell it when you use another port).

To avoid external attacks on your sshd it is better to use some random 50,000+ port instead though. (And yes, I know that's security by obscurity.)

----------

## NeddySeagoon

h2sammo,

And turn off ssh root logins so username/password guessing scripts don't get you.

Use strong passwords or, better yet, key-based ssh logins only.

----------

## krinn

*h2sammo wrote:*

> I see, can I use one of the ports I already have forwarded for my torrent activity, or do I have to stick to port 22?

You think it could be a good idea to have X numbers of torrent users trying X times every X seconds to use a port where ssh is granting access to your computer?

As Think4UrS11 said you could use any port you wish, but your client should not forget to specify it as `ssh me@homecomputer -p mysshport`

So `ssh me@homecomputer` would be easier.

And I do agree with the security by obscurity.

If you wish more security you could disable passwords and use identity-file-only access (you can provide the file via a USB key or disk), and it's not a bad idea to disable root login (you may still log in as root if your user is in the su list). Not to say you won't care about the complexity of your password anymore.

Still amazing how we need to disable the root password, because technically it's the weakest login, but in practice it's the strongest.

People always think the root password is the strongest, so they prefer trying to find a valid user, assuming that user will have a weak password (on a well-administered server it "could" be the case, because a strong password for root by a good admin could still go together with a weak password by a noob user). So practice shows root is the strongest, and I said technically the weakest because if you try to access a computer it's always half the way to know at least a valid user to do your tries, and "root" is a known valid user, which is faster than guessing a user name. That's what script kids bet on: a noob user exists.

Without saying that someone trying to be root by logging in as root will get more trouble because some program could temp ban, perm ban or slow retries on login. But if someone logged in as a user is trying to become root, generally nothing really exists to prevent that, and he could make all the tries he wishes, and if he's not in the sudo list... he could still try to run programs that try to get more privileges...

But let's stay conventional, let's say disable root login.
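As an added example (not code from the thread), a small sh script that checks an sshd_config for the hardening NeddySeagoon and krinn describe above: root login off, key-based instead of password logins, and a note when a non-22 port means the client needs `-p`. The two sample configs are constructed inline; the compiled-in defaults assumed for missing keywords are marked in the code.

```shell
#!/bin/sh
# Added example, not code from the thread: check an sshd_config for the
# settings the posts above recommend (no root login, keys rather than
# passwords) and note the port a client must pass with -p.
# The two sample configs are constructed here for the demonstration.

# Effective value of a keyword: sshd honours the first occurrence, and a
# commented line never matches because '#' is part of $1.
sshd_value() {                       # sshd_value FILE KEYWORD DEFAULT
    v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    echo "${v:-$3}"
}

# Prints one verdict per setting; returns 1 if anything is weak.
audit_sshd_config() {
    f=$1; weak=0
    root=$(sshd_value "$f" PermitRootLogin yes)        # 'yes' assumed default
    pass=$(sshd_value "$f" PasswordAuthentication yes) # 'yes' assumed default
    port=$(sshd_value "$f" Port 22)
    case $root in
        no) echo "ok   PermitRootLogin no" ;;
        without-password|prohibit-password)
            echo "note PermitRootLogin $root: root is a known login, keys only" ;;
        *)  echo "WEAK PermitRootLogin $root: guessing scripts know 'root' exists"; weak=1 ;;
    esac
    case $pass in
        no) echo "ok   PasswordAuthentication no (key-based logins only)" ;;
        *)  echo "WEAK PasswordAuthentication $pass: passwords can be guessed"; weak=1 ;;
    esac
    [ "$port" = 22 ] || echo "note Port $port: clients need 'ssh -p $port user@host'"
    return $weak
}

# Constructed samples: a stock-like config and a hardened one.
make_sample() {                      # make_sample weak|hardened -> prints path
    f=$(mktemp)
    if [ "$1" = weak ]; then
        printf '#Port 22\n#PermitRootLogin yes\nPasswordAuthentication yes\n' >"$f"
    else
        printf 'Port 51022\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n' >"$f"
    fi
    echo "$f"
}

for kind in weak hardened; do
    cfg=$(make_sample $kind)
    echo "== $kind sample"
    audit_sshd_config "$cfg" || echo "-> needs hardening"
    rm -f "$cfg"
done
```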

----------

## think4urs11

When talking about security in general this post and the whole thread is always a good start for every paranoid soul out there

----------

## krinn

lol, you forgot the "suicide yourself" so no one could get your password by forcing you

I love the case intrusion one, especially when you think a simple boot CD could chroot and change the root password anytime... so the case intrusion without a BIOS password and no boot CD, USB or floppy forced is, well, you know....

On another note, I think that even if you force HDD boot first, I'm sure the F8 common on newer BIOSes would bypass all of that.

I suppose we still could disable any USB support and find a motherboard without PS/2 so no one could plug in a keyboard: so they finally really need to reset the BIOS to enable USB, and so open the case where your mouse trap will catch them

----------

## think4urs11

*krinn wrote:*

> I love the case intrusion one, especially when you think a simple boot CD could chroot and change the root password anytime...

That's why two lines below it reads as "full disk encryption (token+passphrase)" - no chance for a boot CD without the rest.

But we're getting off topic...

----------

## h2sammo

It worked, thank you all.

Now, can I have a graphical interface over ssh?

Can I see the browser, for example, on my home machine and browse from it, or open my email editor, etc.?

EDIT: I am running Windows XP at work, want to operate X (browsing mostly) from my Gentoo box at home.

Last edited by h2sammo on Mon Jun 29, 2009 10:10 pm; edited 1 time in total

----------

## krinn

`emerge -s vnc` (choose your flavor; if you have GNOME, there's a default vncserver installed, so you'll just need a client)

and... of course the VNC port must be opened too

----------

## h2sammo

Can I use the same port for ssh (22) when I use VNC from the viewer, as long as I mention it after the IP address? Or do I have to open up another port?

I have TightVNC on my work computer (Win XP) and it keeps failing to connect over port 22, which is forwarded properly as I use it for ssh. I have vncserver up and running on my home computer.

----------

## h2sammo

Anyone?

----------

## krinn

You can use port 22 for your VNC too, but your vncserver must listen on port 22 then (which is of course not the default, as this is really the default port for ssh; programs avoid setting their default port to 22, except ssh (again, of course)).

And stop trying to use one port for everything; even if you could, it's clearly not practical. You will have to close ssh before starting VNC and vice versa...

----------

## cach0rr0

*krinn wrote:*

> And stop trying to use one port for everything; even if you could, it's clearly not practical. You will have to close ssh before starting VNC and vice versa...

Second this - this is why almighty Odin hath given us things like SSH tunnels, X forwarding, etc.

----------

## cach0rr0

*Think4UrS11 wrote:*

> when talking about security in general this post and the whole thread is always a good start for every paranoid soul out there

Aye, bookmarked.

Though I'm still hunting about for a good "usb trick" howto.

Pretty sure I need to hold off on attempting it until I've done the requisite reading and learned a bit more about the design of the whole thing.

----------

## h2sammo

OK, I can't get the viewer to connect to my server.

I started the server like so:

```
bobby@tux ~ $ vncserver

You will require a password to access your desktops.

Password:
Verify:

New 'tux:1 (bobby)' desktop is tux:1

Creating default startup script /home/bobby/.vnc/xstartup
Starting applications specified in /home/bobby/.vnc/xstartup
Log file is /home/bobby/.vnc/tux:1.log
```

Then the viewer (TightVNC from Windows) with: `a.b.c.d:5901`

I have port 5901 opened at home.

I can ssh fine through port 22 from the same computer at work but I can't get through with my VNC connection. It fails every time.

Help pls.

----------

## h2sammo

Anyone?

----------

## Nerevar

Google for TightVNC and PuTTY. See example #3 from the first hit:

http://www.vanemery.com/Linux/VNC/vnc-over-ssh.html

----------

## krinn

You could try at home: `vncviewer localhost`. If it works, you still have trouble with ports...

----------

## h2sammo

*krinn wrote:*

> You could try at home: `vncviewer localhost`. If it works, you still have trouble with ports...

This on the same computer where the server is running:

```
bobby@tux ~ $ vncviewer localhost

VNC Viewer Free Edition 4.1.3 for X - built Jun 30 2009 11:40:15
Copyright (C) 2002-2008 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Wed Jul  8 20:17:27 2009
 main:        unable connect to socket: Connection refused (111)
```

----------

## Nerevar

You should use what vncserver returned. In your case:

```
vncviewer tux:1
```

----------

## h2sammo

*Nerevar wrote:*

> You should use what vncserver returned. In your case:
> 
> ```
> vncviewer tux:1
> ```
> ...

That worked:

```
bobby@tux ~ $ vncviewer tux:1

VNC Viewer Free Edition 4.1.3 for X - built Jul  8 2009 21:06:05
Copyright (C) 2002-2008 RealVNC Ltd.
See http://www.realvnc.com for information on VNC.

Thu Jul  9 16:23:15 2009
 CConn:       connected to host tux port 5901
 CConnection: Server supports RFB protocol version 3.8
 CConnection: Using RFB protocol version 3.8

Thu Jul  9 16:23:27 2009
 TXImage:     Using default colormap and visual, TrueColor, depth 24.
 CConn:       Using pixel format depth 6 (8bpp) rgb222
 CConn:       Using ZRLE encoding

Thu Jul  9 16:23:53 2009
 CConn:       Throughput 20000 kbit/s - changing to hextile encoding
 CConn:       Throughput 20000 kbit/s - changing to full colour
 CConn:       Using pixel format depth 24 (32bpp) little-endian rgb888
 CConn:       Using hextile encoding
```

I have still yet to figure out what I do wrong from my computer at work. I have opened the correct port, 5901...
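Tying together Nerevar's pointer to VNC over SSH and the `vncviewer localhost` vs `vncviewer tux:1` result above, as an added example that is not part of the thread: VNC display :N sits on TCP 5900+N, and the tunnel rides the port 22 that already works from work, so 5901 need not be forwarded at the modem at all. The names bobby and tux:1 come from the posts; HOME_HOST is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not code from the thread: carry VNC over the ssh port that
# already works from work, instead of exposing 5901 to the internet.
# bobby and tux:1 are from the thread; HOME_HOST is an assumed placeholder.

# VNC display :N listens on TCP 5900+N. A bare hostname means display :0,
# which is why "vncviewer localhost" was refused (nothing on 5900) while
# "vncviewer tux:1" reached port 5901.
vnc_port() {                         # vnc_port [HOST]:N  -> prints TCP port
    case $1 in
        *:*) n=${1##*:} ;;
        *)   n=0 ;;
    esac
    case $n in
        '') n=0 ;;
        *[!0-9]*) echo "bad display: $1" >&2; return 1 ;;
    esac
    echo $((5900 + n))
}

# Print the ssh command that forwards a local port to the VNC server
# through sshd. -N: no remote shell, just the tunnel; -L: local forward.
# On the home box the VNC server then only has to accept connections
# from localhost (Xvnc's -localhost option, if your vncserver has it).
vnc_tunnel_cmd() {                   # vnc_tunnel_cmd USER HOST DISPLAY [LOCALPORT]
    remote=$(vnc_port "$3") || return 1
    local_port=${4:-$remote}
    printf 'ssh -N -L %s:localhost:%s %s@%s\n' "$local_port" "$remote" "$1" "$2"
}

# What the viewer connects to once the tunnel is up: the local end, so the
# ssh client on the work machine encrypts and carries the session.
vnc_viewer_target() {                # vnc_viewer_target [LOCALPORT]
    echo "localhost::${1:-5901}"     # TightVNC/RealVNC viewer syntax host::port
}

# Demonstration with the thread's names (HOME_HOST is a placeholder).
vnc_tunnel_cmd bobby HOME_HOST tux:1
vnc_viewer_target 5901
```

Run the printed ssh command in one window (PuTTY's Tunnels page does the same for the Windows side) and point the viewer at the printed target in another.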

----------

