Kubuntu Precise Network Management





Only one network manager and GUI interface can be enabled. Network-Manager is installed by default and works for both wired and wireless connections, and for both static and dynamic (DHCP-assigned) IP addresses. In the past, some users have preferred the Wicd network manager, however, and it can be installed instead.

Network Manager

Network Manager is the network manager installed by default in (K)Ubuntu. It has a tray applet that allows you to switch between Internet connections (such as wireless APs or a wired connection).

  • After installation on my system with a wired ethernet connection and manual settings for /etc/network/interfaces, Network Manager was disabled by default ("unmanaged") at installation. To activate Network Manager and allow it to manage networking settings, I edited a file (following the advice in this thread):
kdesudo kate /etc/NetworkManager/NetworkManager.conf

and changed the following section so that it read true instead of false:


Also, I double checked the /var/lib/NetworkManager/NetworkManager.state file to make sure that Networking was enabled:


I then restarted Network Manager:

sudo /etc/init.d/network-manager restart
  • When using Network Manager to manage the settings, the default setting is to obtain an IP address from the DHCP server on the network. However, I customised the Wired Connection to accept my static IP address as a "manual" (IPv4) IP address and set my custom DNS servers (I don't use the DNS servers of my ISP for security reasons) and a random MAC address (which I change periodically to limit tracking).
  • Precise is the first version of Kubuntu in which Network Manager reliably worked for me on both wired and wireless connections. When installing on a laptop with a wireless connection, it worked (in DHCP mode) without any additional configuration. Settings could then be set through the Network Manager plasma widget on the panel bar, including the ability to manually configure a static IP address for the wireless connection, as well.

Wicd Network Manager

Wicd Network Manager is a GTK-dependent networking manager written in Python that can be used in all variants of (K)Ubuntu. To avoid networking conflicts, Wicd requires the removal of Network Manager prior to installation.

sudo apt-get remove network-manager network-manager-pptp plasma-widget-networkmanagement network-manager-kde  
sudo reboot
sudo apt-get install wicd

Note: You must have a wired connection in order to install Wicd. Either install it prior to removing Network Manager or be sure the /etc/network/interfaces configuration file is properly configured manually so the default network interface allows you to access the Internet through a wired connection:

kdesudo kate /etc/network/interfaces

and remove the #NetworkManager# comments, if present, and make sure the file contents resemble:

# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
auto eth0
iface eth0 inet dhcp

Then restart networking:

sudo /etc/init.d/networking restart

This restores the default networking, and then Wicd can be installed. Once Wicd is installed, the connection settings can be changed through Wicd.

Set a static IP address

  • Precise Pangolin (12.04 LTS) is the first version of (K)Ubuntu in which I have been able to get Network Manager to accept my static IP address settings (for both wired and wireless connections).
Network Manager -> Manage Connections... -> connection -> Edit... -> IPv4 address -> Method: Manual -> IP Address: -> Subnet Mask: -> Gateway: -> OK
I also add the DNS servers I like to use (I don't use the DNS servers of my ISP for security reasons).
  • If you use only a wired interface, you do not need a network manager and it can be removed if desired. Doing so requires configuring the networking settings manually.
  • In Precise, Network Manager does not need to be removed if manual settings are used in /etc/network/interfaces. To allow the settings to take effect (and the network connection to be "unmanaged" by Network Manager), edit /etc/NetworkManager/NetworkManager.conf:
sudo kate /etc/NetworkManager/NetworkManager.conf

and change the following section so that it reads false:


Then restart Network Manager:

sudo /etc/init.d/network-manager restart
  • Edit the /etc/network/interfaces file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/network/interfaces
  • and replace the line (ok if line is missing)
iface eth0 inet dhcp
  • with the following lines (using your own LAN settings and desired DNS-nameservers, of course):
auto eth0
iface eth0 inet static
  • Then restart networking:
sudo /etc/init.d/networking restart
  • Check to see if your settings are now correct:
  • The Wicd network manager also allows a wireless connection to have a static IP.
  • In versions prior to Precise Pangolin (12.04 LTS) I was not able to get Network Manager to accept my static IP address settings. If you use only a wired interface, you do not need a network manager and it can be removed.
  • Remove Network Manager (replace network-manager-kde with network-manager if using Ubuntu instead of Kubuntu):
sudo apt-get remove network-manager-kde
sudo reboot
  • Edit the /etc/network/interfaces file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/network/interfaces
  • and replace the line (ok if line is missing)
iface eth0 inet dhcp
  • with the following lines (using your own LAN settings, of course):
auto eth0
iface eth0 inet static
  • Then restart networking:
sudo /etc/init.d/networking restart
  • Check to see if your settings are now correct:

Manual configuration from the command-line

3 steps for WEP:

sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient

WPA is more complicated:

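sudo mkdir -p /etc/wpa_supplicant
# "sudo echo ... > file" fails because the redirection runs without root rights, so write the file with sudo tee.
# The quoted here-document also keeps the double quotes that wpa_supplicant needs around the SSID and key.
sudo tee /etc/wpa_supplicant/wpa_supplicant.conf > /dev/null <<'EOF'
network={
    ssid="SSID"
    key_mgmt=WPA-PSK
    psk="PRESHAREDKEY"
}
EOF
# The file holds the pre-shared key, so make it readable by root only
sudo chmod 600 /etc/wpa_supplicant/wpa_supplicant.conf
cd /etc/network
sudo gedit interfaces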

Now add the following after the "auto eth[N] ..." and "iface eth[N] ..." lines:

# wext, or whatever driver your network card needs (comments must be on their own line in this file)
wpa-driver wext
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Save the file and restart your system.

Internet connection sharing (DHCP server)

In most LANs, an inexpensive router is used to provide DHCP functions (internet connection sharing).

However, DHCP services can also be provided by a single host computer on your LAN if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN). Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router. (If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to nest LANs). They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is LAN IP range - with netmask and gateway The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one of the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet (WAN) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see using a nested wireless LAN router below.)

(Note: If you want your LAN to use the same subnet as your WAN, see network interface bridging.)

  • Install the DHCP server and firewall programs:
sudo apt-get install dhcp3-server firestarter
  • Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd
  • Edit the DHCP server configuration file:
sudo nano -w /etc/default/dhcp3-server
Change the line
  • Restart the DHCP server:
sudo /etc/init.d/dhcpd restart
  • Right click on Network-Manager -> Edit Connections... -> Wired -> Add
-> Connection name: Shared internet connection
-> IPv4 Settings -> Method: Manual -> Add
-> Address: -> Netmask: -> Gateway:
-> Available to all users: [x]
  • Attach the ethernet cable to (eth0).
Network-Manager -> Wired Networks -> Shared internet connection
  • Adjust your firewall to allow the internet connection sharing. Start Firestarter:
sudo firestarter
  • Tell the firewall which port is your direct Internet Connection:

Firestarter -> Preferences -> Firewall -> Network Settings -> Internet connected network device: (wlan0)

-> IP address is assigned by DHCP: [x]
  • Tell the firewall which port is for the LAN, and specify the details for the LAN:

Firestarter -> Preferences -> Firewall -> Network Settings -> Local network connected device: (eth0)

-> Enable internet connection sharing: [x]
-> Enable DHCP for the local network: [x]
-> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign:
-> Highest IP address to assign: -> Name server: <dynamic>
Note: Use your own desired LAN settings (internal DHCP-assigned dynamic IP address range), of course. In this example I don't use the full IP range - for dynamic IP addresses because I want to reserve some LAN addresses ( - to be used as static IP addresses).
  • Notes:
  • If you wish to use this setup all the time, make the "Shared internet connection" profile your default connection profile in Network Manager.

Using a nested wireless LAN router

Many users will already have an established LAN that uses an existing wireless router and has client computers that are setup to connect wirelessly to the router. Here's how to maintain this setup and still use the internet connection sharing method of a single host computer as described above. This method is known as nested LANs. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges. For example, the main LAN may have an IP range - (with netmask, as in the above example. The router's nested wireless LAN must then use a different IP range (for example - with netmask

  • Do not use your wireless router's WAN (Internet) port.
  • Connect the host computer (to be used as your main LAN gateway/router) to a LAN port (not the WAN/Internet port) of the wireless LAN router.
  • Configure your wireless router's LAN so that it appears to be a single device to the main LAN:
  • Setup your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g., and make sure the subnet mask matches the one you chose for your main LAN (e.g. The gateway setting should be set to match the IP address of your host computer of the main LAN (e.g. in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
  • If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the schema are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) to be or greater. (Some routers ask you to specify the entire range (such as -
  • Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP instead of from the main LAN gateway.
  • Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
  • Note: The host computer for the main LAN must have a static IP address (e.g. as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

Network Interfaces Bridging

  • Install bridge-utils to be able to create network bridges:
sudo apt-get install bridge-utils
  • Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

The interfaces file should look like this after editing it:

auto eth0
iface eth0 inet manual
auto br0
iface br0 inet dhcp
bridge_ports eth0 wlan0
# The loopback network interface
auto lo
iface lo inet loopback
  • Restart networking with:
sudo /etc/init.d/networking restart

Using Dynamic IP addresses for a webserver

Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a static IP address, then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer.

However, if your IP address is dynamic (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a Dynamic DNS service to constantly keep track of your dynamically changing IP address and match it to your web server's URL. Fortunately, there are a few Dynamic DNS services that will do this for you, either for a small fee or even for free. For more info, see this Ubuntu Community help article.

For specific tips on setting up Dynamic DNS, see this article.



NFS is the default networking protocol for network file sharing in *nix systems (including (K)Ubuntu Linux). Here are some tips for setting up NFS from the Little Girl's Mostly Linux Blog.

Samba File Sharing

Samba client

Samba is a networking protocol that allows compatibility with Windows-based networks. The Samba client is installed by default in Ubuntu and should work seamlessly (unless you have a firewall blocking the ports).

Samba server

Samba provides file/print services for the SMB/CIFS protocol used in Windows-based networks. See the official Ubuntu documentation for more information about providing services in a Windows network. A Samba server can be installed using the tasksel option during installation of the Ubuntu server from the LiveCD, or at any time using:

sudo tasksel install samba-server
  • An alternative method of installation is:
sudo apt-get install samba samba-tools system-config-samba smbfs
Note: samba-tools, system-config-samba, and smbfs are optional.
  • Modify Samba settings.
  • Method 1:
Menu -> System -> Administration -> Samba
(Note: this is available only if you installed system-config-samba.)

It is recommended that your user be a member of the sambashare group, as well.

  • Method 2:
Enable File Sharing Server With User Login (Very Reliable Method)
Do the following on the machine that has the files to be shared:
  • Add current user to Samba:
sudo smbpasswd -a username
(replacing username with your login username)
  • Open the samba config file:
sudo nano /etc/samba/smb.conf
  • Add the directories to be added (right at the end) in the following format:
path = /home/username/<folder_to_be_shared>
(Replace username with your username and <folder_to_be_shared> with the folder you want to share)
Press CTRL+X and then Y to save.
  • Restart Samba:
sudo service smbd restart
sudo service nmbd restart
Note: Prior versions used:
sudo /etc/init.d/samba restart
  • On Windows access the folder in the following format in Windows Explorer:
(replace 192.168.x.x with the actual IP address of your server which is serving the folder)
  • On Linux type the following in Konqueror or Nautilus:
(replace 192.168.x.x with the actual IP address of your server serving the folder)

Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported here. In brief, you need to comment out/delete any instances of these two lines in /etc/samba/smb.conf:

case sensitive
msdfs proxy

Change your Workgroup

To change your Samba (Windows network) workgroup:

sudo nano /etc/samba/smb.conf

Look for the line:

workgroup = WORKGROUP

and change the setting to whatever your LAN workgroup is.

Recognizing Win98 machines

Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:

sudo nano /etc/samba/smb.conf

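Then add the following lines to the file. These settings let Samba client tools authenticate with the weaker LANMAN password hash instead of NTLMv2, so add them only where a Windows 98 machine has to be reached: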

client lanman auth = yes
client ntlmv2 auth = no

Integrating into Mac OS X Network

See this guide for information on integrating Ubuntu into an existing Mac OS X Appletalk network.

FTP Server

An FTP server allows the easy transfer of files between systems over the network. Clients such as Filezilla can be used to interact with an FTP server. Also see these FTP tips.


vsftpd is an FTP server available in (K)Ubuntu. For configuration information, see the official Ubuntu documentation. Install:

sudo apt-get install vsftpd


Proftpd is an FTP server available in (K)Ubuntu that can be used with either the MySQL or PostgreSQL database. Also see the Ubuntu Community documentation. Install:

sudo apt-get install proftpd-basic


WebDAV is a method for allowing remote access to local folders via an HTTP-based web browser or file manager. This can be combined with user authentication (using LDAP or other password mechanism).

Local Area Network

Modems / Dial-up

Network Manager does not accept modem connections. See Ubuntu help for information on identifying and connecting with a modem. These instructions require gnome-network-admin (install while connected to a wired ethernet connection):

sudo apt-get install gnome-network-admin

Gnome PPP and wvdial

Gnome PPP is a discontinued GUI frontend for the wvdial PPP modem dialer. It is still available as a package. Install:

sudo apt-get install gnome-ppp wvdial

See this forum thread for tweaks required to make Gnome PPP and wvdial operational in Lucid.


GPPP was the default modem dialing application in previous versions of Ubuntu.

Menu -> Applications -> Internet -> GPPP Internet Dial-up

Remote Access

There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called remote desktop protocol (RDP)). XDMCP allows a complete remote X-windows based login. Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.


Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The OpenSSH client is installed by default in Ubuntu so you can connect to another computer that is running an SSH server.

Connect to a remote SSH server

From the command-line terminal

Install the OpenSSH client (if not already installed):

sudo apt-get install openssh-client

From the command-line Terminal type:

ssh -C <username>@<computer name or IP address>
Note: The -C option indicates compression, which speeds up transmission through the tunnel.

For example:

ssh -C joe@remote.computer.xyz
ssh -C mike@
ssh -C -l mike
Note: -l specifies the login id.

If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

ssh -C joe.friday@remote.computer.xyz -p 11022
ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/user/.ssh. The key should be accessible only to user:

sudo chmod 600 /home/user/.ssh/identity
sudo chmod 600 /home/user/.ssh/id_rsa 

To login with the key:

ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."

Port forwarding through SSH

  • In brief, use
ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>

This specifies that any communications from your computer (localhost) going out through <local port> will be transmitted securely through the SSH tunnel port. To use VNC through the tunnel, you would use an application like Krdc or Vinagre:

krdc vnc://localhost:<local port>

Note: localhost is equivalent to (and interchangeable with) Either can be used.

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as X11VNC) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

For me, I noticed that I had to set <remote computer> to be the internal LAN IP address of the remote computer (such as instead of the remote router's IP address, which is specified in <remote IP>. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then <remote computer> and <remote ip> would be the same.)

Example: For extra security, my SSH Server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = I have set up an X11VNC server on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I setup port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.

ssh -C -p 11022 -L 5900: -l joe.friday
krdc vnc://localhost:5900

If you have set up a private/public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.

Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.


PuTTY is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login. A user would run Putty to create the SSH tunnel (instead of the ssh command) and then run a program such as Krdc or Vinagre. PuTTY is available for both Linux and Windows (but for routine Linux usage OpenSSH is generally recommended instead).

sudo apt-get install putty putty-tools
  • To create a 2048-bit RSA key pair compatible with OpenSSH, it is possible to use Puttygen (part of Putty-tools). (For me the Linux version of Puttygen is occasionally buggy, however, so I recommend OpenSSH keygen for routine usage instead):
puttygen -t rsa -b 2048 -O private -o putty_rsa.ppk
puttygen putty_rsa.ppk -O public-openssh -o id_rsa.pub
puttygen putty_rsa.ppk -O private-openssh -o id_rsa
  • Move the OpenSSH-compatible keys to the ~/.ssh (i.e. the /home/user/.ssh) folder
mv id_rsa* ~/.ssh
  • Copy the public key ( /home/user/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/serveruser/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id serveruser@remoteserver.computer.xyz
  • Connect a VNC client (such as Krdc) through SSH using the command-line:
putty -ssh -i ~/.ssh/id_rsa -l serveruser -L 5900: remoteserver.computer.xyz -P 22
krdc vnc://
or as a single command:
putty -ssh -i ~/.ssh/id_rsa -l serveruser -L 5900: remoteserver.computer.xyz -P 22 sleep 5; krdc vnc://
  • Alternatively, the PuTTY SSH Client GUI can be run (from Menu -> Internet -> PuTTY SSH Client) and options configured from there.

Using keys created by Puttygen in OpenSSH

The public security key generated by Puttygen in Windows is generally not compatible with OpenSSH security keys unless it is edited. For example, the default OpenSSH key is 2048-bit RSA (SSH-2). When a 2048-bit RSA (SSH-2) PuTTY public/private key pair is generated (by Puttygen) in Windows (see this tutorial), the public key looks like:

Comment: "rsa-key-20100302"
  • To be used by OpenSSH, the saved public key must be edited.
  • Delete the first two lines (with the BEGIN and Comment: in them) and the last line.
  • Join the remaining lines into a single line.
  • Place ssh-rsa at the beginning.
  • It should end up looking like:
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAjdp567qxsGkhELlMQup2mXHdsveCWq/maU6kunPpbkwEuhkasuOrhkAWgv5v3d8S857zdHcfnXWi2FkEaJuFxqpJ2IkFuvqRdqYDZCcASj2S0LoXdWpC4uon6VH8oBT31r+wkDfmI2a+K74jgXjtm1BWWxwOpKaWQHi9YItbY/06renRex34n3ejO20JRqD/BxnFU7ND41Szo3ZMKoa0yzhevU2ntt74BCvCbYFHdSoRbi3AH8qGInzFfhXPdrG8qA382ZKEh5Bmy8Qxb9Uen/+jjP51YxN/ykeeRwSrdSCZekB6jN6uuTLNDEXJSJizqlPU8tROqf3pYv1kxzD9bw==
  • Once the PuTTY public key is in this format, it can be appended to the ~/.ssh/authorized_keys file on the OpenSSH server. (The private key stays on the client computer, of course). PuTTY can then connect (from Windows or Linux) to an OpenSSH server using the public/private key method.
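
The manual edit described above, written out as a shell function. This is an added example, not part of the original page; the function names and the sample key are constructed here. It goes slightly beyond the steps in the text by reading the key type from the key data itself instead of always writing ssh-rsa, and it rejects files whose body is not a valid public-key blob.

```sh
#!/bin/sh
# Added example, not from the original page. Function names and the
# sample key below are constructed for illustration.

# Print the algorithm name stored at the start of a public-key blob:
# a 4-byte big-endian length followed by the name (e.g. "ssh-rsa").
key_type_from_blob() {
    printf '%s' "$1" | base64 -d >/dev/null 2>&1 || return 1
    len=$(printf '%s' "$1" | base64 -d | od -An -tu1 -N4 |
          awk '$1 == 0 && $2 == 0 && $3 == 0 && $4 > 0 && $4 <= 64 { print $4 }')
    [ -n "$len" ] || return 1
    name=$(printf '%s' "$1" | base64 -d | tail -c +5 | head -c "$len")
    case $name in
        ''|*[!A-Za-z0-9@._-]*) return 1 ;;
    esac
    printf '%s' "$name"
}

# Convert a PuTTY-exported SSH2 public key file ($1) to the one-line
# format used in ~/.ssh/authorized_keys and print it.
putty_pub_to_openssh() {
    clean=$(tr -d '\r' < "$1")          # Windows files use CRLF line ends
    # Drop the BEGIN/END markers and header lines such as "Comment:"
    # (a header continues on the next line when it ends in a backslash),
    # then join the remaining base64 lines into one.
    blob=$(printf '%s\n' "$clean" | awk '
        /^---- (BEGIN|END) SSH2 PUBLIC KEY ----/ { next }
        cont || /^[A-Za-z0-9-]+: /  { cont = ($0 ~ /\\$/); next }
        { gsub(/[ \t]/, ""); printf "%s", $0 }')
    [ -n "$blob" ] || { echo "no key data found in $1" >&2; return 1; }
    ktype=$(key_type_from_blob "$blob") ||
        { echo "key data in $1 is not a valid public key" >&2; return 1; }
    # Keep the PuTTY comment, without its quotes, as the trailing comment.
    comment=$(printf '%s\n' "$clean" |
        sed -n 's/^Comment: *"\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' | head -n 1)
    printf '%s %s%s\n' "$ktype" "$blob" "${comment:+ $comment}"
}

# Constructed sample in PuTTY's export layout. The key data is a tiny
# made-up blob that only has the right structure; it is not a usable key.
write_sample_key() {
    cat <<'EOF'
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "constructed-sample"
AAAAB3NzaC1yc2EAAAAD
AQABAAAABADA/+4=
---- END SSH2 PUBLIC KEY ----
EOF
}

sample=$(mktemp)
write_sample_key > "$sample"
putty_pub_to_openssh "$sample"
rm -f "$sample"
```

Where the OpenSSH tools are installed, ssh-keygen -i -f <file> performs the same import.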

Connect using SSH Agent

With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See this tutorial.

Also see this alternative simple approach: Connect with SSH and start an application with a single command.

Setup an SSH server

Install the OpenSSH server:

sudo apt-get install openssh-server
sudo apt-get install tasksel
sudo tasksel install openssh-server

Note: The OpenSSH server can also be installed when doing a server installation as an option from the LiveCD.

Note: An OpenSSH server can also be set up on a Windows server using Cygwin. See these instructions.

  • Don't forget to forward the port on which your OpenSSH server is listening. The default SSH port is 22; if the default is used, the router should therefore forward port 22 to the computer on the LAN that is hosting the OpenSSH server. The OpenSSH listening port can be changed; in fact, each computer on the LAN can listen on its own unique SSH port, if desired. The router must forward each specified listening port to the correct computer. Therefore, if computer 1 has its OpenSSH server set to listen on port 22221, then the router should forward port 22221 to computer 1's LAN IP address. If computer 2 has its OpenSSH listening port set to 22222, then obviously the router must forward port 22222 to computer 2's LAN IP address. To change the listening port of the OpenSSH server, edit the /etc/ssh/sshd_config file (use the gedit text editor instead of kate if using Ubuntu instead of Kubuntu):
sudo kate /etc/ssh/sshd_config

and change the listening port from 22 to your desired listening port:

Port 22221

then restart the OpenSSH server:

sudo /etc/init.d/ssh restart

Limit authorized SSH users

OpenSSH Public Key Authentication

See this OpenSSH Public Key Authentication Tutorial.

In brief, it is necessary to generate a public / private key pair. On your client machine, generate the pair:


A prompt asks for a passphrase. If you wish to use OpenSSH without a password from a secure client (to which no one but you has access), leave the passphrase blank. If you enter a passphrase, you will be asked for this passphrase each time you use the SSH client. By default, a 2048-bit RSA SSH-2 key pair is generated and stored in the /home/user/.ssh folder. The private key is named id_rsa and is meant to stay in that folder. (The public key is id_rsa.pub and is meant to be copied to the OpenSSH server.)

  • The private key must only be accessible (and should be read-only) to user, the owner of the file:
chmod 600 /home/user/.ssh/id_rsa
You could also make the entire .ssh folder accessible only to user:
chmod 700 /home/user/.ssh
  • Copy the public key ( /home/user/.ssh/id_rsa.pub ) to the server that is hosting the OpenSSH server, into the /home/serveruser/.ssh (for whichever user is the administrative user for the server -- generally the user that installed the server initially). If the SSH tunnel is (still) set at default port 22, you can copy the key using the utility:
ssh-copy-id serveruser@remoteserver.computer.xyz
  • The ssh-copy-id utility only works over port 22. An alternative if you have changed your SSH port is to copy the /home/user/.ssh/id_rsa.pub key to the server manually. On the server make sure the directory /home/serveruser/.ssh exists and that there is a file authorized_keys (with write privileges) in that folder. If not, create such a file while logged into the server as serveruser (the touch command creates an empty file):
mkdir ~/.ssh
cd ~/.ssh
touch authorized_keys

Then concatenate the id_rsa.pub key you have copied to the ~/.ssh folder. (Make sure the owner of id_rsa.pub, after copying, is serveruser.):

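cd ~/.ssh
chown serveruser id_rsa.pub
# Append only the new public key; authorized_keys must not also be listed as an input
cat id_rsa.pub >> authorized_keys
# Keep the file writable by its owner only
chmod 600 authorized_keys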
  • Make sure the OpenSSH server knows to look for the key file. On the remote server, edit the OpenSSH configuration file:
sudo nano /etc/ssh/sshd_config
  • Uncomment the line (i.e. remove the # at the beginning of the line):
#AuthorizedKeysFile %h/.ssh/authorized_keys
  • Remove the ability to login to the OpenSSH server using password authentication:
 sudo nano /etc/ssh/sshd_config
  • Change the line
#PasswordAuthentication yes
to
PasswordAuthentication no
  • Restart the OpenSSH server:
sudo /etc/init.d/ssh restart
  • Now you can connect securely with an SSH tunnel without requiring a password, logging in as serveruser.
ssh -l serveruser -L 5900: remoteserver.computer.xyz -p 22
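
A check of the settings this procedure changes, as an added example that is not part of the original page; the function names and the sample configuration are constructed here. It reads sshd_config the way sshd does (the first uncommented occurrence of a keyword wins), so a line left as #PasswordAuthentication yes, or a no added below an earlier yes, is reported as still allowing password logins. It also checks the file modes given above for the .ssh folder and the private key.

```sh
#!/bin/sh
# Added example, not from the original page. Function names and the
# sample configuration are constructed for illustration.

# Print the effective value of keyword $2 in the sshd_config file $1.
# sshd uses the FIRST uncommented occurrence and keywords are
# case-insensitive. Lines after the first "Match" are conditional and
# are not considered. Assumes the usual "Keyword value" form.
sshd_effective() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/              { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Report the settings the procedure relies on; returns 1 when password
# logins are still accepted.
audit_sshd_config() {
    cfg=$1
    rc=0
    pw=$(sshd_effective "$cfg" PasswordAuthentication)
    case $(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]') in
        no) echo "OK   PasswordAuthentication no" ;;
        '') echo "WARN PasswordAuthentication not set: the default is yes"; rc=1 ;;
        *)  echo "WARN PasswordAuthentication $pw"; rc=1 ;;
    esac
    akf=$(sshd_effective "$cfg" AuthorizedKeysFile)
    echo "INFO AuthorizedKeysFile ${akf:-.ssh/authorized_keys (default)}"
    port=$(sshd_effective "$cfg" Port)
    echo "INFO Port ${port:-22 (default)}: the router must forward this port"
    return $rc
}

# Compare the permission bits of path $1 with the octal mode $2.
# Uses GNU stat, as shipped with (K)Ubuntu.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "SKIP $1 (missing)"
        return 0
    fi
    mode=$(stat -c %a "$1")
    if [ "$mode" = "$2" ]; then
        echo "OK   $1 mode $mode"
    else
        echo "WARN $1 mode $mode, expected $2"
        return 1
    fi
}

# Check a client's .ssh folder ($1) against the modes given in the text:
# 700 for the folder, 600 for the private key.
audit_key_files() {
    dir=$1
    krc=0
    check_mode "$dir" 700 || krc=1
    check_mode "$dir/id_rsa" 600 || krc=1
    return $krc
}

# Constructed sample: the port was changed but the password line was
# left commented out, so the default (yes) still applies.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
Port 22221
#AuthorizedKeysFile %h/.ssh/authorized_keys
#PasswordAuthentication yes
EOF
audit_sshd_config "$demo/sshd_config" || echo "=> password logins are still possible"
rm -rf "$demo"
```

On the server, run audit_sshd_config /etc/ssh/sshd_config after the restart; on the client, run audit_key_files ~/.ssh.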

Connect with SSH and start an application with a single command

  • If you have created an OpenSSH key pair (without a password), you can start both the SSH tunnel and a VNC program (such as Krdc or Vinagre) to run through the SSH tunnel with a single command:
ssh -f -l serveruser -L 5900: remoteserver.computer.xyz -p 22 sleep 5; krdc vnc://
  • Alternatively (and probably preferably) you can create a Menu Item / Shortcut with the above command.

Note: This command is a command-line mini-script. The SSH -f option tells the SSH client to fork into the background after starting. (This option is not available in the PuTTY client.) This allows the command line to proceed to the next command(s) listed in the mini-script. The 5 second wait ("sleep") timeout allows time for the SSH tunnel to be created before proceeding to the next command. (This can be lengthened if necessary.) After the wait period, the program (Krdc VNC in this example) is started.

  • Of course, any program could be started (to be run through the SSH tunnel) in this fashion, not just a VNC program.

Automate SSH connections that require a password

This method is strongly advised against. Transmitting an unencrypted password through the Internet (in order to establish an SSH connection) invites password sniffing. Use the OpenSSH key pair methods described above, instead. This method is listed here for reference.

  • Terminal interactions (such as the SSH password challenge) can be automated using the expect utility. Install:
sudo apt-get install expect
  • If, for example, your SSH client ID is clientuserID, your password is not#1sostrong, and the remote SSH server is remoteserver.computer.xyz (using the default SSH port of 22), then use this command to start the SSH tunnel:
expect -c 'spawn ssh -l clientuserID -L 5900: remoteserver.computer.xyz -p 22; expect assword ; send "not#1sostrong\n" ; interact'

There are other parameters in this example. 5900 and 5901 are the ports to be used on either side of the tunnel (port 5900 is used for VNC, for example). See Port forwarding through SSH for more details.

You can use the entire command as a menu item (must be "Run in terminal" in the Advanced menu options).


Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as X11VNC, Vino, or Krfb). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent -- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system. (Windows users can use one of several clients such as UltraVNC Viewer.)

Vino Remote Desktop VNC server

Vino-server (the Gnome VNC server) is included by default in Ubuntu. Start:

Menu -> System -> Preferences -> Remote Desktop
  • You can accept uninvited connections in the Security section. You can require a password for these connections.
  • This implementation of Vino does not allow changing the default listening ports (which start at 5900). If you wish to customize your VNC connection, use X11VNC instead.

How to securely use VNC with SSH tunneling

It is less secure to leave the VNC listening port open to the Internet, even with a password. (This can expose you to password cracking attempts.)

It is more secure to use SSH to tunnel your VNC connection. Under SSH port forwarding, the VNC listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900. Only the VNC server and the SSH client need to specify the <remote port> in a secure connection.

X11VNC Server

While Vino is easy to use, X11VNC allows far more customization and is therefore better suited to situations where greater security is needed.

  • Install an X11VNC server to share your desktop with another computer:
sudo apt-get install x11vnc
  • Run X11VNC without a password:
x11vnc -forever -rfbport 5900
Note: -rfbport 5900 specifies the port to listen on. The port number can be changed. This option is not required if the default port 5900 will be used. Don't forget to open/forward this port in your firewall/router. By default X11VNC server exits after the first client disconnects. To keep it running (and allow future connections), use the -forever option. See here for more command line options.
  • Create a password to use with X11VNC:
mkdir ~/.vnc
x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass
  • X11VNC can then be started with a password:
x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0
  • You can create a startup script so that X11VNC is automatically loaded at startup (with password settings):
echo "/usr/bin/x11vnc -forever -rfbport 5900 -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0" > ~/.config/autostart/x11vnc.sh
chmod +x ~/.config/autostart/x11vnc.sh
  • You can test the startup script:

Using VNC with SSH

See Port forwarding through SSH for additional information.

Vinagre VNC client

Vinagre is the default Gnome-based VNC client used in Ubuntu.

  • Menu -> Applications -> Internet -> Remote Desktop Viewer

Terminal Server Client

The Terminal Server Client is an Ubuntu/Gnome frontend for rdesktop (for RDP connections to Windows computers) and one of several vncviewer clients (for VNC connections). It can be used instead of Vinagre.

  • Menu -> Applications -> Internet -> Terminal Server Client
  • To use it with VNC, one of the VNC clients must be installed first. For example, install the TightVNC client:
sudo apt-get install xtightvncviewer
  • Note that the TightVNC client can be used from the command line (or as a menu item) directly:
where is an example host location that is running a VNC server on port 5900. For more command-line options, use
man vncviewer

Krdc VNC client

Krdc is the default VNC client in Kubuntu/KDE but can be used in GNOME. It can be used for both VNC and RDP connections. Installing it will also install the Qt platform and many KDE utilities (a large download).

sudo apt-get install krdc
  • Run:
Menu -> Applications -> Internet -> Krdc
  • The command-line connection (for use as a menu-item, for example) is:
krdc vnc://<remote IP>
  • If the remote (Krfb) VNC server is using a <remote port> other than the default 5900 port, use
krdc vnc://<remote IP>:<remote port>
  • Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol).
krdc rdp://<remote IP>:<remote port>

Using a VNC client with SSH

See this howto for an automated setup using a script (it did not work for me, but it might for you).

In brief, you would initiate an SSH tunnel with port forwarding using PuTTY or the command line:

ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
then you would start a VNC client such as Krdc:
krdc vnc://localhost:<local port>

<local port> will usually be the default 5900, in which case you could simply use

krdc vnc://localhost

XVNC4Viewer VNC Client

XVNC4Viewer is an alternative to Vinagre or the Terminal Server Client (vncviewer). Install:

sudo apt-get install xvnc4viewer

Automatic user login (for use with VNC)

VNC only works if a user is logged in. When a computer (hosting one or more servers) is intended to start up unattended and VNC (with or without SSH tunneling) is to be used, the computer ought to start with the primary user logged in. To accomplish this:

Menu -> System -> System Settings -> Login Manager -> Convenience -> Enable Auto-Login (ticked) -> Lock session (ticked)
-> Pre-select user: Specified: Choose primary user (i.e. the user hosting the SSH tunnel, if any, and the VNC server)
-> Automatically log in again after X server crash (ticked)
  • Also make sure the VNC server is set to Autostart at bootup.


FreeNX is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).

FreeNX Server

The Free server .deb package can be downloaded from No Machine free server downloads.

sudo add-apt-repository ppa:freenx-team
  • Install the package:
sudo apt-get update
sudo apt-get install freenx

FreeNX Client

Download the self-installing .deb file from No Machine Client downloads.


XDMCP allows a separate remote login by an authorized user. This login is separate from the local user.

  • XDMCP is not secure over the Internet and should only be used within a LAN. It cannot be tunnelled through SSH. It is turned off by default in Ubuntu. To enable it, edit the configuration file:
gedit /etc/gdm/custom.conf
  • Find and change (or add) the line from false to true so that it reads:


SSH is, basically, secure Telnet.

VPN clients

A VPN (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.

VPN through Network Manager

  • The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections. Install:
sudo apt-get install network-manager-vpnc
  • To connect to a VPN network using OpenVPN (SSL), install the plugin:
sudo apt-get install network-manager-openvpn
  • To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
sudo apt-get install network-manager-pptp
  • Configure:
Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

vpnautoconnect (vpn daemon)

vpnautoconnect is a daemon to allow automatic vpn connections through Network Manager. Download and install the .deb package for your OS version.

Other VPN clients

Standalone VPN clients based on protocol are available (but not necessary if using Network Manager):

  • vpnc, grml-vpn -- for Cisco-compliant (IPSec) VPN networks
  • openswan -- for IPSec (OpenSwan) VPN networks
  • pptp-linux -- for PPTP (MS Windows-compliant) VPN networks
  • openvpn, gadmin-openvpn-client -- for OpenSSL (OpenVPN) VPN networks

VPN servers


OpenVPN is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):

sudo apt-get install openvpn bridge-utils

A GUI configuration utility (GTK-based) is available:

sudo apt-get install gadmin-openvpn-server

Also see these installation tips.

Poptop (PPTP Server)

Poptop is a free open-source PPTP-based VPN server compatible with MS-windows PPTP clients. Install:

sudo apt-get install pptpd


OpenSwan is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:

sudo apt-get install openswan linux-patch-openswan


(Under construction.)


Ubuntu by default is a fairly safe system. However, if you intend to use Ubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Ubuntu more secure. A good introduction to Ubuntu Security Best Practices is available. Recommended reading includes the book Cyber War by Richard Clarke and this interview with Joe Weiss (IT advisor for the energy-sector smart grid). Also read this CNN Money article.

  • Unfortunately, many users have a false sense of security about Linux operating systems. Linux is not immune to rootkits, viruses, and trojans (no matter how often it is asserted). See this page for a partial list of malware concerns present in Linux.

USB flash drive security

USB drives are a major means of data theft. USB flash drives can also be used to spread malware and exploit operating systems. (See this article for an example.)

  • An administrator password should be set for the computer BIOS and booting from a USB drive or CD/DVD should be disabled. (Otherwise, any passerby can boot their own OS and then use it to steal data from the hard drive.)
  • For any device's user account that does not have complete security (with full access restrictions to it), it is recommended to turn off the privilege to use a plugged-in USB drive. See this thread and this article for methods of restricting USB usage to authorized users.
Settings -> System Settings -> User Management -> User Accounts -> user -> Modify -> Privileges and Groups -> Privileges: Use floppy drives (unticked) -> Groups: plugdev (unticked) -> OK

Prevent unauthorized boots and system access

Many computers are kept in places where casual passersby may have an opportunity to access the computer, unobserved for short periods. In addition to physical precautions to prevent or slow computer theft (such as locked cases, alarms, and security cables similar to those used to slow bicycle theft), precautions should be taken to prevent an unauthorized operating system from being booted using an external device (such as a USB drive). Once such an external OS is booted, it can be used to access most hard drive(s) on the computer and copy the contents to a second external device (to be examined or decrypted later). This is a common means of data theft that is fast and easy to accomplish, and means to deter it should be taken on any public or semi-public computer.

  • Set BIOS to restrict bootup to the hard drive only.
  • Set a Supervisor/Administrator password for your computer's BIOS. (I recommend writing it down and taping it to the inside cover of the computer case prior to locking the computer case.) Disable booting from all devices except the hard drive. Setting the hard drive as the first priority boot device is not enough, as most current BIOS menus allow manual selection of any enabled boot devices. Only the hard drive should be left enabled.
  • Enable Hard Drive locking, if your computer's BIOS allows it. Most hard drives allow a password to be set by the BIOS and stored in a chip on the hard drive controller which can only be reset by disassembling the hard drive. (Some manufacturers provide a backdoor security key, however.) BIOS versions found on newer computers/laptops allow this password to be set in the BIOS, so that only a BIOS containing the correct password can unlock the hard drive. (If the hard drive is then removed from the computer, it cannot be accessed by any BIOS that does not have the correct password or backdoor security key.) Note, however, that this precaution does not protect against booting from external devices if the BIOS is still set to allow that.
  • There is a risk to this security measure. If you forget the password and the BIOS passwords somehow get reset, the hard drive would become inaccessible. The BIOS and Hard Drive password(s) should always be stored in a safe location.
  • Password protect the Grub bootloader. Without password protection, Grub can be used to circumvent BIOS restrictions. See this section for Grub Legacy and this section for Grub2.
  • Make sure all user accounts are protected by a password, and always require passwords for login. Never create an "administrator" user account (hidden or not) and leave it unprotected by a password. Never enable automatic login without a password to any user account.
  • It is possible to enable automatic login to a preferred password-protected user account while simultaneously enabling a password-protected screensaver (the password for which must still be entered even before initial user access). This is a reasonable solution that offers protection while still allowing automatic login.
  • Make sure a password-protected screensaver is always enabled (that will engage after a reasonably short period of inactivity).


Network communications go through "channels" called ports. You can restrict which ports are available ("open") for network communications, creating a barricade to unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it, one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested. All of these packages modify iptables, which is the set of rules that controls network access in and out of your computer. (You can modify iptables manually from the command line, as well, but if you are that much of an expert, you probably don't need this guide.) Also see the official Ubuntu documentation.


Firestarter is an intuitive firewall manager used to set the iptables values which provide firewall capabilities in Linux (including Ubuntu). It has a very easy-to-use GUI.

sudo apt-get install firestarter
  • When running Firestarter, some common outgoing ports that ought to be opened/unblocked/"allowed" include 80 (HTTP), 443 (HTTPS), 53 (DNS), 993 (secure IMAP), 465 (secure SMTP), 123 (NTP).

Firestarter fails to open system log

This is a problem in Precise. See the solution here.


Shorewall (Shoreline Firewall) is an open-source firewall configuration manager for Netfilter / Iptables that does not require a background process to be running. It supports VPNs. Install the IPv6 version:

sudo apt-get install shorewall6
or the "lite" IPv6 version:
sudo apt-get install shorewall6-lite
  • Alternatively, the IPv4 version can be installed:
sudo apt-get install shorewall
or the "lite" version:
sudo apt-get install shorewall-lite


Guarddog is a GUI firewall configuration utility that was used for the KDE 3.1 desktop series. It has a complex array of configurations, and is difficult to use for some beginners. As of (K)Ubuntu 11.04 Lucid Lynx, Ubuntu repositories no longer carry Guarddog. To obtain legacy packages, see here.

Uncomplicated Firewall

Uncomplicated Firewall is installed in (K)Ubuntu by default, but all ports are open initially. It is configurable through the command-line interface. See this forum thread, or this usage tutorial, or Ubuntu community help for tips on how to set up and use it. If not installed, it can be installed:

sudo apt-get install ufw


Gufw is a graphical user interface for Uncomplicated Firewall. Install:

sudo apt-get install gufw


  • If you are running a file server, interface frequently with Windows drives or share files with Windows users, or use virtualization, you will want a virus checker for your Windows files.
  • Despite extensive misinformation, Linux is not immune from malware (witness the explosion of malware being created for the Linux-based Google Android systems). The malware is not usually spread within the OS itself (as long as the OS is a well-respected distribution obtained through official channels), but in trojan programs downloaded and installed by users outside of the normal software distribution channels (i.e. repositories) of the OS. There is always a danger to using programs downloaded from the Internet from sources other than respected repositories -- it is the primary reason that Debian and (K)Ubuntu retain tight control over their software repositories.
  • Any file can have malware embedded in it (which is trivial to achieve by concatenation, for example: cat originalfile.avi malware.exe > originalfileplusmalware.avi). The question is whether a user will try to open a file with a program (such as a media player) that has been compromised in a way that allows it to execute the code found in the infected media (e.g. .avi) file. This can occur not only for Windows users but for any OS (including Mac OSX and Linux) with a compromised program (e.g. media player). An example is the extensive problems the Mac OS community is currently having with the Flash player.
  • Routine scanning of any file downloaded from the Internet, any file imported from another user's computer (even a trusted source, since their attention to virus prevention may not be as compulsive as yours), or any attachment received in an email (even from a trusted sender) should be done with an anti-virus program.


ClamAV is the open source virus tool for Linux. To install ClamAV:

sudo apt-get install clamav
  • If an error is returned: "The database directory must be writable for UID 1000 or GID 1000" in order for the virus database to be updated, then change the ownership of the installation directory (/var/lib/clamav):
sudo chown 1000 /var/lib/clamav

ClamTk (ClamAV GUI)

ClamTk is a GTK-based GUI frontend for ClamAV. Install:

sudo apt-get install clamtk


AVG offers a free virus scanner for Linux in a .deb package. Download and install from the website.


Avast offers a Linux edition (for home users only) in a .deb package. Download and install from the website.


SpamAssassin

SpamAssassin is written in Perl, and is mostly for use with a server (such as a groupware server or Apache). Install:

sudo apt-get install spamassassin

Rootkit checkers

Rootkits are malicious trojan-like programs that allow an intruder to become a root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear in Linux. Checking for rootkits isn't always successful from a system that is already infected. Your rootkit checker should therefore be run from another system, or a USB pendrive with an Ubuntu LiveCD installation. See the rootkit checker manuals for instructions on how to do this. If you are infected with a rootkit, you must back up all your files and re-install your system. (Thank goodness this is easy with Ubuntu, unlike with other operating systems.)


Chkrootkit checks locally for signs of a rootkit. See the chkrootkit manual for usage instructions.

sudo apt-get install chkrootkit
sudo chkrootkit

Rootkit Hunter

Rootkit Hunter is compatible with (K)Ubuntu systems. See the usage instructions.

sudo apt-get install rkhunter
sudo rkhunter --check

Malicious commands to avoid

There are many malicious commands to be avoided in Linux (as in all operating systems). It is worthwhile to be aware of these dangerous commands so that they are not executed by accident or by malicious advice.

PHP Security

Many open-source web publishing / groupware systems and programs rely heavily on PHP scripting.

  • Spambot Security offers ZB Block and other tools to help protect PHP-utilising sites from spam, malware, and other nuisances.

Network Monitors

There are two types of network monitors: those that monitor your own system's network settings and those that monitor network traffic. The latter includes security tools (that can also be used as hackers' tools) for exposing security weaknesses in a network. Be aware and be safe! A list of available tools is at Top Ubuntu Security Tools.


Netstat is the Linux command-line tool to monitor network status and functions. There are many usage parameters. See the manual for help.


Etherape (Network monitoring)

EtherApe is a graphical utility that allows you to see (in real-time) where connections are being made on your network, or between your network (or computer) and the Internet. If you are experiencing unexpected network activity on your computer or LAN and wish to see where the activity is occurring, this is an easy tool to use. Both "local" user and "root user" installations are created; in general you must use the root user installation to see all your network traffic.

sudo apt-get install etherape

List open files

Sometimes you will see your network slowing and want to know which files are sending data over ports. Use this command:

lsof -i -n -P


Nmap is a free open source utility for network exploration (including showing open ports and running services) and security auditing. Also see these usage tips. Install:

sudo apt-get install nmap

Scan your own PC:

nmap localhost

(Once you have found out which ports are open, use a firewall to close the ones you don't want open.)
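
The lsof command listed above, turned into a repeatable check (an added example, not from the original page): it reads `lsof -i -n -P` output and lists every TCP listener or unconnected UDP socket bound to a non-loopback address that is not on an allow-list you pass in, so you can see which program holds each port before deciding what the firewall should close. The sample output, including the x11vnc listener on port 5900, is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find sockets that accept traffic from other machines.

# usage: lsof -i -n -P | exposed_listeners "tcp/22 udp/123"
# The argument is a space-separated allow-list of proto/port pairs.
exposed_listeners() {
    awk -v allow=" $1 " '
        # Column 8 is the protocol, column 9 the address, the last column
        # the TCP state. The header row fails the protocol test below.
        $8 != "TCP" && $8 != "UDP"       { next }
        $8 == "TCP" && $NF != "(LISTEN)" { next }   # listening TCP only
        $8 == "UDP" && $9 ~ /->/         { next }   # skip connected UDP
        {
            n    = split($9, part, ":")
            port = part[n]                           # text after last ":"
            addr = substr($9, 1, length($9) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            id = tolower($8) "/" port
            if (index(allow, " " id " ")) next       # expected service
            print id, $1
        }
    ' | sort -u
}

# Constructed sample of `lsof -i -n -P` output (documentation addresses).
sample_lsof() {
    cat <<'EOF'
COMMAND    PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd       812  root    3u  IPv4  10301      0t0  TCP *:22 (LISTEN)
sshd       812  root    4u  IPv6  10303      0t0  TCP *:22 (LISTEN)
x11vnc    2211  user    6u  IPv4  22110      0t0  TCP *:5900 (LISTEN)
cupsd      640  root    7u  IPv4   9120      0t0  TCP 127.0.0.1:631 (LISTEN)
cupsd      640  root    6u  IPv6   9119      0t0  TCP [::1]:631 (LISTEN)
firefox   3010  user   55u  IPv4  40112      0t0  TCP 192.0.2.20:51514->198.51.100.7:443 (ESTABLISHED)
avahi-dae  601  avahi  13u  IPv4   8801      0t0  UDP *:5353
EOF
}

# SSH is expected to be reachable; everything else printed needs a decision:
# bind it to loopback, tunnel it through SSH, or block it in the firewall.
sample_lsof | exposed_listeners "tcp/22"
```

On a real system run `sudo lsof -i -n -P | exposed_listeners "tcp/22"`; without sudo, lsof only shows sockets belonging to your own processes.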

Nmap GUI


sudo apt-get install nmapfe
or you can try Zenmap:
sudo apt-get install zenmap


Nessus is a proprietary comprehensive vulnerability scanning suite that is free for personal, non-enterprise usage. See the website for details.


Snort is the de facto open source standard for intrusion detection. Install:

sudo apt-get install snort

It can be used with an MySQL database (sudo apt-get install snort-mysql) or with a PostgreSQL database (sudo apt-get install snort-pgsql).


AcidBase is an intrusion detection / basic analysis and security engine that uses Snort. Install:

sudo apt-get install acidbase


AppArmor is a set of security enhancements developed by Novell for SUSE Linux. It is installed in (K)ubuntu by default.

Disable AppArmor

AppArmor can prevent some services from running as expected and cannot be used in conjunction with SELinux. To disable it:

sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
sudo apt-get remove apparmor apparmor-utils


SE Linux (Security Enhanced Linux) is an NSA (US National Security Administration) recommended set of tools for enhanced security in Linux systems. It enforces strict access controls (privileges) and is meant for mission-critical installations. It is not suitable for the casual desktop user. It was first available in Hardy Heron and is being updated for Intrepid Ibex. It is not compatible with AppArmor (which must first be removed).

sudo apt-get install selinux

Knockd (Port security)

Knockd is a small server that listens for a pre-defined sequence of port opening attempts (a "knock") before opening an otherwise closed firewall port for communications. Install:

sudo apt-get install knockd

Network Management

Monitor your network or datacenter with a framework of utilities. Comparable to IBM Tivoli (which can cost thousands of dollars), these solutions are generally available as either community or enterprise editions.

  • Hyperic is an open-source network monitoring framework that can be used in either a datacenter or a cloud environment (it is used for Amazon Cloud). Both a free community version and a subscription enterprise version are available.
  • Groundwork OpenSource offers a community edition that integrates other packages such as Nagios, Nmap, and others. There is a subscription enterprise version as well. It has its roots in a university setting.
  • OpenQRM is the GPL-licensed, free open-source community successor to the very popular network monitoring solution Qlusters. It is available as a Debian/Ubuntu package. See the website for details.
  • Canonical offers the Landscape network management service for $150 per node, with a free trial available.
  • Zenoss is a commercial network monitoring subscription package (about $150/node) with a limited free "core" edition also available.


Nagios is a free open source network monitoring solution. It is administered from a web interface (http://localhost/nagios) and is expandable using a large number of available plugins. For additional configuration information, see the official Ubuntu documentation. Install:

sudo apt-get install nagios3


Munin is a free GPL-licensed open source networking monitoring tool based on RRDTool, in which a master network node queries other network resources, cataloging and graphically displaying changes. It has a web interface and multiple plugins. For additional configuration information, see the official Ubuntu documentation. Install:

sudo apt-get install munin

Cacti Monitoring Server

Cacti is a complete, free open source network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality. Cacti provides a fast poller, advanced graph templating, multiple data acquisition methods, and user management features out of the box. It uses MySQL and PHP (part of the LAMP server stack). All of this is wrapped in an intuitive, easy to use interface that makes sense for LAN-sized installations up to complex networks with hundreds of devices. For more info see Cacti Server Setup. Install:

sudo apt-get install cacti

Cluster SSH

ClusterSSH allows a command entered on an administration console to be replicated via SSH to multiple computers in a cluster. Install:

sudo apt-get install clusterssh

Enterprise Network Firewall


IPCop is a free open source (GPL-licensed) firewall solution for use as an independent appliance (on a dedicated PC) in an enterprise network. It allows remote management and can protect multiple servers, including web and email servers. IPSec-based OpenVPN is supported. The CD image .iso and other files can be downloaded here. Installation instructions are on the website.


SmoothWall Express is an award-winning, free, open source (with a GPL license) firewall solution for use as an independent appliance (on a dedicated PC) in an enterprise network. Download the installation CD .iso image here (server OS included), burn onto a CD, and install on a new, dedicated PC. Many features, however, such as VPN server, database access authentication, and content filtering, are only implemented in a commercial version and are not available in the community version.


Endian is a very robust, free, open source universal threat management appliance similar to IPCop and Smoothwall. It also incorporates OpenVPN. Like Smoothwall, Dansguardian is used for content filtering (and is included in the community edition). Commercial and hardware versions with some additional features, automatic updates, and professional support are available. See the website for details.

LTSP (Thin client support)

LTSP (the Linux Terminal Server Project) adds thin-client support to Linux servers. The package is free, GPL-licensed, and the client can be used to run programs on either Linux or Windows LTSP servers. There is a module for classroom management (ltsp-controlaula) as well. Installation instructions are here. The alternate LiveCD can also be used to install a terminal server, as indicated in these instructions.

LTSP Server


sudo apt-get install ltsp-server ltsp-manager

LTSP Client


sudo apt-get install ltsp-client

iTALC (Thin client for Education)

iTALC is a free, open source (GPL-licensed) thin client solution that supports both (K)Ubuntu Linux and Windows XP. It has been used widely in educational settings to monitor, share, and control multiple workstations. See the website for download and installation instructions.

Internet Cafe software

Internet Cafe (or CyberCafe) software is specialized LAN-administration software that includes time usage monitoring, billing, and administration. It can also be used in schools, libraries, and organizations with multiple monitored workstations requiring usage limits.


OutKafe is a free, open-source, GPL-licensed cybercafe solution based on a postgreSQL database server stack. It is run on hundreds of sites. It is GTK-based but can be run with Kubuntu (KDE).


OpenKiosk is a free open source multi-platform server/client solution for administering and monitoring groups of workstations, such as in libraries, school labs, and internet cafes. Installation is from source files. See the website for details.


CafePilot is a free multi-platform Java-based server/client solution for real-time monitoring and billing of Cybercafe workstations.

Miscellaneous solutions

This thread discusses several other solutions, including:

Pessulus (Lockdown Editor)

Pessulus is a GTK (Gnome)-based utility that allows a computer administrator to restrict access to several administrative functions, including the command-line Terminal and many other functions. This is useful on public kiosk PCs, for example. Install:

sudo apt-get install pessulus

Cluster (cloud) computing

Cloud computing is the co-ordination of many servers to maximise computing resources and efficiency. Virtual machines, load balancing, and VLAN technology are combined into an integrated system. Distributed computing and parallel processing underlie the networks of computers that are now used in a number of supercomputing applications.

OpenStack cloud

OpenStack is the technology currently used by Ubuntu for cloud computing as part of the Ubuntu Cloud Infrastructure. (Also see the Ubuntu community help.) It is now included as part of Ubuntu server versions (starting with 12.04 LTS Precise).

Eucalyptus cloud

Eucalyptus is a project from University of California Santa Barbara to facilitate cluster computing on servers that have the Xen virtual machine implementation enabled. Prior to 11.10 (Oneiric) it was available for the Ubuntu server edition as the Ubuntu Enterprise Cloud.


The Beowulf cluster computing project is one of the earliest cluster computing examples and provides the underpinning for a number of Linux-based supercomputing clusters. A Beowulf cluster is designed to function like a single supercomputer, and can be scaled to any number of nodes. It uses open source components. See this introductory article on creating a Beowulf cluster with Ubuntu.

  • OSCAR is a software platform that allows the creation of a Beowulf cluster on RedHat or Debian/Ubuntu Linux servers. See here for instructions on installing the .deb packages from repositories.

BOINC (Berkeley Open Infrastructure for Network Computing)

BOINC is middleware software developed at UC Berkeley to allow multiple computers to operate as a grid-based (cloud-based) supercomputer. There are over half a million computers participating in BOINC projects. To install BOINC and participate in one or more of these projects:

sudo apt-get install boinc

A warning about distributed computing

Cloud computing is often mistaken for remote hosting. While cloud computing using public hosts may be beneficial in "farming out" a few of your non-sensitive computing needs, the recent ease of cloning filesystems and the promiscuity of datacenters have placed a great deal of sensitive data at risk when databases and critical server functions themselves are remotely hosted at a site not under your complete control. Even "trusted" banks and other large businesses routinely trade and sell our sensitive "private" data to multiple partners (sometimes for profit and sometimes unwittingly). Hosted servers are compromised on a daily basis, and it is not very easy for an end customer to know how effective the security practices of a remote hosting service are. Further, any data left on public storage devices (cloud servers) in the US for more than 180 days are subject to search and seizure by government agencies there. Therefore, it is almost always more secure to host your own server(s) in house and to limit the traffic and access to your databases and servers to members of your own organization. Learning how to run your own servers is worth the effort, and powerful hardware on which to run them is inexpensive these days.

The Ubuntu cloud computing environment allows you to recruit the multiple computers within your own organization for distributed ("cloud") computing and thereby keep it all "in house" (behind secure firewalls). You do not need to expose your organization to insecure remote public hosts in order to use cloud computing.
