Template:Jaunty/Networking


Networking

You may only use one GUI interface to control Network Manager.

Set a static IP address

I couldn't get the older version of Network Manager (that is installed by default in Jaunty) to accept my static IP address settings. The newest development version of Network Manager fixes the problem.

  • Add the repository key (you need port 11371 open in your firewall to use the keyserver):
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys BC8EBFE8
  • Add the repository lines to your software sources list (/etc/apt/sources.list):
deb http://ppa.launchpad.net/network-manager/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/network-manager/ppa/ubuntu jaunty main
  • Update:
sudo apt-get update
  • Alternatively, you could uninstall Network Manager and the network manager widget completely and install wicd instead:
sudo apt-get remove network-manager
sudo apt-get install wicd
  • For wired connections, you can edit the network interfaces configuration file manually. You would then not use Network Manager to manage networking at all.
  • Edit the /etc/network/interfaces file:
sudo kate /etc/network/interfaces
and replace the line
iface eth0 inet dhcp
with the following lines (using your own LAN settings, of course):
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
  • Then restart networking:
sudo /etc/init.d/networking restart
  • Check to see if your settings are now correct:
ifconfig
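
A consistency check for the static stanza above, added here as an example and not part of the original guide. It verifies that the address, netmask, network, broadcast and gateway lines agree before networking is restarted; the function names are made up for this example and the sample values are the ones used in the guide.

```shell
#!/bin/sh
# Added example, not from the original guide. Checks that the address,
# netmask, network, broadcast and gateway lines of a static stanza agree.
# Assumes an ordinary IPv4 LAN subnet (/30 or wider).

# Dotted quad -> integer; prints nothing and fails on malformed input.
ip2int() (
    case "$1" in ''|*.|*[!0-9.]*) exit 1 ;; esac
    IFS=.
    set -f
    set -- $1
    [ $# -eq 4 ] || exit 1
    n=0
    for o in "$@"; do
        [ -n "$o" ] && [ "${#o}" -le 3 ] || exit 1
        o=${o#0}; o=${o#0}          # drop leading zeros (avoid octal parsing)
        [ "${o:-0}" -le 255 ] || exit 1
        n=$(( n * 256 + ${o:-0} ))
    done
    echo "$n"
)

# Integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Reads an /etc/network/interfaces stanza on stdin. Prints "ok" and returns 0
# when it is consistent; otherwise prints one line per problem and returns 1.
check_static_stanza() (
    address= netmask= network= broadcast= gateway=
    while read -r key val _rest; do
        case "$key" in
            address)   address=$val ;;
            netmask)   netmask=$val ;;
            network)   network=$val ;;
            broadcast) broadcast=$val ;;
            gateway)   gateway=$val ;;
        esac
    done
    a=$(ip2int "$address") && m=$(ip2int "$netmask") ||
        { echo "address or netmask missing or malformed"; exit 1; }
    # A valid netmask is a run of 1 bits followed only by 0 bits.
    inv=$(( ~$m & 4294967295 ))
    [ $(( $inv & ($inv + 1) )) -eq 0 ] ||
        { echo "netmask $netmask is not contiguous"; exit 1; }
    net=$(( $a & $m ))
    bc=$(( $net | $inv ))
    rc=0
    if [ -n "$network" ]; then
        n=$(ip2int "$network") && [ "$n" -eq "$net" ] ||
            { echo "network should be $(int2ip "$net")"; rc=1; }
    fi
    if [ -n "$broadcast" ]; then
        b=$(ip2int "$broadcast") && [ "$b" -eq "$bc" ] ||
            { echo "broadcast should be $(int2ip "$bc")"; rc=1; }
    fi
    if [ "$a" -eq "$net" ] || [ "$a" -eq "$bc" ]; then
        echo "address $address is the network or broadcast address"; rc=1
    fi
    if [ -n "$gateway" ]; then
        g=$(ip2int "$gateway") && [ $(( $g & $m )) -eq "$net" ] && [ "$g" -ne "$a" ] ||
            { echo "gateway $gateway is not a distinct host in $(int2ip "$net")"; rc=1; }
    fi
    if [ "$rc" -eq 0 ]; then echo "ok"; fi
    exit "$rc"
)

# Demo on the stanza from the guide (on a real system: check_static_stanza < /etc/network/interfaces
# only works when the file holds a single static stanza).
check_static_stanza <<'EOF'
iface eth0 inet static
address 192.168.0.35
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.1
EOF
```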

Network-Manager Plasma Widget

The Network-Manager Plasma Widget is now the default GUI used in Kubuntu Jaunty to control Network Manager. It is found on the Panel bar. Other Network Managers should not be needed.

KNetwork Manager

KNetwork Manager is a KDE tray applet that allows you to switch between Internet connections (such as wireless APs or wired connection). It is a KDE frontend for Network Manager and was formerly the default in Kubuntu. It has been replaced by the Network-Manager Plasma Widget, but can still be used if desired. Install and run:

sudo apt-get install knetworkmanager
knetworkmanager

I added it as a startup program:

System -> System Settings -> Advanced -> Autostart -> Add Program... -> knetworkmanager

Wicd Network Manager

Wicd is a GTK-dependent (Gnome) networking manager (written in Python) that is an alternative to the Network Manager Plasma widget. Many users report increased speed and stability with this network manager. To avoid networking conflicts, Wicd requires the removal of KNetwork Manager prior to installation.

sudo apt-get install wicd

Manual configuration from the command-line

These steps should not be necessary if using one of the GUIs for Network Manager listed above.

3 steps for WEP:

sudo iwconfig eth[N] essid [SSID]
sudo iwconfig eth[N] key restricted s:[PASSWORD]
sudo dhclient

WPA is more complicated:

su
mkdir /etc/wpa_supplicant
cd /etc/wpa_supplicant
echo 'network={' > wpa_supplicant.conf
echo 'ssid="SSID"' >> wpa_supplicant.conf
echo 'key_mgmt=WPA-PSK' >> wpa_supplicant.conf
echo 'psk="PRESHAREDKEY"' >> wpa_supplicant.conf
echo '}' >> wpa_supplicant.conf
cd /etc/network
vim interfaces

Now add after "auto eth[N] ..." & "iface eth[N] .." (press 'i'):

wpa-driver wext # or whatever driver your network card needs
wpa-conf /etc/wpa_supplicant/wpa_supplicant.conf

Save the file ('Esc', ':x', 'Enter') and restart your system.
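
The configuration file from the steps above written in one step, added here as an example and not part of the original guide. wpa_supplicant expects `network={` without spaces and literal double quotes around the SSID and passphrase, and the file stores the pre-shared key, so the function creates it readable only by its owner. The function names, demo SSID and demo passphrase are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names, the demo SSID
# and the demo passphrase are constructed for illustration.

# Write a WPA-PSK network block to $3 for SSID $1 and passphrase $2.
write_wpa_conf() (
    ssid=$1 psk=$2 conf=$3
    # A WPA passphrase is 8 to 63 characters long.
    if [ "${#psk}" -lt 8 ] || [ "${#psk}" -gt 63 ]; then
        echo "passphrase must be 8 to 63 characters" >&2
        exit 1
    fi
    nl='
'
    case "$ssid$psk" in
        *"$nl"*) echo "SSID and passphrase must be single-line" >&2; exit 1 ;;
    esac
    umask 077                  # files created below get mode 0600
    tmp="$conf.tmp.$$"
    # The quotes around the SSID and passphrase are part of the file format,
    # so they are written literally rather than consumed by the shell.
    printf 'network={\n    ssid="%s"\n    key_mgmt=WPA-PSK\n    psk="%s"\n}\n' \
        "$ssid" "$psk" > "$tmp" || exit 1
    # Renaming replaces any older, more widely readable copy in one step.
    mv -f "$tmp" "$conf"
)

# Succeeds only if group and others have no access at all to file $1.
is_private() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo in a scratch directory (on a real system the target would be
# /etc/wpa_supplicant/wpa_supplicant.conf, written as root).
demo_dir=$(mktemp -d)
write_wpa_conf "ExampleNet" "constructed-demo-passphrase" "$demo_dir/wpa_supplicant.conf"
cat "$demo_dir/wpa_supplicant.conf"
is_private "$demo_dir/wpa_supplicant.conf" && echo "key file is private to its owner"
rm -rf "$demo_dir"
```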

Internet connection sharing (DHCP server)

In most LANs, an inexpensive router is used to provide DHCP functions (internet connection sharing).

However, DHCP services can also be provided by a single host computer on your LAN if it is directly connected to the Internet. (This is useful, for instance, if you have a 3G or other wireless EVDO connection to your computer which you want to share with the other computers on your LAN). Other client computers on your LAN would then connect to the Internet through your host computer's Internet connection. The host computer now essentially performs the DHCP functions of a router.

All "client" computers on the LAN ought to be connected to a central LAN switch or router. (If using a router, it should have its own DHCP functions disabled -- you shouldn't have 2 DHCP servers on a LAN unless you know how to nest LANs). They should all be set up to obtain DHCP-assigned dynamic IP addresses and use the same LAN subnet settings (which in the example below is LAN IP range 10.0.0.1 - 10.0.0.250 with netmask 255.255.255.0 and gateway 10.0.0.1). The host computer to be used as the gateway/DHCP server is then connected (through its own ethernet port) either to one of the ports of the switch (if used), or to a LAN port of a router (don't use the WAN port). The host computer then connects directly to the Internet (WAN) through a second port (which in the example below will be a wireless (wifi) port (wlan0)).

(Note: This setup is easiest if you connect all computers on the LAN with Ethernet cables to the central switch or router. But also see using a nested wireless LAN router below.)

(Note: If you want your LAN to use the same subnet as your WAN, see network interface bridging.)

  • Install the DHCP server and firewall programs:
sudo apt-get install dhcp3-server firestarter
  • Rename the startup command (through a symbolic link) for the DHCP server. This is required or Firestarter will not know where to find it:
sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd
  • Edit the DHCP server configuration file:
sudo nano -w /etc/default/dhcp3-server
Change the line
INTERFACES=""
to
INTERFACES="eth0"
  • Restart the DHCP server:
sudo /etc/init.d/dhcp3-server restart
  • Right click on Network-Manager -> Edit Connections... -> Wired -> Add
-> Connection name: Shared internet connection
-> IPv4 Settings -> Method: Manual -> Add
-> Address: 10.0.0.1 -> Netmask: 255.255.255.0 -> Gateway: 0.0.0.0
-> Available to all users: [x]
  • Attach the ethernet cable to (eth0).
Network-Manager -> Wired Networks -> Shared internet connection
  • Adjust your firewall to allow the internet connection sharing. Start Firestarter:
sudo firestarter
  • Tell the firewall which port is your direct Internet Connection:

Firestarter -> Preferences -> Firewall -> Network Settings -> Internet connected network device: (wlan0)

-> IP address is assigned by DHCP: [x]
  • Tell the firewall which port is for the LAN, and specify the details for the LAN:

Firestarter -> Preferences -> Firewall -> Network Settings -> Local network connected device: (eth0)

-> Enable internet connection sharing: [x]
-> Enable DHCP for the local network: [x]
-> DHCP server details -> Create new DHCP configuration -> Lowest IP address to assign: 10.0.0.2
-> Highest IP address to assign: 10.0.0.250 -> Name server: <dynamic>
Note: Use your own desired LAN settings (internal DHCP-assigned dynamic IP address range), of course. In this example I don't use the full IP range 10.0.0.2 - 10.0.0.255 for dynamic IP addresses because I want to reserve some LAN addresses (10.0.0.251 - 10.0.0.255) to be used as static IP addresses.
  • Notes:
  • If you wish to use this setup all the time, make the "Shared internet connection" profile your default connection profile in Network Manager.

Using a nested wireless LAN router

Many users will already have an established LAN that uses an existing wireless router and has client computers that are set up to connect wirelessly to the router. Here's how to maintain this setup and still use the internet connection sharing method of a single host computer as described above. This method is known as nested LANs. The wireless router will serve as a nested LAN for its wireless clients (only), but in turn will appear as a single device to the main LAN. The two LANs must have different IP ranges. For example, the main LAN may have an IP range 10.0.0.1 - 10.0.0.255 (with netmask 255.255.255.0), as in the above example. The router's nested wireless LAN must then use a different IP range (for example 192.168.0.1 - 192.168.0.255 with netmask 255.255.255.0).

  • Do not use your wireless router's WAN (Internet) port.
  • Connect the host computer (to be used as your main LAN gateway/router) to a LAN port (not the WAN/Internet port) of the wireless LAN router.
  • Configure your wireless router's LAN so that it appears to be a single device to the main LAN:
  • Set up your wireless router so that the Internet Connection type is "Static IP" (often in the "Internet Setup" section). Configure the settings so that its "Internet IP address" is within the static IP address range of your main LAN (e.g. 10.0.0.254), and make sure the subnet mask matches the one you chose for your main LAN (e.g. 255.255.255.0). The gateway setting should be set to match the IP address of your host computer of the main LAN (e.g. 10.0.0.1 in the example of the preceding section). Now the wireless router will appear to the host computer as just another device on the main LAN.
  • If your wireless LAN is already functioning, you probably don't have to change any settings, but double-check to make sure the schema are compatible. Configure the wireless router's settings for the nested wireless LAN. This is done by enabling the router's DHCP server functions (in "Network Setup" or some similar configuration section of the router). The router ought to have as its own wireless LAN gateway address a "local IP address" (or "LAN IP address") of 192.168.0.1 (for the IP address range used in this example), and a "starting IP address" (for the DHCP-assigned dynamic IP address range to be used for the wireless clients) to be 192.168.0.2 or greater. (Some routers ask you to specify the entire range, such as 192.168.0.2 - 192.168.0.255.)
  • Make sure all your wireless client computers are set to obtain their DHCP-assigned dynamic IP addresses from the wireless router (gateway IP 192.168.0.1) instead of from the main LAN gateway.
  • Now all communications from the wireless client computers will be routed to the wireless LAN router first, which will then in turn route them to the host computer (which is acting as the main LAN gateway/router), which will then in turn route them to the Internet (WAN).
  • Note: The host computer for the main LAN must have a static IP address (e.g. 10.0.0.1 as in the example of the preceding section) and it must match the gateway IP address configured in the wireless LAN router settings.

Network Interfaces Bridging

  • Install bridge-utils to be able to create network bridges:
sudo apt-get install bridge-utils
  • Edit /etc/network/interfaces:
sudo nano /etc/network/interfaces

The interfaces file should look like this after editing it:

auto eth0
iface eth0 inet manual
#
auto br0
iface br0 inet dhcp
#
bridge_ports eth0 wlan0
#
# The loopback network interface
auto lo
iface lo inet loopback
  • Restart networking with:
sudo /etc/init.d/networking restart

Using Dynamic IP addresses for a webserver

Normally, domain name servers (DNS) that are used publicly on the Internet match a web server's URL name with the IP address of the server's host computer. If your computer has a static IP address, then you can publish your own web server's URL as belonging to the static, unchanging IP address of your computer.

However, if your IP address is dynamic (always changing) because you use an ISP (Internet Service Provider) that constantly changes your IP address (using DHCP), then you will need a DNS service to constantly keep track of your dynamically changing IP address and match it to your web server's URL. Fortunately, there are a few DNS services that will do this for you, either for a small fee or even for free. For more info, see this Ubuntu help article.

For specific tips on setting up this service, see this article.

Remote speakers for Airport Express

Audio output can be streamed over your local network to an Airport Express. Make sure your firewall is not blocking ports 5353, 5000, and 6000.

PulseAudio

These capabilities require the newest version 0.9.15 of Pulse Audio and Pulse Audio Volume Control 0.98, as well as pulseaudio-module-raop (for Airport Express). Instead of (or after) installing the default 0.9.14 packages from the Jaunty repositories, obtain them by adding the repositories from this Launchpad site:

deb http://ppa.launchpad.net/themuso/ppa/ubuntu jaunty main
deb-src http://ppa.launchpad.net/themuso/ppa/ubuntu jaunty main

then install:

sudo apt-get install pulseaudio pavucontrol pulseaudio-module-raop

Then configure Pulse Audio:

Menu -> Settings -> PulseAudio Preferences Sound Audio preferences -> Network Access

and check both:

Make discoverable network sound devices available locally
Make discoverable Apple Airtunes devices available locally

raop-client

A method to stream audio to the Airport Express uses raop-client, a tool written in Ruby. See information here.

GSTransmit

GSTransmit is a tool to allow GStreamer-based utilities to stream output to an Apple AirTunes Device (such as the Airport Express). It is available as a self-installing .deb file from the website.

Airfoil

You can stream media from a PC running Windows or Mac OS X connected to an Airport Express network to your Kubuntu Linux desktop, using Airfoil. (Unfortunately you cannot send media output from Kubuntu to the Airport Express network with Airfoil, only receive.) This can be useful in a distributed multimedia system, for example, in which your Kubuntu PC is connected to a media center. You must be running Mono. You can download the .deb package at Rogue Amoeba. Installation instructions are at Rogue Amoeba Linux support.

Filesharing

NFS

NFS is the default networking protocol for network file sharing in *nix systems (including Kubuntu Linux).

Samba File Sharing

Samba client

Samba is a networking protocol that allows compatibility with Windows-based networks. The Samba client is installed by default in Kubuntu Jaunty and should work seamlessly (unless you have a firewall blocking the ports).

Samba server

The following instructions are to install a Samba server (which is not installed by default). This allows you to share your files over a Samba (Windows) network to other Samba clients.

  • Install:
sudo apt-get install samba samba-tools system-config-samba
Note: samba-tools and system-config-samba are optional.
  • Modify Samba settings.
  • Method 1:
K menu -> System -> Samba

or

System Settings --> Advanced --> Samba
(Note: this is available only if you installed system-config-samba.)

It is recommended that your user be a member of the sambashare group, as well.

  • Method 2:
Enable File Sharing Server With User Login (Very Reliable Method)
Do the following on the machine that has the files to be shared:
  • Add current user to Samba:
sudo smbpasswd -a username
(replacing username with your login username)
  • Open the samba config file:
sudo nano /etc/samba/smb.conf
  • Add the directories to be added (right at the end) in the following format:
[Pictures]
path = /home/username/<folder_to_be_shared>
browseable = no
writable = yes
(Replace username with your username and <folder_to_be_shared> with the folder you want to share)
Press CTRL+X and then Y to save.
  • Restart Samba
sudo /etc/init.d/samba restart
  • On Windows access the folder in the following format in Windows Explorer:
\\192.168.x.x
(replace 192.168.x.x with the actual IP address of your server which is serving the folder)
  • On Linux type the following in Konqueror or Nautilus:
smb://192.168.x.x
(replace 192.168.x.x with the actual IP address of your server serving the folder)

Note: If you use Sharing in KDE's System Settings panel, be aware that there is a small bug, reported here. In brief, you need to comment out/delete any instances of these two lines in /etc/samba/smb.conf:

case sensitive
msdfs proxy

Change your Workgroup

To change your Samba (Windows network) workgroup:

sudo nano /etc/samba/smb.conf

Look for the line:

workgroup = WORKGROUP

and change the setting to whatever your LAN workgroup is.

Recognizing Win98 machines

Microsoft networking is extremely quirky. To enable recognition of PCs with Windows 98, edit your Samba configuration file:

sudo nano /etc/samba/smb.conf

Then add the following lines to the file:

[global]
# THE LANMAN FIX
client lanman auth = yes
client ntlmv2 auth = no

Local Area Network

Modems / Dial-up

KPPP is the default modem dialing application.

K menu -> Internet -> KPPP Internet Dial-up

Remote Access

There are several methods of remote access. VNC sharing allows you to view and control a remote computer's desktop. (Windows users use a similar proprietary protocol called remote desktop protocol (RDP)). XDMCP allows a complete remote X-windows based login. Remote connections are hazardous unless proper security precautions are taken to prevent unauthorized logins and to ensure encryption of transmitted data.

SSH

Secure Shell or SSH is a network protocol that allows data to be exchanged over a secure channel (or "tunnel") between two computers. Encryption provides confidentiality and integrity of data. The SSH client is installed by default in Kubuntu so you can connect to another computer that is running an SSH server.

Connect to a remote SSH server
From the command-line terminal

Install the OpenSSH client (if not already installed):

sudo apt-get install openssh-client

From the command-line terminal (Konsole) type:

ssh -C <username>@<computer name or IP address>
Note: The -C option indicates compression, which speeds up transmission through the tunnel.

For example:

ssh -C joe@remote.computer.xyz
or:
ssh -C mike@192.168.1.1
or
ssh -C 192.168.1.1 -l mike
Note: -l specifies the login id.


If the SSH server is listening on a port other than port 22 (the default), you can specify that in your connection (with the -p option). For example, if the SSH server is listening on port 11022, connect:

ssh -C -p 11022 joe.friday@remote.computer.xyz
or
ssh -C remote.computer.xyz -p 11022 -l joe.friday

If you have made a public/private key using ssh-keygen, the private key must be stored in /home/user/.ssh. The key should be accessible only to user:

sudo chmod 600 /home/user/.ssh/identity
or
sudo chmod 600 /home/user/.ssh/id_rsa 

To login with the key:

ssh -C remote.computer.xyz -p 11022 -l joe.friday

Note: You can run the command as a menu item, but the command must be "run in terminal."

Port forwarding through SSH

See Using SSH to Port Forward for full details.

In brief, use

ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>

This specifies that any communications from your computer (localhost) going out through <local port> will be transmitted securely through the SSH tunnel port. To use VNC through the tunnel, you would use an application like Krdc:

krdc vnc://localhost:<local port>

Note that for VNC, the default <local port> is 5900. In general, a remote VNC server (such as Krfb) is also listening on the default <remote port> 5900 as well. The default <SSH tunnel port> is 22, as discussed above. All these can be changed, however, if you desire greater security.

For me, I noticed that I had to set <remote computer> to be the internal LAN IP address of the remote computer (such as 192.168.1.155) instead of the remote router's IP address, which is specified in <remote IP>. (If the remote computer has a static IP address (i.e. is directly connected to the Internet without an intervening router), then <remote computer> and <remote ip> would be the same.)

Example: For extra security, my SSH Server uses <SSH tunnel port>=11022. I want to VNC to a remote computer on a remote LAN with a router whose IP address is <remote ip> = 244.205.123.123. The remote computer to which I want to connect has a static IP address within the remote LAN of <remote computer> = 192.168.1.155. I have set up a Krfb VNC server on this computer that is listening on <remote port> = 6912 (instead of the default 5900). I setup port forwarding on the router of this remote LAN to forward port 6912 to this server computer. I want to VNC to this remote computer from my laptop, through the Internet. My laptop VNC client (Krdc) will use the default <local port> = 5900. My name is <user> = joe.friday. This is my story.

ssh -C 244.205.123.123 -p 11022 -L 5900:192.168.1.155:6912 -l joe.friday
krdc vnc://localhost:5900

If you have set up a private/ public key pair with a passphrase, or if your SSH server requires a passphrase, of course, you will be prompted for the passphrase after issuing the SSH command.

Note: Port forwarding assumes that the ports are also forwarded through the router(s) and through any firewalls. See the documentation for your router(s) and firewall to learn how to do this. The advantage of SSH tunneling is that only the <SSH tunnel port> needs to be open and forwarded by a router. All encrypted communications will go through your router using this single port. This is what makes the communications secure.

PuTTY

PuTTY is a GTK-based GUI client-interface for SSH connections and eases the setup for port forwarding, SSH public key authentication, and automated login.

sudo apt-get install putty

A user would run PuTTY to create the SSH tunnel (instead of the ssh command) and then run Krdc. Note that PuTTY security keys are not generally compatible with SSH security keys. I was not able to get PuTTY to work with Krdc.

Connect using SSH Agent

With SSH Agent you can automate the use of public key authentication and open an XDM or VNC session using a script. See this tutorial.

Setup an SSH server

VNC

Virtual Network Computing (VNC) mirrors the desktop of a remote ("server") computer on your local ("client") computer (it is not a separate remote login, as is XDMCP). A user on the remote desktop must be logged in and running a VNC server (such as X11VNC). Keyboard and mouse events are transmitted between the two computers. VNC is platform-independent -- a VNC viewer on one operating system can usually connect to a VNC server on any other operating system.

Although Krfb is the default VNC server in Kubuntu/KDE, it does not work with KDE4 (Intrepid, Jaunty). X11VNC does work well with KDE4/Kubuntu and is recommended instead. Also see Ubuntu help on VNC for more info on other VNC servers.

Krfb VNC server

Krfb is the default VNC server in Kubuntu/KDE. It can be started from:

K menu -> Internet -> Krfb

  • You can change the listening port in the Network section. Your router must forward this port to your computer (or you must use an SSH tunnel). A user trying to connect must know the listening port as well and explicitly specify it during the VNC connection.
  • You can accept uninvited connections in the Security section. You can require a password for these connections.
  • A user can connect using Krdc or any other VNC client.

Notes: As of 12-2009 I could not reliably get Krdc to work in KDE4 (Intrepid, Jaunty). You should use one of the other VNC server/client solutions, instead, such as X11VNC or FreeNX (see below). If you must use Krfb, stick with the KDE3 desktop (that was part of Kubuntu Hardy Heron), in which Krfb works properly.

How to use Krfb with SSH tunneling securely

It is less secure to leave Krfb's listening port open to the Internet, even with a password. (This can expose you to password cracking attempts.)

It is more secure to use SSH to tunnel your VNC connection. Under SSH port forwarding, Krfb's listening port is the <remote port>. To increase security, this listening port can be changed from the default 5900. Only the Krfb server and the SSH client need to specify the <remote port> in a secure connection.

TightVNC server

TightVNC is a multi-platform server/client VNC solution for both Windows and Linux (Kubuntu). It currently works better than Krdc/Krfb in Intrepid but does not display the entire screen reliably (possibly due to KDE4 widget redraws).

sudo apt-get install tightvncserver xtightvncviewer

X11VNC Server

  • Install the X11VNC server to share your desktop with other computers:
sudo apt-get install x11vnc
  • Run X11VNC without a password:
x11vnc -forever
  • See here for more command-line options.
  • You can create a password:
mkdir ~/.vnc
x11vnc -storepasswd YOUR_PASSWORD ~/.vnc/x11vnc.pass
  • Run X11VNC, requiring a password:
x11vnc -forever -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0
  • You can create a startup script so that X11VNC is automatically loaded at startup (with password settings):
echo "/usr/bin/x11vnc -forever -rfbauth ~/.vnc/x11vnc.pass -o ~/.vnc/x11vnc.log -loopbg -display :0" > ~/.kde/Autostart/x11vnc.sh
chmod +x ~/.kde/Autostart/x11vnc.sh
  • You can test the startup script:
~/.kde/Autostart/x11vnc.sh

Using VNC with SSH

See Using VNC for additional information.
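
A check that a VNC server is reachable only through the SSH tunnel, added here as an example and not part of the original guide; it applies both to the Krfb tunneling section above and to X11VNC. It reads `ss -ltn` output and lists VNC listeners bound to a non-loopback address. The function names and the sample output are constructed, and it assumes the SSH server runs on the same machine as the VNC server so that the tunnel can target localhost.

```shell
#!/bin/sh
# Added example, not from the original guide.
#
# On the remote machine, keep the VNC server on loopback so that only the
# SSH tunnel can reach it (x11vnc's -localhost option), then audit it:
#   x11vnc -localhost -forever -rfbauth ~/.vnc/x11vnc.pass -display :0
#   ss -ltn | exposed_vnc_listeners
# On the client, the tunnel then targets localhost on the remote side:
#   ssh -C <remote ip> -p <SSH tunnel port> -L 5900:localhost:5900 -l <user>

# Reads `ss -ltn` output on stdin and prints every listener in the port
# range $1-$2 that is bound to a non-loopback address. Returns 1 if any is
# found, 0 otherwise. The default range 5900-5999 assumes VNC displays
# :0 to :99; pass the real port twice for a non-default port.
exposed_vnc_listeners() {
    awk -v lo="${1:-5900}" -v hi="${2:-5999}" '
        $1 == "LISTEN" {
            la = $4                              # Local Address:Port column
            port = la; sub(/.*:/, "", port)      # text after the last colon
            addr = substr(la, 1, length(la) - length(port) - 1)
            if (port !~ /^[0-9]+$/) next
            if (port + 0 < lo + 0 || port + 0 > hi + 0) next
            # Loopback listeners are what the SSH tunnel connects to.
            if (addr ~ /^127\./ || addr == "[::1]" || addr == "::1") next
            print la
            found = 1
        }
        END { exit found + 0 }
    '
}

# Constructed sample of `ss -ltn` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       32      0.0.0.0:5900        0.0.0.0:*
LISTEN  0       32      127.0.0.1:5901      0.0.0.0:*
LISTEN  0       32      [::]:5900           [::]:*
LISTEN  0       32      [::1]:5902          [::]:*
LISTEN  0       5       192.168.1.155:6912  0.0.0.0:*
EOF
}

# Demo: the two wildcard listeners on 5900 are reported, the loopback ones
# are not, and port 6912 is only checked when asked for explicitly.
sample_ss_output | exposed_vnc_listeners ||
    echo "VNC is reachable without the SSH tunnel on the addresses above"
sample_ss_output | exposed_vnc_listeners 6912 6912 ||
    echo "the non-default VNC port is reachable from the LAN as well"
```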

Krdc VNC client

Krdc is the default VNC client in Kubuntu. Make sure you have open ports (in your firewall) to allow the connections -- 5900 (by default) for VNC or 3389 (by default) for RDP.

  • K-Menu -> Internet -> Krdc
  • To connect to a VNC server using a command (in a menu item or from the command-line interface terminal):
krdc vnc://<remote IP>
  • To connect in fullscreen mode, using myusername on the remote server:
krdc --fullscreen vnc://myusername@<remote IP>
  • If the remote (Krfb) VNC server is using a <remote port> other than the default 5900 port, use
krdc --fullscreen vnc://<remote IP>:<remote port>
  • Krdc can also connect to a Windows server using RDP (Remote Desktop Protocol). RDP uses port 3389, so either this port must be open in your firewall, or you must allow connections to the IP address of the remote computer in your firewall settings.
krdc --fullscreen rdp://myusername@<remote IP>:<remote port>

Also see this list of other command-line options (or run krdc --help in the Konsole terminal).

  • Console mode connections are allowed (for users with administrative privileges on the remote Windows server) as an option when connecting through the Krdc GUI.

Using Krdc VNC client with SSH

See this howto for an automated setup using a script (it did not work for me, but it might for you).

In brief, you would initiate an SSH tunnel with port forwarding using Putty or the command line:

ssh -C <remote ip> -p <SSH tunnel port> -L <local port>:<remote computer>:<remote port> -l <user>
then you would start Krdc:
krdc vnc://localhost:<local port>

<local port> will usually be the default 5900, in which case you could simply use

krdc vnc://localhost

XVNC4Viewer VNC Client

You can also install XVNC4Viewer (if you prefer it over Krdc) using:

sudo apt-get install xvnc4viewer

FreeNX

FreeNX is a remote desktop display server/client solution that natively incorporates SSH tunneling (unlike VNC). It is therefore more secure than VNC (unless VNC is coupled with SSH tunneling).

FreeNX Server

The Free server .deb package can be downloaded from No Machine free server downloads.

deb http://ppa.launchpad.net/freenx-team/ubuntu intrepid main
deb-src http://ppa.launchpad.net/freenx-team/ubuntu intrepid main
  • Install the package:
sudo apt-get update
sudo apt-get upgrade
sudo apt-get install freenx

FreeNX Client

Download the self-installing .deb file from No Machine Client downloads.

XDMCP

XDMCP allows a separate remote login by an authorized user. This login is separate from the local user.

  • XDMCP is not secure over the Internet and should only be used within a LAN. It cannot be tunnelled through SSH. It is turned off by default in Kubuntu. To enable it, edit the KDE configuration file:
sudo nano /etc/kde4/kdm/kdmrc
  • Find and change the line from false to true so that it reads:
[Xdmcp]
Enable=true

Telnet

VPN Clients

A VPN (Virtual Private Network) allows a secure encrypted connection ("tunnelling") over the Internet between a client (either standalone or on a separate LAN) and a home or corporate LAN server.

VPN through Network Manager

  • The default Network Manager in Ubuntu/Kubuntu has a VPN client available. This includes support for IPSec and Cisco-compliant VPN connections. Install:
sudo apt-get install network-manager-vpnc
  • To connect to a VPN network using OpenVPN (SSL), install the plugin:
sudo apt-get install network-manager-openvpn
  • To connect to a VPN network using PPTP (MS Windows servers), install the plugin:
sudo apt-get install network-manager-pptp
  • Configure:
Network Manager icon (in system tray) -> VPN Connections -> Configure VPN

KVpnc

Kvpnc is a KDE-based (both KDE3 and KDE4) GUI front-end for various VPN clients, including OpenSSH. It is not necessary if using Network Manager. Install:

sudo apt-get install kvpnc

It works with one or more of the VPN client packages (which must also be installed):

  • vpnc -- for Cisco-compliant (IPSec) VPN networks
  • openswan -- for IPSec (OpenSwan) VPN networks
  • pptp-linux -- for PPTP (MS Windows-compliant) VPN networks
  • openvpn -- for OpenSSL (OpenVPN) VPN networks

VPN Servers

OpenVPN

OpenVPN is a free, GPL-licensed open-source cross-platform VPN solution based on OpenSSL (not IPSec). Install the server (then see the website for further installation instructions):

sudo apt-get install openvpn bridge-utils

A GUI configuration utility (GTK-based) is available:

sudo apt-get install gadmin-openvpn-server

Also see these installation tips.

Poptop (PPTP Server)

Poptop is a free open-source PPTP-based VPN server compatible with MS-windows PPTP clients. Install:

sudo apt-get install pptpd

OpenSwan

OpenSwan is the open source implementation of IPSec-based VPN connections for Linux (and is a successor to FreeSwan). Install:

sudo apt-get install openswan linux-patch-openswan

LTSP (Thin client support)

LTSP (the Linux Terminal Server Project) adds thin-client support to Linux servers. The package is free, GPL-licensed, and the client can be used to run programs on either Linux or Windows LTSP servers. There is a module for classroom management (ltsp-controlaula) as well. Installation instructions are here. The alternate LiveCD can also be used to install a terminal server, as indicated in these instructions.

LTSP Server

Install:

sudo apt-get install ltsp-server ltsp-manager

LTSP Client

Install:

sudo apt-get install ltsp-client

iTALC (Thin client for Education)

iTALC is a free, open source (GPL-licensed) thin client solution that supports both (K)Ubuntu Linux and Windows XP. It has been used widely in educational settings to monitor, share, and control multiple workstations. See the website for download and installation instructions.

Web meetings

Web meeting software allows video conferencing among many clients, with one server as host.

DimDim

DimDim OpenSource Edition is a free community version of a commercial product of the same name. Like GoToMeeting, free online group meetings for up to 20 users are available through any browser. A free open source host server for group meetings (unlimited users) is also available in a community edition, but desktop sharing is not yet available for Linux desktops (in any edition). (Scheduling and recording to notes are also not available in the community edition, although the other enterprise features are). At this time, a .deb package for the host server is not yet available, and installation must be from source (for which there are no instructions provided). However, a VMWare appliance for use within VMWare Player (or Server) is available here, and can be used after installing VMWare Player.

WebHuddle

WebHuddle is a free, open source Java-based browser client (and server) for web meetings. To install the server, first install pre-requisites, including Java, JBOSS Application Server, and xvfb.

sudo apt-get install sun-java6-jre jbossas4 xvfb

For more details on setting this up in (K)ubuntu, see this.

Distance teaching

Moodle

Moodle is a free open source platform for hosting online learning courses. It can be integrated with webinar software. A LAMP server installation is required. See these Ubuntu Hardy installation tips for an overview. Install:

sudo apt-get install moodle

Claroline

Claroline is a free open source platform for hosting e-learning courses and online student collaboration. A LAMP server installation is required. Installation is from source files available at the website, with instructions found here.

Security

Kubuntu by default is a fairly safe system. However, if you intend to use Kubuntu as a server, or for critical applications in which loss of data (by accident or by malicious intrusion) would be disastrous, you should learn how to make Kubuntu more secure. A good introduction to Ubuntu Security Best Practices is available.

Firewall

Network communications go through "channels" called ports. You can restrict which ports are available ("open") for network communications, creating a barricade to unwanted network intrusion. Firewalls do this job for you. But I guarantee that if you install one before you know how to use it, one or more networking programs on your system will stop working. Read every bit of documentation about a firewall before installing it -- you won't regret the time invested. All of these packages modify iptables, which is the set of rules that controls network access in and out of your computer. (You can modify iptables manually from the command line as well, but if you are that much of an expert, you probably don't need this guide.)

Firestarter

Firestarter is an intuitive firewall manager used to set the iptables values which provide firewall capabilities in Linux (including Kubuntu). It has a very easy-to-use GUI.

sudo apt-get install firestarter

Guarddog

Guarddog is a GUI firewall configuration utility that has been used for KDE. It has a complex array of configuration options, and some beginners find it difficult to use.

sudo apt-get install guarddog

Uncomplicated Firewall

Uncomplicated Firewall is installed in Kubuntu by default, but is disabled by default. It is configurable through the command-line interface (i.e. Konsole). See this usage tutorial. If not installed, it can be installed:

sudo apt-get install ufw

Gufw

Gufw is a GTK-based (Gnome) graphical user interface for Uncomplicated Firewall. Install:

sudo apt-get install gufw

Anti-virus

If you are running a file server, interface frequently with Windows drives, or use virtualization, you will want a virus checker for your Windows files.

ClamAV

ClamAV is the open source virus tool for Linux. To install ClamAV with a KDE frontend (klamav):

sudo apt-get install klamav

Anti-spam

SpamAssassin

SpamAssassin is written in Perl, and is mostly for use with a server (such as a groupware server or Apache).

Rootkit checkers

Rootkits are malicious, trojan-like programs that allow an intruder to become the root user and therefore have complete administrative control over the system. There aren't many rootkits in the wild for Linux. Still, this is a growing security problem (especially in other operating systems) and it is a matter of time before more rootkits appear in Linux. Checking for rootkits isn't always successful from a system that is already infected, because a rootkit can tamper with the very tools the checker relies on. Your rootkit checker should therefore be run from another system, or from a USB pendrive with a Kubuntu LiveCD installation. See the rootkit checker manuals for instructions on how to do this. If you are infected with a rootkit, you must back up all your files and re-install your system. (Thank goodness this is easy with Kubuntu, unlike with other operating systems.)

Chkrootkit

Chkrootkit checks locally for signs of a rootkit. See the chkrootkit manual for usage instructions.

Install:
sudo apt-get install chkrootkit
Run:
sudo chkrootkit

Rootkit Hunter

Rootkit Hunter is compatible with (K)ubuntu systems. See the usage instructions.

Install:
sudo apt-get install rkhunter
Run:
sudo rkhunter -c

Security hardening

Nmap

Nmap is a free open source utility for network exploration (including showing open ports and running services) and security auditing. Install:

sudo apt-get install nmap

Scan your own PC:

nmap localhost

(Once you have found out which ports are open, use a firewall to close the ones you don't want open.)
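
The check described above, as an added example that is not part of the original guide: it compares the open ports in nmap's grepable output (`-oG`) against an allowlist and prints a ufw rule for each unexpected one. The sample scan, the allowlist and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: report open ports from nmap "grepable" output (-oG) that are
# not on an allowlist, then print a ufw rule that would close each of them.

# Constructed sample of `nmap -oG - localhost` output (not a real scan).
sample_scan() {
cat <<'EOF'
# Nmap scan (constructed sample) initiated as: nmap -oG - localhost
Host: 127.0.0.1 (localhost)	Status: Up
Host: 127.0.0.1 (localhost)	Ports: 22/open/tcp//ssh///, 631/open/tcp//ipp///, 3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///	Ignored State: closed (996)
EOF
}

# Usage: unexpected_ports "22/tcp 80/tcp" < scan.gnmap
# Prints "port/proto service" for every open port missing from the allowlist.
unexpected_ports() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /Ports: / {
            line = $0
            sub(/^.*Ports: /, "", line)               # keep only the port list
            sub(/[ \t]+Ignored State:.*$/, "", line)  # drop the trailing summary
            m = split(line, entry, /, */)
            for (i = 1; i <= m; i++) {
                # entry layout: port/state/protocol/owner/service/rpc/version/
                split(entry[i], f, "/")
                if (f[2] != "open") continue
                key = f[1] "/" f[3]
                if (!(key in ok)) print key, (f[5] == "" ? "unknown" : f[5])
            }
        }'
}

# Reads "port/proto service" lines and prints one ufw command per line.
# The commands are only printed, so they can be reviewed before being run.
ufw_rules() {
    while read -r port service; do
        printf 'sudo ufw deny %s  # %s\n' "$port" "$service"
    done
}

# Demo on the constructed sample, treating SSH as the only wanted service.
sample_scan | unexpected_ports "22/tcp" | ufw_rules
```

A localhost scan also lists services that listen only on 127.0.0.1, which other machines cannot reach; scanning the machine's LAN address shows what the network actually sees.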

Nmap GUI

Install:

sudo apt-get install nmapfe

Nessus

Nessus is a proprietary comprehensive vulnerability scanning suite that is free for personal, non-enterprise usage. See the website for details.

AppArmor

AppArmor is a set of security enhancements developed by Novell for SUSE Linux. It is installed in (K)ubuntu by default.

Disable AppArmor

AppArmor can prevent some services from running as expected. To disable it:

sudo /etc/init.d/apparmor stop
sudo update-rc.d -f apparmor remove
sudo apt-get remove apparmor apparmor-utils

SELinux

SELinux (Security-Enhanced Linux) is an NSA (US National Security Agency) recommended set of tools for enhanced security in Linux systems. It enforces strict access controls (privileges) and is meant for mission-critical installations. It is not suitable for the casual desktop user. It was first available in Hardy Heron and is being updated for Intrepid Ibex. It is not compatible with AppArmor (which must first be removed).

sudo apt-get install selinux

Knockd (Port security)

Knockd is a small server that listens for a pre-defined sequence of port opening attempts (a "knock") before opening an otherwise closed firewall port for communications. Install:

sudo apt-get install knockd