Server week : The essential SSH Server.

Mar 18

This week in “Server week” we are going to set up a variety of servers that let you do a variety of things. One of the most basic and versatile servers you can set up is the SSH server. Long-time fans probably know that the SSH server is the base ingredient for a lot of fun stuff you can do. For example:

  • Transfer files over the internet (with scp or sftp, which run over the same SSH connection).
  • Work with command-line applications on a remote computer.
  • Tunnel your browser traffic through your own server (an SSH SOCKS proxy, ssh -D) so that nosy network admins only see one encrypted connection.
  • Reach machines on your home network from outside, VPN-style, through port forwarding over the SSH connection.

These are just a few of the things you can do, but before you can do any of them you need the basic ingredient. Let’s set up an SSH server.


Required ingredients.

  • A Debian-based Linux distribution (a Red Hat-based one works too, but we use a Debian-based one for the tutorial).
  • A fixed IP address for your Linux machine on your home network (a static address or a DHCP reservation), so the port forward on your router keeps pointing at the right box.
  • A connection to the internet.
  • If your internet connection does not have a static public IP: a dynamic DNS service such as OpenDNS or DynDNS.
  • A port on your router forwarded to your Linux machine (only once the server is hardened, see the “secure” section below).

Let’s get cooking.

  • Open a terminal on your Linux machine and type: sudo apt-get install openssh-server
  • Once the server is installed, connect to it from another machine with an SSH client: PuTTY on Windows, the Secure Shell app on Chromebooks, or the built-in terminal on Mac and Linux.
  • Connect to your Linux server with the command: ssh yourusername@theipofyourserver

Starting out, that is ALL you need to do. If you want to reach the server from the internet, forward the correct port (the standard port is 22) from your router to your Linux machine. Be aware that the moment you do so, every password-guessing bot on the internet can reach your login prompt, so work through the “secure” section first and only then open the port.

Let’s make it pretty.

Let’s make it secure.

  • SSH servers listen on port 22 by default, so internet-wide scanners constantly “knock” on port 22 looking for a login prompt. Moving the server to a non-standard port (set Port in /etc/ssh/sshd_config on the server, restart the service, and update the forwarding rule on your router to match) cuts the noise in your logs. Treat it as noise reduction, not as security: a port scan finds the new port in seconds, so the real protection comes from the key-based login below. Follow THIS tutorial to get you started.
  • Next time you connect, use: ssh -p portnumberyouchose yourusername@theipofyourserver
  • To stop typing your password every time, log in with SSH keys instead. It is a little more work to set up, but it is the biggest security win on this page: only someone holding the matching private key can authenticate, which makes the password-guessing attacks the scanners run useless. Generate a key pair on your own machine (ssh-keygen), copy the public half to the server (ssh-copy-id), confirm that key login works, and only then set PasswordAuthentication no in sshd_config. Keep a second session open while you test so a typo cannot lock you out, and protect the private key with a passphrase. Here is a good tutorial.
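The whole “secure” procedure above (new port, keys only, no root login) as one script. This is an added example, not code from the original post: it edits a copy of sshd_config so you can inspect the result before touching the real file; the port number 2222, the sample config contents and the file paths in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: harden an OpenSSH sshd_config.
# The demo at the bottom works on a constructed sample file in a temp dir;
# the commented commands show how to apply it to the real /etc/ssh/sshd_config.
# Assumed: port 2222 (any unused port works) and a Debian-style config whose
# defaults are present as commented-out lines.

# Set KEY to VALUE in FILE. The first matching line, active or commented out
# like "#Port 22", is replaced in place; if the keyword is absent it is
# appended. Use it for global options only, i.e. before any "Match" block.
set_sshd_option() {
    file="$1"; key="$2"; value="$3"
    awk -v key="$key" -v value="$value" '
        !done && $0 ~ ("^[# \t]*" key "[ \t]") { print key " " value; done = 1; next }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the effective (uncommented) value of KEY, or nothing if it is unset.
get_sshd_option() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# The settings discussed above: new port, keys only, no root, fewer guesses.
harden_sshd_config() {
    file="$1"; port="$2"
    set_sshd_option "$file" Port "$port"
    set_sshd_option "$file" PubkeyAuthentication yes
    set_sshd_option "$file" PasswordAuthentication no   # only after ssh-copy-id worked!
    set_sshd_option "$file" ChallengeResponseAuthentication no
    set_sshd_option "$file" PermitRootLogin no
    set_sshd_option "$file" MaxAuthTries 3
    set_sshd_option "$file" X11Forwarding no
}

# Constructed sample that mimics the commented defaults of a stock Debian file.
make_sample_config() {
    cat > "$1" <<'EOF'
#Port 22
#AddressFamily any
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
X11Forwarding yes
EOF
}

# Demo on a throwaway copy: shows exactly which lines change.
demo_dir=$(mktemp -d)
make_sample_config "$demo_dir/sshd_config"
cp "$demo_dir/sshd_config" "$demo_dir/sshd_config.orig"
harden_sshd_config "$demo_dir/sshd_config" 2222
diff "$demo_dir/sshd_config.orig" "$demo_dir/sshd_config" || true
rm -rf "$demo_dir"

# Real-world order (not run here; keep a second session open while testing):
#   client$ ssh-keygen -t ed25519
#   client$ ssh-copy-id yourusername@theipofyourserver    # still port 22 + password
#   client$ ssh yourusername@theipofyourserver            # must log in without a password now
#   server$ sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
#   server$ sudo sh -c '. ./harden.sh; harden_sshd_config /etc/ssh/sshd_config 2222'
#   server$ sudo sshd -t && sudo service ssh restart      # sshd -t rejects a broken config
#   client$ ssh -p 2222 yourusername@theipofyourserver
```

The order matters: keys are copied and verified while password login still works, then passwords are switched off, and the config is syntax-checked with sshd -t before the restart so a typo cannot leave you locked out.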

Lets start using it.

The SSH server offers the variety of functionality we talked about in previous blog posts. We will line up the best uses for SSH here.

These are just a couple of examples of what you can do over this very powerful little SSH connection. Remember to always use strong passwords (or better, keys only) and keep your server up to date. Have fun!


Google Hacking Week : Grab juicy info with the right search query.

Feb 28

This week we showed you how powerful a good Google search can be. Time to turn to the dark side and give some examples of how attackers use the same skills to get to some pretty scary things. For the wrong information to fall into the wrong hands you need two ingredients: somebody careless enough to put it online, and somebody clever enough to find it. Below are some pretty creepy examples of Google dorks that spill information that was supposed to be private.


Some juicy searches.

Some people write their domain registration details in a Word document... and then put it on the internet. Whoever can put two and two together can steal their domain.

  • filetype:docx Domain Registrar $user $pass

How about product licence files for the Avast antivirus program? Some of them are just up for grabs.

  • filetype:avastlic

How about searching for a randomly published list of phone numbers?

  • allinurl:phonenumbers filetype:xls

Search for random résumés that candidates (or their employers) put online.

  • inurl:Curriculum Vitae filetype:pdf

How about some “Confidential Salary” documents that people put online. (we stood in awe at the first hit )

  • ext:(doc | pdf | xls | txt | ps | rtf | odt | sxw | psw | ppt | pps | xml) (intext:confidential salary | intext:”budget approved”) inurl:confidential

Or take a peek at people’s downloaded Hotmail emails.

  • inurl:getmsg.html intitle:hotmail

It’s a bit of history, but how about a random Netscape browser history file? (we giggled at THIS one)

  • inurl:netscape.hst

And when you combine this generic query for the root directories of certain FTP servers with a site: restriction on a particular domain, you can find out a lot. Used as listed below, it is just an interesting way to browse random file directories.

  • intitle:”FTP root at”

MSN Messenger does not exist anymore, but there are plenty of exported contact lists, well stocked with juicy email addresses, up for grabs.

  • filetype:ctt “msn”

And the list goes on and on. Standing by themselves, the Google searches above are fairly harmless: they are too generic to do much damage and are only good for a chuckle. The dangerous part begins when these queries are targeted at a specific person, site or domain (the site: operator does exactly that). Armed with ONLY a browser and an internet connection, the wrong people can find out all the right things they need to give you, your company or your website a really bad day. Knowledge is power, and it cuts both ways. So are you SURE there is no digital flotsam with your usernames and passwords floating around on the internet? Once Google has indexed it, anybody with the right skills can find it. The quickest check is to run the queries above yourself with site:yourdomain added. And note that a robots.txt entry added afterwards does not pull an already-indexed document out of the results: the fix is to take the file offline (or put it behind authentication) and then ask the search engine to remove the cached copy.
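The defensive version of the queries above: an audit of your own document root for the file types, path words and in-text strings the dorks key on, run before a crawler gets to them. This is an added example and not code from the original post; it builds a constructed sample tree in a temp dir, and the /var/www path in the comments is only the assumed real-world location.

```sh
#!/bin/sh
# Added example, not from the original post: run the dork patterns above
# against your own web root before Google does. The demo builds a constructed
# sample tree in a temp dir; "/var/www" is only the assumed real-world path.

# List files under ROOT that the queries above would surface. Output is
# sorted and de-duplicated, one path per line.
audit_webroot() {
    root="$1"
    {
        # filetype: dorks -- extensions that have no business on a web server
        find "$root" -type f \( -name '*.avastlic' -o -name '*.ctt' \
            -o -name 'netscape.hst' -o -name 'getmsg.html' \) -print
        # inurl:/allinurl: dorks -- tell-tale words in the path
        find "$root" -type f \( -ipath '*phonenumber*' -o -ipath '*confidential*' \
            -o -ipath '*curriculum*vitae*' \) -print
        # intext: dorks -- secret-looking strings inside plain-text formats.
        # Zipped or binary formats (docx, xls) need a text extractor first;
        # grep on their raw bytes will miss the strings.
        find "$root" -type f \( -name '*.txt' -o -name '*.html' -o -name '*.xml' \
            -o -name '*.rtf' -o -name '*.csv' \) \
            -exec grep -liE 'confidential salary|budget approved|\$user|\$pass' {} +
    } | sort -u
}

# Constructed sample web root: one harmless page and four files that leak.
make_sample_webroot() {
    root="$1"
    mkdir -p "$root/public" "$root/downloads" "$root/hr" "$root/contacts" "$root/notes"
    echo '<html><body>Welcome to our site</body></html>' > "$root/public/index.html"
    echo 'avast-license-data' > "$root/downloads/license.avastlic"
    echo 'Confidential salary review, budget approved' > "$root/hr/Confidential_Salary_2014.txt"
    echo '<?xml version="1.0"?><contacts/>' > "$root/contacts/friends.ctt"
    echo 'Domain Registrar login: $user admin $pass changeme' > "$root/notes/registrar.txt"
}

# Demo on a throwaway tree; for the real thing: audit_webroot /var/www
demo_root=$(mktemp -d)
make_sample_webroot "$demo_root"
audit_webroot "$demo_root"
rm -rf "$demo_root"
```

Anything the script lists should either not be under the document root at all or sit behind authentication; a robots.txt line is not access control and does nothing for a file that is already linked from somewhere.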


Access all of your cloud services from one page with CloudKafé.

Jan 20

Every day a new cloud service pops up on the internet, and for us sliders that is a good thing. One of the ways to make sure your data is accessible on most of your devices (and operating systems) is to ‘park’ it in the cloud. The downside is that you end up with 20 open browser tabs, each logged into some service, and you realise you just spent more time logging in than doing stuff.


One answer to this might be CloudKafé, a centralised “web hub” from which you can access all of your different cloud services. CloudKafé supports the majority of popular cloud services (and some more) by letting you access them from one single page. A cool feature is the ability to search through all your different cloud services at once (so you can finally find that one annoying baby photo from your brother that you uploaded a long time ago). The centralised hub is a convenient way to work with the cloud, but although CloudKafé describes itself as ‘certified and secure’, remember that there is now ONE master key to all of your cloud services: your CloudKafé account. Whoever gets into that account (or into CloudKafé itself) gets into everything it is connected to, so protect it at least as well as the most sensitive service you attach to it.

So give it a whirl (it’s free), and if you don’t like it, delete your account and revoke the access rights CloudKafé has on each of those services, which you do in the ‘connected apps’ or ‘authorised applications’ settings of the service itself. Do not assume that deleting the CloudKafé account alone revokes the access tokens the other services issued to it; check each one.

CloudKafé is free and works in most browsers via www.cloudkafe.com


Keep track of all your passwords on your Android phone with Keepass2android.

Dec 04

Keeping track of all your logins and passwords for the hundreds of sites and services you are registered with is a terrible hassle. For convenience’s sake we use the same logins (and even passwords) on different services and constantly need to request ‘resets’ and ‘reminders’ when we forget the password to our “One Direction” fan page. So instead of getting Rainman as a permanent sidekick to help us remember all our passwords and logins, why not use an app for that?


There are plenty of password management applications out there, but because you are a “slider” who hops from operating system to operating system, having your password manager available “everywhere” is a MUST. Our favourite app that lives on Windows, Linux and the Mac is KeePassX: a free application that lets you organise and keep track of all your logins and passwords AND can generate long random passwords that are very hard to crack.

The password database KeePassX uses is “locked” with a master password (and no, abc123 does not count) so nobody can open your “black book” without your knowledge or permission. When you store the database on a network share (or in the cloud via Dropbox or BitTorrent Sync) you can reach it from different machines in different locations... so how about from your mobile?

Enter Keepass2Android: a KeePass client for your Android phone with a mobile-friendly interface that works in combination with Dropbox, SkyDrive or another cloud service. Store the database somewhere you can reach it, open it with the Keepass2Android client, and you will never have to write a password on the inside of your shoe ever again.

But beware: the master password of your database file is your Achilles heel. If you lose your phone and it holds an offline copy of that database, all that stands between the “evil one” and ALL your passwords is that one master password, and the attacker can try guesses against the file at leisure on a fast PC. So make it a passphrase. We have some examples for you:

“0MG1soLOVEjusTinBieBerRightNow!!!” “W3@llL1v31nAY3ll0w_SubM@r1n3” “supercalligragulasslyexpealidocious1049!!!_X” ... and so on. A word of caution about that style: famous lyrics and titles with letter-for-symbol substitutions are exactly what cracking tools try first (a wordlist plus substitution rules), so they are weaker than they look. Several random, unrelated dictionary words are both easier to remember and far harder to guess.
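As an added example (not from the original post), here is the random-words approach done properly: words are picked with unbiased randomness from /dev/urandom, and the strength is computed from the list size rather than guessed from how scrambled the result looks. The 16-word list embedded here is a constructed stand-in for demonstration; a real passphrase needs a large list (the Diceware and EFF lists have 7776 words), and the function names are this example’s own.

```sh
#!/bin/sh
# Added example, not from the original post: build a master passphrase from
# random dictionary words instead of a song lyric with letter substitutions.
# Assumption: WORDLIST is a constructed stand-in; use a large published list
# (Diceware/EFF, 7776 words) for a real passphrase.

# Constructed stand-in wordlist; with only 16 entries it is for demonstration only.
WORDLIST="anchor basket copper dragon engine falcon garden hammer island jacket kettle ladder marble needle orchid pepper"

# Unbiased random index in [0, n): read 16 bits from /dev/urandom and reject
# values that would make the modulo skew toward low indexes.
rand_index() {
    n="$1"
    limit=$((65536 - 65536 % n))
    while :; do
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        [ "$r" -lt "$limit" ] && { echo $((r % n)); return; }
    done
}

# Print a passphrase of $1 words drawn independently from WORDLIST.
gen_passphrase() {
    count="$1"
    set -- $WORDLIST
    n=$#
    out=""
    i=0
    while [ "$i" -lt "$count" ]; do
        idx=$(rand_index "$n")
        # pick word number idx+1 from the positional parameters
        word=$(eval "echo \${$((idx + 1))}")
        out="${out:+$out }$word"
        i=$((i + 1))
    done
    echo "$out"
}

# Strength in bits of $1 words drawn from a list of $2 words: words * log2(size).
# Six words from a 7776-word list give 77.5 bits; six from this toy list only 24.
passphrase_bits() {
    awk -v w="$1" -v n="$2" 'BEGIN { printf "%.1f\n", w * log(n) / log(2) }'
}

# Demo: a six-word passphrase from the toy list and the strength of both list sizes.
echo "passphrase: $(gen_passphrase 6)"
echo "bits with this 16-word list: $(passphrase_bits 6 16)"
echo "bits with a 7776-word list:  $(passphrase_bits 6 7776)"
```

The strength number only holds if the words really are chosen at random; the moment you pick the words yourself, or start from a phrase you know, the attacker’s wordlist-plus-rules approach applies again.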

Keepass2android is free and is available in the Google Play store.

 


kw608 : Sniffing anyone’s Wi-Fi with a Pineapple.

Jul 26

Time to raise the hairs on the necks of all Wi-Fi-enabled laptop and mobile phone users with this interesting interview with Gerjon McVries (@mcvries on Twitter) about “the Pineapple” and its awesome (and malevolent) potential when it comes to exploiting basic flaws in Wi-Fi-enabled devices. If you were worried about the NSA sniffing your traffic in the PRISM debacle, consider that a 14-year-old script kiddie with a PayPal account can buy this toy and sniff every bit you transmit in the clear.

Shownotes
