SSH is a network protocol that allows establishing a secure connection between a local and a remote computer. You can install SSH server on your workstation and then have remote command line and Secure FTP (SFTP) access.
I use this command to install SSH server from the repositories:
$ sudo aptitude install ssh
By default, SSH server will run on port 22 and use standard username and password authentication. If you are behind a firewall, you will have to use some mechanism to allow traffic through that port if you want to access your machine remotely. I use port forwarding; I forward port 22 to the IP address of my workstation.
By opening up a port on your firewall, you now have a security concern. You need to come up with a way to keep the bad guys out while letting the good guys in. There are lots of methods you can use to make your SSH server more secure; this is by no means a comprehensive list. That being said, here are a few methods that some people use:
Allow Known IP addresses with /etc/hosts.allow
If you know the IP addresses of all the machines that you want to allow access to your SSH server remotely, you can explicitly allow them using the /etc/hosts.allow file. This file does not exist by default in Ubuntu 7.04. To use this method, first create the /etc/hosts.allow and /etc/hosts.deny files:
$ sudo touch /etc/hosts.allow
$ sudo touch /etc/hosts.deny
Next, start by blocking ALL users from ALL services with /etc/hosts.deny:
$ sudo gedit /etc/hosts.deny
Add this line:
ALL: ALL
Next, edit your hosts.allow file to allow the known IP address:
$ sudo gedit /etc/hosts.allow
Then add the IP address to the file and save it. For example, if the IP address from your office is 123.456.789.999, then create the entry like this:
# allow ssh login from my office
sshd: 123.456.789.999
Configured like this, all access attempts will be denied unless they originate from your office’s IP address.
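The order in which the two files are consulted is what makes this configuration work: hosts.allow is checked first, hosts.deny second, and anything matching neither is allowed. The sketch below is an added example, not code from the original post or from the TCP wrappers library; it models only the ALL, exact-address and address-prefix patterns, and the addresses are constructed documentation values.

```python
# Simplified model of the TCP wrappers decision order (added example).
# Supported patterns: ALL, an exact address, or a prefix such as "192.0.2."

HOSTS_ALLOW = """\
# allow ssh login from my office (constructed documentation address)
sshd: 203.0.113.10
"""
HOSTS_DENY = "ALL: ALL\n"

def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def pattern_matches(pattern, value):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "192.0.2." matches 192.0.2.x
        return value.startswith(pattern)
    return pattern == value

def rule_hit(rules, daemon, client_ip):
    return any(
        any(pattern_matches(d, daemon) for d in daemons)
        and any(pattern_matches(c, client_ip) for c in clients)
        for daemons, clients in rules)

def decide(allow_text, deny_text, daemon, client_ip):
    # 1. A match in hosts.allow grants access immediately.
    if rule_hit(parse_rules(allow_text), daemon, client_ip):
        return "allow"
    # 2. Otherwise a match in hosts.deny refuses it.
    if rule_hit(parse_rules(deny_text), daemon, client_ip):
        return "deny"
    # 3. No match in either file: access is granted.
    return "allow"

if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, decide(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip))
    # With an empty hosts.deny (as created by touch) nothing is blocked.
    print("empty hosts.deny:", decide(HOSTS_ALLOW, "", "sshd", "198.51.100.7"))
```

These files only affect services that are built with TCP wrappers (libwrap) support.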
Key Authentication
You can configure your SSH server so that it uses public keys for authentication instead of just username/password. Here are instructions on how to configure that.
Configure SSH server to run on a non-standard port
You can set up SSH server so that it runs on a port other than 22. This will thwart many of the less-than-tenacious attackers and zombie bots. So, for example, if you wanted to change your SSH server to run on port 1025, you would just make that change in the sshd_config file:
$ sudo gedit /etc/ssh/sshd_config
Change “Port 22” to “Port 1025”. Then restart your SSH server:
$ sudo /etc/init.d/ssh restart
Remember, if you are behind a firewall, make sure you account for the port change there as well. Also, remember that when connecting to your server from a remote machine, you have to account for the port change in your login command:
$ ssh username@server -p 1025
DenyHosts
DenyHosts is a script that is intended to help thwart SSH server attacks (also known as dictionary based attacks and brute force attacks). This is a daemon that runs on your server and watches for failed authentication attempts. Once it sees a certain amount of failures from a particular IP address, it blocks that IP address by adding it to /etc/hosts.deny.
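The mechanism described above, as an added example that is not DenyHosts' own code: count failed password attempts per source address in sshd log lines and produce the hosts.deny entries for addresses at or over a threshold. The log lines are constructed, and the `threshold`, `allowed` and `already_denied` parameters are hypothetical names for this sketch.

```python
import re
from collections import Counter

# Anchor on the end of the line: sshd writes the real peer address last,
# while the user name earlier in the line is text chosen by the client.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for .* from "
    r"(\d{1,3}(?:\.\d{1,3}){3}) port \d+(?: ssh2)?\s*$")

# Constructed sample log lines (documentation addresses).
SAMPLE_LOG = """\
Apr 20 10:01:02 ws sshd[1234]: Failed password for root from 198.51.100.7 port 4242 ssh2
Apr 20 10:01:05 ws sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 4243 ssh2
Apr 20 10:01:09 ws sshd[1234]: Failed password for invalid user test from 198.51.100.7 port 4244 ssh2
Apr 20 10:02:00 ws sshd[1240]: Failed password for alice from 203.0.113.10 port 5000 ssh2
Apr 20 10:02:10 ws sshd[1240]: Accepted password for alice from 203.0.113.10 port 5000 ssh2
Apr 20 10:03:00 ws sshd[1250]: Failed password for invalid user x from 203.0.113.10 from 192.0.2.55 port 6000 ssh2
Apr 20 10:03:01 ws sshd[1250]: Failed password for invalid user y from 192.0.2.55 port 6001 ssh2
"""

def failures_by_ip(log_text):
    """Count failed password attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts

def new_deny_entries(log_text, threshold, allowed=(), already_denied=()):
    """Return hosts.deny lines for addresses with >= threshold failures.

    Addresses in `allowed` (for example the office address kept in
    hosts.allow) or already present in hosts.deny are skipped.
    """
    skip = set(allowed) | set(already_denied)
    return [f"sshd: {ip}"
            for ip, n in sorted(failures_by_ip(log_text).items())
            if n >= threshold and ip not in skip]

if __name__ == "__main__":
    for entry in new_deny_entries(SAMPLE_LOG, threshold=3,
                                  allowed=["203.0.113.10"]):
        print(entry)
```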
Here are the steps I use to install DenyHosts:
DenyHosts is written in Python, so make sure all of the Python packages that it depends on are installed:
$ sudo aptitude install python python2.3-dev python2.3
Download the DenyHosts package; the current release as of this post is available here. Download the .tar.gz file (DenyHosts-2.6.tar.gz).
Untar the file, then enter the folder with your terminal and run this command:
$ sudo python setup.py install
The next step is to configure the script. First, create the configuration files:
$ cd /usr/share/denyhosts
$ sudo cp denyhosts.cfg-dist denyhosts.cfg
$ sudo cp daemon-control-dist daemon-control
Edit denyhosts.cfg
$ sudo gedit denyhosts.cfg
The settings are well documented, so configure the settings according to your preferences. Here are some of the key operating system specific settings that you will need to know when setting up this file for Ubuntu 7.04:
SECURE_LOG = /var/log/auth.log
HOSTS_DENY = /etc/hosts.deny
LOCK_FILE = /var/run/denyhosts.pid
Also, you’ll see that there is a set of Synchronization settings in there. This script has the ability to send the list of IPs that you blocked up to a centralized server. It then keeps a running list of all the IPs that have been blocked by all the DenyHosts users and gives you the option to have all of those IPs automatically blocked by your server.
Next, edit daemon-control
$ sudo gedit daemon-control
The only thing you should have to modify in this file is DENYHOSTS_LOCK:
DENYHOSTS_LOCK = "/var/run/denyhosts.pid"
Next, we have to make sure that /etc/hosts.allow and /etc/hosts.deny exist. In Ubuntu Feisty 7.04, these files are not created during the initial installation. To create these files, do this:
$ sudo touch /etc/hosts.allow
$ sudo touch /etc/hosts.deny
Finally, we need to make sure DenyHosts runs automatically on startup. First, create a symbolic link in /etc/init.d:
$ cd /etc/init.d
$ sudo ln -s /usr/share/denyhosts/daemon-control DenyHosts
I then use BUM (Boot Up Manager) to set DenyHosts to run on startup. If you don’t have bum installed, you can install it from the repositories like this:
$ sudo aptitude install bum
Open BUM by clicking System -> Administration -> BootUp-Manager. Look for DenyHosts in the list, check the box, then click Apply. You can check to see if DenyHosts is running with this command:
$ ps -ef|grep denyhosts.py
If you see a result that looks like this, then it is running:
root 12325 1 0 Apr20 ? 00:00:00 python /usr/bin/denyhosts.py --daemon --config=/usr/share/denyhosts/denyhosts.cfg
Note – it appears that denyhosts is now in the repositories. I’m not sure how to configure the version from the repositories, or if it’s already pre-configured; I may look into that in the future.
Other Methods
There are lots of other methods you can use to make your SSH server more secure. If you are interested, a couple other methods you can research are Port Knocking and fail2ban (which is in the repositories).
Here is a screenshot that shows the way I configure my Firefox toolbars, etc:
I use the Tiny Menu extension to condense Firefox’s main menu (File, Edit, View, etc) into one item so that I get that screen real estate back. I then drag my bookmarks up to the top row so that I can disable Firefox’s Bookmark Toolbar (again, gives me more screen real estate).
Sun Java and Adobe Flash
I install the Adobe (formerly Macromedia) Flash plugin and the Sun Java plugin from the repositories using aptitude:
$ sudo aptitude install sun-java5-plugin flashplugin-nonfree
Playing embedded video
I use the MediaPlayerConnectivity extension to automatically find all embedded videos and turn them into an icon that I can click to launch them into the video player of my choice (I use mplayer). I detailed how I installed mplayer and set up all of the codecs in this post.
My Favorite Extensions
Here is a list of the Firefox extensions that I use:
Adblock Plus
Ever been annoyed by all those ads and banners on the internet that often take longer to download than everything else on the page? Install Adblock Plus now and get rid of them.
Add Bookmark here
Allows you to add bookmarks to any folder in the bookmarks menu like in Opera.
Download Statusbar
Despite its compact size, Download Statusbar packs in more useful features than the standard download window. The fully customizable interface auto-hides when not in use, allowing full control without interruption.
DownThemAll
DownThemAll is all you can desire from a download manager: it features an advanced accelerator that increases speed up to 400% and it allows you to pause and resume downloads at any time.
MediaPlayerConnectivity
Allows you to launch embedded video from a website in an external application with a simple click.
Tab Mix Plus
Tab Mix Plus enhances Firefox’s tab browsing capabilities. It includes such features as duplicating tabs, controlling tab focus, tab clicking options, undo closed tabs and windows, plus much more. It also includes a full-featured session manager with crash recovery that can save and restore combinations of opened tabs and windows.
Tiny Menu
Replace the standard menu bar with a tiny menu popup.
MPlayer is my video player of choice. Here is how I install it and set up the codecs:
Install Mplayer from the repositories:
$ sudo aptitude install mplayer
Then, download the codecs package that MPlayer distributes from here. After you download and extract that file, copy the resulting ‘win32’ folder to ‘/usr/lib’:
$ sudo cp -R win32 /usr/lib/
Now if you launch mplayer (or gmplayer), it should find those codecs and be able to play most videos.
To play videos embedded in web pages via Firefox, I use mplayer with codecs in conjunction with the MediaPlayerConnectivity extension for Firefox. This extension finds all embedded videos and replaces them with a shortcut that, when clicked, launches the video into your player of choice (mplayer).
This post shows how to get the side buttons (back/forward) on the Microsoft Wireless Intellimouse Explorer 2.0 to work in Firefox in Ubuntu 7.04:
Edit xorg.conf
$ sudo gedit /etc/X11/xorg.conf
Find this section:
Section "InputDevice"
Identifier "Configured Mouse"
Driver "mouse"
Option "CorePointer"
Option "Device" "/dev/input/mice"
Option "Protocol" "ImPS/2"
Option "ZAxisMapping" "4 5"
Option "Emulate3Buttons" "true"
EndSection
and replace it with this:
Section "InputDevice"
Identifier "Configured Mouse"
Driver "mouse"
Option "CorePointer"
Option "Device" "/dev/input/mice"
Option "Protocol" "ExplorerPS/2"
Option "Buttons" "7"
Option "ZAxisMapping" "4 5"
Option "ButtonMapping" "1 2 3 6 7"
EndSection
Save the file. Next time you restart Gnome, your back/forward mouse buttons should work in Firefox. You can restart Gnome by pressing CTRL+ALT+Backspace on your keyboard, or by running this command in terminal:
$ sudo /etc/init.d/gdm restart
Ubuntu and its community maintain servers full of software applications that are all compiled to be used in the Ubuntu operating system. These servers are called repositories. Instead of having to go out onto the internet and search for the application that you want, you can simply search for it in the repositories and then install it right from there.
There are several ways to install software from Ubuntu’s software repositories. There are GUI tools, like Synaptic, as well as command line tools like apt and aptitude. I prefer to use aptitude. The reason why I like aptitude is because when you install software from the repositories with it, it keeps track of all the dependencies that were needed for that installation and then removes those dependencies automatically if they are no longer needed after you uninstall the application. The other tools may do this as well, but aptitude is the one I have the most experience with and am most comfortable with.
I generally use the ‘apt-cache’ command to search the repositories, and then use aptitude to install the package once I find it. For example, if I wanted to install the BitTorrent client called Azureus, I would search the repositories for it:
$ apt-cache search azureus
That command would return a response like this:
azureus - BitTorrent client
azureus-gcj - BitTorrent client (native code)
So, I see that the package that I want to install is just called ‘azureus’. I would then install it with this command:
$ sudo aptitude install azureus
That’s it! It automatically installs it, and then I’m ready to go. Once the installation finishes, I would launch it by clicking the Gnome Application menu, then Internet, then Azureus.
So, now that you’ve had a brief introduction to how Ubuntu’s software repositories work, here is a list of the software packages that I install right away on a fresh Ubuntu installation:
bum – Boot Up Manager, graphical runlevel editor that helps you control the ‘services’ that start when you start your machine
build-essential – a package of various compilers that are needed when installing certain applications, etc
nvidia-glx – the 3d NVidia driver for my video card
msttcorefonts – Microsoft native fonts, such as Arial, Comic Sans, etc. These fonts are used by various web pages, etc
ssh – Secure shell client and server, I use ssh to access my machine from work. It gives me both command line access as well as FTP-style access via SCP
gaim-extendedprefs – a plugin for GAIM that gives it more functionality, like hiding the buddy list automatically on sign-on
fast-user-switch-applet – Applet used to switch between user accounts
beep-media-player – a nice MP3 player, basically a Winamp clone
mail-notification – an applet that sits in your notification area and lets you know when you have new mail
unrar – adds the ability to handle rar files to the Gnome archive manager
par2 – utility to handle parity files
wine – Microsoft Windows Compatibility Layer, you can install and use some Windows applications with this
mpg123 – package needed to allow you to preview an MP3 file by holding your mouse over it
xchat – IRC client
xchat-systray – a plugin that allows you to minimize xchat to your notification area
mplayer – my favorite movie player
vmware-player – allows you to run VMWare images
gftp – FTP client
soundconverter – converts FLAC (and others) to MP3 (and others)
xinetd – replacement for inetd with many enhancements, needed for some applications
frozen-bubble – the best game ever?
neverball – the second-best game ever?
Various Codecs for multimedia playback:
gstreamer0.8-plugins
gstreamer0.8-lame
gstreamer0.8-ffmpeg
lame
sox
ffmpeg
mjpegtools
vorbis-tools
gstreamer0.10-plugins-ugly-multiverse
So, above I have listed 31 software packages that I install right off the bat in a new Ubuntu installation. Sounds like a lot of work…but it’s not! I install all 31 of these applications in one step using the following command that I keep saved in a text file:
$ sudo aptitude install bum build-essential nvidia-glx msttcorefonts gstreamer0.8-plugins gstreamer0.8-lame gstreamer0.8-ffmpeg lame sox ffmpeg mjpegtools vorbis-tools ssh frozen-bubble gaim-extendedprefs fast-user-switch-applet beep-media-player mail-notification unrar par2 wine neverball mpg123 xchat xchat-systray mplayer vmware-player gftp gstreamer0.10-plugins-ugly-multiverse soundconverter xinetd
That command goes out and finds each one of those applications and installs it automatically on my machine. Once that command finishes running, all of those applications are then available for me to use.
I just completed my initial installation of Ubuntu Feisty Fawn 7.04. I used the standard i386 Live CD desktop installer (ubuntu-7.04-desktop-i386.iso).
The only thing that I do which is a little different than a standard installation is I keep my /home directory on its own partition. The reason I do this is because all of my configurations and personal files are in my HOME folder, and keeping it on its own partition allows me to reinstall Linux whenever I want to (rarely) with minimal extra file backup needed beforehand.
I was running Ubuntu Edgy prior to this installation of Ubuntu Feisty. I have two user accounts set up on this machine. I prefer to do fresh installs of new versions of the OS as opposed to using APT to upgrade the OS. I also like to have my user account recreated, and then import my files and settings from my old home folder as needed. So, in order to get my existing home folders out of the way for the new installation (but also keep the existing files intact), I opened Gnome Terminal and did the following:
$ cd /home
$ sudo mv <USER1> <USER1>.old
$ sudo mv <USER2> <USER2>.old
I replaced <USER1> with my username and replaced <USER2> with my wife’s username. Once I finished executing those commands, I rebooted the machine and booted off of the Ubuntu 7.04 Live CD installer.
After the machine finished booting from the CD, I started the installer via the shortcut on the desktop. I went through each screen entering the appropriate information at the prompts (language, my name, my username, etc). I did a typical install up until the part of the installation that handles partitioning the hard drive. I have a 250 GB hard drive, my partitions are set up like this:
/ 23622 MB
swap 2146 MB
/home 203748 MB
free 21476 MB
I keep about 20 GB of free space on the drive, just in case I ever need to dual boot with another operating system.
During the install, I set the mountpoint of the first partition to ‘/’ and told it to format this partition. The ‘swap’ partition was already set to swap and ready to go. I set the mount point on the third partition to ‘/home’ and was sure to tell it NOT to format this partition (so I wouldn’t lose my old home folders that I renamed).
From this point, I continued through the rest of the installation screens normally. The Live CD installer is nice because you can play games like Free Cell while your installation is completing (if you don’t have anything better to do).
The installation completed without any hitches. I rebooted my computer and logged into my new Ubuntu Feisty Fawn 7.04 installation. I then proceeded to move some of my backed-up files and configurations from my old folder into my new folder like this:
$ cd /home/<USER1>.old/
$ mv <folder1> <folder2> <folder3> ../<USER1>/
(replaced <USER1> with my username)
So, that’s where I stand right now. The repositories are very slow right now because so many people are installing Ubuntu 7.04 like I am, creating a heavy load on the servers. That being said, I may wait a bit before I move on to my next step of installing my applications, codecs, etc. My next post will detail how I go about installing codecs for MP3, DVD capability, as well as applications that I commonly use.
Ubuntu Feisty Fawn 7.04 is now officially released and available for download.
Processor:
AMD Athlon 64 4000 SanDiego Core Socket 939 CPU
Memory:
2 GB PC3200
Motherboard:
MSI RD480 Neo2-FI Socket 939
Video Card:
XFX NVidia GeForce 7900 GT 256MB PCIe
Audio:
Cirrus Logic CS 4614/22/24 [CrystalClear SoundFusion Audio Accelerator]
Ethernet:
Realtek Semiconductor Co., Ltd. RTL-8169 Gigabit Ethernet
RAID bus controller:
ALi Corporation ULi 5287 SATA
Hard drive:
Maxtor 250GB Serial ATA HD 7200/16MB/S-ATA-150
CD/DVD:
Memorex 16x DVD-RW
LG HL-DT-ST GCE-8483B CD-RW
Floppy:
Standard Floppy Disk Drive
Ubuntu’s next release is scheduled for April 19, 2007. Once it is released, I am going to start a ‘How I Do Ubuntu’ series of posts where I will detail things like:
- How I install the operating system
- What my configuration is like
- What apps I use and how I install them
- Tips and tricks I’ve picked up along the way
My goal will be to share my experiences in the hopes of helping other Ubuntu users, as well as to collect any feedback from the community on how I may be able to do things better/differently.
On April 19 (or sometime close to that date) I will be doing a fresh install of Ubuntu Feisty on my primary workstation and will start the posting from there.






