LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   apache and uploading (https://www.linuxquestions.org/questions/linux-software-2/apache-and-uploading-4175435171/)

Pedroski 11-01-2012 09:25 PM

apache and uploading
 
Hi. I have apache running on my computer. I made a web page, and I can look at it from another computer. I haven't bought an ip address yet, so I have a dynamic address from my isp. But I can get to the webpage.

My friend in Germany wants to send me some music CDs. He makes mixtures of many different kinds of music. They are good.

Question: If we are both online at the same time, and I give him my (dynamic) ip could he just upload the CDs straight to my computer? Would save time and postage!

Maybe I need to tweak apache to accept upload or something??

sag47 11-01-2012 11:59 PM

Don't overcomplicate things... and yes, if you give him your public dynamic IP then he can upload. However, be aware that if you're behind a router you'll need to configure port forwarding for SSH (port 22 by default).

KISS - set up an SSH server and create a user login for your friend.

Instruct your friend to use FileZilla. When they choose the protocol tell them SFTP. He will then be able to transfer files to your computer with no problems.

I also recommend that you stop the ssh server when not in use and disable your router forwarding port 22 because it is a common attack vector for networks. I'd recommend a firewall for just your friend to access but that's a more serious security discussion than you're likely looking for.

Pedroski 11-02-2012 12:42 AM

Thanks. How do I configure port forwarding. I've actually heard of that, but I don't know what it is. Will I need that if I set up the ssh server??

sag47 11-02-2012 11:14 AM

I'll try to simplify the networking concepts so that they're easy for quick understanding.

Compare your private IP with your public IP.

Open a terminal and type the following command.
Code:

ifconfig

Look at your IP address (inet address) listed there. Now visit ifconfig.me in your web browser.

Are the IP addresses different? If not then you're likely not behind a router and you don't need to port forward. If they are different then that means you're using a router with Network Address Translation (NAT). It also means that public computers can only talk to your router but not directly to your computer.

A quick overview of port forwarding.

Here's a small diagram. Let's say Pedroski@home is your personal computer.

Code:

#key
#=> means that this computer can talk to other computers on the internet but they can't talk back to it.
#<=> means this computer and internet computers have two way communication.

Pedroski@home => router <=> yourfriend@germany

Now let's enable port forwarding. Here's what your new diagram will look like.
Code:

Pedroski@home <=> router <=> yourfriend@germany

In TCP/IP networking there are 65,535 ports. There is a set of standard recognised ports on which certain services are expected to be listening. However, standard does not mean requirement, so you can run a service on any port you like if you don't care about standards. For instance, the standard port for SSH is port 22, but you could easily run it on a non-standard port such as 2222 or 65000. Note: Some internet service providers (ISPs) block ports above 1000 (the bad customer service ISPs do).

So in a nutshell, when you port forward port 22 on your router it has only one job: it is passing packets from the internet directly to your machine unaltered in that single port. Some routers can port forward whole ranges (range being more than one port). But for you to file share with your friend you only need to port forward 22 if you keep the default settings for the OpenSSH server.

That is why your private IP address is called private: internet computers can't connect to it, unless certain configuration is set up first, if you're behind a router using NAT (which all consumer routers do by default).

How to set up port forwarding.
It depends on the router you're using but luckily google exists. Google "howto portforward <brand name router>" and usually someone will have written about it.

In general, routers list port forwarding under a menu called "Advanced" in the configuration page and sometimes under a menu called "Virtual Servers". It depends on the brand of router you're using to connect to the internet.

SAM
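The private-vs-public comparison described above, worked out as an added example that is not part of the original post. It parses a constructed sample of ifconfig output (both the old "inet addr:" and the newer "inet" line forms), pulls out the non-loopback IPv4 addresses, and decides whether the address reported by a site like ifconfig.me is on this machine (no port forwarding needed, Pedroski's case) or belongs to a router in front of it (port 22 must be forwarded). It goes one step beyond the post: if the "public" address is itself in 100.64.0.0/10 (RFC 6598 shared address space), the ISP is also doing NAT and forwarding on the home router alone will not make the host reachable. The sample addresses and interface names are constructed.

```python
import ipaddress
import re

# Constructed sample of ifconfig output (not a capture from this thread).
SAMPLE_IFCONFIG = """\
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.23  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
"""

# Matches "inet addr:A.B.C.D" (net-tools ifconfig) and "inet A.B.C.D" (newer ifconfig / ip addr).
INET_RE = re.compile(r"\binet (?:addr:)?(\d{1,3}(?:\.\d{1,3}){3})\b")

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (carrier-grade NAT)


def local_ipv4_addresses(ifconfig_output):
    """Return the non-loopback IPv4 addresses found in ifconfig-style output, in order, without duplicates."""
    found = []
    for match in INET_RE.finditer(ifconfig_output):
        ip = ipaddress.ip_address(match.group(1))
        if not ip.is_loopback and str(ip) not in found:
            found.append(str(ip))
    return found


def is_rfc1918(addr):
    """True if addr is in one of the RFC 1918 private ranges, i.e. what a NAT router hands out."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def reachability(ifconfig_output, public_addr):
    """Classify how an inbound SSH connection would reach this host.

    Returns a dict with:
      verdict: "direct" - the public address is on a local interface: no port forwarding needed
               "nat"    - the public address belongs to a device in front of you: forward the SSH port
               "cgnat"  - the public address is in 100.64.0.0/10: the ISP is doing NAT too, so
                          forwarding on your own router is not enough to be reachable
      local:   the local IPv4 addresses that were found
      private: the subset of those that are RFC 1918 addresses
    """
    local = local_ipv4_addresses(ifconfig_output)
    public = ipaddress.ip_address(public_addr)
    if public in CGNAT:
        verdict = "cgnat"
    elif str(public) in local:
        verdict = "direct"
    else:
        verdict = "nat"
    return {"verdict": verdict, "local": local, "private": [a for a in local if is_rfc1918(a)]}


if __name__ == "__main__":
    # 203.0.113.7 is a constructed documentation address standing in for what ifconfig.me would show.
    print(reachability(SAMPLE_IFCONFIG, "203.0.113.7"))
```

Run it with the text of your own ifconfig output in place of the sample and the address ifconfig.me shows you as the second argument; a "nat" verdict with a private address listed means the router is the one the internet sees.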

Pedroski 11-02-2012 06:16 PM

Ok, thanks a lot. The ip address from ifconfig and the ifconfig.me page are identical. I plug into a dsl router at home. But I don't seem to have different ip addresses.

So I won't need to enable port forwarding? It's the weekend here now. I'll get the ssh installed and try it.

One problem I see is: I'm pretty sure my friend uses Windows. I use Ubuntu or Fedora. Will they be compatible??

Pedroski 11-03-2012 05:57 PM

Hi again: could you tell me how and where to set the password for FileZilla? I've been using Linux a long time now, so I've become security conscious. I read the FileZilla page, but I can't see anything about how to give someone a username/password.

Also, FileZilla says if I set SFTP, I can use a public key. I read this from Ubuntu set up ssh page:

SSH Keys

SSH keys allow authentication between two hosts without the need of a password. SSH key authentication uses two keys, a private key and a public key.

To generate the keys, from a terminal prompt enter:

ssh-keygen -t dsa

This will generate the keys using a DSA authentication identity of the user. During the process you will be prompted for a password. Simply hit Enter when prompted to create the key.

By default the public key is saved in the file ~/.ssh/id_dsa.pub, while ~/.ssh/id_dsa is the private key. Now copy the id_dsa.pub file to the remote host and append it to ~/.ssh/authorized_keys by entering:

ssh-copy-id username@remotehost

Finally, double check the permissions on the authorized_keys file; only the authenticated user should have read and write permissions. If the permissions are not correct, change them by:

chmod 600 .ssh/authorized_keys

You should now be able to SSH to the host without being prompted for a password.

copy the id_dsa.pub file to the remote host and append it to ~/.ssh/authorized_keys by entering:

ssh-copy-id username@remotehost

Will this work when the remote host is a Windows machine??

FileZilla also says, I can use ssh, then make sure SSH_AUTH_SOCK is set. How would I set this variable??

sag47 11-04-2012 09:51 PM

I'll try to break it down for you as best I can.

Quote:

Originally Posted by Pedroski (Post 4821641)
Hi again: could you tell me how and where to set the password for FileZilla? I've been using Linux a long time now, so I've become security conscious. I read the FileZilla page, but I can't see anything about how to give someone a username/password.

SFTP can access a system running SSH. Therefore, you set up a system user which can access SSH. Whatever the system's username and password are will be the user/password used to access SFTP in FileZilla. For example, to create a new user and give them a password, do the following.
Code:

useradd testuser
passwd testuser

In a default Ubuntu install, all local users are able to access the system using SSH unless you customize it away from defaults. So as long as you're using defaults that should be the case. I usually recommend against this if the SSH server is up 24/7 but in your case you should just shut down the ssh server when you're done using it.

Quote:

Originally Posted by Pedroski (Post 4821641)
Also, FileZilla says if I set SFTP, I can use a public key. I read this from Ubuntu set up ssh page:

SSH Keys

SSH keys allow authentication between two hosts without the need of a password. SSH key authentication uses two keys, a private key and a public key.

Documentation exists for how to use PKAuth on Windows. However, I don't think you should bother with it. You're just going to over complicate it for your friend because they are the ones who will need to generate the keys, not you.

Just create a system user and set the password for that user. Then try logging in using SFTP over port 22 to that public IP using the same user and password you created.

That should be it.

Pedroski 11-05-2012 06:35 AM

Thanks!

So I could log in to my computer using Filezilla from say work, just using my normal Ubuntu log in and password? Did I get that right? I followed the instructions on the Openssh webpage, and tested the server via localhost as per the webpage. It was successful. I didn't generate the public keys, as I won't do this often, and I would prefer to just log in via username and password. I don't have any state secrets to hide!! (Have to say that in case the Chinese Secret Police are reading this!!)

One more question, if you don't mind:

Ubuntu comes with a folder Public. That is the only one I need my friend to access. I made it read write for anyone. How do I make everything else "invisible" from the outside? Or am I looking at this wrongly? If I, or my friend, using my username/password, log on from another computer, it is me, so nothing needs to be hidden, right? I am not making a public FTP server.

sag47 11-05-2012 08:52 AM

Quote:

Originally Posted by Pedroski (Post 4821066)
One problem I see is: I'm pretty sure my friend uses Windows. I use Ubuntu or Fedora. Will they be compatible??

Yes, they are compatible. That's the beauty of a protocol: if two systems can "speak" the protocol then it doesn't matter what they are in terms of the OS.

Quote:

Originally Posted by Pedroski (Post 4822499)
So I could log in to my computer using Filezilla from say work, just using my normal Ubuntu log in and password? Did I get that right?

In a default Ubuntu install setting up SSH without customizing it will allow you to login using any user on your system. In short yes, your normal login and password will work.

Quote:

Originally Posted by Pedroski (Post 4822499)
Ubuntu comes with a folder Public. That is the only one I need my friend to access. I made it read write for anyone. How do I make everything else "invisible" from the outside? Or am I looking at this wrongly? If I, or my friend, using my username/password, log on from another computer, it is me, so nothing needs to be hidden, right? I am not making a public FTP server.

For this case you want to chroot jail SSH. A quick google search for "openssh lock user home" brought me to this quick tidbit. You can customize SSH so that you can force users into a certain directory. I'll modify the instructions a bit and give you a test case.

Here's a tutorial. One thing to note is you can't really have what you ask (locking the user into your own home directory). This is because of the security setup for a chroot environment which requires all directories in the chroot home to be owned by the root user. That would mean you would have to own your home directory by root which means you can no longer write to your own home! If you don't want to mess with the whole Chroot Jail stuff because it becomes a mess then you can simply do the following...

Code:

#add user and set their shell to nothing so they can't ssh.
sudo useradd -s /bin/false testuser
sudo passwd testuser

#create a sftponly group
sudo groupadd sftponly

#add testuser to the sftponly group
sudo usermod -a -G sftponly testuser

#Set your own home directory permissions so your friend can't access your files (pedro is your username)
sudo chmod 700 /home/pedro

Now add the following to the bottom of /etc/ssh/sshd_config and restart the ssh server.
Code:

Match Group sftponly
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no

Additionally I recommend making the following security changes to your /etc/ssh/sshd_config file.
Code:

# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowGroups pedro sftponly

Alternatively, instead of adding pedro to AllowGroups you can create yourself an sshusers group and add the user pedro to it. Then you can simply add the sshusers group to AllowGroups.

SAM
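A small checker for the sshd_config changes recommended above, as an added example that is not part of the original post. It parses sshd_config the way sshd reads it (first value of a keyword wins; every line after a "Match" line belongs to that Match block until the next one) and then reports whether PermitRootLogin, AllowGroups and the "Match Group sftponly" block with ForceCommand internal-sftp, X11Forwarding no and AllowTcpForwarding no are in place. It also catches the mistake of pasting the global hardening lines below the Match block, where they no longer apply globally (and sshd refuses LoginGraceTime and StrictModes inside a Match block outright). The three config snippets are constructed from the post's settings; the group and user names follow the post.

```python
# Constructed sshd_config snippets (not files from the thread) used as test input.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
X11Forwarding yes
"""

HARDENED_CONFIG = """\
Port 22
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
AllowGroups pedro sftponly

Match Group sftponly
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
"""

# Same keywords, but the global lines were pasted after the Match block.
MISPLACED_CONFIG = """\
Port 22
Match Group sftponly
        ForceCommand internal-sftp
        X11Forwarding no
        AllowTcpForwarding no
PermitRootLogin no
AllowGroups pedro sftponly
"""

# Keywords the post sets globally; the last two are not even accepted inside a Match block by sshd.
GLOBAL_KEYWORDS = ("permitrootlogin", "allowgroups", "logingracetime", "strictmodes")


def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keywords are lower-cased, values kept as written.

    match_blocks is a list of (criteria, settings) in file order. Like sshd, the first
    value seen for a keyword is kept, and everything after a Match line belongs to that block.
    """
    global_settings = {}
    blocks = []
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            blocks.append((value, current))
            continue
        current.setdefault(key, value)
    return global_settings, blocks


def audit(text):
    """Return a list of findings; an empty list means the config matches the post's hardening."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if g.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not 'no' in the global section")
    if "allowgroups" not in g:
        findings.append("AllowGroups is not set globally: every local user may log in over SSH")
    sftp_blocks = [kw for crit, kw in blocks if crit.lower() == "group sftponly"]
    if not sftp_blocks:
        findings.append("no 'Match Group sftponly' block")
    else:
        kw = sftp_blocks[0]
        for key, want, label in (("forcecommand", "internal-sftp", "ForceCommand"),
                                 ("x11forwarding", "no", "X11Forwarding"),
                                 ("allowtcpforwarding", "no", "AllowTcpForwarding")):
            if kw.get(key, "").lower() != want:
                findings.append(f"Match Group sftponly: {label} should be '{want}'")
    # A global keyword that only shows up inside a Match block was almost certainly pasted
    # below the Match line; it then applies only to that block (or is rejected by sshd).
    for crit, kw in blocks:
        for key in GLOBAL_KEYWORDS:
            if key in kw and key not in g:
                findings.append(f"{key} appears only inside 'Match {crit}': move it above the Match block")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("misplaced", MISPLACED_CONFIG)):
        print(name, audit(cfg) or "ok")
```

To check a live file, pass the contents of /etc/ssh/sshd_config to audit(); sshd's own "sshd -t" still has the final say on syntax, this only checks that the settings from the post landed where they were meant to.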

Pedroski 11-05-2012 04:53 PM

Wow, that's great, thanks a lot!

