vsftpd behind router/firewall

Jan 28, 2012
Tested on: Ubuntu 11.04 (natty)

This is how I got a vsftpd server to work behind a router. If you are getting errors like "Server sent passive reply with unroutable address. Using server address instead." or "500 illegal port command" on the list (ls) command, this post might help. Setting the passive mode configuration correctly is the trick.

Please note that this may not be the perfect solution or even worse - not very secure. Read vsftpd.conf manual before applying any changes.

Make sure ports 20, 21 and a few more ports, for example 4242-4252, are being forwarded to the server. We will need these extra ports for passive mode - set pasv_min_port and pasv_max_port accordingly in the configuration file. Add the following to /etc/vsftpd.conf:

    connect_from_port_20=YES
    pasv_enable=YES
    pasv_addr_resolve=YES
    pasv_address=myaddress.dyndns.com
    pasv_min_port=4242
    pasv_max_port=4252

Set pasv_address to your domain name. You can use dyndns for a dynamic IP address. vsftpd converts the domain name to an IP address when the vsftpd server starts. Note that if your IP address changes after vsftpd has started, it will not update the IP address. There have been some attempts to solve it.
Here are some more configurations with comments:

    # Only allow FTP access to users listed in file /etc/vsftpd.userlist
    # Other users will not have ftp access
    userlist_enable=YES
    userlist_deny=NO
    userlist_file=/etc/vsftpd.userlist

    # Disable delete commands
    cmds_denied=DELE,RMD

    # Verbose logging
    log_ftp_protocol=YES

    # You may restrict local users to their home directories. See FAQ for
    # the possible risks in this before using chroot_local_user
    chroot_local_user=YES
For more security, you can also modify the login shell of a dummy ftp user to something like /bin/false - which does not exist. Use the following command:

    sudo usermod -s /bin/false <username>

In order to make this work you have to add /bin/false to the file /etc/shells. Otherwise vsftpd will generate a login error when the user logs in using ftp.
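
An added example (not part of the original post): a small Python audit of the settings above, checking that the passive range stays inside the forwarded ports, that a hostname in pasv_address is paired with pasv_addr_resolve, that the userlist really is an allow list, and that listed users have a shell present in /etc/shells. The function names, the user ftpdummy and all sample file contents are constructed for illustration.

```python
import ipaddress

def parse_conf(text):
    """Parse vsftpd.conf: strict key=value lines, '#' starts a comment line."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key] = value
    return conf

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit(conf_text, forwarded_ports, userlist, passwd, shells):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_conf(conf_text), []
    lo, hi = int(conf.get("pasv_min_port", 0)), int(conf.get("pasv_max_port", 0))
    if lo == 0 or hi == 0:  # vsftpd's default of 0 means "use any port"
        findings.append("passive port range is unbounded")
    elif not set(range(lo, hi + 1)) <= set(forwarded_ports):
        findings.append(f"passive ports {lo}-{hi} are not all forwarded")
    addr = conf.get("pasv_address", "")
    if addr and not is_ip_literal(addr) and conf.get("pasv_addr_resolve") != "YES":
        findings.append("pasv_address is a hostname but pasv_addr_resolve is not YES")
    if conf.get("userlist_enable") == "YES" and conf.get("userlist_deny") != "NO":
        findings.append("userlist_deny is not NO, so userlist_file is a deny list")
    valid = {s.strip() for s in shells.splitlines() if s.strip().startswith("/")}
    login_shell = {f[0]: f[6] for f in (e.split(":") for e in passwd.splitlines()) if len(f) == 7}
    for user in userlist.split():
        if user in login_shell and login_shell[user] not in valid:
            findings.append(f"{user}: shell {login_shell[user]} is not in /etc/shells")
    return findings

# Constructed sample inputs, not taken from a real host.
FORWARDED = [20, 21, *range(4242, 4253)]
CONF = ("pasv_enable=YES\npasv_address=myaddress.dyndns.com\npasv_addr_resolve=YES\n"
        "pasv_min_port=4242\npasv_max_port=4260\nuserlist_enable=YES\n")
USERLIST = "ftpdummy\nalice\n"
PASSWD = ("ftpdummy:x:1001:1001::/home/ftpdummy:/bin/false\n"
          "alice:x:1002:1002::/home/alice:/bin/bash\n")
SHELLS = "# /etc/shells: valid login shells\n/bin/sh\n/bin/bash\n"
for finding in audit(CONF, FORWARDED, USERLIST, PASSWD, SHELLS):
    print("FINDING:", finding)
```

On a real host, pass in the contents of /etc/vsftpd.conf, /etc/vsftpd.userlist, /etc/passwd and /etc/shells together with the port list configured on the router.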

Encryption + Dropbox + Android

Dec 24, 2011
Dropbox is a great application which syncs data across different computers and devices. This makes Dropbox ideal for syncing important, and often sensitive, information across devices. Saving sensitive information on the cloud makes me feel uncomfortable and cranky. This is a log of the software/apps required for encrypting data. Explicit goals are:
  1. Data should never be saved to disk unencrypted.
  2. Encrypted data should be readable, even without internet access, on Windows, Linux, & Android devices.
  3. Encryption algorithm should be well known standard algorithm. Open source programs are preferable.
Following are some of the possible solutions with some notes. Not all of them achieve all the goals mentioned above.

EncFS provides an encrypted filesystem in user space. It allows mounting an encrypted folder to a user-defined location. Cryptonite is an Android app which supports mounting of encrypted EncFS. Unfortunately, I found Cryptonite to be buggy and the Android app did not work out well for me. EncFS is definitely among the perfect solutions for "desktop-only" systems.

BoxCryptor comes very close (and probably is heavily inspired by EncFS). It has been developed with tight integration with Dropbox. It uses the very popular AES-256 standard. Unfortunately its Android app requires an internet connection to read the encrypted folder. Another drawback is the tight integration with Dropbox. The Android app requires Dropbox credentials to access data. I feel uncomfortable giving the Dropbox credentials to any place other than Dropbox itself.

enotes is the perfect solution for individual text files. Each encrypted file is an independent text file and hence each individual file has to be encrypted/decrypted separately. This can be an advantage or a disadvantage depending on the purpose. It also has an Android app: Encrypted Notepad. It uses AES-128 encryption and is good enough for me. The software is written in Java and hence is cross-platform. Similar apps: Secret safe Lite, NoteCipher, OpenNoteSecure.

APG is an Android app which aims to provide an OpenPGP implementation. It uses a public-private key or pass-phrase for encryption. But it saves unencrypted data to disk. Another app, Encryption Manager Lite, works in a very similar fashion but with AES encryption. Similar apps: File Encrypter, Pattern Encrypt (Cool idea to use patterns for passwords).

PS: There are numerous desktop applications which can be used to encrypt/decrypt data using standard algorithms like AES. When accessing files on an Android device is not an issue, any of these can be a solution. TrueCrypt is worth a mention in this category for its simple interface and powerful features. EncFS, as mentioned above, may also be suitable for some systems.



xpdf & X resource

Aug 7, 2011
Tested on: Ubuntu 11.04

The xpdf man page is not very detailed in terms of possible values for the X resource file. The following are the places where xpdf settings can be specified:
  • Ubuntu X resource file: ~/.Xresources
    The exact files being read can be found by looking into /etc/gdm/Xsession. My settings in ~/.Xresources:

        # xpdf settings
        xpdf.geometry: 1280x1024
        xpdf.initialZoom: width

    Run the following for immediate effect:

        xrdb -nocpp -merge ~/.Xresources

  • xpdfrc can be found at ~/.xpdfrc and at /etc/xpdf/xpdfrc. My ~/.xpdfrc file:

        include /etc/xpdf/xpdfrc
        initialZoom width

TeamViewer: Unattended auto-start in Ubuntu

Aug 4, 2011
Tested on: Ubuntu 11.04 (Natty Narwhal)

This is a log of the steps to set up TeamViewer on Ubuntu on my laptop, so that I can access my laptop from any other computer, without any user interaction on my laptop's end. More importantly, TeamViewer should be started on each reboot automatically and should not interfere with the user's normal task(s).

Precisely, it's an effort to mimic TeamViewer on Windows, where it can be used to remotely access the computer even before login to Windows (though this workaround is cheating, as we use the auto-login feature of Ubuntu; read step 3 for details). Following are the main steps:
  1. Install & setup TeamViewer for auto-start - Detailed steps are here.
    • Download & install appropriate .deb file.
    • Add a new application in Menu -> System -> Preferences -> Startup Applications.
  2. (Optional) Some configuration to make sure that TeamViewer does not pop-up on user logins.
  3. Configure Ubuntu to automatically login & then lock the screen
Details of last two steps are given below.
Step 2:
This is an optional step. It's safe to skip this step. If TeamViewer is added to auto-start on each login, the user gets the TeamViewer window on each login. This might be annoying after some time. So, the idea here is to use another application, devilspie, to hide the TeamViewer window: put the TeamViewer window on another workspace and/or minimize it. Here is a very good devilspie tutorial.
  • Install devilspie (& maybe gDevilspie, a nice front-end)
  • Create the devilspie directory:

        mkdir ~/.devilspie

  • Create a file with the name 'teamviewer.ds' and put the following in it:

        ; generated_rule teamviewer
        ( if
          ( begin
            ( is ( application_name ) "TeamViewer" )
            ( is ( window_name ) "TeamViewer" )
          )
          ( begin
            ( set_workspace 2 )
            ( minimize )
            ( println "match" )
          )
        )

    It will put the windows with the name "TeamViewer" on workspace 2 and minimize them. Make sure the devilspie daemon is running. Check the gDevilspie GUI.

This is not a very elegant solution. There were some minor issues with the rendering of the TeamViewer window (though it works without any flaw). There can be some other ways to put it in the system tray using some application like alltray. But this workaround is good enough for me.

Step 3: Configure Ubuntu to automatically login & then lock the screen
TeamViewer will auto-start only when the user is logged in. So in order to make sure that TeamViewer is started even in case of a remote reboot, auto-login has to be enabled. But this is also a security/privacy threat. One of the easiest ways to maintain security is to somehow lock the screen immediately after logging in. We can create a custom xsession for the same. See note 2 below if you are using some secured wireless network on Ubuntu.

Create a file /usr/share/xsessions/autolock.desktop with the following content. Change username to the correct user name.

    [Desktop Entry]
    Name=Auto Lock Gnome
    Comment=Custom ~/.xsession script
    Exec=/home/<username>/.xsession
    X-Ubuntu-Gettext-Domain=gdm

Create another file ~/.xsession with the following content:

    #! /bin/bash
    # Start the screensaver daemon
    gnome-screensaver
    # Lock the screen immediately
    gnome-screensaver-command --lock
    # Start the desktop session
    gnome-session --session=2d-gnome

Note the last line. I am loading the Ubuntu (Without any effects). You may want to change it to the appropriate session. Check other .desktop files in /usr/share/xsessions/ for the correct command.

Now enable auto-login. Menu-> System -> Administration -> Login Screen. Select "Auto Lock Gnome" in the default session. Reboot & you should see the change. Check note 1 & 3 as well.

Notes:
  1. You may opt to allow only selected computers to connect to TeamViewer for better security. See 10.2 "Security Category" in the TeamViewer manual.
  2. If auto-login is enabled, Gnome-Keyring kicks in each time after auto-login and usually affects all applications related to saved passwords, including network-manager. This is especially important if you are using a secured network, like WEP etc, as the internet connection won't be active till the user enters the password in Gnome-Keyring manually. Here is a very easy work-around to get an internet connection without Keyring kicking in. You should apply these changes for only the trusted network(s).
  3. Please note that enabling Auto-login & configuring it to connect to wireless network automatically is a potential security threat. Try it at your own risk.