
27.2.14

Secure VNC connections with Free VNC edition

VNC is a useful tool for administering a computer remotely. The free version has great features, but SSL-protected communication during a VNC session is not one of them.
This can lead to security issues such as traffic sniffing, which can result in theft of sensitive data. To avoid these issues we can route the VNC session inside an encrypted SSH tunnel and secure the communication.

In this tutorial I will show how to create a secure tunnel and then route the free VNC edition through it to secure the communication of the VNC session.

What we need:

  • 2 hosts, generally one is depicted as a server and the other one as a client.
    • VNC server installed on the server host
    • VNC viewer installed on the client host
    • freeSSHd installed on the server host (if Windows based) or openssh-server (on Linux machines)
    • PuTTY installed on the client machine (if Windows based) or openssh-client (on Linux machines)

As seen in the post "SSH Tunneling" on this blog, it is possible to create a secure tunnel between two hosts. Below are the commands used to create the tunnel:

Under Linux machines on the client side:


ssh user@serverip -L <LOCAL_PORT>:127.0.0.1:<VNC_PORT_ON_SERVER>


Where:
  • <LOCAL_PORT> is the port on the client host where the VNC connection will be redirected.
  • <VNC_PORT_ON_SERVER> is the port on the server where the VNC service is running.
  • The middle address "127.0.0.1" is resolved on the server we are connecting to, so <VNC_PORT_ON_SERVER> on the server itself is made available at <LOCAL_PORT> on the client.

Under Windows machines on the client side:

Start PuTTY and, under the Session section, enter user@serverip in the circled field.

Under SSH->Tunnels:
In Source Port place the equivalent of <LOCAL_PORT>
In Destination place the equivalent of "127.0.0.1:<VNC_PORT_ON_SERVER>"

Once set up, click Open.

Now, on both Windows and Linux machines, you can open the secure VNC session by connecting to:

127.0.0.1:<LOCAL_PORT>

In this case the packets will be routed through the ssh connection until they get to the server.
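The tunnel only protects the session if the VNC port cannot also be reached directly. As an added example (not part of the original post), this shell function reads listener lines in the format of `ss -ltnH` on the server and reports VNC listeners bound to a non-loopback address; the ports 5900 and 5901 and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find VNC listeners that can be reached without the tunnel.
# Input format is that of `ss -ltnH`: State Recv-Q Send-Q Local Peer.
# On the server:  ss -ltnH | exposed_vnc_listeners <VNC_PORT_ON_SERVER>

exposed_vnc_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            local_addr = $4
            # Split on the last colon; IPv6 addresses contain colons too.
            pos = match(local_addr, /:[0-9]+$/)
            if (pos == 0) next
            addr = substr(local_addr, 1, pos - 1)
            if (substr(local_addr, pos + 1) != port) next
            # A loopback bind is reachable only from the server itself,
            # which is exactly where the SSH forward connects from.
            if (addr ~ /^127\./ || addr == "[::1]") next
            print local_addr
        }'
}

# Succeeds when no listener on the given port is exposed.
vnc_only_via_tunnel() {
    [ -z "$(exposed_vnc_listeners "$1")" ]
}

# Constructed sample, not captured output.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 5   0.0.0.0:5900   0.0.0.0:*
LISTEN 0 5   127.0.0.1:5901 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22     0.0.0.0:*
LISTEN 0 5   [::]:5900      [::]:*
EOF
}

sample_listeners | exposed_vnc_listeners 5900
```

Any line it prints is a VNC listener that bypasses the tunnel; binding the VNC server to 127.0.0.1 or firewalling the port closes it.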

VNC Free + secure connections.


Enjoy

27.7.12

Automated Rotation Backup Script

Hi guys!

In this post we'll see something useful about backing up your personal data!

Backing up data is very important, especially for people who use a computer for work. The loss of important data can be a disastrous event.

What we need to run this script is:

- Personal Computer with a distribution of Linux Installed
- About 5 minutes of patience :-)

-------------------------------------------------------------------------------------------------------------------------

UPDATE

The original script has been uploaded by zyphlar to a GitHub repository. The code has been improved in order to perform security checks. Indeed, when not invoked properly, the script could have deleted data.

https://github.com/zyphlar/backup-rotation-script/blob/master/rotate.sh

Thanks to Zyphlar for the improvements

-------------------------------------------------------------------------------------------------------------------------

Description: This script backs up a specified directory and implements rotation. Rotation in backups means that old backup files are deleted automatically and newer ones are shifted to replace them. You can set the number of days after which old backup folders are deleted by changing the NUMDAYS variable, which is set to 7 days by default. Once you have pasted the script into a file, save it as "backup_script.sh".

1 - The script needs the "x" flag so that it can be eXecuted. Open a Linux terminal, go to the directory where the script is and type


chmod +x backup_script.sh

2 - To run this script, open a terminal, cd to the directory where the script is and type


./backup_script.sh what where

Where:
  • the parameter <what> must be the ABSOLUTE path of the directory to back up.
  • the parameter <where> must be the ABSOLUTE path of the directory where the backup will be stored.

The script also produces log output. If you run it from a terminal you'll see log lines describing the backup operations. To store them in a separate file, execute the script this way:

./backup_script.sh what where > backup_log.log 

This way the log lines will be stored in the backup_log.log file.

3 - The last step is automating the process. To schedule the backup we can use cron, a daemon that executes scheduled commands for every user of a machine. You schedule a command by specifying the minute, the hour, the day and so on at which to execute it, as shown below.

.---------------- [m]inute (0 - 59) 
|  .------------- [h]our (0 - 23)
|  |  .---------- [d]ay [o]f [m]onth (1 - 31)
|  |  |  .------- [mon]th (1 - 12) OR jan,feb,mar,apr... 
|  |  |  |  .---- [d]ay [o]f [w]eek (0 - 6) (sunday=0 or 7)  OR sun,mon,tue,wed,thu,fri,sat
|  |  |  |  |

*  *  *  *  *  command to be executed


Now we have to add a scheduled execution of our backup script. Here is an example that you can customize. First, open a Linux terminal and type

crontab -e


This lets you edit your scheduled cron commands (the -e option means edit). Now we insert the scheduled execution of our script. Before you can edit the content you must press the "I" key, which switches the editor into "INSERT" mode. Now it's possible to enter data. Type something like

45 15 * * * /path/to/backup_script.sh /path/to/what /path/to/where > /path/to/backup_log.log


You have to give absolute paths, so replace /path/to/ with the exact absolute path where the script is placed, and /path/to/what and /path/to/where with the <what> and <where> directories described above. When you have finished editing, press "ESC" to switch from "INSERT" mode to "VIEW" mode, type ":wq" and hit return. "wq" means "write changes and quit". Now we have added a scheduled execution of the script to the cron daemon. We can verify this by typing


crontab -l


which "lists" all the cron entries for this user. In the example above we have scheduled the script to run every month, on every day of the week and of the month, at 15.45 (in 24h notation, or 3.45PM in 12h notation). This way your backups will be automated, and the old backups will be automatically deleted and replaced with the shifting logic introduced below.
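Since a wrong invocation of a rotating backup can delete data, the <what> and <where> arguments are worth checking before anything is created or removed. The function below is an added example, not the code of backup_script.sh or of rotate.sh; the function names, return codes and the rule that source and destination must not contain each other are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: argument checks to run before a backup/rotation script
# creates or deletes anything. Names and return codes are hypothetical.

# Resolve a directory to its physical path (symlinks and ".." removed).
canon_dir() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# validate_backup_args WHAT WHERE
# Prints the reason and returns non-zero when the pair is unsafe.
validate_backup_args() {
    if [ "$#" -ne 2 ]; then
        echo "usage: backup_script.sh what where"; return 2
    fi
    for p in "$1" "$2"; do
        case "$p" in
            /*) ;;
            *) echo "not an absolute path: $p"; return 3 ;;
        esac
    done
    what=$(canon_dir "$1") || { echo "source is not a directory: $1"; return 4; }
    where=$(canon_dir "$2") || { echo "destination is not a directory: $2"; return 5; }
    # Rotation deletes old folders under WHERE, so refuse the filesystem root.
    if [ "$where" = "/" ]; then
        echo "refusing to rotate backups in /"; return 6
    fi
    # Compare with a trailing slash so /data does not match /database.
    src="${what%/}/"
    dst="${where%/}/"
    # WHERE inside WHAT would back up the backups themselves.
    case "$dst" in "$src"*) echo "destination is inside source"; return 7 ;; esac
    # WHAT inside WHERE would put the source within reach of rotation deletes.
    case "$src" in "$dst"*) echo "source is inside destination"; return 7 ;; esac
    echo "ok: $what -> $where"
}

# Demonstration with a relative source path, which is rejected.
validate_backup_args backups /tmp || true
```

Because the paths are canonicalized first, forms such as /home/user/data/../data or a symlinked destination are compared by where they really point.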

21.7.12

My First Post on Happy Engineer - SSH Tunneling

SSH is a very powerful tool. SSH is the acronym of secure shell and is a kind of prehistoric version of Remote Desktop Connection or VNC. The main difference between VNC, RDC and SSH is that SSH makes it possible to manage a remote host without using GUIs, only through a prompt.

You can think "Bleah, only a poor command prompt?  Where the way to unpack tarball is made of a long sequence of chars??? WTF????"

Answer: "Yes".

Trust me, if you begin to use Linux's terminal it will be the END. You won't use Linux without using the terminal! It's a drug!

But wait a second: think about sending only a few bytes to manage remote hosts instead of the large quantities of bytes needed to send screenshots with VNC and RDC. It sounds good!!

Leaving behind these considerations, let's talk technically.

If you want to connect to a remote host using ssh you have to be sure of two things:

1 - The remote host must have an SSH daemon installed (OpenSSH for example), and it must be correctly configured.

On Ubuntu distributions it is very simple to install OpenSSH: just open a terminal and type:

    sudo apt-get install openssh-server

Once installed, the daemon starts automatically when the host starts up, and all the users of the host are able to use the SSH service, so to access your machine you can use the credentials you normally use to log in to the host.

2 - You must know a username-password pair enabled on the remote host.

Try to connect to a remote host using ssh. Open the terminal and type:

    ssh username@hostip



Where:

    username is the username on the remote host
    hostip is the IP of the remote host you want to connect to using SSH

If you want to test whether OpenSSH is working on your local host you can run:

    ssh yourusername@localhost



After the execution of this command you'll be asked to accept a key and you'll need to answer "yes".

    What's the meaning of this question?



SSH is based on a public key cryptography system, and the first time you connect to a remote host you must accept its public key to start the conversation.

    Wow... Now i'm connected to a remote host.. And now?



The main advantage of using SSH to administer remote hosts is its limited bandwidth usage. It may seem like nonsense, but there are a lot of situations where optimizing bandwidth usage can make the difference.



    Yeah. .. Boring Things...



Wait!

There's a little functionality of SSH that is very powerful: tunneling. Tunneling is the possibility to create a tunnel between two hosts and exchange data between them through it.



Imagine having three hosts:

    host A, connected to the internet, placed in Australia
    host B and C in the same subnet but only B is directly connected to the Internet. These two hosts are in Norway.

Imagine also that host A must access C for some reason. There are a lot of ways to do this, for example VPNs (maybe we'll talk about this another time). Another way is tunneling.

Idea!

Using host B as a gateway to exchange data with C. Great! How?

SSH

There's a tiny argument that you can pass to the ssh command: the -L argument. Let's see a usage of this argument.

    ssh johndoe@hostB -L 5000:hostC:21



In this example I'm connecting to host B, placed in Norway, using the username johndoe. By passing the -L argument I'm telling ssh to bind port 21 of hostC (hostC must be host C's IP address in the subnet) to port 5000 of my host. So if I connect with an FTP client to port 5000 of my localhost, the communication will be routed through the tunnel to host C, using host B as a gateway.

So if you can access one host of a subnet using SSH, you'll be able to access every host of that subnet.
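For whoever administers host B, how far such a forward can reach is set by the SSH daemon's forwarding policy. As an added example (not from the original post), this function reads effective settings in the lowercase "keyword value" format printed by `sshd -T` and reports whether -L forwards like the one above are unrestricted; both sample configurations are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify the local-forwarding policy of an SSH server.
# On host B (as root):  sshd -T | forwarding_policy

forwarding_policy() {
    awk '
        $1 == "allowtcpforwarding" { fwd = $2 }
        # PermitOpen may list several host:port targets on one line.
        $1 == "permitopen" { $1 = ""; sub(/^ +/, ""); open = $0 }
        END {
            # OpenSSH defaults when a keyword is absent from the input.
            if (fwd == "")  fwd = "yes"
            if (open == "") open = "any"
            # "remote" permits only -R forwards, so -L is refused.
            if (fwd == "no" || fwd == "remote" || open == "none")
                print "blocked"
            else if (open == "any")
                print "unrestricted"
            else
                print "restricted to: " open
        }'
}

# Constructed sample: default settings, any account on B reaches host C.
default_config() {
    printf '%s\n' 'allowtcpforwarding yes' 'gatewayports no' 'permitopen any'
}

# Constructed sample: only the FTP port of hostC may be forwarded.
hardened_config() {
    printf '%s\n' 'allowtcpforwarding local' 'gatewayports no' \
        'permitopen hostC:21'
}

default_config  | forwarding_policy
hardened_config | forwarding_policy
```

OpenSSH's sshd_config documentation notes that disabling TCP forwarding does not improve security unless users are also denied shell access, since they can install their own forwarders.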

I hope that you will appreciate this post. I'm also happy if you want to correct me in contents or in grammar (I'm not so trained at writing English :) )

Thank you, see you soon

13.2.12

Installing Marlin on Ubuntu 11.10

As I got tired of Nautilus' lack of certain common features (especially the ability to change from icon view to list view in one click), I decided to install a new explorer on my Ubuntu. The logical option was Marlin, the upgraded version of what was previously called "Elementary Nautilus".

Here are the steps to install it, as I found them here

Type from terminal:


sudo add-apt-repository ppa:elementary-os/daily
sudo add-apt-repository ppa:marlin-devs/marlin-daily
sudo apt-get update
sudo apt-get install marlin


After that, if you are using the gnome-fallback shell (as I am) you can go to the top panel and:
ALT+RIGHT CLICK
Add to Panel...
Custom Application Launcher
Name: Marlin - Command: marlin
And the default Marlin icon will appear.

Click OK and now you can launch Marlin from your top panel.


It worked right away for me and it's MUCH better than the default Nautilus.

10.6.11

RTAI installation on Linux (Kind of ultimate tutorial)

Well, I think this might be of interest to some people working with control systems in real time. Linux could be a good choice depending how skilled you are with it (the truth is, everything in Linux requires you to be a. very skilled and b. very patient).
A brief description:
RTAI: Real-time environment for Linux ( https://www.rtai.org/ )
COMEDI: It's an interface for sensing and control devices (http://www.comedi.org/doc/)
Scilab/Scicos: A computational package, kind of a Matlab-Simulink, but open source ( http://www.scilab.org/)
HART Toolbox: A group of modules to work with RTAI using Scicos ( http://hart.sourceforge.net/index.html )

I spent several weeks trying to make it work all together so no, it's not straight forward always (but, who knows, you could be lucky). But this tutorial can make it easier (I hope)

Most of it is taken from http://hart.sourceforge.net/rtai_installation_10_04.html and adapted to solve some of the most common problems. Without further introduction, here is the tutorial:


Installation RTAI

Packages:

UBUNTU 10.04

Install the following packages to proceed:

general:

sudo apt-get install cvs subversion build-essential

rtai:

sudo apt-get install libtool automake libncurses5-dev

comedi-lib:

sudo apt-get install bison flex

comedi-calibrate:

sudo apt-get install libboost-dev libboost-program-options-dev libgsl0-dev

scilab 4.1.2:

sudo apt-get install gfortran sablotron tcl8.5-dev tk8.5-dev xaw3dg-dev libpvm3 pvm-dev libgtkhtml2-dev libvte-dev ocaml-native-compilers

qrtailab:

sudo apt-get install libqt4-dev libqwt5-qt4-dev

Installation of all components

RTAI kernel from EMC

echo deb http://www.linuxcnc.org/lucid lucid base emc2.4 > /tmp/linuxcnc.list

echo deb-src http://www.linuxcnc.org/lucid lucid base emc2.4 >> /tmp/linuxcnc.list

sudo mv /tmp/linuxcnc.list /etc/apt/sources.list.d/

gpg --keyserver pgpkeys.mit.edu --recv-key 8F374FEF

gpg -a --export 8F374FEF | sudo apt-key add -

sudo apt-get update

sudo apt-get install linux-headers-2.6.32-122-rtai linux-image-2.6.32-122-rtai

If there is a problem downloading the patched Kernel, you can try this (taken from http://www.rtaixml.net/realtime-suite/part-2---machine-setup)

sudo wget http://sourceforge.net/projects/rtaixml/files/realtimesuite/1.0/realtimesuite-1.0.tar.gz/download

Decompress the downloaded file, navigate into the subfolder “kernel” inside realtimesuite-1.0, and run the .deb installers

Reboot in the new installed RTAI-kernel.

RTAI (https://www.rtai.org) #1

(cvs-Version)

cd /usr/src

sudo cvs -d:pserver:anonymous@cvs.gna.org:/cvs/rtai co magma

sudo ln -s magma rtai

(tar.gz-Version)

cd /usr/src

sudo wget --no-check-certificate https://www.rtai.org/RTAI/rtai-3.8.1.tar.bz2

sudo tar xjvf rtai-3.8.1.tar.bz2

sudo ln -s rtai-3.8.1 rtai

Installation of RTAI

cd /usr/src/rtai

sudo make menuconfig

Ensure directories are correct:

Installation: /usr/realtime

Linux source tree: /usr/src/linux-headers-2.6.32-122-rtai

Under Machine, choose number of CPUs (check running cat /proc/cpuinfo and verifying how many processors are listed)

sudo make

sudo make install

sudo sed -i 's/\(PATH=\"\)/\1\/usr\/realtime\/bin:/' /etc/environment

Now run export PATH=/usr/realtime/bin:$PATH in each open shell, or log out and log in again.

Now we need to load the rtai modules.

/sbin/insmod /usr/realtime/modules/rtai_smi.ko

/sbin/insmod /usr/realtime/modules/rtai_hal.ko

/sbin/insmod /usr/realtime/modules/rtai_lxrt.ko

/sbin/insmod /usr/realtime/modules/rtai_fifos.ko

/sbin/insmod /usr/realtime/modules/rtai_sem.ko

/sbin/insmod /usr/realtime/modules/rtai_mbx.ko

/sbin/insmod /usr/realtime/modules/rtai_msg.ko

/sbin/insmod /usr/realtime/modules/rtai_netrpc.ko

/sbin/insmod /usr/realtime/modules/rtai_shm.ko

Copy the lines to /usr/local/bin/start_rtai

Do a sudo chmod a+x /usr/local/bin/start_rtai

If there is trouble inserting the rtai_hal.ko module then:

Go to boot/grub/menu.lst or boot/grub/grub.cfg and add “lapic” at the end of this line:

kernel /boot/vmlinuz-2.6.22-realtime root=UUID=45d21232-cf0d-cc3d-87ce-8453214d7a6f ro quiet splash vga=794 lapic

COMEDI (www.comedi.org)

cd /usr/local/src

sudo cvs -d :pserver:anonymous@cvs.comedi.org:/cvs/comedi login

sudo cvs -d :pserver:anonymous@cvs.comedi.org:/cvs/comedi co comedi

sudo cvs -d :pserver:anonymous@cvs.comedi.org:/cvs/comedi co comedilib

sudo cvs -d :pserver:anonymous@cvs.comedi.org:/cvs/comedi co comedi_calibrate

sudo cvs -d :pserver:anonymous@cvs.comedi.org:/cvs/comedi co comedi-nonfree-firmware

If the comedi server is down, you can also find the packages in:

http://www.mev.co.uk/comedi/

Download them and decompress to /usr/local/src

COMEDILIB

cd /usr/local/src/comedilib

sudo sh autogen.sh

sudo ./configure

sudo make

sudo make install

sudo mkdir /usr/local/include/linux

COMEDI

cd /usr/local/src/comedi

sudo sh autogen.sh

sudo ./configure --with-linuxdir=/usr/src/linux-headers-2.6.32-122-rtai --with-rtaidir=/usr/realtime

sudo make

sudo make install

sudo make dev

sudo ldconfig

sudo depmod -a

COMEDI-CALIBRATE

cd /usr/local/src/comedi_calibrate

sudo autoreconf -i -B m4

sudo ./configure

sudo make

sudo make install

RTAI #2

sudo cp /usr/local/src/comedi/include/linux/comedi.h /usr/local/include/

sudo cp /usr/local/src/comedi/include/linux/comedilib.h /usr/local/include/

sudo ln -s /usr/local/include/comedi.h /usr/local/include/linux/comedi.h

sudo ln -s /usr/local/include/comedilib.h /usr/local/include/linux/comedilib.h

cd /usr/src/rtai

sudo make menuconfig

Under “Add-Ons”, select “Real Time COMEDI support in user space”

Check COMEDI installation directory, it should be /usr/local/

sudo make

sudo make install

sudo cp /usr/local/src/comedilib/include/comedilib.h /usr/local/include/

Now we need to load the comedi modules. All rtai modules have to be loaded before! This is an example for the ni 6024e.

modprobe comedi

modprobe kcomedilib

modprobe comedi_fc

modprobe ni_mio_cs

insmod /usr/realtime/modules/rtai_comedi.ko

comedi_config -v /dev/comedi0 ni_mio_cs 0x0100

comedi_calibrate --calibrate

chmod a+rw /dev/comedi0

Copy the lines to /usr/local/bin/load_daq

Do a sudo chmod a+x /usr/local/bin/load_daq

If there is an error message "comedi.o not loaded", then you have to create and edit /etc/modprobe.d/comedi and add one of the following lines:

options comedi comedi_num_legacy_minors=4

(you can change the number 4 if you want), or:

options comedi comedi_autoconfig=0

The first option, comedi_num_legacy_minors=4 reserves 4 comedi devices for use by non-autoconfigured devices. The second option comedi_autoconfig=0 disables auto-configuration completely.

If there is this error:

comedi_calibrate: error while loading shared libraries: libcomedi.so.0: cannot open shared object file: No such file or directory

Then do:

cd /lib/

sudo ln -s /usr/local/lib/libcomedi* .

SCILAB 4.1.2

cd /opt

sudo wget http://www.scilab.org/download/4.1.2/scilab-4.1.2.bin.linux-i686.tar.gz

sudo tar xvzf scilab-4.1.2.bin.linux-i686.tar.gz

cd /opt/scilab-4.1.2

sudo wget http://hart.sourceforge.net/scilablibs.tar.gz

sudo tar xvzf scilablibs.tar.gz

sudo make

sudo ln -s /opt/scilab-4.1.2/bin/scilab /usr/local/bin/scilab

QRTAILab (www.qrtailab.sf.net)

(svn -version)

cd /usr/local/src

sudo svn co https://qrtailab.svn.sourceforge.net/svnroot/qrtailab/trunk qrtailab

(tar.gz - version)

cd /usr/local/src

sudo wget http://downloads.sourceforge.net/qrtailab/QRtaiLab-0.1.12.tar.gz

sudo tar xvzf QRtaiLab-0.1.12.tar.gz

If you use a tar.gz-version please replace qrtailab with qrtailab-x.x.x (x.x.x is the number of your installed version )

cd /usr/local/src/qrtailab

Edit qrtailab.config and replace '/usr/include/qwt/' with '/usr/include/qwt-qt4/' and '-lqwt' with '-lqwt-qt4'

sudo qmake-qt4

sudo make

sudo make install

HART Toolbox (www.hart.sf.net)

Choose a directory (/home/username/software, ...)

(svn -version)

svn co https://hart.svn.sourceforge.net/svnroot/hart/trunk hart

(tar.gz -version)

wget http://dfn.dl.sourceforge.net/sourceforge/hart/hart_0.4.1-src.tar.gz

tar xvzf hart_0.4.1-src.tar.gz

Go in your hart-directory.

Edit Makefile and set 'SCILAB = ...' to the binary file of scilab 4.1.2

Warning: sudo make will not install RTAI module! Either be a normal user and install HART or change to root (using sudo su) and then do make.

make

cd /..../scilab-xxx/contrib

sudo ln -s {link to hart-toolbox} .