How to: Mount remote storage using sshfs

Mount SSHFS

For me, SSH has replaced three very flaky protocols: Telnet (true story) for a networked shell, FTP for simple file transfers and finally NFS for mounting network attached storage.

SSH provides an encrypted networked shell, handles simple file transfers using SCP or SFTP, and can mount remote filesystems using SSHFS. All in one protocol!

Here’s how:
~$ sshfs USER@HOST:DIR mountpoint [options]

  • USER Remote user
  • HOST Remote host
  • DIR Remote directory to mount
  • mountpoint Local mountpoint

Example options:

  • -p PORT Specify alternate port to use
  • -C Enable compression
  • -F FILE Specify alternate ssh config file

sshfs is available on most Linux package repositories and can also be found on the fuse project page: http://fuse.sourceforge.net/sshfs.html

Happy Mounting!

How To: Monitor NetCat File Upload Progress using PV


Using NetCat to upload files can be handy, but it would be nicer to see the upload's ETA instead of staring patiently at the terminal waiting for a prompt. PV, or “Pipe Viewer”, is a handy little command that tracks the progress of data through any Unix pipe. Using it as a replacement for “cat” on the sending side of the NetCat transfer gives you a fancy progress bar.

For example:

lazyclient@lazyclient-desktop:~$ nc -l 7000 > verybigfile.bin

Server side…

superitguy@pro-server:~$ pv verybigfile.bin | nc 3.1.33.7 7000
70.2MB 0:00:11 [5.95MB/s] [============================================================>] 100%

Fetch the latest binary @ pv’s project homepage: http://www.ivarch.com/programs/pv.shtml

How to: Piece together Port and PID using Netstat, In Linux


Linux and networking go hand in hand, whether running on a fancy desktop or a noisy server. Regardless of which packages you choose to install, chances are that they require networking for some functionality. A desktop may have a DNS cache, filtering proxy, anonymous SOCKS proxy or SSH tunnel listening in the background. The server is equally busy with its web, email, FTP or NFS services awaiting clients. But when expected bandwidth is missing or something decides to communicate outside the expected standard, it can be difficult to guess which of these ghosts and daemons is responsible.

It's good administrative practice to be aware of which protocols are communicating over the wire, and who or what is allowed to do so. If open connections are not checked periodically, preferably automatically, the system may have been subject to intrusion or be part of a massive botnet while the activity goes unnoticed. Your system, your sockets.

Netstat casts some light on the situation. Using the right switches, this utility can provide a detailed real-time overview of active connections, among other things. One particular set of switches I find useful, found at cyberciti.biz (http://www.cyberciti.biz/faq/what-process-has-open-linux-port/), is as follows:

~$ netstat -tulpna (as root)

This nifty little line compresses several features of netstat into one command and outputs almost everything you need to know, such as:

  • -t List TCP sockets
  • -u List UDP sockets
  • -l Display listening sockets
  • -p Display process ID related to socket
  • -n Show numeric addresses and ports (skip DNS name resolution)
  • -a Display all connected sockets

Sample Output (from cyberciti.biz)

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:55091           0.0.0.0:*               LISTEN      910/rpc.statd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1467/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd
tcp6       0      0 :::7000                 :::*                    LISTEN      3813/transmission
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap
udp        0      0 0.0.0.0:662             0.0.0.0:*                           910/rpc.statd
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:67              0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient
udp        0      0 0.0.0.0:7000            0.0.0.0:*                           3813/transmission
udp        0      0 0.0.0.0:54746           0.0.0.0:*                           910/rpc.statd

If you use netstat with the “-tulpna” switches regularly, put them in a bash alias. For example:
~$ alias tulpna='netstat -tulpna'
Put it in .bashrc or .bash_aliases to make it permanent.
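To turn that output into the answer the post is after (which daemon is reachable from the wire on which port), here is an added filter script, not part of the original post, that drops loopback-only listeners and prints the exposed sockets with their PID/program. It embeds an excerpt of the cyberciti.biz sample above so it can be run offline.

```shell
# Added example (not from the original post): filter "netstat -tulpna" output
# down to the sockets reachable from the network, with the owning PID/program.
# Listening sockets bound to 127.0.0.1 or ::1 are dropped; everything else that
# is LISTENing (TCP) or bound (UDP) is printed as: proto addr port pid/program
# On a live box:  netstat -tulpna | exposed_sockets
exposed_sockets() {
  awk '
    $1 !~ /^(tcp|udp)6?$/ { next }              # skip the two header lines
    {
      laddr = $4
      if ($1 ~ /^tcp/) { state = $6; prog = $7 } # TCP rows carry a State column
      else             { state = "-";  prog = $6 } # UDP rows do not
      if ($1 ~ /^tcp/ && state != "LISTEN") next
      n = split(laddr, f, ":"); port = f[n]      # port sits after the last colon
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "::1") next   # loopback only: not exposed
      printf "%s %s %s %s\n", $1, addr, port, prog
    }'
}

# Excerpt of the cyberciti.biz sample output quoted in the post, embedded so
# the filter can be exercised offline.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1138/mysqld
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      850/portmap
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1607/apache2
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      992/sshd
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      1565/cupsd
tcp        0      0 0.0.0.0:7000            0.0.0.0:*               LISTEN      3813/transmission
tcp6       0      0 :::22                   :::*                    LISTEN      992/sshd
tcp6       0      0 ::1:631                 :::*                    LISTEN      1565/cupsd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           850/portmap
udp        0      0 192.168.122.1:53        0.0.0.0:*                           1467/dnsmasq
udp        0      0 0.0.0.0:68              0.0.0.0:*                           3697/dhclient'

# Run the filter over the excerpt (swap the printf for netstat on a live system).
exposed_from_sample() { printf '%s\n' "$SAMPLE_NETSTAT" | exposed_sockets; }
```

Anything the output lists that you do not recognise (here, for instance, transmission on 7000 on every interface) is exactly the daemon worth chasing down by PID.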

Happy hunting!

How To: Avoid password theft, Faceraping, Email hijacks etc. On public networks

Has your email been blacklisted? Do your forum posts suddenly contain nothing but kittens? Did your relationship status become same-sex overnight? Well, physical access to your box may be the answer to most of these scenarios. But everything you send over a public wire in plain text has the potential to be sniffed or otherwise phished if you are careless.

Here are a few tips in avoiding disaster:

* SSL/TLS
Encrypt, encrypt, encrypt, and make sure the certificate in question is properly signed; it's mandatory, whether it's web, email or chat. Most online services today offer an encrypted alternative, including popular services like Google, Facebook and Twitter. Just be on the lookout for https:// and not plain http:// in the address bar. Never trust a pretty “Lock Icon”: those can be injected into the session while SSL is being stripped out, in an attempt to fool the user.


The same mindset applies to SMTP/IMAP/POP3 email and the various chat protocols: enable whatever SSL option is available. For email, the default SSL port numbers are 993 for IMAP(S), 995 for POP3(S) and 465 for SMTP(S). The port number may vary depending on your email provider.

* SSH Tunnel
When encrypted alternatives are not available, or don't exist, an SSH tunnel can be used: simply tunnel the traffic through an encrypted SSH session and relay it out through the trusted network where the SSH server is located. I have a tutorial on how to do just that, complete with the syntax and resources required, here: http://peppoj.net/2012/10/tunnel-http-traffic-encrypted-using-polipo-and-ssh/.

* BYOIC (Bring Your Own Internet Connection)
If all else fails and trust is an issue, avoid public networks completely and use your own connection. If you have already made the leap to the new generation and bought a smartphone with a generous data plan, why not use it? Most smartphones today (and some older devices I've seen) allow tethering to computers and other devices. Simply enable tethering, hook it up and adjust the network settings on your host.

Disclaimer:
None of the tips above will protect you from phishing or otherwise plainly fraudulent websites. Use your brain.

Feedback welcome