SSH port forwarding

Let’s say you want to connect to port 8080 on a machine that runs inside your company’s firewall. If a VPN is available you could use it, but it would affect all your other connections. Probably the easier and most effective way is SSH port forwarding: connect to your company’s login server, or to any other machine where you have shell access and which can reach the remote site on port 8080, and use a local port of your machine to access the remote site:

ssh -L 8080:remotesite.com:8080 username@remoteloginserver.com

Having done that, you can access remotesite:8080 by typing ‘localhost:8080’ in your browser. The remote site sees (correctly) all connections as originating from ‘remoteloginserver.com’, to which your local requests to port 8080 are forwarded.

You may also want the opposite: to map a port of a remote machine to a port on your local machine. The most common use of this is accessing your machine at home (which is behind a router or firewall) from the login server at work or university. You can bind, say, port 2222 of the remote server to port 22 of your machine, so that a connection to port 2222 of ‘localhost’ (on the remote site) is redirected to your home machine:

ssh -R 2222:localhost:22 username@remoteloginserver.com

While you are connected to ‘remoteloginserver.com’, running ‘ssh username@localhost -p 2222’ gets you to your home machine.
To be sure that the chosen port is listening on the remote site, you can grep the netstat output:

# netstat -tunel | grep 2222
tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      35393      4543448    
tcp        0      0 ::1:2222                :::*                    LISTEN      35393      4543449    

Something like this can raise security concerns about who will try to get access to your home machine (or any other). After all, anybody who has access to the remote machine and can run an SSH client can start brute-force attempts with your machine as the target. However, remote port forwarding is meant to be used for a short period of time; it is very handy for getting a specific task done. If you need it for longer, you must place a lot of trust in the users who have access to the remote machine, and you should implement some kind of access control list on your home machine so that only specific users are allowed to connect.
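The netstat check above only tells you the port is listening; what matters for the concern just raised is which address it is bound to. This added example (not from the post) classifies the listeners for a forwarded port from netstat -tunel output; the sample output is constructed in the same layout as the post’s lines.

```shell
#!/bin/sh
# Added example, not from the post: report whether a remote-forwarded port is
# reachable only from the login server itself (loopback) or from the network.

# Constructed sample output in the layout of "netstat -tunel" (Proto Recv-Q
# Send-Q Local Foreign State User Inode); the third line is a deliberately
# exposed listener for comparison.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:2222          0.0.0.0:*               LISTEN      35393      4543448
tcp        0      0 ::1:2222                :::*                    LISTEN      35393      4543449
tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN      35393      4543450'

# forward_exposure PORT NETSTAT_TEXT -> prints "none", "loopback" or "exposed"
forward_exposure() {
  port=$1
  text=$2
  printf '%s\n' "$text" | awk -v port="$port" '
    $6 == "LISTEN" {
      addr = $4
      n = split(addr, parts, ":")      # the port is the last ":"-separated field
      if (parts[n] != port) next
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      found = 1
      if (host != "127.0.0.1" && host != "::1") exposed = 1
    }
    END {
      if (!found) print "none"
      else if (exposed) print "exposed"
      else print "loopback"
    }'
}

# Live use on the login server (not run here):
#   forward_exposure 2222 "$(netstat -tunel)"
```

With ssh -R the listener is bound to loopback on the login server unless that server’s sshd has GatewayPorts enabled, so "exposed" means the whole network, not just local users, can reach your home machine’s port 22.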


Microsoft Academic Alliance: For the sake of education?

This year we start getting our hands on the .NET Framework. Because the university is a member of the Microsoft Academic Alliance, we can get some full suites of expensive MS software at no charge in order to get our university work done, as well as for any non-commercial projects of our own. But for the students to get the software for free, the university must first pay a fee to Microsoft. The university gets fees from the students anyway, so we could say that those fees include these extra fees.

The list of software contains Visual Studio 2008 Professional Edition, MS SQL Server 2008, Expression Studio Developer Edition, Windows Server 2008 and others. Of course, from the point of view of a student (who is obliged to work with these technologies), that’s of great help to get his work done and to see what these technologies can offer and how they work.

Some of these are notable. Visual Studio is a nice environment for developing applications. However, Visual Basic is a bit awful, ASP is ok and C# is a copy of Java, C++ and C filled with some annoyances here and there, but those could be found in every programming language I guess. A very positive thing, I must admit, is how all these different technologies can cooperate to create a working product. They work smoothly and in harmony (until they crash). But of course, whatever the product is, it will not run on any non-MS platform (sometimes it will, but it’s not MS that makes that feasible). As I said earlier, though, it’s great that the student can get his hands on all that stuff on his own machine at no charge.

But what does Microsoft get out of it? Do they really care about students’ education? Or do they care about gathering more and more users and developers, most of them in their early stages, around their own products? The latest MS program for providing products at no charge to educational institutions was announced in February 2008 by Bill Gates at Stanford University [1]. It is estimated that 35 million students in 11 countries [2] (I’d guess there are more today) will get access to MS products provided at no charge.

Imagine now how many of these 35 million students don’t know of the non-MS technologies. I would say most of them, and I think they would look into alternatives to MS if they really had to. But now MS keeps the business running in the usual dodgy way.

[1]: http://en.wikipedia.org/wiki/DreamSpark
[2]: http://www.webpronews.com/topnews/2008/02/19/microsoft-dreamspark-ignites-interest

E-mail format validation with JavaScript

Having a contact form on a website, I wanted to prevent, in an easy way and as far as possible, the user from entering an invalid e-mail address. I first thought of using a regular expression within the PHP script, but it would be better to display the error message on the form without reloading the page, so I chose JavaScript.

function checkForm(form) {
  // Basic e-mail shape: local part, "@", domain labels, then a 2-4 letter TLD (case-insensitive).
  var emailFormat = /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i;
  if (form.email.value == "") {
    document.getElementById('check').innerHTML = "Please fill in your e-mail.";
    form.email.focus();
    return false;
  } else if (form.email.value.search(emailFormat) == -1) {
    // search() returns -1 when the anchored pattern does not match the whole value
    document.getElementById('check').innerHTML = "Please fill in a valid e-mail.";
    form.email.focus();
    return false;
  }
  return true;
}

The regular expression accepts a normal e-mail format like foo@bar.com as well as something like foo_bar23@foo-bar19.com.

That piece of code is part of a bigger JavaScript function in which other statements check the other fields of the form for empty values. If the returned boolean is false, the form is not submitted and the appropriate error message is displayed.
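To see exactly where the pattern draws its line, here is the same regular expression as a grep ERE, added here and not part of the post, applied to the post’s two addresses plus some constructed edge cases it does not mention.

```shell
#!/bin/sh
# Added example, not from the post: the post's JavaScript pattern as a grep ERE so
# its accept/reject boundary can be probed from a terminal (grep -i mirrors the /i flag).
EMAIL_FORMAT='^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$'
nl='
'

# email_ok ADDRESS -> exit status 0 when the pattern matches, 1 otherwise.
# A value containing a newline is rejected outright: grep matches per line,
# whereas the JavaScript "$" anchors the end of the whole string.
email_ok() {
  case $1 in *"$nl"*) return 1 ;; esac
  printf '%s\n' "$1" | grep -Eiq "$EMAIL_FORMAT"
}

# email_verdict ADDRESS -> prints "accept" or "reject"
email_verdict() {
  if email_ok "$1"; then echo accept; else echo reject; fi
}

# Constructed addresses: the two from the post, then a missing TLD, a six-letter
# TLD (rejected by {2,4}), a doubled dot (slips through [A-Z0-9.-]+) and a space.
probe_samples() {
  for a in 'foo@bar.com' 'foo_bar23@foo-bar19.com' 'foo@bar' \
           'foo@bar.museum' 'foo@bar..com' 'foo bar@bar.com'; do
    printf '%-26s %s\n' "$a" "$(email_verdict "$a")"
  done
}
```

Whatever this check decides in the browser, the PHP handler still has to validate the address itself, since anyone posting the form directly skips the JavaScript entirely.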

Report SSH logins script

A quick script, run as a cron job, that mails each day’s successful and failed SSH login attempts:

#!/bin/bash
############################################################################
# Copyright (C) 2008  Panagiotis Kritikakos <panoskrt@gmail.com>           #
#                                                                          #
#    This program is free software: you can redistribute it and/or modify  #
#    it under the terms of the GNU General Public License as published by  #
#    the Free Software Foundation, either version 3 of the License, or     #
#    (at your option) any later version.                                   #
#                                                                          #
#    This program is distributed in the hope that it will be useful,       #
#    but WITHOUT ANY WARRANTY; without even the implied warranty of        #
#    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         #
#    GNU General Public License for more details.                          #
#                                                                          #
#    You should have received a copy of the GNU General Public License     #
#    along with this program.  If not, see <http://www.gnu.org/licenses/>. #
############################################################################

# Syslog pads single-digit days with a second space ("Mar  4"), so build
# today's prefix the same way before grepping for it.
month=$(date +%b)
day=$(date +%d)
if [ "$day" -lt 10 ]; then
  monthday="$month  ${day:1}"
else
  monthday="$month $day"
fi
hostname=$(hostname)
authlog=/var/lcfg/log/auth

# Use a private temporary file rather than "logs" in the current directory,
# which under cron is a predictable name in a directory others may write to.
logs=$(mktemp) || exit 1
trap 'rm -f "$logs"' EXIT

{
  echo "====================="
  echo "= Successful logins ="
  echo "====================="
  grep -e "$monthday" "$authlog" | grep -e "authentication succeeds" -e "session opened"
  echo "--------------------------------"
  echo "================================"

  printf "\n\n"

  echo "=================="
  echo "= Login failures ="
  echo "=================="
  grep -e "$monthday" "$authlog" | grep -e "authentication failure" -e "Failed password"
  echo "--------------------------------"
  echo "================================"
} > "$logs"

/usr/bin/Mail -s "Logs for $hostname" foo@bar.com < "$logs"
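The mail above lists every failed login line; when a brute-force run hits the machine that list gets long and it is the per-source counts you want. This added example (not part of the post’s script) summarises the "Failed password" lines per source address, using constructed log lines in sshd’s usual syslog form and the same month/day prefix the script builds.

```shell
#!/bin/sh
# Added example, not from the post: count "Failed password" lines per source
# address for one day, and flag sources above a threshold.
# Constructed sample log lines in sshd's syslog form; "Mar  4" carries the two
# spaces the post's script produces for days below 10.
SAMPLE_AUTH_LOG='Mar  4 09:12:01 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
Mar  4 09:12:03 host sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51236 ssh2
Mar  4 09:12:09 host sshd[2203]: Failed password for root from 192.0.2.10 port 51240 ssh2
Mar  4 09:15:44 host sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  4 09:16:02 host sshd[2212]: Accepted publickey for alice from 198.51.100.7 port 40023 ssh2
Mar  5 01:00:00 host sshd[2300]: Failed password for root from 192.0.2.10 port 51300 ssh2'

# failed_by_source MONTHDAY LOGTEXT -> one "COUNT SOURCE USER,USER,..." line per
# source address for that day, most failures first.
failed_by_source() {
  printf '%s\n' "$2" | awk -v md="$1" '
    index($0, md) == 1 && /Failed password for/ {
      # the user name is the field before "from", the address the one after it
      for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); user = $(i - 1); break }
      count[ip]++
      if (!seen[ip, user]++) users[ip] = users[ip] (users[ip] == "" ? "" : ",") user
    }
    END { for (ip in count) print count[ip], ip, users[ip] }' | sort -rn
}

# suspicious_sources MONTHDAY LOGTEXT THRESHOLD -> addresses with at least
# THRESHOLD failures that day, one per line
suspicious_sources() {
  failed_by_source "$1" "$2" | awk -v t="$3" '$1 >= t { print $2 }'
}

# Live use with the post's variables (not run here):
#   suspicious_sources "$monthday" "$(cat /var/lcfg/log/auth)" 5
```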