Network tools for a testing workstation

Installing and configuring network tools on our example Debian testing workstation/desktop machine

Author: Francesco Poli
Contact: invernomuto@paranoici.org
Version: 0.22
Copyright: Expat license
Notice:

Copyright (c) 2007-2023 Francesco Poli

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

About this document

Web form: HyperText Markup Language
Source form: reStructuredText
Web stylesheet: Cascading StyleSheets
Build directives: Makefile

Summary of previous episodes

In another document (HTML, reST) you saw how to configure the desktop environment on our example Debian testing workstation/desktop box. Now that you have a nice desktop, you can install and configure some useful network clients and servers.

Network configuration

The network should have been correctly configured during the installation process. You should just check that the first (IPv4) part of the /etc/hosts configuration file is:

$ head -n 2 /etc/hosts
127.0.0.1       localhost
127.0.1.1       $HOSTNAME

where $HOSTNAME is the name that was previously chosen for the machine.

Network clients

Some clients to access external services.

DNS client

Install a practical command-line DNS client:

# aptitude install bind9-host

SSH client

First of all install the OpenSSH client:

# aptitude install openssh-client

Then, you can generate a pair of SSH keys for your regular user:

$ ssh-keygen -t rsa

You'll be asked where the key should be saved: you can safely accept the default location (which is ~/.ssh/id_rsa). You'll have to choose a passphrase: think of a very good one (among other things, it should be different from any password you use) and type it twice, as requested.

Now, in order to remotely access a machine which has an SSH server up and running, you can use password-based authentication:

$ ssh remote.box.example

After entering the password for your account at remote.box.example, you'll be granted network access to the system [1].

However, for security reasons, remote.box.example administrators could have disabled password-based SSH authentication and only accept public-key-based authentication. If this is the case, you need to transfer a copy of your public key to remote.box.example and append it to the list of authorized keys for your user. Hence, copy ~/.ssh/id_rsa.pub to a USB stick (or use any other media or channel that can deliver your public key to the remote machine). Once your public key is copied to remote.box.example, you have to modify your ~/.ssh/authorized_keys file on the remote machine: first of all, if you have no ~/.ssh directory, create it and set appropriate permissions:

$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh

then create the ~/.ssh/authorized_keys file, if necessary:

$ touch ~/.ssh/authorized_keys

and append your public key to it:

$ chmod 600 ~/.ssh/authorized_keys
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 400 ~/.ssh/authorized_keys

After doing this, you can connect from your workstation to the remote machine by issuing the command:

$ ssh remote.box.example

and entering the passphrase for your private key on the local machine.

You can also use the SSH agent to hold your private key, so that you don't need to retype your passphrase so frequently. A practical way to do this requires that you type your passphrase when you start a Fluxbox session: install the following package:

# aptitude install ssh-askpass

and add the following lines at the beginning of your regular user's ~/.xsession file:

$ grep -i ssh ~/.xsession
# add my identity to the SSH agent
ssh-add < /dev/null

You may also enable compression in order to reduce the data transfer times, in case your network link is not too fast: just add the following stanza to your regular user's ~/.ssh/config file:

$ grep -B 1 Compression ~/.ssh/config
Host *
    Compression yes

In any case, it is recommended that you test data transfers and measure the times with and without compression, in order to check whether you actually gain anything.

A useful configuration enables server alive messages to keep an SSH session alive, even when there's no user activity for a while:

$ grep -B 2 Alive ~/.ssh/config
Host *
    Compression yes
    ServerAliveInterval 300
    ServerAliveCountMax 30

[1] Please note that the first time you connect to remote.box.example you will also be asked to confirm that you are sure about the authenticity of the remote host: in order to be safe, you can check the fingerprint against its known value (the fingerprint can be obtained by running the command ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the remote host).

IRC client

Install a good IRC client:

# aptitude install weechat-curses

and install its enhancement scripts:

# aptitude install weechat-scripts

Please note that some scripts require support for a given programming language (some require package weechat-python, or weechat-ruby, or weechat-lua, or...): if you want to use a given script, you should ensure that the appropriate support package is installed (possibly along with the language-specific libraries it needs).

WHOIS client

Install an intelligent WHOIS client:

# aptitude install whois

VPN client

If you need to connect to VPNs, you may find the following client useful:

# aptitude install openconnect

If you need to connect to Fortinet VPNs, you may issue the following command (as root):

# openconnect --prot=fortinet -u $VPNUSER $VPNSERVER

where $VPNUSER is the user name for the VPN on the $VPNSERVER server. Or you may want to install a specific client:

# aptitude install openfortivpn

and prepare a configuration file:

# cat > /etc/openfortivpn/$VPNNAME << EOF
host = $VPNSERVER
port = 443
username = $VPNUSER
EOF

and then issue the following command (as root):

# openfortivpn -c /etc/openfortivpn/$VPNNAME

Network servers

Servers are needed to provide services to other machines.

SSH server

Install the OpenSSH server:

# aptitude install openssh-server

and immediately stop the daemon until it is properly configured:

# service ssh stop

Now edit /etc/ssh/sshd_config so that it features the following non-comment lines:

# grep -v '^#\|^ *$' /etc/ssh/sshd_config
Include /etc/ssh/sshd_config.d/*.conf
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
StrictModes yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication no
PermitEmptyPasswords no
KbdInteractiveAuthentication no
UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
ClientAliveInterval 300
ClientAliveCountMax 150
AcceptEnv LANG LC_*
Subsystem       sftp    /usr/lib/openssh/sftp-server

Then, start the daemon:

# service ssh start
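An added check, not part of the original document, that audits an sshd_config against the hardening values in the listing above (PermitRootLogin, PasswordAuthentication, and so on), honouring sshd's rule that the first occurrence of a keyword wins and that later repeats are ignored. It assumes POSIX awk and sh; it does not follow Include lines (audit those files separately) and does not handle the keyword=value spelling.

```shell
#!/bin/sh
# Audit an sshd_config for the hardening directives used in the text.
# sshd takes the FIRST value of each keyword (later ones are ignored),
# matches keywords case-insensitively, and treats settings after a
# "Match" line as conditional, so parsing stops there.
# Usage: audit_sshd_config [FILE]   (default: /etc/ssh/sshd_config)

sshd_effective() {   # sshd_effective FILE KEYWORD -> first value, lowercased
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        tolower($1) == "match" { exit }         # conditional section: stop here
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

audit_sshd_config() {
    file=${1:-/etc/ssh/sshd_config}
    bad=0
    # Keyword=expected pairs, taken from the sshd_config listing in the text.
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no KbdInteractiveAuthentication=no \
                HostbasedAuthentication=no IgnoreRhosts=yes \
                PubkeyAuthentication=yes StrictModes=yes; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$file" "$key")
        if [ "$got" != "$want" ]; then
            # An unset keyword is a finding too: sshd's own default applies
            # (for example, PasswordAuthentication defaults to yes).
            echo "FAIL $key: want '$want', got '${got:-<unset, sshd default applies>}'"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ] && echo "OK: $file matches the hardening listing"
    return "$bad"    # number of failed checks, 0 when everything matches
}
```

Run it before `service ssh start`; `sshd -t` separately validates the file's syntax but says nothing about which values are in effect.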

Now, in order to access your workstation from a remote machine on your LAN, you have to copy the SSH public key you have in your account on the remote machine to the local workstation and append it to the list of authorized keys for your regular user. Hence, after copying your ~/.ssh/id_rsa.pub from the remote host to your local workstation, create your ~/.ssh/authorized_keys file on the local workstation:

$ touch ~/.ssh/authorized_keys
$ chmod 600 ~/.ssh/authorized_keys
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
$ chmod 400 ~/.ssh/authorized_keys
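The append-to-authorized_keys steps above, and the identical steps in the SSH client section, as one POSIX shell function; this is an added example, not part of the original document. It generalizes the listed commands: it refuses malformed key lines and never appends the same key twice, while applying the same 700/600/400 permissions. The key line used in the test is constructed, not a real key.

```shell
#!/bin/sh
# Append the public key(s) in KEYFILE to SSHDIR/authorized_keys, idempotently
# and with the permissions used in the text (700 on the directory, 400 on
# the file once done).  Usage: add_authorized_key KEYFILE [SSHDIR]
# SSHDIR defaults to ~/.ssh.
add_authorized_key() {
    keyfile=$1
    sshdir=${2:-"$HOME/.ssh"}
    authfile="$sshdir/authorized_keys"
    added=0

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -e "$authfile" ] || touch "$authfile"
    chmod 600 "$authfile"            # writable only while we append

    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments; refuse anything that is not
        # "<keytype> <base64> [comment]" so garbage never lands in the file.
        case $line in ''|'#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq \
            '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'; then
            echo "rejecting malformed key line starting with: ${line%% *}" >&2
            chmod 400 "$authfile"
            return 1
        fi
        # Exact whole-line match: the same key is never appended twice.
        if ! grep -qxF -- "$line" "$authfile"; then
            printf '%s\n' "$line" >> "$authfile"
            added=$((added + 1))
        fi
    done < "$keyfile"

    chmod 400 "$authfile"            # read-only again, as in the text
    echo "$added key(s) added to $authfile"
}
```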

Conclusions

Now you have some useful network tools installed and configured. Next step is configuring the system for e-mail handling. More details in a separate document (HTML, reST).