A couple more SSH / VNC questions
First I'd like to thank, in general, the ITT forum community, and specifically all the helpful NIT gurus that have responded to my previous questions. I have learned a lot and made a lot of progress.
Anyway . . . What I want to do: Access my XP PC via my n800 when I am out and about and using public wifi. I would like to connect to the machine through a VNC client/server setup and be able to access GUI, Windows explore system, and various apps running on the XP machine. And I want to do this through an SSH so as to avoid all the nefarious predators lurking about the internets. What I've done so far: I have VNC viewer, x11VNC, and openssh installed on my n800. I have tightVNC, cygwin, and copSSh installed on my XP machine. I have connected my n800 as a VNC client to the XP VNC server on my home WLAN. I have also established a SSH tunnel (at least, I think that's what I did) from my n800 to the XP machine by going into xterm and entering the command "ssh username@external_ip_address" (where username and external_ip_address are the appropriate names for my setup). What my question/problem is: I don't know how to make these things work together. I'm assuming that once I have my tunnel open it's not simply a matter of firing up my VNC client and expecting the session to be secure. It would be awesome if that assumption is false. But if my assumption is correct, then I lack knowing what my next step is. So if any of you tech gurus could provide some guidance, I would gladly provide my first born and eternal gratitude.
Re: A couple more SSH / VNC questions
Could you please provide a description of your first born?
Re: A couple more SSH / VNC questions
Twins. So it's a bogo.
Re: A couple more SSH / VNC questions
When you invoke ssh on your NIT, do so including a tunnel description, such as:
-L5901:localhost:5901 This will open a tunnel on port 5901 on both ends (maybe you will want a different port on each end). This causes the ssh client on your tablet to listen for local connections on port 5901. Once the tunnel is established, you can VNC to localhost:1 and your traffic will run thru the secure tunnel.
Re: A couple more SSH / VNC questions
Thanks for the reply lethall.
Is it simply a matter of entering "ssh -L5901:local:5901" in xterm? I tried this, but I didn't get the impression that I accomplished anything. I'm totally missing something, aren't I?
Re: A couple more SSH / VNC questions
so, when you do
ssh -L5901:localhost:5901 user@targetIP you are connecting to your home computer at "targetIP" and at the same time have created a tunnel. This tunnel makes it so that connecting to your local computer (presumably Nokia), port 5901 will get forwarded to "localhost" port 5901 on the remote end (hence, the computer you logged into via ssh). Now, in VNC, you have to connect to the _NOKIA_ via "localhost", to VNC server :1 (the VNC server gets added to 5900 so this is in effect port 5901) Martin
Re: A couple more SSH / VNC questions
There are two different VNC apps on my n800, the VNC Viewer and the x11VNC. Which should I be using to accomplish what is described above? Thanks for all the help.
Re: A couple more SSH / VNC questions
Yes, tunnels are secure.
Use the VNC viewer (GUI) to connect to your (mobile client) end of the tunnel. If you have the VNC server listening at the other end, it will seem to that machine that the client is connecting locally. The x11vnc app is not required. Note that since the VNC server is a Windows machine - and Windows can only host one session (zero) - the real port at the server end is probably on port 5900 (ie server:0) That would be "-L5901:localhost:5900" Be sure your Windows machine knows what 'localhost' is... if not, you could use: "-L5901:127.0.0.1:5900"
Re: A couple more SSH / VNC questions
Someone please correct me if I am wrong.
Once I have the tunnel established between client and server, all I have to do is launch my VNC viewer and (as long as the VNC server is active at the server end) the VNC session will be secure? I guess I've been working under the assumption that there was something more to it. Is it really that easy?
Re: A couple more SSH / VNC questions
(I got your PM for help; it looks like you already got it, though?) |
Re: A couple more SSH / VNC questions
First, without involving ssh or tunnels: You have launched a VNC server on your XP box. This is a process which is listening on the port 5900+N, where N is the number of the display (usually 0 under windows, or 1 under linux, depending on the vncserver used). In your home lan, you can connect to this server using a VNC client, giving it the address: the.ip.of.your.windows.box:0 (where 0 is the display number). This causes the VNC client to connect with the port 5900+0 (=5900) of your windows box, where the VNC server is listening. Now, use ssh to create an encrypted tunnel: When you launch in your Nokia the command ssh -L5901:localhost:5900 user@the.ip.of.your.windows.box, the following occurs:
Then, you can launch your VNC client in the nokia, and when it asks you for the host to which to connect, you answer "localhost:1". Here "localhost" represents the nokia, since the VNC client is running in the Nokia. So the VNC client will try to connect to the port 5901 (5900+1) in the Nokia. At this port ssh is listening, and the traffic is forwarded to the process sshd in the Windows machine. There, sshd will forward it again to "localhost:5900" (here localhost represents the windows machine, since sshd is running in the windows machine). So the traffic finally arrives at the port 5900 in windows, where the VNC server is listening. All traffic between ssh and sshd is encrypted. The unencrypted traffic occurs locally, at two points: 1) in your Nokia, between the processes VNC client and ssh, 2) in your windows machine between the processes sshd and the VNC server. Confusing? Yes, it is... A diagram would be useful here... A final note: when your VNC client connects to your VNC server (through the ssh tunnel), it will probably ask you for a password (if you configured the server to do so). You can avoid this annoyance too, if you configure your server not to ask for passwords, and to accept only connections coming from localhost (I think it has a checkbox for this). If you combine this strategy with the use of ssh public keys, you can avoid typing any password at all in the whole process, and still have the maximum security.
Re: A couple more SSH / VNC questions
Wow. . .this is certainly the most interesting/challenging thing I worked through with the tablet so far. And doing this kind of stuff is precisely why I got the tablet in the first place.
Early on in this process, Benson referred me to this post. Now some of it makes sense. However, what doesn't is the reference to "Change the line in /usr/bin/x11vnc:" in step 1. I attempted to follow these directions, but was stymied early on by not being able to find x11vnc through xterm. I've downloaded it, installed it, and run it. I know it's on the nokia. But it isn't in /usr/bin (assuming that this is the /usr/bin in the root directory). I'd like to figure out a few more things: 1) What is the purpose of the above mentioned step 1? Is it truly necessary? 2) Does it matter that I was able to establish the ssh connection without following this step? 3) Why can't I find x11vnc? Is there a way to perform an automated search for something in xterm? 4) Am I correct in assuming that x11vnc is the vnc server app for my nokia? I've already managed to connect to the nokia vnc server via my XP VNC client (on my home WLAN). I did so by setting up an SSH between the two, running x11vnc in xterm and using the tightVNC viewer on my XP box. If I am correct in my assumption in 4), I would like to be able to locate x11vnc within xterm so I can tweak it if need be. And thanks to everyone who's contributed to the thread. You've all been a lot of help.
Re: A couple more SSH / VNC questions
And while people are still paying attention to this thread. . .I guess I need some more help establishing the ssh between my n800 and my XP box when I'm using the WAN (eg public wifi, not on my home network).
From what I can tell, I can set up the ssh between the n800 and the XP box and use VNC with no problem when I've got both devices on my home wlan. Of course, I don't really need to use an ssh on my personal wlan because it's protected by WPA. This morning, I tried to replicate the setup through the WAN. No luck. I'm thinking I need to tweak the settings on my router (D-Link DI-524). I used the router's browser page to set up a virtual server (which I understand is what D-Link call port forwarding) that is configured as so: [name] [my.XP.box's.IP] TCP 22/22 always Sooooo . . . this is where my ideas start to run out. If I want to ssh from the n800 to the XP box, do I ssh to the IP for the router or the XP box? I tried both options and neither worked, so there is probably some other problem as well. Does anyone know what I'm doing wrong?
Re: A couple more SSH / VNC questions
# find / -name x11vnc -print
Re: A couple more SSH / VNC questions
Oh, and if you can run a program (as indicated below), which will tell you where it is: Code:
which x11vnc
For remotely connecting from your N800 (out on the internet somewhere) to your PC (on a LAN behind a NAT with a port forward for SSH), you'll need to connect via the NAT's WAN-side IP.
Re: A couple more SSH / VNC questions
The purpose of x11vnc is to "capture" an existing X session in a linux box, and to "serve" the display through the VNC protocol. In the case of the n810, this means that you can see the screen of your Nokia, remotely, from any other computer, using a VNC client. The purpose of adding the -localhost option when launching x11vnc is to disallow access to your display from any external host. Only connections from localhost are allowed. This, apparently, goes against the objective of using VNC in the first place, but it makes sense when you plan to use ssh tunnels. Remember that, when the tunnel is properly configured, the connection to the VNC server does occur from localhost (from the sshd process). [See my previous post]
Re: A couple more SSH / VNC questions
Edited above. :o
Re: A couple more SSH / VNC questions
Okay, since everyone has been helpful I feel like I must come clean about one really dumb mistake I made. The reason I couldn't find x11vnc in xterm was simply because I didn't really understand how to change directories. I was working under the (wrong) assumption that if I was in root (/) I could cd to /usr, and then once in /usr I could simply enter "cd /bin", expecting that to drop me into cd/usr/bin.
Now I realize that was totally wrong. Of course telling xterm to cd /bin, it's going to change the directory to /bin. I'm sure there must be a way to cd [current dir]/[desired dir] without having to enter the full path. I just don't know what it is yet. So yes, x11vnc is in /usr/bin, just as Benson said it would be in the post I referenced earlier. Also, I'd like to apologize about the confusion regarding my desired goals. Indeed I started this thread explicitly stating that I wanted to figure out how to VNC from the nokia client to the XP server. However, as I began to understand how this works, I thought that I might as well figure out how to VNC in both directions. Everyone has been so helpful, I'm sorry if I've been obtuse about what I'm trying to do. From best I can tell, if I can figure out how to set up an SSH and VNC from my nokia client to my XP server (my primary interest), then I should be able to figure out how to do it from an XP client to the nokia server. I'm just interested in learning as much about accessing my network as possible. So when I was setting up the SSH before, I was doing so as so: ssh -L5901:localhost:5900 [name]@[XP.server's.actual.IP] Now according to this:
OK, from my limited knowledge, I know that 127.0.0.1 refers to the local address. Soooo. . .I'm guessing that the :01 part of 127.0.0.1:01 somehow tells VNC to go to the other end of the SSH tunnel. Does this sound right? For example: ssh -L5901:localhost:5900 [user]@[local.IP.address]:0 Is this correct? Do I add :0 because the other end of the tunnel is defined as :5900? Would I add :1 to the localhost if I defined it as :5901? OK, that's enough questions for now. If I ask too many in one post, I can't keep all the answers straight. Thanks for the help. You guys rock.
Re: A couple more SSH / VNC questions
Interesting thread, and will come in handy indeed.
Can someone tell me where I can download VNC client for the N810? And if anyone has ever heard of "Radmin" or Remote Administrator (www.famatech.com) is there any way to connect to a Windows box which is using this for remote control?
Re: A couple more SSH / VNC questions
When you specify the host 127.0.0.1:1 (or localhost:1 which is the same), the VNC client will try to connect with port 5901 of localhost, i.e. of the nokia.
Re: A couple more SSH / VNC questions
Code:
cd /usr
Code:
cd .
Code:
cd ../share
Warm colors designate data interpreted by ssh; cool colors designate data interpreted by sshd. (The ssh server, running on the machine you want to control.) Code:
ssh -Llocalport:forwardhost:forwardport user@remotehost
ssh makes a connection to remotehost, telling it your username is user (this controls what password to accept, and what UID processes you run will be, if you're doing that...). It sets itself up listening on localport, and forwards any connections made there through a tunnel to the remote machine, which will then try to make a connection to forwardport on forwardhost. Now you can skip this paragraph, if you don't care; it's just an example of how you might use some of these options; stuff relevant to the specific case under consideration is later: Suppose you have a LAN behind a NAT, with one computer exposed as a DMZ; further suppose that you (from out in the internet somewhere) want to access one of the other machines on the LAN. You can't get to it directly, but you can ssh into the DMZ. You can do Code:
ssh -Llocalport:insecure.host.lan:forwardport DMZlogin@NAT's.WAN.side.IP
So to forward traffic from port 5901 (local) to 5900 on your XP box, you want: Code:
ssh -L5901:127.0.0.1:5900 XP_username@NAT's.WAN.side.IP
This is much, much simpler, because VNC only deals with two machines; the client and the server. You use Code:
servername:display or port
servername is the server to connect to; since we want to connect to the near end of the tunnel, that'll be 127.0.0.1 Now the standard way of specifying a VNC display is with the display number; these start at 0. The actual port numbers used are allocated starting from 5900 for display 0, and go up as expected. But, if you put in a number like 5901 for the display, it's "helpful" enough to know that you couldn't mean display 5901, connecting on port 5900+5901 = port 11801, but must have meant port 5901. I don't remember at what cutoff it considers a number to be large; but that doesn't really matter. Since we just opened a tunnel at port 5901, subtract 5900, and it's display 1. So we need to tell VNC Viewer to connect to 127.0.0.1:1; 127.0.0.1:5901 would work, too, but is bad form. As in my previous post, you can wrap it all up with this shell script: Code:
#!/bin/sh
Re: A couple more SSH / VNC questions
I can't believe I'm still unclear about this.
From this explanation:
ssh -L5901:localhost:5900 [name]@127.0.0.1:1
What I'm confused about (well one of the things I'm confused about) is, how does my nokia find the XP box without specifying the XP box's IP?
Re: A couple more SSH / VNC questions
Please, talk amongst yourselves. No, really.
Re: A couple more SSH / VNC questions
Let's try again, this way with a picture (at the end of the post). For the sake of this example, assume that the IP of your XP box is 145.32.79.12, and the IP of your Nokia is 201.24.5.32 (you don't need this information, but anyway).
You run in XP the ssh server (called sshd) and the VNC server. Each of these processes opens a port with a well-known number. For sshd, the port number is 22, for VNC it is 5900 (plus the number of the display, but let us assume that it is zero). So, your windows machine has two open ports. If you have no firewalls, both ports would be accessible from the outside. From any computer in the world, anyone could connect to your port 22 for a ssh session (he would require a ssh client, such as the ssh in the nokia), or to your port 5900 for a VNC session (he would require a VNC client). You can establish both connections from your nokia. Using ssh, you can issue the command: ssh user@145.32.79.12, and this will make a connection between the ssh process in your nokia, and the port 22 of your XP machine (in which the sshd server is listening). You will be prompted for a password and then you will have access to a command-line shell which is run in your XP machine. You can control your XP machine via this shell. If you prefer to control it via its graphical interface, you can launch your VNC client and specify the host 145.32.79.12:0 This will connect your VNC client in your nokia with the port 5900 in your XP (in which the VNC server is listening). However, doing so, the data sent through the VNC protocol is unencrypted. But ssh has another functionality (in addition to allowing us to access a remote shell as described above). It can also create a "secure tunnel", thanks to its ability of forwarding ports. In order to use this functionality, the -L switch is used. This switch requires three parameters (separated by colons):
That is, if, in machine A the following command is issued: me@machineA:~$ ssh -L P1:machineC:P2 user@machineB Then, any traffic coming to port P1 in machineA would be redirected to the sshd process in machineB, which, in turn, will forward it to port P2 of machineC. The traffic between A and B is encrypted, but between B and C is not. In our case, B and C are both the WindowsXP server, and A is the nokia. Now, once the tunnel is set up, when we launch the VNC client in the nokia, instead of specifying 145.32.79.12:0 as host:display, we specify localhost:1, as if a vncserver were running in the nokia in the display 1. Of course, there is no such server. However, VNC is fooled into thinking this, so it will try to connect to port 5901 of the Nokia. In this port ssh is listening (due to the -L option), and this request is forwarded to sshd in the XP box, which in turn translates it into a connection to the port 5900 of the XP box. Here is the VNC server, so the VNC client finds indeed a VNC server, only that (without it knowing it), it is not in the nokia, at localhost. The VNC client only talks with the local process ssh, which it takes for a VNC server. Similarly, from the viewpoint of the VNC server in XP, a connection from a client has been received, but this connection was coming from the XP machine itself (sshd process), so VNC is "thinking" that the client is running in localhost (the XP). The VNC server knows nothing about the existence of the Nokia client. The VNC server only "talks" with the local process sshd, which it takes for a VNC client. This way, the ssh protocol is fooling the two ends of the communication, pretending that it is the other end. The picture should make this clear. I hope so :-) http://www.atc.uniovi.es/~jdiaz/Tunnel.png
Re: A couple more SSH / VNC questions
Hello again. I just wanted to write a quick post to say that I am still studying this thread. I appreciate all the helpful contributions and would like to specifically thank Benson and jldiaz for their amazing explanations.
I am learning a great deal here. I feel that the willingness of the folks here in forum (especially the aforementioned users) really demonstrates the true spirit of the open source philosophy and the things that made the internet great for sharing knowledge among users. I am going to study the recent posts more closely and try to formulate some intelligent question which I will, hopefully, post tonight. In fact, does anyone think maybe I should compile the info in this thread for a wiki entry?
Re: A couple more SSH / VNC questions
Yes, wiki entry sounds great! There is a lot of really good info here. Thanks to everyone.
Re: A couple more SSH / VNC questions
Thanks again to everyone for contributing to this thread. I'm learning a lot.
Okay, what jldiaz wrote really has started to make all this info come together for me. It particularly clarifies what Benson meant when he said
The command ssh -L5901:localhost:5900 user@my.XP.box's.IP instructs the ssh client on my nokia to contact the sshd server on the XP box through port 22, they shake hands and use their mutual keys to identify each other and establish a secure tunnel over port 22. The -L is the switch function that creates the secure tunnel through the process of port forwarding. The 5901 (immediately following the -L) refers to the port on my nokia which is listening to the nokia's VNC client and sending what it gets through the nokia's port 22 to the XP box's port 22 where the sshd server picks it up and then sends it through the XP box's port 5900 to the VNC server. localhost (immediately following 5901: ) refers to the sshd server on the XP box that is listening through the XP box's port 22. 5900 refers to the port on my XP box where it receives info from the sshd server (the info it gets from the ssh client through port 22) and transmits that info to the VNC server on the XP machine. user refers to the account that one wishes to access on the machine at my.XP.box's.IP. Finally, I think I understand this. But for some reason I can't make it work. I can set up the ssh session. xterm takes the command, and then prompts me with the CLI prompt appropriate for the Cygwin terminal. It really seems like the session is set up appropriately. But VNC won't do anything with 127.0.0.1:1 I can connect to the XP box's VNC server directly at my.XP.box's.IP.address But that's not what we're shooting for. If my ssh client is listening to the VNC client on 5901, then it should be able to send the VNC info through port 22 to the sshd server which can send it through port 5900 to the VNC server. Could this be a problem with my router? I've tried setting up port forwarding, but I can't make anything work. But that doesn't seem right.
If I can connect the ssh between the nokia and the XP box on port 22, and I can connect the VNC between the nokia and the XP box on port 5901, then how could the router interfere with the nokia's port 5900 ability to talk to the nokia's port 22 to talk to the xp box's port 22 which finally sends it to the XP box's 5900. Or could it be the router? And if I can connect to the VNC server, directly, and insecurely, does that mean that any damn computer on the internet with a VNC client can connect to my XP box directly and insecurely? Or does it just work for me because my nokia and XP box happen to be on the same wlan. So I guess this thread can keep going if everyone's still game. I certainly won't be able to post that wiki until I work through this problem and make this work properly.
Re: A couple more SSH / VNC questions
The most likely explanation at the moment seems to be that your XP box's VNC is not set up right. If that's the case, you're in luck, cause we're both running tightVNC. I should be able to point you exactly to the relevant settings: Double-click the tightVNC logo in the system tray to bring up the config dialog. On the Administration tab, there's a box with three checkboxes:
The second one must be checked. It's off by default, to spare you from VNCing into your console from your console (heap bad medicine), and resulting pointer freeze and such. But the way the ssh tunnel ends on the local machine means that the incoming VNC connection is indeed a loopback connection, and we must allow that. The third one blocks all normal connections; then all that can get through is screen-grabbing horrors (don't do those) and VNC tunneled connections. It's probably wise to enable this at some point, but not necessary. Those are the only relevant options I'm aware of. G'luck in your struggles!
Re: A couple more SSH / VNC questions
For example, you could have two secure LANs, but an insecure WAN connecting the two LANs. You can use ssh/sshd to provide a secure tunnel through the WAN, and thus allow a secure communication between any machine on the first LAN and any machine on the second LAN. The following convoluted example is not really necessary, but for the sake of completeness, let me elaborate it. Let us assume that you have a secure LAN at your home, with two machines, with IPs: 145.24.12.10 and 145.24.12.11. The first one is a WindowsXP in which you have installed Cygwin/sshd. The second one is an old Windows98, without any ssh software installed, but with a VNC server running on display 0. At your work, you have a secure LAN, in which is your desktop PC, running Windows2000, with IP 220.30.140.100. You have a VNC client in this PC, but no ssh software. You would like to connect this VNC client in the Windows2000 machine with the VNC server of your Windows98 PC, at home. However, the insecure WAN connecting the two LANs is intimidating you... Fortunately, you have your Nokia n810 with you, in which you have a ssh client installed. You connect your n810 to the LAN of your office (and it gets the IP 220.30.140.101), and then you use the ssh in your nokia to make a tunnel to your Windows98 machine at home. Then, you connect the VNC client of your Windows2000 through this tunnel, and you get the desired and secured connection. How could this be done? I leave it as an exercise to the reader.. :-)
Re: A couple more SSH / VNC questions
Okay, I think I'm up and running with the whole enchilada now. I think Benson's recommendations regarding the settings on tightVNC
Then I left home and jumped onto a public wifi spot at a local cafe, replicating the above mentioned process. Except this time, I connected to my router's WAN IP address. The port forwarding I had set up for the router worked and it sent the tunnel to the XP box's port 22. Then I was able to VNC from my nokia to 127.0.0.1:1 and pull up the XP box's screen. It's worth mentioning that the VNC display was much slower when using the public wifi than when implementing the same process on my home wlan. Now, in order to determine if my XP machine was at risk of random VNC clients accessing it through the WAN, I killed the ssh tunnel I had established which immediately killed the VNC session as well. Then I tried to establish a VNC session again (without first establishing an ssh tunnel). Just to make sure, I first tried to VNC to 127.0.0.1:1 and obviously that didn't do anything (which is what I expected). Then I tried to VNC to the XP box's IP, and that didn't do anything (which I also expected, as the XP box's IP is isolated within my home wlan). Finally, I tried to VNC to my router's WAN IP address. This was the only one that I was truly concerned about, because it had the potential to forward the communication to my XP box's port 5900. Luckily, that also didn't work. So can I assume that what jldiaz is describing:
Also, I'm a little confused about what Benson said in post 29
Since it seems like it's working, I would guess I'm doing it right. But if anyone sees an error I'm making, please tell me. Now as far as this is concerned:
Re: A couple more SSH / VNC questions
But it's working, so obviously I'm misunderstanding/wrongly assuming some detail here.
You might want to play with encodings to optimise speed on slow connections... Not sure how right off, though.
Re: A couple more SSH / VNC questions
If you specified the display number :0, indeed, and the connection was not established, this is probably the effect of having specified the option "Allow only loopback connections" (which means "Allow only connections coming from localhost"). We still cannot draw a conclusion about whether your router is blocking port 5900 or not. Anyway, the fact is that nobody can directly connect to your VNC server, so in practical terms there is no difference: you are safe. In order to definitely know if the router blocks port 5900, you should uncheck the option "Allow only loopback connections", and try this last test again.
Re: A couple more SSH / VNC questions
Well as the last component of this process, I tested the VNC's security over the public wifi. I think it's secure. Without using an SSH tunnel, I couldn't connect to anything by issuing my home network's IP:0. However the settings on my XP box's VNC server have been set to allow loopback connections but do not specify allow only loopback connections.
I've just now changed the settings on the VNC server to allow only loopback connections. Sitting in front of the XP box, using my personal wlan, I can still get an ssh tunnel to my router's WAN IP, forwarded to 22 on the XP box, and there I can set up a VNC session to 127.0.0.1:1. So, tomorrow morning I swing back by the cafe and try the setup through the public wifi again. If I can get that going (through the ssh tunnel) after I have changed the setting to allow only feedback loops, then I'll feel pretty confident that everything is working right and the system is reasonably secure.
Re: A couple more SSH / VNC questions
Now that you've successfully drained the knowledge out of everyone here, write up that wiki will ya! ;)
Re: A couple more SSH / VNC questions
Okay, I'll start working on the wiki. But, in accord with my overall noobness, I don't know anything about writing wikis. So I'm gonna need some time to figure out how to do it right. Is there a wiki for making wikis?
What about brute force attacks on port 22?
While doing some preliminary research for putting the wiki together, I ran across this page.
Actually, I had seen this page when I began this thread, but I didn't understand it well. As you might imagine, it makes a lot more sense to me now. What caught my eye was the mention of a method of securing the SSH server against brute force attacks. I didn't even know what a brute force attack is, but this is pretty self explanatory. What is the opinion of the gurus regarding the potential threat of brute force attacks to an SSH server? It certainly seems possible for an automated assault to access my machine's port 22 by forcing an SSH tunnel through a brute force/dictionary style attack? How significant of a threat is this and is the installation of something similar to DenyHosts something that should be included in our setup as it has thus far been described? The wiki that I reference at the beginning of this post deals with establishing the ssh tunnel to an sshd server running on a Linux machine, and then establishing the VNC session through that tunnel. More or less identical to what we've been describing, except that we've been connecting to a machine with an XP OS. Likewise, DenyHosts is a Linux app. Is it possible to implement it in Cygwin? Or, is there something similar (or for that matter, something completely different) that will help to protect the system's port 22 against this type of attack?
Re: What about brute force attacks on port 22?
I had meant to suggest that you use public-key authentication, and disable password authentication. Then I forgot. :o Yes, denyhosts actually looks like a pretty good idea, even with password auth disabled. One thing to think about: while different thresholds for valid/invalid users seems sane, given the differences in probability that it is a crack attempt, it does disclose information about valid usernames. This may be helpful to an attacker with multiple IPs, whether DHCP, AP roving, or a botnet.
But brute-forcing an RSA key is hard enough you don't really need denyhosts, as long as you forbid password auth.
Re: A couple more SSH / VNC questions
Can't. . . let . . .thread. . .die. . .
Benson, or anyone else reading who knows, can you give me a hint on how to disable password authentication for my ssh server? Thanks CMD
Re: A couple more SSH / VNC questions
Got public-key auth going? get that working first.
First promising Google result, no guarantees, but it looks sane. Make sure it works before proceeding. Then, this guide may be helpful, ignoring the putty-specific bits (i.e. almost everything), but it's basically changing this line in /etc/sshd_config: Code:
#PasswordAuthentication yes
Code:
PasswordAuthentication no
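Two checks go with the brute-force question above and Benson's sshd_config change: confirm that the edit actually took effect, and count failed password attempts per source address the way DenyHosts does before it blocks anyone. This is an added example in plain sh, not DenyHosts and not code from anyone in the thread. The sshd_config excerpt and the log lines inside it are constructed for the example; the "Failed password for ... from ..." wording is OpenSSH's own. Where the messages end up depends on the host (a syslog file on Linux; a Cygwin sshd on XP typically logs to the Windows event log), so the functions read whatever you feed them on stdin.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for the sshd end of the
# tunnel once password logins are switched off. The config excerpt and the
# log lines below are constructed; the "Failed password" message text is
# OpenSSH's standard wording.

# Effective value of a keyword in sshd_config, read from stdin. sshd uses the
# FIRST uncommented occurrence of a keyword, so appending
# "PasswordAuthentication no" at the bottom does nothing if an uncommented
# "PasswordAuthentication yes" sits above it. (Match blocks are ignored here.)
effective_setting() {
    awk -v key="$1" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    '
}

# Source addresses with at least $1 "Failed password" lines in the log on
# stdin, printed as "ip count". This is the counting DenyHosts does before
# it blocks an address.
failed_password_sources() {
    awk -v min="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }
    ' | sort
}

# Constructed sample data: a config where the fix was appended too late, and
# a few log lines from one dictionary run plus one legitimate key login.
SAMPLE_CONFIG='# constructed sshd_config excerpt
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no'

SAMPLE_LOG='Jan 12 03:14:15 xpbox sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Jan 12 03:14:17 xpbox sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40123 ssh2
Jan 12 03:14:19 xpbox sshd[1205]: Failed password for root from 198.51.100.7 port 40124 ssh2
Jan 12 03:20:01 xpbox sshd[1210]: Failed password for cmd from 203.0.113.9 port 51000 ssh2
Jan 12 03:21:44 xpbox sshd[1212]: Accepted publickey for cmd from 203.0.113.44 port 52000 ssh2'

# Report on the sample config. Returns 1 when password auth is still on.
check_sample_config() {
    pw=$(printf '%s\n' "$SAMPLE_CONFIG" | effective_setting PasswordAuthentication)
    if [ "$pw" = no ]; then
        echo "ok: password authentication is off"
        return 0
    fi
    echo "WARN: password authentication is '$pw' (first occurrence wins)"
    return 1
}

check_sample_config || true
echo "addresses with 3 or more failed passwords:"
printf '%s\n' "$SAMPLE_LOG" | failed_password_sources 3
```

To run the checks against the real thing, replace the two printf pipelines with `effective_setting PasswordAuthentication < /etc/sshd_config` and the log source of your host; the sample is there so the script runs offline. Note that once password auth is really off, the log entries for a dictionary run change to key or "no supported authentication methods" failures, so a threshold on "Failed password" alone stops seeing them.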