cmdowns | Posts: 100 | Thanked: 13 times | Joined on Mar 2008 | #31
Okay, I think I'm up and running with the whole enchilada now. I think Benson's recommendations regarding the settings on tightVNC

Originally Posted by Benson:
Double-click the tightVNC logo in the system tray to bring up the config dialog. On the Administration tab, there's a box with three checkboxes:

* Disable empty passwords
* Allow loopback connections
* Allow only loopback connections

The first one should be unchecked if you want to be able to use an empty password (not no password, just a password of zero length; there's a difference.). Doesn't really matter.

The second one must be checked. It's off by default, to spare you from VNCing into your console from your console (heap bad medicine), and resulting pointer freeze and such. But the way the ssh tunnel ends on the local machine means that the outcoming VNC connection is indeed a loopback connection, and we must allow that.

The third one blocks all normal connections; then all that can get through is screen-grabbing horrors (don't do those) and VNC tunneled connections. It's probably wise to enable this at some point, but not necessary.
were exactly what I needed to finally make the whole thing come together. After adjusting these settings as specified, I was able to establish the tunnel while working on my home network, and then VNC into the VNC server at 127.0.0.1:1

Then I left home and jumped onto a public wifi spot at a local cafe, replicating the above-mentioned process. Except this time, I connected to my router's WAN IP address. The port forwarding I had set up for the router worked and it sent the tunnel to the XP box's port 22.

Then I was able to VNC from my nokia to 127.0.0.1:1 and pull up the XP box's screen. It's worth mentioning that the VNC display was much slower when using the public wifi than when implementing the same process on my home wlan.

Now, in order to determine if my XP machine was at risk of random VNC clients accessing it through the WAN, I killed the ssh tunnel I had established which immediately killed the VNC session as well. Then I tried to establish a VNC session again (without first establishing an ssh tunnel).

Just to make sure, I first tried to VNC to 127.0.0.1:1 and obviously that didn't do anything (which is what I expected). Then I tried to VNC to the XP box's IP, and that didn't do anything (which I also expected, as the XP box's IP is isolated within my home wlan). Finally, I tried to VNC to my router's WAN IP address. This was the only one that I was truly concerned about, because it had the potential to forward the communication to my XP box's port 5900.

Luckily, that also didn't work. So can I assume that what jldiaz is describing:

Originally Posted by jldiaz:
Most likely anyone can connect to your XP box directly, unless your router is blocking port 5900. This is why it is a good idea to configure your VNC server either to ask for a password, or alternatively to accept only clients coming from localhost (i.e., in our case, coming from the ssh tunnel).
combined with my observations and experiences indicate that indeed my router does block port 5900? Is there a more definitive way to determine if my router is or is not blocking port 5900?

Also, I'm a little confused about what Benson said in post 29

Originally Posted by Benson:
I assume that's my.XP.box.IP:0 ? If it's a different display, then that would cause problems (you'd need to change which port you forward to).
Because I did use my.XP.box.IP:1 not my.XP.box.IP:0. And I thought the :1 was required because it is specified when I describe port 5901.

Since it seems like it's working, I would guess I'm doing it right. But if anyone sees an error I'm making, please tell me.

Now as far as this is concerned:

Originally Posted by jldiaz:
For example, you could have two secure LANs, but an insecure WAN connecting the two LANs. You can use ssh/sshd to provide a secure tunnel through the WAN, and thus allow secure communication between any machine on the first LAN and any machine on the second LAN.

The following convoluted example is not really necessary, but for the sake of completeness, let me elaborate it.

Let us assume that you have a secure LAN at your home, with two machines, with IPs 145.24.12.10 and 145.24.12.11. The first one is a Windows XP box on which you have installed Cygwin/sshd. The second one is an old Windows 98 box, without any ssh software installed, but with a VNC server running on display 0.

At your work, you have a secure LAN, in which there is your desktop PC, running Windows 2000, with IP 220.30.140.100. You have a VNC client on this PC, but no ssh software. You would like to connect this VNC client on the Windows 2000 machine with the VNC server of your Windows 98 PC at home. However, the insecure WAN connecting the two LANs is intimidating you...

Fortunately, you have your Nokia n810 with you, on which you have an ssh client installed. You connect your n810 to the LAN of your office (and it gets the IP 220.30.140.101), and then you use the ssh on your nokia to make a tunnel to your Windows 98 machine at home. Then, you connect the VNC client of your Windows 2000 machine through this tunnel, and you get the desired and secured connection.

How could this be done? I leave it as an exercise to the reader.. :-)
I'm going to need a little time to work through this one. Maybe I'll have an answer tonight.

Benson | Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007 | #32
Originally Posted by cmdowns:
Because I did use my.XP.box.IP:1 not my.XP.box.IP:0. And I thought the :1 was required because it is specified when I describe port 5901.
Hmmm... if you're redirecting with -L5901:localhost:5900, it should be 5900 on the server: so either 127.0.0.1:1 (through tunnel) or my.xp.box.ip:0 (direct) would work.

But it's working, so obviously I'm misunderstanding/ wrongly assuming some detail here.
Originally Posted by cmdowns:
Since it seems like it's working, I would guess I'm doing it right. But if anyone sees an error I'm making, please tell me.
Looks like you got it.

You might want to play with encodings to optimise speed on slow connections... Not sure how right off, though.

jldiaz | Posts: 48 | Thanked: 40 times | Joined on Apr 2008 @ Spain | #33
Originally Posted by cmdowns:
Okay, I think I'm up and running with the whole enchilada now. I think Benson's recommendations regarding the settings on tightVNC
Hurray!

Originally Posted by cmdowns:
[...] indeed my router does block port 5900? Is there a more definitive way to determine if my router is or is not blocking port 5900?
Hmm. When trying to connect directly to your XP, using your router IP, which display number are you specifying? Note that, in this case, you are willing to connect to port 5900, so the display number has to be :0

If you specified the display number :0, indeed, and the connection was not established, this is probably the effect of having specified the option "Allow only loopback connections" (which means "Allow only connections coming from localhost"). We still cannot draw a conclusion about whether your router is blocking port 5900 or not. Anyway, the fact is that nobody can directly connect to your VNC server, so in practical terms there is no difference: you are safe.

In order to definitely know if the router blocks the port 5900, you should uncheck the option "Allow only loopback connections", and try again this last test.

cmdowns | Posts: 100 | Thanked: 13 times | Joined on Mar 2008 | #34
Well, as the last component of this process, I tested the VNC's security over the public wifi. I think it's secure. Without using an SSH tunnel, I couldn't connect to anything by issuing my home network's IP:0. However, the settings on my XP box's VNC server have been set to allow loopback connections but do not specify allow only loopback connections.

I've just now changed the settings on the VNC server to allow only loopback connections. Sitting in front of the XP box, using my personal wlan, I can still get an ssh tunnel to my router's WAN IP, forwarded to 22 on the XP box, and there I can set up a VNC session to 127.0.0.1:1.

So, tomorrow morning I swing back by the cafe and try the setup through the public wifi again. If I can get that going (through the ssh tunnel) after I have changed the setting to allow only feedback loops, then I'll feel pretty confident that everything is working right and the system is reasonably secure.

morrison | Posts: 90 | Thanked: 5 times | Joined on Dec 2007 | #35
Now that you've successfully drained the knowledge out of everyone here, write up that wiki will ya!

cmdowns | Posts: 100 | Thanked: 13 times | Joined on Mar 2008 | #36
Okay, I'll start working on the wiki. But, in accord with my overall noobness, I don't know anything about writing wikis. So I'm gonna need some time to figure out how to do it right. Is there a wiki for making wikis?

cmdowns | Posts: 100 | Thanked: 13 times | Joined on Mar 2008 | #37
While doing some preliminary research for putting the wiki together, I ran across this page.

Actually, I had seen this page when I began this thread, but I didn’t understand it well. As you might imagine, it makes a lot more sense to me now. What caught my eye was the mention of a method of securing the SSH server against brute force attacks. I didn’t even know what a brute force attack is, but this is pretty self explanatory.

What is the opinion of the gurus regarding the potential threat of brute force attacks to an SSH server? It certainly seems possible for an automated assault to access my machine's port 22 by forcing an SSH tunnel through a brute force/dictionary style attack? How significant of a threat is this, and is the installation of something similar to DenyHosts something that should be included in our setup as it has thus far been described?

The wiki that I reference at the beginning of this post deals with establishing the ssh tunnel to an sshd server running on a Linux machine, and then establishing the VNC session through that tunnel. More or less identical to what we've been describing, except that we've been connecting to a machine with an XP OS. Likewise, DenyHosts is a Linux app. Is it possible to implement it in Cygwin? Or, is there something similar (or for that matter, something completely different) that will help to protect the system's port 22 against this type of attack?

Benson | Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007 | #38
Originally Posted by cmdowns:
What is the opinion of the gurus regarding the potential threat of brute force attacks to an SSH server? It certainly seems possible for a automated assault to access my machine's port 22 by forcing an SSH tunnel through a brute force/dictionary style attack? How significant of a threat is this and is the installation of something similar to DenyHosts something that should be included in our setup as it has thus far been described?
Well, DUH! (Not you, me.) I completely forgot about auth...


I had meant to suggest that you use public-key authentication, and disable password authentication. Then I forgot.

Yes, denyhosts actually looks like a pretty good idea, even with password auth disabled. One thing to think about: while different thresholds for valid/invalid users seems sane, given the differences in probability that it is a crack attempt, it does disclose information about valid usernames. This may be helpful to an attacker with multiple IPs, whether DHCP, AP roving, or a botnet.
Originally Posted by cmdowns:
The wiki that I reference at the beginning of this post deals with establishing the ssh tunnel to an sshd server running on a Linux machine, and then establishing the VNC session through that tunnel. More or less identical to what we've been describing, except that we've been connecting to a machine with an XP OS. Likewise, DenyHosts is a Linux app. Is it possible to implement it in Cygwin? Or, is there something similar (or for that matter, something completely different) that will help to protect the system's port 22 against this type of attack?
Specifically, it's a Python app. Cygwin has a Python interpreter, so it should work. Networking is a bit of an odd mix, but I think it should work. Worst case, you have to rig up a patch to Windows Firewall, but I think tcp_wrappers works.

But brute-forcing an RSA key is hard enough you don't really need denyhosts, as long as you forbid password auth.
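As an added example (not code from the thread, and not DenyHosts itself), here is the core of what a DenyHosts-style check does, run over constructed sshd auth-log lines: count failed password attempts per source address and flag sources over a threshold. It applies one threshold whether or not the account exists, which sidesteps the username disclosure Benson mentions.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd auth-log lines for this example (not from the thread).
# Addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
May  3 10:01:02 xpbox sshd[412]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May  3 10:01:04 xpbox sshd[413]: Failed password for invalid user oracle from 203.0.113.5 port 40130 ssh2
May  3 10:01:07 xpbox sshd[414]: Failed password for root from 203.0.113.5 port 40141 ssh2
May  3 10:01:09 xpbox sshd[415]: Failed password for cmd from 203.0.113.5 port 40150 ssh2
May  3 10:02:11 xpbox sshd[420]: Failed password for cmd from 198.51.100.7 port 51000 ssh2
May  3 10:02:30 xpbox sshd[421]: Accepted publickey for cmd from 198.51.100.7 port 51004 ssh2
May  3 10:03:00 xpbox sshd[430]: Failed password for invalid user test from 203.0.113.9 port 33000 ssh2
"""

# "invalid user" is present when the account does not exist on the box.
FAILED_RE = re.compile(
    r"Failed password for (?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def parse_failures(log_text):
    """Return (ip, user, account_is_invalid) for every failed password line."""
    found = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            found.append((m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return found

def offenders(log_text, threshold=3):
    """Source IPs with at least `threshold` failures. One threshold is applied
    whether or not the account exists, so the blocking decision itself does not
    reveal which usernames are valid."""
    counts = Counter(ip for ip, _user, _invalid in parse_failures(log_text))
    return sorted(ip for ip, n in counts.items() if n >= threshold)

def usernames_tried(log_text):
    """Usernames each source attempted, for reviewing a block decision afterwards."""
    tried = defaultdict(set)
    for ip, user, _invalid in parse_failures(log_text):
        tried[ip].add(user)
    return {ip: sorted(users) for ip, users in tried.items()}

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print(f"deny {ip} (tried {', '.join(usernames_tried(SAMPLE_LOG)[ip])})")
```

On a Cygwin sshd the lines to feed in come from wherever that sshd logs (syslog output or the Windows event log), and the deny action would be a hosts.deny entry or a firewall rule rather than the print above.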

cmdowns | Posts: 100 | Thanked: 13 times | Joined on Mar 2008 | #39
Can't... let... thread... die...

Benson, or anyone else reading who knows, can you give me a hint on how to disable password authentication for my ssh server?

Thanks
CMD

Benson | Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007 | #40
Got public-key auth going? Get that working first.
First promising Google result, no guarantees, but it looks sane. Make sure it works before proceeding.
Then, this guide may be helpful, ignoring the putty-specific bits (i.e. almost everything), but it's basically changing this line in /etc/sshd_config:
Code:
#PasswordAuthentication yes
to this:
Code:
PasswordAuthentication no
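As an added example (not from the thread or any linked guide), a small checker that reads an sshd_config the way sshd does and tells you whether the edit above actually took effect. The two config excerpts are constructed for this example; the point it adds is that a commented-out line only shows the default (still yes), that the first occurrence of a keyword wins, and that ChallengeResponseAuthentication also has to be no, or password prompts can still come through keyboard-interactive auth.

```python
# Constructed sshd_config excerpts for this example (not the thread's file).
BEFORE = """\
Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
"""
AFTER = """\
Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""
# Defaults sshd applies when a keyword is absent (commented lines only show them).
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

def effective_settings(config_text):
    """Read the global section of an sshd_config as sshd does: lines starting
    with '#' are comments, keywords are case-insensitive, and the FIRST
    occurrence of a keyword wins. Lines after a Match block are conditional,
    so parsing stops there."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key in DEFAULTS and key not in seen:
            settings[key] = parts[1].strip().lower() if len(parts) > 1 else ""
            seen.add(key)
    return settings

def audit(config_text):
    """Problems a reviewer would flag; an empty list means password logins
    are off and key logins are still possible."""
    s = effective_settings(config_text)
    problems = []
    if s["passwordauthentication"] != "no":
        problems.append("PasswordAuthentication still yes")
    if s["challengeresponseauthentication"] != "no":
        problems.append("ChallengeResponseAuthentication yes still permits password prompts")
    if s["pubkeyauthentication"] != "yes":
        problems.append("PubkeyAuthentication off: you would lock yourself out")
    return problems
```

Run audit() on the file before restarting sshd, and keep the existing session open until a fresh key-based login succeeds.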