HowTo Limit Remote Access To "ssh" Connections: Difference between revisions

From MediaWiki
Revision as of 10:53, 28 February 2010

Overview

In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (such as X or VNC) or to wrap these insecure protocols within a secure networking layer such as an ssh tunnel or VPN.

The goal of this "HowTo" is to:

  • Demonstrate how to disable port 443 (https), thus limiting access to the NST system to port 22 (ssh).
  • Securely access the NST WUI using an ssh tunnel through port 22.
  • Securely run X applications across an ssh tunnel through port 22.
  • Securely run a VNC session across an ssh tunnel through port 22.


Disabling Remote HTTPS Access

The following commands will disable the httpd service from listening on port 443 for remote connections:

cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.disable
service httpd restart

After running the above commands, you should be able to use the netstat command to verify that port 443 is no longer open.

[root@dhcp150 conf.d]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      2758/httpd          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1451/sshd           
tcp        0      0 192.168.20.201:22           192.168.20.2:49514          ESTABLISHED 2710/0              
tcp        0      0 :::22                       :::*                        LISTEN      1451/sshd           
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1222/dhclient       

The above output indicates that port 22 is the only IPv4 TCP port listening for outside connections (0.0.0.0:22 in the Local Address column); the remaining httpd listener is bound to 127.0.0.1 and so is only reachable from the NST system itself, which is exactly what the ssh tunnel described below will use.

You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to https://192.168.20.201/ (change the IP address to match the address of your NST system). The connection should be refused.
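The netstat check above can be scripted so that it fails loudly whenever anything other than sshd is reachable from outside. The script below is an added example, not part of the NST page or the NST project: it parses netstat -tunap output (the column layout shown above) and lists every TCP listener bound to a non-loopback address, and only_ssh_exposed succeeds when that list is exactly port 22. The two embedded samples are constructed: the first copies the post-change output above, the second adds a port 443 listener to stand in for the state before ssl.conf was disabled.

```shell
#!/bin/sh
# Added example (not from the NST page): check that no TCP service other than
# sshd (port 22) is listening on a non-loopback address.
# Input: output of "netstat -tunap" on stdin, in the column layout shown on this page.

# Print the ports of TCP listeners bound to something other than 127.0.0.1 / ::1,
# one per line, sorted and de-duplicated (an IPv4 and an IPv6 listener on the
# same port count once).
exposed_tcp_listeners() {
    awk '$1 == "tcp" && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        # "0.0.0.0" and "::" are wildcards; only the two loopback forms are
        # private to the host
        if (host != "127.0.0.1" && host != "::1") print port
    }' | sort -n | uniq
}

# Succeed (exit 0) only when port 22 is the sole exposed TCP listener.
only_ssh_exposed() {
    [ "$(exposed_tcp_listeners)" = "22" ]
}

# Constructed sample: the netstat output shown on this page after ssl.conf was disabled.
SAMPLE_AFTER='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      2758/httpd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1451/sshd
tcp        0      0 192.168.20.201:22           192.168.20.2:49514          ESTABLISHED 2710/0
tcp        0      0 :::22                       :::*                        LISTEN      1451/sshd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1222/dhclient'

# Constructed sample of the same host before the change, with httpd still on 443.
SAMPLE_BEFORE="$SAMPLE_AFTER
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      2758/httpd"

if [ "${1:-}" = "--live" ]; then
    # Check the real listener table of the machine this runs on
    netstat -tunap | only_ssh_exposed && echo "OK: only port 22 exposed" \
        || echo "WARNING: exposed ports: $(netstat -tunap | exposed_tcp_listeners | tr '\n' ' ')"
else
    echo "before: $(printf '%s\n' "$SAMPLE_BEFORE" | exposed_tcp_listeners | tr '\n' ' ')"
    echo "after:  $(printf '%s\n' "$SAMPLE_AFTER" | exposed_tcp_listeners | tr '\n' ' ')"
fi
```

Run it with --live on the NST system to test the real listener table. It deliberately looks at TCP only (the dhclient UDP socket on port 68 is ignored), and systems that ship ss instead of netstat print a different column layout, so the field numbers in the awk program would need adjusting there.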

Using "ssh" To Access The System

The command shown below will establish an ssh connection (through port 22) to the NST system with the IP address 192.168.20.201:

ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201

The command line shown enables secure access to the following:

  • Launching X-based applications (such as firefox) on the NST system and having them display on your system (your system must be running an X server).
  • Access to the NST WUI via: http://127.0.0.1:8000.
  • Access to an NST VNC session via: http://127.0.0.1:5806 (you'll need to set up the VNC session first).
  • Access to an NST VNC session via: vncviewer 127.0.0.1:6

To avoid a lot of typing, the information above can be added to your ~/.ssh/config file as a host entry.

Host nst-tunnels
    # Change to the IP address of your NST system
    HostName 192.168.20.201
    User root
    ForwardX11 yes
    # Tunnel access to the NST WUI
    LocalForward 8000 127.0.0.1:80
    # Tunnel access to the VNC web server for display :6 (optional)
    LocalForward 5806 127.0.0.1:5806
    # Tunnel access to VNC for display :6
    LocalForward 5906 127.0.0.1:5906
    # Add the following if you will be running a VNC listener on your client system
    # NOTE: Only one client connection will be able to claim port 5500 on the NST system
    RemoteForward 5500 127.0.0.1:5500

Once the configuration has been created, you can simply run:

ssh nst-tunnels
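Forwarded ports are only as private as their bind address: ssh binds LocalForward and RemoteForward listeners to loopback unless the entry names a bind address such as * or 0.0.0.0, or GatewayPorts is turned on, and in either case the WUI and VNC tunnels become reachable from any host that can reach your client. The script below is an added example, not from the NST page or project; it lints an ssh_config host entry for exactly those two mistakes (both the Key Value and the Key=Value spellings are accepted, as ssh does). Both embedded entries are constructed: the first mirrors the nst-tunnels entry above, the second is the same entry with a wildcard bind address and GatewayPorts enabled.

```shell
#!/bin/sh
# Added example (not from the NST page): lint a ~/.ssh/config host entry so that
# every tunnel endpoint stays bound to the loopback interface.

# Read ssh_config text on stdin; print one WARN line per risky directive.
lint_tunnel_config() {
    awk '
    {
        sub(/#.*/, "")                 # drop comments
        sub(/^[ \t]+/, "")             # drop leading indentation
        sub(/=/, " ")                  # accept Key=Value as well as Key Value
        if ($0 == "") next
        split($0, f, " ")              # default whitespace splitting
        key = tolower(f[1])            # ssh_config keywords are case-insensitive
        if (key == "localforward" || key == "remoteforward") {
            spec = f[2]                # [bind_address:]port
            m = split(spec, p, ":")
            if (m > 1) {
                port = p[m]
                bind = substr(spec, 1, length(spec) - length(port) - 1)
                if (bind != "localhost" && bind != "127.0.0.1" && bind != "[::1]")
                    printf "WARN: %s port %s binds to %s, reachable from other hosts\n", f[1], port, bind
            }
        } else if (key == "gatewayports" && tolower(f[2]) != "no") {
            printf "WARN: GatewayPorts %s exposes every forwarded port\n", f[2]
        }
    }'
}

# Exit 0 when the configuration produces no warnings, 1 otherwise.
tunnel_config_ok() {
    [ -z "$(lint_tunnel_config)" ]
}

# Constructed sample 1: the host entry shown on this page (loopback-only, expected clean).
SAFE_CONFIG='Host nst-tunnels
    HostName=192.168.20.201
    User=root
    ForwardX11=yes
    LocalForward=8000 127.0.0.1:80
    LocalForward=5806 127.0.0.1:5806
    LocalForward=5906 127.0.0.1:5906
    RemoteForward=5500 127.0.0.1:5500'

# Constructed sample 2: the same entry with two mistakes that expose the tunnels.
RISKY_CONFIG='Host nst-tunnels
    HostName 192.168.20.201
    User root
    GatewayPorts yes
    LocalForward *:8000 127.0.0.1:80
    LocalForward 5906 127.0.0.1:5906'

printf '%s\n' "$RISKY_CONFIG" | lint_tunnel_config
# To lint your own file: lint_tunnel_config < ~/.ssh/config
```

The same rule applies to the one-line ssh command earlier on this page: -L 8000:127.0.0.1:80 binds the local end to loopback, whereas -L *:8000:127.0.0.1:80 would offer the NST WUI to your whole network.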

Accessing The NST WUI Through The Tunnel

Once you've established the ssh connection, accessing the NST WUI is simple: point your browser at the following link and log in as you normally would.

http://127.0.0.1:8000/


Running X Applications Through The Tunnel

Requirements

In order to project X applications from the remote NST system back to your system, your system must be running an X server.

Linux Clients
You simply need to log into an X desktop environment (GNOME, KDE, Xfce, Fluxbox, ...). Open up a Terminal and ssh to your NST system.
Mac OS X
You simply need to log in; support for launching X applications is built in. Open up a Terminal and ssh to your NST system.
Windows
This is a bit more difficult, as you will need to set up an X server. We suggest that you visit the http://www.cygwin.com/ site for details on setting up an X environment under Windows.

Because the X applications are tunneled via ssh, they appear as though you are running a local X application within your desktop environment. This means that your system does NOT need to be configured to permit direct TCP connections to the X server. Also, you don't need to worry about the xhost command, as the applications will appear as local applications to your X server.

Verifying X Connection

When you established your ssh connection by logging into the NST system using ssh, a secure tunnel was established such that your client system can be used as the X server for applications launched on the NST system (when you run something like firefox on the NST system, the actual application will appear on your client machine).

To verify that X support was enabled, echo the value of your DISPLAY environment variable as shown below:

[root@dhcp150 ~]# echo $DISPLAY
localhost:10.0

This indicates that sshd on the NST system is listening for connections to port 6010 on localhost and forwarding them back to the X server on your system. You can use the netstat command to verify this:

[root@dhcp150 ~]# netstat -tunap | grep 6010
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                  LISTEN      2798/0
tcp        0      0 ::1:6010                    :::*                        LISTEN      2798/0

NOTE: The display chosen will vary. In the above example, display 10 (port 6010) was chosen, but this can change.
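The two manual checks above (echo $DISPLAY, then netstat for the matching port) can be combined into one script that also reports why a check failed. The following is an added example, not from the NST page or project: x11_port_from_display maps localhost:N.S to TCP port 6000+N, and check_x11_forward reads netstat -tunap output and confirms that a listener exists on that port and is bound only to 127.0.0.1 or ::1. The netstat samples are constructed; the first reproduces the output above, the second shows the same port bound to 0.0.0.0, which is what you would see if sshd's X11UseLocalhost option were set to no.

```shell
#!/bin/sh
# Added example (not from the NST page): validate an ssh-forwarded DISPLAY and
# confirm that the listener sshd opened for it is bound to loopback only.
# check_x11_forward: $1 = DISPLAY value, stdin = output of "netstat -tunap".
# Exit codes: 0 ok, 1 DISPLAY unset, 2 DISPLAY is not an ssh-forwarded display,
#             3 no TCP listener on the display port, 4 listener not bound to loopback.

# Map "localhost:10.0" to TCP port 6010 (6000 + display number). Prints nothing
# for values that are not in the localhost:N[.S] form ssh uses, e.g. ":0".
x11_port_from_display() {
    printf '%s\n' "$1" | awk -F: '
        NF == 2 && $1 == "localhost" && $2 ~ /^[0-9]+(\.[0-9]+)?$/ {
            split($2, d, ".")
            print 6000 + d[1]
        }'
}

check_x11_forward() {
    display="$1"
    [ -n "$display" ] || return 1
    port="$(x11_port_from_display "$display")"
    [ -n "$port" ] || return 2
    # Local addresses of TCP listeners on that port, one per line
    addrs="$(awk -v p="$port" '$1 == "tcp" && $6 == "LISTEN" && $4 ~ (":" p "$") { print $4 }')"
    [ -n "$addrs" ] || return 3
    # Strip the port; any remaining address that is not loopback is a problem
    if printf '%s\n' "$addrs" | sed "s/:$port\$//" | grep -qvE '^(127\.0\.0\.1|::1)$'; then
        return 4
    fi
    return 0
}

# Constructed sample reproducing the netstat output shown on this page.
NETSTAT_OK='tcp        0      0 127.0.0.1:6010              0.0.0.0:*                  LISTEN      2798/0
tcp        0      0 ::1:6010                    :::*                        LISTEN      2798/0'

# Constructed sample of the same port bound to all interfaces (sshd with X11UseLocalhost no).
NETSTAT_EXPOSED='tcp        0      0 0.0.0.0:6010                0.0.0.0:*                  LISTEN      2798/0'

if printf '%s\n' "$NETSTAT_OK" | check_x11_forward "localhost:10.0"; then
    echo "X11 forward OK on port $(x11_port_from_display localhost:10.0)"
fi
# On the NST system itself: netstat -tunap | check_x11_forward "$DISPLAY"; echo $?
```

Exit code 2 is the one you will see most often in practice: it means DISPLAY points at a local X server or is set to something other than localhost:N, which usually indicates that ssh was started without -X / ForwardX11 or that xauth is missing on the NST side.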

From The Command Line

Running an X application through the tunnel from the command line is trivial. You simply run the command that you would like to have projected from the NST system back to your system. For example, to bring up an xterm, run the following from your ssh login prompt:

[root@dhcp150 ~]# xterm &
[1] 3040
[root@dhcp150 ~]# 

If things are working correctly, it really is this simple and you should see an xterm appear on your desktop.

From The NST WUI

If you would like to use the NST WUI to launch X applications, it involves the following steps:

  • Determining what the DISPLAY variable should be set to for your NST WUI session.
  • Setting the DISPLAY variable for your NST WUI session.

To determine what the DISPLAY variable should be set to, run the following command from your ssh connection:

[root@dhcp150 ~]# echo $DISPLAY
localhost:10.0

To set the DISPLAY variable for your NST WUI session:

  • Select the X|Launch X Window Application page from the menu bar on the NST WUI interface. This should take you to the page: http://127.0.0.1:8000/nstwui/cgi-bin/server/x.cgi (this link should work as well if you configured your ssh connection as recommended above).
  • You should see a table near the top of the page where the first row is labeled: X Window Application. In the second column, click on the xterm link following the Action: label to fill in a test X application to launch.
  • On the second line of the table, fill in the value of your DISPLAY environment variable (localhost:10.0 in this example, but yours may be different).
  • Click on the Launch X Window Application button underneath the table.

If everything is working properly, an xterm running on the NST system should appear on your desktop. You can close the xterm at this point (we were just using it to verify that the connection was configured properly).

Now that the connection is configured properly, you should be able to launch the numerous X-based applications found under the X option on the NST WUI menu bar (for example: X|Security Applications|ZenMap (Nmap GUI)).

Connecting To A VNC Desktop Through The Tunnel