HowTo Limit Remote Access To "ssh" Connections
Revision as of 10:53, 28 February 2010
Overview
In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (such as X or VNC), or to wrap these insecure protocols within a secure networking layer such as a ssh tunnel or VPN.
The goal of this "HowTo" is to:
- Demonstrate how to disable port 443 (https) thus limiting access to the NST system to port 22 (ssh).
- Securely access the NST WUI using a ssh tunnel through port 22.
- Securely run X applications across a ssh tunnel through port 22.
- Securely run a VNC session across a ssh tunnel through port 22.
Disabling Remote HTTPS Access
The following commands will disable the httpd service from listening on port 443 for remote connections:
cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.disable
service httpd restart
After running the above commands, you should be able to use the netstat command to verify that port 443 is no longer open.
[root@dhcp150 conf.d]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2758/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1451/sshd
tcp        0      0 192.168.20.201:22       192.168.20.2:49514      ESTABLISHED 2710/0
tcp        0      0 :::22                   :::*                    LISTEN      1451/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1222/dhclient
The above output indicates that port 22 is the only IPv4 TCP port that is listening for outside connections (0.0.0.0:22 in the Local Address column); port 80 is still open, but only on the loopback address 127.0.0.1, so it is reachable solely through the ssh tunnel described below.
You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to https://192.168.20.201/ (change the IP address to match the address of your NST system). The connection should be refused.
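The netstat check above is easy to misread by eye on a busier system, so here is a small shell helper that does the same verification mechanically. This is an added example, not part of the NST HowTo: it parses the text of netstat -tunap (read from stdin, so it also works on a saved capture) and prints every TCP listener bound to a non-loopback address. The sample output embedded below is constructed to match the page's listing; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not NST's code): report TCP listeners reachable from the
# network, i.e. LISTEN sockets whose local address is not 127.0.0.1 or ::1.

# Constructed sample, matching the page's "netstat -tunap" output.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2758/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1451/sshd
tcp        0      0 192.168.20.201:22       192.168.20.2:49514      ESTABLISHED 2710/0
tcp        0      0 :::22                   :::*                    LISTEN      1451/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1222/dhclient'

# exposed_tcp_listeners: read netstat output on stdin, print "port program"
# for each LISTEN socket that is not bound to a loopback address.
exposed_tcp_listeners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")          # port is the last ":"-separated field
        port = parts[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host != "127.0.0.1" && host != "::1") print port, $7
    }' | sort -u
}

# expect_only_ssh: exit 0 only if port 22 is the sole exposed TCP port.
expect_only_ssh() {
    ports=$(exposed_tcp_listeners | awk '{print $1}' | sort -u)
    [ "$ports" = "22" ]
}

# Usage against the constructed sample.  On a live NST system run:
#   netstat -tunap | exposed_tcp_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_tcp_listeners
```

The IPv6 wildcard (:::22) and the IPv4 wildcard (0.0.0.0:22) both collapse to the single line "22 1451/sshd", which is the result you want to see after ssl.conf has been disabled; any other port in the output is a remote access point this HowTo intends to close.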
Using "ssh" To Access The System
The command shown below will establish a ssh connection (through port 20) to the NST system having the IP address of 192.168.20.201:
ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201
The command line shown enables secure access to the following:
- Launching X based applications (such as firefox) on the NST system and having them display on your system (your system must be running a X server).
- Access to the NST WUI via: http://127.0.0.1:8000.
- Access to a NST VNC session via: http://127.0.0.1:5806 (you'll need to setup the VNC session first).
- Access to a NST VNC session via: vncviewer 127.0.0.1:6
In order to avoid a lot of typing, the information above can be added to your ~/.ssh/config file as a host entry.
Host nst-tunnels
  # Change to IP address of your NST system
  HostName=192.168.20.201
  User=root
  ForwardX11=yes
  # Tunnel access to NST WUI
  LocalForward=8000 127.0.0.1:80
  # Tunnel access to VNC web server for display :6 (optional)
  LocalForward=5806 127.0.0.1:5806
  # Tunnel access to VNC for display :6
  LocalForward=5906 127.0.0.1:5906
  # Add following if you will be running a VNC listener on your client system
  # NOTE: Only one client connection will be able to claim port 5500 on the NST system
  RemoteForward=5500 127.0.0.1:5500
Once the configuration has been created, you can simply run:
ssh nst-tunnels
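The host entry above hard-codes VNC display :6, and the two VNC port numbers (5806 and 5906) are derived from that display number. The following shell helper, added here as an example and not part of the NST HowTo, generates an equivalent stanza for any display number so the ports cannot drift out of step. The alias nst-tunnels and the address 192.168.20.201 come from the page; the function names and the optional WUI port argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not NST's code): emit an ssh_config host stanza for the
# NST tunnels, computing the VNC ports from the display number.
#   VNC display :N listens on 5900+N; its built-in web server on 5800+N.

vnc_port()      { echo $((5900 + $1)); }
vnc_http_port() { echo $((5800 + $1)); }

# nst_tunnel_entry ALIAS ADDRESS DISPLAY [WUI_LOCAL_PORT]
# Prints the stanza on stdout; returns 1 if DISPLAY is not a number.
nst_tunnel_entry() {
    alias_name=$1; address=$2; display=$3; wui=${4:-8000}
    case "$display" in
        ''|*[!0-9]*) echo "display must be a number, got '$display'" >&2; return 1 ;;
    esac
    vnc=$(vnc_port "$display")
    http=$(vnc_http_port "$display")
    cat <<EOF
Host $alias_name
    # Change to IP address of your NST system
    HostName $address
    User root
    ForwardX11 yes
    # Tunnel access to NST WUI
    LocalForward $wui 127.0.0.1:80
    # Tunnel access to VNC web server for display :$display (optional)
    LocalForward $http 127.0.0.1:$http
    # Tunnel access to VNC for display :$display
    LocalForward $vnc 127.0.0.1:$vnc
    # Only one client connection can claim port 5500 on the NST system
    RemoteForward 5500 127.0.0.1:5500
EOF
}

# Usage: append the stanza to ~/.ssh/config (keep that file mode 600),
# then connect with "ssh nst-tunnels".
nst_tunnel_entry nst-tunnels 192.168.20.201 6
```

The stanza uses the "Key value" form; ssh also accepts the "Key=value" form used on the page, so the two are interchangeable. Because every LocalForward binds to the client's loopback address only, the forwarded WUI and VNC ports are not reachable by other hosts on the client's network.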
Accessing The NST WUI Through The Tunnel
Once you've established the ssh connection, accessing the NST WUI is simple: point your browser at the following link and log in as you normally would.
http://127.0.0.1:8000/
Running X Applications Through The Tunnel
Requirements
In order to project X applications from the remote NST system back to your system, your system must be running an X server.
- Linux Clients: You simply need to log into an X desktop environment (GNOME, KDE, Xfce, Fluxbox, ...). Open up a Terminal and ssh to your NST system.
- Mac OSX: You simply need to log in; support for launching X applications is built in. Open up a Terminal and ssh to your NST system.
- Windows: This is a bit more difficult, as you will need to set up an X server. We suggest that you visit the http://www.cygwin.com/ site for details on setting up an X environment under Windows.
It should be noted, that since the X applications are being tunneled via ssh, they appear as though you are running a local X application within your desktop environment. What this means is that your system does NOT need to be configured to permit direct TCP connections to the X server. Also, you don't need to worry about the xhost command as the applications will appear as local applications to your X server.
Verifying X Connection
When you established your ssh connection by logging into the NST system using ssh, a secure tunnel was established such that your client system can be used as the X server for applications launched on the NST system (when you run something like firefox on the NST system, the actual application will appear on your client machine).
To verify that X support was enabled, echo the value of your DISPLAY environment variable as shown below:
[root@dhcp150 ~]# echo $DISPLAY
localhost:10.0
This indicates that the ssh connection is listening for connections to port 6010 on localhost and forwarding these connections back to the X server on your system. You can use the netstat command to verify this:
[root@dhcp150 ~]# netstat -tunap | grep 6010
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      2798/0
tcp        0      0 ::1:6010                :::*                    LISTEN      2798/0
NOTE: The display chosen will vary. In the above example, display 10 (port 6010) was chosen, but this can change.
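Since the display number varies from session to session, the port to check has to be derived from DISPLAY each time (display N listens on TCP port 6000+N). The shell helper below, added here as an example and not part of the NST HowTo, does that derivation and then confirms from netstat output that the forwarding socket is bound to loopback only, which is what makes the xhost step unnecessary. It reads netstat -tunap text on stdin so it can be run on a saved capture; the embedded sample is constructed from the page's listing, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not NST's code): map $DISPLAY to the ssh X11-forwarding
# port and verify that port is only listening on loopback addresses.

# Constructed sample, matching the page's "netstat -tunap | grep 6010" output.
SAMPLE_X_NETSTAT='tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      2798/0
tcp        0      0 ::1:6010                :::*                    LISTEN      2798/0'

# display_port "localhost:10.0" -> 6010  (also accepts ":10" and "host:10")
display_port() {
    disp=${1#*:}            # drop the "hostname:" prefix, if any
    disp=${disp%%.*}        # drop the ".screen" suffix, if any
    case "$disp" in
        ''|*[!0-9]*) echo "bad DISPLAY value: '$1'" >&2; return 1 ;;
    esac
    echo $((6000 + $disp))
}

# x_forward_loopback_only PORT: read netstat output on stdin.
# Returns 0 if every LISTEN socket on PORT is bound to 127.0.0.1 or ::1,
# 1 if any is bound elsewhere (exposed to the network), 2 if none is found.
x_forward_loopback_only() {
    port=$1
    listeners=$(grep -E "^tcp.*:$port +.*LISTEN" || true)
    [ -n "$listeners" ] || return 2
    # Any listener whose local address is not a loopback address is a problem.
    printf '%s\n' "$listeners" \
        | grep -Ev "^tcp[ 0-9]+(127\.0\.0\.1|::1):$port +" >/dev/null && return 1
    return 0
}

# Usage on a live NST login:
#   netstat -tunap | x_forward_loopback_only "$(display_port "$DISPLAY")"
port=$(display_port "localhost:10.0")
if printf '%s\n' "$SAMPLE_X_NETSTAT" | x_forward_loopback_only "$port"; then
    echo "port $port: X11 forwarding is listening on loopback only"
fi
```

A return of 2 means no forwarding socket exists for that display, which usually indicates the session was started without -X (or ForwardX11), while a return of 1 means the X11 proxy port is reachable from outside the host and should be investigated before X applications are launched through it.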
From The Command Line
Running a X application through the tunnel from the command line is trivial. You simply run the command that you would like to have projected from the NST system back to your system. For example, to bring up a xterm, you simply run the following from your ssh login prompt:
[root@dhcp150 ~]# xterm &
[1] 3040
[root@dhcp150 ~]#
If things are working correctly, it really is this simple and you should see a xterm appear on your desktop.
From The NST WUI
If you would like to use the NST WUI to launch X applications, it involves the following steps:
- Determining what the DISPLAY variable should be set to for your NST WUI session.
- Setting the DISPLAY variable for your NST WUI session.
To determine what the DISPLAY should be set to, run the following command from your ssh connection:
[root@dhcp150 ~]# echo $DISPLAY
localhost:10.0
To set the DISPLAY variable for your NST WUI session:
- Select the X|Launch X Window Application page from the menu bar on the NST WUI interface. This should take you to the page: http://127.0.0.1:8000/nstwui/cgi-bin/server/x.cgi (this link should work as well if you configured your ssh connection as recommended above).
- You should see a table near the top of the page where the first row is labeled: X Window Application. In the second column, click on the xterm link following the Action: label to fill in a test X application to launch.
- On the second line of the table, fill in the value of your DISPLAY environment variable (localhost:10.0 in this example, but yours may be different).
- Click on the Launch X Window Application button underneath the table.
If everything is working properly, a xterm should appear on your system that is running on the NST system. You can close out the xterm at this point (we were just using it to verify the connection was configured properly).
Now that the connection is configured properly, you should be able to launch the numerous X based applications found under the X option on the NST WUI menu bar (for example: X|Security Applications|ZenMap (Nmap GUI)).