HowTo Limit Remote Access To "ssh" Connections

From NST Wiki
Jump to: navigation, search

Overview

In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (such as X or VNC), or to wrap these insecure protocols within a secure networking layer such as a ssh tunnel or VPN.

The goal of this "HowTo" is to:

  • Demonstrate how to disable port 443 (https) thus limiting access to the NST system to port 22 (ssh).
  • Securely access the NST WUI using a ssh tunnel through port 22.
  • Securely run X applications across a ssh tunnel through port 22.
  • Securely run a VNC session across a ssh tunnel through port 22.


Disabling Remote HTTPS Access

The following commands will disable the httpd service from listening on port 443 for remote connections:

cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.disable
service httpd restart

After running the above command, you should be able to use the netstat command to verify that port 443 is no longer open.

[root@dhcp150 conf.d]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      2758/httpd          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1451/sshd           
tcp        0      0 192.168.20.201:22           192.168.20.2:49514          ESTABLISHED 2710/0              
tcp        0      0 :::22                       :::*                        LISTEN      1451/sshd           
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1222/dhclient       

The above output indicates that port 22 is the only IP4 TCP port that is listening for outside connections (0.0.0.0:22 in the Local Address column).

You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to https://192.168.20.201/ (change the IP address to match the address of your NST system). The connection should be refused.

Using "ssh" To Access The System

The command shown below will establish a ssh connection (through port 20) to the NST system having the IP address of 192.168.20.201:

ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201

The command line shown enables secure access to the following:

  • Launching X based applications (such as firefox) on the NST system (-X option: Enables X11 forwarding) and having them display on your system (your system must be running a X server).
  • Access to the NST WUI via: http://127.0.0.1:8000 (-L 8000:127.0.0.1:80 option).
  • Access to a NST VNC session via: http://127.0.0.1:5806 (-L 5806:127.0.0.1:5806 option. Note: You will need to setup the VNC session first).
  • Access to a NST VNC session via: vncviewer 127.0.0.1:6 (-L 5906:127.0.0.1:5906 option Note: You will need to setup the VNC session first).
Note: One can also use "ssh -Y" which enables trusted X11 forwarding. Trusted X11 forwardings are not subjected to the X11 SECURITY extension controls..

In order to avoid a lot of typing, the information about can be added to your ~/.ssh/config file as a host entry.

HOST nst-tunnels
# Change to IP address of your NST system
HostName=192.168.20.201
User=root
ForwardX11=yes
# Tunnel access to NST WUI
LocalForward=8000 127.0.0.1:80
# Tunnel access to VNC web server for display :6 (optional)
LocalForward=5806 127.0.0.1:5806
# Tunnel access to VNC for display :6 
LocalForward=5906 127.0.0.1:5906
# Add following if you will be running a VNC listener on your client system
# NOTE: Only one client connection will be able to claim port 5500 on the NST system
RemoteForward=5500 127.0.0.1:5500

Once the configuration has been created, you can simply run:

ssh nst-tunnels

Accessing The NST WUI Through The SSH Tunnel

Once you've established the ssh connection, accessing the NST WUI is simple, simply point your browser at the following link and login as you normally would.

http://127.0.0.1:8000/

Running X Window Applications Through The SSH Tunnel

Requirements

In order to project X applications from the remote NST system back to your system, your system must be running a X server.

Linux Clients
You simply need to log into a X desktop environment (GNOME, KDE, Xfce, Fluxbox, ...). Open up a Terminal and ssh to your NST system.
Mac OSX
You simply need to log in, support for launching X applications is built in. Open up a Terminal and ssh to your NST system.
Windows
This is a bit more difficult, you will need to setup a X server. We suggest that you visit the http://www.cygwin.com/ site for details on setting up a X environment under Windows.

It should be noted, that since the X applications are being tunneled via ssh, they appear as though you are running a local X application within your desktop environment. What this means is that your system does NOT need to be configured to permit direct TCP connections to the X server. Also, you don't need to worry about the xhost command as the applications will appear as local applications to your X server.

Verifying X Connection

When you established your ssh connection by logging into the NST system using ssh, a secure tunnel was established such that your client system can be used as the X server for applications launched on the NST system (when you run something like firefox on the NST system, the actual application will appear on your client machine).

To verify that X support was enabled, echo the value of your DISPLAY environment variable as shown below:

[root@dhcp150 ~]# echo $DISPLAY
localhost:10.0

This indicates that the ssh connection is listening for connections to port 6010 on localhost and forwarding these connections back to the X server on your system. You can use the 'netstat command to verify this:

[root@dhcp150 ~]# netstat -tunap | grep 6010
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN      2798/0              
tcp        0      0 ::1:6010                    :::*                        LISTEN      2798/0        

NOTE: The display chosen will vary. In the above example, display 10 (port 6010) was chosen, but this can change.

From The Command Line

Running a X application through the tunnel from the command line is trivial. You simply run the command that you would like to have projected from the NST system back to your system. For example, to bring up a xterm, you simply run the following from your ssh login prompt:

[root@dhcp150 ~]# xterm &
[1] 3040
[root@dhcp150 ~]# 

If things are working correctly, it really is this simple and you should see a xterm appear on your desktop.

From The NST WUI

If you would like to use the NST WUI to launch X applications, it involves the following steps:

  • Determining what the DISPLAY variable should be set to for your NST WUI session.
  • Setting the DISPLAY variable for your NST WUI session.

To determine the what the DISPLAY should be set to, run the following command from your ssh connection:

[root@dhcp150 ~]# echo $DISPLAY
localhost:10.0

To set the DISPLAY variable for your NST WUI session:

  • Select the X|Launch X Window Application page from the menu bar on the NST WUI interface. This should take you to the page: http://127.0.0.1:8000/nstwui/cgi-bin/server/x.cgi (this link should work as well if you configured your ssh connection as recommended above).
  • You should see a table near the top of the page where the first row is labeled: X Window Application. In the second column, click on the xterm link following the Action: label to fill in a test X application to launch.
  • On the second line of the table, fill in the value of your DISPLAY environment variable (localhost:10.0 in this example, but yours may be different).
  • Click on the Launch X Window Application button underneath the table.

If everything is working properly, a xterm should appear on your system that is running on the NST system. You can close out the xterm at this point (we were just using it to verify the connection was configured properly).

Now that the connection is configured properly, you should be able to launch the numerous X based applications found under the X option on the NST WUI menu bar (for example: X|Security Applications|ZenMap (Nmap GUI)).

Connecting To A VNC Desktop Through The Tunnel

Setting Up A Secure VNC Session

Using the NST WUI, select System|Virtual Computing|VNC Server Session Management from the menu bar. This should take you to: http://127.0.0.1:8000/nstwui/cgi-bin/server/vnc.cgi

The VNC setup table can be a bit overwhelming (there are a lot of options you can play with). For this example, the key settings are:

  • The display number should be set to 6 to agree with the tunnels we setup above (this should be the default display the first time you set up a VNC connection).
  • On the TCP Connections line, make sure the Local Only / Secure SSH Tunnel radio button is selected (it is not by default). If you don't select this option, then the NST system will expose ports 5806 and 5906 to the outside world and we don't want it to in this secure setup.
  • On the TCP Connections line, it is recommended that you leave the Enable: X TCP/IP and Enable: xhost + disabled (unchecked).
  • Feel free to set the other options how they best suit your needs (screen size, desktop environment, etc).

Once the settings have been specified, you can press the Start VNC Server button that is just under the settings table.


Connecting Securely Using A Native VNC Client

Now that you've setup a VNC server as display :6 on the system, you should be able to connect to it using any native VNC client (vncviewer, UltraVNC, TightVNC, TigerVNC, Chicken Of The VNC, ...) by pointing your VNC viewer at: 127.0.0.1:6 (or 127.0.0.1:5906 if your native viewer wants to see the full TCP port to connect to).

Connecting Securely Using The VNC Web Server

You should also be able to connect to the VNC server using the VNC viewer applet by pointing your Java enabled web browser at: http://127.0.0.1:5806/.

Connecting Securely Using A VNC Listener

If you are running a VNC listener on your system and you enabled the reverse ssh tunnel as shown in the sample ~/.ssh/config file entry, you should be able to connect the NST's VNC desktop to your system using the following steps:

  • You should see a table of Active VNC Server NST Desktop Sessions running on the NST system. Locate the row labeled (Local Only):6 and press the corresponding Connect button under the Actions column.
  • The VNC desktop should automatically appear on your system.