HowTo Limit Remote Access To "ssh" Connections: Difference between revisions

Revision as of 10:16, 28 February 2010

Overview

In order to increase operational security, it is desirable to limit the remote access points into a system and either to disable insecure protocols (such as X or VNC) or to wrap them in a secure transport such as an ssh tunnel or a VPN.

The goal of this "HowTo" is to:

  • Demonstrate how to disable port 443 (https), thus limiting access to the NST system to port 22 (ssh).
  • Securely access the NST WUI using an ssh tunnel through port 22.
  • Securely run X applications across an ssh tunnel through port 22.
  • Securely run a VNC session across an ssh tunnel through port 22.


Disabling Remote HTTPS Access

The following commands will disable the httpd service from listening on port 443 for remote connections:

cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.disable
service httpd restart

After running the above commands, you can use the netstat command to verify that port 443 is no longer open:

[root@dhcp150 conf.d]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      2758/httpd          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1451/sshd           
tcp        0      0 192.168.20.201:22           192.168.20.2:49514          ESTABLISHED 2710/0              
tcp        0      0 :::22                       :::*                        LISTEN      1451/sshd           
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1222/dhclient       

The above output indicates that port 22 is the only IPv4 TCP port listening for outside connections (0.0.0.0:22 in the Local Address column); the IPv6 listener on :::22 is the same sshd, and the httpd listener on port 80 is bound to 127.0.0.1 only, so it is reachable solely from the NST system itself (or through a tunnel).

You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to https://192.168.20.201/ (change the IP address to match the address of your NST system). The connection should be refused.
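Reading the netstat table by eye works for one host, but the same check can be scripted. The following shell script is an added example and is not part of the NST page: it reads a "netstat -tunap" style listing and reports every TCP listener bound to a non-loopback address on a port outside an allowed list. The embedded sample is constructed in the shape of the page's output, with an extra listener on 0.0.0.0:443 added so that the check has something to flag.

```shell
#!/bin/sh
# Added example, not part of the NST wiki page: audit a "netstat -tunap"
# listing and report every TCP listener that is reachable from other hosts,
# i.e. bound to a wildcard (0.0.0.0 / ::) or a real interface address rather
# than loopback, on a port that is not in the allowed list.

# Constructed sample: the shape of the page's netstat output, with one extra
# listener on 0.0.0.0:443 added so the check has something to report.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      2758/httpd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1451/sshd
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      2758/httpd
tcp        0      0 192.168.20.201:22           192.168.20.2:49514          ESTABLISHED 2710/0
tcp        0      0 :::22                       :::*                        LISTEN      1451/sshd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1222/dhclient'

# exposed_listeners "PORT PORT ..." < netstat-output
# Prints "proto local-address program" for each TCP socket in LISTEN state
# whose bind address is not loopback and whose port is not in the allowed list.
exposed_listeners() {
    awk -v allowed=" $1 " '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the last ":" is the bind address ("::" for :::22)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "::1") next   # loopback only
            if (index(allowed, " " port " ") > 0) next   # explicitly allowed
            print $1, addr, $7
        }'
}

# count_exposed "PORT PORT ..." < netstat-output
# Prints the number of exposed listeners (0 means nothing beyond the allowed
# ports is reachable remotely).
count_exposed() {
    exposed_listeners "$1" | wc -l | tr -d ' '
}

# Run the check on the constructed sample, allowing only ssh (22).
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners "22"
# On a live system the same check reads the real table:
#   netstat -tunap | exposed_listeners "22"
```

On the sample this prints the single line "tcp 0.0.0.0:443 2758/httpd"; on the page's own output, after ssl.conf has been disabled, it prints nothing, which is the state the HowTo is aiming for.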

Using "ssh" To Access The System

The command shown below will establish an ssh connection (through port 22) to the NST system having the IP address of 192.168.20.201:

ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201

The command line shown enables secure access to the following:

  • Launching X based applications (such as firefox) on the NST system and having them display on your system (your system must be running an X server).
  • Access to the NST WUI via: http://127.0.0.1:8000.
  • Access to a NST VNC session via: http://127.0.0.1:5806 (you'll need to set up the VNC session first).
  • Access to a NST VNC session via: vncviewer 127.0.0.1:6

In order to avoid a lot of typing, the information above can be added to your ~/.ssh/config file as a host entry.

HOST nst-tunnels
# Change to IP address of your NST system
HostName=192.168.20.201
User=root
ForwardX11=yes
# Tunnel access to NST WUI
LocalForward=8000 127.0.0.1:80
# Tunnel access to VNC web server for display :6 (optional)
LocalForward=5806 127.0.0.1:5806
# Tunnel access to VNC for display :6 
LocalForward=5906 127.0.0.1:5906
# Add following if you will be running a VNC listener on your client system
# NOTE: Only one client connection will be able to claim port 5500 on the NST system
RemoteForward=5500 127.0.0.1:5500

Once the configuration has been created, you can simply run:

ssh nst-tunnels
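A host entry hides the forwards it sets up, so it is worth being able to see exactly which tunnels "ssh nst-tunnels" will open. The script below is an added example, not part of the NST page: it reads a ~/.ssh/config Host block (the page's own entry is embedded so it runs offline) and prints the equivalent ssh command line, accepting both the "Keyword=Value" form used on the page and the "Keyword Value" form. It simplifies real ssh_config parsing in one way: the Host alias is matched exactly, not by the wildcard patterns ssh allows.

```shell
#!/bin/sh
# Added example, not part of the NST wiki page: render a ~/.ssh/config Host
# block as the equivalent ssh command line, so the tunnels an alias opens can
# be reviewed before relying on it. Simplification: the Host keyword is
# matched by exact alias, not by the wildcard patterns ssh_config allows.

# The host entry from the page, embedded so the script runs offline.
NST_CONFIG='HOST nst-tunnels
# Change to IP address of your NST system
HostName=192.168.20.201
User=root
ForwardX11=yes
# Tunnel access to NST WUI
LocalForward=8000 127.0.0.1:80
# Tunnel access to VNC web server for display :6 (optional)
LocalForward=5806 127.0.0.1:5806
# Tunnel access to VNC for display :6
LocalForward=5906 127.0.0.1:5906
# Add following if you will be running a VNC listener on your client system
# NOTE: Only one client connection will be able to claim port 5500 on the NST system
RemoteForward=5500 127.0.0.1:5500'

# config_to_ssh_cmd ALIAS < ssh_config
# Prints the ssh command equivalent to the named Host block. Accepts both
# "Keyword=Value" and "Keyword Value" lines (ssh accepts either) and treats
# keywords case-insensitively, as ssh does.
config_to_ssh_cmd() {
    awk -v want="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            # normalise "Key=Value" to "Key Value"
            eq = index(line, "=")
            sp = index(line, " ")
            if (eq > 0 && (sp == 0 || eq < sp))
                line = substr(line, 1, eq - 1) " " substr(line, eq + 1)
            sp = index(line, " ")
            key = tolower(substr(line, 1, sp - 1))
            val = substr(line, sp + 1)
            if (key == "host") { in_block = (val == want); next }
            if (!in_block) next
            if (key == "hostname") hostname = val
            else if (key == "user") user = val
            else if (key == "forwardx11" && tolower(val) == "yes") x11 = " -X"
            else if (key == "localforward") { split(val, f, " "); fwd = fwd " -L " f[1] ":" f[2] }
            else if (key == "remoteforward") { split(val, f, " "); fwd = fwd " -R " f[1] ":" f[2] }
        }
        END {
            if (hostname == "") hostname = want
            printf "ssh%s%s %s%s\n", x11, fwd, (user != "" ? (user "@") : ""), hostname
        }'
}

# Show what "ssh nst-tunnels" expands to with the entry above.
printf '%s\n' "$NST_CONFIG" | config_to_ssh_cmd nst-tunnels
```

For the page's entry the output is the long command line from the previous section plus the extra "-R 5500:127.0.0.1:5500" that the RemoteForward line adds; running it against your real file ("config_to_ssh_cmd nst-tunnels < ~/.ssh/config") shows the same for whatever the entry currently contains.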


Setting Up Tunnels

Accessing The NST WUI Through The Tunnel

Running X Applications Through The Tunnel

Connecting To A VNC Desktop Through The Tunnel