HowTo Limit Remote Access To "ssh" Connections: Difference between revisions
(Created page with '= Overview = In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (suc…') |
|||
Line 15: | Line 15: | ||
= Disabling Remote HTTPS Access = | = Disabling Remote HTTPS Access = | ||
The following commands will disable the ''httpd'' service from listening on port 443 for remote connections: | |||
cd /etc/httpd/conf.d | |||
mv ssl.conf ssl.conf.disable | |||
service httpd restart | |||
After running the above command, you should be able to use the '''netstat''' command to verify that port 443 is no longer open. | |||
[root@dhcp150 conf.d]# netstat -tunap | |||
Active Internet connections (servers and established) | |||
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name | |||
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 2758/httpd | |||
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1451/sshd | |||
tcp 0 0 192.168.20.201:22 192.168.20.2:49514 ESTABLISHED 2710/0 | |||
tcp 0 0 :::22 :::* LISTEN 1451/sshd | |||
udp 0 0 0.0.0.0:68 0.0.0.0:* 1222/dhclient | |||
The above output indicates that port 22 is the only IP4 TCP port that is listening for outside connections (''0.0.0.0:22'' in the ''Local Address'' column). | |||
You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to ''https://192.168.20.201/'' (change the IP address to match the address of your NST system). The connection should be refused. | |||
= Using "ssh" To Access The System = | = Using "ssh" To Access The System = |
Revision as of 10:09, 28 February 2010
Overview
In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (such as X or VNC), or to wrap these insecure protocols within a secure networking layer such as a ssh tunnel or VPN.
The goal of this "HowTo" is to:
- Demonstrate how to disable port 443 (https) thus limiting access to the NST system to port 22 (ssh).
- Securely access the NST WUI using a ssh tunnel through port 22.
- Securely run X applications across a ssh tunnel through port 22.
- Securely run a VNC session across a ssh tunnel through port 22.
Disabling Remote HTTPS Access
The following commands will disable the httpd service from listening on port 443 for remote connections:
cd /etc/httpd/conf.d mv ssl.conf ssl.conf.disable service httpd restart
After running the above command, you should be able to use the netstat command to verify that port 443 is no longer open.
[root@dhcp150 conf.d]# netstat -tunap Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN 2758/httpd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1451/sshd tcp 0 0 192.168.20.201:22 192.168.20.2:49514 ESTABLISHED 2710/0 tcp 0 0 :::22 :::* LISTEN 1451/sshd udp 0 0 0.0.0.0:68 0.0.0.0:* 1222/dhclient
The above output indicates that port 22 is the only IP4 TCP port that is listening for outside connections (0.0.0.0:22 in the Local Address column).
You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to https://192.168.20.201/ (change the IP address to match the address of your NST system). The connection should be refused.
Using "ssh" To Access The System
The command shown below will establish a ssh connection (through port 20) to the NST system having the IP address of 192.168.20.201:
ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201
The command line shown enables secure access to the following:
- Launching X based applications (such as firefox) on the NST system and having them display on your system (your system must be running a X server).
- Access to the NST WUI via: http://127.0.0.1:8000.
- Access to a NST VNC session via: http://127.0.0.1:5806 (you'll need to setup the VNC session first).
- Access to a NST VNC session via: vncviewer 127.0.0.1:6
In order to avoid a lot of typing, the information about can be added to your ~/.ssh/config file as a host entry.
HOST nst HostName=192.168.20.201 # Change to IP address of your NST system User=root ForwardX11=yes LocalForward=8000 127.0.0.1:80 # Tunnel access to NST WUI LocalForward=5806 127.0.0.1:5806 # Tunnel access to VNC web server for display :6 LocalForward=5906 127.0.0.1:5906 # Tunnel access to VNC for display :6
Once the configuration has been created, you can simply run:
ssh nst