HowTo Limit Remote Access To "ssh" Connections


Overview

To increase operational security, it is desirable to limit the remote access points into a system and either disable insecure protocols (such as X or VNC) or wrap them in a secure networking layer such as an ssh tunnel or a VPN.

The goal of this "HowTo" is to:

  • Demonstrate how to disable port 443 (https) thus limiting access to the NST system to port 22 (ssh).
  • Securely access the NST WUI using an ssh tunnel through port 22.
  • Securely run X applications across an ssh tunnel through port 22.
  • Securely run a VNC session across an ssh tunnel through port 22.


Disabling Remote HTTPS Access

The following commands will disable the httpd service from listening on port 443 for remote connections:

cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.disable
service httpd restart

After running the above commands, use the netstat command to verify that port 443 is no longer open:

[root@dhcp150 conf.d]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name   
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      2758/httpd          
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1451/sshd           
tcp        0      0 192.168.20.201:22           192.168.20.2:49514          ESTABLISHED 2710/0              
tcp        0      0 :::22                       :::*                        LISTEN      1451/sshd           
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1222/dhclient       

The above output indicates that port 22 is the only IPv4 TCP port listening for outside connections (0.0.0.0:22 in the Local Address column); the :::22 entry is the same sshd listener on IPv6, and 127.0.0.1:80 is only reachable from the NST system itself.

You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to https://192.168.20.201/ (change the IP address to match the address of your NST system). The connection should be refused.
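The verification above is done by eye. The following POSIX shell snippet (an added example, not part of the original NST page) automates it: it parses netstat -tunap output, lists the TCP ports in LISTEN state on a non-loopback address, and returns success only when port 22 is the sole exposed listener. The sample input is constructed from the netstat output shown above; the "before" sample adds the 443 line that would have been present while ssl.conf was still active.

```sh
#!/bin/sh
# Constructed sample: netstat -tunap output after ssl.conf was disabled (from the page above).
SAMPLE_AFTER='Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      2758/httpd
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1451/sshd
tcp        0      0 192.168.20.201:22           192.168.20.2:49514          ESTABLISHED 2710/0
tcp        0      0 :::22                       :::*                        LISTEN      1451/sshd
udp        0      0 0.0.0.0:68                  0.0.0.0:*                               1222/dhclient'

# Constructed sample: the same listing with https (443) still open, as before the change.
SAMPLE_BEFORE="$SAMPLE_AFTER
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      2758/httpd"

# Print the TCP ports in LISTEN state that are bound to a non-loopback address
# (0.0.0.0, ::, or a specific interface address), one per line, sorted and unique.
exposed_tcp_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            # everything before the final ":" is the bind address (works for :::22 too)
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host != "127.0.0.1" && host != "::1") print port
        }' | sort -n | uniq
}

# Return 0 when ssh (22) is the only exposed TCP listener, 1 otherwise.
only_ssh_exposed() {
    [ "$(exposed_tcp_listeners "$1")" = "22" ]
}

# Live use on the NST system (not run here):
#   only_ssh_exposed "$(netstat -tunap 2>/dev/null)" && echo "only ssh is exposed"
```

The function treats every LISTEN socket that is not bound to 127.0.0.1 or ::1 as exposed, so a service bound to a single interface address (for example 192.168.20.201:443) is reported as well, not just 0.0.0.0 wildcards.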

Using "ssh" To Access The System

The command shown below will establish an ssh connection (through port 22) to the NST system having the IP address 192.168.20.201:

ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201

The command line shown enables secure access to the following:

  • Launching X-based applications (such as firefox) on the NST system and having them display on your system (your system must be running an X server).
  • Access to the NST WUI via: http://127.0.0.1:8000.
  • Access to a NST VNC session via: http://127.0.0.1:5806 (you'll need to set up the VNC session first).
  • Access to a NST VNC session via: vncviewer 127.0.0.1:6

To avoid a lot of typing, the information above can be added to your ~/.ssh/config file as a host entry:

Host nst-tunnels
    # Change to the IP address of your NST system
    HostName 192.168.20.201
    User root
    ForwardX11 yes
    # Tunnel access to NST WUI
    LocalForward 8000 127.0.0.1:80
    # Tunnel access to VNC web server for display :6 (optional)
    LocalForward 5806 127.0.0.1:5806
    # Tunnel access to VNC for display :6
    LocalForward 5906 127.0.0.1:5906
    # Add the following if you will be running a VNC listener on your client system
    # NOTE: Only one client connection will be able to claim port 5500 on the NST system
    RemoteForward 5500 127.0.0.1:5500

Once the configuration has been created, you can simply run:

ssh nst-tunnels
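The port numbers in the command line and the config entry follow VNC's standard display-to-port mapping: display :N listens on TCP 5900+N and its built-in HTTP (Java viewer) port is 5800+N, which is where 5906 and 5806 for display :6 come from. The POSIX shell helpers below (an added example, not part of the original NST page) generalise the entry to any NST address and display number, producing both the one-line ssh command and the equivalent ~/.ssh/config stanza. The function names are assumptions of this example.

```sh
#!/bin/sh
# VNC display :N listens on TCP 5900+N; its HTTP/Java viewer port is 5800+N.
vnc_port()      { echo $(( 5900 + $1 )); }
vnc_http_port() { echo $(( 5800 + $1 )); }

# Print the ssh command line for a given NST address and VNC display number
# (equivalent to the command shown earlier when called with 192.168.20.201 and 6).
nst_tunnel_cmd() {
    host=$1; display=$2
    vp=$(vnc_port "$display"); hp=$(vnc_http_port "$display")
    echo "ssh -X -L 8000:127.0.0.1:80 -L $hp:127.0.0.1:$hp -L $vp:127.0.0.1:$vp root@$host"
}

# Print a ~/.ssh/config stanza equivalent to that command line.
nst_tunnel_stanza() {
    host=$1; display=$2
    vp=$(vnc_port "$display"); hp=$(vnc_http_port "$display")
    cat <<EOF
Host nst-tunnels
    HostName $host
    User root
    ForwardX11 yes
    # Tunnel access to NST WUI
    LocalForward 8000 127.0.0.1:80
    # Tunnel access to VNC web server for display :$display
    LocalForward $hp 127.0.0.1:$hp
    # Tunnel access to VNC for display :$display
    LocalForward $vp 127.0.0.1:$vp
EOF
}

# Usage (not run here): append a stanza for display :6 to your ssh config, then "ssh nst-tunnels".
#   nst_tunnel_stanza 192.168.20.201 6 >> ~/.ssh/config
```

All forwards bind the local end to 127.0.0.1 only, so the WUI and VNC ports become reachable on the client machine but are not exposed to the client's network.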


Setting Up Tunnels

Accessing The NST WUI Through The Tunnel

Running X Applications Through The Tunnel

Connecting To A VNC Desktop Through The Tunnel