HowTo Limit Remote Access To "ssh" Connections
Overview
In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (such as X or VNC) or to wrap these insecure protocols within a secure networking layer such as an ssh tunnel or a VPN.
The goal of this "HowTo" is to:
- Demonstrate how to disable port 443 (https), thus limiting access to the NST system to port 22 (ssh).
- Securely access the NST WUI using an ssh tunnel through port 22.
- Securely run X applications across an ssh tunnel through port 22.
- Securely run a VNC session across an ssh tunnel through port 22.
Disabling Remote HTTPS Access
The following commands will disable the httpd service from listening on port 443 for remote connections:
cd /etc/httpd/conf.d
mv ssl.conf ssl.conf.disable
service httpd restart
After running the above commands, you should be able to use the netstat command to verify that port 443 is no longer open.
[root@dhcp150 conf.d]# netstat -tunap
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2758/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1451/sshd
tcp        0      0 192.168.20.201:22       192.168.20.2:49514      ESTABLISHED 2710/0
tcp        0      0 :::22                   :::*                    LISTEN      1451/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1222/dhclient
The above output indicates that port 22 is the only IPv4 TCP port listening for outside connections (0.0.0.0:22 in the Local Address column); port 80 is bound to 127.0.0.1 only, so it is reachable solely from the NST system itself.
You can verify that the NST system is no longer allowing remote access to the web server by trying to connect to https://192.168.20.201/ (change the IP address to match the address of your NST system). The connection should be refused.
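To script the check above instead of reading the netstat listing by eye, the following POSIX shell functions (an added example, not part of the NST HowTo) parse "netstat -tunap" output and report every socket bound to a non-loopback address, then compare the result against an allow-list of ports. The embedded sample is constructed from the listing above; note that it also reports udp 0.0.0.0:68 (dhclient), which the text does not mention.

```sh
# Added example, not part of the NST HowTo: report sockets reachable from outside the
# host (listening on an address other than loopback), fed with "netstat -tunap" output.

# Constructed sample modelled on the listing in the HowTo (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      2758/httpd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1451/sshd
tcp        0      0 192.168.20.201:22       192.168.20.2:49514      ESTABLISHED 2710/0
tcp        0      0 :::22                   :::*                    LISTEN      1451/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           1222/dhclient'

# exposed_listeners: read netstat output on stdin, print "proto local-address" for each
# listening TCP socket or bound UDP socket whose local address is not 127.x or ::1.
exposed_listeners() {
    awk '
        $1 !~ /^(tcp|udp)6?$/ { next }            # skip header lines
        $1 ~ /^tcp/ && $6 != "LISTEN" { next }    # established TCP sessions are not listeners
        {
            addr = $4
            sub(/:[0-9]+$/, "", addr)               # drop the port, keep the address
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, $4
        }'
}

# check_only_ports "22 68": succeed only if every exposed socket uses an allowed port;
# otherwise list the offenders on stderr and fail.
check_only_ports() {
    allowed="$1"
    unexpected=$(exposed_listeners | awk -v allowed=" $allowed " '
        { port = $2; sub(/.*:/, "", port)
          if (index(allowed, " " port " ") == 0) print }')
    if [ -n "$unexpected" ]; then
        printf 'Unexpected exposed sockets:\n%s\n' "$unexpected" >&2
        return 1
    fi
    return 0
}

# Example run against the constructed sample, allowing only ssh: flags udp 0.0.0.0:68.
if printf '%s\n' "$SAMPLE_NETSTAT" | check_only_ports "22"; then
    echo "only allowed ports are exposed"
else
    echo "review the sockets listed above"
fi
```

On a live system, replace the sample with `netstat -tunap | check_only_ports "22"` (run as root so PID/Program name is filled in).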
Using "ssh" To Access The System
The command shown below will establish an ssh connection (through port 22) to the NST system having the IP address 192.168.20.201:
ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201
The command line shown enables secure access to the following:
- Launching X-based applications (such as firefox) on the NST system and having them display on your system (your system must be running an X server).
- Access to the NST WUI via: http://127.0.0.1:8000.
- Access to an NST VNC session via: http://127.0.0.1:5806 (you'll need to set up the VNC session first).
- Access to an NST VNC session via: vncviewer 127.0.0.1:6
In order to avoid a lot of typing, the information above can be added to your ~/.ssh/config file as a host entry.
HOST nst-tunnels
    # Change to IP address of your NST system
    HostName=192.168.20.201
    User=root
    ForwardX11=yes
    # Tunnel access to NST WUI
    LocalForward=8000 127.0.0.1:80
    # Tunnel access to VNC web server for display :6 (optional)
    LocalForward=5806 127.0.0.1:5806
    # Tunnel access to VNC for display :6
    LocalForward=5906 127.0.0.1:5906
    # Add following if you will be running a VNC listener on your client system
    # NOTE: Only one client connection will be able to claim port 5500 on the NST system
    RemoteForward=5500 127.0.0.1:5500
Once the configuration has been created, you can simply run:
ssh nst-tunnels