HowTo Limit Remote Access To "ssh" Connections

Revision as of 07:24, 28 February 2010 by Paul Blankenbaker

Overview

In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (such as X or VNC), or to wrap these insecure protocols within a secure networking layer such as a ssh tunnel or VPN.

The goal of this "HowTo" is to:

  • Demonstrate how to disable port 443 (https), thus limiting access to the NST system to port 22 (ssh).
  • Securely access the NST WUI using a ssh tunnel through port 22.
  • Securely run X applications across a ssh tunnel through port 22.
  • Securely run a VNC session across a ssh tunnel through port 22.


Disabling Remote HTTPS Access

Using "ssh" To Access The System

The command shown below will establish a ssh connection (through port 22) to the NST system having the IP address of 192.168.20.201:

ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201

The command line shown enables secure access to the following:

  • Launching X based applications (such as firefox) on the NST system and having them display on your system (your system must be running an X server).
  • Access to the NST WUI via: http://127.0.0.1:8000.
  • Access to a NST VNC session via: http://127.0.0.1:5806 (you'll need to set up the VNC session first).
  • Access to a NST VNC session via: vncviewer 127.0.0.1:6

In order to avoid a lot of typing, the information above can be added to your ~/.ssh/config file as a host entry. Note that ssh_config only treats a line beginning with "#" as a comment; a comment trailing a value on the same line is rejected, so the notes below sit on their own lines.

Host nst
    # Change to the IP address of your NST system
    HostName 192.168.20.201
    User root
    ForwardX11 yes
    # Tunnel access to NST WUI
    LocalForward 8000 127.0.0.1:80
    # Tunnel access to VNC web server for display :6
    LocalForward 5806 127.0.0.1:5806
    # Tunnel access to VNC for display :6
    LocalForward 5906 127.0.0.1:5906

Once the configuration has been created, you can simply run:

ssh nst
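As an added example that is not part of the original wiki page, the POSIX shell helpers below derive the two VNC port numbers from a display number (the page's :6 becomes 5806 and 5906), build the same ssh arguments and ~/.ssh/config stanza shown above, and audit "ss -ltn" output to confirm that every forwarded port is bound to loopback only, since a forward that ends up on 0.0.0.0 would re-expose the very WUI and VNC services the tunnel is meant to hide. The function names, the sample "ss" output and the demo() wrapper are constructed for this example; the address 192.168.20.201, the alias nst and the port numbers come from the page.

```sh
#!/bin/sh
# Added example, not code from the NST wiki page. Helper functions for the
# ssh tunnel described above; function names, the sample "ss -ltn" output
# and the demo() wrapper are constructed for illustration.

# VNC display :N is served on TCP 5800+N (Java/web viewer) and 5900+N (RFB),
# which is why display :6 appears as 5806 and 5906 on the page.
# Prints "<web_port> <rfb_port>".
vnc_ports() {
    echo "$((5800 + $1)) $((5900 + $1))"
}

# Builds the ssh arguments for the tunnel: the remote WUI (loopback port 80)
# appears locally on port $1, and VNC display $2 keeps its own port numbers.
# Every -L names 127.0.0.1 explicitly so the local listeners stay on loopback.
build_tunnel_args() {
    wui_local=$1
    set -- $(vnc_ports "$2")
    echo "-X -L $wui_local:127.0.0.1:80 -L $1:127.0.0.1:$1 -L $2:127.0.0.1:$2"
}

# Writes a ~/.ssh/config stanza to file $1 for alias $2, NST address $3,
# local WUI port $4 and VNC display $5. ssh_config treats only lines that
# start with '#' as comments, so the notes sit on their own lines rather
# than trailing a value (a trailing "# ..." is rejected as garbage).
write_ssh_config_stanza() {
    file=$1 host_alias=$2 ip=$3 wui_local=$4 display=$5
    set -- $(vnc_ports "$display")
    {
        echo "Host $host_alias"
        echo "    # IP address of the NST system"
        echo "    HostName $ip"
        echo "    User root"
        echo "    ForwardX11 yes"
        echo "    # Tunnel access to the NST WUI"
        echo "    LocalForward $wui_local 127.0.0.1:80"
        echo "    # Tunnel access to the VNC web server and RFB for display :$display"
        echo "    LocalForward $1 127.0.0.1:$1"
        echo "    LocalForward $2 127.0.0.1:$2"
    } > "$file"
}

# Reads "ss -ltn" output on stdin and checks that each tunnel port given as
# an argument listens on loopback only. A listener on 0.0.0.0, *, or a LAN
# address would re-expose the WUI or VNC service the tunnel was meant to hide.
# Returns 0 when all given ports are loopback-only, 1 otherwise.
check_loopback_only() {
    rc=0
    while IFS= read -r line; do
        for p in "$@"; do
            case "$line" in
                *"127.0.0.1:$p "*|*"[::1]:$p "*) ;;
                *":$p "*)
                    echo "port $p is not bound to loopback: $line" >&2
                    rc=1 ;;
            esac
        done
    done
    return $rc
}

# Constructed "ss -ltn" output: the WUI and VNC web forwards are on loopback,
# but the RFB forward was started with a wildcard bind address.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8000      0.0.0.0:*
LISTEN 0      128    127.0.0.1:5806      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5906        0.0.0.0:*'

# Prints the full command line from the page and audits the sample output.
demo() {
    echo "ssh $(build_tunnel_args 8000 6) root@192.168.20.201"
    if printf '%s\n' "$SAMPLE_SS" | check_loopback_only 8000 5806 5906; then
        echo "all tunnel ports are loopback-only"
    else
        echo "WARNING: at least one tunnel port is reachable from the network"
    fi
}

demo
```

On a live system, replace SAMPLE_SS with the real output of "ss -ltn" (or "netstat -ltn" on older hosts) after "ssh nst" is up; the check fails loudly if any forward was started with a wildcard bind address.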


Setting Up Tunnels

Accessing The NST WUI Through The Tunnel

Running X Applications Through The Tunnel

Connecting To A VNC Desktop Through The Tunnel