HowTo Limit Remote Access To "ssh" Connections
Overview
In order to increase operational security, it is desirable to limit the remote access points into a system, and to either disable the use of insecure protocols (such as X or VNC) or to wrap these insecure protocols within a secure networking layer such as an ssh tunnel or VPN.
The goal of this "HowTo" is to:
- Demonstrate how to disable port 443 (https), thus limiting access to the NST system to port 22 (ssh).
- Securely access the NST WUI using an ssh tunnel through port 22.
- Securely run X applications across an ssh tunnel through port 22.
- Securely run a VNC session across an ssh tunnel through port 22.
Disabling Remote HTTPS Access
Using "ssh" To Access The System
The command shown below will establish an ssh connection (through port 22) to the NST system having the IP address 192.168.20.201:
ssh -X -L 8000:127.0.0.1:80 -L 5806:127.0.0.1:5806 -L 5906:127.0.0.1:5906 root@192.168.20.201
The command line shown enables secure access to the following:
- Launching X based applications (such as firefox) on the NST system and having them display on your system (your system must be running an X server).
- Access to the NST WUI via: http://127.0.0.1:8000.
- Access to a NST VNC session via: http://127.0.0.1:5806 (you'll need to set up the VNC session first).
- Access to a NST VNC session via: vncviewer 127.0.0.1:6
In order to avoid a lot of typing, the information above can be added to your ~/.ssh/config file as a host entry:
Host nst
    # Change to the IP address of your NST system
    HostName=192.168.20.201
    User=root
    ForwardX11=yes
    # Tunnel access to the NST WUI
    LocalForward=8000 127.0.0.1:80
    # Tunnel access to the VNC web server for display :6
    LocalForward=5806 127.0.0.1:5806
    # Tunnel access to VNC for display :6
    LocalForward=5906 127.0.0.1:5906
Once the configuration has been created, you can simply run:
ssh nst
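As an added check that is not part of the original HowTo, the following Python parses a host entry like the one above, confirms that every tunnel listens on loopback on your side and connects to loopback on the NST side (so nothing is exposed beyond port 22), and rebuilds the equivalent one-off ssh command line. SAMPLE_CONFIG is a constructed copy of the entry; the parser handles only the subset of ssh_config syntax used here.

```python
import re

# Constructed copy of the host entry from this HowTo (assumed to live in ~/.ssh/config).
SAMPLE_CONFIG = """\
# tunnels into the NST box
Host nst
  HostName=192.168.20.201
  User=root
  ForwardX11=yes
  LocalForward=8000 127.0.0.1:80
  LocalForward 5806 127.0.0.1:5806
  LocalForward=5906 127.0.0.1:5906
"""

LOOPBACK = {"", "localhost", "127.0.0.1", "::1"}  # '' = bind address omitted

def parse_ssh_config(text):
    """Return {alias: [(keyword, value), ...]}; accepts both 'Key value' and
    'Key=value' forms and skips '#' comment lines, as ssh_config does."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)\s*(?:=\s*|\s+)(.*)$", line)
        if not m:
            raise ValueError(f"unparseable ssh_config line: {raw!r}")
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current, hosts[value] = value, []
        elif current is not None:
            hosts[current].append((key, value))
    return hosts

def local_forwards(entries):
    """Each LocalForward as (bind_address, listen_port, target_host, target_port)."""
    out = []
    for key, value in entries:
        if key == "localforward":
            listen, target = value.split()
            bind, _, port = listen.rpartition(":")      # bind is '' when omitted
            thost, _, tport = target.rpartition(":")
            out.append((bind, int(port), thost, int(tport)))
    return out

def loopback_only(entries):
    """True when no tunnel end is reachable from other hosts: client listeners are
    loopback-bound, GatewayPorts is not enabled, and targets are the NST loopback."""
    gateway = any(k == "gatewayports" and v.lower() != "no" for k, v in entries)
    return not gateway and all(b in LOOPBACK and th in LOOPBACK
                               for b, _, th, _ in local_forwards(entries))

def ssh_command(entries):
    """Rebuild the equivalent 'ssh -X -L ... user@host' command for a host entry."""
    opts = {k: v for k, v in entries if k != "localforward"}
    args = ["ssh"] + (["-X"] if opts.get("forwardx11", "no").lower() == "yes" else [])
    for bind, port, thost, tport in local_forwards(entries):
        args += ["-L", (f"{bind}:" if bind else "") + f"{port}:{thost}:{tport}"]
    user = opts.get("user")
    args.append(f"{user}@{opts['hostname']}" if user else opts["hostname"])
    return " ".join(args)
```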