Remote connections to LINUX


Page 1: Remote connections to LINUX

8/28/2001 Presented by Robert Searle from PlatinumJava.com

1

Remote connections to LINUX

Virtual Network Computing

SSH – puTTY

Not a security talk

Page 2: Remote connections to LINUX


Ask Question NOW

Just Yell it out This is really informal

Page 3: Remote connections to LINUX


Who is Robert Searle

Software (JAVA) developer for 6+ years
Not a Linux GURU, Security Expert or Consultant
The information is offered ‘as-is’; there is no implied or expressed warranty of any kind
Hopefully accurate, but please verify it with a professional
Security issues are always changing; keep up-to-date

No system is hacker proof!

Page 4: Remote connections to LINUX


Study: IT Budgets Opening Up to Linux

http://www.newsfactor.com/perl/story/12808.html

Just a really cool picture

Page 5: Remote connections to LINUX


What is VNC

A remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.

Page 6: Remote connections to LINUX


Virtual Network Computing

http://www.uk.research.att.com/vnc/

The GNU General Public License: http://www.uk.research.att.com/vnc/gpl.html

‘Remote Desktop’

Page 7: Remote connections to LINUX


Getting Started with VNC

vncserver :2                 (start a server as display :2; it listens on TCP port 5902)
vncpasswd                    (set the password the server will ask for)
xterm -display snoopy:2 &    (run an application on that display)
vncserver -kill :2           (shut the server down again)
http://snoopy:5802/          (the built-in web server is on 5800 + display number, so :2 is 5802)

The browser route needs a Java-capable browser, unless a proxy is used to connect.

Page 8: Remote connections to LINUX


How to make VNC faster?

http://www.uk.research.att.com/vnc/faq.html#q50

Don't use 24-bit colour if you can use 16 or 8.

On Unix you can run multiple servers, so a big 16-bit desktop for work and a small 8-bit one for home will run happily at lower resolution.

A 1280x1024 screen has more than 4 times as many pixels as a 640x480 one; if all you are doing is checking a printer queue you probably don't need them all!

Note, though, that on WinVNC, 16-bit colour is usually the best to use (see the FAQ).

Page 9: Remote connections to LINUX


How does it work

http://www.uk.research.att.com/vnc/docs.html

Page 10: Remote connections to LINUX


DEMO of VNC

Go to WEB Site Read “Getting Started”

Download Install Run Use

Page 11: Remote connections to LINUX


Security and VNC

Access to your VNC desktop generally allows access to your whole environment, so security is obviously very important for internet users.

Page 12: Remote connections to LINUX


How secure is VNC?

VNC uses a challenge-response password scheme to make the initial connection: the server sends a random series of bytes, which are encrypted using the password typed in and then returned to the server, which checks them against the 'right' answer. The password itself therefore never crosses the network.

After that, however, the session data is unencrypted and could be watched by anyone able to sniff the traffic.
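The handshake described above, as an added example that is not part of the presentation or of the VNC code. It assumes a stand-in keyed function: VNC DES-encrypts the 16-byte challenge with the password (truncated or padded to 8 bytes) as the key, and Python's standard library has no DES, so HMAC-SHA256 takes that role here; the exchange and what it does and does not protect are otherwise the same. Names such as VncLikeServer and offline_guess are this example's own.

```python
"""Password challenge-response of the kind VNC uses for its initial
connection.  Added example; not VNC's or the presentation's code.

VNC encrypts the 16-byte challenge with DES keyed by the password.  The
standard library has no DES, so HMAC-SHA256 stands in as the keyed
transform (an assumption of this example).  The exchange itself
(challenge -> keyed response -> server check) is unchanged, and so is the
consequence that anyone who records one exchange can test password
guesses offline.
"""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple


def keyed_response(password: str, challenge: bytes) -> bytes:
    """Client side: derive the response from the password and challenge.
    VNC would DES-encrypt the challenge with the 8-byte password as key;
    the truncation/padding to 8 bytes is kept, the cipher is the stand-in."""
    key = password.encode()[:8].ljust(8, b"\0")
    return hmac.new(key, challenge, hashlib.sha256).digest()


class VncLikeServer:
    """Server side: issue a fresh random challenge per connection and
    compare the client's answer against the locally computed one."""

    def __init__(self, password: str) -> None:
        self._password = password  # VNC keeps this in ~/.vnc/passwd

    def challenge(self) -> bytes:
        return os.urandom(16)      # 16 random bytes, as in the VNC handshake

    def check(self, challenge: bytes, response: bytes) -> bool:
        expected = keyed_response(self._password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def authenticate(server: VncLikeServer, password: str) -> Tuple[bool, bytes, bytes]:
    """Run one exchange.  Returns (ok, challenge, response): the last two are
    exactly what a passive listener on the wire would record."""
    c = server.challenge()
    r = keyed_response(password, c)
    return server.check(c, r), c, r


def offline_guess(challenge: bytes, response: bytes,
                  candidates: Iterable[str]) -> Optional[str]:
    """What a sniffer can do with one captured (challenge, response) pair:
    try candidate passwords until one reproduces the response.  No further
    network traffic is needed."""
    for guess in candidates:
        if hmac.compare_digest(keyed_response(guess, challenge), response):
            return guess
    return None
```

The point of offline_guess is the caveat that belongs with "the password is not sent": a passive listener who records one challenge and response can check password guesses at leisure, and only the first 8 characters of the password count. That, together with the cleartext session that follows, is why the later slides wrap the whole connection in SSH rather than relying on the handshake.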

Page 13: Remote connections to LINUX


Will VNC work through a firewall

Many modern firewalls will allow outgoing connections initiated from inside, so you can often access servers on outside machines.

If your internet access is through a router which does Network Address Translation, you may be able to configure the router to redirect particular incoming ports to particular machines. For example, with WinVNC on display 0 on machine snoopy and on display 1 on machine woodstock, set your router to send port 5900 to snoopy and 5901 to woodstock. Bear in mind that this exposes the unencrypted VNC port itself to the Internet; forwarding port 22 instead and tunnelling VNC through SSH (later slides) lets the 59xx ports stay closed.

Page 14: Remote connections to LINUX


TCP/IP ports used by VNC

The most important one is 59xx, where xx is the display number. The VNC protocol itself runs over this port. So for most PC servers the port will be 5900, because they use display 0 by default. The built-in web server for the Java viewer uses 58xx in the same way.

A display number larger than 99 is interpreted as a direct port number; 5900 is not added.

If you are running a viewer in ‘listening’ mode, where it accepts connections initiated by the server, it will listen for incoming VNC on port 5500.

Page 15: Remote connections to LINUX


Securing VNC

Since VNC runs over a simple single TCP/IP socket, it is easy to add support for SSL or some other encryption scheme if this is important to you, or to tunnel it through something like SSH or Zebedee.

Block ports 5900 – 5999 at the firewall from the outside, so that the only way in is through the tunnel.

Page 16: Remote connections to LINUX


Secure SHell

A login window to a remote machine. Traffic between the two machines is encrypted; the session keys are negotiated using public key cryptography.

ssh snoopy

Just like a telnet session, but safer: nothing, including the password, goes over the wire in the clear.

Page 17: Remote connections to LINUX


PuTTY: A Free Win32 Telnet/SSH Client

http://www.chiark.greenend.org.uk/~sgtatham/putty/

A better telnet: colour support, tab support, encryption (SSH).

Page 18: Remote connections to LINUX


Demo of puTTY

Use root
It is safer than telnet
Login
I do not know how to allow any IP address to login through SSH. Does the audience?

Page 19: Remote connections to LINUX


15 min Break

Page 20: Remote connections to LINUX


Making VNC more secure using SSH

http://www.uk.research.att.com/vnc/sshvnc.html

VNC's password handshake on its own is reasonably secure; the password is not sent over the network. Once connected, however, traffic between the viewer and the server is unencrypted and could be snooped by someone with access to the network. Tunnelling the connection through SSH fixes that.

Page 21: Remote connections to LINUX


SSH has tricks up its sleeve

You can also ask the ssh client to listen on a particular port on your local machine and forward that down the secure connection to a port on a machine at the other end. For example,

ssh -L x:snoopy:y snoopy

means “Start an SSH connection to snoopy, and also listen on port x on my machine, and forward any connections there to port y on snoopy.”

Page 22: Remote connections to LINUX


Piping VNC

Now, the VNC protocol normally uses TCP port 59xx, where xx is the display number of the server. If you forward these ports to a remote machine, you can make the remote VNC server appear to be a server running on your local machine (fw to win).

Imagine you had a VNC server running as display :1 on machine snoopy, and you wanted a secure connection to it from your local machine.

Page 23: Remote connections to LINUX


SSL-ish—VNC via SSH

You could start the ssh session using:

ssh -L 5902:snoopy:5901 snoopy

Local port 5902 is display :2, so any reference to display :2 on your local machine would actually connect to display :1 on snoopy (port 5901). The local port must be 5900 + the local display number, or vncviewer will never find it. So instead of running

vncviewer snoopy:1 (unsecure!!)

you run

vncviewer localhost:2 (going through SSH encryption)

The second hop, snoopy:5901, is made by sshd on snoopy itself, so it can equally be written localhost:5901; with the 59xx ports blocked at the firewall, the VNC server need not be reachable from outside at all.
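The port arithmetic behind the last three slides (59xx for display xx, numbers above 99 taken literally, and the -L forward that makes a remote display appear as a local one), as an added example that is not code from the presentation or from the VNC or OpenSSH projects. The host name snoopy, the display numbers and the function names are constructed for illustration; the generated forward targets localhost on the remote side, which is what naming snoopy there resolves to once sshd makes the hop.

```python
"""Display-number and SSH-tunnel arithmetic for VNC.

Added example, not code from the presentation or from the VNC project.
Host names, display numbers and function names are constructed for
illustration.
"""
from typing import Dict, Optional, Tuple

VNC_BASE_PORT = 5900          # RFB protocol: display :n listens on 5900+n
HTTP_BASE_PORT = 5800         # built-in web server for the Java viewer: 5800+n
LISTENING_VIEWER_PORT = 5500  # a viewer in 'listening' mode waits here


def vnc_port(display: int, base: int = VNC_BASE_PORT) -> int:
    """Map a display number to the TCP port the server listens on.

    Display numbers above 99 are taken as literal port numbers, so :5901
    and :1 address the same server.
    """
    if display < 0:
        raise ValueError("display number must be non-negative")
    if display > 99:
        return display
    return base + display


def parse_target(target: str) -> Tuple[str, int]:
    """Parse a vncviewer-style 'host:display' string into (host, port).
    An empty host (':2') means the local machine."""
    host, sep, disp = target.rpartition(":")
    if not sep or not disp.isdigit():
        raise ValueError(f"expected host:display, got {target!r}")
    return (host or "localhost"), vnc_port(int(disp))


def ssh_tunnel(remote_host: str, remote_display: int, local_display: int,
               ssh_user: Optional[str] = None) -> Dict[str, str]:
    """Build the ssh -L command and the matching local vncviewer target.

    The forward's destination is 'localhost' as seen from sshd on the
    remote side, so the VNC server only has to accept loopback connections
    once its 59xx port is firewalled from the outside.  The local port is
    derived from the local display number, which is what keeps
    'vncviewer localhost:<local_display>' pointing at the tunnel.
    """
    local_port = vnc_port(local_display)
    remote_port = vnc_port(remote_display)
    dest = f"{ssh_user}@{remote_host}" if ssh_user else remote_host
    return {
        "ssh": f"ssh -L {local_port}:localhost:{remote_port} {dest}",
        "vncviewer": f"vncviewer localhost:{local_display}",
    }


if __name__ == "__main__":
    cmds = ssh_tunnel("snoopy", remote_display=1, local_display=2)
    print(cmds["ssh"])        # ssh -L 5902:localhost:5901 snoopy
    print(cmds["vncviewer"])  # vncviewer localhost:2
```

Using a different local display number is what makes the mapping visible: local :2 is port 5902, which the tunnel ties to remote :1 on 5901, and the viewer never learns that the server is on another machine.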

Page 24: Remote connections to LINUX


DEMO of VNC-SSH

Demo of VNC with SSH, with ipchains or iptables; show its logs.

Page 25: Remote connections to LINUX


How safe is it now?

How safe is your firewall? Your physical machine? The password system?

How up-to-date is your firewall? Your packages (bind, sshd, vnc, ssl)?

Seek a professional! Risk vs. benefits.

Page 26: Remote connections to LINUX


Well, did I kill anyone?

Read the VNC website. Slides will be available later at http://www.platinumjava.com

I am still redesigning the site, so any comments are welcome!

How could this presentation be better? Voting on web site… E-mail me.

Page 27: Remote connections to LINUX


Bye

Thanks for coming to the TLUG presentation, and remember to give your feedback to me about the VNC presentation!