remote connections to linux
8/28/2001 Presented by Robert Searle from PlatinumJava.com
Remote connections to LINUX
Virtual Network Computing
SSH – puTTY
Not a security talk
Ask Question NOW
Just yell it out
This is really informal
Who is Robert Searle
Software (JAVA) developer for 6+ years
Not a Linux GURU, Security Expert or Consultant
The information is offered 'as-is'
There is no implied or expressed warranty of any kind
Hopefully accurate, but please verify it with a professional
Security issues are always changing; keep up-to-date
No system is hacker proof!
Study: IT Budgets Opening Up to Linux
http://www.newsfactor.com/perl/story/12808.html
Just a really cool picture
What is VNC
A remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.
Virtual Network Computing
http://www.uk.research.att.com/vnc/
The GNU General Public License: http://www.uk.research.att.com/vnc/gpl.html
‘Remote Desktop’
Getting Started with VNC
vncserver :2
vncpasswd
xterm -display snoopy:2 &
vncserver -kill :2
http://snoopy:5802/ (the built-in web server listens on port 5800 + display number)
Needs a Java-capable browser! (unless using a proxy to connect)
How to make VNC faster?
http://www.uk.research.att.com/vnc/faq.html#q50
Don't use 24-bit color if you can use 16 or 8.
On Unix you can run multiple servers, so run a big 16-bit desktop for work and a small 8-bit one for home.
Run happily at lower resolution: a 1280x1024 screen has more than 4 times as many pixels as a 640x480 one, and if all you are doing is checking a printer queue you probably don't need them all!
Note, though, that on WinVNC, 16-bit colour is usually the best to use. See below…
How does it work
http://www.uk.research.att.com/vnc/docs.html
DEMO of VNC
Go to WEB Site Read “Getting Started”
Download Install Run Use
Security and VNC
Access to your VNC desktop generally allows access to your whole environment, so security is obviously very important for internet users.
How secure is VNC?
VNC uses a challenge-response password scheme to make the initial connection: the server sends a random series of bytes, which are encrypted using the password typed in (the password, limited to eight characters, is used as a DES key), and then returned to the server, which checks them against the 'right' answer.
After that the data is unencrypted and could, in theory, be watched by other malicious users.
Will VNC work through a firewall
Many modern firewalls will allow outgoing connections initiated from inside, so you can often access servers on outside machines.
If your internet access is through a router which does Network Address Translation, you may be able to configure the router to redirect particular incoming ports to particular machines. For example, with WinVNC running as display 0 on machine snoopy and as display 1 on machine woodstock, set your router to send port 5900 to snoopy and 5901 to woodstock.
TCP/IP ports used by VNC
The most important one is 59xx, where xx is the display number. The VNC protocol itself runs over this port.
So for most PC servers, the port will be 5900, because they use display 0 by default.
If a VNC program is given a display number larger than 99, it will interpret it as a direct port number and will not add 5900.
If you are running a viewer in 'listening' mode, where it accepts connections initiated by the server, it will listen for incoming VNC on port 5500.
Securing VNC
Since VNC runs over a simple single TCP/IP socket, it is easy to add support for SSL or some other encryption scheme if this is important to you, or to tunnel it through something like SSH or Zebedee.
At the firewall, block ports 5900 – 5999 from the outside.
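As an added example (not code from the original slides), here is the "block ports 5900 – 5999" advice written out as an iptables rule set. It prints the rules by default and only loads them when run as root with --apply; the interface name and the SSH source range are illustrative assumptions:

```shell
#!/bin/sh
# Added example, not code from the original slides: the "block ports 5900-5999"
# advice as an iptables rule set. By default it only prints the rules; run as
# root with --apply to load them. IFACE and SSH_FROM are illustrative
# assumptions, adjust them to your network.
set -eu

IFACE=${IFACE:-eth0}              # Internet-facing interface (assumption)
SSH_FROM=${SSH_FROM:-0.0.0.0/0}   # narrow this to your own address range if you can

# Print the rules, one iptables command per line. Order matters: flush first,
# allow loopback and already-established traffic, allow the one service that
# is exposed (SSH), log and drop the VNC ranges, and only then switch the
# default policy to DROP so an existing SSH session is never cut mid-way.
vnc_firewall_rules() {
    echo "iptables -F INPUT"
    # Loopback must stay open: "vncviewer localhost:2" talks to ssh -L here.
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to connections this host opened itself.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # SSH is the only way in; the VNC session rides inside it.
    echo "iptables -A INPUT -i $IFACE -p tcp -s $SSH_FROM --dport 22 -j ACCEPT"
    # VNC protocol (59xx) and the Java-viewer HTTP server (58xx): the default
    # policy would drop these anyway, but an explicit, rate-limited LOG rule
    # gives "show its logs" something to show.
    for range in 5900:5999 5800:5899; do
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $range -m limit --limit 5/min -j LOG --log-prefix \"VNC-BLOCKED \""
        echo "iptables -A INPUT -i $IFACE -p tcp --dport $range -j DROP"
    done
    echo "iptables -P INPUT DROP"
}

if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply the rules" >&2; exit 1; }
    vnc_firewall_rules | sh -e
else
    vnc_firewall_rules
fi
```

Blocked connection attempts show up in the kernel log (dmesg or syslog) with the VNC-BLOCKED prefix, which is the quickest way to confirm the rules are doing their job. If SSH_FROM is left at 0.0.0.0/0 the only thing standing between the Internet and your desktop is sshd, so narrow it when you can.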
Secure SHell
Login window to a remote machine. Traffic between the two machines is encrypted; public-key cryptography authenticates the server and sets up the session key.
ssh snoopy
Just like a telnet session, but safer.
PuTTY: A Free Win32 Telnet/SSH Client
http://www.chiark.greenend.org.uk/~sgtatham/putty/
A better telnet: color support, tab support, encryption
Demo of puTTY
Use root. It is safer than telnet.
Login. I do not know how to allow any IP address to login through SSH. Does the audience?
15 min Break
Making VNC more secure using SSH
http://www.uk.research.att.com/vnc/sshvnc.html
This is reasonably secure; the password is not sent over the network.
Once connected, however, traffic between the viewer and the server is unencrypted, and could be snooped by someone with access to the network.
SSH has tricks up its sleeve
You can also ask ssh to listen on a particular port on your local machine, and forward that down the secure connection to a port on a machine at the other end. For example, ssh -L x:snoopy:y snoopy
means "Start an SSH connection to snoopy, and also listen on port x on my machine, and forward any connections there to port y on snoopy."
Piping VNC
Now, the VNC protocol normally uses TCP port 59xx, where xx is the display number of the server.
If you forward these ports to a remote machine, you can make the remote VNC server appear to be a server running on your local machine (fw to win)
Imagine you had a VNC server running as display :1 on machine snoopy, and you wanted a secure connection to it from your local machine
SSL-ish—VNC via SSH
You could start the ssh session using: ssh -L 5902:snoopy:5901 snoopy
Any references to display :2 on your local machine (port 5902) would then actually connect to display :1 on snoopy, so instead of running vncviewer snoopy:1 (insecure!!)
you could run vncviewer localhost:2 (going through SSH encryption).
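An added example (not code from the original slides) that turns the display-number rule from the "TCP/IP ports" slide and the forwarding recipe above into shell functions, so the 5902/5901 arithmetic is done for you. The host name snoopy is the slides' own; the -localhost server option mentioned in the comments is assumed to exist in your Xvnc build (TightVNC and RealVNC have it):

```shell
#!/bin/sh
# Added example, not code from the original slides: the display-to-port rule
# from the "TCP/IP ports" slide and the ssh -L tunnel from the "VNC via SSH"
# slide, wrapped in functions. "snoopy" is the slides' own example host name.
set -eu

# VNC protocol port for display N: 5900 + N, except that a "display number"
# above 99 is taken as a literal port and nothing is added.
vnc_port() {
    if [ "$1" -gt 99 ]; then
        echo "$1"
    else
        echo $((5900 + $1))
    fi
}

# Port of the built-in HTTP server that hands out the Java viewer: 5800 + N.
vnc_http_port() {
    echo $((5800 + $1))
}

# Port a viewer started with -listen waits on: 5500 + N (plain -listen is 5500).
vnc_listen_port() {
    echo $((5500 + ${1:-0}))
}

# Print (or, with a fourth argument "run", execute) the two commands that make
# display REMOTE_DISPLAY on REMOTE_HOST appear as display LOCAL_DISPLAY on this
# machine, with every VNC byte carried inside the SSH connection.
vnc_over_ssh() {
    local_display=$1
    remote_host=$2
    remote_display=$3
    mode=${4:-print}

    lport=$(vnc_port "$local_display")
    rport=$(vnc_port "$remote_display")

    # The local end of the forward binds to loopback only (ssh's default as
    # long as GatewayPorts is off), so nobody else on your LAN can ride it.
    # The remote end is "localhost", not the host name the slide used, so the
    # sshd on the far side connects to its own loopback; that lets you start
    # the server there with "vncserver -localhost" (available in TightVNC and
    # RealVNC Xvnc, an assumption about your version) and port 59xx is then
    # never reachable from the network at all.
    # -N: no remote shell; -f: go to the background once authenticated.
    ssh_cmd="ssh -f -N -L ${lport}:localhost:${rport} ${remote_host}"
    viewer_cmd="vncviewer localhost:${local_display}"

    if [ "$mode" = run ]; then
        $ssh_cmd
        $viewer_cmd
    else
        echo "$ssh_cmd"
        echo "$viewer_cmd"
    fi
}

# The slides' own case: display :1 on snoopy, seen locally as display :2.
vnc_over_ssh 2 snoopy 1
```

Run with "vnc_over_ssh 2 snoopy 1 run" to actually open the tunnel and the viewer. A quick check that the tunnel, and not the raw 59xx port, is what you are using: netstat -tln on the local machine should show 5902 bound to 127.0.0.1 and nothing listening on 5901.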
DEMO of VNC-SSH
Demo of VNC with SSH, plus ipchains or iptables
Show its logs
How safe is it now?
How safe is your firewall? Your physical machine? The password system?
How up-to-date is your firewall? Your packages?
bind, sshd, vnc, ssl
Seek a professional! Risk vs. benefits
Well, did I kill anyone?
Read the VNC website
Slides will be available later at http://www.platinumjava.com
I am still redesigning the site, so any comments are welcome!
How could this presentation be better?
Voting on web site… E-mail me
Bye
Thanks for coming to the TLUG presentation, and remember to give me your feedback about the VNC presentation!