Remote connections to LINUX
Virtual Network Computing
SSH – puTTY
Not a security talk
Presented by Robert Searle from PlatinumJava.com
Ask Questions NOW
• Just yell it out
• This is really informal
Who is Robert Searle
• Software (JAVA) developer for 6+ years
• Not a Linux GURU, Security Expert or Consultant
• The information is offered ‘as-is’
• There is no implied or expressed warranty of any kind
• Hopefully accurate, but please verify it with a professional
• Security issues are always changing: keep up-to-date
• No system is hacker proof!
Study: IT Budgets Opening Up to Linux
• http://www.newsfactor.com/perl/story/12808.html
• Just a really cool picture
What is VNC
A remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.
Virtual Network Computing
• http://www.uk.research.att.com/vnc/
• The GNU General Public License
• http://www.uk.research.att.com/vnc/gpl.html
• ‘Remote Desktop’
Getting Started with VNC
• vncserver :2 (start a server as display :2; it listens on TCP port 5902)
• vncpasswd (set the password viewers must give)
• xterm -display snoopy:2 & (open a window on that desktop)
• vncserver -kill :2 (stop the server again)
• http://snoopy:58xx/ where xx is the display number (http://snoopy:5802/ for display :2) serves the Java viewer applet
• Java-capable browser needed (unless you connect through a proxy)
How to make VNC faster?
• http://www.uk.research.att.com/vnc/faq.html#q50
• Don't use 24-bit colour if you can use 16 or 8
• On Unix you can run multiple servers, so run a big 16-bit desktop for work and a small 8-bit one for home
• Run happily at lower resolution
• A 1280x1024 screen has more than 4 times as many pixels as a 640x480 one; if all you are doing is checking a printer queue you probably don't need them all!
• Note, though, that on WinVNC, 16-bit colour is usually the best to use. See below…
How does it work
• http://www.uk.research.att.com/vnc/docs.html
DEMO of VNC
• Go to the web site
• Read "Getting Started"
• Download
• Install
• Run
• Use
Security and VNC
Access to your VNC desktop generally allows access to your whole environment, so security is obviously very important for internet users.
How secure is VNC?
• VNC uses a challenge-response password scheme to make the initial connection:
• the server sends a random series of bytes, which the viewer encrypts using the password typed in and returns to the server, which checks them against the 'right' answer.
• The password itself never crosses the wire, but the scheme is weak: the password is used as a DES key, so only its first 8 characters count, and anyone who captures one challenge/response pair can test password guesses against it offline, without the server ever noticing.
• After that the session data (keystrokes, screen contents) is unencrypted and could be watched by anyone on the network path.
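The scheme above, worked through in Go as an added example (this is not code from the talk or from the AT&T VNC distribution). VNCResponse computes the reply a viewer sends for a 16-byte challenge using the standard library's crypto/des with the password as the key, and CrackVNC runs the offline guessing attack that a captured challenge/response pair allows. The challenge, the password "snoopy1" and the word list are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"fmt"
)

// vncKey turns a VNC password into the 8-byte DES key that RFB's "VNC
// Authentication" uses: the password is truncated or zero-padded to 8 bytes
// (only the first 8 characters ever matter) and each byte's bit order is
// reversed, a quirk of the original implementation that every viewer copies.
func vncKey(password string) []byte {
	key := make([]byte, 8)
	copy(key, password) // at most 8 bytes; the rest stay zero
	for i, b := range key {
		var r byte
		for j := 0; j < 8; j++ {
			r = r<<1 | (b>>j)&1
		}
		key[i] = r
	}
	return key
}

// VNCResponse is what a viewer returns for the server's 16-byte random
// challenge: the challenge encrypted with single DES in ECB mode under
// vncKey(password), one 8-byte block at a time.
func VNCResponse(password string, challenge []byte) ([]byte, error) {
	if len(challenge) != 16 {
		return nil, fmt.Errorf("VNC challenge must be 16 bytes, got %d", len(challenge))
	}
	block, err := des.NewCipher(vncKey(password))
	if err != nil {
		return nil, err
	}
	resp := make([]byte, 16)
	for off := 0; off < 16; off += 8 {
		block.Encrypt(resp[off:off+8], challenge[off:off+8])
	}
	return resp, nil
}

// CrackVNC is why "the password is never sent" is weak comfort: with one
// sniffed challenge/response pair, candidate passwords can be tested offline
// without touching the server again, so no lockout or logging ever fires.
func CrackVNC(challenge, response []byte, candidates []string) (string, bool) {
	for _, pw := range candidates {
		got, err := VNCResponse(pw, challenge)
		if err == nil && bytes.Equal(got, response) {
			return pw, true
		}
	}
	return "", false
}

func main() {
	// Constructed exchange (not a real capture): a fixed "random" challenge
	// and the reply a viewer would send for the password "snoopy1".
	challenge := []byte("0123456789abcdef")
	response, _ := VNCResponse("snoopy1", challenge)
	fmt.Printf("challenge %x\nresponse  %x\n", challenge, response)

	// Constructed word list for the offline attack.
	wordlist := []string{"password", "woodstock", "linux", "snoopy1"}
	if pw, ok := CrackVNC(challenge, response, wordlist); ok {
		fmt.Println("recovered password:", pw)
	}
}
```

Two things to notice when running it: a password longer than 8 characters gives exactly the same response as its first 8 characters, and the attacker needs nothing beyond the two 16-byte values a sniffer sees on port 59xx. That is the reason the rest of the talk puts VNC inside SSH rather than on the open network.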
Will VNC work through a firewall?
• Many modern firewalls allow outgoing connections initiated from inside, so you can often access servers on outside machines.
• If your internet access is through a router which does Network Address Translation, you may be able to configure the router to redirect particular incoming ports to particular machines.
• Example: WinVNC with display number 0 on machine snoopy, and with display 1 on machine woodstock
• Set your router to send port 5900 to snoopy and 5901 to woodstock.
• Forwarding the VNC ports straight from the Internet puts the weak VNC password check on the open network; forwarding only SSH and tunnelling VNC through it (later in this talk) is the safer choice.
TCP/IP ports used by VNC
• The most important one is 59xx, where xx is the display number. The VNC protocol itself runs over this port.
• So for most PC servers the port will be 5900, because they use display 0 by default.
• A viewer given a display number larger than 99 interprets it as a port number directly and does not add 5900.
• If you are running a viewer in ‘listening’ mode, where it accepts connections initiated by the server, it listens for incoming VNC connections on port 5500.
Securing VNC
• Since VNC runs over a simple single TCP/IP socket, it is easy to add support for SSL or some other encryption scheme if this is important to you,
• or to tunnel it through something like SSH or Zebedee.
• Block ports 5900 – 5999 (and 5800 – 5899, the Java viewer ports) from the outside at the firewall, so the only way to reach VNC is through the tunnel.
Secure SHell
• Login window to a remote machine.
• Traffic between the two machines is encrypted: public-key cryptography authenticates the server (and optionally the user) and agrees a session key, and a symmetric cipher then encrypts everything that follows.
• ssh snoopy
• Just like a telnet session, but safer
PuTTY: A Free Win32 Telnet/SSH Client
• http://www.chiark.greenend.org.uk/~sgtatham/putty/
• A better telnet
• Colour support
• Tab support
• Encryption
Demo of puTTY
• Use root (for the demo only: on a real server set PermitRootLogin no in sshd_config and log in as an ordinary user)
• It is safer than telnet
• Login
• I do not know how to allow any IP address to log in through SSH
• Does the audience?
15 min Break
Making VNC more secure using SSH
• http://www.uk.research.att.com/vnc/sshvnc.html
• Plain VNC is only reasonably secure: the password is not sent over the network, but once connected, traffic between the viewer and the server is unencrypted and could be snooped by anyone with access to the path.
• Tunnelling the VNC connection through SSH fixes that.
SSHd has tricks up its sleeve
• You can also request that ssh listens on a particular port on your local machine, and forwards that down the secure connection to a port on a machine at the other end. For example,
• ssh -L x:snoopy:y snoopy
• means "Start an SSH connection to snoopy, and also listen on port x on my machine, and forward any connections there to port y on snoopy."
• By default the local port x is bound to 127.0.0.1 only, so other machines on your network cannot use your tunnel.
Piping VNC
• Now, the VNC protocol normally uses TCP port 59xx, where xx is the display number of the server.
• If you forward these ports to a remote machine, you can make the remote VNC server appear to be a server running on your local machine (fw to win)
• Imagine you had a VNC server running as display :1 on machine snoopy, and you wanted a secure connection to it from your local machine
SSL-ish – VNC via SSH
• You could start the ssh session using:
• ssh -L 5902:snoopy:5901 snoopy
• Local display :2 is port 5902 and snoopy's display :1 is port 5901, so the local port must be 5902 (not 6902) for "localhost:2" to hit the tunnel. Now any reference to display :2 on your local machine actually connects to display :1 on snoopy, so instead of running:
• vncviewer snoopy:1 (insecure!!)
• you run:
• vncviewer localhost:2 (going through SSH encryption)
• For the tunnel to be the only way in, snoopy's port 5901 must still be blocked from outside; if your vncserver supports -localhost, start it that way and use ssh -L 5902:localhost:5901 snoopy, so sshd on snoopy makes the final hop over its own loopback.
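The forwarding half of ssh -L, written out in Go as an added example (not code from the talk, and not ssh itself: real ssh carries the copied bytes inside its encrypted channel and sshd on snoopy makes the final hop, whereas this forwarder dials the target directly). It shows what "listen on port x on my machine and forward any connection to port y" means in practice, and why the entrance belongs on 127.0.0.1. The echo server standing in for snoopy's VNC server, the loopback addresses and the "RFB 003.003" payload are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io"
	"net"
)

// Forwarder is the local half of "ssh -L": it listens on a local address and
// copies each accepted connection to the target in both directions.
type Forwarder struct {
	ln     net.Listener
	target string
}

// StartForwarder binds listenAddr and forwards to target. Bind 127.0.0.1 (the
// ssh -L default), never 0.0.0.0: an entrance open to the LAN lets any
// neighbour ride your tunnel with your credentials.
func StartForwarder(listenAddr, target string) (*Forwarder, error) {
	ln, err := net.Listen("tcp", listenAddr)
	if err != nil {
		return nil, err
	}
	f := &Forwarder{ln: ln, target: target}
	go f.serve()
	return f, nil
}

// Addr reports the bound address (useful when port 0 was requested).
func (f *Forwarder) Addr() string { return f.ln.Addr().String() }
func (f *Forwarder) Close() error { return f.ln.Close() }

func (f *Forwarder) serve() {
	for {
		c, err := f.ln.Accept()
		if err != nil {
			return // listener closed
		}
		go f.handle(c)
	}
}

func (f *Forwarder) handle(c net.Conn) {
	defer c.Close()
	r, err := net.Dial("tcp", f.target)
	if err != nil {
		return
	}
	defer r.Close()
	done := make(chan struct{}, 2)
	go func() { io.Copy(r, c); done <- struct{}{} }()
	go func() { io.Copy(c, r); done <- struct{}{} }()
	<-done // either side closing tears down both
}

// StartEchoServer stands in for the remote VNC server on a kernel-chosen
// loopback port: it sends back whatever it receives.
func StartEchoServer() (net.Listener, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); io.Copy(c, c) }(c)
		}
	}()
	return ln, nil
}

// RoundTrip dials addr, writes msg and reads back exactly len(msg) bytes.
func RoundTrip(addr, msg string) (string, error) {
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	if _, err := c.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	if _, err := io.ReadFull(c, buf); err != nil {
		return "", err
	}
	return string(buf), nil
}

func main() {
	echo, err := StartEchoServer() // stand-in for snoopy's VNC server
	if err != nil {
		panic(err)
	}
	fw, err := StartForwarder("127.0.0.1:0", echo.Addr().String())
	if err != nil {
		panic(err)
	}
	// "RFB 003.003\n" is the RFB version greeting, used here as a constructed payload.
	reply, err := RoundTrip(fw.Addr(), "RFB 003.003\n")
	fmt.Printf("via %s: %q err=%v\n", fw.Addr(), reply, err)
}
```

With the real command, ssh plays the Forwarder role on your machine and sshd on snoopy plays the dialling side; the bytes between them are what the SSH cipher protects, which is exactly the stretch a plain vncviewer snoopy:1 leaves readable.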
DEMO of VNC-SSH
• DEMO of VNC with SSH
• ipchains or iptables
• Show its logs
How safe is it now?
• How safe is your firewall? Your physical machine? The password system?
• How up-to-date is your firewall? Your packages? (bind, sshd, vnc, ssl)
• Seek a professional!
• Risk vs Benefits
Well, did I kill anyone?
• Read the VNC website
• Slides will be available later…
• http://www.platinumjava.com
• I am still redesigning the site, so any comments are welcome!
• How could this presentation be better?
• Voting on web site…
• E-mail me
Bye
Thanks for coming to the TLUG presentation and remember to give your feedback to me about the VNC presentation!