VNC, SSH, PUTTY--Remote connections to LINUX

Remote connections to LINUX
Virtual Network Computing
SSH – puTTY
Not a security talk
8/28/2001
Presented by Robert Searle from PlatinumJava.com
Ask Questions NOW
- Just yell it out
- This is really informal
Who is Robert Searle
- Software (JAVA) developer for 6+ years
- Not a Linux GURU, security expert or consultant
- The information is offered 'as-is'
- There is no implied or expressed warranty of any kind
- Hopefully accurate, but please verify it with a professional
- Security issues are always changing; keep up-to-date

No system is hacker proof!
Study: IT Budgets Opening Up to Linux
- http://www.newsfactor.com/perl/story/12808.html
- Just a really cool picture
What is VNC
A remote display system which allows you to view a computing 'desktop' environment not only on the machine where it is running, but from anywhere on the Internet and from a wide variety of machine architectures.
Virtual Network Computing
- http://www.uk.research.att.com/vnc/
- The GNU General Public License: http://www.uk.research.att.com/vnc/gpl.html
- 'Remote Desktop'
Getting Started with VNC
vncserver :2
vncpasswd
xterm -display snoopy:2 &
vncserver -kill :2
http://snoopy:5800+display number/ (e.g. http://snoopy:5802/ for display :2)
Java-capable browser! (unless a proxy is used to connect)
How to make VNC faster?
- http://www.uk.research.att.com/vnc/faq.html#q50
- Don't use 24-bit color if you can use 16 or 8
- On Unix you can run multiple servers, so a big 16-bit desktop for work and a small 8-bit one for home.
- Run happily at lower resolution: a 1280x1024 screen has more than 4 times as many pixels as a 640x480 one; if all you are doing is checking a printer queue you probably don't need them all!
- Note, though, that on WinVNC, 16-bit colour is usually the best to use. See below…
How does it work
- http://www.uk.research.att.com/vnc/docs.html
DEMO of VNC
- Go to WEB site
- Read "Getting Started"
- Download
- Install
- Run
- Use
Security and VNC
Access to your VNC desktop generally allows access to your whole environment, so security is obviously very important for internet users.
How secure is VNC?
- VNC uses a challenge-response password scheme to make the initial connection: the server sends a random series of bytes, which are encrypted using the password typed in, and then returned to the server, which checks them against the 'right' answer.
- After that the data is unencrypted and could, in theory, be watched by other malicious users
Will VNC work through a firewall
- Many modern firewalls will allow outgoing connections initiated from inside, so you can often access servers on outside machines.
- If your internet access is through a router which does Network Address Translation, you may be able to configure the router to redirect particular incoming ports to particular machines.
- Example: WinVNC with a display number of 0 on machine snoopy, and with display 1 on machine woodstock. Set your router to send port 5900 to snoopy and 5901 to woodstock.
TCP/IP ports used by VNC
- The most important one is 59xx, where xx is the display number. The VNC protocol itself runs over this port.
- So for most PC servers, the port will be 5900, because they use display 0 by default.
- If given a display number larger than 99, VNC will interpret it as a direct port number and will not add 5900.
- If you are running a viewer in 'listening' mode, where it accepts connections initiated by the server, it will listen for incoming VNC on port 5500.
Securing VNC
- Since VNC runs over a simple single TCP/IP socket, it is easy to add support for SSL or some other encryption scheme if this is important to you, or to tunnel it through something like SSH or Zebedee.
- Block ports 5900 – 5999
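An added example (not from the slides) of the "block ports 5900 – 5999" advice as iptables rules, written so that the SSH-tunnelled viewer described later still works: the network-facing interface name (default eth0) and the log prefix are my assumptions.

```shell
# Added example, not part of the original presentation: iptables rules that
# refuse direct VNC connections from the network while leaving the SSH path
# and the loopback path (used by an ssh -L forward) open.
# Assumption: the outside interface is eth0; pass another name as $1.

# Print each rule by default; run with APPLY=1 as root to execute them instead.
rule() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

vnc_firewall_rules() {
    iface=${1:-eth0}
    # Keep SSH reachable: it is the only port a tunnelled viewer needs.
    rule iptables -A INPUT -i "$iface" -p tcp --dport 22 -j ACCEPT
    # A forward such as "ssh -L 6902:snoopy:5901 snoopy" delivers the VNC
    # connection to the server over loopback, so loopback must stay open.
    rule iptables -A INPUT -i lo -j ACCEPT
    # Log and then drop direct VNC (59xx) from the network, so the demo's
    # "show its logs" step has something to show.
    rule iptables -A INPUT -i "$iface" -p tcp --dport 5900:5999 -j LOG --log-prefix "VNC-direct:"
    rule iptables -A INPUT -i "$iface" -p tcp --dport 5900:5999 -j DROP
    # The built-in Java viewer (58xx over HTTP) is a second door; close it too.
    rule iptables -A INPUT -i "$iface" -p tcp --dport 5800:5899 -j DROP
}
```

Running `vnc_firewall_rules` prints the rule set for review; `APPLY=1 vnc_firewall_rules eth0` as root applies it.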
Secure SHell
- Login window to a remote machine.
- Traffic is encrypted between the two machines using public key encryption.
- ssh snoopy
- Just like a telnet session, but safer
PuTTY: A Free Win32 Telnet/SSH Client
- http://www.chiark.greenend.org.uk/~sgtatham/putty/
- A better telnet: color support, tab support, encryption
Demo of puTTY
- Use root
- It's safer than telnet
- Login
- I do not know how to allow any IP address to login through SSH. Does the audience?
15 min Break
Making VNC more secure using SSH
http://www.uk.research.att.com/vnc/sshvnc.html
This is reasonably secure; the password is not sent over the network. Once connected, however, traffic between the viewer and the server is unencrypted, and could be snooped by someone with access.
SSHd has tricks up its sleeve
- You can also request that it listens on a particular port on your local machine, and forwards that down the secure connection to a port on a machine at the other end. For example,
  ssh -L x:snoopy:y snoopy
  means "Start an SSH connection to snoopy, and also listen on port x on my machine, and forward any connections there to port y on snoopy."
Piping VNC
- Now, the VNC protocol normally uses TCP port 59xx, where xx is the display number of the server.
- If you forward these ports to a remote machine, you can make the remote VNC server appear to be a server running on your local machine (fw to win)
- Imagine you had a VNC server running as display :1 on machine snoopy, and you wanted a secure connection to it from your local machine
SSL-ish—VNC via SSH
- You could start the ssh session using:
  ssh -L 6902:snoopy:5901 snoopy
- Any references to display :2 on your local machine would actually connect to display :1 on snoopy, so instead of running a vncviewer:
  vncviewer snoopy:1 (unsecure!!)
- you could run:
  vncviewer localhost:2 (going through SSH encryption)
DEMO of VNC-SSH
- DEMO of vnc with ssh
- ipchains or iptables: show its logs
How safe is it now?
How safe is
- your firewall?
- your physical machine?
- the password system?

How up-to-date is
- your firewall?
- your packages? (bind, sshd, vnc, ssl)

Seek a professional!
Risk vs Benefits
Well, did I kill anyone?
- Read the VNC website
- Slides will be available later… http://www.platinumjava.com
- I am still redesigning the site, so any comments are welcome!
- How could this presentation be better? Voting on web site… E-mail me
Bye
Thanks for coming to the TLUG presentation and remember to give your feedback to me about the VNC presentation!