Re: ssh and vnc problem

From: Carlo Luciano Bianco (clbianco@tiscalinet.it)
Date: 11/09/02


From: Carlo Luciano Bianco <clbianco@tiscalinet.it>
Date: 8 Nov 2002 23:58:08 GMT

MistaLovaLova <not.available@this.time> wrote in
news:MPG.18347fdeca78d1e1989683@news.fhcrc.org:

> Hello,

Hello to you and hello to all the NG, because this is my first post
here...

> I currently have a linux box that I am trying to lock down with
> iptables and still be able to use vnc over ssh to update it via GUI /
> RedHat Network. Currently, I have two RedHat Linux 8 machines running
> openssh 3.4p1-2. I have iptables set up on one machine to allow
> connections to port 22(ssh), but nothing over port 1024 (basically
> anything that is incoming and has a source port over 1024 is dropped).

Ok, but SSH connections also have a source port > 1024. The destination
port is 22, where the server is listening, but the source port opened by
the client can be any port > 1024. I hope your firewall does not block
*any* incoming connection with source port > 1024, because in this case
SSH cannot work at all.
  
> I have looked at a couple of sites that talk about using ssh and vnc,
> but for some reason, they do not make sense.

Well... I could suggest that you look at my webpage about SSH & VNC,
but it is written in Italian and it is also under construction,
so let's go on... ;-)

> Objective:
> Connect to RH-2 vncserver from RH-1 via ssh without opening additional
> ports on the firewall.

OK, it can be done.

> I read about using the command for ssh forwarding:
> ssh -L 5801:somehost:5801 somehost

To be more precise:

ssh -L 5901:somehost1:5901 somehost2

The port used by VNC is 5900 plus the display number, so it is 5901 in
your case. Somehost1 and somehost2 do not need to be the same.

> From what I can tell, this is supposed to be executed on the host that I
> am going to run the vncviewer on (192.168.0.219),

Yes...

> and that any
> connections to 192.168.0.219:5801 should be forwarded to 192.168.0.22
> through the firewall via port 22.

Yes, but remember: the port number is 5901...

> (My firewall should see [source
> address:port] to be 192.168.0.219:22 and [dest addr:port]
> 192.168.0.22:22, right?)

Well, not exactly. Your firewall sees two different connections. The first
is from 192.168.0.219:XXXX (any port > 1024) to 192.168.0.22:22 and is
made by the SSH client on RH-1 to the SSH server on RH-2. The second
connection is from 192.168.0.22:XXXX (any port > 1024) to
192.168.0.22:5901 and is made by the SSH server to forward the tunnelled
connection to VNCserver.

> Then once received by the destination host,
> the address becomes 192.168.0.22:5801 and I should be able to access the
> vncserver.

See above.

> Well, the command executes fine, and asks me for the
> password to 192.168.0.22, and accepts the password.

So your firewall allows at least the first of the above two connections.

> But when I type
> vncviewer 192.168.0.219:1 OR localhost:1, I get a reply that 'Couldnt
> connect to VNC Server'.

So the second connection goes wrong.

> Please let me know what I need to change or check. Thanks

First of all you should check the port: it is 5901 and not 5801. The 5801
port is for the HTTP server used by the Java client (as also Steven Wilmot
is suggesting).

Second, you have to check that the second of the above connections is
allowed by the firewall.

Third, you have to check that the setting "AllowTcpForwarding yes" is
present in your /etc/sshd_config on RH-2. If it is not present, the tunnel
cannot be established.

Fourth, if it is possible in your case, I suggest that you bind VNCserver to
localhost only. In this way you are forced to connect through the SSH
tunnel. You should start VNCserver with the command "vncserver -localhost"
(but check the documentation of your VNC distribution). Then the SSH
command to use on RH-1 is "ssh -L5901:localhost:5901 192.168.0.22".
Finally, you can start "vncviewer localhost:1" on RH-1. Of course, the
firewall on RH-2 must allow loopback connections on 127.0.0.1, but I think
it already allows them.

-- 
Carlo Luciano

GPG ElG/DSA 4096/1024 Key: http://web.tiscali.it/clbianco/clbianco.asc ID: 0x5324A0DA - Fingerprint: 8B00C61034120506111B143DEDBF71B45324A0DA
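The two connections described in the reply above (ssh client to port 22, then sshd on RH-2 to the local VNC port) are easy to get wrong in a filter that keys on source ports. The following is an added example, not code from the thread or from either poster: a toy first-match packet filter that evaluates both legs of the tunnelled session, plus a direct connection to the VNC port, against two INPUT rule sets for RH-2. The interface names, ephemeral source ports and the iptables lines quoted in the comments are assumptions made for illustration; the addresses, display number and port arithmetic (5900 + display for RFB, 5800 + display for the Java viewer's HTTP server) are the ones discussed in the thread.

```python
"""Toy model of the two connections that make up an SSH-tunnelled VNC session,
evaluated against two INPUT rule sets on the VNC host (RH-2, 192.168.0.22).

Constructed example: packets, interface names, ephemeral ports and the rule
sets are illustrative, not captured from the poster's machines."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


def vnc_port(display: int) -> int:
    """RFB (VNC) listening port for a display: 5900 + display number."""
    return 5900 + display


def vnc_http_port(display: int) -> int:
    """Port of VNC's built-in HTTP server for the Java viewer: 5800 + display number."""
    return 5800 + display


def tunnel_command(display: int, server: str) -> str:
    """Client-side ssh command for a tunnel to a VNC server bound to localhost on `server`."""
    port = vnc_port(display)
    return f"ssh -L {port}:localhost:{port} {server}"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on: "lo" or "eth0" (assumed names)
    src: str
    sport: int
    dst: str
    dport: int
    state: str   # connection-tracking state: "NEW" or "ESTABLISHED"


Rule = Tuple[Callable[[Packet], bool], str]


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins, as in an iptables chain; otherwise the chain policy applies."""
    for matches, verdict in rules:
        if matches(pkt):
            return verdict
    return policy


# Rule set 1: the INPUT chain roughly as the original poster describes it, i.e.
#   iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#   iptables -A INPUT -p tcp --sport 1025:65535 -j DROP
NAIVE_INPUT: List[Rule] = [
    (lambda p: p.dport == 22, "ACCEPT"),
    (lambda p: p.sport > 1024, "DROP"),
]

# Rule set 2: a stateful INPUT chain that permits only what the tunnel needs, i.e.
#   iptables -P INPUT DROP
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
STATEFUL_INPUT: List[Rule] = [
    (lambda p: p.iface == "lo", "ACCEPT"),
    (lambda p: p.state == "ESTABLISHED", "ACCEPT"),
    (lambda p: p.dport == 22 and p.state == "NEW", "ACCEPT"),
]

# Constructed packets as seen by the INPUT chain on RH-2 (192.168.0.22).
# The ephemeral source ports are made up; any value above 1024 behaves the same way.
SCENARIO: Dict[str, Packet] = {
    # connection 1: ssh client on RH-1 to sshd on RH-2
    "ssh_syn": Packet("eth0", "192.168.0.219", 34567, "192.168.0.22", 22, "NEW"),
    "ssh_data": Packet("eth0", "192.168.0.219", 34567, "192.168.0.22", 22, "ESTABLISHED"),
    # connection 2: sshd on RH-2 forwarding the tunnel to vncserver on display :1
    "tunnel_to_vnc": Packet("lo", "127.0.0.1", 40001, "127.0.0.1", vnc_port(1), "NEW"),
    # not part of the tunnel: a direct connection to the VNC port from the LAN
    "direct_vnc": Packet("eth0", "192.168.0.219", 40002, "192.168.0.22", vnc_port(1), "NEW"),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the given rule set for every packet in the scenario."""
    return {name: evaluate(rules, pkt) for name, pkt in SCENARIO.items()}


def tunnel_works(rules: List[Rule]) -> bool:
    """True when both legs of the tunnelled session are accepted."""
    v = verdicts(rules)
    return all(v[k] == "ACCEPT" for k in ("ssh_syn", "ssh_data", "tunnel_to_vnc"))


if __name__ == "__main__":
    print("tunnel command:", tunnel_command(1, "192.168.0.22"))
    for label, rules in (("naive", NAIVE_INPUT), ("stateful", STATEFUL_INPUT)):
        print(f"{label}: {verdicts(rules)}  tunnel works: {tunnel_works(rules)}")
```

Running it shows the failure mode from the thread: the naive chain accepts the ssh connection (destination port 22 matches before the source-port rule) but drops sshd's loopback connection to 127.0.0.1:5901, so the viewer reports that it cannot connect. The stateful chain accepts loopback and established traffic, admits new connections only to port 22, and still drops a direct connection to 5901 from the LAN, which is the defence-in-depth complement to starting vncserver with -localhost.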


