Wednesday, 19 December 2007

Tunneling VNC over SSH with PuTTY

This page will show you how to tunnel VNC over a secure SSH connection using PuTTY, so you can securely administer computers which are behind your Smoothwall server via the internet.

Information on tunnelling other types of TCP traffic over SSH is also provided.

For more information on tunnelling VNC over SSH, or if you're not using PuTTY, have a look at my Tunnelling VNC Over SSH page.

Rather than using the root account for tunnelling traffic over SSH, you can create additional shell user accounts.

VNC:
VNC stands for Virtual Network Computing. It allows you to remotely view and control a PC desktop, and will run on a wide variety of operating systems.

Visit the VNC website for more information, or to download it.

VNC and Security:
Because access to a VNC desktop generally allows access to your whole computer, security is very important.

VNC uses encryption when making an initial connection, and when you log in. Once connected, all VNC data is unencrypted, and a malicious user could snoop on your VNC session.

There are also a number of VNC scanning programs available, which will scan a subnet looking for PCs which are listening on one of the ports which VNC uses.

Tunnelling VNC over an SSH connection allows you to use VNC to access your computer(s) which are behind your Smoothwall server, with all traffic strongly encrypted, and optionally compressed.

Additionally, no VNC port is ever open to the internet, so anyone scanning for open VNC ports will not be able to find your computers.
When tunnelling VNC over an SSH connection, the only port which you're opening on your Smoothwall server is its SSH port, 222.

Requirements:
You'll need:
  • A Smoothwall installation (obviously...).
  • PuTTY 0.52 or later.
  • VNC installed on the PC on your green network.
  • TCP port 222 opened on your Smoothwall server.
  • The red IP address of your Smoothwall server (or a dynamic dns account).

Setting up the Tunnel:
To allow incoming SSH connections via the red interface to your Smoothwall server, you'll have to open TCP port 222 on the "external access" page of your Smoothwall GUI.

You'll also need to have VNC installed on the computer(s) on your green network (ie, behind your Smoothwall) which you want to remotely administer.

The diagram below shows the configuration I'll use to describe the process of tunnelling VNC over SSH.


PC 1 is a Windows PC, with VNC Viewer and PuTTY installed on it.
PC 2 is your Smoothwall server.
PC 3 is a PC behind your Smoothwall server, running VNC Server.

From PC 1, you need to establish an SSH connection with PuTTY, and get PuTTY to forward the VNC port over this SSH connection.
To do this, you need to configure PuTTY as follows:

For the hostname, specify the hostname or red IP address of your Smoothwall server.
Select the SSH protocol, and specify the port as 222.


Then go to the Tunnels configuration, and add a new forwarded port, specifying the source port as 5901, and the destination as host:5900, where host is the name or IP address of the PC on your green network which you want to remotely connect to, 5901 is the port number on your local PC which you will be forwarding, and 5900 is the VNC port on your PC on your green network.

Click the Add button to add this forwarded port.


Note that the destination port numbers may need to be modified for your particular configuration. A VNC Server on a Windows PC will listen on port 5900, while the first VNC instance on a Linux server will listen on port 5901, the second on port 5902, etc.

Also note that if you specify a destination hostname instead of an IP address, your Smoothwall server must be able to resolve this hostname.

If you want to save the configuration settings before proceeding, go back to the Session configuration, specify a saved session name, and click the save button.

To connect to your Smoothwall server, click the Open button.


When the connection is established, you'll be prompted for a username (specify root) and the root password of your Smoothwall server. Log in, and you'll have an SSH prompt on your Smoothwall server.

You now have a secure SSH connection between your Windows PC and your Smoothwall server, and are forwarding port 5901 to port 5900 on your PC on your green network.

Connecting with VNC:
To establish the VNC connection to the PC on your green network, start VNC Viewer on your PC, and connect to port 5901 on localhost (ie, connect to localhost:1), and PuTTY will forward the traffic on port 5901 over the secure SSH link to your Smoothwall server.


You can then safely administer the PCs on your green network over this secure channel.
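Once the PuTTY session is open, the local end of the forward can be checked before starting VNC Viewer. The script below is an added example, not part of the original post: it maps a viewer target such as localhost:1 to its TCP port (5900 plus the display number) and reads the 12-byte "RFB xxx.yyy" banner that a VNC server sends first, so a closed tunnel or a wrong destination shows up straight away. The function names are assumptions made for this example.

```python
import re
import socket

VNC_BASE_PORT = 5900  # VNC display :N listens on TCP 5900 + N

def viewer_target(target):
    """Turn a viewer target such as 'localhost:1' into (host, tcp_port)."""
    host, _, display = target.rpartition(":")
    if not host or not display.isdigit():
        raise ValueError("expected host:display, got %r" % target)
    return host, VNC_BASE_PORT + int(display)

def read_rfb_version(host, port, timeout=3.0):
    """Connect and parse the 12-byte banner a VNC server sends first.

    Returns (major, minor), e.g. (3, 8) for b'RFB 003.008\\n'. Raises
    ValueError if the peer is not speaking RFB, and OSError if nothing is
    listening (tunnel not open, or wrong source port).
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = b""
        while len(banner) < 12:
            chunk = sock.recv(12 - len(banner))
            if not chunk:
                break
            banner += chunk
    match = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if match is None:
        raise ValueError("not a VNC server: %r" % banner)
    return int(match.group(1)), int(match.group(2))

def check_tunnel(target="localhost:1"):
    """Report on the local end of the forward described in this post."""
    host, port = viewer_target(target)
    try:
        major, minor = read_rfb_version(host, port)
    except OSError as exc:
        return "%s:%d unreachable (%s): is the PuTTY session open?" % (host, port, exc)
    except ValueError as exc:
        return "%s:%d answered, but %s: check the tunnel destination" % (host, port, exc)
    return "%s:%d forwards to a VNC server (RFB %d.%d)" % (host, port, major, minor)

if __name__ == "__main__":
    print(check_tunnel("localhost:1"))
```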

Tunnelling Other Traffic:
Note that SSH can be used to tunnel most types of TCP traffic, and is certainly not limited to tunnelling VNC.
For example, it's possible to tunnel Terminal Services traffic (aka Remote Desktop in Windows XP) in the same way, by tunnelling TCP port 3389.

Similarly, telnet (TCP port 23), SMTP (TCP port 25), POP3 (TCP port 110), HTTP (TCP port 80), HTTPS (TCP port 443), IRC (typically TCP port 6667), and most other types of TCP traffic can be tunnelled over SSH in the same way.

For most of these, you'll need to keep the source and destination port in the tunnel configuration the same, and then configure the client application to just connect to localhost.

You can also tunnel Smoothwall's HTTPS web interface over SSH, allowing you full remote access to your Smoothwall, but with only the SSH port open.
To do so, you'll need to configure PuTTY to tunnel TCP port 441 to localhost:441, and then use your web browser to go to https://localhost:441.

Some Notes on Tunnelling Remote Desktop
When tunnelling Windows XP's Remote Desktop (RDP) over SSH, you cannot use the Remote Desktop client on a Windows XP desktop to connect to localhost, as the client on Windows XP prevents loopback connections.

The solution to this is to use an alternative IP address for the source port. Instead of specifying 3389 as the source port in PuTTY, specify 127.0.0.2:3389, and specify the destination as described above.

Once you have an SSH tunnel established, use the RDP client to connect to 127.0.0.2, and you should connect to the specified target PC.

Dynamic DNS:
If you want to connect to your Smoothwall server via the internet, you'll need to know its red IP address.

The easiest way to do this is to sign up for a (free) dynamic DNS account, such as no-ip.com.
Refer to the services->dynamic dns page of your Smoothwall GUI to see which ones are supported natively by Smoothwall GPL.

Once you've signed up with a dynamic DNS provider, you'll have to configure your Smoothwall server to register with this provider whenever it establishes an internet connection. This configuration can all be done through the Smoothwall GUI.

Once configured, you'll then be able to connect to the red interface of your Smoothwall server via the internet, using the domain name you signed up with.


Wednesday, 6 June 2007

Class Notes

1- LDAP - API - X.500

2- FTP and S/FTP } SSH (port 22)
Client FTP ----> SVR FTP (port 21 control)
<---- (port 20 data)

3- Windows file shares

4- Exercises

Web Security

Look for these

  1. What is SQL injection?
    • Web attack mechanisms used by hackers to steal data from organizations.
    • Application layer attack techniques.
    • Takes advantage of improper coding of your web applications that allows a hacker to inject SQL commands into, say, a login form to gain access to the data held within your database. (Fields available for user input allow SQL statements to pass through and query the database directly.)
  2. What is cross site scripting (also known as XSS or CSS)?
    • One of the most common application layer hacking techniques.
    • Technique that leverages vulnerabilities in the code of a web application to allow an attacker to send malicious content from an end-user and collect some type of data from the victim.
    • Dynamic websites suffer from serious vulnerabilities to cross site scripting attacks on their data.
    • Mistrusted content can be introduced into a dynamic page.
    • Cross Site Scripting allows an attacker to embed malicious JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable dynamic page to fool the user, executing the script on his machine in order to gather data.
    • Will occur anywhere a web application uses input from a user in the output it generates without validating it.

Resource: www.acunetix.com

www.ihackstuff.com
Looked at it and downloaded some interesting stuff (security lectures and seminars).

Google:

  • IE buffer overflow
    • The bug takes advantage of the way some versions of the IE browser handle long strings of JScript code.
    • The bug allows a malicious programmer to take advantage of the way the browser reads a long URL, or, in this case, a long string of JScript code. After the maximum number of characters expected on a string is exceeded, the browser crashes, and the remaining characters--potentially comprising malicious code--go into memory, where they may be executed.

  • IE vulnerabilities

    • Much criticism of Internet Explorer is related to concerns about security: Much of the spyware, adware, and computer viruses across the Internet are made possible by exploitable bugs and flaws in the security architecture of Internet Explorer, sometimes requiring nothing more than viewing of a malicious web page in order to install themselves. This is known as a "drive-by download": an attempt to trick the user into installing malicious software by misrepresenting the software's true purpose in the description section of an ActiveX security alert.

    • While Internet Explorer is not alone in having exploitable vulnerabilities, its ubiquity has resulted in many more affected computers when vulnerabilities are found. Microsoft has not responded as quickly as competitors in fixing security holes and making patches available. Not only are there more security holes discovered in Internet Explorer, but these vulnerabilities tend to remain unpatched for a much longer time, in some cases giving malicious web site operators months to exploit them before Microsoft releases a patch.

    • Internet Explorer was known to have exploit code for unpatched critical flaws for 284 days of 2006. Compare this with 9 days for Mozilla Firefox!

  • Porn sites exploit new IE flaw

Hackers are taking advantage of a newly discovered vulnerability in Internet Explorer to install spyware on PCs that visit a number of Russian porn sites.

The malware, first reported Monday by researchers at Sunbelt Software Inc., takes advantage of an unpatched flaw in the way IE processes Vector Markup Language (VML) code. VML is a language used to display graphic information on the Web.

The porn sites and a couple of others use an exploit kit called Web Attacker, and it looks like the Web Attacker kit has been upgraded to include this new exploit.

Wednesday, 30 May 2007

Class Notes

Answers up to 64 from the review questions
Look for these:
www.acunetix.com
  • What is SQL injection
  • What is cross site scripting
www.ihackstuff.com

Google:
IE buffer overflow
IE vulnerabilities
Porn sites exploit new IE flaw


Process Explorer

Wednesday, 23 May 2007

Class Notes

Use Ethereal to trace your messaging
  1. What ports are being used
  2. What server addresses are being used
  3. Is any of your message clear text -- username / password -- message data

A brief report
  • IM name prot used
  • server used
  • how to manage through Linux and Microsoft

What are the differences between MSN, Yahoo, Google Talk etc. and Exchange IM server or Lotus Sametime?

Wednesday, 16 May 2007

Class Work

next class time 23/5/07-- Unit 3 Q 1---> 83

  • Check OpenSSL on the FTP server and install it on the systems:
Install the OpenSSL library
If you are installing from the RPM, run the commands:
rpm -i openssl-0.x.y.rpm
rpm -i openssl-devel-0.x.y.rpm

If installing from the source, you will need to compile and install it with the commands:
tar xvzf openssl-0.x.y.tar.gz
cd openssl-0.x.y
./Configure (or ./config in new OpenSSL versions)
make (we have a problem at this stage because the C compiler is not installed as part of the OS)
make install

  • Install SSL under Linux (use Net_SSLeay.pm-1.23)

Install the Net::SSLeay module
To install the module, use the commands:
tar xvzf Net_SSLeay.pm-x.yy.tar.gz
cd Net_SSLeay.pm-x.yy
perl Makefile.PL
make install

If you have installed OpenSSL from the RPM, you may need to run perl Makefile.PL /usr in order to find the OpenSSL library properly.

  • Then open Webmin using SSL

Wednesday, 2 May 2007

Class Notes

Doing the projects:
1--> 11 and then 65 --> 67

Lab 1: Navigating in Linux:
mkdir - cd - touch (creating file) - ls -l (view detailed contents) - cp (copy) - mv (move)

Lab 2: Creating and modifying users & groups
useradd -g users student1 (add a user account named student1)
passwd student1 (password)
usermod -u 507 student1 (change the UID)
groupadd -g 510 Testers (creating a group named Testers)

Lab 3: Viewing file details

Lab 4: Installing Webmin
from sourceforge.org
webmin-1.340-1.noarch.rpm
install
https://localhost:10000/
authentication root - password (similar to credential)

What is Webmin?
Webmin is a web-based interface for system administration for Unix. Using any browser that supports tables and forms (and Java for the File Manager module), you can set up user accounts, Apache, DNS, file sharing and so on.

Webmin consists of a simple web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The web server and all CGI programs are written in Perl version 5, and use no non-standard Perl modules.
Webmin is a lifesaver for me. While I do know how to use the command line, the Webmin interface is just quicker to use. Almost anything can be accomplished using Webmin, from adding new users, to deleting databases, to editing the Apache config file. It's all there to be accessed from a GUI web-based interface.

Keeping Webmin up to date with the most current version is a MUST. As with anything, having things open to the net does create some security issues. One of the nice things about Webmin is that it will automatically update itself every night and send you an email of the actions taken.