LinuxQuestions.org


bandersen 03-24-2004 01:07 PM

SSH and VNC

I am brand new to Linux. Week 2. I am running Red Hat 9.0 with IceWM.

I have successfully installed VNC and can connect from my Windows PC at work.

Someone suggested that I use SSH, so I downloaded the PuTTY client and followed the instructions.

I can now ssh to my Linux box, log in, start VNC and launch a localhost VNC session on the forwarded port from my Windows PC at work.

The only problem is I can still connect with VNC on the port that I was originally connecting to without SSH.

This is the content of my /etc/sysconfig/iptables:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:20 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 22:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT

What am I missing? What do I need to do on my Linux machine to block non-tunnel access to VNC?

thanks
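As an added illustration of the gap in the ruleset above (example code, not from the thread): the INPUT policy is ACCEPT and the RH-Lokkit chain rejects only 0:1023, 2049, 6000:6009 and 7100, so a VNC display port such as 5901 reaches the server from any interface. The script below parses a constructed subset of the posted rules, walks them first-match like the kernel does, and compares the result with a hypothetical extra REJECT rule for 5900:5999; the loopback ACCEPT that precedes it keeps the SSH-forwarded session working.

```python
# Constructed subset of the poster's /etc/sysconfig/iptables (INPUT policy + TCP rules).
ORIGINAL_RULES = """\
:INPUT ACCEPT [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
"""
# Hypothetical extra rule rejecting the VNC display ports (5900 + display number). Tunnelled
# sessions still arrive on lo, which the earlier "-i lo -j ACCEPT" rule admits first.
VNC_REJECT = "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 5900:5999 --syn -j REJECT\n"
HARDENED_RULES = ORIGINAL_RULES + VNC_REJECT

def parse(text):
    """Return ({chain: policy}, {chain: [rule]}) from iptables-save style text."""
    policies, chains = {}, {}
    opts = {"-p": "proto", "-i": "iface", "-j": "target"}   # option -> rule field
    for line in text.splitlines():
        if line.startswith(":"):                              # ':CHAIN POLICY [pkts:bytes]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy                          # '-' for user-defined chains
        elif line.startswith("-A "):
            toks = line.split()
            rule = dict.fromkeys(("proto", "iface", "dport", "target"))
            for i, tok in enumerate(toks[:-1]):
                if tok in opts:
                    rule[opts[tok]] = toks[i + 1]
                elif tok == "--dport":                        # single port or lo:hi range
                    lo, _, hi = toks[i + 1].partition(":")
                    rule["dport"] = (int(lo), int(hi or lo))
            chains.setdefault(toks[1], []).append(rule)
    return policies, chains

def verdict(text, proto, dport, iface, chain="INPUT"):
    """First-match walk of `chain` for a new inbound connection; no match -> chain policy."""
    policies, chains = parse(text)
    def walk(name):
        for r in chains.get(name, []):
            if (r["proto"] and r["proto"] != proto) or (r["iface"] and r["iface"] != iface) \
                    or (r["dport"] and not r["dport"][0] <= dport <= r["dport"][1]):
                continue
            if r["target"] not in chains:                     # terminating target
                return r["target"]
            hit = walk(r["target"])                           # jump; fall through on no match
            if hit:
                return hit
        return None
    return walk(chain) or policies[chain]
```

`verdict(ORIGINAL_RULES, "tcp", 5901, "eth0")` is ACCEPT, which is exactly the direct access the question describes; with the extra rule it is REJECT while the same port on lo stays ACCEPT. Binding the VNC server to loopback only (TightVNC's `-localhost` option) closes the same hole without touching the firewall.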

bandersen 03-27-2004 10:27 AM

anyone?

Demonbane 03-27-2004 10:49 AM

There isn't much point blocking direct access to the vnc service; the ssh tunnel can only protect against "man in the middle" attacks.

bandersen 03-28-2004 08:30 PM

I don't understand what that means. Can you explain?

statmobile 03-28-2004 09:13 PM

Hmm, I remember reading something about this in the TightVNC documentation I have bookmarked. I'll point you to the website:

http://freesco.no-ip.org/VNC/

Personally I do it through Cygwin on my computer. I use the following line in my Cygwin xterm:
ssh -CL 5902:localhost:5901 <mylinuxbox>
Then at my bash prompt I start the vncserver (figure it's safer to only run this when I actually use it). I open the TightVNC viewer connecting to:
localhost:2
Bam, I'm tunneling through ssh. I finish playing in my xfce environment, and then shut down the vncserver and close the ssh connection.

I hope this helps.

bandersen 03-29-2004 05:53 AM

OK, thanks statmobile. That's what I am doing. I guess I thought I could always leave it running and, say, in your example, not be able to connect via 5901.
