SSH and VNC
I am brand new to Linux. Week 2. I am running Red Hat 9.0 with IceWM.
I have successfully installed VNC and can connect from my Windows PC at work. Someone suggested that I use SSH, so I downloaded the PuTTY client and followed the instructions. I can now SSH to my Linux box, log in, start VNC and launch a localhost VNC session on the forwarded port from my Windows PC at work. The only problem is I can still connect with VNC on the port that I was originally connecting to without SSH. This is the content of my /etc/sysconfig/iptables:

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:20 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 22:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT

What am I missing? What do I need to do on my Linux machine to block non-tunnel access to VNC? Thanks |
anyone?
|
There isn't much point blocking direct access to the VNC service; the SSH tunnel can only protect against "man in the middle" attacks.
|
I don't understand what that means. Can you explain?
|
Hmm, I remember reading something about this in the TightVNC documentation I have bookmarked. I'll point you to the website:
http://freesco.no-ip.org/VNC/

Personally I do it through Cygwin on my computer. I use the following line in my Cygwin xterm:

ssh -CL 5902:localhost:5901 <mylinuxbox>

Then at my bash prompt I start the vncserver (I figure it's safer to only run this when I actually use it). I open the TightVNC viewer connecting to localhost:2. Bam, I'm tunneling through SSH. I finish playing in my Xfce environment, then shut down the vncserver and close the SSH connection. I hope this helps. |
OK, thanks statmobile. That's what I am doing. I guess I thought I could always leave it running and, say, in your example, not be able to connect via 5901.
|
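What the original poster wants (vncserver left running, a direct connection to 5901 from the office refused, the tunnelled connection still working) is a firewall question, and the posted ruleset answers it once you see why 5901 gets through: the RH-Lokkit-0-50-INPUT chain rejects TCP 0:1023, 2049, 6000:6009 and 7100, never mentions the VNC range, and the INPUT policy is ACCEPT, so a SYN to 5901 falls off the end of the chain and is accepted. The script below is an added example, not code from the thread or from Red Hat: it inserts a REJECT for the VNC ports straight after the "-i lo -j ACCEPT" rule, so loopback (which is what the SSH tunnel uses on the Linux side) stays open while eth0/eth1 traffic to those ports is refused. The chain name and the sample rules are copied from the post; the 5900:5909 range and the function names are choices made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): close the direct VNC port so the only
# way in is the SSH tunnel. Works on the iptables-save format that
# /etc/sysconfig/iptables uses on Red Hat 9 (Lokkit-generated rules).
#
# The REJECT goes immediately after "-i lo -j ACCEPT": rules are evaluated in
# order, so a tunnelled connection (arriving from 127.0.0.1 on lo) is accepted
# before the REJECT is reached, while a direct connection on eth0/eth1 hits it.

# Display :N listens on TCP 5900+N; 5900:5909 covers displays :0 to :9.
VNC_PORTS="${VNC_PORTS:-5900:5909}"

# The rule, written in the same style as the existing Lokkit TCP rules.
vnc_reject_rule() {
    printf '%s\n' "-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport $VNC_PORTS --syn -j REJECT"
}

# Read a Lokkit-style rules file on stdin, write it to stdout with the VNC
# REJECT inserted right after the loopback ACCEPT. Safe to run repeatedly:
# if the rule is already present the input is passed through unchanged.
patch_lokkit_rules() {
    input=$(cat)
    rule=$(vnc_reject_rule)
    case "$input" in
        *"$rule"*) printf '%s\n' "$input"; return 0 ;;
    esac
    printf '%s\n' "$input" | awk -v rule="$rule" '
        { print }
        /-i lo -j ACCEPT/ && !done { print rule; done = 1 }
    '
}

# Line number (1-based) of the first stdin line containing the fixed string
# $1, or 0 when absent. Used to check that the ordering came out right.
rule_line_number() {
    n=$(grep -n -F -- "$1" | head -n 1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# The poster's rules, copied from the thread, as constructed sample input.
# (A real /etc/sysconfig/iptables also carries "*filter" at the top and
# "COMMIT" at the bottom; those lines pass through untouched.)
sample_rules() {
cat <<'EOF'
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A FORWARD -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 0/0 --sport 67:68 -d 0/0 --dport 67:68 -i eth1 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:20 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 22:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
EOF
}

# Stand-alone run: print the patched ruleset built from the sample. On the
# real box the same function is applied to the live file:
#   cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
#   patch_lokkit_rules < /etc/sysconfig/iptables.bak > /etc/sysconfig/iptables
#   service iptables restart
sample_rules | patch_lokkit_rules
```

After restarting iptables, check from the Windows box: a VNC viewer (or telnet) aimed at linuxbox:5901 should now be refused, while the tunnelled localhost:5902 session still works, because that connection arrives on lo. A belt-and-braces step, if the Xvnc build lists it in its help output (the TightVNC and RealVNC 3.3 Xvnc servers do), is to start the server with vncserver -localhost, so Xvnc only binds 127.0.0.1 and there is nothing listening on eth0 to block in the first place.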