LinuxQuestions.org
Linux - Server This forum is for the discussion of Linux Software used in a server related context.
Old 10-08-2007, 02:25 AM   #46
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69

No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.
 
Old 10-16-2007, 10:36 AM   #47
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Original Poster
Rep: Reputation: 56
Quote:
Originally Posted by raskin
No, I mean make iptables accept all incoming local traffic and also allow all outgoing local traffic.
If /etc/rc.local on the server is modified as follows:
Code:
# MGMT_NIC_IP below is a placeholder (as in the VMware doc): replace it
# with the address of the management interface before use. The INPUT
# rules are inserted with -I at explicit positions, so keep their order.
#
# INPUT
#

# allow all incoming traffic to the management interface NIC
# as long as it is a part of an established connection
iptables -I INPUT 1 -j ACCEPT -d MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all ssh traffic to the management interface NIC
iptables -I INPUT 2 -j ACCEPT -p tcp -d MGMT_NIC_IP --destination-port 22

# allow all VMware MUI HTTP traffic to the management interface NIC
iptables -I INPUT 3 -j ACCEPT -p tcp -d MGMT_NIC_IP --destination-port 8222

# allow all VMware MUI HTTPS traffic to the management interface NIC
iptables -I INPUT 4 -j ACCEPT -p tcp -d MGMT_NIC_IP --destination-port 8333

# allow all VMware Authorization Daemon traffic to the management interface NIC
iptables -I INPUT 5 -j ACCEPT -p tcp -d MGMT_NIC_IP --destination-port 902

# reject all other traffic to the management interface NIC
iptables -I INPUT 6 -j REJECT -d MGMT_NIC_IP --reject-with icmp-port-unreachable

#
# OUTPUT
#

# allow all outgoing traffic from the management interface NIC
# if it is a part of an established connection
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -m state --state RELATED,ESTABLISHED

# allow all DNS queries from the management interface NIC
iptables -A OUTPUT -j ACCEPT -s MGMT_NIC_IP -p udp --destination-port 53

# to allow X forwarding, allow loopback traffic to and from the proxy X
# servers, i.e. sshd's X11 forwarding listeners on 127.0.0.1 (TCP 6000 +
# display number; displays :10 to :19 with sshd's default X11DisplayOffset
# of 10). This port range allows up to 10 forwarded sessions at once.
iptables -A OUTPUT -s 127.0.0.1 -p tcp --dport 6010:6019 -j ACCEPT
iptables -A OUTPUT -s 127.0.0.1 -p tcp --sport 6010:6019 -j ACCEPT

# reject all other traffic from localhost
iptables -A OUTPUT -j REJECT -s 127.0.0.1 --reject-with icmp-port-unreachable

# reject all other traffic from the management interface NIC
iptables -A OUTPUT -j REJECT -s MGMT_NIC_IP --reject-with icmp-port-unreachable

ssh works both ways without problem with X forwarded. I don't know whether such a change would weaken the security of the server?


satimis
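The same ruleset, rebuilt as a script with a dry-run mode, as an added example that is not part of the thread or of the VMware document the rules came from. It is my code: the shell variable MGMT_NIC_IP, the TEST-NET address 192.0.2.10 standing in for the real management address, and the helper names x11_port_range, mgmt_rules, dry_run and rule_count are all assumptions. Two things differ from the posted rules on purpose: the chains are flushed and the rules appended with -A, so a second run cannot interleave new rules among old ones the way -I with fixed positions does, and the X forwarding port range is derived from sshd's X11DisplayOffset and the number of sessions wanted instead of being hard-coded to 6010:6019.

```shell
#!/bin/sh
# Added example, not from the thread or the VMware document it quotes.
# Builds the management-interface ruleset from variables instead of the
# literal placeholder MGMT_NIC_IP, and supports a dry run so the rules can
# be reviewed before going into /etc/rc.local. Assumptions: the address
# 192.0.2.10 (TEST-NET, stands in for the real management NIC) and the
# helper names x11_port_range, mgmt_rules, dry_run and rule_count.

MGMT_NIC_IP="${MGMT_NIC_IP:-192.0.2.10}"   # assumed placeholder address
IPT="${IPT:-iptables}"                      # command used to load rules

# Print a rule instead of loading it (used by dry_run).
dry_ipt() { printf '%s\n' "$*"; }

# sshd's X11 forwarding listens on 127.0.0.1, TCP 6000 + display number,
# starting at X11DisplayOffset (sshd_config, default 10). Prints the
# "first:last" range covering the given number of concurrent sessions.
x11_port_range() {
    offset="$1"; sessions="$2"
    first=$(( 6000 + offset ))
    last=$(( first + sessions - 1 ))
    printf '%s:%s\n' "$first" "$last"
}

# Load the ruleset in a fixed order. -A after a flush is used instead of
# -I with explicit positions so that a second run cannot interleave new
# rules among old ones. Chain policies are left untouched.
mgmt_rules() {
    ip="$1"; xrange="$2"
    $IPT -F INPUT
    $IPT -F OUTPUT
    # INPUT: established traffic, then ssh and the VMware MUI/authd ports,
    # then reject everything else aimed at the management address.
    $IPT -A INPUT -d "$ip" -m state --state RELATED,ESTABLISHED -j ACCEPT
    for port in 22 8222 8333 902; do
        $IPT -A INPUT -d "$ip" -p tcp --dport "$port" -j ACCEPT
    done
    $IPT -A INPUT -d "$ip" -j REJECT --reject-with icmp-port-unreachable
    # OUTPUT: established traffic and DNS from the management address,
    # X forwarding over loopback, then reject the rest from either source.
    $IPT -A OUTPUT -s "$ip" -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -s "$ip" -p udp --dport 53 -j ACCEPT
    $IPT -A OUTPUT -s 127.0.0.1 -p tcp --dport "$xrange" -j ACCEPT
    $IPT -A OUTPUT -s 127.0.0.1 -p tcp --sport "$xrange" -j ACCEPT
    $IPT -A OUTPUT -s 127.0.0.1 -j REJECT --reject-with icmp-port-unreachable
    $IPT -A OUTPUT -s "$ip" -j REJECT --reject-with icmp-port-unreachable
}

# Print the rules that mgmt_rules would load, without touching the kernel.
dry_run() { ( IPT=dry_ipt; mgmt_rules "$1" "$2" ); }

# Number of -A rules the dry run emits; a quick sanity check of the set.
rule_count() { dry_run "$1" "$2" | grep -c '^-A '; }

# "sh mgmt-fw.sh apply" loads the rules; anything else is a no-op so the
# functions can be sourced or reviewed safely.
if [ "${1:-}" = "apply" ]; then
    mgmt_rules "$MGMT_NIC_IP" "$(x11_port_range 10 10)"
fi
```

Call it as `sh mgmt-fw.sh apply` from /etc/rc.local, and use `dry_run 192.0.2.10 "$(x11_port_range 10 10)"` to read the rules first. The flush assumes nothing else (VMware's own firewall scripts, a distribution firewall service) manages INPUT and OUTPUT; if something does, drop the two -F lines and keep the -I positions from the posted rules instead. The script does not change the chain policies, so traffic matching neither the management address nor 127.0.0.1, such as inbound loopback, still falls through to the default policy exactly as with the posted rules.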
 
Old 10-16-2007, 01:10 PM   #48
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on the server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can already be compromised. Well, yes, the chance to access your X server through forwarding can give an enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X' (though it is interesting whether VNC is better).
 
Old 10-16-2007, 07:37 PM   #49
satimis
Senior Member
 
Registered: Apr 2003
Posts: 3,695

Original Poster
Rep: Reputation: 56
Quote:
Originally Posted by raskin
Well, theoretically everything can somewhat reduce security. But if you already have a malicious process on the server where you ssh... Well, I would say that you have lost the server and need to reinstall it anyway. There is a significant risk that they have already cracked root. Then ssh can already be compromised. Well, yes, the chance to access your X server through forwarding can give an enemy an advantage when trying to take over your desktop (and -X is better than -Y from that point of view), but you still don't have options better than 'ssh -X'
OK, I'll stick to the iptables rules suggested by that doc. I don't need to ssh to the server from a workstation with X forwarding except to remotely configure a headless server. Thanks for your advice.

Quote:
(though it is interesting whether VNC is better).
Which of the following would you recommend?
Code:
http://www.realvnc.com/

http://www.uvnc.com/

http://www.tightvnc.com/

What is the difference in function between VNC and ssh? TIA


satimis
 
Old 10-17-2007, 03:08 PM   #50
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
I used TightVNC. They recommend tunnelling it through SSH, to get encryption with no extra configuration. The benefit of VNC (compared to ssh) is that the entire VNC session is just a window on your desktop, so sniffing your keyboard requires finding an actual arbitrary-code-execution hole in TightVNC or a really obscure way to force vncviewer to deviate from acceptable behavior.
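The tunnelled setup described above, and the VNC question in the previous post, as an added example that is not part of the thread and not TightVNC's own code: Xvnc is started bound to loopback on the server, the workstation reaches it only through an ssh port forward, and a small check confirms the VNC port is not also listening on the management address. The helper names vnc_port, open_tunnel and vnc_bound_local, and the TEST-NET address 192.0.2.10, are my assumptions; the `-localhost` option is TightVNC's.

```shell
#!/bin/sh
# Added example, not from the thread or from TightVNC. Shows the tunnelled
# setup: Xvnc bound to loopback on the server, the client reaching it only
# through an ssh port forward, plus a check that the VNC port is not also
# listening on the management address. Assumed names: vnc_port,
# open_tunnel, vnc_bound_local, and the TEST-NET address 192.0.2.10.

# VNC display :N listens on TCP 5900 + N.
vnc_port() { echo $(( 5900 + $1 )); }

# Client side: forward local 590N to the server's loopback 590N over ssh,
# in the background (-f) with no remote command (-N).
open_tunnel() {
    user="$1"; host="$2"; display="$3"
    port=$(vnc_port "$display")
    ssh -f -N -L "$port:127.0.0.1:$port" "$user@$host"
}

# Read "netstat -ltn" or "ss -ltn" output on stdin (local address in the
# 4th column) and succeed only if every listener on the port is bound to
# 127.0.0.1, i.e. the VNC server is unreachable except through the tunnel.
# IPv4 only, which matches the ruleset discussed above.
vnc_bound_local() {
    awk -v port="$1" '
        $4 ~ (":" port "$") && $4 !~ /^127\.0\.0\.1:/ { bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

case "${1:-}" in
    server)
        # On the server: start display :1 on loopback only, then verify.
        vncserver :1 -localhost
        if netstat -ltn | vnc_bound_local "$(vnc_port 1)"; then
            echo "VNC :1 is bound to loopback only"
        else
            echo "VNC :1 is reachable outside the tunnel" >&2
            exit 1
        fi
        ;;
    client)
        # On the workstation: sh vnc-tunnel.sh client USER 192.0.2.10
        open_tunnel "$2" "$3" 1
        vncviewer 127.0.0.1:1
        ;;
esac
```

With the iptables rules from post #47 in place, sshd's connection to 127.0.0.1:5901 on the server is loopback traffic outside the 6010:6019 range and hits the localhost REJECT, so two more OUTPUT rules are needed before it: `-s 127.0.0.1 -p tcp --dport 5901 -j ACCEPT` and the matching `--sport 5901` rule. Nothing needs to be opened on the management address itself, which is the point of the tunnel.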
 
  

