Old 12-01-2005, 12:09 PM   #1
OverrRyde
Member
 
Registered: May 2004
Posts: 51

Rep: Reputation: 15
TightVNC not working anymore...


Hey guys, I'm having this problem where VNCSERVER used to work from the office fine, also in my local LAN at home, but now I can only access it via localhost, and not from the office. I did configure my router to work with it, but nothing goes. SSH does work.

Is there any reason why this happened, and how to fix it? Does it have anything to do with host.allow or host.deny?

Thanks guys!
 
Old 12-01-2005, 12:16 PM   #2
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
The only way it would have to do with the hosts.X files is if you changed them. Were you connecting to tightVNC directly or through an SSH tunnel? If you were doing it directly I'd suggest that maybe your office IT people closed off the ports on their firewall.
 
Old 12-01-2005, 12:25 PM   #3
OverrRyde
Member
 
Registered: May 2004
Posts: 51

Original Poster
Rep: Reputation: 15
I was using the viewver.exe and I would doubt it was the IT guys; they just passed by me and saw what I was doing and even offered help! Hehe, but didn't figure out why...

As for the host.x files, I did not change them, but if I go into them, there is no value there, only the comments...

Another thing: let's say I'm at home on Windows and do it via IP, it doesn't work; only localhost:1 would, or 192.168.1.100:1 as well...

Oh, another thing I noticed is that before, when I started VNCSERVER, I used to read my name in the log file (I think, not sure). But now it is:

[andres@localhost andres]$ vncserver

New 'X' desktop is localhost:1

Starting applications specified in /home/andres/.vnc/xstartup
Log file is /home/andres/.vnc/localhost:1.log


Thanks!

Last edited by OverrRyde; 12-01-2005 at 12:27 PM.
 
Old 12-01-2005, 01:06 PM   #4
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Quote:
Oh, another thing I noticed is that before, when I started VNCSERVER, I used to read my name in the log file (I think, not sure). But now it is:

[andres@localhost andres]$ vncserver

New 'X' desktop is localhost:1

Starting applications specified in /home/andres/.vnc/xstartup
Log file is /home/andres/.vnc/localhost:1.log
Well, that looks like a perfectly normal vncserver startup to me. You could verify that it is running by running lsof -i in a console. You should see Xvnc is running and listening.

Quote:
Another thing: let's say I'm at home on Windows and do it via IP, it doesn't work; only localhost:1 would, or 192.168.1.100:1 as well...
Now this suggests to me that you are connecting to the vncserver over an SSH tunnel, as this is EXACTLY what you do if you do have an SSH tunnel established for VNC. Do you have to establish an SSH connection in order for you to see any desktop with a VNC client? And I guess I'm not clear about one thing: when you do connect to localhost:1, are you seeing your office system or are you running a VNC server on your home Windows box?

Which actually brings me back to your IT guys. If they are worth their weight in warm spit, they should know that allowing direct VNC access outside of a VPN connection or an SSH tunnel is a HUGE security hole. And if they are allowing direct VNC access, then you seriously need some new IT guys. VNC transmits everything in clear text, so anyone listening would be able to pick up a username and password to your corporate system pretty easily. So it wouldn't be at all surprising if they forced any VNC connections through something secure like an SSH tunnel.
 
Old 12-01-2005, 02:03 PM   #5
OverrRyde
Member
 
Registered: May 2004
Posts: 51

Original Poster
Rep: Reputation: 15
Ok, thanks for the reply!

I don't really understand all the terms you used exactly in your post since I'm fairly new still to all this!

Basically, I use vncviewer.exe from Windows. At work, I use my external IP, which in return gives me a connection error. From my Windows box at home, I either use localhost:1 or 192.168.1.100:1, which works fine.
 
Old 12-01-2005, 02:41 PM   #6
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
OK, now it is my turn to be confused...... You say you can't connect from your work computer to what server? Is it a work server? A home server? I guess I'm not sure of what players are involved here and what you're actually trying to do.


Quote:
I don't really understand all the terms you used exactly in your post since I'm fairly new still to all this!
If you have some specific questions, I'd be glad to answer them as best I can. Maybe point out the bits you don't understand?
 
Old 12-01-2005, 02:55 PM   #7
OverrRyde
Member
 
Registered: May 2004
Posts: 51

Original Poster
Rep: Reputation: 15
Hehe, OK, here we go! At home, I have my Linux box and Windows XP box (separate).

I want to access the Linux box via vncviewer from work using the external IP.

When I'm at home using Windows, I can access the Linux box via VNC using either localhost:1 or 192.168.1.100:1. But from work, using my-external-ip:1 does not work.

It used to work up to a month ago (from work) but now it just doesn't; I get a connection error.

What I wasn't understanding from your post was about the tunneling SSH. Yes, I do use SSH from work to do some stuff like installing some software or setting up users and permissions etc. I don't know if that answers your question though!

Thanks for your help by the way, Hangdog42! Really appreciate it!

Last edited by OverrRyde; 12-01-2005 at 02:56 PM.
 
Old 12-01-2005, 03:34 PM   #8
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
OK, now I get it. Well, mostly anyway......

There are a couple of things that come to mind. First off, does the Linux box have a static IP address? If it doesn't that would be real trouble.

Quote:
But from work, using my-external-ip:1 does not work.
I'm also assuming that you have a router of some sort between your home computers and the Internet. If that is true, you have to set up port forwarding on the router to forward port 5901 to the Linux box. This is also why I asked about the static IP address. If you had port forwarding set up, but didn't have a static IP on the linux box, this could be a problem.

What is more of an issue, however, is that by using the external-ip:1, you are essentially running VNC in the clear. This is a huge security risk and I would strongly suggest you do some reading on how to run VNC over an SSH tunnel.



Quote:
What I wasn't understanding from your post was about the tunneling SSH.
SSH has the capability of grabbing ports on both ends of the connection and tunneling them through the SSH connection on port 22. Essentially this means that you can access any port on a remote machine by opening only port 22. It also means any traffic going across this tunnel is encrypted.

The reason I'm asking is that it is a good idea to tunnel port 5901 through SSH so you can use this tunnel to access VNC. Essentially this means that SSH would grab port 5901 on your windows box and any traffic sent to that port would be routed to port 5901 on the Linux box. I do this all the time so I can access my Linux server from anywhere on the internet and still be certain it is a secure connection.



Quote:
When I'm at home using Windows, I can access the Linux box via VNC using either localhost:1 or 192.168.1.100:1.
OK, this is the bit that still confuses me. If the IP address of the linux box is 192.168.1.100, then that command should work. However, the localhost:1 should NEVER connect you to the Linux vncserver unless you have established an SSH tunnel first.
 
Old 12-01-2005, 03:46 PM   #9
OverrRyde
Member
 
Registered: May 2004
Posts: 51

Original Poster
Rep: Reputation: 15
Oh OK, I see now! Well, come to think of it now, I'm not sure anymore if I've used localhost:1! Hehe...

What can I do to see if I am actually tunneling or not? Or does just the fact that I can't connect from the internet mean that I'm not?

Thanks!
 
Old 12-01-2005, 04:09 PM   #10
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Tunneling is one of those things that if you don't know for a fact you're doing it, odds are you aren't. Anyway, I'm going to assume that you are using Putty on your Windows box, so here is a site that has a few screen shots (about half way down) that show how to set up a tunnel with Putty.

Now you do have to do the VNC port math right. Vncserver runs on port 5900 + screen number. So when you have vncserver telling you it is starting on screen :1, that would be 5901 (and screen :2 would be 5902, etc.). So basically you need to forward local port 5901 (the "Source port" in Putty) to port 5901 of the Linux box (the "Destination" in Putty). Note that the Destination box needs an IP address. This MUST be the LAN IP address of your Linux box (192.168.1.100). So it would look something like this: 192.168.1.100:5901.

For connections coming from the Internet (like when you are at work), you need to set up your router to forward port 22 to your Linux box. So from work, you would use Putty to connect to your external (WAN) IP address. Once that connection is made, the tunnel will be enabled and you would connect the VNC client to localhost:1.


Now, if you are going to expose your SSH server to the Internet, be sure to do some reading around here on securing SSH. There are a lot of threads, so a search should bring up loads of info. But basically be sure to use the AllowUsers directive in your /etc/sshd_config file to limit which usernames have SSH access and do NOT allow root to use SSH. People ARE going to take a rip at cracking your SSH with a dictionary attack so make sure your usernames and passwords are not easily guessed.
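
[Added example, not part of the original posts] The port math and tunnel from posts #8 and #10, written for the OpenSSH client instead of PuTTY, plus a check over `lsof -i -P -n` output for post #9's question of whether a tunnel is actually in use. `WAN_IP`, the function names and both lsof samples are constructed for illustration.

```shell
#!/bin/sh
# Added example. WAN_IP and the lsof samples below are constructed placeholders.

# vnc_port DISPLAY -> TCP port (5900 + display). Accepts "1", ":1", "host:1".
vnc_port() {
    n=${1##*:}
    case $n in
        ''|*[!0-9]*|0?*) return 1 ;;   # reject empty, non-numeric, leading zero
    esac
    echo $((5900 + n))
}

# tunnel_cmd DISPLAY LAN_IP SSH_TARGET -> OpenSSH form of the PuTTY tunnel:
# local port 590N is carried over SSH to LAN_IP:590N behind the router.
tunnel_cmd() {
    p=$(vnc_port "$1") || return 1
    echo "ssh -N -L ${p}:${2}:${p} ${3}"
}

# listener DISPLAY < `lsof -i -P -n` output
# Prints "tunnel ADDR" if an ssh client owns the display's port,
# "direct ADDR" if something else (e.g. Xvnc) does, or "none".
listener() {
    p=$(vnc_port "$1") || return 1
    awk -v port="$p" '
        $NF == "(LISTEN)" {
            name = $(NF - 1)
            n = split(name, part, ":")
            if (part[n] != port) next
            addr = substr(name, 1, length(name) - length(part[n]) - 1)
            res = ($1 == "ssh" ? "tunnel " : "direct ") addr
            exit
        }
        END { print (res == "" ? "none" : res) }'
}

# Constructed samples: the Linux box running vncserver, and a client with the tunnel up.
SERVER_LSOF='COMMAND  PID   USER FD TYPE DEVICE SIZE/OFF NODE NAME
Xvnc    2101 andres 0u IPv4  11234      0t0  TCP *:5901 (LISTEN)
sshd     880   root 3u IPv4   9001      0t0  TCP *:22 (LISTEN)'
CLIENT_LSOF='COMMAND  PID   USER FD TYPE DEVICE SIZE/OFF NODE NAME
ssh     3050 andres 4u IPv4  22345      0t0  TCP 127.0.0.1:5901 (LISTEN)'

tunnel_cmd :1 192.168.1.100 andres@WAN_IP
printf '%s\n' "$SERVER_LSOF" | listener :1
printf '%s\n' "$CLIENT_LSOF" | listener :1
```

On the client, a "tunnel 127.0.0.1" result means the viewer's connection to localhost:1 is being carried by ssh; with the tunnel in place the router only needs port 22 forwarded, not 5901.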
 
Old 12-01-2005, 04:57 PM   #11
OverrRyde
Member
 
Registered: May 2004
Posts: 51

Original Poster
Rep: Reputation: 15
Hey, thanks a lot Hangdog! That worked great! Tunneling now works perfectly!

As for people trying to log into SSH with root, I tried for the sake of testing with the root password and it was denied, so I guess I may be safe on this part!

Besides that, everything works perfectly!

Thanks a lot again!
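
[Added example, not part of the original posts] The two sshd_config settings recommended in post #10 (an AllowUsers list and no root login, which sshd controls with PermitRootLogin) can be read from the configuration directly rather than inferred from one login attempt. The function name and both sample configs are constructed; the script reads the config on standard input.

```shell
#!/bin/sh
# Added example; both sample configs are constructed.
# audit_sshd < sshd_config : check the two settings named in post #10.
# Assumptions: keyword and value are separated by whitespace, Include files
# are not followed, and only the global section (before any Match) is read.
audit_sshd() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        { key = tolower($1) }                   # keywords are case-insensitive
        key == "match" { exit }                 # stop at conditional overrides
        key == "permitrootlogin" && root == "" { root = tolower($2) }  # first value wins
        key == "allowusers" {                   # repeated lines accumulate
            for (i = 2; i <= NF; i++) users = users (users == "" ? "" : " ") $i
        }
        END {
            if (root != "no") {
                print "FAIL PermitRootLogin " (root == "" ? "unset" : root); bad = 1
            }
            if (users == "" || users ~ /(^| )\*( |$)/) {   # missing, or a bare * pattern
                print "FAIL AllowUsers " (users == "" ? "unset" : users); bad = 1
            }
            if (!bad) print "PASS root login off, AllowUsers " users
            exit bad + 0
        }'
}

WEAK_CFG='# constructed: root allowed, no user allow-list
Port 22
PermitRootLogin yes
#AllowUsers andres'

HARD_CFG='# constructed: the later duplicate is ignored (first value wins)
Port 22
permitrootlogin no
AllowUsers andres
PermitRootLogin yes'

printf '%s\n' "$WEAK_CFG" | audit_sshd || echo "weak config rejected"
printf '%s\n' "$HARD_CFG" | audit_sshd
```

An unset PermitRootLogin is reported as a failure because the built-in default differs between OpenSSH versions; setting it explicitly removes the guesswork.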
 
  

