I am running a small network of various computers and want to be able to configure each of them so that I can administer them remotely via remote desktop (aka VNC). The way I have been doing this is to assign each computer its own port for its server to listen on, so Comp A is listening on 5900, Comp B is listening on 5901, etc. I use the SuSE Control Center to configure the remote desktop server on each computer, and start the server via the inetd daemon. I have configured my SuSE firewall computer to route incoming requests to the appropriate computer. In the past all this has worked fine.

I recently upgraded one of my computers, a laptop, to SuSE 10.0 and tried to configure it to accept incoming requests on a port other than port 0 - 5900 (for example port 1 - 5901) and have failed. The only port I can get the remote desktop to work with is port 0 - 5900. If I assign it any other port, other than 5900, and then try to connect to it with a viewer, I do not get the authentication process (i.e. the request for a password) to occur and the viewer will open up with a blank (grayed out) screen and then hangs. As I stated however, if I assign the server 5900, the base address of ports, everything works fine, I do get the request for the password and the viewer does open up correctly with a display of the desktop of the remote computer.

For the moment I am able to get around this by routing through the firewall and redirecting incoming requests to port 0 - 5900 on the appropriate computer but this requires I assign every computer a static address and not use my internal DHCP server, not what I want to do in the long run....

Is anyone else having troubles with the remote desktop in SuSE 10.0, with the server configured to use a port other than 0 - 5900? Did something break?

Marc.....
On Friday 02 December 2005 21:49, Marc Chamberlin wrote:
I am running a small network of various computers and want to be able to configure each of them so that I can administer them remotely via remote desktop (aka VNC). The way I have been doing this is to assign each computer its own port for its server to listen on, so Comp A is listening on 5900, Comp B is listening on 5901, etc. I use the SuSE Control Center to configure the remote desktop server on each computer, and start the server via the inetd daemon. I have configured my SuSE firewall computer to route incoming requests to the appropriate computer. In the past all this has worked fine.
<snip>
Marc.....
Yo Marc.

I have several networks similar to the ones you described. I use a different method to get to the workstations though. Since I think my method is better I'll explain it to you.

1) I leave all the workstations on 5900. (Less hassle that way).
2) I allow ssh into the SUSE server/firewall
3) from the other side of the world (well from Switzerland to Houston), I issue the following command on my linux laptop:

vncviewer -via mybrothers.office.com WS01

The -via command is a tightvnc extension (tightvnc is default vnc version on SUSE). It tells vncviewer to start an ssh tunnel to mybrothers.office.com (The SUSE firewall/server), and from there to forward the connection to WS01.

This method has the following advantages:
- only need to open ssh on firewall.
- no need to remember portno - host associations
- needs no additional configuration on workstations
- works for windows workstations also.

Jerry
On Friday 02 December 2005 22:16, Jerry Westrick wrote: <snip>
This method has the following advantages:
- only need to open ssh on firewall.
- no need to remember portno - host associations
- needs no additional configuration on workstations
- works for windows workstations also.
did I really forget to mention vnc connections are then encrypted over the internet
Jerry
Jerry Westrick wrote:
On Friday 02 December 2005 22:16, Jerry Westrick wrote: <snip>
This method has the following advantages:
- only need to open ssh on firewall.
- no need to remember portno - host associations
- needs no additional configuration on workstations
- works for windows workstations also.
did I really forget to mention vnc connections are then encrypted over the internet
Jerry
Thanks Jerry, I followed your suggestions, works fine! Much appreciated. Marc...
On Saturday 03 December 2005 16:40, Marc Chamberlin wrote:
- only need to open ssh on firewall.
Thanks Jerry, I followed your suggestions, works fine! Much appreciated. Marc...
Please note that there is a Slow-motion "Brute force" attack being made on ssh across the internet. You will receive many attempts to guess your usernames/passwords. The method I use to defeat it is:

1 - Do not use simple passwords!
2 - change the port that sshd listens on:
3 - only allowing ssh access to user in a specific group.

How to Change the ssh portno
===================

Although this is not a world moving security measure, it foils the type of attacks being done over the last couple of years.

Here is the method I use:

1) on the ssh-server machine: modify /etc/ssh/sshd_config
   Uncomment "#Port 22" line and change to an unused port, (preferably under 1024)
   restart sshd
2) on the ssh client machine modify /etc/ssh_config
   Add the following 2 lines

Host mybrothers.office.com
Port <your portno>

After that everything should work as normal.

How to define a Group allowed to use ssh
========================

This one is also easy. modify /etc/ssh/sshd_config
add line

AllowGroups remotessh

Then you have to add users to the group remotessh, so that they can connect remotely. I have very few users in that group.

Jerry.

P.S. You can use the free ssh client called putty on windows machines to set the same tunnels from windows machines, but as usual it's a bit more complicated!
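As an added illustration (not Jerry's or Marc's own code), here is a POSIX shell script that checks an sshd_config body for the two sshd measures described above (a non-default Port and an AllowGroups restriction), builds the matching client-side Host/Port stanza, and prints the ssh -L tunnel that "vncviewer -via" sets up. The two config bodies, the port 922 and the local port 5901 are constructed assumptions; the gateway name, WS01 and the group remotessh are taken from the thread.

```shell
#!/bin/sh
# Added example: checks an sshd_config for a non-default Port and an
# AllowGroups line, then builds the client-side pieces that go with them.
# The two config bodies below are constructed samples, not files from the thread.

DEFAULT_CFG='#Port 22
#AllowGroups
PasswordAuthentication yes'

HARDENED_CFG='Port 922
AllowGroups remotessh
PasswordAuthentication yes'

# Effective listen port: the first uncommented Port directive, else 22.
effective_port() {
    port=$(printf '%s\n' "$1" | awk '$1 == "Port" { print $2; exit }')
    echo "${port:-22}"
}

# Groups allowed to log in, or ANY when no AllowGroups line restricts access.
allowed_groups() {
    list=$(printf '%s\n' "$1" |
        awk '$1 == "AllowGroups" { $1 = ""; sub(/^ /, ""); print; exit }')
    echo "${list:-ANY}"
}

# Exit status 0 only when both measures are in place.
is_hardened() {
    [ "$(effective_port "$1")" != 22 ] && [ "$(allowed_groups "$1")" != ANY ]
}

# Client-side stanza (Host + Port) so ssh, and therefore vncviewer -via,
# reaches the gateway on the new port without being told on every call.
client_stanza() {
    printf 'Host %s\n    Port %s\n' "$1" "$2"
}

# The tunnel behind "vncviewer -via GATEWAY HOST": ssh -L from a local port
# (assumed 5901) to the workstation's 5900, then the viewer pointed at the
# local end. The command is printed here, not executed.
via_tunnel_cmd() {
    printf 'ssh -f -L %s:%s:5900 %s sleep 20 && vncviewer localhost::%s\n' \
        "${3:-5901}" "$2" "$1" "${3:-5901}"
}

if is_hardened "$HARDENED_CFG"; then echo "hardened: ok"; fi
client_stanza mybrothers.office.com "$(effective_port "$HARDENED_CFG")"
via_tunnel_cmd mybrothers.office.com WS01
```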
Jerry - Thanks again for all your help... Not being familiar with ssh it took me a while to get everything set up so it would work from either inside or outside my network. This seems like a good approach/defense against the idiots of the world.

Marc...

Jerry Westrick wrote:
Please note that there is a Slow-motion "Brute force" attack being made on ssh across the internet. You will receive many attempts to guess your usernames/passwords. The method I use to defeat it is:

1 - Do not use simple passwords!
2 - change the port that sshd listens on:
3 - only allowing ssh access to user in a specific group.

How to Change the ssh portno
===================

Although this is not a world moving security measure, it foils the type of attacks being done over the last couple of years.

Here is the method I use:

1) on the ssh-server machine: modify /etc/ssh/sshd_config
   Uncomment "#Port 22" line and change to an unused port, (preferably under 1024)
   restart sshd
2) on the ssh client machine modify /etc/ssh_config
   Add the following 2 lines

Host mybrothers.office.com
Port <your portno>

After that everything should work as normal.

How to define a Group allowed to use ssh
========================

This one is also easy. modify /etc/ssh/sshd_config
add line

AllowGroups remotessh

Then you have to add users to the group remotessh, so that they can connect remotely. I have very few users in that group.

Jerry.

P.S. You can use the free ssh client called putty on windows machines to set the same tunnels from windows machines, but as usual it's a bit more complicated!