This is a continuation of Is It Safe - Part 2. Today we continue in the YaST control center with a look at the 'Security and Users' page.

Let's look at the Firewall page.
For the most part, it probably won't be necessary to make any changes to the default configuration, but if and when you do, you'll appreciate how openSUSE provides a nice GUI for addressing some of the most common situations. I have not found the need to make any changes other than to open just a few ports. When it comes to security, the fewer ports left open, the better, as it reduces the PC's attack surface.
Your Firewall, iptables, should already know about your computer's interfaces. If you have your PC connected via an ethernet port, the device assigned is usually /dev/eth0. Similarly, if you are connected to a wireless router, the device might show as /dev/wlan0 on the Interfaces page.
Each of those interfaces which is used to bridge across your Firewall to the internet WAN should show as assigned to the External Zone. The Firewall actively monitors packets which cross the External Zone (both inbound and outbound) and will drop (filter) inbound packets which are unsolicited.
Here are a couple of things you can do that will make support of or access to your PC or a company's PCs a bit easier.
I am going to 'backpedal' here and go back to the YaST control center by pressing 'Abort', then saying 'Yes' to the 'Really Abort' message.
First, we want to make sure that the Secure Shell service is running on your system.
On the 'System' page, click on the 'System Services (Runlevel)' icon.
This shows which services are installed and running. The presentation has two modes: Simple Mode (the default) and Expert Mode (for experts). In the window, services are listed alphabetically. Scroll down to the letter 's' and you should see an entry for 'sshd'. The 'Enabled' column needs to read 'Yes'. If it does not, click on the sshd service to give it focus, then click the 'Enable' button below. A window with an OK button should appear with "/etc/init.d/sshd start returned 0 (success):" and the Enabled column should now show 'Yes'. Click the 'Finish' button in the lower right corner and 'Yes' to commit this change to the runlevels. Otherwise, if sshd is already running, just press 'Abort'.
Next, we are going to turn on VNC Remote Administration. Click on 'Network Services', then the 'Remote Administration' icon.
If you would like to allow Remote Administration of your PC, select 'Allow Remote Administration'. Also click 'Open Port in Firewall'. Be aware that if your PC is connected directly to a WAN cable modem, then your PC's ports are directly accessible from the internet at large, by anyone. So you should be sure to use strong user ids and strong user passwords. Also be aware that everything transmitted over VNC is sent as 'clear text', even your passwords.
If your PC is connected directly to a cable modem or dial-up modem, I'd suggest you only turn on VNC when needed and turn it off when done. Furthermore, I strongly recommend that you encrypt (tunnel) VNC over Secure Shell. I'll show you how in a bit. Click on 'Finish'.
Let's go back to the 'Security and Users' page and click on 'Firewall', then 'Allowed Services'.
In my scenario, in the 'External Zone', I have allowed two services: 1) Remote Administration (ports 5801 and 5901) and 2) SSH (default port 22).
If you've been following along and you wish to have remote administration and ssh capability, these services must be allowed. You can select them from the 'Services to Allow' drop-down list and click 'Add' if they aren't showing.
Click the 'Next' button in the lower right corner of the window and a summary of your Firewall's settings will display. Press 'Finish'. That should suffice for allowing access to your PC via either ssh or VNC from any PC on the same subnet, or from the internet if your PC is connected directly to the WAN.
If your PC sits safely behind a wireless router, you need to take additional steps to open up the corresponding ports on the router so that the forwarded traffic reaches your LAN IP.
My web server is running openSUSE, uses a static IP of 192.168.1.101 and sits behind a Linksys WRT54GL running DD-WRT v23 firmware. Here's where I made the port forward settings.
You'll note that I have port forwarding for port 22, and the two other VNC 'provisional' port forwards for ports 5801 and 5901 are not enabled, intentionally.
So how can I reach my server behind the router's Firewall if I don't have the VNC ports open?
Very simple, I tunnel the VNC port over ssh.
From a terminal window bash shell prompt, tunneling VNC over ssh is accomplished with the following:
$ ssh -L 5901:localhost:5901 -f -N yourUserName@host_name_or_ip
$ vncviewer localhost:1 &
You could also use KDE's Remote Desktop Connection in place of vncviewer: type krdc & at the command line, or start it via KMenu->System->Remote Access->krdc (Remote Desktop Connection).
For the Remote desktop to connect to, type in localhost:1 and click Connect.
Select the connection type that matches your situation and vncviewer will optimize the screen to that preference.
Here we see the openSUSE login screen via a secure shell tunnel.
Another option you have, which is definitely handy when you are working from a remote PC that doesn't have VNC installed, is to access the system from your Java-enabled web browser by typing in the following URL: http://your_ip:5801. In that case, I would have tunneled VNC over ssh with -L 5801:localhost:5801 replacing port 5901.
These are things you can do to facilitate remote administration over a secure channel.
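The VNC-over-ssh tunnel from above, as an added example script that is not from the original post: it forwards both the RFB port and the Java-viewer HTTP port of a display, runs the viewer, and closes the tunnel when the viewer exits, using an ssh control socket so the background ssh started with -f -N does not linger. The user@host, display number and socket path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): open the SSH tunnel,
# run the VNC viewer through it, and close the tunnel when the viewer
# exits. An ssh control socket (-M/-S) lets the background ssh -f -N
# process be shut down with "ssh -O exit" instead of being left
# running. user@host, the display number and the socket path are
# placeholders.

# Map VNC display N to its RFB port (5900+N) and the Java-viewer
# HTTP port (5800+N); the post uses display :1, i.e. 5901 and 5801.
vnc_ports() {
    echo "$((5900 + $1)) $((5800 + $1))"
}

# Build the -L arguments forwarding both ports of display $1 so that
# vncviewer and the browser method both work through one tunnel.
vnc_tunnel_args() {
    set -- $(vnc_ports "$1")
    echo "-L $1:localhost:$1 -L $2:localhost:$2"
}

# open_vnc_session user@host display
open_vnc_session() {
    target="$1"; display="$2"
    sock="${TMPDIR:-/tmp}/vnc-tunnel-$$.sock"
    # -f -N: background, no remote command; -M -S: control master
    # on a socket; ExitOnForwardFailure makes ssh fail instead of
    # silently connecting without the tunnel.
    ssh -f -N -M -S "$sock" -o ExitOnForwardFailure=yes \
        $(vnc_tunnel_args "$display") "$target" || return 1
    # Close the tunnel whether the viewer exits normally or on Ctrl-C.
    trap 'ssh -S "$sock" -O exit "$target" 2>/dev/null' EXIT INT TERM
    vncviewer "localhost:$display"      # or: krdc "localhost:$display"
}

if [ -n "${1:-}" ]; then
    open_vnc_session "$1" "${2:-1}"
fi
```

Run it as `sh vnc-tunnel.sh yourUserName@host_name_or_ip 1` (script name assumed); the tunnel is torn down as soon as the viewer window is closed.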
What's more, openSUSE's YaST control center not only runs on GNOME and KDE, it also can be started from a character-based terminal screen interface with sudo /sbin/yast.
This is especially helpful in situations where you are doing remote administration over ssh on a 'headless' server (no X Window display manager of any kind running).
At a minimum, one other security precaution should be taken with your sshd settings. To access your ssh server settings, select KMenu->Run Command. Type:
kdesu kate /etc/ssh/sshd_config
Then click 'Run'. When prompted, type in the root administrator's password.
This should launch kate (KDE Advanced Text Editor) and open your ssh server configuration file into the text editor.
Type Ctrl-F and search for a line that begins with 'PermitRootLogin'.
If it shows as Yes, change it to No. Then click File->Save and Quit.
To restart your sshd server and have this change take effect go to KMenu->Run Command and type:
kdesu /sbin/service sshd restart
Click Run and when prompted type in the root password to perform the restart.
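As an added example (not from the post), here is a small POSIX shell script that audits the effective PermitRootLogin value in an sshd_config file and hardens it, applying the parsing rules sshd itself uses: keywords are case-insensitive, the first uncommented occurrence wins, and a setting after a Match line is not global. The --demo flag and temporary file paths are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit and harden the
# PermitRootLogin keyword in an sshd_config file, following sshd's
# own parsing rules: keywords are case-insensitive, "key value" and
# "key=value" are both accepted, the FIRST uncommented occurrence wins,
# and a keyword after a "Match" line applies only inside that block.

# Print the global PermitRootLogin value from file $1, or "default"
# when no uncommented line sets it before the first Match block (sshd's
# built-in default then applies).
effective_permit_root_login() {
    awk '{ sub(/#.*/, ""); gsub(/=/, " ") }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "default" }' "$1"
}

# Comment out every uncommented PermitRootLogin line (those inside
# Match blocks then inherit the global value) and prepend
# "PermitRootLogin no" so it is the first match and precedes any Match.
harden_permit_root_login() {
    tmp="$1.tmp.$$"
    {
        printf 'PermitRootLogin no\n'
        awk '{ k = $0; sub(/#.*/, "", k); gsub(/=/, " ", k); split(k, f)
               if (tolower(f[1]) == "permitrootlogin") print "#" $0; else print }' "$1"
    } > "$tmp" && mv "$tmp" "$1"
    # On a real server, validate with "sshd -t" and then restart sshd
    # as the post describes.
}

# Demo on a constructed sample file (not a real server's config).
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    printf '#PermitRootLogin yes\nPermitRootLogin Yes\nMatch User backup\nPermitRootLogin no\n' > "$sample"
    echo "before: $(effective_permit_root_login "$sample")"   # yes
    harden_permit_root_login "$sample"
    echo "after:  $(effective_permit_root_login "$sample")"   # no
    rm -f "$sample"
fi
```

Pointing harden_permit_root_login at /etc/ssh/sshd_config (as root) does what the kate edit above does, and the audit function lets you confirm the result on a headless server without an editor.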
Ideally, your systems should be configured for passwordless ssh login. It's a little tricky at first to set up, but once you've done it a few times, it's not bad. But I think I'll stop here so as to not create information overload and leave that for another time.
If you have questions or comments, please let me know!
Thanks and as always, Be Safe.
--dietrich