On Wednesday 13 December 2006 20:46, Stephen H. Dawson wrote:
> Hi,
>
> I have looked over the stuff on the mailing list for this and some of the
> sites for SSH and what not. I am not very trusting of some of these
> things, so I am going to ask for the latest and greatest answer.
>
> 1. Is using SSH the best way to use Real VNC over the Internet?

In my view, yes. It is the most secure way. So would be any VPN tunnelling
method which encrypted the communication between server and host. ssh happens
to be open source and therefore I prefer it.

> 2. What software is recommended to set up this securing?

I have been using CopSSH on a WinXP box and an ssh client on a Linux box to set
up an encrypted tunnel with port forwarding, through which I have been running
VNC for some months now. The VNC server is running on the WinXP box. I have
tried OpenSSH running on a stripped down Cygwin, but found it very difficult to
set up, and the default settings are not the most secure they could be. CopSSH,
which comes with a more substantial Cygwin installation, is in every respect an
improvement over the bare bones OpenSSH alternative.

I have chosen the following configuration settings for additional security:

a) Setting the VNC server to listen *only* on local ports - not to the whole
internet. netstat shows that VNC is not opening any ports to the internet, but
only to localhost.

b) Changing the default sshd port from port 22, which is scanned by all the
script kiddies and bots, to another number (e.g. 244, or whichever other
unassigned port is not being used by other services on either OS; see
http://www.sockets.com/services.htm for a choice). You'll have to change the
ssh client's port number accordingly using the ssh_config file, or by
specifying the port number on the command line, or if your client is also
running WinXP you set it up in the corresponding PuTTY configuration tab. The
port number change alone should get rid of 90-95% of attempts to compromise
the server.

c) Disabling ssh password authentication and enabling *only* secure key
authentication. Create a DSA or RSA key pair on the client (using ssh-keygen,
or PuTTY), set a difficult, strong and long passphrase and copy the public key
to the server. Now any cracker will need your private ssh key from your client
*and* your passphrase to be able to authenticate on the server.

Any brute force passwd crackers that the script kiddies try to run at your
chosen server port will be dropped dead by CopSSH. Furthermore, due to the ssh
secure key authentication mechanism no passwords travel between the two
machines. The passphrase authentication takes place locally within the client
and all transactions with the host are encrypted. That should deal with the
remaining 9-4% of attempts to compromise the server, leaving probably
significantly less than 1% of determined 'professional grade' crackers who I
am sure have more interesting machines to turn their attention to. ;-)

d) Setting the WinXP firewall to allow *only* my Linux computer's internet IP
address to connect to CopSSH on the particular port number and no other (IP
address, or port No.). Of course this is easy when the IP address of the
client is fixed, otherwise DynDNS may be needed (didn't need to look into this
yet). Scanning the server machine from the client machine with nmap identifies
sshd running on e.g. port 244, but scanning the server from any other IP
address, or using e.g. http://www.grc.com, http://www.pcflank.com/, etc., does
not reveal any exposed ports. Of course if the WinXP box sits behind an ADSL
router you'll need to forward the respective port from the router to the WinXP
LAN IP address and rely on the WinXP firewall configured as above to block any
enthusiastic visitors.

> 3. Since transferring files is a preferred way, is an FTP process or
> something within Real VNC the preferred way to move files?

Since the WinXP box now has CopSSH and the Cygwin Linux scp and sftp commands,
I would probably use scp to transfer individual files with, say, blowfish
encryption, or sftp for batch jobs. Fast enough and encrypted end to end file
transmission. You could use FileZilla or any other sftp-enabled client if you
would rather use a GUI. Others may prefer to use VNC's file transfer facility.

I hope this helps.
-- 
Regards,
Mick

_______________________________________________
VNC-List mailing list
VNC-List@realvnc.com
http://www.realvnc.com/mailman/listinfo/vnc-list
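A worked check for steps a), b) and c) of the reply above, added here as an example and not code from Mick's post, CopSSH or RealVNC. It assumes OpenSSH sshd_config keywords, Windows "netstat -an" column layout, the post's example port 244, and uses constructed sample text rather than live output.

```shell
#!/bin/sh
# Added example (not from the list post). Audits what the post verifies by
# hand: VNC bound only to localhost (step a), and sshd on a non-default port
# with password logins off and key logins on (steps b and c). All inputs are
# constructed sample text. Once the server looks like this, the VNC session
# rides over a forwarded port, e.g. (port 244 is the post's example):
#   ssh -p 244 -L 5901:127.0.0.1:5900 user@winxp-box
# and the viewer is pointed at localhost:5901 instead of the server address.

# Constructed "netstat -an" lines from a VNC server bound only to localhost.
NETSTAT_GOOD='  TCP    127.0.0.1:5900         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5800         0.0.0.0:0              LISTENING'
# Constructed line from a VNC server exposed on every interface.
NETSTAT_BAD='  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING'

# vnc_localhost_only "<netstat text>": succeeds only if every LISTENING socket
# on the VNC ports (5800 HTTP viewer, 5900 RFB) is bound to 127.0.0.1.
vnc_localhost_only() {
    printf '%s\n' "$1" | awk '
        $NF == "LISTENING" && $2 ~ /:(5800|5900)$/ && $2 !~ /^127\.0\.0\.1:/ { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Constructed sshd_config fragments: the stock state and the hardened one.
SSHD_DEFAULT='Port 22
PasswordAuthentication yes'
SSHD_HARDENED='Port 244
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no'

# sshd_hardened "<sshd_config text>": succeeds only if Port is set and not 22,
# PasswordAuthentication is explicitly "no" and PubkeyAuthentication "yes".
# Keywords are matched case-insensitively, as sshd itself does.
sshd_hardened() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "port"                   { port = $2 }
        tolower($1) == "passwordauthentication" { pw = tolower($2) }
        tolower($1) == "pubkeyauthentication"   { pk = tolower($2) }
        END { exit (port != "" && port != 22 && pw == "no" && pk == "yes") ? 0 : 1 }'
}
```

On the real server, feed `netstat -an` output and the live sshd_config to the two functions instead of the constructed samples.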