Thread: port forwarding security

  1. #1
    Join Date
    Sep 2008
    Beans
    12

    port forwarding security

    I would like to add port forwarding to my router to allow me to ssh or remote desktop into my PC. Other than having your Ubuntu password and the remote desktop password to get through, how else can you beef up the security?

  2. #2
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: port forwarding security

    do not even consider exposing remote desktop (Vino VNC) to the internet. you will be p0wned in mere hours.

    instead, forward SSH, and use FreeNX/NeatX.
    additionally, look into denyhosts and fail2ban to lock down your ssh access, and consider using keys instead of passwords. that's about as secure as you can make remote access.

    https://help.ubuntu.com/community/SSH
    Things are rarely just crazy enough to work, but they're frequently just crazy enough to fail hilariously.
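
An added example, not part of the thread and not fail2ban's own code: the kind of log check a tool like fail2ban performs, run over constructed auth.log lines. The parameter names `maxretry` and `findtime` follow fail2ban's settings; the host name, users, addresses and the year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at the start of the line so text inside a user name cannot pose as the source address.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10), year=2011):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year, so one is assumed
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ip = m.group(2)
        window = recent[ip]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = when
    return banned

# Constructed sample log; addresses are from documentation ranges.
SAMPLE_LOG = """\
Jun 29 22:40:01 box sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
Jun 29 22:40:03 box sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jun 29 22:40:04 box sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 50111 ssh2
Jun 29 22:40:06 box sshd[1004]: Failed password for invalid user test from 203.0.113.5 port 40003 ssh2
Jun 29 22:41:00 box sshd[1005]: Failed password for alice from 198.51.100.7 port 50112 ssh2
Jun 29 23:30:00 box sshd[1006]: Failed password for alice from 198.51.100.7 port 50113 ssh2
Jun 29 23:55:00 box sshd[1007]: Failed password for alice from 198.51.100.7 port 50114 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"ban {ip}: {when:%H:%M:%S} was failure number 3 within 10 minutes")
```

The second address also fails three times, but the failures are spread over more than an hour, so it never reaches `maxretry` inside one `findtime` window.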

  3. #3
    Join Date
    Mar 2011
    Location
    Vermont
    Beans
    147
    Distro
    Kubuntu 14.04 Trusty Tahr

    Re: port forwarding security

    1] fail2ban
    2] AllowUsers in sshd_config
    3] SSH keys, no password auth
    4] root login not allowed
    5] I did change the port used on the router to forward another port so 22 looks closed. But nmap will find it anyhow, so probably not too effective.
    6] Use rate limiting on port 22 via gufw or whatever you use to set up iptables/ufw....
    Last edited by CVGH; June 29th, 2011 at 10:49 PM.
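
An added example, not part of the thread: a small audit of sshd_config text against items 2 to 4 of the list above. The default values and the two sample configs are assumptions, and the keyboard-interactive check is an addition to the list, included because that method can still ask for a password through PAM.

```python
import re

# Assumed defaults of a recent upstream OpenSSH; a distribution may ship others.
DEFAULTS = {"passwordauthentication": "yes", "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password", "allowusers": ""}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global settings as sshd reads them: the first value of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # later lines apply only to matching connections; not evaluated
        if key == "allowusers":
            seen[key] = (seen.get(key, "") + " " + value).strip()  # lines add up
        else:
            seen.setdefault(key, value)
    return {**DEFAULTS, **seen}

def audit(config_text):
    """Return the items of the checklist above that this config does not meet."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"].lower() != "no":
        findings.append("password authentication is enabled")
    if s["kbdinteractiveauthentication"].lower() != "no":
        findings.append("keyboard-interactive authentication is enabled")
    if s["permitrootlogin"].lower() != "no":
        findings.append("root login is not fully disabled")
    if not s["allowusers"]:
        findings.append("no AllowUsers list")
    return findings

# Constructed samples. In WEAK the appended "no" has no effect: "yes" came first.
WEAK = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\nPasswordAuthentication no\n"
HARDENED = ("PasswordAuthentication no\nKbdInteractiveAuthentication no\n"
            "PermitRootLogin no\nAllowUsers alice\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "meets the checklist")
```

The parser does not follow Include directives or evaluate Match blocks; on a live host, `sshd -T` prints the effective configuration.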

  4. #4
    Join Date
    Sep 2008
    Beans
    12

    Re: port forwarding security

    Quote: Originally Posted by doas777
    do not even consider exposing remote desktop (Vino VNC) to the internet. you will be p0wned in mere hours.

    instead, forward SSH, and use FreeNX/NeatX.
    additionally, look into denyhosts and fail2ban to lock down your ssh access, and consider using keys instead of passwords. that's about as secure as you can make remote access.

    https://help.ubuntu.com/community/SSH

    Ok, thanks for the advice.
    In regards to security on anything requiring a port forward what are the definite no's and the acceptable port forwards?

    So remote desktop/vnc is out the picture
    I take it port forwarding 80 to allow your PC to be a web server is acceptable?
    SSH is acceptable but recommended to lock down access

    Both denyhosts and fail2ban look great utilities and keys sound like a good idea. Will have to start doing some research into this.

    Any indication why remote desktop is more insecure than SSH?

  5. #5
    Join Date
    Dec 2007
    Location
    The last place I look
    Beans
    Hidden!
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: port forwarding security

    there are a number of reasons that VNC is not a safe internetwork protocol, including weak passwords (max is 8char) [very easy to bruteforce], plain-text password exchange, no connection encryption, etc. most everyone who has ever been "hacked" on these forums got it via vino. don't get me wrong, vino/vnc is great for lan use, but is not safe for the wider internet.

    ssh however has none of these vulnerabilities, and can be hardened well beyond just fixing this list.

    FreeNX is a great remote desktop tool that runs better than VNC, but uses SSH as its transport, so you get all the advantages of both worlds. I think you would like it.

    on port-forwarding, there isn't really a lot to configure. it has a listening port, a forwarded server, and a forwarded port. the rest of it needs to be taken care of by the server/service config. unless you know the endpoint(s) that the connections will come from though, there isn't a lot more that you can do, other than hardening your service.

    I haven't worked with apache in production (we're an IIS shop) but yes, appropriately configured apache is quite web-safe.
    Things are rarely just crazy enough to work, but they're frequently just crazy enough to fail hilariously.

  6. #6
    Join Date
    Sep 2008
    Beans
    12

    Re: port forwarding security

    Quote: Originally Posted by doas777
    there are a number of reasons that VNC is not a safe internetwork protocol, including weak passwords (max is 8char) [very easy to bruteforce], plain-text password exchange, no connection encryption, etc. most everyone who has ever been "hacked" on these forums got it via vino. don't get me wrong, vino/vnc is great for lan use, but is not safe for the wider internet.

    ssh however has none of these vulnerabilities, and can be hardened well beyond just fixing this list.

    FreeNX is a great remote desktop tool that runs better than VNC, but uses SSH as its transport, so you get all the advantages of both worlds. I think you would like it.

    on port-forwarding, there isn't really a lot to configure. it has a listening port, a forwarded server, and a forwarded port. the rest of it needs to be taken care of by the server/service config. unless you know the endpoint(s) that the connections will come from though, there isn't a lot more that you can do, other than hardening your service.

    I haven't worked with apache in production (we're an IIS shop) but yes, appropriately configured apache is quite web-safe.

    Ok, thanks again. Also thanks CVGH.
    I have successfully managed to generate a key for my client and my server and have logged on. Quite chuffed. Now for fail2ban and denyhosts. Thanks
