ssh tunnel to ultravnc on windows


two4twoinpa

Nov 12, 2013, 11:41:11 AM
to connectb...@googlegroups.com
I have OpenSSH Server installed on a Windows XP PC using a non-standard (non-22) port.  I have my Windows firewall configured to accept this non-standard port.  I also have my router configured to forward this non-standard port to that PC.  The router AND the PC have static IPs.  I installed ConnectBot on my Nexus 7 and successfully connected to my Windows PC over the internet through my router using the non-standard port.  I also have UltraVNC server installed on my Windows PC -- using a non-standard (non-5900) port -- and have set the Windows firewall to accept my non-standard port and configured my router to forward the non-standard port to the Windows PC.  I installed android-vnc-viewer 0.5.0 on my Nexus 7 and successfully connected (without the ConnectBot SSH tunnel) over the internet through my router to my PC using the non-standard port.  But when I try to use the ConnectBot SSH tunnel for my VNC viewer to connect to the PC it says "connection refused".  I used another PC (a Linux PC) to test VNC through an SSH tunnel over the internet with my non-standard ports, and the port forwarding in my router does work, and the tunnel does work -- on that Linux PC.  Thus, the firewall on the Windows PC and the port forwarding on my router are shown to be set properly.  On my Linux PC I set my VNC viewer to go to "localhost:myport", but when you use a non-standard port (non-5900) for VNC it gets a bit tricky in that it adds what you specify in "myport" to 5900, and that should add up to the non-standard port you are using.  This works from the Linux client.  But when I tried to do it this way on my Nexus 7 with the tunnel I created in ConnectBot the connection is refused.

In case I missed something I am going to test again with my Linux clients and make sure I've exactly duplicated my Linux method onto my Android clients.  But in the meantime, can anyone provide some guidance for configuring the ConnectBot tunnel so that I can use the Android VNC viewer client with a non-standard port, and then how to configure the Android VNC viewer client?  I'd assume to set them up exactly the same way I did the Linux PC clients.

I hope I explained it all so it can be understood.

Thanks in advance to all you more-experienced and educated gurus.

l00g33k

Nov 12, 2013, 12:20:02 PM
to connectb...@googlegroups.com
I have done exactly what you have done so rest assured it works.

It's a bit lengthy to truly digest what you wrote, so, sorry, I only glanced
through it.

But here's what my suggestion is. Make your ConnectBot forward from the
phone's 5900 to the remote non-standard port. That lets your phone's
android-vnc-viewer 0.5.0 use the standard 5900 port. Since it's only on
your phone, there is no fear that others discover you have a VNC server
on the remote non-standard port.

Best Regards,

two4twoinpa

Nov 12, 2013, 2:23:01 PM
to connectb...@googlegroups.com
Thanks for your reply l00g33k.  The VNC viewer on the Linux PC adds the two together (local port + 5900) to send to the server, which adds up to my non-standard port.  Are you saying the VNC viewer client on the Android doesn't do that?

l00g33k

Nov 12, 2013, 2:38:13 PM
to connectb...@googlegroups.com
I'm saying if you forward your phone's 5900 to whatever remote port, then
your VNC viewer client on your Android can connect to the standard port
on localhost, thereby avoiding confusing your VNC viewer client on Android.

Karl Pearson

Nov 12, 2013, 2:57:38 PM
to connectb...@googlegroups.com
One thing to try with your current setup is to use 127.0.0.1 (or ...2-9)
instead of "localhost".

Sometimes the network stack on a device doesn't seem to process
localhost as well as 127.0.0.1 or 127.0.0.2 ...

But what l00g33k wrote may be a better solution.

Karl


---
Karl L. Pearson | ka...@ourldsfamily.com | Owner/Admin:
OurLDSFamily.com | LDSMissionaryMoms.com | LDSMilitaryMoms.com
Support for any service we offer: Support.OurLDSFamily.com
My "Mormon.org" profile: http://mormon.org/me/1GCM
---

two4twoinpa

Nov 13, 2013, 9:51:32 AM
to connectb...@googlegroups.com
Thanks everyone.  I got it.  I did what l00g33k said.  Avoided confusion.

Now, a very important question:

How does using this SSH tunnel protect my computer from hacking the VNC password if I don't use MS login?  I can't get the UltraVNC server on my Windows XP machine to work with MS login -- maybe because it's Windows XP Home Edition?  And the Android VNC Viewer doesn't support the DSM Plugin.  This leaves the only protection for the Windows PC to be the VNC password, which we all know to have been hacked quite a long time ago.  Seems to me it doesn't matter that I connect through an SSH tunnel because my Windows PC still has a port open for VNC, and any good hacker will keep pounding my open ports to try to discover what's behind them and will discover that my non-standard port connects to VNC and POOF!, they're in!  Also, how does this SSH tunnel prevent ANY kind of direct access to open ports on my Windows PC?  Couldn't someone simply connect through ANY open port without using my SSH tunnel?

Is there such a thing as MAC filtering on my Windows firewall?

Also, if I put MAC filtering on my home router, then I've got to get every device we and our guests have and put the MACs in the router.  But does this prevent people from coming to my router and passing through a forwarded port?

David H

Nov 13, 2013, 10:01:24 AM
to connectb...@googlegroups.com
MAC filtering won't help; that's a layer 2 filter that would only block other systems on the same local network from talking to the computer.  Outside traffic comes only from the router local to that computer, so the MAC would always be the same on inbound traffic since it would be the router's internal interface MAC.

If your PC is on a private LAN and your router is port forwarding to it, the only port you should need open, if you're truly tunneling, is the port that SSH is running on, tunneled in from the router.  So firewall off all other ports on the PC, and only port forward the non-standard SSH port to it.  You'd have to start the SSH session successfully between your device and the PC before you could do forwarding of traffic to other ports, and that would all be carried over the SSH tunnel.  Your VNC port would not be exposed to the internet, nor would someone be able to get to the VNC port by way of the SSH port unless they authenticated off your SSH server first to do their own tunneling to it.  Make sure you're using certificate-based authentication on the SSH side.

Dennis Rockwell

Nov 13, 2013, 10:20:34 AM
to connectb...@googlegroups.com
On 11/13/2013 09:51 AM, two4twoinpa wrote:
> How does using this SSH tunnel protect my computer from hacking the
> VNC password if I don't use MS login? I can't get the UltraVNC server
> on my Windows XP machine to work with MS login -- maybe because it's
> Windows XP Home Edition? And the Android VNC Viewer doesn't support
> DSM Plugin. This leaves the only protection for the Windows PC to be
> the VNC password, which we all know to have been hacked quite a long
> time ago. Seems to me it doesn't matter that I connect through an SSH
> tunnel because my Windows PC still has a port open for VNC, and any
> good hacker will keep pounding my open ports to try to discover what's
> behind them and will discover that my non-standard port connects to
> VNC and POOF!, they're in! Also, how does this SSH tunnel prevent ANY
> kind of direct access to open ports on my Windows PC? Couldn't
> someone simply connect through ANY open port without using my SSH tunnel?

See if your VNC server binds its listening ports to 127.0.0.1 so any
attack would have to be code actually running on your PC (like the SSH
server), which excludes connections from the outside. For instance,
ConnectBot does this for "Local" port forwards to avoid exactly this issue.

All connections from off-PC to VNC would then have to be through the
much more secure SSH tunnel.

Dennis


two4twoinpa

Nov 13, 2013, 11:22:33 AM
to connectb...@googlegroups.com
I think I got it.  Thank you guys (ispcolohost and Dennis).  Now I think I understand.  Tell me if this is correct:  The ONLY port I should open and forward on my router (and this would be open to the internet) would be my chosen SSH port.  All other access would come from the port-forward on my SSH client device and would thus come through the SSH tunnel -- which only MY DEVICE has access to because IT is what would have established the tunnel.  And thus it doesn't matter that my only VNC security is the VNC password because no one else would be able to get past my router because no VNC port would be open on my router.  Did I get it?
So tell me, what is to prevent any person, other than me, from connecting to my Windows XP PC through SSH?  So far the only security and authentication for my Windows XP SSH server is the MS login ID/password.  Is this good enough, or has the MS login/password also been hacked as easily as the VNC password was?

Does ConnectBot support the other authentications such as keys?  And does OpenSSH running on Windows XP Home Edition support keys?  I could not get UltraVNC running on my Windows XP Home Edition to work with MS login and I couldn't find a VNC viewer for Android that supports DSM keys, and this is why I went with SSH.

David H

Nov 13, 2013, 11:30:13 AM
to connectb...@googlegroups.com
You are correct that the only port that should need to be open externally is your SSH port, so VNC and its password are a non-issue if you're only able to connect to it through an SSH tunnel.

Your Microsoft Windows password and username would be encrypted as part of the SSH connection, but ideally you'd want your Windows SSH server to do certificate-based authentication instead, so you wouldn't be using your Windows password at all.  ConnectBot does support certificate auth.

l00g33k

Nov 13, 2013, 12:04:44 PM
to connectb...@googlegroups.com
> So tell me, what is to prevent any person, other than me, from connecting
> to my Windows XP PC through SSH?

That's the right question!

What I did is to reconfigure my sshd server to:

1) Use a non-standard port. Everyone scans for open port 22. The chance
someone hits port 46826 (I've just made it up) is much less than port 22.
So the chance someone tries to break into your sshd server would
correspondingly be less. It probably is a good idea to research a bit so you
don't accidentally pick a port that's a popular malware secret control backdoor
port that everyone also tries to connect to.

2) Reject password/interactive login. Accept only public key login.
That way the only way to get in is with a public key that you
have already installed on your server.

3) Then you want the latest sshd server so that all known vulnerabilities
are fixed.

Then you have something that's about as secure as possible.

And that's what I have.

FYI here's a few lines of notes I wrote for myself. I don't want to put
how I did it here because I am in no way the authority to say this is right
and thereby propagate misinformation.

vi /etc/ssh/sshd_config
PasswordAuthentication no
PubkeyAuthentication yes

Google is your friend.
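An added example, not from the thread or from any of its posters: a small POSIX shell audit that reads an sshd_config and checks the three points listed above (non-22 port, no password or interactive login, public-key login enabled). The two config files are constructed inline for the demo; the port number is the made-up one from the post.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# three hardening points above. The two config files are constructed here.

# Print the effective value of one sshd_config keyword. sshd keeps the FIRST
# uncommented occurrence of a keyword, so stop at the first match.
sshd_opt() {                                     # sshd_opt <file> <keyword>
    awk -v k="$2" 'tolower($1) == tolower(k) && !f { print $2; f = 1 }' "$1"
}

# Return 0 when the file passes all checks, else the number of failed checks.
# Unset keywords fall back to OpenSSH's defaults (port 22, passwords allowed).
audit_sshd() {                                   # audit_sshd <file>
    fails=0
    port=$(sshd_opt "$1" Port);                          port=${port:-22}
    pw=$(sshd_opt "$1" PasswordAuthentication);          pw=${pw:-yes}
    cr=$(sshd_opt "$1" ChallengeResponseAuthentication); cr=${cr:-yes}
    pk=$(sshd_opt "$1" PubkeyAuthentication);            pk=${pk:-yes}

    [ "$port" != 22 ] || { echo "FAIL: sshd listens on default port 22"; fails=$((fails + 1)); }
    [ "$pw" = no ]    || { echo "FAIL: PasswordAuthentication is $pw"; fails=$((fails + 1)); }
    [ "$cr" = no ]    || { echo "FAIL: ChallengeResponseAuthentication is $cr"; fails=$((fails + 1)); }
    [ "$pk" = yes ]   || { echo "FAIL: PubkeyAuthentication is $pk"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: $1 is hardened"
    return "$fails"
}

WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
# Constructed stock-style config: keywords commented out, so defaults apply.
cat > "$WEAK_CFG" <<'EOF'
#Port 22
#PasswordAuthentication yes
PubkeyAuthentication yes
EOF
# Constructed config after the three steps above (port number is made up).
cat > "$HARD_CFG" <<'EOF'
Port 46826
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF

audit_sshd "$WEAK_CFG" || echo "weak config: $? checks failed"   # 3 FAIL lines
audit_sshd "$HARD_CFG"                                           # prints OK
```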

two4twoinpa

Nov 13, 2013, 12:07:24 PM
to connectb...@googlegroups.com
Excellent!  Thank you.  Now I won't need to worry as much because you, even though you know all my vulnerabilities and have all the knowledge to do so, will have a slightly more difficult time breaking into my home PC.

Say, how does this affect my adventures on Pirate Bay?

Shai Ayal

Nov 13, 2013, 12:23:34 PM
to connectb...@googlegroups.com
For added security (although maybe a little overkill), you can install on the server logwatch, which will send you a report showing all break-in attempts each day, and denyhosts, which will not let any single IP try to connect too many times at once.
These are all Linux tools. I would be quite wary of putting a Windows machine directly on the internet without any firewall in the middle.





--
SPT - persistent SSH tunnels for android.

Karl Pearson

Nov 13, 2013, 2:23:49 PM
to connectb...@googlegroups.com
I absolutely agree with Shai. As a checking tool for /var/log/secure I
use Fail2Ban, which, if configured correctly, sends an email report every
time an attacker attempts to break in. Instead of port 22 you would need
to configure it on the non-standard port you use for your tunnels.

Karl



