
27.2.14

Secure VNC connections with Free VNC edition

VNC is a useful tool for administering a computer remotely. The free version has great features, but SSL-protected communication during a VNC session is not one of them.
This can lead to security issues such as traffic sniffing, which can result in the theft of sensitive data. To avoid these issues, we can route the VNC session inside an SSH connection and so secure the communication.

In this tutorial I will show how to create a secure tunnel and then route the free VNC edition through it to secure the communication of the VNC session.

What we need:

  • 2 hosts; generally one acts as the server and the other as the client.
    • VNC server installed on the server host
    • VNC viewer installed on the client host
    • freeSSHd installed on the server host (if Windows-based) or openssh-server (on Linux machines)
    • PuTTY installed on the client machine (if Windows-based) or openssh-client (on Linux machines)

As seen in the post "SSH Tunneling" on this blog, it is possible to create a secure tunnel between two hosts. Below are the commands used to create the tunnel:

On Linux machines, on the client side:

    ssh user@serverip -L <LOCAL_PORT>:127.0.0.1:<VNC_PORT_ON_SERVER>

Where:
  • <LOCAL_PORT> is the port on the client host to which the VNC connection will be redirected.
  • <VNC_PORT_ON_SERVER> is the port on the server where the VNC service is running.
  • The middle address "127.0.0.1" is resolved on the server side: <VNC_PORT_ON_SERVER> on host 127.0.0.1 (that is, the server we are connecting to) will be redirected to <LOCAL_PORT> on the client.

On Windows machines, on the client side:

Start PuTTY and, under the Session section, enter user@serverip in the "Host Name (or IP address)" field.

Under SSH->Tunnels:
In Source Port, enter the equivalent of <LOCAL_PORT>
In Destination, enter the equivalent of "127.0.0.1:<VNC_PORT_ON_SERVER>"

Once set up, click Open.

Now, on both Windows and Linux machines, you can open the secure VNC session by connecting to:

    127.0.0.1:<LOCAL_PORT>

In this case the packets will be routed through the SSH connection until they reach the server.

VNC Free + secure connections.


Enjoy

21.7.12

My First Post on Happy Engineer - SSH Tunneling

SSH is a very powerful tool. SSH stands for Secure Shell and is a kind of prehistoric version of Remote Desktop Connection or VNC. The main difference between VNC, RDC and SSH is that SSH makes it possible to manage a remote host without using GUIs, only through a prompt.

You may think: "Bleah, only a poor command prompt? Where the way to unpack a tarball is a long sequence of chars??? WTF????"

Answer: "Yes".

Trust me, if you begin to use Linux's terminal it will be the END. You won't use Linux without the terminal! It's a drug!

But wait a second: think about sending only a few bytes to manage remote hosts instead of the large quantities of bytes needed to send the screenshots of VNC and RDC. It sounds good!!

Leaving behind these considerations, let's talk technically.

If you want to connect to a remote host using SSH you have to be sure of two things:

1 - The remote host must have an SSH daemon installed (OpenSSH, for example) and correctly configured.

On Ubuntu distributions it is very simple to install OpenSSH; just open a terminal and type:

    sudo apt-get install openssh-server

Once installed, the daemon will start automatically when the host starts up, and all users of the host will be able to use the SSH service, so if you want to access your machine you can use the credentials you normally use to log in to the host.

2 - You must know a username-password pair enabled on the remote host.

Try to connect to a remote host using ssh. Open the terminal and type:

    ssh username@hostip



Where:

    username is the username on the remote host
    hostip is the IP address of the remote host you want to connect to using SSH

If you want to test whether OpenSSH is working on your local host you can run:

    ssh yourusername@localhost



After the execution of this command you'll be asked to accept a key and you'll need to answer "yes".

    What's the meaning of this question?



SSH is built on public-key cryptography, and the first time you connect to a remote host you must accept its public key to start the conversation.
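
What that first-connection question decides, shown as an added example that is not part of the original post: a small POSIX shell function that compares the key a server presents with known_hosts-format entries and reports whether it is a match, a first contact, a changed key or a revoked one. The host names, key blobs and function names are constructed for illustration; hashed names and wildcard patterns are not handled.

```shell
#!/bin/sh
# Added example: the verdict behind the host-key prompt, computed from
# known_hosts-format lines on stdin. Host names and key blobs are constructed.
# Simplifications: unhashed names, no wildcard matching, and a @revoked key
# is rejected for every host regardless of the pattern on its line.

check_host_key() (
    awk -v host="$1" -v type="$2" -v blob="$3" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blanks
        {
            o = ($1 ~ /^@/) ? 1 : 0              # optional marker shifts fields
            marker = o ? $1 : ""
            if (marker == "@cert-authority") next
            same = ($(2 + o) == type && $(3 + o) == blob)
            if (marker == "@revoked") { if (same) revoked = 1; next }
            n = split($(1 + o), names, ",")
            named = 0
            for (i = 1; i <= n; i++) if (names[i] == host) named = 1
            if (!named) next
            if (same) known = 1
            else if ($(2 + o) == type) changed = 1
        }
        END {
            if (revoked)      print "revoked"    # never accept
            else if (known)   print "match"      # connect without asking
            else if (changed) print "changed"    # stop and investigate
            else              print "unknown"    # first contact: check the fingerprint out of band
        }'
)

sample_known_hosts() {
    cat <<'EOF'
# constructed entries; the blobs are placeholders, not real keys
hostb.example,192.0.2.10 ssh-ed25519 AAAAC3CONSTRUCTEDKEYONE
@revoked * ssh-ed25519 AAAAC3CONSTRUCTEDKEYOLD
EOF
}

sample_known_hosts | check_host_key hostb.example ssh-ed25519 AAAAC3CONSTRUCTEDKEYONE
sample_known_hosts | check_host_key hostb.example ssh-ed25519 AAAAC3CONSTRUCTEDKEYTWO
sample_known_hosts | check_host_key hostc.example ssh-ed25519 AAAAC3CONSTRUCTEDKEYONE
```

The "unknown" verdict is the situation in which ssh asks the question; "changed" is the one that should never be answered with a reflexive "yes".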

    Wow... Now I'm connected to a remote host... And now?



The main advantage of using SSH to administer remote hosts is its limited use of bandwidth. It may seem like nonsense, but there are a lot of situations where optimizing bandwidth usage can make the difference.



    Yeah... Boring things...



Wait!

There's a little functionality of SSH that is very powerful: tunneling. Tunneling is the ability to create a tunnel between two hosts and exchange data between them through it.



Imagine you have three hosts:

    host A, connected to the Internet, located in Australia
    hosts B and C, in the same subnet, but only B is directly connected to the Internet. These two hosts are in Norway.

Imagine also that host A must access C for some reason. There are a lot of ways to do this, for example VPNs (maybe we'll talk about those another time). Another way is tunneling.

Idea!

Use host B as a gateway to exchange data with C. Great! How?

SSH

There's a tiny argument that you can pass to the ssh command when you run it: the -L argument. Let's see how it is used.

    ssh johndoe@hostB -L 5000:hostC:21



In this example I'm connecting to host B in Norway, using the username johndoe. By passing the -L argument I'm telling ssh to bind port 21 of hostC (hostC must be host C's IP address on the subnet) to port 5000 of my host. So if I connect with an FTP client to port 5000 on my localhost, the communication will be routed through the tunnel to host C, using host B as a gateway.

So if you can access one host of a subnet using SSH, you'll be able to access every host of that subnet.
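
The -L value used here and in the VNC post above follows ssh's [bind_address:]port:host:hostport form. The following added example (not the author's code; the function names and sample ports are constructed, and bracketed IPv6 addresses are not handled) reports where the client will listen and whether the last hop from the SSH server to the target travels outside the encrypted tunnel.

```shell
#!/bin/sh
# Added example. Classifies an `ssh -L` value of the form
#   [bind_address:]port:host:hostport
# Assumption: IPv4 addresses or host names only (no bracketed IPv6).

valid_port() {
    case $1 in ''|*[!0-9]*|??????*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

audit_forward() (
    spec=$1
    colons=$(printf '%s' "$spec" | tr -cd ':' | wc -c | tr -d ' ')
    case $colons in
        2) bind=-; rest=$spec ;;                    # port:host:hostport
        3) bind=${spec%%:*}; rest=${spec#*:} ;;     # explicit bind_address
        *) echo invalid; exit 1 ;;
    esac
    lport=${rest%%:*}; rest=${rest#*:}
    host=${rest%%:*};  dport=${rest#*:}
    if ! valid_port "$lport" || ! valid_port "$dport" || [ -z "$host" ]; then
        echo invalid; exit 1
    fi
    # Where the client listens: anything but loopback lets other machines
    # on the client's network use the tunnel.
    case "$bind" in
        -)               listen=default ;;   # loopback unless GatewayPorts/-g
        localhost|127.*) listen=loopback ;;
        ''|'*'|0.0.0.0)  listen=all-interfaces ;;
        *)               listen=specific-address ;;
    esac
    # host is resolved by the SSH server. If it is not the server's own
    # loopback, the server opens an ordinary TCP connection to it, and that
    # last hop is outside the encrypted tunnel.
    case "$host" in
        localhost|127.*) last_hop=loopback ;;
        *)               last_hop=network ;;
    esac
    echo "listen=$listen lport=$lport target=$host:$dport last_hop=$last_hop"
)

# Constructed sample specs: the two shapes used on this page plus two risky ones.
for s in 5901:127.0.0.1:5900 5000:hostC:21 \
         :5901:127.0.0.1:5900 0.0.0.0:5901:127.0.0.1:5900; do
    printf '%-30s %s\n' "$s" "$(audit_forward "$s")"
done
```

For the hostC example, last_hop=network means the FTP traffic between host B and host C crosses the Norwegian subnet unencrypted; only the A-to-B leg is protected by SSH.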

I hope that you will appreciate this post. I'm also happy if you want to correct me on content or grammar (I'm not so trained at writing English :) )

Thank you, see you soon