LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/MindTerm-SSH-HOWTO/configurations.html

250 lines
5.5 KiB
HTML
Raw Permalink Blame History

<HTML
><HEAD
><TITLE
>Server and Client Configurations</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
"><LINK
REL="HOME"
TITLE="Encrypted Tunnels using SSH and MindTerm HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Software Installation"
HREF="software-install.html"><LINK
REL="NEXT"
TITLE="Creating the tunnels"
HREF="creating-tunnels.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Encrypted Tunnels using SSH and MindTerm HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="software-install.html"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="creating-tunnels.html"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="CONFIGURATIONS"
>4. Server and Client Configurations</A
></H1
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="SERVER-CONFIG"
>4.1. Server Configuration</A
></H2
><P
>First, make sure that your server is secure. Though traffic is encrypted as it travels over the Internet, it
can be sniffed if someone has root access on the local machine and uses a program like
<A
HREF="http://www.packetfactory.net/Projects/ngrep"
TARGET="_top"
>
ngrep</A
> to sniff traffic on a local machine. For example, in
conjunction with the dsniff program mentioned above, the following command could sniff all traffic
on the local interface network: <B
CLASS="COMMAND"
>ngrep -d lo</B
>. Securing the server is, however, beyond the scope of this
paper.</P
><P
>We'll use the POP (port 110), IMAP (port 143), SMTP (port 25), VNC (Virtual Network Computing)
(5901+), and NTOP (default port 3000) services for this example. All traffic will be forwarded to each
service's respective port on the remote host running the ssh server. All services listening on the
remote host listen on all interfaces, unless the service binds to a specific port by default or if manually
configured. In order to show how effective this technique of tunneling over ssh is, we will only allow
particular services to listen on the local interface.</P
><P
>You don't have to change your current security configurations, however. We will use tcp_wrappers,
that is installed by default with RedHat 7.0 (and previous versions), to connect to the network services.
In the <TT
CLASS="FILENAME"
>/etc/hosts.deny</TT
> file add the following line:</P
><P
> <TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
>ALL : ALL</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>And in your <TT
CLASS="FILENAME"
>/etc/hosts.allow</TT
> file add the following lines:</P
><P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="PROGRAMLISTING"
> sshd : ALL
in.ftpd : 127.0.0.1
ipop3d : 127.0.0.1
imapd : 127.0.0.1</PRE
></FONT
></TD
></TR
></TABLE
></P
><P
>This sets sshd (the ssh server) to allow connections from anywhere any IP address. The other services
only allow connections from the local interface. You can verify this by configuring a mail client to
connect to your remote pop or imap server and/or an ftp client to connect to your ftp server, right now.
It won't allow you to connect. You'll also need to set up any user accounts to allow access to these
services. (Note: The setup above is only useful if the services are only for internal use and remote users
need to access the internal services to send and receive email or transfer files. The services can be
available for public use and be encrypted with ssh and MindTerm.) If MindTerm will be used over the
web to create tunnels or use the secure copy GUI features then a Java Runtime Environment (JRE)
will need to be installed on the server running SSH as well.</P
></DIV
><DIV
CLASS="SECT2"
><H2
CLASS="SECT2"
><A
NAME="CLIENT-CONFIG"
>4.2. Client Configuration</A
></H2
><P
>The only client configuration that is needed is to be sure that a JRE is installed for your platform.
Windows and MacOS 8 and later have a JRE already installed. It is recommended to install Sun's JRE
on Windows. IBM has a list of ports of JRE's to various plaforms:
<A
HREF="http://www-105.ibm.com/developerworks/tools.nsf/dw/java-devkits-byname"
TARGET="_top"
>http://www-105.ibm.com/developerworks/tools.nsf/dw/java-devkits-byname</A
> as well as Sun:
<A
HREF="http://java.sun.com/cgi-bin/java-ports.cgi"
TARGET="_top"
>http://java.sun.com/cgi-bin/java-ports.cgi.</A
>
(You don't need the entire Java package with the debuggers
and compilers you just need the Java Virtual Machine to run java applications.) Also, for the tutorial
that follows, unzip the MindTerm archive, MindBright's or ISNetwork's implementation, archive into
<TT
CLASS="FILENAME"
>c:\mindterm</TT
> for windows.</P
></DIV
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="software-install.html"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="creating-tunnels.html"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Software Installation</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Creating the tunnels</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>
Reference in New Issue View Git Blame Copy Permalink