250 lines
5.5 KiB
HTML
250 lines
5.5 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Server and Client Configurations</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.63
|
|
"><LINK
|
|
REL="HOME"
|
|
TITLE="Encrypted Tunnels using SSH and MindTerm HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Software Installation"
|
|
HREF="software-install.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Creating the tunnels"
|
|
HREF="creating-tunnels.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Encrypted Tunnels using SSH and MindTerm HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="software-install.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
></TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="creating-tunnels.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="CONFIGURATIONS"
|
|
>4. Server and Client Configurations</A
|
|
></H1
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="SERVER-CONFIG"
|
|
>4.1. Server Configuration</A
|
|
></H2
|
|
><P
|
|
>First, make sure that your server is secure. Though traffic is encrypted as it travels over the Internet, it
|
|
can be sniffed if someone has root access on the local machine and uses a program like
|
|
<A
|
|
HREF="http://www.packetfactory.net/Projects/ngrep"
|
|
TARGET="_top"
|
|
>
|
|
ngrep</A
|
|
> to sniff traffic on a local machine. For example, in
|
|
conjunction with the dsniff program mentioned above, the following command could sniff all traffic
|
|
on the local interface network: <B
|
|
CLASS="COMMAND"
|
|
>ngrep -d lo</B
|
|
>. Securing the server is, however, beyond the scope of this
|
|
paper.</P
|
|
><P
|
|
>We'll use the POP (port 110), IMAP (port 143), SMTP (port 25), VNC (Virtual Network Computing)
|
|
(5901+), and NTOP (default port 3000) services for this example. All traffic will be forwarded to each
|
|
service's respective port on the remote host running the ssh server. All services listening on the
|
|
remote host listen on all interfaces, unless the service binds to a specific port by default or if manually
|
|
configured. In order to show how effective this technique of tunneling over ssh is, we will only allow
|
|
particular services to listen on the local interface.</P
|
|
><P
|
|
>You don't have to change your current security configurations, however. We will use tcp_wrappers,
|
|
that is installed by default with RedHat 7.0 (and previous versions), to connect to the network services.
|
|
In the <TT
|
|
CLASS="FILENAME"
|
|
>/etc/hosts.deny</TT
|
|
> file add the following line:</P
|
|
><P
|
|
> <TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
>ALL : ALL</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
>And in your <TT
|
|
CLASS="FILENAME"
|
|
>/etc/hosts.allow</TT
|
|
> file add the following lines:</P
|
|
><P
|
|
><TABLE
|
|
BORDER="0"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="PROGRAMLISTING"
|
|
> sshd : ALL
|
|
in.ftpd : 127.0.0.1
|
|
ipop3d : 127.0.0.1
|
|
imapd : 127.0.0.1</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
></P
|
|
><P
|
|
>This sets sshd (the ssh server) to allow connections from anywhere any IP address. The other services
|
|
only allow connections from the local interface. You can verify this by configuring a mail client to
|
|
connect to your remote pop or imap server and/or an ftp client to connect to your ftp server, right now.
|
|
It won't allow you to connect. You'll also need to set up any user accounts to allow access to these
|
|
services. (Note: The setup above is only useful if the services are only for internal use and remote users
|
|
need to access the internal services to send and receive email or transfer files. The services can be
|
|
available for public use and be encrypted with ssh and MindTerm.) If MindTerm will be used over the
|
|
web to create tunnels or use the secure copy GUI features then a Java Runtime Environment (JRE)
|
|
will need to be installed on the server running SSH as well.</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="SECT2"
|
|
><H2
|
|
CLASS="SECT2"
|
|
><A
|
|
NAME="CLIENT-CONFIG"
|
|
>4.2. Client Configuration</A
|
|
></H2
|
|
><P
|
|
>The only client configuration that is needed is to be sure that a JRE is installed for your platform.
|
|
Windows and MacOS 8 and later have a JRE already installed. It is recommended to install Sun's JRE
|
|
on Windows. IBM has a list of ports of JRE's to various plaforms:
|
|
<A
|
|
HREF="http://www-105.ibm.com/developerworks/tools.nsf/dw/java-devkits-byname"
|
|
TARGET="_top"
|
|
>http://www-105.ibm.com/developerworks/tools.nsf/dw/java-devkits-byname</A
|
|
> as well as Sun:
|
|
<A
|
|
HREF="http://java.sun.com/cgi-bin/java-ports.cgi"
|
|
TARGET="_top"
|
|
>http://java.sun.com/cgi-bin/java-ports.cgi.</A
|
|
>
|
|
(You don't need the entire Java package with the debuggers
|
|
and compilers you just need the Java Virtual Machine to run java applications.) Also, for the tutorial
|
|
that follows, unzip the MindTerm archive, MindBright's or ISNetwork's implementation, archive into
|
|
<TT
|
|
CLASS="FILENAME"
|
|
>c:\mindterm</TT
|
|
> for windows.</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="software-install.html"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="creating-tunnels.html"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Software Installation</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
> </TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Creating the tunnels</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |