Question: Open ports / port forwarding

Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

Question: Open ports / port forwarding

Can someone clue me in about this, please?

I want to try to access my linux box from anywhere on the 'net. I can do this using VNC (tightvnc in my case).
The two ways I think I can do this are:
1. Open the default port (5901 usually) on the router for tightvnc -- easy, but leaves the port open and relies on the tightvnc server's password for security
2. Set up a "SSH tunnel" using say Putty-ssh and "redirecting" the SSH port(22) to 22 on the router. I am given to understand that this is somehow "inherently" more secure

What I'm failing to understand is how: Surely in both cases 1 and 2 there's a port open on the router which could be exploited?

If I'm simply being dim please don't be hard on me ... I've been in bed with 'flu for 3 days AND I'm a BB+ user :roll:

tia

paul
6 REPLIES
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Question: Open ports / port forwarding

Take a look at;
http://www.nomachine.com/

I would recommend it over VNC for Linux remote control.
And it has Windows clients. (In fact that's how I use it.)

The free version is limited to two sessions and two users, but you can specify which two users.

Chilly
Community Veteran
Posts: 1,229
Thanks: 1
Registered: 30-07-2007

Question: Open ports / port forwarding

Thanks.
That looks like a good "static" solution. I wanted a "dynamic" solution, meaning being able to access the linux box from wherever I am. I think using NX would mean having to install their client on every machine from which I wish to access my linux box.
The reason I use tightvnc is that I can do either of two things with it: carry linux-on-a-stick around with me on my usb flash drive, which I can then boot into on any pc with a bootable usb drive, and utilise the native linux vnc client; OR, on the same usb stick, carry a single windows tightvnc executable <300k for when I can't do that.
I've already done both of these things by leaving the appropriate port open on my firewall, but I'm twitchy about that.
So my question was more about clarifying my understanding of the networking/security/ports issue.

paul
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Question: Open ports / port forwarding

To avoid answering your question once again.

I have copied the NoMachine program file directory "NX Client for Windows" to a memory stick and run it from there, no problems. (Written by unix programmers, so no registry use.)

As for the security risk of opening ports: any open port is a risk. What you need to do is ensure that the risk is as small as possible, so that it is acceptable.

The problem is that telnet / ssh / remote control software must be one of the biggest risks. But I am not qualified to answer questions on that subject.

Chilly
N/A

Question: Open ports / port forwarding

If you change the ports away from standard, given the HUGE number of ports out there, you're probably safe. If your router is set to refuse pings then your machine doesn't exist anyway as far as the rest of the world is concerned.
pacem
Grafter
Posts: 175
Registered: 07-09-2007

Question: Open ports / port forwarding

To answer your question;

ssh(d) is a security tool. It is written specifically to only allow one sort of connection. When you log in over ssh the entire connection is encrypted and can guarantee against man-in-the-middle attacks.

Tightvnc is a standard vnc connection: it does not encrypt the connection, so your password is visible to all; it has no knowledge of man-in-the-middle attacks; and it is likely to have many more exploits than ssh.

You might as well have asked what is the difference between telnet and ssh.

Paul.<><
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Question: Open ports / port forwarding

That covers "man in the middle" attacks.

But how safe is it to have an ssh port open to the Internet?

I was being modest above when I said that I am not qualified to answer, as I have enough knowledge to be dangerous on this subject, i.e. enough to sound convincing, but make a total fool of myself and leave you exposed to unnecessary risks.

How robust are the security and authentication systems within ssh to prevent for example, a brute force attack?

I could sit here all night trying to log in to your box, as root with a list of common passwords.
Perhaps there are other common users on your system with weaker passwords.

Are there any buffer overflow vulnerabilities in the version of ssh that you are using?

It really all comes down to the setup and configuration.
Here is a quick list of things I would research to improve security:

    Limit the hosts that can connect.
    Limit the users that can log in remotely.
    Enforce strong passwords / consider other authentication methods.
    Some form of Intrusion Detection System (IDS) that will pick up attacks.
    Move the service to a non-standard port.

And I am sure that there are more.

Chilly
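As an added example (not code from anyone in this thread), the script below audits an sshd_config file against the checklist in the last reply and prints the SSH tunnel command from the original question, so that only port 22 needs forwarding on the router while VNC stays bound to localhost. The sample configs, the user name, the host and the address ranges are constructed, hypothetical values.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the thread's checklist.
# sshd uses the FIRST uncommented occurrence of a keyword, so stop at the first hit.
sshd_opt() {  # $1 = config file, $2 = keyword; prints the value or nothing
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Prints one "FINDING: ..." line per weak setting; the caller counts them.
audit_sshd_config() {
    cfg="$1"
    [ "$(sshd_opt "$cfg" PermitRootLogin)" = "no" ] \
        || echo "FINDING: PermitRootLogin is not 'no' (root is the first account brute-forced)"
    [ "$(sshd_opt "$cfg" PasswordAuthentication)" = "no" ] \
        || echo "FINDING: PasswordAuthentication enabled; prefer keys (PubkeyAuthentication yes)"
    [ -n "$(sshd_opt "$cfg" AllowUsers)" ] \
        || echo "FINDING: no AllowUsers line; every local account may attempt a login"
    port=$(sshd_opt "$cfg" Port); : "${port:=22}"
    [ "$port" != "22" ] \
        || echo "FINDING: Port 22; a non-standard port only reduces scanner noise, not risk"
    # Limiting hosts: a 'Match Address' block (or the router firewall) restricts sources.
    grep -qi '^Match Address' "$cfg" \
        || echo "FINDING: no Match Address block; any source host may connect"
}

# The tunnel from the original question: local 5901 -> remote localhost:5901 over
# port 22 only. Start the server with 'vncserver -localhost' so 5901 never faces the net.
vnc_tunnel_cmd() {  # $1 = user@host as reachable from the Internet (hypothetical)
    echo "ssh -N -L 5901:127.0.0.1:5901 $1   # then: vncviewer localhost:1"
}

# Constructed sample configs (hypothetical values) for a stand-alone run.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$HARD_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers paul@203.0.113.0/24
Match Address 203.0.113.0/24
    PasswordAuthentication no
EOF

audit_sshd_config "$WEAK_CFG"
audit_sshd_config "$HARD_CFG"
vnc_tunnel_cmd paul@example.com
```

The weak config produces five findings and the hardened one none; the commented-out `#PermitRootLogin no` line is correctly ignored in favour of the live `yes`.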