Tuesday, July 17, 2007
Now get Putty.exe for you client computer from HERE and run it.
Fill in your IPCop's host name or public IP and then change the port to 222.
Next, expand Connection, then SSH and select Tunnels.
Add a new forwarded port source 3399 (since this one isn't commonly used) and forward it to the target server's internal IP (NOT the IPCop's IP!) and add a :3389 to the end of the string as in the second figure.
Go back to Session, click Save, and give this connection a name. Click Open, and you will be prompted for a username and password - give these (preferably the remote user we created earlier instead of the dangerous root user) and you will get a prompt. You're done with Putty for now!
Now go to Start, Run, and type mstsc.
Fill in the Server line with localhost:3399 and hit connect. If all been done correctly, you will get a remote desktop on your target machine.
Some background: Microsoft RDP (Remote Desktop Protocol) has vulnerabilities with regards to security and encryption (details are beyond the scope of this post). If we use a protocol that is more secure (namely SSH), then tunnel RDP through the more secure protocol, we wind up with a much more secure implementation.
- IPCop Firewall - or your favorite Linux distro server serving up SSH on a public IP address - I'll only address IPCop, but this can be generally applied.
- Remote Desktop Server (Like Windows XP Pro or Windows Server 2003 - other protocols like VNC will work with this, you just ned to know the required ports to fill in on your Putty Tunnel settings.
- A Windows client with Putty installed (it's easy, just go here -- and download putty.exe)
SSH to your IPCop as root and sign in.
Create a new user called remote as a member of a new group (also named remote) and use this user for shared remote access. As root, issue the following commands to add the new user:
useradd -s /bin/bash -g remote -m -k /dev/null remote
The meaning of the command line options (from ifs.vlsm.org):
- -s /bin/bash
This makes bash the default shell for user lfs.
- -g remote
This option adds user remote to group remote.
This creates a home directory for remote.
- -k /dev/null
This parameter prevents possible copying of files from a skeleton directory (default is /etc/skel) by changing the input location to the special null device.
This is the actual name for the created group and user.
To log in as remote (as opposed to switching to user remote when logged in as root, which does not require the remote user to have a password), give remote a password: