Tunneling GUI Logins through SSH

Unfortunately, neither X nor VNC was designed with great attention to security. With the exception of VNC passwords, which are delivered over the network in encrypted form, data sent via both of these protocols isn't very well protected. These protocols, therefore, make poor choices for use in high-security environments or over the Internet at large. The solution in both cases is to enlist the help of SSH in encrypting data transfer sessions.

Note: Enabling encryption is only part of the GUI login security puzzle. To improve security further, you should also restrict access to the unencrypted ports. You can use firewall rules, as described in Chapter 20, to do this job. X servers listen on ports 6000 and up, while VNC servers listen on ports 5900 and up (5800 and up for versions that accept HTTP logins with Java). In both cases, the first session uses the lowest-numbered port (6000, 5900, or 5800), the second session takes the next-higher port, and so on. For the best security, block the entire range from 5800 to 6099 to everything but local access.
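The following shell script is an added example, not part of the book's text, that puts the two pieces above together: it maps display numbers to the port ranges just described, builds the `ssh -L` command that carries a VNC session inside an encrypted SSH connection, and prints iptables rules that block the plaintext X/VNC port range from anything but the loopback interface. The remote host name (`remote.example.org`), the VNC display number, and the use of iptables as the local firewall are assumptions for the sake of the example.

```shell
#!/bin/sh
# Added example (not from the book). Assumes: a VNC server on the remote host
# listening on a numbered display, an SSH server on that host, and an
# iptables-based firewall on the local machine.

# Port used by a given display number. X display :0 listens on 6000,
# VNC display :1 on 5901, and the Java/HTTP VNC front end for :1 on 5801.
x_port()        { echo $((6000 + $1)); }
vnc_port()      { echo $((5900 + $1)); }
vnc_http_port() { echo $((5800 + $1)); }

# Build the ssh command that forwards a local port to the remote VNC display.
# -N opens no shell (tunnel only); binding the local end to 127.0.0.1 keeps
# other hosts on the LAN from riding the tunnel. The optional third argument
# picks a different local port in case a local VNC server already uses it.
vnc_tunnel_cmd() {
    remote="$1"
    display="$2"
    localport="${3:-$(vnc_port "$display")}"
    echo "ssh -N -L 127.0.0.1:${localport}:127.0.0.1:$(vnc_port "$display") ${remote}"
}

# Firewall rules that allow the plaintext X/VNC range 5800-6099 only on the
# loopback interface and drop it everywhere else. They are printed rather
# than applied so they can be reviewed first; run as root to apply them.
firewall_rules() {
    cat <<'EOF'
iptables -A INPUT -i lo -p tcp --dport 5800:6099 -j ACCEPT
iptables -A INPUT -p tcp --dport 5800:6099 -j DROP
EOF
}

# Typical use (commands are printed, not executed):
#   vnc_tunnel_cmd remote.example.org 1   # then point vncviewer at localhost:1
#   firewall_rules | sh                   # as root, on the machine running the servers
```

For X sessions the usual approach is `ssh -X remote.example.org`, which makes sshd set `DISPLAY` to a forwarded channel so that X traffic never touches port 6000 in the clear; the `-L` form above is needed for VNC because the VNC viewer has no equivalent built-in forwarding. With the firewall rules in place, only the SSH daemon on the remote side (which connects to 127.0.0.1) can reach the VNC or X port, so a client that forgot to tunnel simply fails to connect instead of silently sending its session unprotected.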
