SSH, VNC & Tunnelling (updated)

I’ve been meaning to implement, what turned out to be, a simple security improvement with for connecting to my Pi over VNC.

Specifically, tunnelling my VNC connection over an SSH connection using Putty.

Prior to this change I used my router to forward an external non-standard port to the standard VNC port that I could use internally. In addition, I was only running my VNC connection as needed and strictly killing the service once it was no longer needed.  Thus limiting external exposure.

Now, if someone gets access to my system via SSH, I have far bigger issues to be concerned with, so while killing the service to reduce resource usage may be a good practice, its not the same level of concern.

Now, not only do I get to remove a port forwarding rule from my router, but my entire VNC session is encrypted.

The Method (minus Madness)

Starting with a Putty profile that I can already use to establish a successful SSH connection…

  1. Load the “Saved Session”
  2. Modify “Saved Session” name (e.g. add “- vnc” to the end) and save
  3. Category -> Connection -> SSH -> Tunnels
    1. Source Port: Set to an open local port (e.g. 5900)
    2. Destination:  Set to the VNC server’s address and port (e.g. localhost:5901)
    3. Click “Add”
  4. Go back to the “Saved Sessions” section and save again
  5. Open the VNC saved session in Putty

Now you should be able to connect to the VNC server with your VNC Viewer by going to “localhost:1” (change as appropriate if not using the default settings).

Source: http://martybugs.net/smoothwall/puttyvnc.cgi

Update: Connecting to a separate Windows box using Windows Remote Desktop

After successfully doing the above, I did not see a reason why it would not similarly work a host other than ‘localhost’.

And I was right, with the above instructions only changing slightly.

  • I set the Source Port to “3388”
  • And for the Destination, I set the value to the remote machine’s IP & port (e.g. 10.0.10.10:3389)

Since they do not conflict, I was even able to add this forwarded port to the same profile as my VNC tunneling.

Once configured, I only have to connect to “localhost:3388” with Windows Remote Desktop.

Note:  Port 3389 is the standard Windows Remote Desktop port.

Preface: Common ownCloud Path

(This is part of My ownCloud Adventure)

For any adventure to come to a successful conclusion, the proper preparations must first be made.

With my previous experience working with the Raspberry Pi I was able to quickly get a dedicated server setup and connected to my Synology NAS via NFS.

I should mention here, to plant a seed of thought, that throughout my endeavors the security posture of my system has been a constant consideration.  As an example, with my NFS configuration there are mounts available on my network that I did not give my ownCloud host access to… I am just not comfortable with some files being remotely accessible.

While not exhaustive, there are some common tasks that should probably be performed when setting up a new Raspbian instance:

SD Card Images

Throughout my adventure I made extensive use of Win32 Disk Imager to create images of the SD card.  This allowed me to configure common features once and just reload an image to start over if needed.

For example, I have an image that I created after performing my basic Raspbian updates and configurations.  After that I have an image with SSL certs and MySQL already taken completed.  This definitely made it much easier to go from Apache2, to lighttpd and finally end up at nginx with a “clean” system.

SSL Certs

To allow any of the webservers to utilize HTTPS, generating SSL certificates is the first task.  There are MANY resources available out there, but here are the basic commands I performed.

  1. cd /etc/sll
  2. sudo mkdir localcerts
  3. sudo openssl req -newkey rsa:2048 -x509 -days 365 -nodes -out /etc/ssl/localcerts/myServer.fqdn.pem -keyout /etc/ssl/localcerts/myServer.fqdn.key
  4. sudo chmod 600 localcerts/meister*

These commands result in 2 files as output:  a PEM certificate & a key.  Both are used by any webserver to enable HTTPS.

You will be asked a number of questions during key generation.  Since this results in a self-signed key, answer them however you like.  Except for the FQDN question, I’m not sure any of them even technically matter.  And in the case of the FQDN question, I didn’t care if its value matched my dynamic DNS name or not.

The one important technical detail is that if you do not want to enter a password every time your webserver starts, then do not enter a password when prompted.

Good Resources:

MySQL

ownCloud supports multiple database backends, but I chose MySQL since its familiar to me (although I do wish MariaDB were available in the Raspbian repository).

  1. sudo aptitude
    1. Install MySQL server
    2. The install will ask for a ‘root’ password for your new database server
  2. mysql_secure_installation
    • A script that performs a number of standard bets practice configurations.  Be sure to follow its recommendations!
  3. mysql -u root -p
    • No need to put your password in as an option, you will be prompted
  4. At the “mysql>” prompt
    • create database myOcDbase;
    • create user ‘myOcUser’@’localhost’ identified by ‘myUserPass’;
    • create user ‘myOcUser’@’127.0.0.1’ identified by ‘myuserPass’;
    • grant all privileges on myOcDbase.* to ‘myOcUser’@’localhost’;
    • grant all privileges on myOcDbase.* to ‘myOcUser’@’127.0.0.1’;
    • exit

Good Resource:  http://dev.mysql.com/doc/refman/5.5/en/index.html

Acquiring ownCloud

Getting a hold of ownCloud is not difficult and can be accomplished via various means.

I originally dabbled with manually adding an ownCloud repository to my system’s repo list.  I just followed the instructions found for Debian off ownCloud’s Linux packages install link.

  1. cd /etc/apt/sources.list.d
  2. sudo nano owncloud.list
    • Enter:  “deb http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/ /”
    • save and exit
  3. cd
  4. wget http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/Release.key
  5. apt-key add – < Release.key
  6. sudo apt-get update
  7. sudo apt-get install owncloud

While this method did work and is not a bad way to go, especially considering its many advantages… I was unsure of how quickly the repository would be updated with new versions, so I instead elected to go with the manual install.

  • cd
  • wget http://download.owncloud.org/community/owncloud-5.0.10.tar.bz2
    • As versions change, this link will change.  So be sure to get the latest Tar link.
  • tar -xjvf owncloud-5.0.10.tar.bz2
  • mv owncloud owncloud_5.0.10
  • cp -r owncloud_5.0.10 /var/www
  • cd /var/www
  • sudo chmod -R www-data:www-data owncloud_5.0.10
  • sudo ln -s owncloud_5.0.10 owncloud
    • Using a symbolic link in this fashion can help in the future with manual updates.  Just follow ownCloud’s manual update instructions and pre-position the latest version’s directory under /var/www and re-do the symlink for a quick and easy upgrade

And that seems to wrap up the common activities across each of the volumes in my adventure.

Raspbian – Misc To-Done

Misc things I’ve done to configure my Pi for my personal usage.

Most have to be done via “sudo”

  • Create a new user, separate from “pi”
    • Command:  ‘adduser’
    • Appears to be a Debian specific command, different than the usual Linux ‘useradd’
  • Make new user’s primary group be “users”
    • Since I’m connecting to my Synology NAS over NFS, this allows any files I create as the new user to be part of a common group between the Pi and NAS
    • Command: ‘usermod -g users <newuser>’
  • As “pi” user, give new user ‘sudo’ access
    • Command: ‘visudo’
  • Create RSA key for authentication
    • Command: ‘ssh-keygen’
    • Be sure to keep your key safe and retrievable so that access is not lost… Don’t lose your key!
  • Add pub key to “~/.ssh/authorized_keys” file for new user
  • After achieving access via key authentication, disable SSH password authentication
    • Edit /etc/ssh/sshd_config
    • “PasswordAuthentication no”
  • Optional, specify SSH access for accounts
    • Edit /etc/ssh/sshd_config
    • At bottom of the file, add:
      • AllowUsers newUser1 newUser2
    • Good way to leave default “pi” user “active”, but not directly accessible via SSH
  • Changed hostname
    • nano /etc/hosts
    • nano /etc/hostname
    • reboot
  • Install rsync
    • aptitude install rsync
  • rsync backup script caused an error
    • Error: Too many open files
    • Testing solution: edit /etc/security/limits.conf
      • @users     hard     nofile     32768
  • Configure NTP to sync with NAS
    • Edit /etc/ntp.conf
    • Comment out existing lines starting with “server” that look like “server 0.debian.pool.ntp.org”
    • Add line like “server <nas IP>”
    • Save
    • service ntp restart

To be continued…

Raspbian – SSH Keys

Very important note: once you get access to your Pi, do regenerate the SSH keys.
Since Raspbian (and basically all the other distributions) are distributed as prepared images to copy onto the SD card, it is not safe to keep the default SSH keys.
To regenerate the keys proceed as follows:

# sudo rm /etc/ssh/ssh_host_*
# sudo dpkg-reconfigure openssh-server

Source: http://www.slblabs.com/2012/08/16/rpi-ssh-ip/