1 RemoteRemote AdministrationAdministration ofof DesktopDesktop SystemsSystems AdamAdam JohnJohn TrickettTrickett www.iredale.net [email protected] PGP Key: 0xAF0DB8C8 Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 2 GeneralGeneral problemproblem • $ou need to connect to a remote system • $ou need to administer the system (upgrade, re&air, extend etc.) • $ou need to see the desktop as the user sees it • The end user may not be technical Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. * TopologyTopology Firewall Other Your +nternet PC PC Router Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. , TechnicalTechnical problemsproblems • -here is the other P / • 0ost +". on!y o1er dynamic +. • 2ow do I get through the fire3a!!/ • 5ac# make and mode! is different • 2ow do I reach t#e PC on the inside/ • 0ost networks use dynamic 6 &rivate +.s on the inside • -hat needs to be installed on the tar'et system/ • Not a!! systems #ave everyt#in' insta!!ed by de4ault Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 7 WhereWhere isis thethe otherother PCPC • The best solution is a static IP for the router84ire3all • "tandard 3ith some +".s • 9&tiona! cost extra 3ith ot#ers • +4 dynamic is the only o&tion, then: • "ome routers/fire3a!!s wi!! auto-update Dynamic DNS services • $ou can insta!! a dynamic DNS client on the tar'et . • $ou can create a script to emai! you t#e e(terna! +. Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. ; FireFire allall -- rulesrules • 0ost sane routers a!lo3: • A!! &orts outbound • A!! &orts inbound that are &art of an outbound &air • A!! &orts inbound that are not &art of a &air are denied • $ou will need to tell it to allo3 at least one port inbound: • "ome #ave virtua! <D0=> • "ome #ave 'enera! ru!es Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 7 RouterRouter -- ForFor ardingarding • The remote system?s fire3all/router needs to 4or3ard incoming connections: • of type @, e.g. tc& • of &ort $, e.g, 22 • to +P address =, e.g. 1A2.1;B.0.10 • External port number and interna! port number are the same by de4ault Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. B RouterRouter –– NAT%DHCPNAT%DHCP • $ou need to ensure that the PC you want to reach has the same private IP so that the NAT rule points to the correct system every time: • D2 P reservation usin' 0A address • "tatic configuration in router and . Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. A BasicBasic toolstools -- SSHSSH • "ecure "#e!! (“""2>) • Ce&!aces Telnet, r!o'in, rs#, D& etc • "tandard on a!most a!! Einu(8Fnix systems • "ecure • "up&orts &ort 4or3ardin' • reates a tem&orary on-demand instant <VPN-!ite> Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 10 ()tra()tra toolstools • 0obi!e Shell %<Mos#>) • Dea!s 3it# !ost connections better than ""2 • Does not su&&ort &ort 4or3ardin' • 9&enV.N • Guilds a &ermanent secure brid'e between systems • Doesn't reHuire user con4iguration to use • Cequires administrative configuration to set-u& • 0ore comp!ex t#an ""2 Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 11 GeneralGeneral installationinstallation • 9&enS"2 server, though in a!! distros is not insta!!ed by de4au!t on all o4 them • 0osh is widely avai!able but not installed by de4ault on most8all • "udo is widely available and insta!led by de4ault on many but all • "creen is widely available but not installed by de4ault on most8all Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 12 SpecificSpecific installationinstallation • linu(vnc shares t#e physical conso!e as VNC session, use4u! in emer'encies or headless servers • x11vnc shares t#e desktop X session as a VNC session and a!lows you to interact with the deskto& at t#e same time as the user • There are others but I'm not going to talk about them Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 1* ForFor ardingarding SSHSSH portsports • The remote system?s fire3all/router needs to: • Ior3ard T . &ort on the externa! side to T P &ort on t#e tar'et . • ""2 norma!!y uses tc& &ort 22 • 0os# norma!!y uses ud& &ort ;0001 (and up) &!us ""2 to start 3ith on!y • 0any people change the externa! port to reduce t#e noise from script kiddies Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 1, BasicBasic AdministrationAdministration • Fse S"H/Mosh to connect to the remote system • De4ault ""2 configuration 3il! 3ork but you need to #arden it • Cun norma! command !ine too!s 4rom !ogin s#e!! of your c#oice • Jood 4or day to day administration and a!! standard tasks • No 'ood if you need to see 3#at the user sees or configure a deskto& a&&!ication Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 17 &arden&arden SS&SS& • 9&en S"2 is pretty 'ood but it is not as secure as it can be out o4 the bo( on most Linux distributions: • Turn off &ass3ord !ogin K on!y a!!ow ""2 keys • Turn off root !o'in K on!y a!!ow rea! users • "&ecify the named users you 3ant to a!!o3 • Turn off ""2 &rotoco! 1 K it may stil! be turned on in some distros Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 1; ConfigureConfigure SSHSSH ClientClient • Edit your ~/.ssh/config 4ile: Host <machinename>* <ip address> HostName <machinename.network.com> user <your username on machinename> Port <TCP port num er> ForwardX11 yes Compression yes LocalForward localhost:5900 localhost:5900 Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 17 ProcedureProcedure • Add your S"H-Ley to your ""2-A'ent • "tart your S"H session to the other system • ss# mac#inename • $our de4au!t shell starts at the other end • "tart screen • "tart any @ &ro'rams • "tart x11vnc or !inuxvnc • "tart your VN client on your deskto& Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 1B WhatWhat doesdoes SSHSSH forfor ardingarding do*do* • -hen you start x11vnc or linuxvnc they start to listen on the local host o4 the remote system on tcp port 7A00 by de4ault • The S"H c!ient on your PC also listens on TCP port 7A00 locally, but 4or3ards t#e packets to the remote system to its T . port 5900 • That means an insecure protocol like VNC is no3 running over a secure and com&ressed S"2 connection Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 1A VNC !ient x11VNC T . 7A00 T P 7A00 !isten !isten ""2 "erver ""2 !ient "ecure ""2 T P 22 !isten Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 20 )++,nc)++,nc configurationconfiguration • To automate and 'et the best out o4 x11vnc without end user interaction – there are a lot o4 optionsM • "omething like: $ sudo x11vnc -nopw -localhost -ncache 10 -ncache_cr \ -q -nodpms -auth <something> Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 21 linuxvnclinuxvnc configurationconfiguration • Exports a physica! terminal • Fse4ul i4 X has fai!ed to start • A!!o3s you to see kernel messa'es etc • 94 only limited use, but nice to kno3 $ sudo linuxvnc 1 -alwaysshared Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 22 DemoDemo Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 2* Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 2, Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 27 Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 2; Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 27 Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 2B Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. 2A Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence. *0 Version 1.0.0 © Adam Trickett, January-2017 Distributed under a creative commons Attribution-Non ommercia!-"#areA!ike !icence.