First, make sure that the server itself is secure. The tunneled traffic is encrypted while it crosses the Internet, but once the ssh server hands it to the local service it is plaintext again, so anyone with root access on that machine can read it with a sniffer such as ngrep. For example, in conjunction with the dsniff program mentioned above, the following command captures all traffic on the loopback interface, including the decrypted POP and IMAP sessions: ngrep -d lo. Securing the server is, however, beyond the scope of this paper.
We'll use the POP (port 110), IMAP (port 143), SMTP (port 25), VNC (Virtual Network Computing, ports 5901 and up) and NTOP (default port 3000) services for this example. All traffic will be forwarded to each service's respective port on the remote host running the ssh server. Unless a service binds to a specific interface by default or is configured to do so, it listens on all interfaces of the remote host. To show how effective tunneling over ssh is, we will allow particular services to accept connections only from the local (loopback) interface.
You don't have to change your current security configuration to do this. We will use tcp_wrappers, which is installed by default with RedHat 7.0 (and previous versions), to control access to the network services.
In the /etc/hosts.deny file add the following line:
ALL : ALL
And in your /etc/hosts.allow file add the following lines:
sshd : ALL
in.ftpd : 127.0.0.1
ipop3d : 127.0.0.1
imapd : 127.0.0.1
This lets sshd (the ssh server) accept connections from any IP address, while the other wrapped services accept connections only from the local interface. (tcp_wrappers consults hosts.allow first; a daemon/client pair that matches no rule there is checked against hosts.deny, which is why the remaining services are refused from anywhere else.) You can verify this right now by configuring a mail client to connect to your remote POP or IMAP server, or an ftp client to connect to your ftp server: the connection will be refused. You'll also need to set up user accounts for these services. (Note: The setup above is meant for services that are for internal use only, where remote users need to reach them to send and receive email or transfer files. Services can also be left available for public use and still be carried encrypted over ssh with MindTerm.) If MindTerm will be used as an applet from a web page to create tunnels or to use the secure copy GUI features, the MindTerm archive and its HTML page must also be published by a web server on the ssh host, since an unsigned applet may only open connections back to the host it was loaded from; no Java Runtime Environment (JRE) is needed on the server for this, because the applet runs in the client's JRE.
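To see how tcp_wrappers will evaluate the rules above before touching a live box, the following POSIX shell script (an example added for this paper, not part of the original or of tcp_wrappers itself) embeds the two files as constructed strings and applies tcp_wrappers' evaluation order: the first matching rule in hosts.allow grants access, otherwise the first matching rule in hosts.deny refuses it, otherwise access is granted. It only understands the pattern forms used here (ALL, an exact daemon name, an exact address and a dotted prefix such as 192.168.1.), not EXCEPT clauses, hostnames or netmasks, and the client address 203.0.113.7 is a made-up remote address.

```shell
#!/bin/sh
# Added example: simulate tcp_wrappers access decisions for the paper's rules.
# The two files are embedded as constructed strings so this runs without
# touching /etc; it is not tcp_wrappers itself and supports only a subset
# of its pattern language.
HOSTS_ALLOW='sshd : ALL
in.ftpd : 127.0.0.1
ipop3d : 127.0.0.1
imapd : 127.0.0.1'
HOSTS_DENY='ALL : ALL'

# match_token PATTERN VALUE -> 0 if PATTERN matches VALUE.
# Supported: ALL, exact match, and a dotted prefix such as "192.168.1.".
match_token() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;
    *)   if [ "$1" = "$2" ]; then return 0; fi ;;
  esac
  return 1
}

# match_list LIST VALUE -> 0 if any comma/space separated token in LIST matches.
match_list() {
  list=$1; val=$2
  for tok in $(printf '%s' "$list" | tr ',' ' '); do
    match_token "$tok" "$val" && return 0
  done
  return 1
}

# file_matches CONTENT DAEMON CLIENT -> 0 if some "daemon_list : client_list"
# rule in CONTENT matches both the daemon and the client.
file_matches() {
  content=$1; daemon=$2; client=$3
  while IFS= read -r line; do
    case "$line" in ''|\#*) continue ;; esac   # skip blank lines and comments
    dlist=${line%%:*}; clist=${line#*:}
    if match_list "$dlist" "$daemon" && match_list "$clist" "$client"; then
      return 0
    fi
  done <<EOF
$content
EOF
  return 1
}

# wrapper_decision DAEMON CLIENT -> prints ALLOW or DENY, in tcp_wrappers order:
# hosts.allow match grants, else hosts.deny match refuses, else access is granted.
wrapper_decision() {
  if file_matches "$HOSTS_ALLOW" "$1" "$2"; then echo ALLOW
  elif file_matches "$HOSTS_DENY" "$1" "$2"; then echo DENY
  else echo ALLOW
  fi
}

# Walk through the paper's scenario: a remote mail client hitting POP directly
# is refused, the same daemon reached through the tunnel (which the daemon sees
# as coming from 127.0.0.1) is accepted, sshd is open so the tunnel can be built,
# and a service with no hosts.allow entry is refused even from the loopback.
for pair in 'sshd 203.0.113.7' 'ipop3d 203.0.113.7' 'ipop3d 127.0.0.1' \
            'imapd 127.0.0.1' 'in.telnetd 127.0.0.1'; do
  set -- $pair
  printf '%-10s from %-15s -> %s\n' "$1" "$2" "$(wrapper_decision "$1" "$2")"
done
```

The last case is the important one for a tunneling setup: because hosts.deny refuses everything not explicitly allowed, a forwarded connection arriving on 127.0.0.1 still only reaches the daemons you listed in hosts.allow.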
The only client configuration needed is to be sure that a JRE is installed for your platform. Windows and MacOS 8 and later ship with a JRE; on Windows it is recommended to install Sun's JRE. IBM has a list of ports of the JRE to various platforms: http://www-105.ibm.com/developerworks/tools.nsf/dw/java-devkits-byname, as does Sun: http://java.sun.com/cgi-bin/java-ports.cgi.
(You don't need the entire Java development kit with its debuggers and compilers; the Java Virtual Machine alone is enough to run Java applications.) Also, for the tutorial that follows, unzip the MindTerm archive, either MindBright's or ISNetworks' implementation, into c:\mindterm on Windows.