  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
1 edit | reply to Raphion Re: The most secure way to use Windows Remote Desktop
An alternative to changing the port in the /etc/sshd_config file on the server, and one that I use, is to keep the server listening on TCP Port 22 but redirect a high-numbered port through your firewall/NAT/router to TCP Port 22 on your server. When calling from a remote location use the new high-numbered port. See the attached image for an example of that...
Glad it's working for you... -- "When all else fails, read the instructions..."
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
1 edit | reply to SoonerAl
said by SoonerAl:
    Well, no I have not seen that error before...

Really?! Well, you haven't lived until you've scoured the databases looking for definitions to cryptic crap like this.
10053 or WSAECONNABORTED and other error messages extremely similar to these were all the rage in the mid 90s. ... before search engines were good.
App writers didn't want to take the time to translate the error, so they just popped it up to the user interface.
And, naturally, Joe Public was confused by this. -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~ --- [Mod Note: Edited to fix broken quote. --kc]
 Raphion
join:2000-10-14 Samsara
2 edits | reply to Raphion [edit] It seems I actually do NOT know how to change the port. I did get my keys setup, and password authentication off.
I noticed that both ssh_config and sshd_config have the passwordauthentication line. Should it be NO in both?
I saw the line "port" in ssh_config, but changing it breaks it. How do I change the port?
[edit yet again] I did figure it out after all: change the port in sshd_config, not ssh_config.
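The settings Raphion ended up changing live in the server-side file, and the keyword spelling, comment handling and defaults are easy to get wrong by hand. The script below is an added example (not code from the thread, CopSSH or OpenSSH) that parses the global section of an sshd_config and reports the three things this thread settles on: a non-default Port, PasswordAuthentication off, and key logins on. It assumes keywords are case-insensitive and may be separated from their value by whitespace or "=", that "#" starts a comment, that the first occurrence of a keyword wins, and that everything after the first Match line is conditional and so left out of the global view; both sample configs are constructed.

```python
"""Audit the global section of an OpenSSH sshd_config for the hardening
settings discussed in the thread. Added example, not OpenSSH/CopSSH code."""
import re
from typing import Dict, List

# Constructed sample: what a fresh install usually ships (relevant lines commented out).
WEAK_SSHD_CONFIG = """\
#Port 22
#PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
"""

# Constructed sample after the change made in sshd_config (not ssh_config).
HARDENED_SSHD_CONFIG = """\
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
Match User backup
    PasswordAuthentication yes
"""

# OpenSSH's documented defaults, applied when a keyword is absent or commented out.
DEFAULTS = {
    "port": "22",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "challengeresponseauthentication": "yes",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return the global keyword -> value map (keys lower-cased)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue                                  # keyword with no value: ignore
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                     # conditional section starts here
        settings.setdefault(key, value)               # first occurrence wins, as in sshd(8)
    return settings


def audit_sshd_config(text: str) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    cfg = parse_sshd_config(text)
    effective = {k: cfg.get(k, v).lower() for k, v in DEFAULTS.items()}
    findings: List[str] = []
    if effective["port"] == "22":
        findings.append("Port 22: default port; move it, or NAT-forward a high port to it")
    if effective["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication yes: passwords still accepted; set 'no' once key login works")
    if effective["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication no: key logins disabled, so nothing replaces passwords")
    if effective["challengeresponseauthentication"] != "no":
        findings.append("ChallengeResponseAuthentication yes: keyboard-interactive can still prompt for a password")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or ["ok"])
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the Match-block cut-off is deliberate, because a `PasswordAuthentication yes` inside a Match block applies only to the matched users and should be reviewed separately rather than counted as the global setting.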
 Raphion
join:2000-10-14 Samsara
| reply to Raphion Confusion over. I uninstalled and reinstalled COPSSH, and now I can login just fine. Must've messed something up accidentally the first time. Like being too lazy to actually logout and back into an admin account, and just using "runas" for the install, and then not bothering to reboot before messing with stuff.
I see the necessity and function of port forwarding now too. Have to do that even just to access the server machine over RDP, I see. I'm able to access multiple machines on my network over the tunnel now.
I'm going to try making my RSA keys next.
Can you tell me how to change the port number that COPSSH uses?
 Raphion
join:2000-10-14 Samsara
| reply to SoonerAl
said by SoonerAl:
    said by Raphion:
        Every step stumps me. Now I made accounts without spaces, and tried again, and PuTTY says "Network error: Software caused connection abort". This is why I say VPN or any other tunneling system is way over my head.
    I have never seen that error... Can you post screen shots of how you have PuTTY set up? Make sure you test locally before you try to do this over the public internet and test with a password before you try to set up and use a key pair.

I followed the link you gave exactly, only skipping the port forwarding because I'll only want to connect to the one machine for now, and replacing the address with my own of course.
I looked at the exchange between the machines using a sniffer, and what I see is: Client sends SYN from port 2145 to Server port 22, Server sends SYN ACK from port 22 to Client port 2145, Client sends ACK from port 2145 to Server port 22, Server sends RST ACK from port 22 to Client port 2145.
And that's all that happens.
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to funchords
said by funchords:
    said by SoonerAl:
        said by Raphion:
            and PuTTY says "Network error: Software caused connection abort".
        I have never seen that error...
    Oh, I'm sure you have seen it and don't recognize it because it's actually in text and not in the usual cryptic form. This is the WSAECONNABORTED error, and the 10053 error.

Well, no I have not seen that error before... -- "When all else fails, read the instructions..."
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| reply to SoonerAl
said by SoonerAl:
    said by Raphion:
        and PuTTY says "Network error: Software caused connection abort".
    I have never seen that error...

Oh, I'm sure you have seen it and don't recognize it because it's actually in text and not in the usual cryptic form. This is the WSAECONNABORTED error, and the 10053 error.
In this case, most likely Winsock sent data over the connection that was not acknowledged before a timeout, so Winsock closed the connection.
Another reason would be because Winsock couldn't open the connection due to some constraint, such as a socket's queue being full. -- Robb Topolski -= funchords.com =- Hillsboro, Oregon USA ~ Keeper of the D-Link FAQ ~ Did you Search? ~ More features, Free! Join BBR! ~
 YqE41k24 Premium join:2004-05-02 Tarrytown, NY
| reply to Raphion That's a good point.
»projects.cerias.purdue.edu/secpr···-Related Vulnerabilities »www-128.ibm.com/developerworks/w···=r,p=arp »www-128.ibm.com/developerworks/s···icle=wir
I'm a little puzzled why you can't figure out how to run a VPN, though.
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to Raphion
said by Raphion:
    Every step stumps me. Now I made accounts without spaces, and tried again, and PuTTY says "Network error: Software caused connection abort". This is why I say VPN or any other tunneling system is way over my head.

I have never seen that error...
Can you post screen shots of how you have PuTTY set up?
Make sure you test locally before you try to do this over the public internet and test with a password before you try to set up and use a key pair. -- "When all else fails, read the instructions..."
 Raphion
join:2000-10-14 Samsara
1 edit | reply to YqE41k24
said by YqE41k24:
    That's why in the link above, they say that this exploit is more viable with DNS than without. This isn't the kind of attack you'd run into at a coffee shop or public internet (unless you think the ISP is hosting the attack).

Why wouldn't it be easy to run on a coffee shop network? MITM attacks are extremely easy on a WiFi network. All you have to do is ARP poison both the target and the gateway, and then you have every bit of the target's IP traffic running through your machine, and can do whatever you want with it. I've done that on my own network, and it's child's play.
[edit] I suppose a well-run network would have guards in place to make MITM less easy, like kicking a client that sends out excessive ARPs. But I wouldn't expect to see anything like that in a small network like a hotel or hotspot, where they dole out private IPs to everyone via a SOHO DSL router. Though it would be a nice idea.
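The guard Raphion wishes small networks had is straightforward to build as a passive monitor. The detector below is an added example (not code from the thread) that watches ARP replies for the two signals a network operator can act on: an IP address whose MAC binding changes after it was first learned, and a station that sends an unusual number of replies in a short window. The reply records are constructed (seconds, sender IP, sender MAC) tuples rather than frames captured from an interface; the addresses and the rate threshold are assumptions.

```python
"""Passive ARP-spoofing detector: binding changes and ARP-reply floods.
Added example, not code from the thread; input is a constructed trace."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

ArpReply = Tuple[float, str, str]   # (seconds, sender IP, sender MAC)

GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:aa:aa:aa:aa:20"
ROGUE_MAC = "de:ad:be:ef:00:99"      # constructed: station that starts claiming both IPs

# Constructed trace: legitimate announcements, then one station claiming the gateway's
# and the victim's IP and repeating the gateway claim every 100 ms.
SAMPLE_ARP_REPLIES: List[ArpReply] = sorted(
    [(0.0, GATEWAY_IP, GATEWAY_MAC), (1.0, VICTIM_IP, VICTIM_MAC), (5.05, VICTIM_IP, ROGUE_MAC)]
    + [(5.0 + 0.1 * i, GATEWAY_IP, ROGUE_MAC) for i in range(12)]
)


def detect_arp_spoofing(replies: List[ArpReply], rate_limit: int = 10, window: float = 2.0) -> List[str]:
    """Return one alert per (IP, new MAC) binding change and one per station
    that reaches `rate_limit` replies within `window` seconds."""
    bindings: Dict[str, str] = {}                          # IP -> MAC first seen claiming it
    reported: Set[Tuple[str, str]] = set()                 # (ip, mac) pairs already alerted on
    recent: Dict[str, Deque[float]] = defaultdict(deque)   # MAC -> reply times inside window
    alerts: List[str] = []
    for t, ip, mac in replies:
        first = bindings.setdefault(ip, mac)
        if first != mac and (ip, mac) not in reported:
            reported.add((ip, mac))
            alerts.append(f"{t:.2f}s binding change: {ip} was {first}, now claimed by {mac}")
        q = recent[mac]
        q.append(t)
        while q[0] < t - window:                           # slide the window forward
            q.popleft()
        if len(q) == rate_limit:                           # alert once, when the threshold is crossed
            alerts.append(f"{t:.2f}s excessive ARP: {mac} sent {rate_limit} replies in {window:g}s")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(line)
```

Two caveats for real deployment: a monitor on a switched network only sees ARP traffic that is broadcast or addressed to it, so it catches gratuitous/broadcast claims but not every unicast reply; and the first-seen binding is trusted, so the monitor should be started from a known-good state (or seeded with the gateway's real MAC) rather than on a network that is already being poisoned.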
 YqE41k24 Premium join:2004-05-02 Tarrytown, NY
| reply to Raphion Thank you for the link. I skimmed through the article and this discussion
»groups.google.com/group/microsof···deddc08e
I don't like the looks of the Cain & Abel program. Anyways... you would have to work to use this RDP attack. You need to position yourself and the environment such that the RDP client initiates a connection to you instead of the real RDP server. That's why in the link above, they say that this exploit is more viable with DNS than without. This isn't the kind of attack you'd run into at a coffee shop or public internet (unless you think the ISP is hosting the attack). This attack is also not specific to the RDP protocol. SSH would have the same vulnerability, for instance, were it not for the fact that each server generates and publishes its own certificate.
Here are some "famous last words". 
I wouldn't leave anything like that in service all the time either. This is how holes often appear in networks. Somebody opens up a port for a special case, gets distracted, and the port remains open. It would be better, IMHO, to set up a VPN which you can leave active and secure. If you can understand the RDP attacks and open/close ports, you shouldn't have any trouble setting up a VPN these days.
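What makes the SSH half of that remark true is the client-side check, not the server's key by itself: an SSH client records each server's public host key in known_hosts and refuses to continue when the same host presents a different key, so a machine that merely answers on the expected address cannot stand in for the real server. The code below is an added example (not code from the thread or from any SSH client) that re-implements the known_hosts lookup and the OpenSSH-style SHA256 fingerprint with the standard library. It assumes plain, unhashed known_hosts lines of the form `host keytype base64key`, and the key blobs are constructed byte strings rather than real public keys.

```python
"""Host-key pinning as an SSH client does it: known_hosts lookup plus fingerprint.
Added example, not code from the thread or from any SSH implementation."""
import base64
import hashlib
from typing import Dict, Tuple

HostKeyTable = Dict[Tuple[str, str], str]   # (host, keytype) -> base64 key blob


def _blob(label: str) -> str:
    """Constructed stand-in for a public key blob (not a real key)."""
    return base64.b64encode(f"constructed key blob: {label}".encode()).decode()


HOME_SERVER_KEY = _blob("home server")
OTHER_KEY = _blob("some other key")

# Constructed known_hosts file: the home machine's key, recorded on first contact,
# once for the default port and once for the non-default port form.
KNOWN_HOSTS = f"""\
# hostname keytype key
home.example ssh-rsa {HOME_SERVER_KEY}
[home.example]:2222 ssh-rsa {HOME_SERVER_KEY}
"""


def fingerprint(b64key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(key blob)."""
    digest = hashlib.sha256(base64.b64decode(b64key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def load_known_hosts(text: str) -> HostKeyTable:
    """Parse plain known_hosts lines; a line may list several comma-separated hosts."""
    table: HostKeyTable = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        for host in parts[0].split(","):
            table[(host, parts[1])] = parts[2]
    return table


def verify_host_key(table: HostKeyTable, host: str, keytype: str, presented: str) -> str:
    """Return 'match' (proceed), 'unknown' (first contact: confirm the fingerprint
    out of band before trusting it) or 'mismatch' (refuse: key changed or wrong host)."""
    expected = table.get((host, keytype))
    if expected is None:
        return "unknown"
    return "match" if expected == presented else "mismatch"


if __name__ == "__main__":
    table = load_known_hosts(KNOWN_HOSTS)
    print(fingerprint(HOME_SERVER_KEY))
    print(verify_host_key(table, "home.example", "ssh-rsa", HOME_SERVER_KEY))
    print(verify_host_key(table, "home.example", "ssh-rsa", OTHER_KEY))
```

The 'unknown' outcome is the weak point of this scheme: the first connection from a new client (say, from the coffee shop) has nothing to compare against, which is why the fingerprint should be written down from the console at home and checked against the one shown on that first prompt.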
 Raphion
join:2000-10-14 Samsara
| reply to YqE41k24
said by YqE41k24:
    This article describes one vulnerability to Windows Remote Desktop. It sounds real, but an attacker would have to be pretty determined to get anywhere with it.
    »www.xatrix.org/article.php?s=1943
    I don't think there's any practical problem with using RDP over a clear channel (unless you are worried about targeted corporate espionage...). But taken from a system perspective, why would you want to? A better system design is to use a VPN-capable firewall to protect you from snooping and your inner equipment from the internet. You could use straight RDP, but it's better to have a secure entrée into your LAN through one path instead of opening one-off paths with firewall rules for protocol-specific ports.

I read about a worse exploit that allows total decryption of the whole RDP session. »www.oxid.it/downloads/rdp-gbu.pdf (Sorry it's a PDF) And it's built right into a program called Cain & Abel, so you don't even have to work much at all to use it.
As to why I would like to be able to use something simple like RDP: I really don't have the knowledge to set up or administer any of those VPN firewall things. I've looked at some, and all I get for it is a headache.
I wouldn't leave anything like that in service all the time either. I would only open the ports for it at my gateway router when the rare occasion comes that I'll actually need it.
 Raphion
join:2000-10-14 Samsara
| reply to SoonerAl Every step stumps me. Now I made accounts without spaces, and tried again, and PuTTY says "Network error: Software caused connection abort". This is why I say VPN or any other tunneling system is way over my head.
 YqE41k24 Premium join:2004-05-02 Tarrytown, NY
| reply to Anav This article describes one vulnerability to Windows Remote Desktop. It sounds real, but an attacker would have to be pretty determined to get anywhere with it.
»www.xatrix.org/article.php?s=1943
I don't think there's any practical problem with using RDP over a clear channel (unless you are worried about targeted corporate espionage...). But taken from a system perspective, why would you want to? A better system design is to use a VPN-capable firewall to protect you from snooping and your inner equipment from the internet. You could use straight RDP, but it's better to have a secure entrée into your LAN through one path instead of opening one-off paths with firewall rules for protocol-specific ports.
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to Raphion
said by Raphion:
    Well I'm trying CopSSH, but I can't activate my user account. I was able to activate administrator, but not an account that I actually use. It tells me the account does not exist, even though it just listed it. The account name in question has a space in it, does the space break this?

That is the problem...
»www.itefix.no/phpws/index.php?mo···MS[]=205 -- "When all else fails, read the instructions..."
 Raphion
join:2000-10-14 Samsara
| reply to SoonerAl Well I'm trying CopSSH, but I can't activate my user account. I was able to activate administrator, but not an account that I actually use. It tells me the account does not exist, even though it just listed it. 
The account name in question has a space in it, does the space break this?
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to Raphion Yes, you can change the listening port for RDP. See the section near the end of this page that has information about that...
»theillustratednetwork.mvps.org/R···ing.html
Personally I think you're better off running RDP through a VPN or Secure Shell (SSH) tunnel for added security. For a home user/SOHO user SSH is quite easy to set up and quite a bit safer than using the native RDP data link, IMHO...
»theillustratednetwork.mvps.org/S···SSH.html »theillustratednetwork.mvps.org/S···Key.html -- "When all else fails, read the instructions..."
 Raphion
join:2000-10-14 Samsara
| reply to Flaubert Is it possible to change the port used by RDP?
I'm going to want to try RDP from some insecure WiFi soon, as VPN seems way over my head. I plan to do all my online tasks from my home computer over RDP as a lazy man's workaround. I'd feel a bit more secure about it if I could change the port to something obscure so as to keep the hax0rz from trying the door as much.
Second question: how long would be long enough for a purely random mixed-case password?
  SoonerAl Old Enough To Know Better Premium,MVM join:2002-07-23 Norman, OK
| reply to Flaubert Re: The most secure way to use Windows Remote Desktop
Another reason I like using a SSH tunnel is that once the tunnel is connected I can grab files off of my PC without using Remote Desktop. Tunnelier and WinSCP, both free, offer that functionality...
»winscp.net/eng/index.php
Also, WebDrive allows mapping of drives through a SSH tunnel.
»www.webdrive.com/index.php?pg=./···ve/index
Unfortunately I have not been able to get it to work yet, but I will...:) -- "When all else fails, read the instructions..."
  funchords Hello Premium,MVM join:2001-03-11 Washington, DC
·Verizon Online DSL
·Skype
| reply to Flaubert I often enable RDP without requiring a tunnel. I have set the password policy (in gpedit.msc) to lock out an account after 3 failed password attempts.
So far, I haven't seen _any_ abuses in the log, but I know that's just a matter of time.
Worst possible thing I expect to happen is a DDoS on my account. But they're not getting in. -- Robb Topolski -= http://www.funchords.com/ =- Hillsboro, Oregon USA ... Did you wake up grouchy this morning or did you let her sleep in? ...
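The lockout policy funchords describes, and the denial-of-service trade-off he accepts with it, come down to three numbers: how many failures trigger the lock, how long the failure counter is remembered, and how long the lock lasts. The class below is an added example (not code from the thread) that models that policy as a small state machine so the trade-off is visible: three wrong guesses lock the account, and the owner's correct password is then refused until the lockout expires. It models the three values generically rather than reading gpedit settings or the Windows Security log; the logon events are constructed, and the default window and duration of 30 minutes are assumptions.

```python
"""Account-lockout policy as a state machine (threshold, counter-reset window,
lockout duration). Added example, not code from the thread or from Windows."""
from typing import Dict, List, Tuple

LogonAttempt = Tuple[float, str, bool]   # (seconds, account, password_correct)


class LockoutPolicy:
    def __init__(self, threshold: int = 3, reset_window: float = 30 * 60,
                 lockout_duration: float = 30 * 60) -> None:
        self.threshold = threshold                  # failures that trigger a lock
        self.reset_window = reset_window            # seconds a failure stays counted
        self.lockout_duration = lockout_duration    # seconds the lock lasts
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def attempt(self, account: str, password_ok: bool, now: float) -> str:
        """Return 'locked', 'ok' or 'fail' for one logon attempt."""
        if now < self._locked_until.get(account, 0.0):
            return "locked"                          # refused regardless of the password
        recent = [t for t in self._failures.get(account, []) if now - t < self.reset_window]
        if password_ok:
            self._failures[account] = []             # success resets the counter
            return "ok"
        recent.append(now)
        if len(recent) >= self.threshold:
            self._locked_until[account] = now + self.lockout_duration
            self._failures[account] = []
            return "locked"
        self._failures[account] = recent
        return "fail"


def replay(policy: LockoutPolicy, events: List[LogonAttempt]) -> List[str]:
    """Feed logon events through the policy in order and collect the outcomes."""
    return [policy.attempt(account, ok, t) for t, account, ok in events]


# Constructed events: three wrong guesses from elsewhere, then the owner twice.
SAMPLE_LOGONS: List[LogonAttempt] = [
    (0.0, "robb", False),
    (1.0, "robb", False),
    (2.0, "robb", False),     # third failure: account locks here
    (10.0, "robb", True),     # owner with the right password, still refused
    (1802.0, "robb", True),   # lockout has expired, normal logon
]


if __name__ == "__main__":
    print(replay(LockoutPolicy(), SAMPLE_LOGONS))
```

Two failures spaced further apart than the reset window never add up to a lock, which is what the counter-reset setting buys you; a shorter lockout duration shortens the window in which a third party can keep the owner out, at the cost of letting a guesser resume sooner.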