4. Server and Client Configurations
4.1. Server Configuration
First, make sure that your server is secure. Though traffic is encrypted as it travels over the Internet, it can still be sniffed by someone who has root access on the local machine and runs a program like ngrep against the local interface. For example, in conjunction with the dsniff program mentioned above, the following command would capture all traffic on the loopback interface: ngrep -d lo. Securing the server itself is, however, beyond the scope of this paper.
We'll use the POP (port 110), IMAP (port 143), SMTP (port 25), VNC (Virtual Network Computing, ports 5901 and up) and NTOP (default port 3000) services for this example. All traffic will be forwarded to each service's respective port on the remote host running the ssh server. Services on the remote host listen on all interfaces unless they bind to a specific interface by default or are manually configured to do so. To show how effective tunneling over ssh is, we will allow particular services to listen only on the local interface.
You don't have to change your current security configuration, however. We will use tcp_wrappers, which is installed by default with RedHat 7.0 (and previous versions), to control connections to the network services. In the /etc/hosts.deny file add the following line:
ALL : ALL
And in your /etc/hosts.allow file add the following lines:
sshd : ALL
in.ftpd : 127.0.0.1
ipop3d : 127.0.0.1
imapd : 127.0.0.1
This allows sshd (the ssh server) to accept connections from any IP address, while the other services accept connections only from the local interface. You can verify this right now by configuring a mail client to connect to your remote POP or IMAP server, or an ftp client to connect to your ftp server: the connection will be refused. You'll also need to set up user accounts that are permitted to use these services. (Note: the setup above is only useful if the services are meant for internal use and remote users need to reach them to send and receive email or transfer files. The services can also be left available for public use and still be encrypted with ssh and MindTerm.) If MindTerm will be used over the web to create tunnels or to use the secure copy GUI features, then a Java Runtime Environment (JRE) will need to be installed on the server running SSH as well.
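To check what the two files above actually permit before relying on them, here is an added evaluator (not code from the paper, and not the tcp_wrappers library itself) that applies the hosts.allow-then-hosts.deny decision order to a daemon name and client address; the 203.0.113.7 address and the in.telnetd daemon are constructed sample inputs.

```python
import re

# Added example, not from the paper: evaluates the tcp_wrappers decision
# order for the rule form used above (ALL wildcard, exact addresses and
# trailing-dot network prefixes only; the real library also handles
# hostnames, netmasks, EXCEPT lists and shell commands).
HOSTS_DENY = "ALL : ALL\n"
HOSTS_ALLOW = """\
sshd : ALL
in.ftpd : 127.0.0.1
ipop3d : 127.0.0.1
imapd : 127.0.0.1
"""

def parse_rules(text):
    """Return (daemon_tokens, client_tokens) pairs; comments, blank lines
    and an optional third 'shell command' field are ignored."""
    rules = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("#", 1)[0].split(":")]
        if len(fields) >= 2:
            rules.append(tuple(re.findall(r"[^\s,]+", f) for f in fields[:2]))
    return rules

def _token_matches(token, value, allow_prefix):
    if token == "ALL":
        return True
    if allow_prefix and token.endswith("."):   # network prefix, e.g. "10.1.2."
        return value.startswith(token)
    return token == value

def _rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(_token_matches(d, daemon, False) for d in daemons)
            and any(_token_matches(c, client, True) for c in clients))

def access_allowed(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """tcp_wrappers order: a hosts.allow match grants, else a hosts.deny
    match refuses, else the connection is granted."""
    if any(_rule_matches(r, daemon, client) for r in parse_rules(allow_text)):
        return True
    if any(_rule_matches(r, daemon, client) for r in parse_rules(deny_text)):
        return False
    return True

if __name__ == "__main__":
    for daemon, client in [("sshd", "203.0.113.7"), ("ipop3d", "203.0.113.7"),
                           ("ipop3d", "127.0.0.1"), ("in.telnetd", "127.0.0.1")]:
        state = "allowed" if access_allowed(daemon, client) else "denied"
        print(f"{daemon:<10} from {client:<12} -> {state}")
```

The last case shows why the ALL : ALL line in hosts.deny matters: a daemon not listed in hosts.allow is refused even from the loopback interface.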
4.2. Client Configuration
The only client configuration that is needed is to be sure that a JRE is installed for your platform. Windows and MacOS 8 and later already have a JRE installed; on Windows it is recommended to install Sun's JRE. IBM has a list of JRE ports to various platforms: http://www-105.ibm.com/developerworks/tools.nsf/dw/java-devkits-byname, as does Sun: http://java.sun.com/cgi-bin/java-ports.cgi. (You don't need the entire Java package with the debuggers and compilers; you just need the Java Virtual Machine to run Java applications.) Also, for the tutorial that follows, unzip the MindTerm archive (MindBright's or ISNetwork's implementation) into c:\mindterm on Windows.