vnc, port forwarding

Joined
Sep 29, 2009
Messages
70
Reaction score
0
Points
6
i just got a vnc to work locally on my macbook from an ubuntu netbook;
can control the desktop and access stuff fine;
i am wondering if i can access this from other networks?
what would i use as the ip, since i enter 192.168.1.x to get on the macbook from the same network;
would i use the wan ip and some type of port forwarding?
if so, my router asks for the name of a service, eg. AIM, telnet, http, ftp
ideally, i would like to access files on the macbook, but can i also route traffic through my home router to a proxy service or through the macbook via proxy service;
so i can browse anonymously (to a certain extent) from a netbook in, for example, a starbucks through my router at home
 
OP
B
Joined
Sep 29, 2009
Messages
70
Reaction score
0
Points
6
...

come on, has anyone ever set up a VPN at home,
and been able to access from different networks?
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
VNC is insecure - and if you use it over the internet - you'll want to encrypt it by port forwarding through ssh.
Set up a dynamic dns - there are a myriad of ways to do this but most routers support dyndns - then you don't have to worry about knowing the ip address.
DynDNS.com - Services -- Dynamic DNS Free (DDNS) Service

Set up SSH on ubuntu - search the web for securing ssh, ssh and iptables, and denyhosts. Also search for rsa public key - and don't allow password login. Do note that once you open port 22 you will get attacked so that is why these precautions are necessary.

Then port forward 22 to your ubuntu

You can then ssh tunnel to any port on your internal network. To do vnc the command would look like
ssh -L 5910:192.168.1.2:5900 ivanl@myregistereddomain.dyndns.org
Needs to be capital L - otherwise l means login
5910 is the local port you are forwarding to
192.168.1.2:5900 - the internal ipaddress and port you are forwarding
ivanl would be your login to your ubuntu box
myregistereddomain.dyndns.org is the name you registered with dynamic dns

This is just a high level overview but I'd not recommend doing any of this until you fully understand the security risks involved - which are many.

Opening and forwarding ports is very dangerous especially known ports like VNC, RDC, SSH, etc as there are script attacks setup for pretty much all known ports. SSH is pretty secure but again - search and understand the ways ssh can be attacked.
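
The hardening advice in the reply above (public-key login, no password login) can be checked mechanically. This is an added example, not part of the original post: a shell function that reads the global section of an sshd_config and reports whether password-style logins are still allowed. The function names, the sample configs and the list of checked keywords are assumptions of this example.

```shell
#!/bin/sh
# Added example: check the global section of an sshd_config for key-only login.

# effective_value FILE KEYWORD DEFAULT
# sshd takes the first occurrence of a keyword; keywords are case-insensitive.
# Lines after the first "Match" are ignored here (global section only).
effective_value() {
    awk -v key="$2" -v def="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/)
          k = tolower(f[1]) }
        k ~ /^#/ || k == "" { next }
        k == "match" { exit }
        # Older configs use the deprecated alias for keyboard-interactive auth.
        k == "challengeresponseauthentication" { k = "kbdinteractiveauthentication" }
        k == tolower(key) && !found { val = tolower(f[2]); found = 1 }
        END { print (found ? val : def) }
    ' "$1"
}

# audit_sshd FILE: print one line per weak setting; return 1 if any were found.
# Columns below: keyword, OpenSSH default when unset, value wanted.
audit_sshd() {
    cfg=$1
    weak=0
    while read -r key def want; do
        got=$(effective_value "$cfg" "$key" "$def")
        if [ "$got" != "$want" ]; then
            echo "WEAK: $key is '$got', want '$want'"
            weak=1
        fi
    done <<EOF
PasswordAuthentication yes no
KbdInteractiveAuthentication yes no
PubkeyAuthentication yes yes
EOF
    return "$weak"
}

# Constructed sample configs (not taken from the thread).
SAMPLES=$(mktemp -d)
printf '%s\n' '# default-ish config' 'Port 22' '#PasswordAuthentication yes' \
    'Match User backup' '  PasswordAuthentication no' > "$SAMPLES/weak"
printf '%s\n' 'passwordauthentication no' 'ChallengeResponseAuthentication no' \
    'PubkeyAuthentication yes' 'PasswordAuthentication yes' > "$SAMPLES/hardened"

for f in "$SAMPLES/weak" "$SAMPLES/hardened"; do
    echo "== $f"
    audit_sshd "$f" || true
done
```

On a real host, point audit_sshd at /etc/ssh/sshd_config; settings inside Match blocks and included files are not evaluated by this check.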
 
OP
B
Joined
Sep 29, 2009
Messages
70
Reaction score
0
Points
6
sweet

i am not quite sure of all the risks involved, but the data on the computers is well backed up and i wouldn't care if anyone stole it or i had to do a reinstall;
i think this is a good way of learning the risks involved though;

just to be clear, i am wanting to have my macbook at home (with an ext HD), i have a reserved address for it on the network (192.168.1.x) which otherwise is using DHCP;
i read some about setting up ssh, but don't i need to set it up on the macbook as well and forward to the port on this machine?
i thought i would need to forward to the machine at home?
or have i got it backwards?
thanks for the great post, i think with this info it is now just a matter of time before i can leave my mac out of harm's way and travel with a cheap netbook with free open source software

edit: btw i set up an account with no-ip.org, so they are providing a static ip that refers to my sometimes changing ip from provider? do i need to correspond any port forwarding to this service, or just to the macbook? or to the netbook (although i don't see how, unless i specify by MAC address, because the netbook would have different IP depending on where i was)
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
Sorry I misunderstood your setup.

Also let me say - I am very serious about network security. You might think why bother no one is going after me. As I said once you start opening ports to the internet there are scripts ready to attack. Your machines can be made zombies, your email could get hacked and get blacklisted, hence making that email useless. If there is any information available you could become a victim of identity theft - it doesn't take much data to take your identity, open credit cards, take loans in your name, etc. So you should care if someone gets into your network. Do you ever buy anything online? Do you ever bank online? Do you ever do taxes online? If the answer is ever yes then you should care. But I digress...

The high level view of what I described is this.
remote client <->(internet)<->ssh server <-> any port, any computer inside the network

I'll pirate an image from the web



That being said you can port forward the server's ports as well - which I do quite often. As long as the server has an ssh-server on it (which the mac does) you can set this up.

The no-ip setup is just so you can point to an easy to remember site name instead of an ip address. It serves the same function as the dyndns I suggested. So once it is pointing to your network there isn't anything you need to do for no-ip - it is a passthrough more or less. Just remember to have a script or something that updates the IP every now and then. The reason I use dyndns is most routers including mine have a built in setup for dyndns. So as an example I want to ssh to my machine. I registered imcool.noip.com - I port forward and open port 22 to my ssh server (in your case the mac). All I'd have to do is ssh imcool.noip.com and I am sshing to the mac. So on top of being able to port forward ssh to any machine internal of my network, I can also use ssh to copy, move, etc files to and from the ssh server. Cyberduck with sftp - can use scp.
Cyberduck | FTP, SFTP, WebDAV, Cloud Files & Amazon S3 Browser for Mac OS X | About
So again I just point cyberduck to imcool.noip.com - and it opens a window that lets me browse my ssh server.
 
OP
B
Joined
Sep 29, 2009
Messages
70
Reaction score
0
Points
6
pimp tight

i will do more research on the vulnerabilities of what i set up, but don't i need to type the admin password to do anything significant as of 10.5.8?
like to install a keylogger program, for example, on the macbook, even if they access the machine remotely, don't they need physical access or admin password to install any executable?
if it's a more complicated issue, i will be doing some long term reading, i got "the network self-teaching guide" which has commonly used protocols like ssh;
is there a specific resource you would point me towards?

thanks for the clear instructions
 
Joined
Feb 26, 2010
Messages
2,116
Reaction score
123
Points
63
Location
Rocky Mountain High, Colorado
Your Mac's Specs
1.8 GHz i7 MBA 11" OSX 10.8.2
Oh yeah Occam's razor - if all you really want to do is transfer files from your mac and control it remotely try team viewer
TeamViewer - Free Remote Access and Remote Desktop Sharing over the Internet
free for personal use. Has a built in file transfer and remote desktop viewing/sharing. Very easy and it is cross platform between mac and windows - now if you have linux that is an issue.
 
