« Previous 1 2 3 Next »
Remote maintenance and automation with RPort
Light at the End of the Tunnel
Tunnel Instead of VPN
The wish to access SSH port 22 or remote desktop port 3389 quickly and easily on a network with no direct connection is typically prevented by network address translation (NAT). But NAT is not a problem for RPort; thanks to its tunneling capabilities, any TCP port on the target system and neighboring systems can be accessed, and the tunnels are only active for as long as they are needed, which saves resources.
Select a client in the inventory on the left and click the Add Tunnel button. Depending on the operating system, an SSH or an RDP tunnel is preselected (Figure 1). The tunnel is protected with an IP address lock and your current public IP address is pre-filled. A click on Add Tunnel to set up the tunnel takes only a fraction of a second.
The tunnel ends on a random port on your RPort server. You can now connect to it by remote desktop protocol (RDP) or SSH (Figure 2). Alternatively, press the Launch Tunnel icon to open the default SSH or remote desktop program. The connection settings are pre-filled here, too. Now you can reach any server – even if it is behind a NAT router – without a VPN or jump host by SSH or RDP.
Each RPort client can also serve as a network bridge to other systems, which means you can reach servers on which RPort is not installed, as well as web configurations of printers or network-attached storage (NAS) systems. To do this, create a new tunnel and select Service Forwarding as the Service to access ; then, set the target port and a target address.
Executing Commands and Scripts
If you installed the client with the pairing code, you are allowed to run commands and scripts (Figure 3). As soon as you select a client on the left, you can expand the Commands
and Scripts
area on the right. The commands and scripts are transferred to the client and executed without further authentication. You can see the results in the browser. Commands are executed on Windows with cmd.exe
and on Linux with /bin/sh
. Along with the scripts, you also get access to PowerShell on Windows. If you use a script frequently, you can save it in the library.
Running commands and scripts is not limited to individual systems. In the top navigation bar, select Commands or Scripts , which lets you run commands on multiple systems in parallel.
If you have security concerns because the RPort server can take full control of all connected systems by executing commands, take a look at the remote-commands
and remote-scripts
sections in the client configuration file rport.conf
(Listing 1). As you can see, you can disable the execution of commands and scripts, and the server cannot override these restrictions. Also, you have the option of allowing only single commands or prohibiting specific commands. For example, you can allow only restarting of services and server reboots. However, note that the rules cannot be applied to scripts. You can only enable and disable scripts, and filtering their content is also impossible.
Listing 1
Command and Script Security
[remote-commands] ## Enable or disable execution of remote commands sent by server. ## Defaults: true #enabled = true ## Allow commands matching the following regular expressions. ## The filter is applied to the command sent. Full path must be used. ## See {order} parameter for more details how it's applied together with {deny} ## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*'] #allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*'] ## Deny commands matching one of the following regular expressions. ## The filter is applied to the command sent. Full path must be used. ## See {order} parameter for more details how it's applied together with {allow}. ## With the below default filter only single commands are allowed. ## Defaults: ['(\|||;|,|\n|&)'] #deny = ['(\|||;|,|\n|&)'] ## Order: ['allow','deny'] or ['deny','allow']. Order of which filter is applied first. ## Defaults: ['allow','deny'] ## ## order: ['allow','deny'] ## First, all allow directives are evaluated; at least one must match, ## or the command is rejected. [remote-scripts] enabled = true ## Enable or disable execution of remote scripts sent by server. ## Defaults: false #enabled = false
Enabling Two-Factor Authentication
If you allow script and command execution, it makes sense to protect the RPort server with two-factor authentication. In addition to a username and password, you will need to enter a one-time password when logging in. The password is sent to you by email or a push message. The installation script enables two-factor authentication by default. The tokens are sent by a free Internet service provided by the RPort developers. For some initial tests, this is very convenient, but for permanent operation, you might prefer to use your own SMTP server along with Pushover [3].
The server's configuration file in /etc/rport/rportd.conf
already contains examples of two-factor authentication. Either enter the access data for your SMTP server or specify your keys for the Pushover push message service. To supplement the examples in the configuration file, you will find more information [4] about setting up two-factor authentication in the RPort Knowledge Base.
« Previous 1 2 3 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.