Remote maintenance and automation with RPort

Light at the End of the Tunnel

Tunnel Instead of VPN

The wish to access SSH port 22 or remote desktop port 3389 quickly and easily on a network with no direct connection is typically prevented by network address translation (NAT). But NAT is not a problem for RPort; thanks to its tunneling capabilities, any TCP port on the target system and neighboring systems can be accessed, and the tunnels are only active for as long as they are needed, which saves resources.

Select a client in the inventory on the left and click the Add Tunnel button. Depending on the operating system, an SSH or an RDP tunnel is preselected (Figure 1). The tunnel is protected with an IP address lock and your current public IP address is pre-filled. A click on Add Tunnel to set up the tunnel takes only a fraction of a second.

Figure 1: With the RPort dashboard in the background, the software shows an SSH connection through an RPort tunnel.

The tunnel ends on a random port on your RPort server. You can now connect to it by remote desktop protocol (RDP) or SSH (Figure 2). Alternatively, press the Launch Tunnel icon to open the default SSH or remote desktop program. The connection settings are pre-filled here, too. Now you can reach any server – even if it is behind a NAT router – without a VPN or jump host by SSH or RDP.

Figure 2: If a remote desktop connection through an RPort tunnel is active, access to your remote systems is working.

Each RPort client can also serve as a network bridge to other systems, which means you can reach servers on which RPort is not installed, as well as web configurations of printers or network-attached storage (NAS) systems. To do this, create a new tunnel and select Service Forwarding as the Service to access; then, set the target port and a target address.

Executing Commands and Scripts

If you installed the client with the pairing code, you are allowed to run commands and scripts (Figure 3). As soon as you select a client on the left, you can expand the Commands and Scripts area on the right. The commands and scripts are transferred to the client and executed without further authentication. You can see the results in the browser. Commands are executed on Windows with cmd.exe and on Linux with /bin/sh. Along with the scripts, you also get access to PowerShell on Windows. If you use a script frequently, you can save it in the library.

Figure 3: The RPort server generates pairing codes for quick client installation.

Running commands and scripts is not limited to individual systems. In the top navigation bar, select Commands or Scripts, which lets you run commands on multiple systems in parallel.

If you have security concerns because the RPort server can take full control of all connected systems by executing commands, take a look at the remote-commands and remote-scripts sections in the client configuration file rport.conf (Listing 1). As you can see, you can disable the execution of commands and scripts, and the server cannot override these restrictions. Also, you have the option of allowing only single commands or prohibiting specific commands. For example, you can allow only restarting of services and server reboots. However, note that the rules cannot be applied to scripts. You can only enable and disable scripts, and filtering their content is also impossible.

Listing 1: Command and Script Security

[remote-commands]
## Enable or disable execution of remote commands sent by server.
## Defaults: true
#enabled = true
## Allow commands matching the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {deny}
## Defaults: ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
#allow = ['^/usr/bin/.*','^/usr/local/bin/.*','^C:\\Windows\\System32\\.*']
## Deny commands matching one of the following regular expressions.
## The filter is applied to the command sent. Full path must be used.
## See {order} parameter for more details how it's applied together with {allow}.
## With the below default filter only single commands are allowed.
## Defaults: ['(\|||;|,|\n|&)']
#deny = ['(\|||;|,|\n|&)']
## Order: ['allow','deny'] or ['deny','allow']. Order of which filter is applied first.
## Defaults: ['allow','deny']
##
## order: ['allow','deny']
## First, all allow directives are evaluated; at least one must match,
## or the command is rejected.
[remote-scripts]
enabled = true
## Enable or disable execution of remote scripts sent by server.
## Defaults: false
#enabled = false
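To see how the allow/deny filter from Listing 1 treats the commands a server sends, here is an added Python model of the evaluation order the listing describes (allow first, then deny). It is not RPort code: the allow patterns are the listing's defaults, while the deny pattern and the tighter "restarts and reboots only" allow list are the author's own assumptions.

```python
import re

# Allow patterns copied from the defaults in Listing 1 (TOML literal strings,
# so the backslashes reach the regex engine unchanged).
DEFAULT_ALLOW = [r'^/usr/bin/.*', r'^/usr/local/bin/.*', r'^C:\\Windows\\System32\\.*']

# Deny pattern: an assumption, written as a character class covering the same
# command separators the listing's default targets (pipe, semicolon, comma,
# newline, ampersand), so that only a single command survives the filter.
DEFAULT_DENY = [r'[|;,&\n]']

# Tighter allow list for the "only service restarts and reboots" policy the
# article mentions; the exact patterns are an assumption, not RPort defaults.
RESTRICTIVE_ALLOW = [r'^/usr/bin/systemctl restart [A-Za-z0-9@._-]+$', r'^/usr/sbin/reboot$']


def command_allowed(command, allow=DEFAULT_ALLOW, deny=DEFAULT_DENY):
    """Evaluate order ['allow','deny'] as described in Listing 1.

    At least one allow pattern must match the command as sent (full path),
    otherwise it is rejected; after that, any matching deny pattern rejects it.
    Returns (accepted, reason).
    """
    if not any(re.search(p, command) for p in allow):
        return False, "no allow pattern matched (full path required)"
    for pattern in deny:
        if re.search(pattern, command):
            return False, f"deny pattern {pattern!r} matched"
    return True, "accepted"


# Constructed sample commands, as a server might send them to a client.
SAMPLES = [
    "/usr/bin/systemctl restart nginx",                    # full path, single command
    "systemctl restart nginx",                             # rejected: no full path
    "/usr/bin/ps aux | /usr/bin/grep rport",               # rejected: pipe
    "/usr/bin/systemctl restart nginx; /usr/sbin/reboot",  # rejected: semicolon
    r"C:\Windows\System32\shutdown.exe /r /t 0",           # Windows default allow
    "/usr/bin/sh -c 'id'",  # any binary below /usr/bin passes the default list
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        for label, allow in (("default", DEFAULT_ALLOW), ("restrictive", RESTRICTIVE_ALLOW)):
            ok, why = command_allowed(cmd, allow)
            print(f"[{label:11}] {'ALLOW' if ok else 'DENY '} {cmd!r}: {why}")
```

The last sample shows why the default allow list is only a coarse guard: a shell interpreter under /usr/bin passes it, and only the narrower allow list rejects it.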

Enabling Two-Factor Authentication

If you allow script and command execution, it makes sense to protect the RPort server with two-factor authentication. In addition to a username and password, you will need to enter a one-time password when logging in. The password is sent to you by email or a push message. The installation script enables two-factor authentication by default. The tokens are sent by a free Internet service provided by the RPort developers. For some initial tests, this is very convenient, but for permanent operation, you might prefer to use your own SMTP server along with Pushover [3].

The server's configuration file in /etc/rport/rportd.conf already contains examples of two-factor authentication. Either enter the access data for your SMTP server or specify your keys for the Pushover push message service. To supplement the examples in the configuration file, you will find more information [4] about setting up two-factor authentication in the RPort Knowledge Base.
