This web site has been retired. Please follow my activities at pztrick.com.

pZtrick.com

the personal site of patrick paul

URPad.net VNC Quick-start


(Image: a remote Xubuntu desktop session via VNC)

I purchased a VPS (virtual private server) yesterday from URPad.net and chose to install their Ubuntu 10.04 x86 Minimal distribution. It was the most light-weight Ubuntu distribution that they offered (by my reckoning) and I prefer to install packages myself so that I know precisely what is installed.

Ubuntu server editions are distributed without any desktop display; everything must be performed at the command line. While I do love the terminal, I also love remote desktops. It was an easy decision to install a VNC server package – but it was a little difficult to finally get the SSH tunnel and firewall, the VNC server, and the desktop packages to play nice together.

(Image: SolusVM Panel @urpad.net)

Fortunately, I did figure it out after some trial-and-error (and OS re-installs via the SolusVM panel, pictured at left), and am now very pleased with my xubuntu-desktop and tightvncserver configuration. I took very good notes because it was the nature of the thing that I would re-install the guest OS and have to replicate all my settings all over again. Here are the notes:

Ubuntu 10.04 x86 Minimal

First, change your root password:

bash terminal
root@localhost:~# passwd
Enter new UNIX password: ********************
Retype new UNIX password: ********************
passwd: password updated successfully

Invent a new hostname:

/etc/hostname
limberry

/etc/hosts
127.0.0.1 localhost.node localhost
::1 limberry.node limberry

Add your Google DNS:

/etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4

Prevent superfluous recommended packages from cluttering your system:

/etc/apt/apt.conf
// Recommends are as of now still abused in many packages
APT::Install-Recommends "0";
APT::Install-Suggests "0";

Update & upgrade real quicklike:

bash terminal
root@localhost:~# apt-get update && apt-get upgrade

Add a new user:

bash terminal
root@localhost:~# adduser patrick
root@localhost:~# adduser patrick sudo        
      (the sudo group should already exist, else check /etc/sudoers)

Tighten up SSH a tad by changing the listening port and user access control

/etc/ssh/sshd_config
# change to something other than 22
Port 12345
Protocol 2
PermitRootLogin no
AllowUsers patrick

Install iptables if it isn’t already there

bash terminal
root@localhost:~# apt-get install iptables

Configure a basic firewall using iptables (but don’t restart it yet)
(alternatively, you can wait to install a GUI firewall like firestarter later)

bash terminal
root@localhost:~# iptables -F    (flushes any existing rules)
root@localhost:~# vim /etc/iptables.up.rules

/etc/iptables.up.rules
*filter

#  Allows all loopback (lo) traffic and drops all traffic to 127/8 that doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH connections
#
# THE --dport NUMBER IS THE SAME ONE YOU SET UP IN THE SSHD_CONFIG FILE
#
-A INPUT -p tcp -m state --state NEW --dport 12345 -j ACCEPT

# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

# log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT

bash terminal
root@localhost:~# iptables-restore < /etc/iptables.up.rules
      (this command loads the rules for the current session only)
root@localhost:~# iptables --list
      (next we ensure these rules are restored on every boot)
root@localhost:~# touch /etc/network/if-pre-up.d/iptables
root@localhost:~# chmod +x /etc/network/if-pre-up.d/iptables
root@localhost:~# vim /etc/network/if-pre-up.d/iptables
      (the following script will be loaded at boot and loads the new rules)

/etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/iptables.up.rules

You can also restrict the ssh daemon to specific remote IPs:

/etc/hosts.allow
sshd:12.34.56.78:allow
sshd:work-domain.com:allow
sshd:ALL:deny
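
Before the reboot that follows, it is worth confirming that the port in sshd_config is one the firewall file actually accepts, since a mismatch locks you out once both take effect. The script below is an added example, not part of the original notes; the function names and the constructed sample files are assumptions for illustration.

```bash
# Added example (not from the original notes): pre-reboot lock-out check.
# Assumption: rules use single-port "--dport N" matches as in the file above;
# multiport lists and port ranges are not handled.

# Print every "Port N" directive from an sshd_config; default 22 if none is set.
sshd_ports() {
    awk 'tolower($1) == "port" { print $2; n++ } END { if (!n) print 22 }' "$1"
}

# Print each TCP --dport that an INPUT rule ACCEPTs in an iptables-restore file.
accepted_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
             for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' "$1"
}

# Return 0 only if every sshd port has an ACCEPT rule. Args: sshd_config rules
check_ssh_reachable() {
    status=0
    for port in $(sshd_ports "$1"); do
        if accepted_tcp_ports "$2" | grep -qx "$port"; then
            echo "ok: sshd port $port is accepted in $2"
        else
            echo "LOCK-OUT RISK: sshd port $port has no ACCEPT rule in $2"
            status=1
        fi
    done
    return $status
}

# Constructed sample files in a temp dir (stand-ins for the real /etc files).
demo=$(mktemp -d)
printf 'Port 12345\nProtocol 2\nPermitRootLogin no\n' > "$demo/sshd_config"
printf '%s\n' '*filter' \
    '-A INPUT -p tcp --dport 80 -j ACCEPT' \
    '-A INPUT -p tcp -m state --state NEW --dport 12345 -j ACCEPT' \
    '-A INPUT -j REJECT' 'COMMIT' > "$demo/good.rules"
# Same rules, but the SSH rule was left on the old port 22.
sed 's/--dport 12345/--dport 22/' "$demo/good.rules" > "$demo/stale.rules"

check_ssh_reachable "$demo/sshd_config" "$demo/good.rules"
check_ssh_reachable "$demo/sshd_config" "$demo/stale.rules" ||
    echo "fix the rules file before rebooting"
```

On the server, run `check_ssh_reachable /etc/ssh/sshd_config /etc/iptables.up.rules` from the existing root session before rebooting.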

Reboot and reconnect as your sudoer:

bash terminal
root@localhost:~# reboot

Broadcast message from root@localhost
        (/dev/pts/0) at 22:46 ...

The system is going down for reboot NOW!

...

login as: patrick
patrick@XX.XX.XX.XX's password: ********************
Linux limberry 2.6.32 #1 SMP Sun Jun 24 20:25:35 MSD 2012 i686 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/
Last login: Wed Aug 15 22:33:20 2012 from c-12-34-45-78.abc1.de.comcast.net

patrick@limberry:~$

Install a light-weight desktop and VNC server that runs during SSH sessions

bash terminal
patrick@limberry:~$ sudo apt-get install xubuntu-desktop tightvncserver
      (go make some coffee and come back in a couple minutes)
      (an alternative desktop: gnome-core xserver-xorg gdm)
      (or just do the bloated: ubuntu-desktop)
patrick@limberry:~$ vncpasswd
      (must be less than 8 characters)
      (not too crucial since we will restrict VNC to localhost accessible via encrypted SSH tunneling)
patrick@limberry:~$ vim .bash_aliases && vim .bashrc && vim .bash_logout
      (and now we make it run automatically on SSH login)

>> .bash_aliases
# Start VNC server
alias svnc='vncserver -geometry 1024x768 -depth 16 :$UID -localhost '
# Kill VNC server
alias kvnc='vncserver -kill :$UID'

>> .bashrc
# Load VNC at user login to permit SSH tunneling the desktop
if [ -n "$SSH_CONNECTION" ]
then
  /usr/bin/vncserver -geometry 1024x768 -depth 16 :$UID -localhost > /dev/null 2>&1
  echo -e "\n\e[1;33m*** Remote VNC desktop available via SSH tunnel at localhost:$(expr 5900 + $UID)\e[00m\n"
fi
# End VNC

>> .bash_logout
# Kill VNC at user logout and hide the output
/usr/bin/vncserver -kill :$UID > /dev/null 2>&1
# End VNC

VNC remote usage:
ssh patrick@12.34.56.78 -p 12345 -L 6900:localhost:6900
vncviewer localhost:6900
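
The 6900 in the usage lines is 5900 plus a UID of 1000, and the setup depends on the VNC server listening on loopback only. The following added example (not part of the original notes) derives the tunnel command for any UID and classifies how the port is bound from `netstat -ltn` output; the function names and the netstat sample lines are constructed for illustration.

```bash
# Added example (not from the original notes).
# Display :N is served on TCP port 5900+N; the aliases above use N=$UID.
vnc_port() { echo $((5900 + $1)); }

# Build the ssh command that forwards the matching local port.
# Args: user host ssh_port uid
tunnel_cmd() {
    p=$(vnc_port "$4")
    echo "ssh $1@$2 -p $3 -L $p:localhost:$p"
}

# Read `netstat -ltn` output on stdin and classify how TCP port $1 is bound.
# Prints "loopback-only", "exposed <addr>..." or "not-listening".
vnc_binding() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            addr = $4
            n = match(addr, /:[0-9]+$/)      # split host:port at the last colon
            if (!n || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            seen = 1
            if (host != "127.0.0.1" && host != "::1") bad = bad " " addr
        }
        END {
            if (!seen) print "not-listening"
            else if (bad != "") print "exposed" bad
            else print "loopback-only"
        }'
}

# Constructed netstat samples: VNC started with -localhost, then without it.
sample_ok='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:6900          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN'
sample_bad='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:6900            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN'

tunnel_cmd patrick 12.34.56.78 12345 1000
printf '%s\n' "$sample_ok"  | vnc_binding "$(vnc_port 1000)"
printf '%s\n' "$sample_bad" | vnc_binding "$(vnc_port 1000)"
```

On the VPS itself, `netstat -ltn | vnc_binding "$(vnc_port $UID)"` should report `loopback-only` while the desktop session is running.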

Adjust your time zone if desired:

bash terminal
patrick@limberry:~$ sudo dpkg-reconfigure tzdata

Install default packages for the Xubuntu desktop:

  • midori light-weight browser
  • xarchiver light-weight archiver
  • mousepad light-weight notepad
  • ristretto light-weight image viewer
  • xfce4-taskmanager light-weight process / CPU / RAM viewer

Install any packages necessary for your particular application stack:

  • git distributed version control system (git-flow too!)
  • apache2 web server
  • mysql-server SQL server
  • python python-setuptools
  • et cetera

Additional suggested packages that may not be installed:

  • rsyslog system logging daemon

And finally, a pretty album of the whole VNC experience!


Revisions

  • 2012/8/17 – Updated VNC .bashrc to test for SSH_CONNECTION
  • 2012/8/17 – Updated VNC .bashrc to use $UID instead of ‘1’ literal to allow multiple users’ desktop sessions
  • 2012/9/20 – Added rsyslog to suggested packages
