5. Creating the tunnels

MindTerm can be started in a few ways. If you have the JRE installed you can double-click on the mindtermfull.jar application file. Another way is to open a DOS shell and type one of the following commands:

jview -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm

or

javaw -cp  c:\mindterm\mindtermfull.jar mindbright.application.MindTerm

or

java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm

(jview is used if you are running Windows and did not download the JRE. javaw comes with the Windows JRE download and is used so that no DOS shell window is needed to run MindTerm, leaving one less window open.)

MindTerm 2.0 is now available. The argument to start it has changed slightly. Instead of the command above:

java -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm

this will start MindTerm from the commandline:

java -cp c:\mindterm\mindtermfull.jar com.mindbright.application.MindTerm

Only the "com." prefix was added to the class name.

This will start the MindTerm program. Type the server name when prompted and it will ask you to "Save as Alias". You can type a short server name so that the next time you start the applet you can simply type the alias you created. You will then be prompted for your login name. After you type it, hit enter and a dialog box will appear informing you that the host doesn't exist and asking whether to create it. Click Yes. Another dialog will appear asking whether you want to add that host to your known_host file. Click Yes. Then you are prompted for your password. Type your password and hit enter. If you supplied the proper username and password you should be at a command line on the server you specified.

We'll create a tunnel to the POP and SMTP server, first. After you have successfully logged in (and optionally enabled vlock) click on Tunnels on the menu and then click Basic. A dialog box will appear. Add the following settings to each box, respectively:

Now click Add. A dialog box should appear stating "The tunnel is now open and operational". (Note: if you select a local port that is already in use, an error message will appear stating "Could not open tunnel. Error creating tunnel. Error setting up local forward on port XXXX, Address in use.") Click OK and the tunnel configuration should appear in the box. Click Close Dialog. Open up your email client's options or preferences menu. We'll use Netscape Messenger for this example.

  1. Open up Netscape

  2. Click on Edit -> Preferences.

  3. In the left column click on Mail & Newsgroups, if its contents aren't already displayed.

  4. Click on Identity and type your information in each box.

  5. Click on Mail Servers in the left column. The default install of Netscape has "mail" in the box underneath Incoming mail servers.

  6. Click on mail.

  7. Click Edit to the right of that box and a dialog box should appear.

  8. If POP is not already selected in that drop down box, select it now.

  9. In the Server Name box type localhost:2010 (remember we chose that local port in the MindTerm tunnel creation menu to forward to the remote server's POP (110) port) and then your username. Set any other options as you see fit.

  10. Click OK.

  11. In the box Outgoing mail (SMTP) server type your smtp server name and underneath that type your Outgoing mail server user name.

  12. Click OK. (Don't do anything to the Use Secure Socket Layer (SSL) or TLS for outgoing messages option).

  13. Now click on Communicator on the menu.

  14. Click Messenger.

  15. You should then be prompted for your password. Type your password and hit enter. If you have mail you should now be able to read it.

As long as you have a MindTerm ssh session open, this should work with most email clients. Remember that the remote server name or POP server name will be "localhost:" with the local port you chose. If you are asked for the POP server and port separately then enter them accordingly. Any connection to the local port 2010, in this example, will be forwarded to the remote host's port 110. If you configured an ftp client to connect to localhost port 2010 right now, it wouldn't work. Why? The POP server at the other end of the tunnel doesn't understand the ftp protocol. Only POP clients can be pointed at localhost port 2010 for the tunnel to be effective. A POP server isn't much good without an smtp server. If you have a mail program like Postfix (www.postfix.net), Qmail (www.qmail.org), or Sendmail (www.sendmail.org) then a secure tunnel can be created to it as well.
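To see concretely what a tunnel hands you, here is an added check (example code written for this page, not part of the HOWTO or of MindTerm) that connects to a local tunnel endpoint, reads the daemon's greeting and confirms it belongs to the protocol you expect: "+OK" for POP, "220" for SMTP and FTP, "* OK" for IMAP. Pointing it at a POP tunnel as if it were FTP fails for exactly the reason given above. So that it runs offline, the block also contains a constructed loopback stand-in for the far-end daemon and a constructed banner; against a real tunnel you would pass 127.0.0.1 and the local port you chose, such as 2010.

```python
import socket
import threading
from typing import Dict, Tuple

# Greeting each protocol sends as soon as you connect (RFC 1939 POP3,
# RFC 5321 SMTP, RFC 959 FTP, RFC 3501 IMAP).
GREETINGS = {
    "pop3": ("+OK",),
    "smtp": ("220",),
    "ftp": ("220",),
    "imap": ("* OK", "* PREAUTH"),
}


def read_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect to host:port and return the server's opening line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return sock.recv(512).decode("ascii", "replace").strip()


def check_tunnel(host: str, port: int, expected: str) -> Tuple[bool, str]:
    """Report whether the daemon behind host:port greets like `expected`.

    A forward only carries bytes; the daemon at the far end fixes the
    protocol, so a POP tunnel answers "+OK" whatever client you point at it.
    """
    try:
        banner = read_banner(host, port)
    except ConnectionRefusedError:
        return False, "connection refused: is the tunnel open?"
    except socket.timeout:
        return False, "no greeting received: is this really a text-banner service?"
    return banner.startswith(GREETINGS[expected]), banner


def serve_banner_once(banner: bytes) -> int:
    """Loopback stand-in for the daemon at the far end of a tunnel.

    Sends `banner` to the first client and exits; returns its ephemeral port.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run() -> None:
        conn, _ = srv.accept()
        with conn, srv:
            conn.sendall(banner)

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """Pick a loopback port nothing listens on (simulates a tunnel that is not open)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check against constructed endpoints; all traffic stays on loopback."""
    pop_banner = b"+OK POP3 server ready\r\n"  # constructed, not a real server
    results = {}
    results["pop_as_pop3"] = check_tunnel("127.0.0.1", serve_banner_once(pop_banner), "pop3")
    results["pop_as_ftp"] = check_tunnel("127.0.0.1", serve_banner_once(pop_banner), "ftp")
    results["closed"] = check_tunnel("127.0.0.1", unused_port(), "pop3")
    return results


if __name__ == "__main__":
    for label, (ok, detail) in demo().items():
        print(f"{label:12} {'ok' if ok else 'MISMATCH'}: {detail}")
```

The "closed" case is what you see when MindTerm was started without the tunnel: the connection is refused on the local port, which is a quicker diagnosis than waiting for a mail client to time out.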

With the MindTerm client still running click on Tunnels again then Basic and add these settings.

Click Add. Then click OK on the confirmation menu. Now smtp should be added to the list underneath the settings for POP. In the Netscape Messenger mail server settings add localhost:2025 as your Outgoing mail (SMTP) server. All email you send to the remote host will be encrypted. However, if you send mail to someone outside of the remote host's mail server, your email will be encrypted only from your local machine to your remote smtp server. The hop from the remote smtp server to any other host will not be encrypted, unless you've configured a tunnel to the other hosts.

To enable encrypted ftp sessions add these settings to a new tunnel.

Click Add. Then click OK on the confirmation menu. Now ftp (see the leech ftp example and the wsftp picture 1 and picture 2) should be added to the list underneath the settings for SMTP.

Imap settings:

Click Add. Then click OK on the confirmation menu. Now imap should be added to the list underneath the settings for ftp.

All these settings can be automated in a batch file. Simply add the following to a startup script to automatically create a tunnel to your pop server after authentication:

jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
 -server -local0 2010:localhost:110

Here is an example based on what we've done above. Add the following to a file in an editor:

jview (or java or javaw) -cp c:\mindterm\mindtermfull.jar mindbright.application.MindTerm
 -server -local0 2010:localhost:110 -local1 2025:localhost:25 -local2 /ftp/2021:localhost:21
-local3 2043:localhost:143

Now save it with a .bat extension and double-click on it. When MindTerm starts up you should be prompted for your login name; type it, then type your password. After you are authenticated click on the Tunnels menu and click Basic. You should see the tunnels in the box that opens up. This is an easy way to let remote users start up the tunnels without much configuration on their part. They only need to click the .bat file, type their username and password and optionally run vlock. Their client software can be pre-configured with remote profiles that connect to the tunnels automatically.
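The batch-file approach can be checked before MindTerm is even launched. The following added example (written for this page, not taken from the HOWTO or from MindTerm) builds the start-up line from a list of tunnels in the page's -localN notation, refuses duplicate local ports, and probes each local port so the "Address in use" failure described earlier is caught up front rather than in a dialog box. It assumes that -server takes the ssh server's hostname as its next argument, which the page's own command line elides; the server name and the .jar path are placeholders you would replace.

```python
import socket
import subprocess
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Tunnel:
    """One MindTerm local forward, as the -localN value spells it."""
    local_port: int        # port MindTerm listens on, on your machine
    remote_host: str       # target as seen from the ssh server; "localhost" is the server itself
    remote_port: int       # service port on that target
    plugin: str = ""       # optional protocol plugin, e.g. "ftp" for the page's /ftp/ prefix

    def spec(self) -> str:
        prefix = f"/{self.plugin}/" if self.plugin else ""
        return f"{prefix}{self.local_port}:{self.remote_host}:{self.remote_port}"


def local_port_free(port: int, host: str = "127.0.0.1") -> bool:
    """True if nothing on this machine currently holds host:port.

    This is the condition MindTerm reports as "Address in use" when the
    tunnel is added by hand.
    """
    with socket.socket() as probe:
        try:
            probe.bind((host, port))
        except OSError:
            return False
    return True


def build_command(
    server: str,
    tunnels: List[Tunnel],
    launcher: str = "javaw",
    jar: str = r"c:\mindterm\mindtermfull.jar",
    main_class: str = "mindbright.application.MindTerm",
    probe: Callable[[int], bool] = local_port_free,
) -> Tuple[List[str], List[str]]:
    """Return (argument list, problems) for a MindTerm start-up line.

    Assumption: -server takes the ssh server's hostname as the next
    argument (the HOWTO's own example leaves that value out).
    """
    problems: List[str] = []
    seen = set()
    for t in tunnels:
        if t.local_port in seen:
            problems.append(f"duplicate local port {t.local_port}")
            continue
        seen.add(t.local_port)
        if not probe(t.local_port):
            problems.append(f"local port {t.local_port} already in use")
    args = [launcher, "-cp", jar, main_class, "-server", server]
    for i, t in enumerate(tunnels):
        args += [f"-local{i}", t.spec()]
    return args, problems


def batch_line(args: List[str]) -> str:
    """Quote the argument list the way a .bat file needs it."""
    return subprocess.list2cmdline(args)


def demo_port_probe() -> Tuple[bool, bool]:
    """Hold a loopback port, probe it, release it, probe again."""
    held = socket.socket()
    held.bind(("127.0.0.1", 0))
    port = held.getsockname()[1]
    while_held = local_port_free(port)
    held.close()
    return while_held, local_port_free(port)


# The four tunnels from the HOWTO's batch file.
HOWTO_TUNNELS = [
    Tunnel(2010, "localhost", 110),          # POP3
    Tunnel(2025, "localhost", 25),           # SMTP
    Tunnel(2021, "localhost", 21, "ftp"),    # FTP through MindTerm's ftp plugin
    Tunnel(2043, "localhost", 143),          # IMAP
]

if __name__ == "__main__":
    # "ssh.example.invalid" is a constructed placeholder for your server.
    cmd, issues = build_command("ssh.example.invalid", HOWTO_TUNNELS)
    for issue in issues:
        print("warning:", issue)
    print(batch_line(cmd))
```

Run it on the machine that will execute the .bat file, since the port probe only tells you about that machine; a warning means either a leftover MindTerm session or another program already owns the local port.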

When you are finished using MindTerm, be sure to close all applications that are using a tunnel. If you forget to close the programs using the tunnels, MindTerm will display a message when you attempt to exit from the console or quit the program.

What about VNC and NTOP? These services work the same way. Here the VNC server was running on a RedHat 7.0 workstation. When you start the VNC server, the first instance listens on port 5901 and each further instance takes the next port, so the second VNC server listens on port 5902, the third on 5903, etc. On Linux you can run multiple VNC servers and people can connect to each of them. In MindTerm you can simply add a VNC tunnel with the following settings:

Click Add. Then click OK on the confirmation menu.

Run the vncviewer application on your local machine and type localhost:2001, then the password for the VNC desktop when prompted, and you have an encrypted VNC session.

Ntop works the same way. If you want to run ntop in web mode as a network monitor, you can tunnel connections to your local machine and view the stats in your local browser without having to install a webserver or open port 3000 on your remote server. By default, ntop in web mode listens on port 3000 and waits for an http connection to display network stats. Simply create a tunnel to the server running the ssh server and ntop. First run ntop in web mode with the command ntop -d -w 3000 and then add the settings to the MindTerm tunnel:

Click Add. Then click OK on the confirmation menu.

Open up your web browser and in the location bar type http://localhost:2080. You should now see the network stats page for ntop (see the ntop man pages to add password-protected access to the ntop display).

Similarly, if you want to install a web server so you can use web-based applications to control your server or firewall, just create a tunnel to port 80. You don't have to open up a port on the public interface: bind the webserver to the local interface and create a tunnel to the remote host's port 80. For Apache, edit the httpd.conf file and change the BindAddress * option to BindAddress 127.0.0.1. Then set the ServerName directive to localhost: ServerName localhost. Finally, change the Listen directive to Listen 127.0.0.1:80.

As you can see by now, MindTerm can secure almost any TCP service. It can be used on a remote server to run Webmin, an excellent web application for administering your servers. Webmin comes with its own perl-based webserver and listens on port 10000 by default. Simply create a tunnel to it using MindTerm and it should work without any changes to the Webmin application or your local web browser. The MindTerm download zip file contains many useful examples, such as using it from the command line and an explanation of all the menu options. MindTerm has more features than outlined in this tutorial, but the tunnel option is well worth spending time on.
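The Apache change above is easy to get half right, for instance moving BindAddress to loopback but leaving a plain Listen 80 in place, which still binds every interface. This added example (written for this page, not from the HOWTO or from Apache) audits an httpd.conf excerpt for Listen and BindAddress lines that expose the server beyond loopback and emits the loopback-only rewrite the text describes, ServerName localhost included. The sample configuration is constructed.

```python
import re
from typing import List

# Addresses that keep a service reachable only from the machine itself.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}
# Spellings that mean "every interface", which a tunnel set-up is meant to avoid.
WILDCARD = {"*", "0.0.0.0", "[::]"}

# "Listen 80", "Listen 127.0.0.1:80", "Listen [::1]:80", "Listen *:80"
_LISTEN = re.compile(r"^\s*Listen\s+(?:(\[[^\]]+\]|[^\s:]+):)?(\d+)\s*$", re.I)
_BIND = re.compile(r"^\s*BindAddress\s+(\S+)\s*$", re.I)
_SERVERNAME = re.compile(r"^\s*ServerName\s+\S+\s*$", re.I)


def _code(line: str) -> str:
    """Drop a trailing # comment so commented-out directives are ignored."""
    return line.split("#", 1)[0]


def audit_bind(conf: str) -> List[str]:
    """List every Listen/BindAddress line that exposes httpd beyond loopback."""
    findings: List[str] = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = _LISTEN.match(_code(line))
        if m:
            addr, port = m.group(1), m.group(2)
            if addr is None or addr in WILDCARD:
                findings.append(
                    f"line {n}: 'Listen {port}' binds every interface; use 'Listen 127.0.0.1:{port}'"
                    if addr is None else
                    f"line {n}: 'Listen {addr}:{port}' binds every interface; use 'Listen 127.0.0.1:{port}'"
                )
            elif addr not in LOOPBACK:
                findings.append(f"line {n}: 'Listen {addr}:{port}' is reachable from the network")
            continue
        m = _BIND.match(_code(line))
        if m and m.group(1) not in LOOPBACK:
            findings.append(
                f"line {n}: 'BindAddress {m.group(1)}' binds every interface; use 'BindAddress 127.0.0.1'"
            )
    return findings


def harden(conf: str) -> str:
    """Rewrite the excerpt as the HOWTO describes: loopback-only binds and
    ServerName localhost. Lines already bound to loopback are left alone."""
    out: List[str] = []
    for line in conf.splitlines():
        m = _LISTEN.match(_code(line))
        if m and m.group(1) not in LOOPBACK:
            out.append(f"Listen 127.0.0.1:{m.group(2)}")
            continue
        m = _BIND.match(_code(line))
        if m and m.group(1) not in LOOPBACK:
            out.append("BindAddress 127.0.0.1")
            continue
        if _SERVERNAME.match(_code(line)):
            out.append("ServerName localhost")
            continue
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed excerpt of an Apache 1.3 style httpd.conf; not taken from the HOWTO.
SAMPLE_CONF = """\
# constructed sample, before the change described in the text
ServerName www.example.invalid
BindAddress *
Listen 80
# Listen 0.0.0.0:80
"""

if __name__ == "__main__":
    for finding in audit_bind(SAMPLE_CONF):
        print(finding)
    print("--- hardened ---")
    print(harden(SAMPLE_CONF), end="")
```

After the rewrite the only way to reach the web server is through a tunnel such as the 2080 forward used for ntop above; run audit_bind again on the saved file to confirm nothing else still binds the public interface.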