How to bind vdrp service to 127.0.0.1?

[ziyou]

Since I use SSH port forwarding to secure the remote connection of vdrp and do authentication, I want remote desktop server runs on 127.0.0.1 instead of 0.0.0.0 by default. Is there any configuration file related to this parameter?

[mpack]

"127.0.0.1" means local host, i.e. local loopback. It can't be used to indicate remote anything.

[ziyou]

"127.0.0.1" means local host, i.e. local loopback. It can't be used to indicate remote anything.

If the service runs on loopback NIC of Host, then I can wrap the data with SSH tunnel to traverse the firewall. I do this for VNC server (use vncserver -localhost) and secure the VNC session through ssh portforwarding. In fact, I doubt the security of RD protocol, so I hope it runs on loopback, which would ease my anxiety about privacy.

[mpack]

A local loopback used inside the guest would cause the guest to address itself - exactly the same as any PC.

If the guest needs to address another PC, e.g. the host PC, then it needs to use the proper IP address.

[ziyou]

Sorry, I cannot understand your point. I know that my remote display service is running on the port 3389 of a linux host machine (say 200.1.1.2). I use another windows machine (say 199.2.2.2) and visit the 200.1.1.2:3389, then I can login the guest machine. This works because the linux host is listening 0.0.0.0:3389

However, anyone (say 201.2.2.2) can also login my guest machine, which is dangerous. I hope the remote display service can only listen 127.0.0.1:3389. Then I can login guest machine by visiting 127.0.0.1:3389 on host machine or visit 127.0.0.1:3389 via ssh remotely.

Now I must use iptable to block the specific port from WAN.

[BillG]

I cannot understand your point either, but that is fine because it does not matter. What does matter is that it has nothing whatever to do with VirtualBox. If you have some odd way of fooling the network protocols that is fine, but it would make no difference whatever if the machines were all physical, all virtual or a mixture of both. It is purely a networking matter.

[ziyou]

Here are programs listening on all network interfaces:

Code: Select all

xxx@XXX:/tmp# netstat -nplt
Active Internet connections (only servers)
Proto Recv-Q Send-Q  Local Address          Foreign Address    State     PID/Program name 
tcp        0      0  0.0.0.0:22             0.0.0.0:*          LISTEN    1238/sshd
tcp        0      0  0.0.0.0:3389           0.0.0.0:*          LISTEN    20178/VirtualBox    

To the best of my knowledge, VirtualBox will listen on all network interfaces by default. Since I do not want expose any port other than 22 to external network, can you or anybody else change it to loopback interface?

Code: Select all

Fake # netstat -nplt
Proto Recv-Q Send-Q  Local Address          Foreign Address    State     PID/Program name 
tcp        0      0  0.0.0.0:22             0.0.0.0:*          LISTEN    1238/sshd
tcp        0      0  127.0.0.1:3389         0.0.0.0:*          LISTEN    20178/VirtualBox

[C. M. Stephan]

Sorry I don't have uri post permissions yet.. but if you go to the manual on the virtualbox website in ch08 under vboxmanage-modifyvm-vrde:

You can use the --vrdeport and --vrdeaddress options to specify the binding information for the VRDE rdp/vnc server to listen on. So for your usecase:

Code: Select all

$ VBoxManage startvm $VM --type headless --vrde on --vrdeaddress 127.0.0.1 --vrdeport 3389