Remote desktop access is a must-have for many Linux users. It lets us work on our Linux machines from anywhere in the world.
But security is crucial when connecting to machines over the internet. Obviously – we don’t want hackers getting into our systems.
Linux has several remote desktop options that are both easy to use and robust. Popular choices include VNC, RDP and ThinLinc.
When it comes to remote desktop, there’s always a server and a client machine. In this article we’ll focus on securing the server part of the equation – by looking into the best tools and practices for setting up a secure remote desktop access on linux.
Setting up secure remote desktop tools on Linux
Remote desktop access on Linux requires careful setup to ensure security and functionality. We’ll explore key protocols, installation steps, and configuration options to help you establish a safe remote connection.
Choosing the right remote desktop protocol
It all starts with choosing the right protocol for your use case.
Popular options include:
- VNC (Virtual Network Computing): Versatile and widely supported
- RDP (Remote Desktop Protocol): Common for Windows, but also usable on Linux
- X11: A native Linux protocol that offers good performance but can be complex to set up and is not very secure.
- ThinLinc: A secure, user-friendly remote desktop experience.
VNC offers flexibility and broad compatibility. It’s often the go-to choice for Linux remote desktop setups.
RDP can work well if you need to connect to both Windows and Linux machines. It may however require additional setup on Linux systems.
SSH is highly secure but it is text-based. It can be used to tunnel graphical connections for that added protection. SSH is often used in conjunction with VNC.
A newer addition – ThinLinc – is a powerful solution that combines the benefits of VNC with enhanced security features. It has VNC + SSH built in – also allowing multiple users to access the same Linux environment securely. This makes it an excellent choice for organizations looking to provide remote access to their machines, without compromising on security.
Comparing RDP, VNC, X11 and ThinLinc
Protocol | Security | Performance | Ease of Setup |
RDP | Moderate | Good | Moderate |
VNC | Low | Moderate | Easy |
X11 | Low | Moderate | Complex |
ThinLinc | High | Excellent | Moderate |
Installing and configuring a VNC server
Please note: In order to use a remote desktop server like tigerVNC, you first need to have a desktop environment or a window manager – like Xfce – installed on your Linux machine.
To set up VNC on Linux (for Debian-based distributions), follow these steps:
1. Install a VNC server package like TigerVNC:
sudo apt install tigervnc-standalone-server
2. Set a VNC password:
vncpasswd
3. Create a startup script for the VNC server.
4. Configure your desktop environment to work with VNC.
5. Start the VNC server:
vncserver :1
After that, remember to open the necessary ports on your firewall. VNC typically uses port 5901 for the first display.
Establishing a secure SSH Tunnel for your VNC connection
An SSH tunnel enhances VNC security. To create one, do the following:
1. On your local machine, create an SSH tunnel:
ssh -L 5901:localhost:5901 user@remote_host
2. Connect to VNC through the tunnel using localhost:5901.
This method encrypts your VNC traffic, protecting it from potential eavesdropping.
However, you still need to take care of other security precautions – like setting up proper firewall settings.
Installing ThinLinc – a more secure VNC+SSH powered option
ThinLinc offers a comprehensive Linux remote desktop solution. It uses TigerVNC for display, has SSH built-in and adds extra features like:
- Centralized management, intuitive and efficient administration interfaces
- Load balancing and redundancy to scale efficiently, supporting several thousand users
- Various authentication methods, including OTP, Kerberos, and Smart Cards
- Built-in audio support for both input and output
Before proceeding with ThinLinc installation:
Make sure you have installed a desktop environment, such as Xfce, LXDE, MATE or similar. Please refer to your distributions documentation for how to install these.
To install ThinLinc, follow these steps:
This guide is for version 4.17.0 of ThinLinc. You can find the latest version of the ThinLinc server here.
1. Download the server installer from the Cendio website.
2. Unpack the downloaded ZIP file by right-clicking and selecting “Extract…”. You can also unpack it from a command prompt:
unzip tl-4.17.0-server.zip
3. You can start the graphical installation of ThinLinc by double-clicking on “install-server”. You can also start the installation from a command prompt:
cd tl-4.17.0-server ./install-server
4. Follow the setup wizard to configure your server.
5. To connect to your ThinLinc server, you first need to download a client for your platform. Read more about connecting to your instance from the Quick start guide.
Note about user management: A ThinLinc user is a standard POSIX user – so that means ThinLinc uses exactly the same user accounts as the underlying Linux server on which it is installed. So in order to create a ThinLinc user, you simply use the same tools as you would for a Linux system user.
When running ThinLinc in a cluster configuration, a centralised authentication mechanism such as LDAP or Active Directory is normally used.
We recommend exploring different options to find the best fit for your specific needs and security requirements.
Best practices for maintaining security and performance
Implementing up-to-date security measures is a crucial step for secure remote desktop access on Linux.
Here are some recommended strategies to make your remote desktop experience more enjoyable and secure.
Securing connections with encryption and firewalls
Protecting your remote desktop connections is essential. Follow these best practices:
- Always use encryption – whether it be via SSH tunneling or by using ThinLinc’s default encryption.
- Configure firewalls to allow only necessary ports and protocols.
- Implement IP whitelisting to restrict access from unauthorized locations.
ThinLinc’s military-grade encryption is considered one of the best ways to safeguard your data during transmission. When using ThinLinc, you can rest assured that the software is constantly developed and thoroughly tested, with reliability and security in focus.
Ensuring secure access with two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security to your remote desktop setup. Two-Factor authentication is not possible out of the box with tools like VNC or RDP.
- Enable 2FA for all user accounts.
- Choose a reliable 2FA method (e.g., time-based one-time passwords or hardware tokens).
- Educate users on the importance of 2FA and proper usage.
We advise regularly reviewing and updating your authentication policies to stay ahead of potential security threats. ThinLinc supports multiple authentication methods, allowing you to choose the most suitable option for your organization.
How to add a 2FA TOTP authentication for ThinLinc
Adding a one-time password with time-based codes is one of the easiest ways to add a second step to your user authentication. This is done by installing a google-authenticator module on your Linux machine that is hosting the ThinLinc server.
The steps below might differ slightly for other distributions. If you are using a RHEL based distribution or you have SELinux enabled, please see this post for more info.
Following these steps will enable 2FA for users’ regular SSH connections as well.
To enable TOTP Authentication on Debian based machines:
1. Install google-authenticator:
sudo apt install libpam-google-authenticator
2. Configure sshd to allow challenge based authentication.
Edit /etc/ssh/sshd_config and make sure that ChallengeResponseAuthentication is set to yes. Note that there might be configuration files inside /etc/ssh/sshd_config.d with a higher priority. Make sure that you edit the file with the highest priority.
ChallengeResponseAuthentication yes
3. Restart the ssh server
sudo systemctl restart sshd
4. Configure PAM to use the google-authenticator module.
Edit /etc/pam.d/common-auth and add the following lines to the end of the file.
Please note: The google authenticator step should be placed after the password step, the order is important here. The nullok option allows login for users that haven’t enabled OTP yet. This option should be removed if you want to force 2FA OTP.
auth required pam_google_authenticator.so nullok auth required pam_permit.so
5. Install Google Authenticator on the user’s mobile device.
There are also open source options like Aegis, which offers similar functionality to Google Authenticator.
6. Enable OTP for the user.
When you run “google-authenticator” on your users’ account, It’s important to answer “y” to “Do you want authentication tokens to be time-based” and “n” to the following question:
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks
Answering no will enable ThinLinc’s authentication process to work.
Scan the QR code on the users Google Authenticator.
ssh <ADMIN>@<SERVER> su <USERNAME> google-authenticator
7. The server configuration is now complete.
Now when logging in with SSH or ThinLinc, the user will be presented with the “Verification code” prompt after providing their password.
Optimizing remote desktop quality and performance
To ensure a seamless user experience, consider these performance optimization techniques:
- Adjust display settings based on available bandwidth.
- Enable hardware acceleration for graphics-intensive applications.
- Use ThinLinc’s server-side graphics acceleration for OpenGL-based software.
We suggest fine-tuning these settings to strike the right balance between visual quality and responsiveness. ThinLinc offers an easy-to-use interface for monitoring performance.
Common remote desktop access pitfalls
Not applying security patches
One of the biggest mistakes is not keeping software updated. Failing to apply security patches can leave your system vulnerable to attacks. Regular updates help protect against known vulnerabilities.
Not using tunneling for remote desktop
Using a remote desktop connection without tunneling can expose your data to attacks. SSH tunneling is a simple way to secure your connection. It encrypts the data, making it harder for attackers to intercept.
Bad or no user access management
Poor user management can lead to unauthorized access. It’s crucial to have a system in place to manage user permissions effectively. Here are some tips:
- Regularly review user access.
- Remove access for users who no longer need it.
- Implement role-based access control.
How ThinLinc helps you overcome security pitfalls
ThinLinc offers a more secure option for remote desktop access. It operates over SSH, providing a secure connection by default. This means you can avoid many common pitfalls associated with other protocols like plain VNC. ThinLinc simplifies remote access without the need for extensive firewall adjustments, making it a great choice for secure remote desktop access.
Conclusion
By following the best practices outlined in this guide, such as using strong passwords, enabling two-factor authentication, and keeping software updated, you can significantly reduce the risk of unauthorized access.
Tools like ThinLinc offer a user-friendly and secure way to access Linux remotely, making it easier for teams to collaborate and work efficiently from anywhere. As remote work continues to grow, investing in robust security measures will help safeguard your systems and data.
FAQ – secure remote desktop access
Remote desktop access on Linux raises important security concerns. Let’s address some common questions.
What are the best practices for securing remote desktop access on Linux?
To secure remote desktop access on Linux, make sure to:
- Use strong, unique passwords
- Enable two-factor authentication – wherever possible
- Limit failed login attempts
- Keep software updated
- Use encrypted connections (SSH tunneling or VPN)
Always close unused ports and restrict access to trusted IP addresses.
Which Linux remote desktop client offers the best security features?
We highly recommend our solution – ThinLinc – for secure remote desktop access on Linux. It offers:
- Strong encryption
- Centralized management, efficient administration interface
- Load balancing and redundancy to scale efficiently
- Various authentication methods
How do I enable secure remote desktop access from Windows to Linux?
To set up secure Windows-to-Linux remote access, follow these steps:
- Install and configure an RDP server on Linux (like Xrdp)
- Configure firewalls to allow RDP traffic
- Use a VPN for added security
Consider using ThinLinc for a more secure and user-friendly experience. ThinLinc includes VNC + ssh built-in and can also facilitate connections from Windows (or Mac) to Linux remote machines.
What methods are available to restrict access to Linux remote desktop services?
You can restrict Linux remote desktop access by:
- Implementing IP whitelisting
- Setting up time-based access rules
- Using network segmentation
- Configuring user group permissions
Regular security audits help ensure your restrictions remain effective.
Why should I use ThinLinc over other remote desktop solutions?
ThinLinc offers better sound quality, image responsiveness, and security features than any other option.
It also supports multiple users on the same remote machine.
Can I access the ThinLinc server from any device?
Absolutely! You can access ThinLinc from Windows, Mac, or Linux devices, as well as through a web browser.