Remote desktop access is a must-have for many Linux users. It lets us work on our Linux machines from anywhere in the world.
But security is crucial when connecting to machines over the internet. Obviously - we don't want hackers getting into our systems.
Linux has several remote desktop options that are both easy to use and robust. Popular choices include VNC, RDP and ThinLinc.
When it comes to remote desktop, there’s always a server and a client machine. In this article we’ll focus on securing the server part of the equation - by looking into the best tools and practices for setting up secure remote desktop access on Linux.
Remote desktop access on Linux requires careful setup to ensure security and functionality. We'll explore key protocols, installation steps, and configuration options to help you establish a safe remote connection.
It all starts with choosing the right protocol for your use case.
Popular options include:
VNC offers flexibility and broad compatibility. It's often the go-to choice for Linux remote desktop setups.
RDP can work well if you need to connect to both Windows and Linux machines. It may, however, require additional setup on Linux systems.
SSH is highly secure but it is text-based. It can be used to tunnel graphical connections for that added protection. SSH is often used in conjunction with VNC.
A newer addition - ThinLinc - is a powerful solution that combines the benefits of VNC with enhanced security features. It has VNC + SSH built in - also allowing multiple users to access the same Linux environment securely. This makes it an excellent choice for organizations looking to provide remote access to their machines, without compromising on security.
| Protocol | Security | Performance | Ease of Setup |
| --- | --- | --- | --- |
| RDP | Moderate | Good | Moderate |
| VNC | Low | Moderate | Easy |
| X11 | Low | Moderate | Complex |
| ThinLinc | High | Excellent | Moderate |
Please note: In order to use a remote desktop server like TigerVNC, you first need to have a desktop environment or a window manager - like Xfce - installed on your Linux machine.
To set up VNC on Linux (for Debian-based distributions), follow these steps:
1. Install a VNC server package like TigerVNC:
sudo apt install tigervnc-standalone-server
2. Set a VNC password:
vncpasswd
3. Create a startup script for the VNC server.
4. Configure your desktop environment to work with VNC.
5. Start the VNC server:
vncserver :1
After that, remember to open the necessary ports on your firewall. VNC typically uses port 5901 for the first display.
An SSH tunnel enhances VNC security. To create one, do the following:
1. On your local machine, create an SSH tunnel:
ssh -L 5901:localhost:5901 user@remote_host
2. Connect to VNC through the tunnel using localhost:5901.
This method encrypts your VNC traffic, protecting it from potential eavesdropping.
However, you still need to take care of other security precautions - like setting up proper firewall settings.
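As an added example (not part of the original article): once VNC is only meant to be reached through the SSH tunnel, the display should be bound to loopback (TigerVNC's Xvnc has a -localhost option for this) so that port 5901 is not exposed even if the firewall rule from the previous section is still open. This shell function reads "ss -ltn" output and reports whether a given port listens only on loopback; the sample output below is constructed.

```shell
# Added example, not from the article: check that a VNC display is reachable only
# through the SSH tunnel, i.e. port 5901 is bound to loopback and not to 0.0.0.0
# or [::]. Reads "ss -ltn" output on stdin; exit 0 = loopback only, 1 = exposed,
# 2 = nothing listening on that port. On the server: ss -ltn | vnc_loopback_only 5901
vnc_loopback_only() {
  awk -v port="$1" '
    NR == 1 { next }                                   # ss header line
    { n = split($4, a, ":"); p = a[n] }                # "Local Address:Port" column
    p != port { next }
    { seen++ }
    $4 !~ /^(127\.[0-9.]+|\[::1]):/ { bad++; print "exposed on " $4 > "/dev/stderr" }
    END { if (!seen) exit 2; exit (bad > 0) }
  '
}

# Constructed "ss -ltn" sample: display :1 (5901) correctly bound to loopback,
# display :2 (5902) listening on every interface and therefore reachable without
# the tunnel, with its traffic unencrypted.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      5      [::1]:5901          [::]:*
LISTEN 0      5      0.0.0.0:5902        0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | vnc_loopback_only 5901 && echo "5901: loopback only"
printf '%s\n' "$SAMPLE_SS" | vnc_loopback_only 5902 || echo "5902: exposed (rc=$?)"
```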
ThinLinc offers a comprehensive Linux remote desktop solution. It uses TigerVNC for display, has SSH built-in and adds extra features like:
Before proceeding with ThinLinc installation:
Make sure you have installed a desktop environment, such as Xfce, LXDE, MATE or similar. Please refer to your distribution's documentation for how to install these.
This guide is for version 4.17.0 of ThinLinc. You can find the latest version of the ThinLinc server here.
1. Download the server installer from the Cendio website.
2. Unpack the downloaded ZIP file by right-clicking and selecting “Extract…”. You can also unpack it from a command prompt:
unzip tl-4.17.0-server.zip
3. You can start the graphical installation of ThinLinc by double-clicking on “install-server”. You can also start the installation from a command prompt:
cd tl-4.17.0-server
./install-server
4. Follow the setup wizard to configure your server.
5. To connect to your ThinLinc server, you first need to download a client for your platform. Read more about connecting to your instance from the Quick start guide.
Note about user management: A ThinLinc user is a standard POSIX user - so that means ThinLinc uses exactly the same user accounts as the underlying Linux server on which it is installed. So in order to create a ThinLinc user, you simply use the same tools as you would for a Linux system user.
When running ThinLinc in a cluster configuration, a centralised authentication mechanism such as LDAP or Active Directory is normally used.
We recommend exploring different options to find the best fit for your specific needs and security requirements.
Implementing up-to-date security measures is a crucial step for secure remote desktop access on Linux.
Here are some recommended strategies to make your remote desktop experience more enjoyable and secure.
Protecting your remote desktop connections is essential. Follow these best practices:
ThinLinc's military-grade encryption is considered one of the best ways to safeguard your data during transmission. When using ThinLinc, you can rest assured that the software is constantly developed and thoroughly tested, with reliability and security in focus.
Two-factor authentication (2FA) adds an extra layer of security to your remote desktop setup. Two-factor authentication is not possible out of the box with tools like VNC or RDP.
We advise regularly reviewing and updating your authentication policies to stay ahead of potential security threats. ThinLinc supports multiple authentication methods, allowing you to choose the most suitable option for your organization.
Adding a one-time password with time-based codes is one of the easiest ways to add a second step to your user authentication. This is done by installing a google-authenticator module on your Linux machine that is hosting the ThinLinc server.
The steps below might differ slightly for other distributions. If you are using a RHEL-based distribution or you have SELinux enabled, please see this post for more info.
Following these steps will enable 2FA for users’ regular SSH connections as well.
1. Install google-authenticator:
sudo apt install libpam-google-authenticator
2. Configure sshd to allow challenge based authentication.
Edit /etc/ssh/sshd_config and make sure that ChallengeResponseAuthentication is set to yes. Note that there might be configuration files inside /etc/ssh/sshd_config.d with a higher priority. Make sure that you edit the file with the highest priority.
ChallengeResponseAuthentication yes
3. Restart the ssh server
sudo systemctl restart sshd
4. Configure PAM to use the google-authenticator module.
Edit /etc/pam.d/common-auth and add the following lines to the end of the file.
Please note: The Google Authenticator step should be placed after the password step; the order is important here. The nullok option allows login for users that haven’t enabled OTP yet. This option should be removed if you want to enforce 2FA OTP.
auth required pam_google_authenticator.so nullok
auth required pam_permit.so
5. Install Google Authenticator on the user’s mobile device.
There are also open source options like Aegis, which offers similar functionality to Google Authenticator.
6. Enable OTP for the user.
When you run “google-authenticator” on your users’ accounts, it’s important to answer “y” to “Do you want authentication tokens to be time-based” and “n” to the following question:
Do you want to disallow multiple uses of the same authentication token? This restricts you to one login about every 30s, but it increases your chances to notice or even prevent man-in-the-middle attacks
Answering no will enable ThinLinc’s authentication process to work.
Scan the QR code with the user’s Google Authenticator app.
ssh <ADMIN>@<SERVER>
su <USERNAME>
google-authenticator
7. The server configuration is now complete.
Now when logging in with SSH or ThinLinc, the user will be presented with the “Verification code” prompt after providing their password.
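As an added example (not part of the original article): after completing the steps above, it is worth verifying that the configuration is really in effect, since a drop-in under /etc/ssh/sshd_config.d can override the keyword and a misplaced or nullok PAM line leaves OTP optional. The shell functions below are hypothetical helpers; they take file paths as parameters so they can be tried on constructed copies before being pointed at the real files.

```shell
# Added example, not from the article: read-only checks that the 2FA setup above
# is really in effect. sshd uses the FIRST value it finds for a keyword, and the
# Include line (normally at the top of sshd_config) reads sshd_config.d/* before
# the rest of the main file, so a drop-in there silently overrides your edit.
# Match blocks are not handled. Paths are parameters so the checks run on copies.
# Print the effective (lower-cased) value of keyword $2 in sshd config $1.
sshd_effective() {
  awk -v key="$2" '
    function scan(file,   line, p, n, cmd, f) {
      while ((getline line < file) > 0) {
        sub(/#.*/, "", line); sub(/^[ \t]+/, "", line)
        n = split(line, p, /[ \t=]+/)          # "Keyword value" or "Keyword=value"
        if (n < 2) continue
        if (tolower(p[1]) == "include") {
          if (p[2] !~ /^\//) p[2] = "/etc/ssh/" p[2]   # relative paths live in /etc/ssh
          cmd = "ls -1 " p[2] " 2>/dev/null"    # shell expands the glob, sorted
          while ((cmd | getline f) > 0) scan(f)
          close(cmd)
        } else if (tolower(p[1]) == tolower(key)) {
          print tolower(p[2]); exit            # first hit wins, exactly like sshd
        }
      }
      close(file)
    }
    BEGIN { scan(ARGV[1]) }' "$1"
}

# 0 if $1 has an "auth" line for pam_google_authenticator.so placed after the
# password module (pam_unix.so), as step 4 requires; 1 otherwise.
pam_otp_ordered() {
  awk '/^[ \t]*#/ || NF == 0 { next }
       $1 == "auth" && /pam_unix\.so/ && !u { u = NR }
       $1 == "auth" && /pam_google_authenticator\.so/ && !g { g = NR }
       END { exit !(u && g && g > u) }' "$1"
}

# 0 if the OTP line carries no "nullok", i.e. 2FA is enforced for every user.
pam_otp_enforced() {
  ! grep -Eq '^[[:space:]]*auth.*pam_google_authenticator\.so.*[[:space:]]nullok([[:space:]]|$)' "$1"
}

# Verdicts for the live host. OpenSSH 8.7+ treats ChallengeResponseAuthentication
# as an alias of KbdInteractiveAuthentication, so check the new name if needed.
check_host() {
  v=$(sshd_effective /etc/ssh/sshd_config ChallengeResponseAuthentication)
  [ "$v" = yes ] && echo "sshd: ok" || echo "sshd: challenge-response is '$v'"
  pam_otp_ordered /etc/pam.d/common-auth && echo "pam: order ok" || echo "pam: OTP line missing or before pam_unix"
  pam_otp_enforced /etc/pam.d/common-auth && echo "pam: enforced" || echo "pam: nullok set, OTP optional"
}
```

Run check_host as root on the server after step 7; each line of output names the check that needs attention.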
To ensure a seamless user experience, consider these performance optimization techniques:
We suggest fine-tuning these settings to strike the right balance between visual quality and responsiveness. ThinLinc offers an easy-to-use interface for monitoring performance.
One of the biggest mistakes is not keeping software updated. Failing to apply security patches can leave your system vulnerable to attacks. Regular updates help protect against known vulnerabilities.
Using a remote desktop connection without tunneling can expose your data to attacks. SSH tunneling is a simple way to secure your connection. It encrypts the data, making it harder for attackers to intercept.
Poor user management can lead to unauthorized access. It's crucial to have a system in place to manage user permissions effectively. Here are some tips:
ThinLinc offers a more secure option for remote desktop access. It operates over SSH, providing a secure connection by default. This means you can avoid many common pitfalls associated with other protocols like plain VNC. ThinLinc simplifies remote access without the need for extensive firewall adjustments, making it a great choice for secure remote desktop access.
By following the best practices outlined in this guide, such as using strong passwords, enabling two-factor authentication, and keeping software updated, you can significantly reduce the risk of unauthorized access.
Tools like ThinLinc offer a user-friendly and secure way to access Linux remotely, making it easier for teams to collaborate and work efficiently from anywhere. As remote work continues to grow, investing in robust security measures will help safeguard your systems and data.
Remote desktop access on Linux raises important security concerns. Let's address some common questions.
To secure remote desktop access on Linux, make sure to:
Always close unused ports and restrict access to trusted IP addresses.
We highly recommend our solution - ThinLinc - for secure remote desktop access on Linux. It offers:
To set up secure Windows-to-Linux remote access, follow these steps:
Consider using ThinLinc for a more secure and user-friendly experience. ThinLinc includes VNC + ssh built-in and can also facilitate connections from Windows (or Mac) to Linux remote machines.
You can restrict Linux remote desktop access by:
Regular security audits help ensure your restrictions remain effective.
ThinLinc offers better sound quality, image responsiveness, and security features than any other option.
It also supports multiple users on the same remote machine.
Absolutely! You can access ThinLinc from Windows, Mac, or Linux devices, as well as through a web browser.