How to Securely access Linux Ubuntu over RDP

So, I'm grateful and slightly in awe that I have just started blogging again, and a few articles already seem to be popular. Thanks folks.

So, a few people have followed my guidance on setting up RDP to access Linux, because, let's face it, RDP rocks! However, I didn't mention in the previous article how to access your Linux VM over RDP in a secure way. I guess I just thought that everyone did it the way I do, so some guidance might be valuable.

So, here is the guidance.

Never, ever, ever expose an RDP service on a Linux VM to the outside world by opening your firewall port 3389 to the public.

Why not? Because xRDP is not battle-hardened and I don't trust it, and neither should you. It may be secure, but it probably isn't. Do you really want your beautiful server that you have laboriously built and maintained to be turned into a botnet or spambot? I think not.

Here is how you securely access Linux Ubuntu over RDP (or any variant of *nix):

Connecting From Mac OS X

Secure Shell is enabled by default on Azure. So ssh into the VM first, and set a port on your local Mac OS X computer to be forwarded to the same port on the Linux VM. Here is the step-by-step on how and why.

In my case, let's say my public IP address of my Linux server is (it's not but let's pretend), and my ssh login username is david, then I would enter the following command at the Mac OS X Terminal prompt:

ssh -L 3389:localhost:3389  david@  

Once you have successfully logged in, a secure channel is created.

This works by allocating a socket to listen on port 3389 on the Mac, and whenever a connection is made, it is securely forwarded over the ssh channel to the remote Linux port, in this case also 3389.

You can now connect to your local machine on port 3389 and it will forward this over the secure channel to the xRDP service sitting on the remote port 3389 on your linux machine.

Once you have proved that this is working, turn off public access to port 3389 via the Azure Portal.

I usually create a bash script named after the linux vm, e.g. and make it executable so I can just do ./ and I get prompted for the linux login password.

I then start an RDP client session on my Mac and connect to my localhost port 3389.
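
One way to write such a wrapper script (an added example, not the author's own script): it binds the forward explicitly to 127.0.0.1 and can check that nothing on the client is listening on port 3389 beyond loopback. The connect and check arguments, the function names and the sample lsof output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: tunnel wrapper plus a local exposure check (not the author's script).
RDP_PORT=3389

# -L argument with an explicit loopback bind address, so a GatewayPorts
# setting in ssh_config cannot make the forward listen on every interface.
forward_spec() {
    printf '127.0.0.1:%s:localhost:%s\n' "$RDP_PORT" "$RDP_PORT"
}

# Open the tunnel. -N: forward only, no remote shell.
# ExitOnForwardFailure=yes: exit if the local port cannot be bound,
# rather than logging in with no working forward.
open_tunnel() {   # usage: open_tunnel USER HOST
    ssh -N -o ExitOnForwardFailure=yes -L "$(forward_spec)" "$1@$2"
}

# Read `lsof -nP -iTCP:3389 -sTCP:LISTEN` output on stdin and print
# "COMMAND ADDRESS" for each listener on RDP_PORT that is not loopback-only.
exposed_listeners() {
    awk -v port="$RDP_PORT" '
        $NF == "(LISTEN)" {
            name = $(NF - 1); suffix = ":" port
            if (substr(name, length(name) - length(suffix) + 1) != suffix) next
            host = substr(name, 1, length(name) - length(suffix))
            if (host != "127.0.0.1" && host != "[::1]") print $1, name
        }'
}

# Constructed sample lsof output: forward bound to loopback only.
sample_loopback() { cat <<'EOF'
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ssh     4312 david  5u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:3389 (LISTEN)
EOF
}

# Constructed sample lsof output: forward bound to every interface.
sample_wildcard() { cat <<'EOF'
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
ssh     4312 david  5u  IPv4 0x1a2b      0t0  TCP *:3389 (LISTEN)
sshd     801  root  3u  IPv4 0x3c4d      0t0  TCP *:22 (LISTEN)
EOF
}

case "${1:-}" in
    connect) open_tunnel "$2" "$3" ;;
    check)   lsof -nP -iTCP:"$RDP_PORT" -sTCP:LISTEN | exposed_listeners ;;
esac
```

Run the check mode in a second terminal while the tunnel is up; any line it prints means the forwarded RDP port is reachable from other machines on your network.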

To learn more, log in to your Linux box, type man ssh, and read the section on the -L option.