What is the safest way of allowing access to a home system from a remote computer? I am running Fedora-6 and shorewall.
Any advice or suggestions gratefully received.
On Saturday, 30 December 2006 15:29, Timothy Murphy wrote:
What is the safest way of allowing access to a home system from a remote computer? I am running Fedora-6 and shorewall.
Any advice or suggestions gratefully received.
I'm used to using either VPN or OpenSSH. If you're too paranoid, you could allow connections only from a remote IP (yours from the office or whatever).
Aaron Konstam wrote:
On Sat, 2006-12-30 at 10:08 -0500, Sam Varshavchik wrote:
Timothy Murphy writes:
What is the safest way of allowing access to a home system from a remote computer? I am running Fedora-6 and shorewall.
Any advice or suggestions gratefully received.
Run ssh on a non-default port.
Turn off passwords. Use ssh certificates.
There is something wrong with just saying use ssh. One assumes that the home machines are masqueraded behind a router. It seems to me that one must configure that all packets arriving at the router address be routed to a particular home machine address.
--
Rebellion lay in his way, and he found it. -- William Shakespeare, "Henry IV"
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam@sbcglobal.net
Go to the site below and download NX Free Edition for Linux, NX Node for Linux and NX Client for Linux. NX will work right out of the box on FC 5 and 6, and it uses SSH tunneling and SSH X-forwarding. I use the NX Client on my laptop and a PC server 800 miles away. The only kicker is that, because the PC server on the other end is connected to a DHCP internet ISP, the person at the PC server has to send me the IP address, by going to http://getip.com. If you have a static IP (fixed IP) for the server then you would be ahead of the game.
http://www.nomachine.com/download.php
Jim
Aaron Konstam wrote:
There is something wrong with just saying use ssh. One assumes that the home machines are masqueraded behind a router.
Router or no router, it doesn't matter. You just need to open a port for SSH in the firewall if there is no router. If there is a router, you just need to configure one port to forward to your SSH server.
It seems to me that one must configure that all packets arriving at the router address be routed to a particular home machine address.
Why? SSH only needs one port.
On Sat, 2006-12-30 at 22:32 -0500, William Hooper wrote:
Aaron Konstam wrote:
It seems to me that one must configure that all packets arriving at the router address be routed to a particular home machine address.
Why? SSH only needs one port.
Just bad editing on my part. I meant to say ... all ssh packets ...
--
Thyme's Law: Everything goes wrong at once.
Aaron Konstam telephone: (210) 656-0355 e-mail: akonstam@sbcglobal.net
On 12/30/06, Timothy Murphy tim@birdsnest.maths.tcd.ie wrote:
What is the safest way of allowing access to a home system from a remote computer? I am running Fedora-6 and shorewall.
Any advice or suggestions gratefully received.
-- Timothy Murphy e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie tel: +353-86-2336090, +353-1-2842366 s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland
-- fedora-list mailing list fedora-list@redhat.com To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
I agree - ssh with no password and then use certificates to authenticate. And start it with the -X option if you want to be able to run XWindows applications over ssh.
As for a router, as was noted, you simply need to configure your router so that all traffic coming in on whatever port you decide to use for ssh (22 being the default) is forwarded to your ssh server. You will want to assign a static IP to your ssh server (either configuring the box itself, or if your router supports it, assign static IP via DHCP for the nic in your ssh server). It would also be wise to disable root access via ssh. If you need root access, you can su or sudo once you've connected to your server.
To copy files, you can use scp to access your ssh server. If you simply want to set up a shared drive on your server, then have a look at hamachi. I've played with it (the Windows version mind you, but they have a Linux version as well). You can find Hamachi at http://www.hamachi.cc/. The nice thing with Hamachi is that it's zero configuration. You don't have to open ports on your router to get it to work. The down side if you are paranoid is that you are relying on someone else's network and product vs known/trusted ssh.
And of course VNC and its flavours might do the trick. I am pretty certain you can tunnel VNC through ssh if you want to wrap a layer of protection/encryption. I had managed to get VNC to work over Hamachi for a fleeting moment a while back (Windows box otherwise I would have tried it with ssh).
Jacques B.
Hi,
Sorry, I'm a newbie. What if my router doesn't have a public IP itself? I mean to say my provider provides me a 192.168.1.x of its network, and internally I have a LAN. Will I ever be able to access my personal system via the router [provided my ISP provider will not change any of its settings from his end]? I'm wondering if any kind of dynDNS or peer-to-peer can help me to do that.
Any suggestions?
Regards, Ahmed Hussain
On Sun, 2006-12-31 at 12:27 -0500, Jacques B. wrote:
I agree - ssh with no password and then use certificates to authenticate. And start it with the -X option if you want to be able to run XWindows applications over ssh.
As for a router, as was noted, you simply need to configure your router so that all traffic coming in on whatever port you decide to use for ssh (22 being the default) is forwarded to your ssh server. You will want to assign a static IP to your ssh server (either configuring the box itself, or if your router supports it, assign static IP via DHCP for the nic in your ssh server). It would also be wise to disable root access via ssh. If you need root access, you can su or sudo once you've connected to your server.
To copy files, you can use scp to access your ssh server. If you simply want to set up a shared drive on your server, then have a look at hamachi. I've played with it (the Windows version mind you, but they have a Linux version as well). You can find Hamachi at http://www.hamachi.cc/. The nice thing with Hamachi is that it's zero configuration. You don't have to open ports on your router to get it to work. The down side if you are paranoid is that you are relying on someone else's network and product vs known/trusted ssh.
And of course VNC and its flavours might do the trick. I am pretty certain you can tunnel VNC through ssh if you want to wrap a layer of protection/encryption. I had managed to get VNC to work over Hamachi for a fleeting moment a while back (Windows box otherwise I would have tried it with ssh).
Jacques B.
Check out dyndys.org - sign up for a free account and then set up Dynamic IP.
Chris
If you keep your computer on, most likely your ISP-assigned DHCP IP won't change. Go to http://getip.com and you can get your IP address if it has changed. There is such a thing as a proxy server that will solve this problem. I connect to a server 800 miles away using NX server from http://nomachine.com, installed on FC6 or 5 right out of the box. The person 800 miles away gets the IP address from getip.com and emails it to me, and I pull maintenance every week. Crude way of doing things, but it works.
Jim
Is the 192.168.1.x address the External interface of the router, or the Internal? If it is indeed the External interface, then your provider probably has you behind their own NAT device that you won't be able to configure. One option at that point would be to see if they provide a different service level to give you a real IP. If not, then your only option would be to use a service that provides a third party "connection gateway" server. One example service would be Hamachi.
On Sunday 31 December 2006 12:39, Ahmed Hussain wrote:
Hi,
Sorry, I'm a newbie. What if my router doesn't have a public IP itself? I mean to say my provider provides me a 192.168.1.x of its network, and internally I have a LAN. Will I ever be able to access my personal system via the router [provided my ISP provider will not change any of its settings from his end]? I'm wondering if any kind of dynDNS or peer-to-peer can help me to do that.
Any suggestions?
Yes, run, don't walk, stumble or crawl, as fast as you can, to another provider. Having dealt with that sort of a scenario on dialup many years ago, that's a security hole you can drive an 80,000 pound load of swinging beef through. An insurance agent's secretary's machine 45 miles away got infected with the first generation of sobig and tied up the whole network, and the isp refused to disconnect a good customer. We were all linux on the gateway side, so neither that worm nor any of the others has ever bothered our servers. The winderz boxes in the various offices are another horse entirely though. But we did make quite an impression on them about opening emails from unknown srcs after word got around that we were no longer spending days per machine running viri detectors, but were simply re-imaging the machine that got infected, losing ALL their personal stuff including sales leads and black book addresses.
We sent several emails, finally getting into the nastygram mode, to which the sexytary's only reply was "So what, it's working for me. And if you contact me again with that kind of language the next phone call will be from our lawyer." A genuine cast iron bitch she was.
It cost us 95% of our bandwidth defending against that box 45 miles away, back when a 56k dialup was the rule of the land. So we spent better than 15 grand on a T1 till a new isp came on the scene.
vz at least gives me an outside address at the outside of my router, in this case an old box with DD-WRT installed on it.
DD-WRT, and an outside address, can set up a VPN in just a few minutes.
Aaron Konstam wrote:
There is something wrong with just saying use ssh. One assumes that the home machines are masqueraded behind a router.
William Hooper replied:
Router or no router, it doesn't matter. You just need to open a port for SSH in the firewall if there is no router. If there is a router, you just need to configure one port to forward to your SSH server.
Aaron had also written:
It seems to me that one must configure that all packets arriving at the router address be routed to a particular home machine address.
William asked:
Why? SSH only needs one port.
Aaron said:
Just bad editing on my part. I meant to say ... all ssh packets ...
That's not true either. You can set up SSH to listen on any port you care to choose (assuming that it's not already in use). So you can set up different ports for each PC you want to access.
On many home routers, you can also forward from one public port on the router to a different port on a computer on the local network. Personally, I find it easier not to bother, at least with SSH -- keep the port numbers consistent throughout, then you've got one less variable to worry about.
Hope this helps,
James.
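An added example, not code from any poster in this thread: a small Python check that reads sshd_config text and reports where it departs from the advice given above (non-default port, password logins off, public-key logins on, no root login). Both sample configs are constructed, and the parsing rules assumed here (first value wins, `Port` may repeat, `Match` blocks override the global section) are those described in the OpenSSH sshd_config manual page.

```python
# Added example; WEAK and HARDENED are constructed sshd_config samples.
WEAK = """\
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
# The next line has no effect: sshd keeps the first value it reads.
PasswordAuthentication yes
Match Address 192.168.1.0/24
    PasswordAuthentication yes
"""

RISKY_IN_MATCH = {"passwordauthentication": "yes", "permitrootlogin": "yes"}

def parse(text):
    """Split a config into global settings, ports and Match-block overrides."""
    settings, ports, overrides, match = {}, [], [], None
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0].startswith("#"):
            continue                      # blank, comment or argument-less line
        key, value = parts[0].lower(), parts[1].lower()
        if key == "match":
            match = " ".join(parts[1:])   # later lines apply only to this match
        elif match is not None:
            overrides.append((match, key, value))
        elif key == "port":
            ports.append(int(value))      # Port may repeat; every value is used
        else:
            settings.setdefault(key, value)   # first value wins
    return settings, ports, overrides

def audit(text):
    """Return findings; an empty list means the thread's advice is applied."""
    settings, ports, overrides = parse(text)
    findings = []
    if not ports or 22 in ports:
        findings.append("listening on default port 22")
    if settings.get("passwordauthentication") != "no":
        findings.append("password login not disabled")
    if settings.get("pubkeyauthentication", "yes") != "yes":
        findings.append("public-key login disabled")
    if settings.get("permitrootlogin") != "no":
        findings.append("root login not disabled")
    for match, key, value in overrides:
        if RISKY_IN_MATCH.get(key) == value:
            findings.append(f"Match {match} re-enables {key}")
    return findings

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(sample))
```

The hardened sample still yields one finding: its global section is fine, but the `Match` block turns password logins back on for one address range, which a check of the global section alone would miss.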