Linux makes remote administration easy! - Linux



Thread: Linux makes remote administration easy!

  1. Linux makes remote administration easy!

    How to reach Linux clients behind a firewall, with good security.

    http://wifi.homelinux.com/docuwiki/d...rse_ssh_server

    --
    Linux full time, on the desktop, since August 1997

  2. Re: Linux makes remote administration easy!

    On Sat, 25 Oct 2008 10:05:53 -0500, Terry Porter wrote:

    > How to reach Linux clients behind a firewall, with good security.
    >
    > http://wifi.homelinux.com/docuwiki/d...rse_ssh_server


    The thought of you anywhere near a network Terry Porter scares me.

    Still using telnet or have you finally learned?

    --
    Moshe Goldfarb
    Collector of soaps from around the globe.
    Please visit The Hall of Linux Idiots:
    http://linuxidiots.blogspot.com/
    Please Visit www.linsux.org

  3. Re: Linux makes remote administration easy!

    Terry Porter wrote:
    > How to reach Linux clients behind a firewall, with good security.
    >
    > http://wifi.homelinux.com/docuwiki/d...rse_ssh_server


    I don't see the need for a middle machine (assuming anonymity is not
    needed), John could simply connect to Terry's machine, making a tunnel, and
    Terry could use that tunnel to connect back to John. Also, don't use
    standard ports for ssh and don't use passwords but asymmetric key
    cryptography instead.

    Regards.

  4. Re: Linux makes remote administration easy!

    On Mon, 27 Oct 2008 14:17:19 +0000, LusoTec wrote:

    > Terry Porter wrote:
    >> How to reach Linux clients behind a firewall, with good security.
    >>
    >> http://wifi.homelinux.com/docuwiki/d...rse_ssh_server



    Hi LusoTec

    >
    > I don't see the need for a middle machine (assuming anonymity is not
    > needed),


    No, it's not.

    > John could simply connect to Terry's machine, making a tunnel,


    Only if Terry's machine has SSH ports open to the Internet, which it
    doesn't, and won't.

    > and Terry could use that tunnel to connect back to John. Also, don't use
    > standard ports for ssh


    Even my remote ssh server doesn't use standard ssh ports. Doing so
    invites about 200 crack attempts per hour (in my case).

    > and don't use passwords but asymmetric key
    > cryptography instead.


    Excellent advice.

    I have other internal machines I like to access remotely from time to
    time, and the reverse ssh server works nicely in this manner also.

    That way no firewalling or port forwarding on my Gateway has to be
    altered to make different machines available on an ad hoc basis.


    Cheers
    Terry






    --
    Linux full time, on the desktop, since August 1997

  5. Re: Linux makes remote administration easy!

    Terry Porter wrote:
    > On Mon, 27 Oct 2008 14:17:19 +0000, LusoTec wrote:
    >> John could simply connect to Terry's machine, making a tunnel,

    >
    > Only if Terry's machine has SSH ports open to the Internet, which it
    > doesn't, and won't.


    Won't? Why not?

    I have a non standard port open by sshd in almost all my systems. I rarely
    have hacking attempts but for those rare occasions a log monitor detects
    them, changes the ssh port, restarts sshd, and sends me an encrypted email
    informing me of the hacking activity and the new ssh port.

    >> and Terry could use that tunnel to connect back to John. Also, don't use
    >> standard ports for ssh

    >
    > Even my remote ssh server doesn't use standard ssh ports. Doing so
    > invites about 200 crack attempts per hour (in my case).


    Around 35000 a day from thousands of IPs was the worst case I have seen.
    There is an army of bots out there that are making dictionary attacks on
    ssh servers.

    >> and don't use passwords but asymmetric key
    >> cryptography instead.

    >
    > Excellent advice.
    >
    > I have other internal machines I like to access remotely from time to
    > time, and the reverse ssh server works nicely in this manner also.
    >
    > That way no firewalling or port forwarding on my Gateway has to be
    > altered to make different machines available on an ad hoc basis.


    Since most times I want to ssh to a system that I don't yet have access to
    reverse ssh is of little use to me. Also, reverse ssh has higher latency
    and probably lower bandwidth than direct ssh.

    Regards.
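The kind of log check the post above describes, as an added example that is not part of the thread and not LusoTec's monitor: it counts sshd `Failed password` lines per source and also flags the many-sources, few-attempts pattern that a per-address threshold misses. The log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the usual OpenSSH syslog format (documentation addresses).
SAMPLE_LOG = """\
Oct 27 23:01:02 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40022 ssh2
Oct 27 23:01:04 gw sshd[2101]: Failed password for root from 203.0.113.5 port 40023 ssh2
Oct 27 23:01:06 gw sshd[2102]: Failed password for invalid user test from 203.0.113.5 port 40024 ssh2
Oct 27 23:01:08 gw sshd[2103]: Failed password for invalid user x from 192.0.2.1 port 1 ssh2 from 203.0.113.5 port 40025 ssh2
Oct 27 23:02:10 gw sshd[2110]: Failed password for root from 198.51.100.7 port 51000 ssh2
Oct 27 23:02:11 gw sshd[2111]: Failed password for root from 198.51.100.8 port 51001 ssh2
Oct 27 23:02:12 gw sshd[2112]: Failed password for root from 198.51.100.9 port 51002 ssh2
Oct 27 23:02:13 gw sshd[2113]: Failed password for root from 198.51.100.10 port 51003 ssh2
Oct 27 23:05:00 gw sshd[2120]: Accepted publickey for terry from 192.0.2.44 port 52000 ssh2
"""

# Greedy user field plus end-of-line anchor: the source address is read from the
# end of the line, so text inside a client-chosen username cannot pose as it.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)

def summarize(log_text, per_ip_threshold=3, distinct_ip_threshold=4):
    """Return failure counts and two signals: noisy sources and a distributed sweep."""
    per_ip = Counter()
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            per_ip[m["ip"]] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    quiet = [ip for ip in per_ip if ip not in noisy]
    return {
        "total_failures": sum(per_ip.values()),
        "sources": len(per_ip),
        "noisy_sources": noisy,
        # Many addresses each staying under the per-address threshold.
        "distributed": len(quiet) >= distinct_ip_threshold,
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```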

  6. Re: Linux makes remote administration easy!

    LusoTec wrote:
    > Terry Porter wrote:
    >> How to reach Linux clients behind a firewall, with good security.
    >>
    >> http://wifi.homelinux.com/docuwiki/d...rse_ssh_server

    >
    > I don't see the need for a middle machine (assuming anonymity is not
    > needed), John could simply connect to Terry's machine, making a tunnel,
    > and Terry could use that tunnel to connect back to John. Also, don't use
    > standard ports for ssh and don't use passwords but asymmetric key
    > cryptography instead.


    And don't allow root to login using ssh. If you need root access create a
    normal user account, login to that account and then su(do) to have root
    access.

    Regards.
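A check for the three settings recommended in this thread (non-standard port, keys instead of passwords, no root login), as an added example that is not part of the thread. It assumes sshd_config semantics where the first value of a keyword wins, `Port` may repeat, and `Match` blocks are conditional; the absent-keyword defaults and both sample configs are constructed assumptions, and `Include` files are not followed.

```python
# Assumed defaults for a current OpenSSH sshd when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes"}

# Constructed sample configs (not from the thread).
SAMPLE = """\
# weak example
Port 22
Port 50022
PermitRootLogin yes
passwordauthentication no
# the next line is ignored by the parser below: first value wins
PasswordAuthentication yes
Match Address 192.0.2.0/24
    PermitRootLogin no
"""
HARDENED = "Port 50022\nPermitRootLogin no\nPasswordAuthentication no\n"

def effective_settings(text):
    """Global (pre-Match) settings: keywords are case-insensitive, first value wins."""
    ports, seen = [], {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                      # everything after this is conditional
        if key == "port":
            ports.append(int(value))   # Port is additive: sshd listens on all of them
        else:
            seen.setdefault(key, value.lower())
    settings = {**DEFAULTS, **seen}
    settings["port"] = ports or [22]
    return settings

def audit(text):
    """Return findings for the settings discussed in the thread."""
    s, findings = effective_settings(text), []
    if 22 in s["port"]:
        findings.append("listens on the standard port 22")
    if s["passwordauthentication"] != "no":
        findings.append("password authentication is enabled")
    if s["permitrootlogin"] != "no":
        findings.append("root login not disabled: " + s["permitrootlogin"])
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE), audit(HARDENED))
```

On a live host, `sshd -T` prints the configuration the daemon actually resolves and is the authoritative source for these values.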

  7. Re: Linux makes remote administration easy!

    On Mon, 27 Oct 2008 23:28:09 +0000, LusoTec wrote:

    > Terry Porter wrote:
    >> On Mon, 27 Oct 2008 14:17:19 +0000, LusoTec wrote:
    >>> John could simply connect to Terry's machine, making a tunnel,

    >>
    >> Only if Terry's machine has SSH ports open to the Internet, which it
    >> doesn't, and won't.

    >
    > Won't? Why not?


    I guess I have read too many of my server logs?

    Is paranoia a good reason? ;-)

    >
    > I have a non standard port open by sshd in almost all my systems. I
    > rarely have hacking attempts but for those rare occasions a log monitor
    > detects them, changes the ssh port, restarts sshd, and sends me an
    > encrypted email informing me of the hacking activity and the new ssh
    > port.


    I used to have sshfilter, but I was still worried. In the end I decided
    that if I didn't have SSH open to the Internet, an SSH exploit couldn't be
    used against me.


    >
    >>> and Terry could use that tunnel to connect back to John. Also, don't
    >>> use standard ports for ssh

    >>
    >> Even my remote ssh server doesn't use standard ssh ports. Doing so
    >> invites about 200 crack attempts per hour (in my case).

    >
    > Around 35000 a day from thousands of IPs was the worst case I have seen.
    > There is an army of bots out there that are making dictionary attacks on
    > ssh servers.


    Yes, I recall discovering my first dictionary attack; they started at "a"
    and were working their way to "zzzzzzzz".

    I was like .... "WHAT THE !!"

    >
    >>> and don't use passwords but asymmetric key cryptography instead.

    >>
    >> Excellent advice.
    >>
    >> I have other internal machines I like to access remotely from time to
    >> time, and the reverse ssh server works nicely in this manner also.
    >>
    >> That way no firewalling or port forwarding on my Gateway has to be
    >> altered to make different machines available on an ad hoc basis.

    >
    > Since most times I want to ssh to a system that I don't yet have access
    > to reverse ssh is of little use to me. Also, reverse ssh has higher
    > latency and probably lower bandwidth than direct ssh.


    Also true, especially on a little WRT54G!

    >
    > Regards.


    Nice chatting LusoTec, *you* know what you're talking about and it's a
    pleasure to meet you on COLA.



    --
    Linux full time, on the desktop, since August 1997

  8. Re: Linux makes remote administration easy!

    On Mon, 27 Oct 2008 23:32:06 +0000, LusoTec wrote:

    > And don't allow root to login using ssh. If you need root access create
    > a normal user account, login to that account and then su(do) to have
    > root access.
    >
    > Regards.


    Also, good advice.




    --
    Linux full time, on the desktop, since August 1997
