Hi all, I'll be honest: Networking is not really my expertise, but I want to improve and also learn more about security best-practice.
Currently, I have a computer running Arch in the office, behind a ZyXeL router, and at home I have my home iMac. I often work on the same code (I work as a programmer) from home and from the office, and use a git repo, Tresorit and sometimes Box.com to keep things in sync. However, from a security standpoint, the moment the files are synced to my home iMac, it becomes a liability - especially because I use it for much more than just work stuff, so I really want to reduce it to having as little stuff locally as possible, so sensitive data doesn't 'leave the office' so to speak.
Thus, I'm searching for a way to, if I have the day off but still want to get work done, get on my home iMac and connect to my office Arch machine and then work directly on it through a remote connection, so that saving my work saves it directly on the work Arch machine and once I disconnect nothing work-related is left on my home iMac.
I'm comfortable in a terminal and already use SSH to edit stuff on our company servers on DigitalOcean, so using SSH to work from home seems like an ideal solution, although I'm having problems setting up an OpenSSH server, especially with the office router - I'm aware that I need to open up some sort of port forwarding for it to work, but OTOH I don't want to accidentally expose the entire office to new security vulnerabilities from having an open router, so I only want to open up the bare necessities... whatever those are.
Secondly, there might also be times where I'd have to use LibreOffice and other GUI-based tools to work with .csv files and such, so I'll probably also need a way to get remote access to KDE running on my Arch machine, if possible. Incidentally, I actually want to look for ways to run GUI-based (X based?) applications without a Desktop Environment as I'm trending more and more towards getting things done via terminal, so if you know a way of running window-based applications without a DE, I'm all ears.
From what I describe above, can anyone give me some hints as to what is secure, common practice? I'd also appreciate any helpful resources or guides you can link to. I've been struggling with finding anything, as I wasn't really sure what terms to search for.
Thanks a lot
Can't get more secure than SSH. Yes, you need to open a port for it but that is usually done to a specific IP/host not the entire network. For KDE, you can use tigervnc tunneling over ssh. I do it all the time. See the wiki page.
CPU-optimized Linux-ck packages @ Repo-ck • AUR packages • Zsh and other configs
Opening port 22 through the router is only one issue, and the easiest issue.
Do you fully control the router? If not, you're probably S.O.L. The main issue is having a public IP address for your work computer.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
You might want to set up a VPN on your home machine (I run one on my router itself) and have the arch machine at the office establish a VPN connection to your home machine.
Also, on the office machine, I suggest running a VM that is the machine that actually establishes the VPN connection. That VM can be configured to talk to the host over a private virtual network.
This way, the host machine is not impacted by the VPN and runs normally on the office network. It can communicate with the guest machine via ssh on the virtual LAN. It maintains a VPN link to the home machine from behind the firewall. Your home network can ssh through the VPN to the guest VM at work. From there, you can go through the host at work.
I like this set up in particular, because I trust my security more than I trust security at work. BTW, security at work is good; very good. The problem is there are a lot of people on it providing what I consider the weakest link.
Also, be sure you check with IT on this. They might not appreciate someone setting up a VPN connection without their knowledge. Doing so is wrong, and, at many places, career limiting.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
I suggest to lookup "reverse ssh tunnel", e.g. https://www.howtoforge.com/reverse-ssh-tunneling + more sites...
I ALSO STRONGLY suggest telling (or agreeing with) the IT department about it first, or I imagine the company could/would fire you immediately with 5 seconds' notice and you'd risk not getting paid for the whole notice period; at least that is possible in my country, when we talk about consequences of severe disloyal activities or whatever that is called in legal terms...
Thanks for all the replies! To clarify with regards to the IT department: I am the IT department (yeah, we're a small place), hence why I'm so worried about security.
I can confirm that we do have a static IP at the office. I'm gonna try opening up a non-standard, high-number port on the office router, forward it to my LAN IP address, set up SSH on the office box with public key auth only, add my home public key to the authorized_keys file in ~/.ssh/ and then see what I can make happen. I'll get back to you if (when) something goes wrong
Hi all, I'll be honest: Networking is not really my expertise
To clarify with regards to the IT department: I am the IT department
You're screwed.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
I'm gonna try opening up a non-standard, high-number port on the office router
I hope that router has firewall capabilities and you can configure it to only accept ssh from your home ip-address ?
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
I hope that router has firewall capabilities and you can configure it to only accept ssh from your home ip-address ?
I don't know about madpet, but my IP address at home is always changing.
What is the harm in NOT configuring the router to only accept SSH from the home IP address? If anyone else attempts to SSH to the work computer, it will just be denied...
Here's my approach:
Use ssh with key authentication only (password authentication disabled).
Pick a high port. Some say this is useless because smart attackers scan for all open ports. However, there are lots of stupid attackers and my firewall logs show that 22, closed in our case, is hammered over 600K times a month... fully 100 times more often than the six other obscure ssh ports exposed by our router (combined). Key authentication solves the problem, but why let these dummies through the router with their pesky lock-picking tricks.
Place a pfSense (or other) gateway/firewall/router between the ISP's modem and your work LAN. At this firewall, block all incoming connections by default and pass only the ssh port. Use the NAT setup to forward the port to your work machine's (static) IP.
pfSense and other router distros allow you to block incoming requests not originating from your home IP or its name translation (like a dynamic DNS name).
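As an added example (not code from the thread, nor from any poster) covering both madpet's plan of key-only auth with a forwarded high port and the "keys only, high port, default-deny firewall" approach above: a small POSIX shell script that prints a hardened sshd drop-in and audits an sshd configuration for the settings that matter once the router forwards a port to the box. Everything below is an assumption or constructed value: the login user is madpet, the drop-in path is hypothetical, and the script assumes sshd_config carries an `Include /etc/ssh/sshd_config.d/*.conf` line (check with `grep Include /etc/ssh/sshd_config`; if it is absent, paste the settings into sshd_config instead). The audit reads `sshd -T` output, which is the effective configuration after all includes and is the thing worth checking, rather than any single file.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints a hardened sshd drop-in and audits
# an sshd configuration for the settings that matter once the router forwards a port
# here. Assumptions (constructed): login user "madpet"; sshd_config contains
# "Include /etc/ssh/sshd_config.d/*.conf"; the router maps an external high port to 22.

DROPIN=/etc/ssh/sshd_config.d/10-hardening.conf   # hypothetical path

# sshd takes the FIRST value it sees for a keyword, and an included file is read where
# the Include line sits, so a drop-in wins over the defaults further down the main file.
hardening_dropin() {
    cat <<'EOF'
# keys only: no passwords, no keyboard-interactive (PAM) prompts
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# OpenSSH before 8.7 spells the previous keyword ChallengeResponseAuthentication
PermitRootLogin no
# only this account may log in at all; every other name is refused before auth
AllowUsers madpet
MaxAuthTries 3
LoginGraceTime 20
# VNC rides an -L tunnel, so X11 forwarding stays off
X11Forwarding no
EOF
}

# effective_value FILE KEYWORD: first value set for KEYWORD (case-insensitive),
# skipping comments and everything after the first Match block (those are conditional).
# Works on a config file and on "sshd -T" output, whose keywords are lowercase.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { inmatch = 1 }
        inmatch { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: 0 if every check passes, 1 otherwise.
# Columns: keyword, required value, value sshd assumes when the keyword is absent.
audit_sshd_config() {
    rc=0
    while read -r key want dflt; do
        have=$(effective_value "$1" "$key")
        [ -n "$have" ] || have=$dflt
        have=$(printf '%s' "$have" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "FAIL: $key is '$have', want '$want'"
            rc=1
        fi
    done <<EOF
PasswordAuthentication no yes
KbdInteractiveAuthentication no yes
PermitRootLogin no prohibit-password
PubkeyAuthentication yes yes
EOF
    return $rc
}

# Usage, as root on the office box:
#   ./ssh-harden.sh install   (keep the current session open until a key login works)
#   ./ssh-harden.sh audit     (checks the effective config; sshd -T needs root)
case "${1:-}" in
    install)
        hardening_dropin > "$DROPIN" && sshd -t && systemctl restart sshd ;;
    audit)
        tmp=$(mktemp); sshd -T > "$tmp" && audit_sshd_config "$tmp"; rm -f "$tmp" ;;
esac
```

The router forward (external high port to internal 22) is left to the router, as in the thread; the script only makes sure that whatever arrives on 22 meets key-only auth, a single allowed account and a short grace window. Run `audit` again after any package update of openssh, since the defaults assumed in the last column are what a missing keyword falls back to.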
Lone_Wolf wrote: I hope that router has firewall capabilities and you can configure it to only accept ssh from your home ip-address ?
I don't know about madpet, but my IP address at home is always changing.
What is the harm in NOT configuring the router to only accept SSH from the home IP address? If anyone else attempts to SSH to the work computer, it will just be denied...
Unless a new vulnerability is found in openssh. Highly unlikely but security is always better when layered.
Reverse SSH would be best, then the sensitive work machine need not open up any incoming port. If the IP address is always changing then some sort of DNS updater is in order, but that's not hard (autossh on the work machine). I use this myself.
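The reverse-tunnel arrangement just described, written out as an added example (not the poster's own setup or code, and nothing from the Arch wiki): autossh on the office box keeps an outbound connection to the home machine and publishes office port 22 on the home box's loopback interface, so the office router needs no inbound rule at all. It also covers the tigervnc-over-ssh suggestion earlier in the thread with a LocalForward through the same tunnel. All names are constructed: office login madpet, a dedicated `tunnel` account on the home iMac, the dynamic DNS name home.example.org, and port 2222 for the tunnel; the autossh package is assumed installed on the office box.

```shell
#!/bin/sh
# Added example, not code from the thread: a reverse SSH tunnel kept up by autossh on
# the office box, with the home-side key locked down so it can open only that tunnel.
# Assumptions (constructed): office login "madpet", a "tunnel" account on the home iMac,
# home host "home.example.org" (dynamic DNS name), tunnel port 2222.

# 1. Office side: a system unit that dials home and publishes office port 22 as
#    port 2222 on the home box's loopback interface. -M 0 turns off autossh's own
#    monitor port; the ServerAlive options give ssh its own dead-link detection, and
#    ExitOnForwardFailure makes ssh exit (so autossh redials) if 2222 is already taken.
office_tunnel_unit() {
    cat <<'EOF'
[Unit]
Description=Reverse SSH tunnel to home (added example)
After=network-online.target
Wants=network-online.target

[Service]
User=madpet
Environment=AUTOSSH_GATETIME=0
ExecStart=/usr/bin/autossh -M 0 -N \
    -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
    -o ExitOnForwardFailure=yes \
    -R 127.0.0.1:2222:localhost:22 tunnel@home.example.org
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target
EOF
}

# 2. Home side: the office key goes into ~tunnel/.ssh/authorized_keys with options that
#    strip everything except one remote forward. "restrict" disables pty, agent, X11 and
#    port forwarding; "port-forwarding" re-enables forwarding, and "permitlisten" narrows
#    it to the single listener on 127.0.0.1:2222.
home_authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:2222" %s\n' "$1"
}

# 3. Home side (~/.ssh/config): reach the office box, and its VNC display, through the
#    tunnel. HostKeyAlias keeps the office host key separate from anything else seen
#    on 127.0.0.1.
home_ssh_config() {
    cat <<'EOF'
Host office
    HostName 127.0.0.1
    Port 2222
    User madpet
    HostKeyAlias office-arch
    # tigervnc: run "vncserver -localhost" on the office box, then point the viewer at localhost:5901
    LocalForward 5901 127.0.0.1:5901
EOF
}

# check_remote_forward SPEC: 0 if the -R listener stays on loopback, 1 if the spec asks
# for a wider bind. The home sshd's GatewayPorts must stay at its default "no" as well:
# "yes" there forces every remote forward onto the wildcard address whatever the client
# asked for, exposing the office box to everything that can reach the home machine.
# Bracketed IPv6 bind addresses are not parsed.
check_remote_forward() {
    spec=$1
    case $(printf '%s' "$spec" | awk -F: '{ print NF - 1 }') in
        2) bind=127.0.0.1 ;;          # port:host:hostport -> loopback under GatewayPorts no
        3) bind=${spec%%:*} ;;        # bindaddr:port:host:hostport
        *) echo "unparseable -R spec: $spec"; return 2 ;;
    esac
    case $bind in
        127.0.0.1|localhost) return 0 ;;
        ''|'*'|0.0.0.0) echo "WARNING: $spec asks to listen on all interfaces"; return 1 ;;
        *) echo "WARNING: $spec binds $bind, not loopback"; return 1 ;;
    esac
}
```

Install order: create the `tunnel` account at home and add the restricted authorized_keys line, write the unit on the office box and `systemctl enable --now` it, then from home run `ssh office`. The dynamic-address problem from earlier in the thread disappears on the office side, since the office box only ever dials out; the home side still needs a DNS updater so home.example.org follows the changing home IP.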
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Use ssh with key authentication only (password authentication disabled).
Pick a high port. Some say this is useless because smart attackers scan for all open ports. However, there are lots of stupid attackers and my firewall logs show that 22, closed in our case, is hammered over 600K times a month... fully 100 times more often than the six other obscure ssh ports exposed by our router (combined). Key authentication solves the problem, but why let these dummies through the router with their pesky lock-picking tricks.
Disabling simple password authentication and only enabling keys is surely secure enough. It's just unnecessary to go the extra hassle of blocking all but specific IP addresses and you then would also preclude your own remote access when you are using your notebook out and about etc.
I agree with forwarding a high external port (rather than port 22) to port 22 on your ssh server simply to avoid the huge amount of ssh bot login attempts you otherwise see in your logs. Just a heap of noise and activity best to not bother with. For remote ssh access to my home, I usually forward port 443 on my home router to port 22 on my internal PC because many business and other firewalls block outgoing non-standard ports (they nearly always block port 22 outbound) but they allow port 443 (normally https) outbound.
Staying on the standard port provides the following:
1. It is standard.
2. Some networks block non-standard ports -- if you are on one (like in a hotel), you may not be able to reach your system.
3. The login attempts provide a constant stream of new IP addresses to add to my blacklists
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
3. The login attempts provide a constant stream of new IP addresses to add to my blacklists
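The "stream of IP addresses" in point 3 above comes out of sshd's own log lines. As an added example (not ewaller's or anyone else's code from the thread), here is a short POSIX shell script that counts authentication failures per source address in sshd log output and lists the addresses over a threshold, the kind of visibility that is useful whether or not one then feeds a blocklist. The log lines are constructed for the example, using TEST-NET addresses, the hostname `arch` and the user madpet.

```shell
#!/bin/sh
# Added example, not code from the thread: count authentication failures per source IP
# in sshd log lines (journalctl -u sshd or /var/log/auth.log style) read from stdin,
# then list sources over a threshold. The sample below is constructed with TEST-NET
# addresses; "arch" is the office hostname, "madpet" the real user.

SAMPLE_LOG='Aug  9 14:01:02 arch sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug  9 14:01:04 arch sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug  9 14:01:07 arch sshd[4103]: Invalid user oracle from 203.0.113.5 port 51240
Aug  9 14:01:09 arch sshd[4103]: Connection closed by invalid user oracle 203.0.113.5 port 51240 [preauth]
Aug  9 14:02:00 arch sshd[4110]: Failed password for root from 198.51.100.7 port 40002 ssh2
Aug  9 14:02:03 arch sshd[4111]: Connection closed by authenticating user root 198.51.100.7 port 40010 [preauth]
Aug  9 14:05:31 arch sshd[4120]: Accepted publickey for madpet from 192.0.2.44 port 60100 ssh2: ED25519 SHA256:c0nstructed'

# failed_attempts: prints "COUNT IP" per source, highest first. Three message shapes
# count as a failure; on a key-only sshd the "Failed password" one disappears and the
# other two carry the load. "Connection closed by invalid user" is deliberately not
# matched because the "Invalid user" line already counted that attempt. In every
# matched shape the address is the token right before "port".
failed_attempts() {
    awk '
        /sshd\[[0-9]+\]: (Failed password for|Invalid user|Connection closed by authenticating user)/ {
            for (i = 2; i <= NF; i++) if ($i == "port") { hits[$(i - 1)]++; break }
        }
        END { for (ip in hits) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

# offenders THRESHOLD: addresses with at least THRESHOLD failures, one per line.
offenders() {
    failed_attempts | awk -v t="$1" '$1 + 0 >= t + 0 { print $2 }'
}

# Usage: journalctl -u sshd --since today | ./ssh-failures.sh 5
# (journalctl's default output keeps the "host sshd[pid]:" prefix the pattern relies on)
if [ $# -gt 0 ]; then
    offenders "$1"
fi
```

On a box configured as the thread recommends (keys only, one allowed user) none of these attempts can succeed, so the counts are a measure of noise and a source of addresses, nothing more; the control that actually matters is still the default-deny rule at the router and key-only auth on sshd.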
So you prefer enumerating badness?
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
ewaller wrote: 3. The login attempts provide a constant stream of new IP addresses to add to my blacklists
So you prefer enumerating badness?
That... was a fun read, thanks Trilby.
That said I've been bitten by non-standard ports myself, so I always leave 443 forwarded on now. No guts to leave 22 though, the amount of traffic on that is crazy.
Allan-Volunteer on the (topic being discussed) mailing lists. You never get the people who matters attention on the forums.
jasonwryan-Installing Arch is a measure of your literacy. Maintaining Arch is a measure of your diligence. Contributing to Arch is a measure of your competence.
Griemak-Bleeding edge, not bleeding flat. Edge denotes falls will occur from time to time. Bring your own parachute.
Yes, because my machine has a fairly low volume, so I don't move too far up the curve.
And, as my logs prove, a dog always returns to its vomit.
Edit: And, as I read that, the notion of blocking a computer on a private net from reaching a "Bad" site is folly -- I agree. I don't, however, think it is wrong to maintain a list of sites that are known to have attacked you to prevent them trying in the future.
Last edited by ewaller (2018-08-09 14:27:23)
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
I don't, however, think it is wrong to maintain a list of sites that are known to have attacked you to prevent them trying in the future.
You may disagree with the logic of that article - but the thinking of yours I quoted is exactly what it is critiquing. Don't wait for a threat to be identified then block it. Block everything by default and allow just what you want. Don't use black lists; use white lists - that's the main point of it.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman