Hi folks,
Could you please shed some light on where I can find relevant documentation re. remote setup/configuration of a server via the Internet? I have been searching the Wiki without result. I have no problem setting up/configuring a server remotely on the intranet via ssh. TIA
B.R.
satimis
Last edited by satimis (2008-02-17 16:26:00)
hmm, I think you want webmin
maybe you missed this.
hmm, I think you want webmin
Thanks for your advice.
I don't mean a headless installation or remote admin via webmin; I have the latter running on the server. IIRC I came across a technical article before on remote admin/setup, including installing new packages, because remote admin may be open to attack. Unfortunately I can't find the technical article anymore. I had the link written down in a document, but I can't find that document in my database either.
B.R.
satimis
maybe you missed this.
Thanks for your link.
With co-location, remote admin becomes necessary rather than taking the server back for maintenance. I have been googling around and found many documents for MS Windows but only a few for Linux/Unix. I found the following:
http://www.cyberciti.biz/tips/rhel-cent … sshfs.html
For remote admin, security is of paramount importance, because it may easily be open to attack.
satimis
Why not stick with ssh as you know it, or go all crazy with a VPN connection and then ssh into the system? It's nice when you add just your remote IP to an iptables allow rule and drop all others.
Why not stick with ssh as you know it, or go all crazy with a VPN connection and then ssh into the system? It's nice when you add just your remote IP to an iptables allow rule and drop all others.
Do you suggest running a VPN:
OpenVPN
http://openvpn.net/
to build a tunnel, then ssh-connecting to the server remotely?
In /etc/hosts.allow:
# Allow these addresses to connect via ssh
sshd: Public_IP of remote PC
TIA
B.R.
satimis
ssh on its own is secure enough IMO, once it's configured properly.
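The point in the post above, that ssh on its own is secure enough once it is configured properly, is easiest to act on with a concrete checklist. What follows is an added example and not code from the thread: a POSIX shell script holding a typical out-of-the-box sshd_config beside a hardened one, with a small audit function that reports which settings still need changing before sshd is exposed to the Internet. Both configuration texts are constructed for the example, the account name "adminuser" is a placeholder, and the audit looks only at top-level keywords (Match blocks are not modelled).

```shell
#!/bin/sh
# Added example, not from the thread: a weak sshd_config beside a hardened
# one, plus a small audit that flags the settings to change before exposing
# sshd to the Internet.  Both configs are constructed for this example; the
# account name "adminuser" is a placeholder.

# Typical out-of-the-box settings: fine on an intranet, not on a server
# reachable from the Internet.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
'

# Hardened: key-only logins, no root, one permitted account, fewer tries.
HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AllowUsers adminuser
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
'

# Print the value of keyword $1 from the config on stdin.  sshd uses the
# first occurrence of a keyword and matches keywords case-insensitively;
# commented lines ("#Foo bar") never match because their first field is
# "#Foo".  Match blocks are not modelled.
sshd_option() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }'
}

# Audit the config on stdin: print one line per weak or missing setting
# and return the number of findings (0 means nothing to fix).
audit_sshd_config() {
    cfg=$(cat)
    findings=0
    for want in PermitRootLogin=no PasswordAuthentication=no \
                PermitEmptyPasswords=no PubkeyAuthentication=yes \
                X11Forwarding=no; do
        key=${want%%=*}
        expected=${want#*=}
        val=$(printf '%s\n' "$cfg" | sshd_option "$key")
        if [ -z "$val" ]; then
            printf '%s: not set, compiled-in default applies; set it to %s\n' "$key" "$expected"
            findings=$((findings + 1))
        elif [ "$val" != "$expected" ]; then
            printf '%s: is %s, want %s\n' "$key" "$val" "$expected"
            findings=$((findings + 1))
        fi
    done
    # Without AllowUsers every local account is a valid login target.
    if [ -z "$(printf '%s\n' "$cfg" | sshd_option AllowUsers)" ]; then
        printf 'AllowUsers: not set; list the admin account(s) only\n'
        findings=$((findings + 1))
    fi
    return "$findings"
}

printf '== weak config ==\n'
printf '%s' "$WEAK_SSHD_CONFIG" | audit_sshd_config || printf '%s finding(s)\n' "$?"
printf '== hardened config ==\n'
printf '%s' "$HARDENED_SSHD_CONFIG" | audit_sshd_config && printf 'no findings\n'
```

Run it with sh; to check a real server, pipe /etc/ssh/sshd_config into audit_sshd_config instead of the constructed text. The checks mirror what a remotely administered server needs: no root logins, keys instead of passwords, and AllowUsers so that only the admin account is even a valid target for password guessing.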
ssh on its own is secure enough IMO, once it's configured properly.
Noted with thanks.
Just played around with:
$ ssh arch.satimis.com
(the server name, including its public_ip). It always popped up the following warning:
ssh: connect to address arch.satimis.com/public_ip port 22: Connection refused
Then I fiddled around with iptables but without result. Finally it turned out that forwarding port 22 to the LAN IP of the server on the router is needed. I also googled around on the Internet; all documents discovered pointed to iptables and/or an improperly set up ssh. It is a little bit funny to me.
Edit:
How to make
$ hostname
and
$ hostname -f
print out the same "arch.satimis.com"?
Now
$ hostname -> arch
$ hostname -f -> arch.satimis.com
TIA
satimis
Last edited by satimis (2008-02-18 08:44:45)
So many ways to do the same thing; it makes it a challenge at times.
For your name, check /etc/rc.conf and /etc/hosts.
For iptables it would depend on the method and on knowing your IP; hopefully it's static.
iptables -A INPUT -s 192.168.255.48 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
iptables -A OUTPUT -d 192.168.255.48 -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -j DROP
So many ways to do the same thing; it makes it a challenge at times.
For your name, check /etc/rc.conf and /etc/hosts.
In /etc/rc.conf I changed
HOSTNAME="arch"
to
HOSTNAME="arch.satimis.com"
similar to that in /etc/hosts, and rebooted the PC.
Now
$ hostname
$ hostname -f
arch.satimis.com
Thanks. Is there any way to avoid a reboot?
For iptables it would depend on the method and on knowing your IP; hopefully it's static.
iptables -A INPUT -s 192.168.255.48 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
iptables -A OUTPUT -d 192.168.255.48 -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -j DROP
$ cat /etc/iptables/iptables.rules
# Generated by iptables-save v1.3.8 on Sun Feb 17 07:00:44 2008
*filter
:INPUT DROP [3:96]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -m icmp --icmp-type 18 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 9 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 5 -j DROP
-A INPUT -s 127.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j interfaces
-A INPUT -j open
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -f -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A interfaces -i lo -j ACCEPT
-A interfaces -i eth0 -j ACCEPT
-A open -p tcp -m tcp --dport 22 -j ACCEPT
-A open -i ppp0 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
I'm running a static IP here. I'll add your 4 lines at the bottom of the file, changing "192.168.255.48" to "192.168.0.52", the IP addr of Arch.
Would there be any conflict with the existing rules? It seems there is no OUTPUT rule there.
re:
INPUT DROP [3:96]
what does 3:96 represent? Drop time? TIA
B.R.
satimis
Instead of a reboot on network changes:
/etc/rc.d/network restart
Conflict, yes: you allow all to reach ssh, if I'm reading your rules correctly.
Also, the IP would be the one of your client, not of the system the daemon is running on.
Instead of a reboot on network changes:
/etc/rc.d/network restart
Can it refresh the hostname as well, NOT only the network?
Conflict, yes: you allow all to reach ssh, if I'm reading your rules correctly.
1)
If the workstation used for admin over the WAN is running on a public_ip, say 123.456.123.456, and is behind a router with the IP addr 192.168.0.101, how do I set a rule in the server's iptables allowing only this workstation to connect? TIA
2)
With this rule
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP
ssh doesn't work on the LAN. But it works on the WAN with port 22 forwarded. How do I adjust it to allow ssh to work on both LAN and WAN? TIA
Also, the IP would be the one of your client, not of the system the daemon is running on.
Noted
B.R.
satimis
You would simply add both IPs to allow, followed by the DROP.
This is a bit much for a forum post; if you like, join me for a chat at http://b.zaxter.net/chat/ hopefully I'll be around when you join.
You would simply add both IPs to allow, followed by the DROP.
With the following rules added at the bottom of the server's iptables?
iptables -A INPUT -s server_ip -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -s workstation_ip -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
iptables -A OUTPUT -d server_ip -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -d workstation_ip -p tcp -m tcp --sport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -j DROP
This is a bit much for a forum post; if you like, join me for a chat at http://b.zaxter.net/chat/ hopefully I'll be around when you join.
I tried to log in as guest with the password "************" on the box, but only a white page popped up. Besides, I don't have audio installed on the server.
satimis
Think of the rules as any code: they have a processing order to follow. With a DROP before an ACCEPT, you simply have a DROP.
The URL I gave does not require sound, yet it does require Flash in your browser; you just click connect. Join from any workstation with any XMPP client; info: http://zaxter.net/xmpp.html
Last edited by remote (2008-02-20 20:34:25)
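The four allow/drop rules posted earlier in the thread, the advice to list both admin IPs before the DROP, and the closing remark that a DROP placed before an ACCEPT is simply a DROP can all be checked without touching a live firewall. Below is an added example, not code from the thread: a POSIX shell script that emits the ssh allowlist rules in iptables-save syntax, dry-runs them with a small first-match simulator (the kernel walks a chain top to bottom and acts on the first rule that matches), and wraps the real load in a timed rollback so a mistake cannot lock the admin out of the very ssh session used to load the rules. The two admin addresses, the "stranger" address and the rollback delay are placeholders chosen for the example. Incidentally, the bracketed numbers in an iptables-save chain header such as ":INPUT DROP [3:96]" are the chain's packet and byte counters, not a time.

```shell
#!/bin/sh
# Added example, not from the thread: build an ssh allowlist for the INPUT
# chain, dry-run it with a first-match simulator, and load it with a
# rollback timer.  Addresses are placeholders (RFC 5737 test networks for
# the public ones), not the poster's real ones.
ADMIN_WAN_IP=203.0.113.10     # public address of the admin workstation
ADMIN_LAN_IP=192.168.0.101    # its address when on the server's LAN
STRANGER_IP=198.51.100.7      # anyone else

# Rules in iptables-save syntax: one ACCEPT per admin address, then a
# catch-all DROP for port 22.  The kernel stops at the first matching
# rule, so the ACCEPTs must precede the DROP.
ssh_allowlist_rules() {
    for ip in "$@"; do
        printf -- '-A INPUT -s %s -p tcp -m tcp --dport 22 -j ACCEPT\n' "$ip"
    done
    printf -- '-A INPUT -p tcp -m tcp --dport 22 -j DROP\n'
}

# The same rules with the DROP first: "a DROP before an ACCEPT is a DROP".
ssh_wrong_order_rules() {
    printf -- '-A INPUT -p tcp -m tcp --dport 22 -j DROP\n'
    for ip in "$@"; do
        printf -- '-A INPUT -s %s -p tcp -m tcp --dport 22 -j ACCEPT\n' "$ip"
    done
}

# Dry run: the verdict the INPUT rules on stdin give one TCP packet to
# port 22 from source $1.  Prints the target of the first matching rule,
# or POLICY when no rule matches and the chain policy decides.  Only
# "--dport 22" and exact "-s <ip>" matches are modelled; this is a check
# on rule ordering, not a packet filter.
first_match_verdict() {
    src=$1
    verdict=POLICY
    while IFS= read -r rule; do
        case "$rule" in
            *" --dport 22 "*) ;;          # rule is about port 22
            *) continue ;;                # anything else cannot match
        esac
        case "$rule" in
            *" -s "*)                      # source-restricted rule
                case "$rule" in
                    *" -s $src "*) ;;      # ...for our source
                    *) continue ;;         # ...for someone else
                esac ;;
        esac
        verdict=${rule##* -j }
        break
    done
    printf '%s\n' "$verdict"
}

# Load a full ruleset file as root, reverting automatically after $2
# seconds (default 120) unless the admin confirms ssh still works by
# killing the timer.  Guards against locking yourself out remotely.
load_with_rollback() {
    rules_file=$1
    delay=${2:-120}
    before=$(mktemp) || return 1
    iptables-save > "$before" || return 1
    ( sleep "$delay" && iptables-restore < "$before" ) &
    timer=$!
    iptables-restore < "$rules_file" || return 1
    printf 'Loaded %s. If ssh still works, run: kill %s\n' "$rules_file" "$timer"
}

# Demonstration (no root needed): verdicts under both orderings.
for ip in "$ADMIN_WAN_IP" "$ADMIN_LAN_IP" "$STRANGER_IP"; do
    good=$(ssh_allowlist_rules "$ADMIN_WAN_IP" "$ADMIN_LAN_IP" | first_match_verdict "$ip")
    bad=$(ssh_wrong_order_rules "$ADMIN_WAN_IP" "$ADMIN_LAN_IP" | first_match_verdict "$ip")
    printf '%-15s allowlist: %-6s drop-first: %s\n' "$ip" "$good" "$bad"
done
```

The dry run prints ACCEPT for both admin addresses and DROP for the stranger under the correct ordering, and DROP for everyone when the DROP comes first. To apply for real, write the rules into a complete iptables-save file (the "open" chain in the poster's ruleset is the natural place, replacing its unrestricted port-22 ACCEPT) and call load_with_rollback on it from the remote session; if the session survives, kill the timer, otherwise the old rules come back by themselves.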