
#1 2006-07-19 16:29:05

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

I want to configure remote access to my box

Work has finally got too boring and I am stuck for things to do.  Also the luxury of being able to connect to my box at home and run builds throughout the day would be a distinct bonus!

I've got a no-ip account and installed the daemon to make sure it is up to date and I've configured my router to give my box a static IP.  I can happily forward the port from my router to said box..but how do I do it all securely?

I know a few basics like don't run the shell socket on the normal port, use good passwords but I could use a bit more knowledge about the whole thing.  Any explicit tips or reading material suggestions?


#2 2006-07-19 17:18:36

soloport
Member
Registered: 2005-03-01
Posts: 442

Re: I want to configure remote access to my box

Punch a port-22 hole through the router and a couple of other higher-end random numbers and read this short article.  smile

I need to tunnel into home, office and other servers and be able to do so from any client's office.  This technique keeps the log files clean.  Without it, just watch the SSH attacks arrive within 30 min. of opening up port 22. roll

Incidentally, I failed to set this up on a client's box once -- never again.  A spammer loaded a perl script onto this box and was sending out MB of spam per minute.  How did the spammer breach a Linux (fully up-to-date Arch) box?  The client had created an account called 'admin' with the password 'admin'.  Duh!

There seems to be no way to lock down ignorance.

EDIT0: In /etc/ssh/sshd_config set "PermitRootLogin=no".  Then set up your normal user name in /etc/sudoers -- just copy the entry for "root" and change the word "root" to your username.  Test the sudo change before you change sshd_config!

EDIT1: If you have a single static IP (WAN) for your home, you can tunnel to multiple boxes by setting each box to listen to "Port XXX" (XXX being a unique port) in /etc/ssh/sshd_config -- i.e. sshd doesn't have to listen to port 22, exclusively.  Then be sure to route a corresponding port through your router to the right internal IP.

Then when you're out and about, use 'ssh -p XXX username@[static-IP-address]' to get to the box that listens to XXX (and YYY for the box that listens to YYY).
.


#3 2006-07-19 17:49:05

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: I want to configure remote access to my box

Looks great!  A really neat idea.  Two things:
1) Why isn't that on our wiki you lazy monkey!
2) I'll be connecting from windows so the shell script is no good..but I guess nmap is available so I'll just have to do it manually

I currently don't run an iptables firewall as I run no services (not even X) and am behind my router, which should be good enough.  However, it seems that running iptables would now be a good idea to block other ports than those forwarded by the router, n'est-ce pas?

Lastly...will the IT bods at my place of work be seeing loads of "dodgy" port traffic from my PC and will it appear vastly out of the ordinary on a "normal" office network?


#4 2006-07-19 19:06:17

soloport
Member
Registered: 2005-03-01
Posts: 442

Re: I want to configure remote access to my box

Well, you twisted my arm.

If you use putty.exe, I think it has provisions for prepending commands.  Of course, Cygwin is another option (i.e. has nmap).  However, using telnet works just as easily:
> telnet hostname 1234
(some message about timeout)
> telnet hostname 5678
(some message about timeout)

Done.

Your router (virtually all routers) acts as a decent firewall (contrary to what the "firewall" sellers would have you believe).  A router is built to "route" traffic, after all.  It will do as it is told, so to speak.  So you should be fine, so long as you open up just the ports you'll need -- and your LAN is NATed.  If you haven't done so already, you'll see that "opening up a port" includes a destination IP address.  Since this is the case, not all the hosts on your LAN can receive traffic (unsolicited, that is) from port 22 -- only one host.  Otherwise, how would the router know where you want traffic for port 22 to go next? :shock:

The only reasons I run an iptables firewall: 1) I do silly tricks like the one in the article; 2) If someone breaks into one server from the outside, they'll not simply hop over to the next and the next with reckless abandon, inside my LAN.

IT probably won't notice -- or care.  They probably do the same thing.  (Most IT help is paid so poorly that they often have second or third side "jobs" going on all the time.  They work these projects from the comfort of their "day job".)  They're probably more interested in your browsing habits.  :twisted:

Chances are, though, that they may have blocked ssh traffic (Cisco has some nice products for doing this).  Someone would advise you to use a different port, but that's not what I mean.  They're likely to block *traffic*, not simply a port.  As in, their PIX or whatever they're using sniffs each and every packet to determine what protocol is being used -- regardless of port.

However, if this is the case, I wouldn't hesitate to ask them to open up the protocol and port for you.  What do they care?  They're underpaid and under-appreciated "drones". tongue
.


#5 2006-07-19 20:47:07

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: I want to configure remote access to my box

However, if they do care and say no, or if you don't feel like letting them know your plans by asking, you could use httptunnel, which will look like ordinary web traffic to them. This works fine on cygwin, and of course there's a package in extra for your home machine.


#6 2006-07-20 00:59:00

PeteMo
Member
From: H'Burg, VA
Registered: 2006-01-26
Posts: 191

Re: I want to configure remote access to my box

I'd suggest setting up key based authentication - for one how-to, see http://sial.org/howto/openssh/publickey-auth/ although there are tons, just google. 

You can also set up denyhosts http://denyhosts.sourceforge.net/ a server side daemon that scans /var/log/auth.log every X seconds and adds ip's to /etc/hosts.deny based on rules set up by you.

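A minimal version of what the denyhosts daemon above does, added here as an example (it is not denyhosts' own code and not from any post in this thread): a POSIX shell script that counts failed password logins per source address over a few constructed auth.log lines and prints the matching hosts.deny entries. The log lines, the host name, the PIDs and the TEST-NET addresses 203.0.113.5, 198.51.100.7 and 198.51.100.9 are made up for the example, and the three-failure threshold is an assumption.

```shell
#!/bin/sh
# Added example, not denyhosts' code and not from the thread: the same idea in
# a few lines of POSIX shell. Counts "Failed password" entries per source IP in
# an auth.log and emits TCP-wrappers hosts.deny lines for the noisy ones.

# Print "count ip" for every source address with failed password logins,
# most frequent first.
failed_by_ip() {
    grep 'sshd\[[0-9]*\]: Failed password for' "$1" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Print a hosts.deny line ("sshd: ip") for each address with at least $2
# failures. A denyhosts-style daemon would append these to /etc/hosts.deny.
hosts_deny_entries() {
    failed_by_ip "$1" | awk -v limit="$2" '$1 >= limit { print "sshd: " $2 }'
}

# Constructed sample log: host name, PIDs and TEST-NET addresses are made up.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
Jul 20 00:59:01 home sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jul 20 00:59:03 home sshd[1236]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jul 20 00:59:06 home sshd[1238]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jul 20 01:00:10 home sshd[1240]: Accepted publickey for some_user from 198.51.100.7 port 40000 ssh2
Jul 20 01:02:00 home sshd[1250]: Failed password for invalid user oracle from 198.51.100.9 port 1024 ssh2
EOF

THRESHOLD=3   # assumption: deny after three failed password attempts
echo "failures per IP:"
failed_by_ip "$LOG"
echo "hosts.deny additions:"
hosts_deny_entries "$LOG" "$THRESHOLD"
```

Only "Failed password" lines are counted, so a box that accepts keys only (as a later post in this thread describes) shows up with the same noise in the log but nothing that actually needs blocking; the successful publickey login in the sample is deliberately ignored.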

#7 2006-07-20 08:37:03

curana
Member
From: Switzerland
Registered: 2006-04-14
Posts: 97

Re: I want to configure remote access to my box

I haven't read the article about the SSH attacks, but for my BSD-server (also a dyn-dns-domain) I just changed the ssh port. That's all. I never had any login attacks.

Ok, I use the "normal" router firewall just to block traffic from outside. Works quite smooth for me. It's not the most secure way to protect your server but for my needs it's absolutely OK.

Good luck.


#8 2006-07-27 18:03:11

adderd
Member
Registered: 2006-06-25
Posts: 21

Re: I want to configure remote access to my box

I haven't gone to the trouble of trying to set up port knocking or a huge hosts.deny file. Instead I just use, and only allow, key based auth. Let's see an attacker figure out my private key. The many login attempts on port 22 don't bother me anymore because they ALL are trying with passwords and passwords aren't allowed on my machine.


#9 2006-07-27 18:06:11

curana
Member
From: Switzerland
Registered: 2006-04-14
Posts: 97

Re: I want to configure remote access to my box

@adderd: That's why I can't...tzzz, I will keep trying!!

jk wink!


#10 2006-07-27 18:45:32

paranoos
Member
From: thornhill.on.ca
Registered: 2004-07-22
Posts: 442

Re: I want to configure remote access to my box

dtw wrote:

I want to configure remote access to my box

I think you want teledildonics.


#11 2006-07-29 12:58:46

tmadhavan
Member
From: Wales :D
Registered: 2004-03-26
Posts: 441

Re: I want to configure remote access to my box

Heeheheeeeeeeee. How d'you set up port knocking with those things?


#12 2006-07-29 15:44:36

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: I want to configure remote access to my box

If you want something more advanced in the port-knocking business, you should check out SADoor. It sounds like a black hat tool (think trojans etc), but it really isn't. It's just a very good way to give yourself very secure remote access to your box(es). Maybe it's not the tool for accessing a box inside a LAN (since you, in that case, probably would want/need to forward a whole bunch of ports), but for a box directly connected to the net or on a DMZ I think it is really good.

My own setup at home: I have an ordinary switch which NATs a high port on the WAN side to the standard SSH port 22 on the box I want to access on the LAN. That way the SSH port on the LAN is the default one, so I don't have to do "-p <high_port>" all the time. Of course that is easily fixed by adding the proper Host entry in ssh_config, but, oh well :? On the box running the SSH server, I only allow key authentication for a specified user; the interesting settings in sshd_config are these:

AllowUsers some_user
PermitRootLogin no
PasswordAuthentication no

In addition to this, my iptables firewall only allows access to port 22 from certain IPs. Of course, this is suboptimal if I want to have (unplanned) access to the box from other IPs, since I have to reconfigure the firewall in those cases. I have set up some port knocking stuff using the recent module in iptables, but for some reason I couldn't get that to work from, heh, work. Probably I have some very picky firewalls/routers on the route to home, that don't allow the odd packets (for instance SYN+FIN tongue) I use for knocking...

Anyway, not using the default port, and only allowing key authentication for a certain user ought to be pretty OK.

As for tunnelling, I think I would suggest ProxyTunnel instead of HTTPTunnel, since this can use the HTTPS protocol as well, which makes it a lot harder to see the "rogue" traffic (it is difficult to distinguish encrypted traffic from other encrypted traffic smile). I just now found a page commenting on different tools for tunnelling through firewalls. Oh, BTW, if a company terminates SSL connections on their own proxies and then lets them set up the connection outside the company's network, it will be just as transparent, and open for content filtering, as the ordinary HTTPTunnel, though.


#13 2006-08-14 13:45:39

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: I want to configure remote access to my box

PeteMo wrote:

I'd suggest setting up key based authentication - for one how-to, see http://sial.org/howto/openssh/publickey-auth/ although there are tons, just google. 

You can also set up denyhosts http://denyhosts.sourceforge.net/ a server side daemon that scans /var/log/auth.log every X seconds and adds ip's to /etc/hosts.deny based on rules set up by you.

OK - from what I read setting up key-based authentication requires me to create keys on my workstation at work, where I have no admin privs, so that seems out.

Secondly, as for port knocking...there is knockd, which Judd created, that simplifies the process.  Now, this is all well and good except that surely I need to forward a range of ports on my router to my box for the knocks to get through?  And then I'll need to configure my knocks within that range.  Surely that greatly reduces the level of entropy associated with port knocking?

Also...does anyone know a good password generator - must be able to do a 10 digit mixed alphanumeric with non-alphanumeric and capitals combinations


#14 2006-08-14 15:02:29

Bebo
Member
From: Göteborg, Sweden
Registered: 2006-06-07
Posts: 207

Re: I want to configure remote access to my box

dtw wrote:

OK - from what I read setting up key-based authentication requires me to create keys on my workstation at work, where I have no admin privs, so that seems out.

No, you don't have to be admin, you set it up on your account - provided that they haven't disabled key authentication in the server conf, of course. As an example:

$ ssh-keygen -t dsa
$ cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"

dtw wrote:

Secondly, as for port knocking...there is knockd, which Judd created, that simplifies the process.  Now, this is all well and good except that surely I need to forward a range of ports on my router to my box for the knocks to get through?  And then I'll need to configure my knocks within that range.  Surely that greatly reduces the level of entropy associated with port knocking?

Indeed. But it need not be a problem, if the router responds in the same way as a forwarded port. Who more than you knows what ports you have forwarded if they "sound" the same?

dtw wrote:

Also...does anyone know a good password generator - must be able to do a 10 digit mixed alphanumeric with non-alphanumeric and capitals combinations

Well, IMO pwgen is nice; it is available in Extra.


#15 2006-08-14 15:40:32

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: I want to configure remote access to my box

Bebo wrote:
dtw wrote:

OK - from what I read setting up key-based authentication requires me to create keys on my workstation at work, where I have no admin privs, so that seems out.

No, you don't have to be admin, you set it up on your account - provided that they haven't disabled key authentication in the server conf, of course.

I forgot to say that it is a Windows XP workstation.

Bebo wrote:

Indeed. But it need not be a problem, if the router responds in the same way as a forwarded port. Who more than you knows what ports you have forwarded if they "sound" the same?

Good point.  I'll have to test that!


#16 2006-08-14 15:46:53

allucid
Member
Registered: 2006-01-06
Posts: 259

Re: I want to configure remote access to my box

I would just use a non-standard port (not 22), disallow root login, use a strong password, and use keys.

You do not need iptables if you are behind a NAT router and only have this port open. This doesn't need to be incredibly complex.


#17 2006-08-14 15:51:26

PeteMo
Member
From: H'Burg, VA
Registered: 2006-01-26
Posts: 191

Re: I want to configure remote access to my box

You can generate the key pair on your server at home and carry the private key to work on a usb drive.  You can use putty on your XP machine if you first load the private key using PuttyGen.  See http://the.earth.li/~sgtatham/putty/0.5 … tml#pubkey

It is also apparently possible to generate the key pair using PuttyGen, although I've never done that.


#18 2006-08-14 16:33:07

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: I want to configure remote access to my box

allucid wrote:

use a strong password, and use keys.

Why both?

PeteMo wrote:

You can generate the key pair on your server at home and carry the private key to work on a usb drive. You can use putty on your XP machine if you first load the private key using PuttyGen.

Sweet, thanks for the info big_smile


#19 2006-08-14 19:20:31

allucid
Member
Registered: 2006-01-06
Posts: 259

Re: I want to configure remote access to my box

dtw wrote:
allucid wrote:

use a strong password, and use keys.

Why both?

You can use either/or. I always keep passwords in case I'm on a box that doesn't have my key. I use keys for easy login with ssh-agent.

