Ok right now it is
Remote PCs - {internet} - IPCop(firewall) - Server
My server is running several services; the only ones accessible outside
are http and ssh. ssh is how I connect into my network remotely, and
I use things like VNC, Squid, etc. through that.
I don't want to remove the firewall. I just want another layer of
security without adding another machine that only does ssh.
Somehow make it so my server's ssh is not open to the outside, because
this is a server that has data I don't want to lose. In fact I would
rather protect that than my PC.
Having a web/ssl VPN tunnel would be one way (you would be in the
network, but not on my server yet), or chroot/virtual machine is
another.
On 7/24/06, Stephen Boddy
On Monday 24 July 2006 19:48, Cody Nelson wrote:
I ssh through a port I have forwarded from my firewall to my internal server. That server is my server with over a terabyte of space on it.
Is there a better way to do this without having a 3rd computer that needs to be on all the time? Thinking of some sort of chroot or vmware for ssh to run in on my server, or even my IPCop firewall.
Or using some kind of Web/SSL VPN. Anyone know of any good open source Web/SSL VPN?
I usually only use ssh, web, and VNC remotely.
Hi Cody,
You're a little unclear, but what I think you're asking is, given the current setup:
Server | IPCop Firewall | {Internet} | Roaming machine
Can you get rid of the IPCop machine?
If I've understood you correctly, then yes you can. You can place multiple NICs in the server, allocate the security appropriately for each NIC using YaST, and make the server the gateway machine. However this does reduce your security to a degree, as you lose "defense in depth". You'd want to ensure only SSH or VPN with pre-shared keys is running on the "External Interface". Remove password only access, as you'd be susceptible to script-kiddies trawling for common and/or slack passwords.
Theoretically you could put a firewall in a vmware machine, but I don't think vmware takes over the NIC at the hardware level, so you still need to protect the server's "External Interface" as it will be active in bridged mode.
As to chroot, I don't know it all, so can't help in truth, but I suspect it would again boil down to the ability to isolate the NIC to the server in the chrooted environment.
-- Steve Boddy
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
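Added example (not part of the original thread or written by its participants): a check for the "remove password only access" advice above, run over the text of an sshd_config. It assumes current OpenSSH defaults, reads only the global section (Match blocks are not evaluated), and uses constructed sample configs.

```python
import re

# Assumed OpenSSH defaults when a keyword is absent from sshd_config.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
}
# Older keyword name that controls the same setting.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def effective_settings(config_text):
    """Global settings as sshd reads them: the FIRST value per keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":  # global section ends at the first Match block
            break
        seen.setdefault(ALIASES.get(key, key), value)
    return {k: seen.get(k, default) for k, default in DEFAULTS.items()}

def password_login_findings(config_text):
    """List the ways a password alone could still be used to log in."""
    s = effective_settings(config_text)
    findings = []
    if s["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is enabled")
    if s["kbdinteractiveauthentication"] != "no":
        findings.append("keyboard-interactive (PAM password prompt) is enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled; keys cannot be used")
    return findings

# Constructed samples. In WEAK the later "yes" is ignored (first value wins),
# but keyboard-interactive still allows a password prompt through PAM.
WEAK = "PasswordAuthentication no\nChallengeResponseAuthentication yes\nPasswordAuthentication yes\n"
HARDENED = "PasswordAuthentication no\nKbdInteractiveAuthentication no\nPubkeyAuthentication yes\n"

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, password_login_findings(text) or "key-only login")
```

On a live system, `sshd -T` prints the settings the daemon actually resolved and is the authoritative check.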