On Wednesday 18 May 2005 13:33, Stan Glasoe wrote:

> On Wednesday 18 May 2005 12:50 pm, Mark A. Taff wrote:
>
>> See network map pdf at http://www.marktaff.com/network.map.pdf
>
> Too complex to do what you want. What's the model number of the D-Link Wireless Router? Does it not have 4 or more 10/100 Ethernet switch ports? If it does then drop the 10bT hub, connect liberty1-external to the D-Link. How are all the other workstations and printer connecting to the D-Link? All wireless? Is liberty1-internal a wireless NIC? Which NICs are wired if any?
>
>> Thanks for the help. I understand that if I can access liberty1 from the internet, then I can access every other host on my internal network. Here is what I want to be able to accomplish:
>>
>> Liberty1 will be running sshd, apache, mysql, postgresql, subversion, possibly a mail server, and maybe from time to time remote X (just 'cause it impresses windows users ;-). It will also serve as a file server (using fish/ssh in KDE). Liberty1 is to be a development server.
>>
>> Here's the issue: I will be hanging lots of stuff on this box, with many layers of abstraction. At the base, I need to be able to connect with the same connection string, regardless of whether I am at work, at home, or traveling. I also need full access to the internal network from liberty1, hence the reason I put liberty1-int in the machine.
>>
>> This is because liberty1 serves as my backup machine, i.e. if something goes wrong with my laptop, I like having liberty1 be fully functional to help me fix my laptop.
>
> Then you need to secure it better. If this is the bread winner, why are you connecting it in the DMZ or rather directly to the Internet? Comcast isn't doing any security filtering for you so this machine is wide open to the internet. Don't see any mention of a firewall, Intrusion Detection System, etc running on Liberty1... IF you secure this box better then it could be left in the DMZ but it's your main machine! Why expose it to the big, bad Internet if you really don't have to?
>
>> Currently, I have liberty1-int and liberty1-ext defined in /etc/hosts with the internal and external ip addresses, respectively. So at home I need ssh root@liberty1-int, and at work ssh root@liberty1-ext.
>
> I hope this is just an example and not what you really do because I'm going to shout here. NEVER allow external root access, especially on your golden-egg-laying goose of a server. Shut that down now. ONLY ssh/VPN in as a normal user and then use sux or su to do root work only as needed and then get out of it.
>
>> Just forwarding all ports on the router to point to liberty1 can be done, but then I lose the ability to host any services on any of the other machines on my network. Further, the router has unreasonable limitations built in, such as max of 10 (I think) firewall rules (not counting the default deny).
>
> Maybe you should consider a Linksys WRT54G (or whatever those model numbers are) that has the ability to use different flash ROM updates with real firewall/router capabilities, Linux based even. That would be much more flexible for what you really want to do here and give you more control and security. I even advocate using one of Liberty2-5 as an internal firewall/router with external/internal NICs and put that between the D-Link and Liberty1-5. 2 firewalls are better than none or one. That D-Link is more an obscurity device than a real security device. If you know that then you can use it accordingly. I'd still advocate another firewall/router device after it and before Liberty1-5 though.
>
>> I really don't care if I have to access liberty1 via liberty1-int when I'm at home and via liberty1-ext when elsewhere, PROVIDED I can always use the same connection parameters, and don't have to tell the computer I'm at home.
>
> Not sure what the concern here is in using the 'same connection parameters'. You should want to use a more secure method from outside your LAN than inside. ssh/VPN can be set up to be similar for both ways as in your example above. "ssh -X -p any-high-number-other-than-22 user@24.22.190.86" gives you X capabilities, connects to a high number port at the D-Link which then sends this to whichever system you can setup in the D-Link at whichever port. Having port 22 open on the D-Link will have tons of bots trying all kinds of common user names like root, guest, etc. Once they get a response then they can try dictionary attacks on the password since they know a valid user name. 3 password attempts per user name, wait x amount of time, try 3 more. Don't connect Liberty1 direct to the Internet... Are you thinking about default ssh parameters to cut down the number of failed attempts, amount of time to wait for a password, etc?
>
>> Perhaps my logic is flawed. Certainly wouldn't be the first time. ;-)
>
> Your diagram shows a huge security hole coming through Liberty1, IMNSHO obviously... Otherwise it looks good!
>
>> Thanks again for all your help. Mark A. Taff
>
> Stan
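The probing pattern Stan describes (bots trying common names, then hammering a name once sshd stops answering "invalid user") shows up plainly in sshd's own log. The script below is an added example, not code from the thread or from either author: it reads OpenSSH "Failed password" lines, tallies per source address how many failures there were, which names were tried, and how many of those failures were against names that sshd confirmed exist. The log lines, host name, addresses and user names are constructed for the example; the thresholds are assumptions.

```python
"""Pick out the ssh brute-force pattern Stan describes from sshd log lines.

Added example, not from the original thread.  The log lines below are
constructed to resemble OpenSSH "Failed password" entries in
/var/log/auth.log; host name, addresses and user names are made up.
"""
import re
from collections import defaultdict

# Constructed sample of auth.log.  One outside host probes common names
# (guest, admin), then hammers "root" once sshd treats it as a real
# account; one inside host is just the owner mistyping once.
SAMPLE_AUTH_LOG = """\
May 18 14:01:02 liberty1 sshd[2211]: Invalid user guest from 203.0.113.7
May 18 14:01:02 liberty1 sshd[2211]: Failed password for invalid user guest from 203.0.113.7 port 40122 ssh2
May 18 14:01:05 liberty1 sshd[2213]: Invalid user admin from 203.0.113.7
May 18 14:01:05 liberty1 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
May 18 14:01:09 liberty1 sshd[2215]: Failed password for root from 203.0.113.7 port 40141 ssh2
May 18 14:01:12 liberty1 sshd[2215]: Failed password for root from 203.0.113.7 port 40141 ssh2
May 18 14:01:15 liberty1 sshd[2215]: Failed password for root from 203.0.113.7 port 40141 ssh2
May 18 14:02:40 liberty1 sshd[2230]: Failed password for mark from 192.168.1.50 port 51002 ssh2
May 18 14:02:44 liberty1 sshd[2230]: Accepted publickey for mark from 192.168.1.50 port 51002 ssh2
"""

# "invalid user" appears when the name does not exist on the box.  Its
# absence tells the attacker the name is real, which is the response Stan
# says they wait for before switching to a dictionary attack.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Yield (source_ip, user, name_was_invalid) for each failed password."""
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield m.group("ip"), m.group("user"), m.group("invalid") is not None


def summarize(log_text):
    """Per source IP: total failures, the user names tried, and how many
    failures were against names sshd confirmed exist."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(),
                                 "valid_user_failures": 0})
    for ip, user, invalid in parse_failures(log_text):
        entry = stats[ip]
        entry["failures"] += 1
        entry["users"].add(user)
        if not invalid:
            entry["valid_user_failures"] += 1
    return dict(stats)


def suspicious_sources(log_text, max_failures=3, max_users=2):
    """Addresses worth blocking: more failures than someone mistyping a
    password, or more distinct user names than one person would own.
    The thresholds are assumptions; tune them to your own traffic."""
    return sorted(
        ip for ip, entry in summarize(log_text).items()
        if entry["failures"] > max_failures or len(entry["users"]) > max_users
    )


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_AUTH_LOG).items():
        print(ip, entry["failures"], sorted(entry["users"]),
              entry["valid_user_failures"])
    print("block:", suspicious_sources(SAMPLE_AUTH_LOG))
```

Feed `suspicious_sources` into whatever firewall you put in front of liberty1 (a deny rule per address) and the "3 tries, wait, 3 more" loop gets cut off after its first round; keep an eye on `valid_user_failures` in particular, since those are the attempts against accounts that can actually be logged into.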
liberty3 and liberty5 are wireless. The rest are wired. I don't know the router model off the top of my head (at work). It's one of the 54Mbps "extreme" ones, and it has wired connectors, but I'm not sure if they are a hub or a switch. This router will eventually be replaced with a wl access point and a separate router/firewall (probably liberty4). Maybe now is the time to implement this...

As for remote root access, that was just an example. Obscurity may be weak, but no reason to make it even easier for attackers, right?

Can I specify a port for KIO_Fish? Or will it always use port 22?

Thanks for all your help. At least you like my Kivio skills. :o)

-- 
Mark A. Taff
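On the port question and on Mark's wish for one connection string that works at home and away: the usual way is a client-side alias in ~/.ssh/config, paired with the server-side settings Stan's advice amounts to. The two fragments below are an added example, not from the thread or from either author. The alias name liberty1, the 192.168.1.0/24 home subnet, port 2222, the user name mark and the key file name are assumptions; `Match exec` needs OpenSSH 6.5 or newer. As far as I know kio_fish drives the system ssh binary, so a fish://liberty1/ URL would pick up the same alias and port (an assumption worth checking on your KDE version).

```text
# ~/.ssh/config on the laptop (client side).
# Added example; alias, subnet, port, user and key file are assumptions.
#
# ssh takes the first value it finds for each option, so the Match block
# that picks the internal address must come before the Host block.  The
# exec test succeeds only when the laptop holds an address in the home
# subnet; off the LAN the Host block's external name is used instead.
Match host liberty1 exec "ip -4 addr show | grep -q 'inet 192\.168\.1\.'"
    HostName liberty1-int

Host liberty1
    HostName liberty1-ext
    # never root: log in as yourself, su/sux once inside
    User mark
    # the high port the D-Link forwards to liberty1 (assumed 2222 -> 2222,
    # so the same port works from inside and outside)
    Port 2222
    IdentityFile ~/.ssh/id_liberty1
    # what "ssh -X" gives you, for the remote X sessions
    ForwardX11 yes

# /etc/ssh/sshd_config on liberty1 (server side).
# Each line is the setting Stan warns about, with the hardened value.
#
# not 22: fewer bot hits; this is the port the router forwards
Port 2222
# root logs in nowhere; become root after a normal login
PermitRootLogin no
# keys only: nothing for the dictionary attack to guess
PasswordAuthentication no
PubkeyAuthentication yes
# closes the PAM side door to passwords
# (ChallengeResponseAuthentication on releases before 8.7)
KbdInteractiveAuthentication no
# cap attempts per connection and the time allowed to finish logging in
MaxAuthTries 3
LoginGraceTime 30
# only named accounts, not every entry in /etc/passwd
AllowUsers mark
# needed on the server side for ForwardX11 / ssh -X
X11Forwarding yes
```

With this in place the command is `ssh liberty1` wherever the laptop is, and the D-Link only has to forward one high port to liberty1, which leaves its small rule table free for services on the other machines.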