[SLE] Security, ssh/vpn into a network

I ssh through a port I have forwarded from my firewall to my internal server. That server is my server with over a terabyte of space on it. Is there a better way to do this without having a 3rd computer that needs to be on all the time? Thinking of some sort of chroot or vmware for ssh to run in on my server, or even my IPCop firewall. Or using some kind of Web/SSL VPN. Anyone know of any good open source Web/SSL VPN? I usually only use ssh, web, and VNC remotely.
Thanks
-Cody
-- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com

On Monday 24 July 2006 19:48, Cody Nelson wrote:
I ssh through a port I have forwarded from my firewall to my internal server. That server is my server with over a terabyte of space on it.
Is there a better way to do this without having a 3rd computer that needs to be on all the time? Thinking of some sort of chroot or vmware for ssh to run in on my server, or even my IPCop firewall.
Or using some kind of Web/SSL VPN. Anyone know of any good open source Web/SSL VPN?
I usually only use ssh, web, and VNC remotely.
Hi Cody, You're a little unclear, but what I think you're asking is, given the current setup:
Server | IPCop Firewall | {Internet} | Roaming machine
Can you get rid of the IPCop machine? If I've understood you correctly, then yes you can. You can place multiple NICs in the server, allocate the security appropriately for each NIC using YaST, and make the server the gateway machine. However this does reduce your security to a degree, as you lose "defense in depth". You'd want to ensure only SSH or VPN with pre-shared keys is running on the "External Interface". Remove password only access, as you'd be susceptible to script-kiddies trawling for common and/or slack passwords. Theoretically you could put a firewall in a vmware machine, but I don't think vmware takes over the NIC at the hardware level, so you still need to protect the server's "External Interface" as it will be active in bridged mode. As to chroot, I don't know it all, so can't help in truth, but I suspect it would again boil down to the ability to isolate the NIC to the server in the chrooted environment.
-- Steve Boddy

Ok right now it is Remote PCs - {internet} - IPCop(firewall) - Server. My server is running several services, the only ones accessible outside are http and ssh. ssh is how I connect into my network remotely, and I use things like VNC, Squid, etc through that. I don't want to remove the firewall. I just want another layer of security without adding another machine that only does ssh. Somehow make it so my server's ssh is not open to the outside, because this is a server that has data I don't want to lose. In fact I would rather protect that than my PC. Having a web/ssl VPN tunnel would be one way (you would be in the network, but not on my server yet); chroot/virtual machine is another.
On 7/24/06, Stephen Boddy <stephen.boddy@btinternet.com> wrote:

On Monday 24 July 2006 22:26, Cody Nelson wrote:
Ok right now it is Remote PCs - {internet} - IPCop(firewall) - Server
My server is running several services, the only ones accessible outside are http and ssh. ssh is how I connect into my network remotely, and I use things like VNC, Squid, etc through that.
I don't want to remove the firewall. I just want another layer of security without adding another machine that only does ssh.
Somehow make it so my server's ssh is not open to the outside, because this is a server that has data I don't want to lose. In fact I would rather protect that than my PC.
Having a web/ssl VPN tunnel would be one way (you would be in the network, but not on my server yet); chroot/virtual machine is another.
Ahhh. OK, got you now. In that case then, either would work. It would make most sense to set up the VPN stuff on IPCop. (Don't ask, I don't know. I had to move away from IPCop before I wrestled with that little conundrum.) Then your remote machine will have an interface on your home network. You could run a VPN server or ssh on a virtual machine on your server, but any issues with the firewall, server or virtual machine would knock out your access. Better to set up the IPCop VPN. Then you only have one machine to worry about, and that is very specialized and less likely to have issues.
-- Steve Boddy

On Monday 24 July 2006 13:26, Cody Nelson wrote:
I don't want to remove the firewall. I just want another layer of security without adding another machine that only does ssh.
Why not just forward port 22 (or some less obvious port) thru the firewall to port 22 on the server? That way you simply ssh to the firewall and arrive at the server. Look at it this way: With all the exploits of http, why in hell would you worry about ssh? Any other solution you think of will take more open ports and more software, and potentially be at risk for more exploits. Once ssh is up and running, you can tunnel anything else you need thru it.
-- John Andersen

I do forward port 22. I just want another level of protection so I don't even have to have port 22 open. I was looking for suggestions to do this, and I gave 3 examples:
1. Web VPN
2. chroot (having ssh running inside)
3. vmware (having ssh running inside another lightweight linux install)
Am I doing that bad of a job explaining what it is I am doing, and what it is I want to do? Currently I ssh to my network, I VNC and everything I need to through that SSH tunnel. I don't like this because I am forwarding ports from outside to this box. I want to keep my access to my network, but have the same functionality. Here are some points.
1. Add another level of security because my server has 1.5 terabytes of data I don't want to lose. Rather have them hack into something else before they get to that box, rather than have that box open to the world.
2. Have a clientless or nearly clientless way into the network.
3. Server is a celeron 600 w/ 256 mb ram. So resources are not unlimited.
I think ideally would be some kind of Web VPN like what Cisco has on the ASAs. Anyone played with any open source ones yet? (SSL-Explorer) Also I use IPCop on a standalone firewall and have squid installed on the server; I am looking at some other firewall that might work out better. Astaro Security Linux has my eye right now, but there are a lot out there.
On 7/25/06, John Andersen <jsa@pen.homeip.net> wrote:

On Wednesday 26 July 2006 13:16, Cody Nelson wrote:
Currently I ssh to my network, I VNC and everything I need to through that SSH tunnel. I don't like this because I am forwarding ports from outside to this box.
That's what I don't understand. You are "forwarding these ports" thru the ssh tunnel. Don't you see that that is the MOST SECURE setup you could possibly have? Anything else you do will be less secure than what you already are doing. Are you SURE you understand what it means to tunnel other traffic thru ssh? You DO KNOW, don't you, that every bit of ssh traffic is encrypted? Even login? You do know that all the tunneled traffic (forwarded ports) is also encrypted and hidden from the world, and CAN'T be accessed from anywhere else? You DO know that you can have VNC on the server to listen only to 127.0.0.1 and these then can ONLY be accessed from an ssh connection into the server? Any other "layer" you add will be worse than what you already have. You will open MORE ports with LESS secure software. I think you need to read up on the capabilities of SSH. The mere fact that you can forward a port from your home workstation to your server thru the ssh tunnel does NOT make that a security risk. Those ports are not available to anyone else.
-- John Andersen
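John's point is that the services Cody reaches through the tunnel (VNC, Squid) should listen on 127.0.0.1 only, so that the only way to them from outside is an authenticated ssh session. Whether that is actually the case on the server is something you can check rather than assume. The following is an added example, not code from the thread: a small POSIX shell audit that reads `ss -tln`-style output and flags every listener bound to a non-loopback address whose port is not on the intentionally exposed list (22 and 80 here, matching Cody's setup). The listener table is a constructed sample so the check runs offline; the Squid listener on 0.0.0.0:3128 in it is constructed to show what a finding looks like.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample of `ss -tln` output
# for a server like Cody's: sshd and Apache on all interfaces, VNC on loopback
# only (reachable just through the ssh tunnel), and a Squid listener on
# 0.0.0.0:3128 deliberately included as the kind of slip this check catches.
SAMPLE_LISTENERS='State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:80          0.0.0.0:*
LISTEN  0      5      127.0.0.1:5900      0.0.0.0:*
LISTEN  0      128    0.0.0.0:3128        0.0.0.0:*
LISTEN  0      128    [::]:22             [::]:*'

# audit_listeners PORT...: reads ss-style lines on stdin and prints one line
# for every LISTEN socket that is bound to a non-loopback address and whose
# port is not in the list of intentionally exposed ports. Returns 1 if any
# such listener was found, 0 otherwise.
audit_listeners() {
    allowed=" $* "
    found=0
    while read -r state rq sq laddr peer; do
        [ "$state" = "LISTEN" ] || continue
        port=${laddr##*:}
        addr=${laddr%:*}
        case "$addr" in
            127.*|'[::1]') continue ;;   # loopback: only reachable via the tunnel
        esac
        case "$allowed" in
            *" $port "*) continue ;;     # intentionally exposed (ssh, http)
        esac
        printf 'exposed: %s (port %s not in allowed list)\n' "$laddr" "$port"
        found=1
    done
    return $found
}

# count_exposed PORT...: number of findings in the constructed sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_LISTENERS" | audit_listeners "$@" | grep -c '^exposed:'
}

# On the real server the same check is:   ss -tln | audit_listeners 22 80
# A loopback-only VNC is then reached from the remote machine with
#   ssh -L 5900:127.0.0.1:5900 user@server     (and VNC to localhost:5900)
count_exposed 22 80
```

Run it on the server after every service change; a finding means that service is reachable from the outside without passing through sshd, which is exactly the exposure the thread is arguing about. Note that `127.*` and `[::1]` are the only addresses treated as loopback; a service bound to the LAN address of an internal interface is still reported, because from the server's point of view it is not protected by the tunnel.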

You are completely misunderstanding me and are calling me an idiot. How many times do I have to say: "I am forwarding ssh/22 and http/80 from my firewall to my server. Everything else is tunneled through ssh. (yes that means encrypted)" Want me to cut and paste every time I have said that? Here is one from my previous message: "My server is running several services, the only ones accessible outside are http and ssh. ssh is how I connect into my network remotely, and I use things like VNC, Squid, etc through that." Again, port 5900 is not open to the outside, neither is any of the other ports/services. Only http/ssh is open from outside my network. I will secure up Apache as much as I can. But that will be a later topic, but then most likely not here.
Yes, I know every bit is encrypted, but it is possible to brute force / get lucky and get into my box. I don't think I'll get hacked because of an exploit from ssh. Or that someone will sniff my traffic. I want to add another level. There is nothing enlightening in the post other than the fact you keep calling me an idiot indirectly. I know that I can use putty to ssh in, and create tunnels so if I connect to localhost I can get inside my network. I do this for a lot of things, such as my squid, vnc, etc. This is nothing new.
Right now if someone got lucky and got into ssh they would automatically have access to my server. If I move it to vmware or find some way to chroot it, no ports have been opened, I only put in a layer. Or if I add WebVPN so you would have an ssl into my network. And I would have port 22 closed from the outside. I am surprised there has been no one to come forward who is a security Nazi and could help me. Instead I get attacks from people misunderstanding what I have stated. So let me state again. I am forwarding port 80 and 22 through my firewall. I ssh to my server and VNC, proxy and all other things are not being forwarded on the firewall but through the ssh tunnel.
Am I still unclear on this? I appreciate the effort used to reply to me, but you are grossly misunderstanding what I am stating/asking. I have stated it many times. I do not want to open more ports. I want to put in another level of protection. (vmware, chroot, webvpn/closing ports)
On 7/27/06, John Andersen <jsa@pen.homeip.net> wrote:

Hi, What do you think of port-knocking? Sorry if this has already been suggested, I didn't quite follow the discussion from the start.
-Stathis
On Thursday 27 July 2006 17:46, Cody Nelson wrote:

On Thursday 27 July 2006 06:46, Cody Nelson wrote:
Right now if someone got lucky and got into ssh they would automatically have access to my server. If I move it to vmware or find some way to chroot it, no ports have been opened, I only put in a layer.
Or if I add WebVPN so you would have an ssl into my network. And I would have port 22 closed from the outside.
So you close 22 and open up ssl? How does that help? SSL is no more secure than ssh. Probably less so. How do you envision someone "Getting Lucky"? If you don't allow password authentication via ssh and generate keys longer than 1024 they would have to use all your available bandwidth to brute force an attack, which is a self limiting situation, and one you would certainly detect since it will take several years with supercomputers. Chroots are scoffed at. They are easily broken. VMware is not that secure either. Certainly no more secure than the underlying OS. Install SELinux, and stop ranting.
-- John Andersen
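Steve's advice (keys only on the external interface, remove password-only access) and John's (don't allow password authentication, use keys longer than 1024 bits) both come down to a few lines in sshd_config, and the common mistake is to turn off `PasswordAuthentication` while leaving `ChallengeResponseAuthentication` on, which still lets PAM prompt for a password. As an added example, not code from the thread or from the OpenSSH project, here is a POSIX shell check that reads an sshd_config text and reports any setting that still allows a guessable secret. Two constructed configs, a weak one and a hardened one, are embedded so it runs offline. The defaults assumed when a key is absent (password and keyboard-interactive authentication on, public keys on) are OpenSSH's documented defaults.

```shell
#!/bin/sh
# Added example (not from the thread). Two constructed sshd_config texts: the
# weak one still accepts passwords, the hardened one accepts keys only.
WEAK_CONFIG='Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
#PermitRootLogin yes'

HARDENED_CONFIG='Port 22
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys'

# sshd_option CONFIG KEY DEFAULT: value of the first active (uncommented)
# occurrence of KEY in CONFIG, or DEFAULT if it is never set. sshd honours the
# first occurrence of a keyword, so the first match wins here too. Reading
# stops at the first "Match" block, since settings there are conditional.
sshd_option() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                  # comments and blanks
        tolower($1) == "match" { exit }                    # conditional section
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print tolower(def) }'
}

# check_sshd_config CONFIG: prints one "FAIL ..." line per setting that still
# allows a guessable secret (or would lock out key logins); returns 0 only if
# every check passes. Defaults are OpenSSH's: passwords and keyboard-
# interactive auth are on unless disabled, public keys are on.
check_sshd_config() {
    cfg=$1
    rc=0
    if [ "$(sshd_option "$cfg" PasswordAuthentication yes)" != "no" ]; then
        echo "FAIL PasswordAuthentication should be no (password guessing stays possible)"
        rc=1
    fi
    if [ "$(sshd_option "$cfg" ChallengeResponseAuthentication yes)" != "no" ]; then
        echo "FAIL ChallengeResponseAuthentication should be no (PAM can still prompt for a password)"
        rc=1
    fi
    if [ "$(sshd_option "$cfg" PubkeyAuthentication yes)" != "yes" ]; then
        echo "FAIL PubkeyAuthentication must stay yes or key logins stop working"
        rc=1
    fi
    if [ $rc -eq 0 ]; then
        echo "PASS key-only authentication"
    fi
    return $rc
}

# audit_config_file PATH: the same check against a real file, for example
#   audit_config_file /etc/ssh/sshd_config
audit_config_file() {
    check_sshd_config "$(cat "$1")"
}

check_sshd_config "$WEAK_CONFIG"
check_sshd_config "$HARDENED_CONFIG"
```

After editing the real file, `sshd -t` validates the syntax before a restart, and `ssh-keygen -l -f ~/.ssh/id_rsa.pub` prints a key's bit length, which is how to confirm John's "longer than 1024" point for the keys you install. Note that OpenSSH 8.7 renamed `ChallengeResponseAuthentication` to `KbdInteractiveAuthentication`; on a current server check that keyword as well, since the script above only knows the 2006-era name.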
participants (4)
- Cody Nelson
- John Andersen
- rouvas
- Stephen Boddy