FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 05-05-2011, 09:14 PM
George
 
Default OT: Safe to access SSH server from work?

I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.

What are the configuration steps that I will need to do on the server
and the client to be able to work access the computer from my
workplace?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: BANLkTinFavrwh5NcWFcdJCE8+M-ja5=UXw@mail.gmail.com">http://lists.debian.org/BANLkTinFavrwh5NcWFcdJCE8+M-ja5=UXw@mail.gmail.com
 
Old 05-05-2011, 09:31 PM
David Sanders
 
Default OT: Safe to access SSH server from work?

On May 5, 2011 10:15 PM, "George" <pinkisntwell@gmail.com> wrote:

>

> I have a computer at home that I'm doing some research on and I set up

> an SSH server on it so I can access it from other computers at home. I

> haven't opened up the network to the internet yet though, as I'm not

> confident enough that it is safe.

>

> What are the configuration steps that I will need to do on the server

> and the client to be able to work access the computer from my

> workplace?

>

>

Forward port 22. Disable password based login to SSH. Install denyhosts. Run ssh-keygen on your work computer and copy the public key securely into authorized_keys on your home PC.


For starters that should be fairly secure.


David

> --

> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org

> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

> Archive: http://lists.debian.org/BANLkTinFavrwh5NcWFcdJCE8+M-ja5=UXw@mail.gmail.com

>
 
Old 05-05-2011, 09:43 PM
Jochen Schulz
 
Default OT: Safe to access SSH server from work?

George:
>
> I have a computer at home that I'm doing some research on and I set up
> an SSH server on it so I can access it from other computers at home. I
> haven't opened up the network to the internet yet though, as I'm not
> confident enough that it is safe.

If you only allowing key-based authentication and install security
patches in a timely manner, the risk from running a public OpenSSH
server is low. Expect brute-force attempts to login using weak
passwords, though. If you only allow key logins, you can ignore that.

> What are the configuration steps that I will need to do on the server

You probably need to configure a port forwarding on your router to port
22 on the server running OpenSSH. Additionally, you may want to use a
service like dyndns.com so that you can connect to your machine using a
stable hostname instead of a dynamically changing IP address.

> and the client to be able to work access the computer from my
> workplace?

On a Windows system, I recommend using PuTTY. You don't need any special
configuration.

Be aware that using SSH from an untrusted host is a bad idea. If you
don't trust your employer, don't put your private key file one of his
systems and don't enter your passphrase either.

J.
--
I wish I was gay.
[Agree] [Disagree]
<http://www.slowlydownward.com/NODATA/data_enter2.html>
 
Old 05-05-2011, 09:47 PM
Jerome BENOIT
 
Default OT: Safe to access SSH server from work?

Hello List,

On 05/05/11 23:14, George wrote:

I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.

What are the configuration steps that I will need to do on the server
and the client to be able to work access the computer from my
workplace?



Very briefly, on your home box:
0] install appropriate harden Debian packages;
1] set up a firewall (e.g, firehol Debian package);
2] in /etc/hosts.allow limit access to sshd accordingly (sshd: <WORKPLACE IP>);
3] configure the /etc/ssh/sshd_config to allow only a small set of users (sshd_config AllowUsers),
basically only you;
4] use public keys rather than passwords.

I guess that the list is incomplete, but it is certainly a good start.

hth,
Jerome


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4DC31AEA.3080103@rezozer.net">http://lists.debian.org/4DC31AEA.3080103@rezozer.net
 
Old 05-05-2011, 09:50 PM
Jerome BENOIT
 
Default OT: Safe to access SSH server from work?

On 05/05/11 23:43, Jochen Schulz wrote:

George:


I have a computer at home that I'm doing some research on and I set up
an SSH server on it so I can access it from other computers at home. I
haven't opened up the network to the internet yet though, as I'm not
confident enough that it is safe.


If you only allowing key-based authentication and install security
patches in a timely manner, the risk from running a public OpenSSH
server is low. Expect brute-force attempts to login using weak
passwords, though. If you only allow key logins, you can ignore that.


What are the configuration steps that I will need to do on the server


You probably need to configure a port forwarding on your router to port
22 on the server running OpenSSH. Additionally, you may want to use a
service like dyndns.com so that you can connect to your machine using a
stable hostname instead of a dynamically changing IP address.



see ddclient Debain package:
http://packages.debian.org/squeeze/ddclient





and the client to be able to work access the computer from my
workplace?


On a Windows system, I recommend using PuTTY. You don't need any special
configuration.

Be aware that using SSH from an untrusted host is a bad idea. If you
don't trust your employer, don't put your private key file one of his
systems and don't enter your passphrase either.

J.


--
Jerome BENOIT
jgmbenoit-at+rezozer*dot_net


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4DC31BA3.90905@rezozer.net">http://lists.debian.org/4DC31BA3.90905@rezozer.net
 
Old 05-05-2011, 10:01 PM
George
 
Default OT: Safe to access SSH server from work?

On 5/6/11, Jochen Schulz <ml@well-adjusted.de> wrote:

> If you only allowing key-based authentication and install security
> patches in a timely manner, the risk from running a public OpenSSH
> server is low. Expect brute-force attempts to login using weak
> passwords, though. If you only allow key logins, you can ignore that.
>

What exactly is a key login? The computer that needs to be accessed is
running Windows and I have installed WinSSHD on it. I see a "DSA host
key" on its configuration screen, accompanied by an MD5 fingerprint.
When I connected to it from my Debian box I received the
aforementioned fingerprint. Is this process the "key login" you're
referring to? I'm asking because in the configuration screen of
WinSSHD there's also an indication of "No RSA host key is currently
employed". What is the difference between the two keys? Do I need to
use both of them to be safe when accessing from the Internet?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: BANLkTi=qGuM0ibNXhnaSwwZFdu7D1pzR0Q@mail.gmail.com ">http://lists.debian.org/BANLkTi=qGuM0ibNXhnaSwwZFdu7D1pzR0Q@mail.gmail.com
 
Old 05-05-2011, 10:09 PM
Brian
 
Default OT: Safe to access SSH server from work?

On Fri 06 May 2011 at 00:14:36 +0300, George wrote:

> I have a computer at home that I'm doing some research on and I set up
> an SSH server on it so I can access it from other computers at home. I
> haven't opened up the network to the internet yet though, as I'm not
> confident enough that it is safe.

You can be confident that the default Debian install of openssh-server
has a configuration which is very safe. There is nothing for you to do.

> What are the configuration steps that I will need to do on the server
> and the client to be able to work access the computer from my
> workplace?

Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 20110505220902.GF13057@desktop">http://lists.debian.org/20110505220902.GF13057@desktop
 
Old 05-05-2011, 10:24 PM
 
Default OT: Safe to access SSH server from work?

On Thursday 5 May, 2011 14:43:13 Jochen Schulz wrote:
> Expect brute-force attempts to login using weak
> passwords, though. If you only allow key logins, you can ignore that.

And how is that done? When I set /etc/ssh/sshd_config|PasswordAuthentication no I get 'Connection reset by server'.


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 201105051524.13252.CACook@quantum-sci.com">http://lists.debian.org/201105051524.13252.CACook@quantum-sci.com
 
Old 05-05-2011, 10:46 PM
 
Default OT: Safe to access SSH server from work?

On Thursday 5 May, 2011 15:09:02 Brian wrote:
> Use a strong password or ssh keys for access to the server. The question
> is whether you trust the machine you use at work.

OK, say you -don't- trust your machine at work. Workarounds?


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: 201105051546.27573.CACook@quantum-sci.com">http://lists.debian.org/201105051546.27573.CACook@quantum-sci.com
 
Old 05-05-2011, 10:52 PM
Jerome BENOIT
 
Default OT: Safe to access SSH server from work?

come with your own machine, presumably a laptop ?

On 06/05/11 00:46, CACook@quantum-sci.com wrote:

On Thursday 5 May, 2011 15:09:02 Brian wrote:

Use a strong password or ssh keys for access to the server. The question
is whether you trust the machine you use at work.


OK, say you -don't- trust your machine at work. Workarounds?





--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Archive: 4DC32A38.5050504@rezozer.net">http://lists.debian.org/4DC32A38.5050504@rezozer.net
 

Thread Tools




All times are GMT. The time now is 08:02 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org