02-03-2008, 03:59 PM
Grant Edwards
{OT} CUPS alternative?

On 2008-02-03, Dan Farrell <dan@spore.ath.cx> wrote:

>> So you're saying ssh running on an unusual port is good
>> enough?

For some value of "good enough", yes.

> I'm no expert, but from my logs: SSH attempts (from bots in
> Shanghai and the like) on port 22 number in the thousands,
> unexpected SSH attempts on the nonstandard ports I run SSH on
> (actually it's firewall-level port forwarding) have not yet
> been logged.

I usually run ssh on non-standard ports. It does cut down a
lot on break-in attempts. It's still an open port, and you
still need to make sure ssh/openssl is kept updated.
Blacklisting a source IP after multiple failed attempts within
a time period is probably a good idea regardless.

--
Grant Edwards, grante at visi.com
Yow! Yow! I just went below the poverty line!

--
gentoo-user@lists.gentoo.org mailing list
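The "blacklist a source after several failed attempts within a time period" idea from the post above, as an added example that is not code from the thread or from any of its participants. It runs a sliding window over sshd "Failed password" lines and turns the offenders into firewall rules; the log lines are constructed, the threshold and window are assumptions, and the time parsing assumes all lines come from the same day.

```shell
#!/bin/sh
# Added example, not code from the thread. It models the "blacklist a source
# after N failures in T seconds" idea with a sliding window over sshd log
# lines, then turns the offenders into firewall rules. Threshold, window and
# the log lines below are constructed/assumed.

# Constructed sshd log excerpt in syslog format (one day, chronological).
SAMPLE_LOG='Feb  3 15:10:00 gw sshd[2100]: Failed password for grant from 198.51.100.4 port 51001 ssh2
Feb  3 15:58:01 gw sshd[2211]: Failed password for root from 203.0.113.7 port 40211 ssh2
Feb  3 15:58:03 gw sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40215 ssh2
Feb  3 15:58:05 gw sshd[2215]: Failed password for root from 203.0.113.7 port 40219 ssh2
Feb  3 15:58:07 gw sshd[2217]: Failed password for invalid user oracle from 203.0.113.7 port 40223 ssh2
Feb  3 15:58:09 gw sshd[2219]: Failed password for root from 203.0.113.7 port 40227 ssh2
Feb  3 15:59:30 gw sshd[2230]: Failed password for grant from 198.51.100.4 port 51002 ssh2
Feb  3 15:59:40 gw sshd[2231]: Accepted publickey for grant from 198.51.100.4 port 51003 ssh2
Feb  3 16:02:10 gw sshd[2240]: Failed password for root from 192.0.2.9 port 3322 ssh2'

# ssh_offenders THRESHOLD WINDOW_SECONDS
# Reads sshd log lines on stdin and prints each source IP (once) as soon as it
# has THRESHOLD or more "Failed password" lines within WINDOW_SECONDS.
# Assumption: all lines are from the same day, so HH:MM:SS is enough.
ssh_offenders() {
    awk -v thr="$1" -v win="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
        split($3, t, ":")
        secs = t[1] * 3600 + t[2] * 60 + t[3]
        ip = ""
        for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        n[ip]++
        ts[ip, n[ip]] = secs
        # slide the window: forget failures older than WINDOW_SECONDS
        while (head[ip] < n[ip] && ts[ip, head[ip] + 1] < secs - win) head[ip]++
        if (n[ip] - head[ip] >= thr && !(ip in seen)) { seen[ip] = 1; print ip }
    }'
}

# blacklist_rules: one DROP rule per IP read from stdin. Printed, not run;
# review the list (and keep your own addresses out of it) before applying.
blacklist_rules() {
    while IFS= read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# Demo: 5 failures within 10 minutes flags only 203.0.113.7; the legitimate
# user who mistyped twice an hour apart (198.51.100.4) is left alone.
printf '%s\n' "$SAMPLE_LOG" | ssh_offenders 5 600 | blacklist_rules
```

Two caveats before putting something like this in a cron job: a permanent DROP is how you lock yourself out after a bad keyboard day, so give entries a lifetime (an ipset created with a timeout, or iptables' `-m recent --update --seconds ... --hitcount ...`, which does the whole window calculation in the kernel) and exclude your own addresses. Tools such as fail2ban implement exactly this loop with log-format knowledge and expiry built in. Moving sshd to another port only thins the noise in the logs; it does nothing for the one attacker who scans for the port first, which is why the post pairs it with keeping OpenSSH/OpenSSL patched.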
 
02-03-2008, 04:03 PM
Grant Edwards
{OT} CUPS alternative?

On 2008-02-03, Grant <emailgrant@gmail.com> wrote:

>> I can imagine situations where you'd want to print invoices
>> and the like at front offices or even remote storefronts and
>> locations, but wouldn't you want a VPN up between your remote
>> offices anyway?
>
> That's more or less what I'm trying to do. Is setting up a
> VPN between my remote server and local network overkill?

It sounds like the right thing to do to me. Once you've got a
VPN set up, then everything else "just works". You'll probably
end up spending less time setting up one well-secured
general-purpose connection (VPN) than you would futzing around
with various security wrappers and kludges for various
clients/servers.

> I think the only thing I'd use it for is to hide the sending
> of these printouts.

Once it's up, there'll be other things you'll use it for.

--
Grant Edwards, grante at visi.com
Yow! Yow! I want my nose in lights!

02-03-2008, 07:25 PM
Grant
{OT} CUPS alternative?

> >> I can imagine situations where you'd want to print invoices
> >> and the like at front offices or even remote storefronts and
> >> locations, but wouldn't you want a VPN up between your remote
> >> offices anyway?
> >
> > That's more or less what I'm trying to do. Is setting up a
> > VPN between my remote server and local network overkill?
>
> It sounds like the right thing to do to me. Once you've got a
> VPN set up, then everything else "just works". You'll probably
> end up spending less time setting up one well-secured
> general-purpose connection (VPN) than you would futzing around
> with various security wrappers and kludges for various
> clients/servers.
>
> > I think the only thing I'd use it for is to hide the sending
> > of these printouts.
>
> Once it's up, there'll be other things you'll use it for.

Ok, no RSA certs, no non-standard port numbers, just use openvpn?

So I would set up openvpn on my remote server and connect to it from:

1. my local print server for printing

2. my laptop for ssh and imap

Could I also only allow access to my website's admin pages through openvpn?

- Grant
02-04-2008, 05:08 AM
Dan Farrell
{OT} CUPS alternative?

On Sun, 3 Feb 2008 12:25:25 -0800
Grant <emailgrant@gmail.com> wrote:

> So I would set up openvpn on my remote server and connect to it from:

Here are a few ideas about the subject, some options to think about.

> 1. my local print server for printing

Look into routed vpn networks. If I were in your case I would probably
set up a VPN server on (one of) my firewall(s) and then either
route/allow :641 traffic to the remote print server through the VPN or
simply redirect :641 connections through the VPN, just like port
forwarding for NATed servers behind firewalls. In this configuration,
the remote print server is really a VPN client rather than a server.

> 2. my laptop for ssh and imap

I like to allow myself, with my laptop, to connect to my SOHO-sized
server setup through a VPN. To this end I tell the gateways on select
subnets to route through to the VPN, and tell the VPN server to route
to those subnets' gateways. That way I can configure any computer
(through the vpn, of course) without having to worry about opening it
to external connections. If you wanted to make the VPN transparent,
you could NAT the VPN traffic instead, and make it look like it came
from the VPN server itself.

I cringe at the idea of having to use a VPN for imap, however.

> Could I also only allow access to my website's admin pages through
> openvpn?

You could, but it might be a little tricky, depending on your setup.
If it were my goal, I would probably put the server pages in a
directory and control access to that directory to only VPN addresses
(Again, this assumes a routed vpn). Or you could put it on a different
server entirely.

However, I would do no such thing. I would want to use an entirely
different access scheme for website admin, using a user login to
perhaps an ssl protected webpage, or if I were really concerned, HTTP
authentication. I would not want my web admins, who likely enjoy the
ease with which they can manipulate their web pages, to be allowed on
the VPN, and wouldn't want to set it up on their computers or worry
about them getting viruses and the like. It's hard for a virus to
transmit in a meaningful fashion over FTP and access to webpages, but
trojans on a VPN client give the trojan controller the same access to
the VPN -- and a copy of the client's certificates. I am not quick to
pass out trusted certs for my vpn.

In short, better uses of the VPN in this case would probably be remote
access to the corp. network from your laptop and secure access to
remote print servers from whatever the number of hosts.

> - Grant
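The routed layout Dan sketches above (VPN server on the firewall, the remote print server as a VPN client the server routes to, printer traffic only over the tunnel, the web admin directory limited to VPN addresses), as an added example that is not Dan's or Grant's configuration. It stages an OpenVPN server.conf, the per-client ccd file and an Apache 2.4 snippet into a directory for review, and prints (does not apply) the matching iptables rules. Every address, interface name, certificate CN and path is an assumption; IPP's registered port is 631, so that is what the script uses where the post writes :641.

```shell
#!/bin/sh
# Added example, not the thread's own configuration. Stages the routed
# OpenVPN layout described in the post: VPN server on the firewall, the
# remote print server as a VPN client with a fixed tunnel address, IPP only
# reachable over the tunnel, web admin directory limited to VPN addresses.
# All addresses, interface names, CNs and paths below are assumptions.

VPN_NET=10.8.0.0          # tunnel network handed out by the OpenVPN server
VPN_MASK=255.255.255.0
VPN_CIDR=10.8.0.0/24
LAN_NET=192.168.1.0       # LAN behind the firewall, pushed to clients
LAN_MASK=255.255.255.0
PRINTSRV_CN=printserver   # CN of the print server's client certificate
PRINTSRV_VPN_IP=10.8.0.10 # fixed tunnel address for that client
WAN_IF=eth0
LAN_IF=eth1
TUN_IF=tun0
IPP_PORT=631              # IPP/CUPS; the thread writes :641, IANA says 631

# write_vpn_configs DIR: stage server.conf, the per-client ccd file and an
# Apache 2.4 snippet under DIR for review before copying into /etc.
write_vpn_configs() {
    dir=$1
    mkdir -p "$dir/openvpn/ccd" "$dir/apache"

    cat > "$dir/openvpn/server.conf" <<EOF
port 1194
proto udp
dev tun
topology subnet
server $VPN_NET $VPN_MASK
# one cert per device; a client that gets trojaned or stolen is revoked via the CRL
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
crl-verify crl.pem
remote-cert-tls client
tls-auth ta.key 0
# fixed addresses and routes per client come from ccd/<CN>
client-config-dir ccd
# tell clients how to reach the LAN behind the firewall
push "route $LAN_NET $LAN_MASK"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
EOF

    cat > "$dir/openvpn/ccd/$PRINTSRV_CN" <<EOF
# the remote print server always gets the same tunnel address
ifconfig-push $PRINTSRV_VPN_IP $VPN_MASK
EOF

    cat > "$dir/apache/admin.conf" <<EOF
# admin pages answer only to tunnel addresses; the TCP peer address is what
# counts here, never a client-supplied X-Forwarded-For header
<Directory "/var/www/admin">
    Require ip $VPN_CIDR
</Directory>
EOF
}

# firewall_rules: iptables commands (printed, not applied) that accept the
# VPN on the WAN side and IPP only from inside the tunnel.
firewall_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
iptables -A INPUT -i $TUN_IF -s $VPN_CIDR -p tcp --dport $IPP_PORT -j ACCEPT
iptables -A INPUT -p tcp --dport $IPP_PORT -j DROP
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $TUN_IF -o $LAN_IF -s $VPN_CIDR -p tcp --dport $IPP_PORT -j ACCEPT
EOF
}

STAGE=${STAGE:-./vpn-stage}
write_vpn_configs "$STAGE"
firewall_rules
```

The address-based admin restriction works only because tunnel addresses are assigned by the server and the firewall refuses IPP and admin traffic from anywhere else; if a reverse proxy ever sits in front of Apache, the check must stay on the real peer address, not on a forwarded header an outsider can set. The CRL line is the answer to Dan's concern about a trojaned client walking off with its certificate: one certificate per device, revoke the one that was compromised, and the server stops that device at the TLS handshake without touching the others.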
02-11-2008, 01:23 PM
Grant
{OT} CUPS alternative?

> > So I would set up openvpn on my remote server and connect to it from:
>
> here's a few ideas about the subject, some options to think about.
>
> > 1. my local print server for printing
>
> Look into routed vpn networks. If I were in your case I would probably
> set up a VPN server on (one of) my firewall(s) and then either
> route/allow :641 traffic to the remote print server through the VPN or
> simply redirect :641 connections through the VPN, just like port
> forwarding for NATed servers behind firewalls. in this configuration,
> the remote print server is really a VPN client rather than a server.

That sounds good.

> > 2. my laptop for ssh and imap
>
> I like to allow myself, with my laptop, to connect to my SOHO-sized
> server setup through a VPN. To this end I tell the gateways on select
> subnets to route through to the VPN, and tell the VPN server to route
> to those subnets' gateways. That way I can configure any computer
> (through the vpn, of course) without having to worry about opening it
> to external connections. If you wanted to make the VPN transparent,
> you could NAT the VPN traffic instead, and make it look like it came
> from the VPN server itself.

Can't say I understand this but I have some reading to do about VPN.

> I cringe at the idea of having to use a VPN for imap, however.

Why? Would you say the same of using it for SMTP?

> > Could I also only allow access to my website's admin pages through
> > openvpn?
>
> You could, but it might be a little tricky, depending on your setup.
> If it were my goal, I would probably put the server pages in a
> directory and control access to that directory to only VPN addresses
> (Again, this assumes a routed vpn). Or you could put it on a different
> server entirely.
>
> However, I would do no such thing. I would want to use an entirely
> different access scheme for website admin, using a user login to
> perhaps an ssl protected webpage, or if I were really concerned, HTTP
> authentication. I would not want my web admins, who likely enjoy the
> ease with which they can manipulate their web pages, to be allowed on
> the VPN, and wouldn't want to set it up on their computers or worry
> about them getting viruses and the like. It's hard for a virus to
> transmit in a meaningful fashion over FTP and access to webpages, but
> trojans on a VPN client give the trojan controller the same access to
> the VPN -- and a copy of the client's certificates. I am not quick to
> pass out trusted certs for my vpn.

I was thinking authentication + VPN, but maybe that's overkill. I
kinda like the idea of everything non-public going through the VPN.
Nobody should be in there but me so there's no trust problem. Is that
too much?

There are only three machines involved here:

1. remote web/mail server, print client
2. local firewall/router/print server
3. local web/mail/print client

I think it would make sense to make machine #2 the VPN server, but it
is not nearly as reliable as machine #1 in terms of the internet
connection and the hardware (machine #2 is getting old). I would hate
to be out of town and lose access to all email services because
machine #2 goes down. Machine #1 basically never goes down. Could I
make #1 the VPN server to maximize reliability and have everything
work the way I want it to?

- Grant


> In short, better uses of the VPN in this case would probably be remote
> access to the corp. network from your laptop and secure access to
> remote print servers from whatever the number of hosts.
02-11-2008, 01:51 PM
Dan Farrell
{OT} CUPS alternative?

On Mon, 11 Feb 2008 06:23:23 -0800
Grant <emailgrant@gmail.com> wrote:

> > I cringe at the idea of having to use a VPN for imap, however.
>
> Why? Would you say the same of using it for SMTP?

I read email rather compulsively I guess, and would hate to be bothered
with VPNs, then use an encrypted mail session anyway.

> I was thinking authentication + VPN, but maybe that's overkill. I
> kinda like the idea of everything non-public going through the VPN.
> Nobody should be in there but me so there's no trust problem. Is that
> too much?

No, especially not if you don't have other admins to deal with.

> There are only three machines involved here:
>
> 1. remote web/mail server, print client
> 2. local firewall/router/print server
> 3. local web/mail/print client
>
> I think it would make sense to make machine #2 the VPN server, but it
> is not nearly as reliable as machine #1 in terms of the internet
> connection and the hardware (machine #2 is getting old). I would hate
> to be out of town and lose access to all email services because
> machine #2 goes down. Machine #1 basically never goes down. Could I
> make #1 the VPN server to maximize reliability and have everything
> work the way I want it to?
>

Yes, any of the computers can be the server. I would put it on the
connection with best upload speeds myself, but your considerations here
seem relevant.