* [gentoo-user] Reaching my network over the internet
@ 2005-10-16 16:59 Grant
2005-10-16 17:16 ` [gentoo-user] " Gabriel M. Beddingfield
2005-10-17 1:18 ` [gentoo-user] " Nick Rout
0 siblings, 2 replies; 23+ messages in thread
From: Grant @ 2005-10-16 16:59 UTC (permalink / raw
To: Gentoo mailing list
Hello, I'd like to ssh into my network over the internet. Do I need
to set up VPN for that? Can anyone point me in the right direction?
- Grant
--
gentoo-user@gentoo.org mailing list
* [gentoo-user] Re: Reaching my network over the internet
2005-10-16 16:59 [gentoo-user] Reaching my network over the internet Grant
@ 2005-10-16 17:16 ` Gabriel M. Beddingfield
2005-10-16 18:01 ` Grant
2005-10-17 1:18 ` [gentoo-user] " Nick Rout
1 sibling, 1 reply; 23+ messages in thread
From: Gabriel M. Beddingfield @ 2005-10-16 17:16 UTC (permalink / raw
To: gentoo-user
Grant wrote:
> Hello, I'd like to ssh into my network over the internet. Do I need
> to set up VPN for that? Can anyone point me in the right direction?
It depends on what you're trying to do.
If you just want to ssh into a machine on your network... then no. From a
shell session on that machine you can access the other hosts on your
network.
If you want to "ssh into your network" and have your computer connected as
if you were actually on the network... then yes you will need VPN for that.
What sort of network access are you wanting?
-Gabriel
* Re: [gentoo-user] Re: Reaching my network over the internet
2005-10-16 17:16 ` [gentoo-user] " Gabriel M. Beddingfield
@ 2005-10-16 18:01 ` Grant
2005-10-16 18:13 ` John Jolet
0 siblings, 1 reply; 23+ messages in thread
From: Grant @ 2005-10-16 18:01 UTC (permalink / raw
To: gentoo-user
> > Hello, I'd like to ssh into my network over the internet. Do I need
> > to set up VPN for that? Can anyone point me in the right direction?
>
> It depends on what you're trying to do.
>
> If you just want to ssh into a machine on your network... then no. From a
> shell session on that machine you can access the other hosts on your
> network.
>
> If you want to "ssh into your network" and have your computer connected as
> if you were actually on the network... then yes you will need VPN for that.
>
> What sort of network access are you wanting?
>
> -Gabriel
Hi Gabriel,
Basically I have a network back home with a couple Gentoo systems
connected and I'd like to have ssh (and maybe vnc) access to them from
my Gentoo laptop no matter where I am. What do you think?
- Grant
* Re: [gentoo-user] Re: Reaching my network over the internet
2005-10-16 18:01 ` Grant
@ 2005-10-16 18:13 ` John Jolet
2005-10-16 20:44 ` Jonathan Wright
0 siblings, 1 reply; 23+ messages in thread
From: John Jolet @ 2005-10-16 18:13 UTC (permalink / raw
To: gentoo-user
On Sunday 16 October 2005 13:01, Grant wrote:
> > > Hello, I'd like to ssh into my network over the internet. Do I need
> > > to set up VPN for that? Can anyone point me in the right direction?
> >
> > It depends on what you're trying to do.
> >
> > If you just want to ssh into a machine on your network... then no. From
> > a shell session on that machine you can access the other hosts on your
> > network.
> >
> > If you want to "ssh into your network" and have your computer connected
> > as if you were actually on the network... then yes you will need VPN for
> > that.
> >
> > What sort of network access are you wanting?
> >
> > -Gabriel
>
> Hi Gabriel,
>
> Basically I have a network back home with a couple Gentoo systems
> connected and I'd like to have ssh (and maybe vnc) access to them from
> my Gentoo laptop no matter where I am. What do you think?
>
> - Grant
if you just need ssh, you don't need a vpn, just a port forward on your
router. for vnc, I'd use openvpn.
--
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
* Re: [gentoo-user] Re: Reaching my network over the internet
2005-10-16 18:13 ` John Jolet
@ 2005-10-16 20:44 ` Jonathan Wright
2005-10-17 0:32 ` John Jolet
0 siblings, 1 reply; 23+ messages in thread
From: Jonathan Wright @ 2005-10-16 20:44 UTC (permalink / raw
To: gentoo-user
John Jolet wrote:
>>Basically I have a network back home with a couple Gentoo systems
>>connected and I'd like to have ssh (and maybe vnc) access to them from
>>my Gentoo laptop no matter where I am. What do you think?
>
> if you just need ssh, you don't need a vpn, just a port forward on your
> router. for vnc, I'd use openvpn.
Why go through all the hassle of setting up a VPN when you can use SSH to
provide a secure tunnel into the network and use that instead? Works
fine for me.
# ssh -L5900:hostname:5900 username@hostname.tld
# vncviewer localhost:0
--
Jonathan Wright ~ mail at djnauk.co.uk
~ www.djnauk.co.uk
--
2.6.12-gentoo-r10-djnauk-b3 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
up 2 min, 1 user, load average: 1.68, 0.87, 0.33
--
"People sometimes think I'm gay because I once played a gay in a
movie. It's funny. Audiences don't think you're a murderer if you
play a murderer, but they do think you're gay if you play a gay."
~ Perry King
* Re: [gentoo-user] Re: Reaching my network over the internet
2005-10-16 20:44 ` Jonathan Wright
@ 2005-10-17 0:32 ` John Jolet
2005-10-17 8:09 ` Jonathan Wright
0 siblings, 1 reply; 23+ messages in thread
From: John Jolet @ 2005-10-17 0:32 UTC (permalink / raw
To: gentoo-user
On Sunday 16 October 2005 15:44, Jonathan Wright wrote:
> John Jolet wrote:
> >>Basically I have a network back home with a couple Gentoo systems
> >>connected and I'd like to have ssh (and maybe vnc) access to them from
> >>my Gentoo laptop no matter where I am. What do you think?
> >
> > if you just need ssh, you don't need a vpn, just a port forward on your
> > router. for vnc, I'd use openvpn.
>
> Why go through all the hassle of setting up a VPN when you can use SSH to
> provide a secure tunnel into the network and use that instead? Works
> fine for me.
>
> # ssh -L5900:hostname:5900 username@hostname.tld
> # vncviewer localhost:0
Okay, now show me the instance where you want box->internet->box->vnc server.
If you set up openvpn on your ssh server, you easily can tunnel across it.
Doing that with ssh would add another tunnel. Takes 5 minutes to set up.
>
> --
> Jonathan Wright ~ mail at djnauk.co.uk
> ~ www.djnauk.co.uk
> --
> 2.6.12-gentoo-r10-djnauk-b3 Intel(R) Pentium(R) 4 Mobile CPU 1.80GHz
> up 2 min, 1 user, load average: 1.68, 0.87, 0.33
> --
> "People sometimes think I'm gay because I once played a gay in a
> movie. It's funny. Audiences don't think you're a murderer if you
> play a murderer, but they do think you're gay if you play a gay."
>
> ~ Perry King
--
John Jolet
Your On-Demand IT Department
512-762-0729
www.jolet.net
john@jolet.net
* Re: [gentoo-user] Reaching my network over the internet
2005-10-16 16:59 [gentoo-user] Reaching my network over the internet Grant
2005-10-16 17:16 ` [gentoo-user] " Gabriel M. Beddingfield
@ 2005-10-17 1:18 ` Nick Rout
2005-10-17 1:27 ` Dave Nebinger
2005-12-29 17:28 ` Grant
1 sibling, 2 replies; 23+ messages in thread
From: Nick Rout @ 2005-10-17 1:18 UTC (permalink / raw
To: gentoo-user
no, you just type:
ssh my.network.com
Depending on your setup you will probably need to set your
firewall/router to forward port 22 to the machine you want to log into.
Also make sure your ssh server is set up securely.
On Sun, 16 Oct 2005 09:59:53 -0700
Grant wrote:
> Hello, I'd like to ssh into my network over the internet. Do I need
> to set up VPN for that? Can anyone point me in the right direction?
>
> - Grant
>
> --
> gentoo-user@gentoo.org mailing list
--
Nick Rout <nick@rout.co.nz>
* Re: [gentoo-user] Reaching my network over the internet
2005-10-17 1:18 ` [gentoo-user] " Nick Rout
@ 2005-10-17 1:27 ` Dave Nebinger
2005-10-17 2:21 ` Nick Rout
` (2 more replies)
2005-12-29 17:28 ` Grant
1 sibling, 3 replies; 23+ messages in thread
From: Dave Nebinger @ 2005-10-17 1:27 UTC (permalink / raw
To: gentoo-user
On Sunday 16 October 2005 09:18 pm, Nick Rout wrote:
> no, you just type:
>
> ssh my.network.com
>
> Depending on your setup you will probably need to set your
> firewall/router to forward port 22 to the machine you want to log into.
> Also make sure your ssh server is set up securely.
This last statement really needs to be highlighted for all of the newbies out
there...
Just opening port 22 will expose your system to attempted break-ins. If you
look at your authorize.log (or relevant log depending upon your syslog
config), you'll see after a couple of days different systems accessing ssh and
trying to log in as root and/or other users.
Unless you really feel comfortable with your own security infrastructure, your
best bet is to edit your /etc/ssh/sshd_config file and change the port number
to only something you'd think of in the higher range of port numbers.
It will still be open, you'll still be able to hit the box from anywhere
outside your network, but the different port number ensures that random port
scans and breakin attempts will be significantly lower than if you just tried
to use standard port #22.
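The log check Dave describes can be scripted. The following is an added example, not part of the original post: it assumes the message format OpenSSH's sshd writes to syslog, the sample lines are constructed (documentation IP ranges), and the threshold of 3 is an arbitrary choice.

```python
import re
from collections import Counter

# Constructed sample lines in sshd's syslog format; none come from the thread.
SAMPLE_LOG = """\
Oct 17 01:02:11 home sshd[4120]: Failed password for root from 203.0.113.7 port 40112 ssh2
Oct 17 01:02:14 home sshd[4122]: Failed password for root from 203.0.113.7 port 40115 ssh2
Oct 17 01:02:17 home sshd[4124]: Failed password for invalid user admin from 203.0.113.7 port 40119 ssh2
Oct 17 01:05:40 home sshd[4130]: Failed password for illegal user test from 198.51.100.23 port 51200 ssh2
Oct 17 03:11:02 home sshd[4188]: Failed password for backup from 198.51.100.77 port 33010 ssh2
Oct 17 03:11:09 home sshd[4190]: Accepted password for backup from 198.51.100.77 port 33014 ssh2
Oct 17 08:30:02 home sshd[4301]: Accepted publickey for grant from 192.0.2.50 port 50022 ssh2
"""

# The user name is chosen by the remote side, so match it greedily: the
# address is then always taken from the last " from <ip> port <n>" on the line.
# Both the "invalid user" and the older "illegal user" wording are accepted.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed \S+ for (?P<unknown>(?:invalid|illegal) user )?"
    r"(?P<user>.+) from (?P<ip>\S+) port \d+")
ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>.+) "
    r"from (?P<ip>\S+) port \d+")


def analyse(log_text):
    """Collect failed logins per source address, in log order."""
    sources = {}
    for line in log_text.splitlines():
        failed = FAILED.search(line)
        if failed:
            entry = sources.setdefault(failed["ip"], {
                "failures": 0, "users": Counter(), "unknown": 0, "accepted": []})
            entry["failures"] += 1
            entry["users"][failed["user"]] += 1
            if failed["unknown"]:
                entry["unknown"] += 1
            continue
        accepted = ACCEPTED.search(line)
        # Only a success that follows failures from the same address matters here.
        if accepted and accepted["ip"] in sources:
            sources[accepted["ip"]]["accepted"].append(
                (accepted["user"], accepted["method"]))
    return sources


def findings(sources, threshold=3):
    """Return (ip, failure_count, reasons) for every source worth a look."""
    result = []
    for ip, entry in sorted(sources.items(), key=lambda item: -item[1]["failures"]):
        reasons = []
        if entry["failures"] >= threshold:
            reasons.append("repeated failures")
        if entry["users"]["root"]:
            reasons.append("root targeted")
        if entry["unknown"]:
            reasons.append("nonexistent account tried")
        if entry["accepted"]:
            reasons.append("login accepted after failures")
        if reasons:
            result.append((ip, entry["failures"], reasons))
    return result


if __name__ == "__main__":
    for ip, count, reasons in findings(analyse(SAMPLE_LOG)):
        print(f"{ip:15} {count:3} failed  {', '.join(reasons)}")
```

Feed it the text of whichever file your syslog configuration sends sshd messages to. A source flagged "login accepted after failures" is the one to review first.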
* Re: [gentoo-user] Reaching my network over the internet
2005-10-17 1:27 ` Dave Nebinger
@ 2005-10-17 2:21 ` Nick Rout
2005-10-17 4:52 ` Heinz Sporn
2005-10-17 8:03 ` Neil Bothwick
2 siblings, 0 replies; 23+ messages in thread
From: Nick Rout @ 2005-10-17 2:21 UTC (permalink / raw
To: gentoo-user
On Sun, 16 Oct 2005 21:27:22 -0400
Dave Nebinger wrote:
> On Sunday 16 October 2005 09:18 pm, Nick Rout wrote:
> > no, you just type:
> >
> > ssh my.network.com
> >
> > Depending on your setup you will probably need to set your
> > firewall/router to forward port 22 to the machine you want to log into.
> > Also make sure your ssh server is set up securely.
>
> This last statement really needs to be highlighted for all of the newbies out
> there...
>
> Just opening port 22 will expose your system to attempted break-ins. If you
> look at your authorize.log (or relevant log depending upon your syslog
> config), you'll see after a couple of days different systems accessing ssh and
> trying to log in as root and/or other users.
>
> Unless you really feel comfortable with your own security infrastructure, your
> best bet is to edit your /etc/ssh/sshd_config file and change the port number
> to only something you'd think of in the higher range of port numbers.
Yes or just leave it where it is on that box and get your firewall to
forward your high port to port 22 on the machine you want to log into.
>
> It will still be open, you'll still be able to hit the box from anywhere
> outside your network, but the different port number ensures that random port
> scans and breakin attempts will be significantly lower than if you just tried
> to use standard port #22.
> --
> gentoo-user@gentoo.org mailing list
--
Nick Rout <nick@rout.co.nz>
* Re: [gentoo-user] Reaching my network over the internet
2005-10-17 1:27 ` Dave Nebinger
2005-10-17 2:21 ` Nick Rout
@ 2005-10-17 4:52 ` Heinz Sporn
2005-10-17 8:03 ` Neil Bothwick
2 siblings, 0 replies; 23+ messages in thread
From: Heinz Sporn @ 2005-10-17 4:52 UTC (permalink / raw
To: gentoo-user
On Sunday, 16.10.2005, at 21:27 -0400, Dave Nebinger wrote:
> On Sunday 16 October 2005 09:18 pm, Nick Rout wrote:
> > no, you just type:
> >
> > ssh my.network.com
> >
> > Depending on your setup you will probably need to set your
> > firewall/router to forward port 22 to the machine you want to log into.
> > Also make sure your ssh server is set up securely.
>
> This last statement really needs to be highlighted for all of the newbies out
> there...
>
> Just opening port 22 will expose your system to attempted break-ins. If you
> look at your authorize.log (or relevant log depending upon your syslog
> config), you'll see after a couple of days different systems accessing ssh and
> trying to log in as root and/or other users.
Just wanted to second that strongly. I'm hooking up firewalls to the net
pretty much on a daily basis. The average time it takes until the first
random port scan hits a brand new box is 15 seconds - at least within
the areas my customers reside. BTW my highscore is 2 seconds ;-)
So running SSH on high-ports plus using RSA for me is pretty much a
must. Anyway - the preferred way to remotely access a box should be via
VPN IMHO.
>
> Unless you really feel comfortable with your own security infrastructure, your
> best bet is to edit your /etc/ssh/sshd_config file and change the port number
> to only something you'd think of in the higher range of port numbers.
>
> It will still be open, you'll still be able to hit the box from anywhere
> outside your network, but the different port number ensures that random port
> scans and breakin attempts will be significantly lower than if you just tried
> to use standard port #22.
--
Kind regards
Heinz Sporn
SPORN it-freelancing
Mobile: ++43 (0)699 / 127 827 07
Email: heinz.sporn@sporn-it.com
heinz.sporn@utanet.at
Website: http://www.sporn-it.com
Snail: Steyrer Str. 20
A-4540 Bad Hall
Austria / Europe
* Re: [gentoo-user] Reaching my network over the internet
2005-10-17 1:27 ` Dave Nebinger
2005-10-17 2:21 ` Nick Rout
2005-10-17 4:52 ` Heinz Sporn
@ 2005-10-17 8:03 ` Neil Bothwick
2 siblings, 0 replies; 23+ messages in thread
From: Neil Bothwick @ 2005-10-17 8:03 UTC (permalink / raw
To: gentoo-user
[-- Attachment #1: Type: text/plain, Size: 455 bytes --]
On Sun, 16 Oct 2005 21:27:22 -0400, Dave Nebinger wrote:
> Unless you really feel comfortable with your own security
> infrastructure, your best bet is to edit your /etc/ssh/sshd_config file
> and change the port number to only something you'd think of in the
> higher range of port numbers.
Disabling password logins will also help, although it is not practical
for everyone.
--
Neil Bothwick
How is it possible to have a civil war?
[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]
* Re: [gentoo-user] Re: Reaching my network over the internet
2005-10-17 0:32 ` John Jolet
@ 2005-10-17 8:09 ` Jonathan Wright
2005-10-20 15:37 ` Grant
2005-12-29 23:23 ` Ryan Viljoen
0 siblings, 2 replies; 23+ messages in thread
From: Jonathan Wright @ 2005-10-17 8:09 UTC (permalink / raw
To: gentoo-user
John Jolet wrote:
>>Why go through all the hassle of setting up a VPN when you can use SSH to
>>provide a secure tunnel into the network and use that instead? Works
>>fine for me.
>>
>># ssh -L5900:hostname:5900 username@hostname.tld
>># vncviewer localhost:0
>
> Okay, now show me the instance where you want box->internet->box->vnc server.
That does provide a tunnel between two boxes. It's quick and simple to
set up and can be used by any ssh client, regardless of the system.
Whether you're on Unix or Linux. You can even do it using Windows using
PuTTY.
It's good to know in case you need access but don't have a box that
can't do VPN, or there's a problem with the VPN.
If you want to open it up for some reason to another box, you can use
the gateway switch (-g) and SSH will listen to all incoming connections
on that port on the remote computer.
# ssh -g -L5900:remote:5900 username@server:port
> If you set up openvpn on your ssh server, you easily can tunnel across it.
> Doing that with ssh would add another tunnel. Takes 5 minutes to set up.
I'm not disagreeing with you, but a VPN can add a whole level of
complexity and setup, whereas if you just want to remotely access a VNC
server across the Internet, SSH works great and has added security built in.
If you want to access more than VPN, i.e. SMB, or need the remote
computer to 'appear' on the local network for some reason, VPN is fine -
go ahead and use it.
KISS - keep it short and simple.
--
Jonathan Wright ~ mail at djnauk.co.uk
~ www.djnauk.co.uk
--
2.6.13-gentoo-r3-djnauk-b2 AMD Athlon(tm) XP 2100+
up 1 day, 21:39, 0 users, load average: 0.64, 0.46, 0.33
--
"My mother took me to a psychiatrist when I was fifteen because
she thought I was a latent homosexual. There was nothing latent
about it."
~ Amanda Bearse
* Re: [gentoo-user] Re: Reaching my network over the internet
2005-10-17 8:09 ` Jonathan Wright
@ 2005-10-20 15:37 ` Grant
2005-12-29 23:23 ` Ryan Viljoen
1 sibling, 0 replies; 23+ messages in thread
From: Grant @ 2005-10-20 15:37 UTC (permalink / raw
To: gentoo-user
> >>Why go through all the hassle of setting up a VPN when you can use SSH to
> >>provide a secure tunnel into the network and use that instead? Works
> >>fine for me.
> >>
> >># ssh -L5900:hostname:5900 username@hostname.tld
> >># vncviewer localhost:0
> >
> > Okay, now show me the instance where you want box->internet->box->vnc server.
>
> That does provide a tunnel between two boxes. It's quick and simple to
> set up and can be used by any ssh client, regardless of the system.
> Whether you're on Unix or Linux. You can even do it using Windows using
> PuTTY.
>
> It's good to know in case you need access but don't have a box that
> can't do VPN, or there's a problem with the VPN.
>
> If you want to open it up for some reason to another box, you can use
> the gateway switch (-g) and SSH will listen to all incoming connections
> on that port on the remote computer.
>
> # ssh -g -L5900:remote:5900 username@server:port
>
> > If you set up openvpn on your ssh server, you easily can tunnel across it.
> > Doing that with ssh would add another tunnel. Takes 5 minutes to set up.
>
> I'm not disagreeing with you, but a VPN can add a whole level of
> complexity and setup, whereas if you just want to remotely access a VNC
> server across the Internet, SSH works great and has added security built in.
>
> If you want to access more than VPN, i.e. SMB, or need the remote
> computer to 'appear' on the local network for some reason, VPN is fine -
> go ahead and use it.
>
> KISS - keep it short and simple.
>
> --
> Jonathan Wright ~ mail at djnauk.co.uk
Ok, thanks for the help everyone!
- Grant
* Re: [gentoo-user] Reaching my network over the internet
2005-10-17 1:18 ` [gentoo-user] " Nick Rout
2005-10-17 1:27 ` Dave Nebinger
@ 2005-12-29 17:28 ` Grant
2005-12-29 20:19 ` Stroller
1 sibling, 1 reply; 23+ messages in thread
From: Grant @ 2005-12-29 17:28 UTC (permalink / raw
To: gentoo-user
> > Hello, I'd like to ssh into my network over the internet. Do I need
> > to set up VPN for that? Can anyone point me in the right direction?
> >
> > - Grant
>
> no, you just type:
>
> ssh my.network.com
>
> Depending on your setup you will probably need to set your
> firewall/router to forward port 22 to the machine you want to log into.
> Also make sure your ssh server is set up securely.
I really don't have any idea where to start here. Does anyone know of
an online guide (preferably in Gentoo context) that would help?
- Grant
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 17:28 ` Grant
@ 2005-12-29 20:19 ` Stroller
2005-12-29 21:51 ` Robin
2005-12-29 22:30 ` Grant
0 siblings, 2 replies; 23+ messages in thread
From: Stroller @ 2005-12-29 20:19 UTC (permalink / raw
To: gentoo-user
On 29 Dec 2005, at 17:28, Grant wrote:
>> ... you just type:
>>
>> ssh my.network.com
>>
>> Depending on your setup you will probably need to set your
>> firewall/router to forward port 22 to the machine you want to log
>> into.
>> Also make sure your ssh server is set up securely.
>
> I really don't have any idea where to start here. Does anyone know of
> an online guide (preferably in Gentoo context) that would help?
How is your network connected to the internet?
http://www.google.com/search?ie=utf8&oe=utf8&q=port+forwarding
The first link looks fairly useful.
Stroller.
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 20:19 ` Stroller
@ 2005-12-29 21:51 ` Robin
2005-12-29 22:30 ` Grant
1 sibling, 0 replies; 23+ messages in thread
From: Robin @ 2005-12-29 21:51 UTC (permalink / raw
To: gentoo-user
If you are looking to reach your gentoo computer, consider sshd. You
can search the gentoo wiki for help docs for setup and usage.
http://www.gentoo-wiki.com
On 12/29/05, Stroller <stroller@stellar.eclipse.co.uk> wrote:
>
> On 29 Dec 2005, at 17:28, Grant wrote:
> >> ... you just type:
> >>
> >> ssh my.network.com
> >>
> >> Depending on your setup you will probably need to set your
> >> firewall/router to forward port 22 to the machine you want to log
> >> into.
> >> Also make sure your ssh server is set up securely.
> >
> > I really don't have any idea where to start here. Does anyone know of
> > an online guide (preferably in Gentoo context) that would help?
>
>
> How is your network connected to the internet?
>
> http://www.google.com/search?ie=utf8&oe=utf8&q=port+forwarding
>
> The first link looks fairly useful.
>
> Stroller.
>
> --
> gentoo-user@gentoo.org mailing list
>
>
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 20:19 ` Stroller
2005-12-29 21:51 ` Robin
@ 2005-12-29 22:30 ` Grant
2005-12-29 22:42 ` Stroller
1 sibling, 1 reply; 23+ messages in thread
From: Grant @ 2005-12-29 22:30 UTC (permalink / raw
To: gentoo-user
> >> ... you just type:
> >>
> >> ssh my.network.com
> >>
> >> Depending on your setup you will probably need to set your
> >> firewall/router to forward port 22 to the machine you want to log
> >> into.
> >> Also make sure your ssh server is set up securely.
> >
> > I really don't have any idea where to start here. Does anyone know of
> > an online guide (preferably in Gentoo context) that would help?
>
>
> How is your network connected to the internet?
>
> http://www.google.com/search?ie=utf8&oe=utf8&q=port+forwarding
>
> The first link looks fairly useful.
>
> Stroller.
That helped a lot. I have a high-number port on the router forwarding
to one of my systems. How can I access the forwarded-to service from
a random point on the Internet? I need something static to represent
my router on the Internet. I've tried using the IP address that is
used for me externally when I'm browsing but it doesn't work. I use
cable internet service and I think that IP address is used for many
different customers.
- Grant
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 22:30 ` Grant
@ 2005-12-29 22:42 ` Stroller
2005-12-29 23:13 ` Grant
` (2 more replies)
0 siblings, 3 replies; 23+ messages in thread
From: Stroller @ 2005-12-29 22:42 UTC (permalink / raw
To: gentoo-user
On 29 Dec 2005, at 22:30, Grant wrote:
>>
>> How is your network connected to the internet?
>>
>> http://www.google.com/search?ie=utf8&oe=utf8&q=port+forwarding
>>
>> The first link looks fairly useful.
>>
>> Stroller.
>
> That helped a lot. I have a high-number port on the router forwarding
> to one of my systems. How can I access the forwarded-to service from
> a random point on the Internet? I need something static to represent
> my router on the Internet. I've tried using the IP address that is
> used for me externally when I'm browsing but it doesn't work. I use
> cable internet service and I think that IP address is used for many
> different customers.
I have heard of ISPs NATting their customers, but I think it would be
pretty unusual these days. Does the high-port forward to port 22 on
your PC? Or is the PC listening for ssh? See /etc/ssh/sshd_config for
that one.
How are you testing ssh'ing to your external IP address? Doing so
from inside the LAN won't work - you're better port-scanning yourself
by visiting Shields Up! at http://grc.com
You can get a hostname which will resolve to your dynamic IP at
http://dyndns.com - there are some free utilities which you can run
to do the updating.
Stroller.
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 22:42 ` Stroller
@ 2005-12-29 23:13 ` Grant
2005-12-29 23:18 ` Grant
2005-12-29 23:26 ` Ryan Viljoen
2 siblings, 0 replies; 23+ messages in thread
From: Grant @ 2005-12-29 23:13 UTC (permalink / raw
To: gentoo-user
> >> How is your network connected to the internet?
> >>
> >> http://www.google.com/search?ie=utf8&oe=utf8&q=port+forwarding
> >>
> >> The first link looks fairly useful.
> >>
> >> Stroller.
> >
> > That helped a lot. I have a high-number port on the router forwarding
> > to one of my systems. How can I access the forwarded-to service from
> > a random point on the Internet? I need something static to represent
> > my router on the Internet. I've tried using the IP address that is
> > used for me externally when I'm browsing but it doesn't work. I use
> > cable internet service and I think that IP address is used for many
> > different customers.
>
> I have heard of ISPs NATting their customers, but I think it would be
> pretty unusual these days. Does the high-port forward to port 22 on
> your PC? Or is the PC listening for ssh? See /etc/ssh/sshd_config for
> that one.
>
> How are you testing ssh'ing to your external IP address? Doing so
> from inside the LAN won't work - you're better port-scanning yourself
> by visiting Shields Up! at http://grc.com
>
> You can get a hostname which will resolve to your dynamic IP at
> http://dyndns.com - there are some free utilities which you can run
> to do the updating.
>
> Stroller.
I had that screwed up. I was using /etc/ssh/ssh_config instead of
sshd_config. So I should leave ssh_config alone?
Working great now!
- Grant
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 22:42 ` Stroller
2005-12-29 23:13 ` Grant
@ 2005-12-29 23:18 ` Grant
2005-12-30 0:16 ` Stroller
2005-12-29 23:26 ` Ryan Viljoen
2 siblings, 1 reply; 23+ messages in thread
From: Grant @ 2005-12-29 23:18 UTC (permalink / raw
To: gentoo-user
> >> How is your network connected to the internet?
> >>
> >> http://www.google.com/search?ie=utf8&oe=utf8&q=port+forwarding
> >>
> >> The first link looks fairly useful.
> >>
> >> Stroller.
> >
> > That helped a lot. I have a high-number port on the router forwarding
> > to one of my systems. How can I access the forwarded-to service from
> > a random point on the Internet? I need something static to represent
> > my router on the Internet. I've tried using the IP address that is
> > used for me externally when I'm browsing but it doesn't work. I use
> > cable internet service and I think that IP address is used for many
> > different customers.
>
> I have heard of ISPs NATting their customers, but I think it would be
> pretty unusual these days. Does the high-port forward to port 22 on
> your PC? Or is the PC listening for ssh? See /etc/ssh/sshd_config for
> that one.
>
> How are you testing ssh'ing to your external IP address? Doing so
> from inside the LAN won't work - you're better port-scanning yourself
> by visiting Shields Up! at http://grc.com
>
> You can get a hostname which will resolve to your dynamic IP at
> http://dyndns.com - there are some free utilities which you can run
> to do the updating.
>
> Stroller.
Also, what should I do about securing ssh? I'm using a high port
number. Is there other special configuration I should be using? I'm
using the standard sshd_config except for the high port number
specification.
- Grant
* Re: [gentoo-user] Re: Reaching my network over the internet
2005-10-17 8:09 ` Jonathan Wright
2005-10-20 15:37 ` Grant
@ 2005-12-29 23:23 ` Ryan Viljoen
1 sibling, 0 replies; 23+ messages in thread
From: Ryan Viljoen @ 2005-12-29 23:23 UTC (permalink / raw
To: gentoo-user
> KISS - keep it short and simple.
Doesn't that also stand for "keep it simple stupid"!?
You can also use port knocking for additional security for SSH. I don't
know anything about VPN so I won't comment.
--
Ryan Viljoen Bsc(Eng) (Electrical)
"When you say "I wrote a program that crashed Windows", people just
stare at you blankly and say "Hey, I got those with the system, for
free". - Linus Torvalds, 1995
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 22:42 ` Stroller
2005-12-29 23:13 ` Grant
2005-12-29 23:18 ` Grant
@ 2005-12-29 23:26 ` Ryan Viljoen
2 siblings, 0 replies; 23+ messages in thread
From: Ryan Viljoen @ 2005-12-29 23:26 UTC (permalink / raw
To: gentoo-user
> You can get a hostname which will resolve to your dynamic IP at
> http://dyndns.com - there are some free utilities which you can run
> to do the updating.
There is also no-ip.com; both no-ip and dyndns update clients are in
the portage tree, so no worries there. Sorry for the repetitive mail.
--
Ryan Viljoen Bsc(Eng) (Electrical)
"When you say "I wrote a program that crashed Windows", people just
stare at you blankly and say "Hey, I got those with the system, for
free". - Linus Torvalds, 1995
* Re: [gentoo-user] Reaching my network over the internet
2005-12-29 23:18 ` Grant
@ 2005-12-30 0:16 ` Stroller
0 siblings, 0 replies; 23+ messages in thread
From: Stroller @ 2005-12-30 0:16 UTC (permalink / raw
To: gentoo-user
On 29 Dec 2005, at 23:18, Grant wrote:
>
> Also, what should I do about securing ssh? I'm using a high port
> number. Is there other special configuration I should be using? I'm
> using the standard sshd_config except for the high port number
> specification.
Using a high port number isn't terribly helpful - it's just security
through obscurity and if someone were to port-scan you with all
nmap's options turned on they'd surely figure out you were running
ssh on that port.
Since SSH is encrypted there's not much you need to do to secure it.
I disable root logins via ssh with "PermitRootLogin no" to save the
password of one known account from being guessable or brute forced.
If you want to be paranoid you can restrict logins to known keys, I
think. A bit of homework will tell you more about that - I usually
just add known secure machines to ~/.ssh/authorized_keys2 to save me
typing a password when shelling around my LAN & stuff.
Stroller.
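The sshd_config settings raised in this thread (PermitRootLogin, password logins, the port) can be checked mechanically. This is an added example, not from any poster: the sample file is constructed, the audit rules are this example's own, and it relies on sshd using the first value it reads for a keyword, which is why a line appended at the end can have no effect.

```python
import re

# Constructed sample sshd_config, not taken from the thread.
SAMPLE_CONFIG = """\
# /etc/ssh/sshd_config (the server's file; ssh_config belongs to the client)
Port 50022
PermitRootLogin no
PasswordAuthentication yes
# appended later by hand, expecting it to override the line above:
PasswordAuthentication no
"""

# Values this example looks for, following the suggestions in the thread.
WANTED = {
    "permitrootlogin": "no",         # no direct root logins
    "passwordauthentication": "no",  # key-only logins
}


def parse_sshd_config(text):
    """Parse the global section of an sshd_config.

    Returns (effective, shadowed, ports):
      effective: keyword -> (value, line number) of the first occurrence
      shadowed:  (keyword, value, line number) for later occurrences
      ports:     every Port value (Port may be given more than once)
    """
    effective, shadowed, ports = {}, [], []
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        keyword = parts[0].lower()  # keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break  # conditional blocks are outside the scope of this example
        if keyword == "port":
            ports.append(value)
        elif keyword in effective:
            shadowed.append((keyword, value, number))
        else:
            effective[keyword] = (value, number)
    return effective, shadowed, ports


def audit(text):
    """Return (findings, ports); each finding is (keyword, value, message)."""
    effective, shadowed, ports = parse_sshd_config(text)
    findings = []
    for keyword, wanted in WANTED.items():
        value, number = effective.get(keyword, (None, None))
        if value is None:
            findings.append((keyword, None,
                             "not set; built-in default applies, check with 'sshd -T'"))
        elif value.lower() != wanted:
            findings.append((keyword, value, f"line {number}: expected '{wanted}'"))
    for keyword, value, number in shadowed:
        if keyword in WANTED and value != effective[keyword][0]:
            findings.append((keyword, value,
                             f"line {number} is ignored; line "
                             f"{effective[keyword][1]} was read first"))
    return findings, (ports or ["22"])  # 22 is the default when Port is absent


if __name__ == "__main__":
    results, listening = audit(SAMPLE_CONFIG)
    print("ports:", ", ".join(listening))
    for keyword, value, message in results:
        print(f"{keyword}: {value!r} -> {message}")
```

Running `sshd -T` as root on the server prints the configuration sshd actually ends up with, which is the authoritative check.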