FC6 VPN

Donald Tripp dtripp at hawaii.edu
Tue Dec 19 22:33:16 UTC 2006


What exactly do you need to connect to on the Linux server? Anytime you
make a connection between two computers you are using a TCP/IP port. SSH
allows you to forward any local port to any remote port. If you need to
connect to, say, a Windows share (Samba in the Linux world), you would
forward your local port to the Linux server through the SSH tunnel. Sure,
this isn't a true VPN, where you would time // remote_server, but it's
still friendly to use and secure.


- Donald Tripp
  dtripp at hawaii.edu
----------------------------------------------
HPC Systems Administrator
High Performance Computing Center
University of Hawai'i at Hilo
200 W. Kawili Street
Hilo,   Hawaii   96720
http://www.hpc.uhh.hawaii.edu


On Dec 19, 2006, at 12:13 PM, Jim Douglas wrote:

>> From: James Wilkinson <fedora at aprilcottage.co.uk>
>> Reply-To: For users of Fedora <fedora-list at redhat.com>
>> To: fedora-list at redhat.com
>> Subject: Re: FC6 VPN
>> Date: Tue, 19 Dec:23:23 +0000
>>
>> Jim Douglas wrote:
>>
>> > VPN w/ SSH is overkill I think, all I need is to securely access a remote
>> > box...from Windows Client -> Linux Server.
>>
>> Very often that will involve PuTTY. PuTTY also makes tunnelling very
>> easy, and is a *very* good terminal emulator.
>>
>> > I think I found the answer,
>> > http://freenx.berlios.de/
>> >
>> > I have SSH up and running, anyone have any good links to securing my SSH
>> > configuration?
>>
>> 1. Stick to SSH 2 (in /etc/ssh/sshd_config, use the Protocol keyword)
>> 2. Set up private keys and disable password-based logins
>> 3. Changing the port that SSH listens on will not deter a determined
>>    attacker, but may help you work out that you've got a determined
>>    attacker.
>> 4. Make sure you run yum update regularly.
>> 5. Use AllowUsers or AllowGroups to limit which users can log on
>>    remotely. Don't allow direct root logins -- get users to login as
>>    themselves and su - (this means attackers have to work out which
>>    usernames are valid).
>> 6. If you must use passwords, make sure they're not dictionary words and
>>    include at least one (better, several) numbers or symbols.
>> 7. Distribute the server public keys via trusted networks -- don't trust
>>    the client's ability to "learn" the server's key when it first
>>    connects, since you don't know that the remote computer really *is*
>>    your server.
>>
>> But really, there's not much securing needed with SSH. It's only really
>> vulnerable to a security bug at either end, a dictionary attack, a
>> man-in-the-middle attack during the first connection, or some new,
>> unknown mathematics.
>>
>> Hope this helps,
>>
>> James.
>>
>> --
>> E-mail:     james@ | For every complex problem, there is a solution that is
>> aprilcottage.co.uk | simple, neat, and wrong.
>>
>> --
>> fedora-list mailing list
>> fedora-list at redhat.com
>> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
>
>
> I saw PuTTY, it won't do everything I need....thanks for the feedback,
>
> One final question...
>
> I can connect to port 22 inside the firewall and I don't want to create any
> holes.  Can you see any problems with adding this to iptables?
>
> iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
>

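An added example, not from any of the posts above, of the port forwarding Donald describes: the OpenSSH client command that carries an SMB share through the tunnel (PuTTY's Tunnels page sets up the same forward), plus an awk check over an "ss -ltn" or "netstat -ltn" listing that the local end of the tunnel is bound to loopback only, which is what keeps the forward from becoming a hole for the rest of the LAN. "user@fileserver", local port 4450 and the listener lines in the usage are placeholders I made up.

```shell
#!/bin/sh
# Added example, not from the thread: forward an SMB share through SSH and
# check that the local end of the tunnel is bound to loopback only.
# 'user@fileserver', port 4450 and the sample listener lines are placeholders.

# tunnel_cmd LOCAL_PORT REMOTE_HOST REMOTE_PORT SSH_TARGET
# Prints the OpenSSH client command that makes 127.0.0.1:LOCAL_PORT on this
# machine reach REMOTE_HOST:REMOTE_PORT as seen from SSH_TARGET.
#  - the explicit 127.0.0.1 bind keeps the forward off the LAN (-g or
#    GatewayPorts would expose it to anyone who can reach this host)
#  - ExitOnForwardFailure makes ssh exit instead of silently running without
#    the forward when LOCAL_PORT is already taken
#  - StrictHostKeyChecking=yes refuses a host key that is not already in
#    known_hosts rather than "learning" it on first contact (item 7 above)
#  - -N opens no shell, so the session exists only for the forward
tunnel_cmd() {
    printf 'ssh -N -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$1" "$2" "$3" "$4"
}

# loopback_only PORT   (reads an 'ss -ltn' or 'netstat -ltn' listing on stdin)
# Exits 0 when PORT has at least one listener and every listener on it is
# bound to a loopback address; exits 1 if nothing listens there or if any
# listener sits on 0.0.0.0, *, :: or a LAN address.  Column 4 is the local
# address in both tools' output, so the same parser serves either.
loopback_only() {
    awk -v port="$1" '
        $4 ~ (":" port "$") {
            seen++
            if ($4 !~ /^(127\.[0-9.]+|\[?::1\]?|localhost):/) exposed++
        }
        END { exit (seen == 0 || exposed > 0) ? 1 : 0 }
    '
}

# check_tunnel LOCAL_PORT -> runs loopback_only against the live socket table
check_tunnel() {
    if command -v ss >/dev/null 2>&1; then ss -ltn; else netstat -ltn; fi \
        | loopback_only "$1"
}

# Typical use, on the SSH client:
#   $(tunnel_cmd 4450 127.0.0.1 445 user@fileserver) &
#   check_tunnel 4450 && echo "tunnel is bound to loopback only"
```

The check matters because a forward set up with -g, or with GatewayPorts turned on in the client config, listens on every interface, and a share that was meant to be private to the tunnel is then reachable by anyone on the local network.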
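A check for James's list, as an added example rather than anything posted to the thread: a sh/awk audit of sshd_config for items 1, 2 and 5 (Protocol 2, keys instead of passwords, no direct root login, AllowUsers/AllowGroups), plus the one caveat that bites on Fedora, which is that with UsePAM on, ChallengeResponseAuthentication must also be "no" or PAM still accepts a password over keyboard-interactive. The two sample configs the script writes are constructed for the demonstration, not taken from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the list
# above (items 1, 2 and 5).  Plain sh + awk, so it runs on an FC6 host.
# The sample configs written by write_samples are constructed, not real.

# sshd_setting FILE KEYWORD -> prints the effective value of KEYWORD ("" if
# unset).  sshd honours the FIRST uncommented occurrence of a keyword, and
# anything after a "Match" line is conditional, so the scan stops there.
# Keyword matching is case-insensitive, as in sshd itself.
sshd_setting() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one finding per line, returns the count
# (0 means nothing to report)
audit_sshd_config() {
    file="$1"; findings=0
    flag() { echo "$file: $1"; findings=$((findings + 1)); }

    proto=$(sshd_setting "$file" Protocol)
    case "$proto" in
        2)  ;;
        "") flag "Protocol unset: state 'Protocol 2' explicitly" ;;
        *)  flag "Protocol '$proto' still offers SSH-1" ;;
    esac

    [ "$(sshd_setting "$file" PasswordAuthentication)" = "no" ] \
        || flag "PasswordAuthentication should be 'no' once keys are in place"
    [ "$(sshd_setting "$file" ChallengeResponseAuthentication)" = "no" ] \
        || flag "ChallengeResponseAuthentication should be 'no' too, or PAM still takes passwords"
    [ "$(sshd_setting "$file" PubkeyAuthentication)" != "no" ] \
        || flag "PubkeyAuthentication is disabled"
    [ "$(sshd_setting "$file" PermitRootLogin)" = "no" ] \
        || flag "PermitRootLogin should be 'no' (log in as yourself, then su -)"
    [ -n "$(sshd_setting "$file" AllowUsers)$(sshd_setting "$file" AllowGroups)" ] \
        || flag "no AllowUsers/AllowGroups: every local account is a login target"

    return $findings
}

# write_samples -> writes two constructed configs to a temp dir, prints the dir
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/weak" <<'EOF'
# looks tidy, but still offers SSH-1, takes passwords and leaves root open
Protocol 2,1
PasswordAuthentication yes
#PermitRootLogin no
UsePAM yes
EOF
    cat > "$dir/hardened" <<'EOF'
Protocol 2
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
AllowGroups sshusers
EOF
    echo "$dir"
}

# Usage on the server itself:
#   audit_sshd_config /etc/ssh/sshd_config; echo "findings: $?"
```

Run it against the hardened sample and it is silent; against the weak one it reports the SSH-1 offer, the password login, the missing ChallengeResponseAuthentication, the commented-out PermitRootLogin and the absent AllowUsers/AllowGroups. Changing Port, item 3 in the list, is deliberately not scored: it is a noise filter, not a control.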