Comments on: Secure Remote Access from Your Desktop http://www.linux-mag.com/id/4523/ Open Source, Open Standards Sat, 05 Oct 2013 13:48:18 +0000 hourly 1 http://wordpress.org/?v=3.1 By: mbaker1020 http://www.linux-mag.com/id/4523/#comment-4882 mbaker1020 Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4882 Thanks - clear and to the point Thanks – clear and to the point

]]> By: donatello http://www.linux-mag.com/id/4523/#comment-4883 donatello Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4883 Most home networks that connect to the internet via broadband ISPs (at least in India) these days seem to be behind IP masquerading gateways. So, there is no real way to connect to connect to your home network right? Most home networks that connect to the internet via broadband ISPs (at least in India) these days seem to be behind IP masquerading gateways. So, there is no real way to connect to connect to your home network right?

]]> By: tirili http://www.linux-mag.com/id/4523/#comment-4884 tirili Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4884 donatello, if you look at my article at <a href="http://inhalt.serviert.de/wissen/security/ssh/reverse_tunnel" rel="nofollow">inhalt.serviert.de</a><br /> you see that this might not be a restriction if you use the feature of SSH Reverse Tunneling.<br /> Any further Questions via <a href="www.tiri.li" rel="nofollow">tiri.li - our company</a>. donatello, if you look at my article at inhalt.serviert.de
you see that this might not be a restriction if you use the feature of SSH Reverse Tunneling.
Any further Questions via tiri.li – our company.

]]> By: gsruiz http://www.linux-mag.com/id/4523/#comment-4885 gsruiz Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4885 To prevent brute force attacks on the SSH server, I would recommend to change the default port 22 to something like, for example, port 2002. Also, you need to make sure that root access is disabled via ssh and use public/private key pair authentication instead of encrypted plain passwords to access the server remotely... My two cents... To prevent brute force attacks on the SSH server, I would recommend to change the default port 22 to something like, for example, port 2002. Also, you need to make sure that root access is disabled via ssh and use public/private key pair authentication instead of encrypted plain passwords to access the server remotely… My two cents…

]]> By: sigmon http://www.linux-mag.com/id/4523/#comment-4886 sigmon Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4886 When I allow SSH into by Debian box every once in a while, it only takes 8 hours before the brute force attacks show up. I'd very very learly opening up 22. I like the idea of changing the port to something else. The bad guys will eventually find it, but if you only need it for a couple of days..... When I allow SSH into by Debian box every once in a while, it only takes 8 hours before the brute force attacks show up. I’d very very learly opening up 22. I like the idea of changing the port to something else. The bad guys will eventually find it, but if you only need it for a couple of days…..

]]> By: srart http://www.linux-mag.com/id/4523/#comment-4887 srart Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4887 for you folks with brute force attacks on you ssh servers, try a nice little program called denyhosts it's a python program, very easy to setup, and it's aptitude (or apt-get) gettable from debian's main repository<br /> <br /> Description: an utility to help sys admins thwart ssh hackers<br /> DenyHosts is a program that automatically blocks ssh brute-force attacks by<br /> adding entries to /etc/hosts.deny. It will also inform Linux administrators<br /> about offending hosts, attacked users and suspicious logins. <br /> <br /> Syncronization with a central server is possible too. <br /> <br /> Differently from other software that do same work, denyhosts doesn't need<br /> support for packet filtering or any other kind of firewall in your kernel<br /> <br /> Tags: admin::configuring, admin::logging, implemented-in::python,<br /> interface::daemon, protocol::ssh, role::program, scope::utility,<br /> security::forensics for you folks with brute force attacks on you ssh servers, try a nice little program called denyhosts it’s a python program, very easy to setup, and it’s aptitude (or apt-get) gettable from debian’s main repository

Description: an utility to help sys admins thwart ssh hackers
DenyHosts is a program that automatically blocks ssh brute-force attacks by
adding entries to /etc/hosts.deny. It will also inform Linux administrators
about offending hosts, attacked users and suspicious logins.

Syncronization with a central server is possible too.

Differently from other software that do same work, denyhosts doesn’t need
support for packet filtering or any other kind of firewall in your kernel

Tags: admin::configuring, admin::logging, implemented-in::python,
interface::daemon, protocol::ssh, role::program, scope::utility,
security::forensics

]]> By: geertvc http://www.linux-mag.com/id/4523/#comment-4888 geertvc Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4888 Title of Figure Three should be:<br /> <br /> "How to configure a session in Putty", not "FreeNx".<br /> <br /> Next to this, it would have been nice if there was also explained how to set up a public/private key using Putty and Puttygen (the app from the Putty suite that allows you to generate both the private and public keys).<br /> <br /> Otherwise, nice article and overview! Title of Figure Three should be:

“How to configure a session in Putty”, not “FreeNx”.

Next to this, it would have been nice if there was also explained how to set up a public/private key using Putty and Puttygen (the app from the Putty suite that allows you to generate both the private and public keys).

Otherwise, nice article and overview!

]]> By: xjlittle http://www.linux-mag.com/id/4523/#comment-4889 xjlittle Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4889 donatello,<br /> <br /> I am firewalled with masquerading using iptables. Most firewalls allow port forwarding. Simply forward the ssh port that you are using to the ssh server to which you want to connect. That way you can log into your network and then ssh to any of the other computers that you need to access. donatello,

I am firewalled with masquerading using iptables. Most firewalls allow port forwarding. Simply forward the ssh port that you are using to the ssh server to which you want to connect. That way you can log into your network and then ssh to any of the other computers that you need to access.

]]> By: wcw http://www.linux-mag.com/id/4523/#comment-4890 wcw Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4890 Thanks! It's very useful. Thanks! It’s very useful.

]]> By: kuri0s http://www.linux-mag.com/id/4523/#comment-4891 kuri0s Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4891 Hi,<br /> <br /> About changing the port number... Is there a real threat in brute-force atacks trhough ssh? I mean if you have a strong md5 password, nobody knows your username and root access is denied... By the other side, unless you have tons of ports opened (which is the least probable in a secured system) you can figure out the ssh port in less than a minute. In my opinion, that is pointless.<br /> <br /> By the way, I use<br /> <br /> x11vnc -usepw -display :0<br /> <br /> to stablish a tunneled vnc connection to my default KDM opened X-session.<br /> <br /> Thank you, very nice article. Hi,

About changing the port number… Is there a real threat in brute-force atacks trhough ssh? I mean if you have a strong md5 password, nobody knows your username and root access is denied… By the other side, unless you have tons of ports opened (which is the least probable in a secured system) you can figure out the ssh port in less than a minute. In my opinion, that is pointless.

By the way, I use

x11vnc -usepw -display :0

to stablish a tunneled vnc connection to my default KDM opened X-session.

Thank you, very nice article.

]]> By: yossis http://www.linux-mag.com/id/4523/#comment-4892 yossis Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4892 Thx All Very Useful Thx All Very Useful

]]> By: verinux http://www.linux-mag.com/id/4523/#comment-4893 verinux Wed, 30 Nov -0001 00:00:00 +0000 http://www.linux-mag.com/id/4523/#comment-4893 Here is the script that I use to connect to my client.<br /> <br /> #!/bin/sh<br /> <br /> # $REMOTE_HOST is the name of the remote system<br /> CLIENT=linux.client.com<br /> <br /> # $REMOTE_PORT is the remote port number that will be used to tunnel<br /> # back to this system<br /> REMOTE_PORT=5000<br /> <br /> # $COMMAND is the command used to create the reverse ssh tunnel<br /> COMMAND="ssh -N -R $REMOTE_PORT:localhost:22 $CLIENT"<br /> <br /> # Is the tunnel up? Perform two tests:<br /> <br /> # 1. Check for relevant process ($COMMAND)<br /> pgrep -f -x "$COMMAND" || $COMMAND<br /> <br /> # 2. Test tunnel by looking at "netstat" output on $CLIENT<br /> ssh $CLIENT netstat -an | egrep "tcp.*:$CLIENT.*LISTEN" \<br /> > /dev/null 2>&1<br /> if [ $? -ne 0 ] ; then<br /> pkill -f -x "$COMMAND"<br /> $COMMAND<br /> fi Here is the script that I use to connect to my client.

#!/bin/sh

# $REMOTE_HOST is the name of the remote system
CLIENT=linux.client.com

# $REMOTE_PORT is the remote port number that will be used to tunnel
# back to this system
REMOTE_PORT=5000

# $COMMAND is the command used to create the reverse ssh tunnel
COMMAND=”ssh -N -R $REMOTE_PORT:localhost:22 $CLIENT”

# Is the tunnel up? Perform two tests:

# 1. Check for relevant process ($COMMAND)
pgrep -f -x “$COMMAND” || $COMMAND

# 2. Test tunnel by looking at “netstat” output on $CLIENT
ssh $CLIENT netstat -an | egrep “tcp.*:$CLIENT.*LISTEN” \
> /dev/null 2>&1
if [ $? -ne 0 ] ; then
pkill -f -x “$COMMAND”
$COMMAND
fi

]]>