Re: FC6 VPN



On Tue, 2006-12-19 at 23:30 +0000, Jim Douglas wrote:
From: Donald Tripp <dtripp@xxxxxxxxxx>
Reply-To: For users of Fedora <fedora-list@xxxxxxxxxx>
To: For users of Fedora <fedora-list@xxxxxxxxxx>
Subject: Re: FC6 VPN
Date: Tue, 19 Dec 2006 12:33:16 -1000

What exactly do you need to connect to on the linux server? Anytime you
make a connection between two computers you are using a tcp/ip port. SSH
allows you to forward any local port to any remote port. If you need to
connect to, say a windows share (samba in linux world), you would forward
your local port to the linux server through the ssh tunnel. Sure, this
isn't a true vpn, where you would time // remote_server, but it's still
friendly to use and secure.

On Dec 19, 2006, at 12:13 PM, Jim Douglas wrote:

From: James Wilkinson <fedora@xxxxxxxxxxxxxxxxxx>
Reply-To: For users of Fedora <fedora-list@xxxxxxxxxx>
To: fedora-list@xxxxxxxxxx
Subject: Re: FC6 VPN
Date: Tue, 19 Dec:23:23 +0000

Jim Douglas wrote:

VPN w/ SSH is overkill I think, all I need is to securely access a
remote box...from Windows Client -> Linux Server.

Very often that will involve PuTTY. PuTTY also makes tunnelling very
easy, and is a *very* good terminal emulator.

I think I found the answer,
http://freenx.berlios.de/

I have SSH up and running, anyone have any good links to securing my
SSH configuration?

1. Stick to SSH 2 (in /etc/ssh/sshd_config, use the Protocol keyword)
2. Set up private keys and disable password-based logins
3. Changing the port that SSH listens on will not deter a determined
attacker, but may help you work out that you've got a determined
attacker.
4. Make sure you run yum update regularly.
5. Use AllowUsers or AllowGroups to limit which users can log on
remotely. Don't allow direct root logins -- get users to login as
themselves and su - (this means attackers have to work out which
usernames are valid).
6. If you must use passwords, make sure they're not dictionary words and
include at least one (better, several) numbers or symbols.
7. Distribute the server public keys via trusted networks -- don't trust
the client's ability to "learn" the server's key when it first
connects, since you don't know that the remote computer really *is*
your server.

But really, there's not much securing needed with SSH. It's only really
vulnerable to a security bug at either end, a dictionary attack, a
man-in-the-middle attack during the first connection, or some new,
unknown mathematics.

Hope this helps,

James.
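As an added example (not code from James or anyone else in the thread), here is a small POSIX shell audit that checks an sshd_config against items 1, 2 and 5 of the list above: Protocol 2, no password logins, no direct root login, and an AllowUsers/AllowGroups restriction. The two sample configs it writes are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# checklist (Protocol 2, key-only logins, no root login, AllowUsers/
# AllowGroups). Sample configs below are constructed; helper names are
# this example's own, not OpenSSH tooling.

# Print the effective value of a keyword. sshd honours the FIRST
# occurrence of a directive, so a hardening line appended below an
# earlier "PasswordAuthentication yes" changes nothing; the "exit"
# after the first match mirrors that behaviour.
sshd_directive() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }                        # skip comments
        tolower($1) == tolower(key) { print $2; exit }   # first match wins
    ' "$1"
}

# Print one line per check, "ok ..." or "WEAK ...". Always returns 0 so
# the caller decides what to do with the report (e.g. count WEAK lines).
audit_sshd_config() {
    file=$1
    for spec in "Protocol:2" "PasswordAuthentication:no" "PermitRootLogin:no"; do
        key=${spec%%:*}
        want=${spec#*:}
        got=$(sshd_directive "$file" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "WEAK $key is '${got:-unset}', want '$want'"
        fi
    done
    # Item 5: one of AllowUsers / AllowGroups must restrict who may log in.
    if [ -n "$(sshd_directive "$file" AllowUsers)$(sshd_directive "$file" AllowGroups)" ]; then
        echo "ok   AllowUsers/AllowGroups present"
    else
        echo "WEAK AllowUsers/AllowGroups unset: every local account is reachable"
    fi
    return 0
}

# Write a constructed sample config to $1: "weak" (old-style defaults with
# a leftover "Protocol 2,1") or "hardened".
write_sample_config() {
    if [ "$2" = hardened ]; then
        cat > "$1" <<'EOF'
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
AllowGroups sshusers
EOF
    else
        cat > "$1" <<'EOF'
Protocol 2,1
# commented-out lines are ignored, so sshd keeps the live line below
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin yes
EOF
    fi
}

# Stand-alone run: audit both constructed configs and print the reports.
workdir=$(mktemp -d)
write_sample_config "$workdir/weak" weak
write_sample_config "$workdir/hardened" hardened
for f in weak hardened; do
    echo "== $f =="
    audit_sshd_config "$workdir/$f"
done
rm -rf "$workdir"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config` after sourcing the script; four WEAK lines come back for the constructed weak config and none for the hardened one. On current OpenSSH releases `sshd -T` prints the effective configuration after first-match resolution, which is the more authoritative source than reading the file; the pre-distribution of host keys in item 7 is a client-side concern (the known_hosts file) and is not something this server-side check can see.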


I saw PuTTY, it won't do everything I need....thanks for the feedback,

One final question...

I can connect to port 22 inside the firewall and I don't want to create
any holes. Can you see any problems with adding this to iptables?

iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT

I need to run Linux GUI apps with KDE, GNOME.

I do that all the time simply via ssh2. Just make sure you "ssh -Y
servername" to make sure your $DISPLAY gets forwarded. GUI apps you
run on "servername" will put their displays on your local machine.

----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc. http://www.vitalstream.com -
- -
- Lottery: A tax on people who are bad at math. -
----------------------------------------------------------------------

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list


