Re: Getting around corporate firewalls to access ssh server



On Thu, 16 Mar 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <pan.2006.03.16.23.43.06.589541@xxxxxxxxx>, General Schvantzkoph wrote:

> We have home offices. I have a business DSL line with a single static IP
> and a registered domain. I have a half dozen Linux machines which I use
> for development and as file servers.

OK - look at the address you are using on that domain. If you do a DNS
lookup of the domain name, you get an IP address. If you then do a second
lookup - this time of the IP address, does it return your hostname, or
some generic stuff (generic defined as a hostname that contains the IP
address in some form such as 192.0.2.22 -> dsl-192-000-002-022.provider.com
or similar). Second, look up the IP address in the various RBL lists -
one way being http://www.TQMcube.com/rblcheck.htm (uses tables) and see
that the provider is clean. We've null-routed quite a number of providers
because of spam problems - some of them being quite large. In a couple of
cases, we've had to cut holes to "whitelist" some entity that has chosen
a poor provider. I know you can't get a direct assignment from an RIR, but
see if your provider will SWIP the address to you, or at least list you
on their rwhois server. That builds confidence not only in network
security types, but also mail administrators.

> I have two dedicated servers that connect to the Internet though ssh. One
> server, on port 22, is our CVS server. That server is accessed by my
> partners and me and is used to collaborate on development. The only
> machines that are authorized to connect to it (I use RSA authorization,
> passwords are disabled) belong to me and my partners.

OK, with a single address, I can see your problem.

> The other machine is my release server, which has ssh mapped to a high
> port number.
>
> Each customer has a user account on the release server. I place code
> releases for them in their accounts.

I don't know what your threat model is, yada, yada, yada. You want to
separate the two SSH servers - that's fine. If all your customers can do
is download AND NOTHING ELSE, I'd suggest having a strong username and
password setup for each, set permissions so that they can't do anything
except download, and then leave it on 22. I'd have the CVS server using
the non-standard port number, as your people would be minimally
inconvenienced. That would appear more on the "up-and-up" to the paranoid
net security types.

The bit about "strong username" - do your customers have a frequent need
to be connecting? Would writing down the username and password be something
normal (mainly because of infrequent use)? If so, consider generating
usernames the way we _used_ to generate initial passwords. Either
'head -2 /dev/random | uuencode /dev/stdout' or 'head -2 /dev/random |
mimencode' and in either case, select a string that begins with a letter
consisting of letters and numbers only. Using mixed case would increase
security and is permitted by most systems, but probably should be avoided
to prevent confusing the users. While you're at it - there is also the
password a little further into the string.

> I've also set the privileges on all accounts to 700 so that no
> customer can see the content of any other customer's directory.

Do they _need_ to be writable by the customers?

> For the startups this setup works fine. For the big companies this doesn't
> work because their firewalls don't permit them to access my server. The
> work around so far is that my customers at these companies have used their
> home machines to access the server.

That doesn't work here - we don't allow _any_ access to the home systems
from our network. I can't say much more than that.

> I've tried moving the port to 20 (FTP) figuring that a company is unlikely
> to block FTP, but that didn't work.

You'd have to ask them why, but depending on your provider, I can't see
any reason why that wouldn't work. Of course if your address is in the
middle of SpammersRus.com, there would be problems.

> Does anyone have any suggestions about a means for providing access to
> releases to customers at big companies? My requirements are 1) Reasonably
> straightforward access for my customers. 2) Good security for me. 3) Runs
> on Linux.

From my view, clean address, resolves both ways, and a known port would
_probably_ get the best results. Security for you comes from having good
usernames, and running on up-to-date Linux (or similar).

Old guy
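Two of the checks described in this post, as an added shell example that is not part of the original thread: testing whether a PTR name merely embeds the IP address (the "generic" form), comparing the forward and reverse lookups, and minting a letter-first alphanumeric username with the password taken from further into the same random string. It assumes /dev/urandom and base64 in place of the post's /dev/random and uuencode/mimencode, and dig for the lookups.

```shell
#!/bin/sh
# Added example, not from the original thread. Helpers for the checks discussed above:
# a PTR that merely embeds the IP (192.0.2.22 -> dsl-192-000-002-022.provider.com),
# a forward/reverse DNS comparison, and letter-first alphanumeric usernames with the
# password taken from further into the same random string.
# Assumptions: /dev/urandom and base64 stand in for the post's /dev/random and
# uuencode/mimencode; dig is needed only by dns_roundtrip.

# ptr_is_generic IP PTRNAME -> status 0 when PTRNAME contains all four octets of IP,
# in order, each plain or zero-padded to three digits (the usual provider pattern).
ptr_is_generic() {
    ptr=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    re=''
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        re="${re}(${o}|$(printf '%03d' "$o"))[^0-9]*"   # octet, then non-digit filler
    done
    printf '%s\n' "$ptr" | grep -Eq "$re"
}

# dns_roundtrip NAME -> prints the A record, its PTR, and whether the two agree.
dns_roundtrip() {
    ip=$(dig +short A "$1" | head -n 1)
    ptr=$(dig +short -x "$ip" | sed 's/\.$//')
    printf 'A   %s -> %s\nPTR %s -> %s\n' "$1" "$ip" "$ip" "$ptr"
    if [ "$ptr" = "$1" ]; then echo "forward and reverse agree"; else echo "MISMATCH"; fi
    if ptr_is_generic "$ip" "$ptr"; then echo "PTR looks provider-generic"; fi
}

# gen_credentials ULEN PLEN [SOURCE] -> prints "username password".
# Leading digits are dropped so the username starts with a letter; mixed case is
# avoided, as the post suggests, to spare users confusion.
gen_credentials() {
    ulen=${1:-8}; plen=${2:-12}; src=${3:-/dev/urandom}
    pool=''
    while [ ${#pool} -lt $((ulen + plen)) ]; do
        chunk=$(head -c 48 "$src" | base64 | tr -dc 'a-z0-9' | sed 's/^[0-9]*//')
        pool="$pool$chunk"
    done
    user=$(printf '%s' "$pool" | cut -c1-"$ulen")
    pass=$(printf '%s' "$pool" | cut -c"$((ulen + 1))"-"$((ulen + plen))")
    printf '%s %s\n' "$user" "$pass"
}

if [ "${1:-}" = "--demo" ]; then
    ptr_is_generic 192.0.2.22 dsl-192-000-002-022.provider.com && echo "generic PTR"
    gen_credentials 8 12
fi
```

Run with `--demo` to see both helpers on the post's sample address; `dns_roundtrip yourhost.example.com` does the live two-way lookup.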