Re: Getting around corporate firewalls to access ssh server
- From: General Schvantzkoph <schvantzkoph@xxxxxxxxx>
- Date: Thu, 16 Mar 2006 23:10:24 -0500
On Thu, 16 Mar 2006 20:54:25 -0600, Moe Trin wrote:
On Thu, 16 Mar 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <pan.2006.03.16.23.43.06.589541@xxxxxxxxx>, General Schvantzkoph
wrote:
We have home offices. I have a business DSL line with a single static IP
and a registered domain. I have a half dozen Linux machines which I use
for development and as file servers.
OK - look at the address you are using on that domain. If you do a DNS
lookup of the domain name, you get an IP address. If you then do a second
lookup - this time of the IP address, does it return your hostname, or
some generic stuff (generic defined as a hostname that contains the IP
address in some form such as 192.0.2.22 ->
dsl-192-000-002-022.provider.com or similar). Second, look up the IP
address in the various RBL lists - one way being
http://www.TQMcube.com/rblcheck.htm (uses tables) and see that the
provider is clean. We've null-routed quite a number of providers because
of spam problems - some of them being quite large. In a couple of cases,
we've had to cut holes to "whitelist" some entity that has chosen a poor
provider. I know you can't get a direct assignment from an RIR, but see
if your provider will SWIP the address to you, or at least list you on
their rwhois server. That builds confidence not only in network security
types, but also mail administrators.
I have two dedicated servers that connect to the Internet though ssh. One
server, on port 22, is our CVS server. That server is accessed by my
partners and me and is used to collaborate on development. The only
machines that are authorized to connect to it (I use RSA authorization,
passwords are disabled) belong to me and my partners.
OK, with a single address, I can see your problem.
The other machine is my release server, which has ssh mapped to a high
port number.
Each customer has a user account on the release server. I place code
releases for them in their accounts.
I don't know what your threat model is, yada, yada, yada. You want to
separate the two SSH servers - that's fine. If all your customers can do
is download AND NOTHING ELSE, I'd suggest having a strong username and
password setup for each, set permissions so that they can't do anything
except download, and then leave it on 22. I'd have the CVS server using
the non-standard port number, as your people would be minimally
inconvenienced. That would appear more on the "up-and-up" to the paranoid
net security types.
The bit about "strong username" - do your customers have a frequent need
to be connecting? Would writing down the username and password be
something normal (mainly because of infrequent use)? If so, consider
generating usernames the way we _used_ to generate initial passwords.
Either 'head -2 /dev/random | uuencode /dev/stdout' or 'head -2
/dev/random | mimencode' and in either case, select a string that begins
with a letter consisting of letters and numbers only. Using mixed case
would increase security and is permitted by most systems, but probably
should be avoided to prevent confusing the users. While you're at it -
there is also the password a little further into the string.
I've also set the privileges on all accounts to 700 so that no customer
can see the content of any other customer's directory.
Do they _need_ to be writable by the customers?
For the startups this setup works fine. For the big companies this
doesn't work because their firewalls don't permit them to access my
server. The work around so far is that my customers at these companies
have used their home machines to access the server.
That doesn't work here - we don't allow _any_ access to the home systems
from our network. I can't say much more than that.
I've tried moving the port to 20 (FTP) figuring that a company is
unlikely to block FTP, but that didn't work.
You'd have to ask them why, but depending on your provider, I can't see
any reason why that wouldn't work. Of course if your address is in the
middle of SpammersRus.com, there would be problems.
Does anyone have any suggestions about a means for providing access to
releases to customers at big companies? My requirements are 1) Reasonably
straight forward access for my customers. 2) Good security for me. 3)
Runs on Linux.
From my view, clean address, resolves both ways, and a known port would
_probably_ get the best results. Security for you comes from having good
usernames. and running on up-to-date Linux (or similar).
Old guy
I checked my IP address using rblcheck and it's clean. I can try swapping
the ports on the two servers and put the release server on 22. Do you
think the problem is due to the fact that I'm using a non-standard port?
.
- Follow-Ups:
- Re: Getting around corporate firewalls to access ssh server
- From: Moe Trin
- Re: Getting around corporate firewalls to access ssh server
- References:
- Getting around corporate firewalls to access ssh server
- From: General Schvantzkoph
- Re: Getting around corporate firewalls to access ssh server
- From: Grant
- Re: Getting around corporate firewalls to access ssh server
- From: General Schvantzkoph
- Re: Getting around corporate firewalls to access ssh server
- From: Moe Trin
- Re: Getting around corporate firewalls to access ssh server
- From: General Schvantzkoph
- Re: Getting around corporate firewalls to access ssh server
- From: Moe Trin
- Getting around corporate firewalls to access ssh server
- Prev by Date: Re: Getting around corporate firewalls to access ssh server
- Next by Date: Re: Getting around corporate firewalls to access ssh server
- Previous by thread: Re: Getting around corporate firewalls to access ssh server
- Next by thread: Re: Getting around corporate firewalls to access ssh server
- Index(es):
Relevant Pages
|
