I wonder if anybody has any opinions on the most secure way to allow remote access when away from home/office (i.e. not connecting from a known static IP).
I suppose you could temporarily open up ssh on a port other than 22 (as long as you are using a password-protected keyfile rather than a plaintext password) but I'm not massively keen on that idea by itself.
What about using something like OpenVPN, especially on a non-standard port? You are then using a nice big certificate on top of everything else, but then have an additional potential point of failure (bug in OpenVPN or related packages). Any opinions?
[And over in another topic, there are discussions about being able to whitelist a dynamic DNS address, and that sounds like an interesting option to use with OpenVPN]
Most secure remote access?
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
- Atomicorp Staff - Site Admin
Re: Most secure remote access?
Well, I for one use OpenVPN like crazy; if you're bouncing all over different IPs, that might be the least amount of trouble to set up.
Re: Most secure remote access?
We make heavy use of SSH jumphosts and SSH tunneling.
We also use OpenVPN, but I wouldn't recommend it to everyone, because it will take a lot of effort to properly manage your OpenVPN cluster and your PKI in a good way (you'll need to run your own CA, preferably off-site).
Last edited by prupert on Tue Nov 04, 2014 4:48 pm, edited 1 time in total.
Lemonbit Internet Dedicated Server Management
Re: Most secure remote access?
Thanks all. OpenVPN it is then. I'm not terribly worried about the CA side -- if they can get into the server running OpenVPN they won't need the keys!
Re: Most secure remote access?
faris wrote:
Thanks all. OpenVPN it is then. I'm not terribly worried about the CA side -- if they can get into the server running OpenVPN they won't need the keys!
There is a lot of nasty stuff they simply cannot do if they don't have the CA key. If the server is compromised, that surely is annoying, but your PKI is still intact, the breach is isolated and easier to deal with (revoke the server key).
Why have an OpenVPN setup at all then? If you just want to have a fixed client IP to log in remotely to your server, might you not be better off using SSH jumphosts if you are looking for something solid and easy to maintain?
(But, if you do want to set up OpenVPN properly I am more than happy to point you in the right direction.)
Re: Most secure remote access?
I think I may be missing something important.
In my scenario, there would be a box (or two) running OpenVPN on an open but non-standard port. The IP of that box would be whitelisted in the firewalls of the servers I want to access remotely. Connections between my remote location, this OpenVPN box and the other servers would be via SSH (tunnelling through the VPN).
Re: Most secure remote access?
faris wrote:
I think I may be missing something important.
In my scenario, there would be a box (or two) running OpenVPN on an open but non-standard port. The IP of that box would be whitelisted in the firewalls of the servers I want to access remotely. Connections between my remote location, this OpenVPN box and the other servers would be via SSH (tunnelling through the VPN).
So you will only be using the VPN to tunnel your SSH connection? In that case you don't really need a VPN, in my opinion. You can just set up one or more SSH jumphosts. A jumphost is nothing more than a server with a user you can SSH into (really, nothing else!), and use as a stepping stone to connect to the next server (which has a firewall that only allows incoming SSH connections from your jumphosts).
Protip: you can make use of the SSH client config file (~/.ssh/config) on your laptop to make things really easy:
# Configure host you use for jumping
Host jump
    Hostname myjumphost.mycompany
    User myuser
    ForwardAgent yes
# One of your secured hosts
Host mysecureserver
    Hostname mysecureserver.mycompany
    User myadminuser
    ProxyCommand ssh jump nc %h %p
# Another one of your secured hosts
Host mysecureserver2
    Hostname mysecureserver2.mycompany
    User myadminuser
    ProxyCommand ssh jump nc %h %p
Further reading about this and similar cool things you can do with SSH: http://en.wikibooks.org/wiki/OpenSSH/Co ... Jump_Hosts
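The jumphost arrangement described in the reply above has three pieces: the client config, a locked-down jump user on the jumphost, and the target host's firewall that only admits SSH from the jumphost. The script below, an added example that is not from this thread or from Lemonbit, generates all three; every hostname, user name and IP in it is a placeholder. It uses ProxyJump (the modern form of the ProxyCommand shown above) and leaves agent forwarding off, since a compromised jumphost could otherwise borrow the client's agent.

```shell
#!/bin/sh
# Added example, not from the thread. Generates the three config pieces of a
# jumphost setup; every hostname, user and IP below is a placeholder.

# Client ~/.ssh/config. ProxyJump is the modern equivalent of
# "ProxyCommand ssh jump nc %h %p". ForwardAgent is deliberately absent.
gen_client_config() {  # $1=jump hostname $2=jump user; rest: target FQDNs
    jump_host=$1; jump_user=$2; shift 2
    printf 'Host jump\n    Hostname %s\n    User %s\n    IdentitiesOnly yes\n\n' \
        "$jump_host" "$jump_user"
    for t in "$@"; do
        printf 'Host %s\n    Hostname %s\n    User admin\n    ProxyJump jump\n\n' \
            "${t%%.*}" "$t"
    done
}

# Jumphost sshd_config Match block. The jump user may only open TCP
# forwards to the listed host:port pairs (all that ProxyJump / ssh -W
# needs): no shell, tty, agent or X11. Caveat: ForceCommand /bin/false would
# break the thread's "ssh jump nc" ProxyCommand, which runs nc on the jumphost.
gen_jump_sshd_match() {  # $1=jump user; rest: allowed host:port targets
    user=$1; shift
    cat <<EOF
Match User $user
    AllowTcpForwarding yes
    PermitOpen $*
    PermitTTY no
    ForceCommand /bin/false
    AllowAgentForwarding no
    X11Forwarding no
    PasswordAuthentication no
EOF
}

# Target host firewall (nftables): accept SSH only from the jumphost IP and
# drop every other attempt on the SSH port (a non-standard port works too).
gen_target_fw() {  # $1=jump IP $2=ssh port
    printf 'nft add rule inet filter input ip saddr %s tcp dport %s accept\n' "$1" "$2"
    printf 'nft add rule inet filter input tcp dport %s drop\n' "$2"
}

# Usage with placeholder names: print all three fragments
gen_client_config jump.example.net jumpuser srv1.example.net srv2.example.net
gen_jump_sshd_match jumpuser srv1.example.net:22 srv2.example.net:22
gen_target_fw 203.0.113.10 22
```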