Most secure remote access?

faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Post by faris

I wonder if anybody has any opinions on the most secure way to allow remote access when away from home/office (i.e. not connecting from a known static IP).

I suppose you could temporarily open up ssh on a port other than 22 (as long as you are using a password-protected keyfile rather than a plaintext password) but I'm not massively keen on that idea by itself.

What about using something like OpenVPN, especially on a non-standard port? You are then using a nice big certificate on top of everything else, but then have an additional potential point of failure (bug in OpenVPN or related packages). Any opinions?

[And over in another topic, there are discussions about being able to whitelist a dynamic DNS address, and that sounds like an interesting option to use with OpenVPN]
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
scott
Atomicorp Staff - Site Admin
Posts: 8355
Joined: Wed Dec 31, 1969 8:00 pm
Location: earth

Re: Most secure remote access?

Post by scott

Well, I for one use OpenVPN like crazy; if you're bouncing all over different IPs, that might be the least amount of trouble to set up.
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Most secure remote access?

Post by prupert

We make heavy use of SSH jumphosts and SSH tunneling.

We also use OpenVPN, but I wouldn't recommend it to everyone, because it will take a lot of effort to properly manage your OpenVPN cluster and your PKI in a good way (you'll need to run your own CA, preferably off-site).
Lemonbit Internet Dedicated Server Management
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Most secure remote access?

Post by faris

Thanks all. OpenVPN it is then. I'm not terribly worried about the CA side -- if they can get into the server running OpenVPN they won't need the keys!
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Most secure remote access?

Post by prupert

faris wrote: Thanks all. OpenVPN it is then. I'm not terribly worried about the CA side -- if they can get into the server running OpenVPN they won't need the keys!

There is a lot of nasty stuff they simply cannot do if they don't have the CA key. If the server is compromised, that surely is annoying, but your PKI is still intact and the breach is isolated and easier to deal with (revoke the server key).

Why have an OpenVPN setup at all then? If you just want to have a fixed client IP to log in remotely to your server might you not be better off using SSH jumphosts if you are looking for something solid and easy to maintain?

(But, if you do want to set up OpenVPN properly I am more than happy to point you in the right direction.)
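The point prupert makes above (CA key kept off the VPN server, server compromise handled by revoking one certificate) is easy to see end to end with the openssl command line. The script below is an added example and is not code from the thread or from any Atomicorp or Lemonbit setup; the CA name, the server name vpn.example.internal, the directory layout and the config file are all made up for the demo, and it assumes openssl 1.1.1 or newer on PATH. The "offline CA" and "VPN server" are just two directories under one temp dir here; the thing to notice is that only the CSR travels one way and only the signed cert and the CA's public cert travel the other, so the CA private key never exists on the server.

```shell
#!/bin/sh
# Added example (not from the thread): an offline CA issues a VPN server cert,
# then revokes it after a (hypothetical) server compromise. Names are made up.
set -eu

setup_ca() {
    WORK="$(mktemp -d)"
    CA_DIR="$WORK/offline-ca"    # assumed: a machine that is NOT the VPN server
    SRV_DIR="$WORK/vpn-server"   # assumed: the only material the server holds
    mkdir -p "$CA_DIR/newcerts" "$SRV_DIR"
    : > "$CA_DIR/index.txt"
    echo 1000 > "$CA_DIR/serial"
    echo 1000 > "$CA_DIR/crlnumber"
    # Self-contained config so the system openssl.cnf plays no part.
    cat > "$CA_DIR/ca.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
[ ca ]
default_ca = offline_ca
[ offline_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_cn
[ policy_cn ]
commonName = supplied
EOF
    openssl ecparam -name prime256v1 -genkey -noout -out "$CA_DIR/ca.key"
    openssl req -x509 -new -sha256 -days 3650 -config "$CA_DIR/ca.cnf" \
        -extensions ca_ext -key "$CA_DIR/ca.key" \
        -subj "/CN=Example Offline CA" -out "$CA_DIR/ca.crt"
    # Publish an (empty) CRL from day one so peers can always require one.
    openssl ca -batch -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

issue_server_cert() {
    # Key is generated on the server; only the CSR goes to the CA.
    openssl ecparam -name prime256v1 -genkey -noout -out "$SRV_DIR/server.key"
    openssl req -new -config "$CA_DIR/ca.cnf" -key "$SRV_DIR/server.key" \
        -subj "/CN=vpn.example.internal" -out "$WORK/server.csr"
    openssl ca -batch -notext -config "$CA_DIR/ca.cnf" -extensions server_ext \
        -in "$WORK/server.csr" -out "$SRV_DIR/server.crt" 2>/dev/null
    cp "$CA_DIR/ca.crt" "$SRV_DIR/ca.crt"   # server needs the CA's public cert only
}

revoke_server_cert() {
    # The CA keeps a copy of every cert it signed (serial 1000 here), so the
    # compromised server's copy is not needed to revoke it.
    openssl ca -batch -config "$CA_DIR/ca.cnf" -revoke "$CA_DIR/newcerts/1000.pem" 2>/dev/null
    openssl ca -batch -config "$CA_DIR/ca.cnf" -gencrl -out "$CA_DIR/ca.crl" 2>/dev/null
}

# What a peer doing CA + CRL validation concludes: prints ok, revoked or invalid.
check_server_cert() {
    if out="$(openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" \
              -CRLfile "$CA_DIR/ca.crl" "$SRV_DIR/server.crt" 2>&1)"; then
        echo ok
    else
        case "$out" in
            *"certificate revoked"*) echo revoked ;;
            *) echo invalid ;;
        esac
    fi
}

# The isolation property itself: the CA private key never reaches the server.
ca_key_on_server() {
    if [ -e "$SRV_DIR/ca.key" ]; then echo yes; else echo no; fi
}

run_demo() {
    setup_ca
    issue_server_cert
    echo "before revocation: $(check_server_cert)"
    revoke_server_cert
    echo "after revocation:  $(check_server_cert)"
    echo "CA key on server:  $(ca_key_on_server)"
    rm -rf "$WORK"
}

run_demo
```

In a real deployment the CRL (ca.crl) is what gets copied to the OpenVPN server and referenced from its config, and re-issued before default_crl_days runs out; a stale CRL is the usual way this scheme quietly stops working.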
faris
Long Time Forum Regular
Posts: 2321
Joined: Thu Dec 09, 2004 11:19 am

Re: Most secure remote access?

Post by faris

I think I may be missing something important :-(

In my scenario, there would be a box (or two) running OpenVPN on an open but non-standard port. The IP of that box would be whitelisted in the firewalls of the servers I want to access remotely. Connections between my remote location, this OpenVPN box and the other servers would be via SSH (tunnelling through the VPN).
prupert
Forum Regular
Posts: 573
Joined: Tue Aug 01, 2006 2:45 pm
Location: Netherlands

Re: Most secure remote access?

Post by prupert

faris wrote: I think I may be missing something important :-(

In my scenario, there would be a box (or two) running OpenVPN on an open but non-standard port. The IP of that box would be whitelisted in the firewalls of the servers I want to access remotely. Connections between my remote location, this OpenVPN box and the other servers would be via SSH (tunnelling through the VPN).

So you will only be using the VPN to tunnel your SSH connection? In that case you don't really need VPN in my opinion. You can just set up one or more SSH jumphosts. A jumphost is nothing more than a server with a user you can SSH into (really, nothing else!), and use as a stepping stone to connect to the next server (which has a firewall that only allows incoming SSH connections from your jumphosts).

Protip: you can make use of the SSH client config file (~/.ssh/config) on your laptop to make things really easy:

Code:

# Configure the host you use for jumping
Host            jump
    Hostname        myjumphost.mycompany
    User            myuser
    # Only needed if you also run ssh from a shell on the jumphost; the
    # ProxyCommand hop below does not use it, and a forwarded agent is
    # exposed to whoever controls the jumphost.
    ForwardAgent    yes

# One of your secured hosts
Host            mysecureserver
    Hostname        mysecureserver.mycompany
    User            myadminuser
    # Relay the connection through the jumphost; -W needs OpenSSH 5.4+,
    # older clients can use:  ProxyCommand ssh jump nc %h %p
    ProxyCommand    ssh -W %h:%p jump

# Another one of your secured hosts
Host            mysecureserver2
    Hostname        mysecureserver2.mycompany
    User            myadminuser
    ProxyCommand    ssh -W %h:%p jump
Next time you log in from your laptop from a tropical beach you simply type "ssh mysecureserver2", which will connect you automatically through your jumphost to that server even though your remote IP is not allowed to connect to this server. Hooray!

Further reading about this and similar cool things you can do with SSH: http://en.wikibooks.org/wiki/OpenSSH/Co ... Jump_Hosts
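Before relying on a jumphost config like the one above from somewhere with no way back, it is worth checking what the client will actually do with it; ssh -G resolves a host against the config and prints the effective options without opening any connection, so it works offline. The script below is an added example, not part of prupert's post or of any project: it writes an equivalent config to a scratch file (the same made-up host names, with ForwardAgent set to no because the -W relay authenticates the inner session straight from the laptop and never needs the agent on the jumphost) and asks ssh which hostname, user and ProxyCommand it would use for one of the secured hosts. It assumes an OpenSSH client on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): resolve a jumphost client config with
# "ssh -G" to confirm the hop is wired up. Host names are made-up placeholders.
set -eu

CFG="$(mktemp)"
trap 'rm -f "$CFG"' EXIT
cat > "$CFG" <<'EOF'
Host jump
    Hostname        myjumphost.mycompany
    User            myuser
    # The -W relay below authenticates end to end from the laptop, so the
    # jumphost never needs (and should not get) a forwarded agent.
    ForwardAgent    no

# Shared settings for every secured host, then the per-host names.
Host mysecureserver mysecureserver2
    User            myadminuser
    ProxyCommand    ssh -W %h:%p jump

Host mysecureserver
    Hostname        mysecureserver.mycompany
Host mysecureserver2
    Hostname        mysecureserver2.mycompany
EOF

# Print the value ssh would use for one option of one host, e.g.
#   resolved_option mysecureserver2 proxycommand
# -G dumps the resolved config (lower-case keywords) and exits; no connection.
resolved_option() {
    ssh -G -F "$CFG" "$1" | awk -v k="$2" '$1 == k { sub(/^[^ ]+ /, ""); print; exit }'
}

# Show the whole hop for a host the way the client will perform it.
show_hop() {
    for key in hostname user proxycommand forwardagent; do
        printf '%-14s %s\n' "$key" "$(resolved_option "$1" "$key")"
    done
}

if command -v ssh >/dev/null 2>&1; then
    show_hop mysecureserver2
else
    echo "no ssh client on PATH; nothing to resolve"
fi
```

If the proxycommand line comes back empty for a secured host, the Host pattern did not match and you would be connecting directly, which the server's firewall will refuse; catching that at home is cheaper than on the beach.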