Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Most secure remote access?
Unread postPosted: Mon Nov 03, 2014 6:11 pm 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I wonder if anybody has any opinions on the most secure way to allow remote access when away from home/office (i.e. not connecting from a known static IP).

I suppose you could temporarily open up ssh on a port other than 22 (as long as you are using a password-protected keyfile rather than a plaintext password) but I'm not massively keen on that idea by itself.

What about using something like OpenVPN, especially on a non-standard port? You are then using a nice big certificate on top of everything else, but then have an additional potential point of failure (bug in OpenVPN or related packages). Any opinions?

[And over in another topic, there are discussions about being able to whitelist a dynamic DNS address, and that sounds like an interesting option to use with OpenVPN]

_________________
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>


 Post subject: Re: Most secure remote access?
Unread postPosted: Mon Nov 03, 2014 8:35 pm 
Atomicorp Staff - Site Admin

Joined: Wed Dec 31, 1969 8:00 pm
Posts: 8329
Location: earth
Well, I for one use OpenVPN like crazy; if you're bouncing all over different IPs, that might be the least amount of trouble to set up.


 Post subject: Re: Most secure remote access?
Unread postPosted: Tue Nov 04, 2014 10:14 am 
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
We make heavy use of SSH jumphosts and SSH tunneling.

We also use OpenVPN, but I wouldn't recommend it to everyone, because it will take a lot of effort to properly manage your OpenVPN cluster and your PKI in a good way (you'll need to run your own CA, preferably off-site).

_________________
Lemonbit Internet Dedicated Server Management


Last edited by prupert on Tue Nov 04, 2014 4:48 pm, edited 1 time in total.

 Post subject: Re: Most secure remote access?
Unread postPosted: Tue Nov 04, 2014 1:42 pm 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
Thanks all. OpenVPN it is then. I'm not terribly worried about the CA side -- if they can get into the server running OpenVPN they won't need the keys!

 Post subject: Re: Most secure remote access?
Unread postPosted: Tue Nov 04, 2014 4:39 pm 
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
faris wrote:
Thanks all. OpenVPN it is then. I'm not terribly worried about the CA side -- if they can get into the server running OpenVPN they won't need the keys!


There is a lot of nasty stuff they simply cannot do if they don't have the CA key. If the server is compromised, that surely is annoying, but your PKI is still intact, the breach is isolated and easier to deal with (revoke the server key).

Why have an OpenVPN setup at all then? If you just want to have a fixed client IP to log in remotely to your server, might you not be better off using SSH jumphosts if you are looking for something solid and easy to maintain?

(But, if you do want to set up OpenVPN properly I am more than happy to point you in the right direction.)

_________________
Lemonbit Internet Dedicated Server Management


 Post subject: Re: Most secure remote access?
Unread postPosted: Wed Nov 05, 2014 8:13 pm 
Long Time Forum Regular

Joined: Thu Dec 09, 2004 11:19 am
Posts: 2321
I think I may be missing something important :-(

In my scenario, there would be a box (or two) running OpenVPN on an open but non-standard port. The IP of that box would be whitelisted in the firewalls of the servers I want to access remotely. Connections between my remote location, this OpenVPN box and the other servers would be via SSH (tunnelling through the VPN).

 Post subject: Re: Most secure remote access?
Unread postPosted: Thu Nov 06, 2014 5:45 am 
Forum Regular

Joined: Tue Aug 01, 2006 2:45 pm
Posts: 573
Location: Netherlands
faris wrote:
I think I may be missing something important :-(

In my scenario, there would be a box (or two) running OpenVPN on an open but non-standard port. The IP of that box would be whitelisted in the firewalls of the servers I want to access remotely. Connections between my remote location, this OpenVPN box and the other servers would be via SSH (tunnelling through the VPN).


So you only will be using the VPN to tunnel your SSH connection? In that case you don't really need VPN in my opinion. You can just set up one or more SSH jumphosts. A jumphost is nothing more than a server with a user you can SSH into (really, nothing else!), and use as a stepping stone to connect to the next server (which has a firewall that only allows incoming SSH connections from your jumphosts).

Protip: you can make use of the SSH client config file (~/.ssh/config) on your laptop to make things really easy:

Code:
# Configure host you use for jumping
Host jump
    Hostname myjumphost.mycompany
    User myuser
    ForwardAgent yes

# One of your secured hosts
Host mysecureserver
    Hostname mysecureserver.mycompany
    User myadminuser
    ProxyCommand ssh jump nc %h %p

# Another one of your secured hosts
Host mysecureserver2
    Hostname mysecureserver2.mycompany
    User myadminuser
    ProxyCommand ssh jump nc %h %p

Next time you log in from your laptop from a tropical beach you simply type "ssh mysecureserver2", which will connect you automatically through your jumphost to that server even though your remote IP is not allowed to connect to this server. Hooray!

Further reading about this and similar cool things you can do with SSH: http://en.wikibooks.org/wiki/OpenSSH/Co ... Jump_Hosts

_________________
Lemonbit Internet Dedicated Server Management
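
A hardened variant of the jumphost setup in the post above, as an added example that is not part of the original thread: the client uses ProxyJump (OpenSSH 7.3 and later) in place of nc and leaves agent forwarding off, and the jumphost's sshd limits the jump user to forwarding SSH connections to the listed servers. Host and user names are reused from the post; the ForceCommand path and the port 22 targets are assumptions.

```sshconfig
# ---- Laptop: ~/.ssh/config -------------------------------------------
# Jumphost entry. Agent forwarding stays off: the laptop authenticates
# to the target end to end through the tunnel, so the jumphost never
# needs access to your agent or keys.
Host jump
    Hostname myjumphost.mycompany
    User myuser
    ForwardAgent no

# Secured hosts, reached only via the jumphost
Host mysecureserver
    Hostname mysecureserver.mycompany
    User myadminuser
    ProxyJump jump

Host mysecureserver2
    Hostname mysecureserver2.mycompany
    User myadminuser
    ProxyJump jump

# ---- Jumphost: /etc/ssh/sshd_config (append at end of file) ----------
# The jump user may only open TCP forwards to the SSH port of the
# secured servers: no shell, no TTY, no agent or X11 forwarding.
# Port 22 and the /bin/false path are assumptions; adjust to your hosts.
Match User myuser
    AuthenticationMethods publickey
    AllowTcpForwarding local
    PermitOpen mysecureserver.mycompany:22 mysecureserver2.mycompany:22
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no
    ForceCommand /bin/false
```

Validate the jumphost file with `sshd -t` before reloading sshd, and keep an existing session open while testing so a mistake does not lock you out.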

