On Tue, 2006-12-19 at 23:30 +0000, Jim Douglas wrote:
> >From: Donald Tripp <dtripp@xxxxxxxxxx>
> >Reply-To: For users of Fedora <fedora-list@xxxxxxxxxx>
> >To: For users of Fedora <fedora-list@xxxxxxxxxx>
> >Subject: Re: FC6 VPN
> >Date: Tue, 19 Dec 2006 12:33:16 -1000
> >
> >What exactly do you need to connect to on the linux server? Anytime you
> >make a connection between two computers you are using a tcp/ip port. SSH
> >allows you to forward any local port to any remote port. If you need to
> >connect to, say a windows share (samba in linux world), you would forward
> >your local port to the linux server through the ssh tunnel. Sure, this
> >isn't a true vpn, where you would time // remote_server, but it's still
> >friendly to use and secure.
> >
> >On Dec 19, 2006, at 12:13 PM, Jim Douglas wrote:
> >
> >>>From: James Wilkinson <fedora@xxxxxxxxxxxxxxxxxx>
> >>>Reply-To: For users of Fedora <fedora-list@xxxxxxxxxx>
> >>>To: fedora-list@xxxxxxxxxx
> >>>Subject: Re: FC6 VPN
> >>>Date: Tue, 19 Dec:23:23 +0000
> >>>
> >>>Jim Douglas wrote:
> >>>
> >>> > VPN w/ SSH is overkill I think, all I need is to securely access a
> >>> > remote box...from Windows Client -> Linux Server.
> >>>
> >>>Very often that will involve PuTTY. PuTTY also makes tunnelling very
> >>>easy, and is a *very* good terminal emulator.
> >>>
> >>> > I think I found the answer,
> >>> > http://freenx.berlios.de/
> >>> >
> >>> > I have SSH up and running, anyone have any good links to securing my
> >>> > SSH configuration?
> >>>
> >>>1. Stick to SSH 2 (in /etc/ssh/sshd_config, use the Protocol keyword)
> >>>2. Set up private keys and disable password-based logins
> >>>3. Changing the port that SSH listens on will not deter a determined
> >>>   attacker, but may help you work out that you've got a determined
> >>>   attacker.
> >>>4. Make sure you run yum update regularly.
> >>>5. Use AllowUsers or AllowGroups to limit which users can log on
> >>>   remotely. Don't allow direct root logins -- get users to log in as
> >>>   themselves and su - (this means attackers have to work out which
> >>>   usernames are valid).
> >>>6. If you must use passwords, make sure they're not dictionary words and
> >>>   include at least one (better, several) numbers or symbols.
> >>>7. Distribute the server public keys via trusted networks -- don't trust
> >>>   the client's ability to "learn" the server's key when it first
> >>>   connects, since you don't know that the remote computer really *is*
> >>>   your server.
> >>>
> >>>But really, there's not much securing needed with SSH. It's only really
> >>>vulnerable to a security bug at either end, a dictionary attack, a
> >>>man-in-the-middle attack during the first connection, or some new,
> >>>unknown mathematics.
> >>>
> >>>Hope this helps,
> >>>
> >>>James.
> >>>
> >>
> >>I saw PuTTY, it won't do everything I need....thanks for the feedback,
> >>
> >>One final question...
> >>
> >>I can connect to port 22 inside the firewall and I don't want to create
> >>any holes. Can you see any problems with adding this to iptables?
> >>
> >>iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp --dport 22 --tcp-flags
> >>SYN,RST,ACK SYN -j ACCEPT
>
> I need to run Linux GUI apps with KDE, GNOME.

I do that all the time simply via ssh2. Just make sure you "ssh -Y
servername" to make sure your $DISPLAY gets forwarded. GUI apps you run
on "servername" will put their displays on your local machine.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens@xxxxxxxxxxxxxxx -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-         Lottery: A tax on people who are bad at math.              -
----------------------------------------------------------------------
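James's numbered list above describes a hardening procedure for sshd_config. As an added example (not from the thread or from any Fedora tooling), here is a small audit script that parses an sshd_config and reports which of those points a given file fails; the sample config, the audit function name and the assumed OpenSSH defaults are constructed for illustration and should be checked against the sshd_config(5) man page of the version actually installed.

```python
"""Audit an sshd_config against the hardening points from the thread."""
import re

# Constructed sample (not a real host's file) with several weak settings.
WEAK_SSHD_CONFIG = """\
# sshd_config -- constructed sample
Protocol 2,1
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

# Constructed hardened counterpart applying the thread's advice.
HARDENED_SSHD_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowGroups sshusers
"""

# Assumed built-in defaults (modelled on 2006-era OpenSSH; verify locally).
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "passwordauthentication": "yes", "pubkeyauthentication": "yes"}


def parse_sshd_config(text):
    """Map keyword (lower-cased) -> value for effective lines.
    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored here too. Match blocks are not handled (simplification)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = {**DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if "1" in conf["protocol"].split(","):
        findings.append("Protocol allows SSH 1; set 'Protocol 2'")
    if conf["permitrootlogin"] != "no":
        findings.append("PermitRootLogin is not 'no'; log in as a user and su -")
    if conf["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is on; use keys and set it to 'no'")
    if conf["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if "allowusers" not in conf and "allowgroups" not in conf:
        findings.append("No AllowUsers/AllowGroups restriction on who may log in")
    return findings
```

Run it against the real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())` after applying changes, and re-run after `service sshd reload` to confirm the effective file is the one you edited.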