Remotely connecting to a Linux server

jjmax

Hi,

I've just setup a Debian server for a client.
The server is on the network in their offices, and is using an IP address for their LAN.
Their broadband connection is provided by Eircom.
Is it possible for me to remotely monitor this server?
I'd also like to install Remote Connectivity software (like "tightvnc"), will this work in this setup?
I'm sorry if this is a bit vague, but I'm at a loss about how to do this.
Thaks for any help.

dubhthach

jjmax wrote:

Hi,

I've just setup a Debian server for a client.
The server is on the network in their offices, and is using an IP address for their LAN.
Their broadband connection is provided by Eircom.
Is it possible for me to remotely monitor this server?
I'd also like to install Remote Connectivity software (like "tightvnc"), will this work in this setup?
I'm sorry if this is a bit vague, but I'm at a loss about how to do this.
Thaks for any help.

Well you could just use SSH for remote manangment, as long as you have relevant port open (22) in the firewall shouldn't be a problem. VNC only comes into if you are running X11, and if's a server not much need to have that installed.

jjmax

cheers dubhthach,

I have enabled SSH on the server.
I found this whitepaper on the web that seems to outline what I'd like to do.
http://www.hentzenwerke.com/wp/remoteaccessviassh.pdf
To connect from XP I have downloaded "PuTTY"
The bit I'm confused about now, (and it's one of the first steps ), is what ip address to use to access the server over the internet.
I know the servers internal ip, and I can get the ip of the DSL router.
Do I need to combine these two to get to the server remotely?
Thanks again for your help so far.

Syth

You would need to tell the DSL router to forward port 22 to the internal IP of the machine (which is probably a reverseved IP address like 192.168.x.x). You can then ssh into that machine using the router's IP address. If you're not sure about your IP, use some online service like whatismyip.com. You might have a dynamic IP address from your broadband provider, i.e. the IP address will change every now and then. You can use a free service like dyndns to get a domain name for your broadband router. This means you wouldn't have to put in an IP address into PuTTY, but an easily remembered domainname.

jjmax

Thanks for all the help folks,

I'll give this a try tomorrow or over the weekend, and hopefully get this sorted out.
Let you know how I get on.

Take care

SouperComputer

probably the best way to do it would be to setup a VPN, login to the network and use SSH then.

Personally, I would be against leaving port 22 open unless it was a server\computer I dont give a castlemaine XXXX about.

BobTheBeat

SouperComputer wrote:

probably the best way to do it would be to setup a VPN, login to the network and use SSH then.

Personally, I would be against leaving port 22 open unless it was a server\computer I dont give a castlemaine XXXX about.

Just beat me to it!, would avoid at all costs opening any unnecessary ports if you have a firewall in place. Like Souper said, a VPN is the way to go. I use OpenVPN on BSD for remote access. This uses digital certs/passwords for authentication on the remote side.
Something worth considering would be dialup access, hang a regular PSTN off one of your boxes in the remote site. SSH has very little overhead, so it would be fast over modem. I use it over dialup for backup access to remote site routers.

Syth

Disclaimer: I don't know anything about VPN. Why shouldn't he (or anyone) use ssh? Is VPN more secure than ssh? If so how? OpenSSH is developed by lots of OpenBSD folk, they seem to have a great attitude to security.

ssh can be locked down more. You can prevent root from logging in, only allow certain users from logging in (even only allow them to log in from a certain IP), and force the use of ssh keys (ie force no passwords). Why would this not be very secure?

SouperComputer

its not a choice of VPN or SSH as such. VPN would be an added layer of security for your SSH tunnel.

NutJob

as i seem to be pimping this alot lately hamachi.cc

just take a look may be a simple ish solution for vpn

solves the problem of openvpn with dyndns to use it with dynamic ips

deimos

Why not just leave the pinhole on the router running on some obscure port like 54132. Nobody will pick that up while doing ip range scans.... and if he/she has a decent password on the machine then all should be safe. It's rare to hear of any sshd exploits.

Syth

deimos wrote:

Why not just leave the pinhole on the router running on some obscure port like 54132. Nobody will pick that up while doing ip range scans.... and if he/she has a decent password on the machine then all should be safe. It's rare to hear of any sshd exploits.

Security through obscurity is no security at all.

If someone can type 10 characters ("-p 0-65535") that totally gets around your 'security' than, that's not security, only a false sence of security.

deimos

Syth wrote:

Security through obscurity is no security at all.

If someone can type 10 characters ("-p 0-65535") that totally gets around your 'security' than, that's not security, only a false sence of security.

Meh, it's not really "Security through obscurity" to my reckoning. Like if ssh is the only method to gain access to the machine she/he can run ssh tunnels for vnc or samba or whatever suits his/her fancy. I just find using this setup quite easy (and secure).... besides that I would be a big fan of openvpn.

Like if somebody does discover that 54132 is open, and they realise it's a opensshd server, well what are they going to do? Are they going to try every password combination (no script kiddie/hacker would be bothered unless the server had something very interesting on it), and to my knowledge exploits in the newer versions of openssh are non existant.