[olug] Email a report on SSH
Christopher Cashell
topher-olug at zyp.org
Sat Apr 21 22:23:40 UTC 2012
On Fri, Apr 20, 2012 at 4:50 PM, David Cannon <medaveduh at gmail.com> wrote:
> Thanks for the great information! I have been using it as a proxy for my
> web traffic and most places block port 22, so I was running it on 443 so
> the traffic looks normal. Haven't found a place that is blocking 443 yet.
> I will try the IP tables rules and see what I can get to work out. I will
> also see about fail2ban as well. Thanks again! I will let you all know
> how it goes.
> Dave
If you want, here's an alternate way of handling, securing, and
setting up a remote box which is used as a web proxy. It's a little
more work to set up, but it's easier to use and can offer some nice
security benefits and features.
1. On your Linux server, install OpenVPN and set it up as a VPN
server/concentrator. Use certificate based authentication (the
easy-rsa tools included with OpenVPN's software and documentation make
this almost trivial). To ensure you can get through firewalls, you
can run OpenVPN over TCP using port 80 or 443 (default ports are 1194
on UDP and TCP).
2. Install OpenVPN on your laptop or any other machine you want to be
able to access the web proxy box. Configure it to run at startup
(probably the default for *nix, run it as a Service on Windows).
3. Add an IPTables rule that blocks SSH (TCP Port 22) from anything
"external" (Internet sourced). (Optional step; with the rate limiting
IPTables rule I posted earlier, having ssh accessible to the Internet
doesn't greatly concern me. This allows for locking it down further,
though.)
4. Install Squid (or an alternate web proxy daemon) on the Linux
server to improve performance (caching) and simplify "routing" web
traffic through the web proxy box.
5. Install a second web browser or separate proxy config profile on
your laptop or other remote computer that is configured to proxy
web/ftp traffic to the Squid instance on your internet server. It
should be configured to point to the "internal" IP address that
corresponds to inside the VPN.
6. Enjoy the ease of use. Now, you start your laptop, and it
automatically connects to your Internet server via VPN. You can jump
through that VPN with SSH for management, without having SSH exposed
to the Internet. To browse the web without using the proxy, use a
browser/profile configured without the proxy. To use the proxy, use a
browser/profile configured to point to it.
Because you're now utilizing a full VPN, you also have access to other
services that might be available or running on your proxy box,
including file sharing, mail server, etc.
I have implemented the above setup myself, and it works great. If you
want to try it, I can give you sample configurations and answer any
questions you might have on it. I can also expand on the
descriptions.
--
Christopher
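An added example (not from Christopher's post, and not OpenVPN's or Squid's own sample configs): a POSIX shell script that renders the pieces of the setup above as text so they can be reviewed before being applied: the OpenVPN server config on TCP/443 with certificate-only authentication (step 1), a matching client config (step 2), the iptables rules that admit SSH only through the tunnel interface and drop it from the Internet-facing interface (step 3), and a Squid config bound to the VPN-internal address (steps 4 and 5). The interface names eth0/tun0, the 10.8.0.0/24 subnet, the 10.8.0.1 server address, Squid's port 3128, the certificate file names and the hostname vpn.example.com are all assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the original post. Renders the OpenVPN, iptables
# and Squid pieces of the "VPN in front of the proxy box" setup as text.
# Every value below is an assumption; override via the environment.

WAN_IF="${WAN_IF:-eth0}"                  # assumed Internet-facing interface
VPN_IF="${VPN_IF:-tun0}"                  # assumed OpenVPN tunnel interface
VPN_NET="${VPN_NET:-10.8.0.0}"            # assumed VPN subnet
VPN_MASK="${VPN_MASK:-255.255.255.0}"     # assumed VPN netmask
VPN_GW="${VPN_GW:-10.8.0.1}"              # assumed server address inside the VPN
VPN_PORT="${VPN_PORT:-443}"               # TCP port OpenVPN listens on (step 1)
SQUID_PORT="${SQUID_PORT:-3128}"          # Squid's default listening port
SERVER_HOST="${SERVER_HOST:-vpn.example.com}"  # placeholder public hostname

# Step 1: OpenVPN server, certificate-based auth only, over TCP on $VPN_PORT.
# Certificate/key file names are assumptions (easy-rsa output names vary).
openvpn_server_conf() {
    cat <<EOF
port $VPN_PORT
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server $VPN_NET $VPN_MASK
keepalive 10 120
persist-key
persist-tun
EOF
}

# Step 2: client side. remote-cert-tls makes the client refuse any peer
# whose certificate was not issued for server use by the CA.
openvpn_client_conf() {
    cat <<EOF
client
dev tun
proto tcp
remote $SERVER_HOST $VPN_PORT
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
persist-key
persist-tun
EOF
}

# Step 3: SSH (and Squid) reachable only via the tunnel interface; the VPN
# port itself is the one service left open on the Internet-facing interface.
ssh_firewall_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $VPN_PORT -j ACCEPT
iptables -A INPUT -i $VPN_IF -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport 22 -j DROP
iptables -A INPUT -i $VPN_IF -p tcp --dport $SQUID_PORT -j ACCEPT
iptables -A INPUT -i $WAN_IF -p tcp --dport $SQUID_PORT -j DROP
EOF
}

# Steps 4/5: Squid bound to the VPN-internal address and answering only VPN
# clients; the browser profile on the laptop points at $VPN_GW:$SQUID_PORT.
squid_conf() {
    cat <<EOF
http_port $VPN_GW:$SQUID_PORT
acl vpn_clients src $VPN_NET/$VPN_MASK
http_access allow vpn_clients
http_access deny all
EOF
}

# Running the script prints all four fragments for review; nothing is applied.
echo "# --- openvpn server.conf ---";  openvpn_server_conf
echo "# --- openvpn client.conf ---";  openvpn_client_conf
echo "# --- iptables rules ---";       ssh_firewall_rules
echo "# --- squid.conf ---";           squid_conf
```

The script only prints; apply the iptables lines by hand (or pipe them through sh as root) once you have confirmed that the only rule accepting port 22 is the one on the tunnel interface.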