On Tuesday 23 December 2008 15:38:17 Warren Young wrote:
Michael Simpson wrote:
GRC reports that ports are stealthed
Try www.auditmypc.com or nmap-online.com rather than grc to look for open ports
What advantages do they have, in your opinion?
there a better way than opening port 143?
ssh tunnelling?
I agree, though the default CentOS sshd configuration requires some tightening down to trust it on Internet-facing servers, IMHO:
- In /etc/ssh/sshd_config, set "PasswordAuthentication no". No matter how good your password, it isn't as good as using keys. Remember, forwarding ssh opens it to pounding 24x7 from any of the millions of zombie boxes on the Internet.
- On the machine(s) that you want to allow logins from, run "ssh-keygen -t rsa" to generate a key pair, if you haven't already. Then copy the contents of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys on your home server. These keys are used to authenticate the remote system, in lieu of a password or physical token. You could put these keys on a USB stick instead, if you didn't want to keep them permanently on the remote hosts.
- Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol 2", not "Protocol 2,1". SSHv1 has known weaknesses. Boggles my mind that it's still enabled by default....
- Same file, set "PermitRootLogin no" if it isn't already.
(Aside: I also like to set up sudo with one account allowed to do anything, then lock the root account, so the only way to get root access is to log in as a regular user then sudo up, reducing the risk of passwordless keys.)
Having done all this, you're ready to allow remote access:
- In your router, forward a high-numbered port to 22 on the server. If it's not smart enough to use different port numbers on either side, you can change the sshd configuration so it listens on a different port instead. I like to use 22022 for this.
This is *not* security through obscurity. It's simply a way to reduce the amount of log spam you have to dig through when monitoring your system's behavior. Everything that appears in your logs should be *interesting*. Constant port knocking from worms and script kiddies is not interesting.
In case you've not done ssh tunnelling, Anne, the command that does what you want, having done all the above, is:
$ ssh -p22022 -L10143:my.server.com:143 anne@my.server.com
This sets up port 10143 on the local system to be redirected through the ssh session to the IMAP port on your home server. You don't want to redirect 143 to 143 because that would require you to run ssh as root. It also prevents you from using this on a system that itself has an IMAP server.
With the tunnel up, you can set up your mail client to connect to port 10143 on localhost, and you'll be looking at your remote mail server.
Hello again. You were kind enough to give me this advice last December. I've another holiday approaching and thought it was time that I got this sorted. Unfortunately, I'm not sure that I can do this, so I'm asking your opinion.
My router is a Netgear DG834G. I can create a service, tell it which ports to open, and say which local IP I want it sent to. However, I can't see any way to set the port to which it should be forwarded as anything other than the incoming port. IOW, I can enable the new service Ext-ssh, which accepts incoming traffic on port 22022, and direct it to my server on 192.168.0.40, but I can't see how to make it send that traffic to port 22 on the server.
Am I totally misunderstanding this? Really all I want is to be able to log in to the server if I get an email alert that there is a problem or security updates pending. If I can get this sorted, I'll look again at how to route the IMAP mail through the tunnel too.
Anne
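An added wrapper for the tunnel command quoted above (it is not part of Warren's message and not an OpenSSH tool; the function names tunnel_args and open_imap_tunnel are made up here): a small POSIX shell script that builds the same ssh -L invocation with the safeguards a practitioner would want. It refuses a local port below 1024 for the reason Warren gives (binding it needs root), adds -N, -f and ExitOnForwardFailure=yes so a forward that cannot be set up is an error rather than a silent plain shell session, and points the far end of the forward at localhost:143 instead of the server's public name, because sshd on the server, not the client, makes that connection; this assumes the IMAP daemon listens on the server's loopback. The host name, user and port numbers are the ones used in the thread.

```shell
#!/bin/sh
# Added example: a checked version of the "ssh -L" IMAP tunnel from the thread.
# Not from the thread or from OpenSSH; tunnel_args/open_imap_tunnel are made-up names.

# tunnel_args LOCAL_PORT USER@HOST [SSH_PORT]
# Print, one per line, the ssh arguments that forward LOCAL_PORT on this machine
# to the IMAP port on the server. Fails instead of producing a command that
# would need root.
tunnel_args() {
    local_port=$1
    target=$2
    ssh_port=${3:-22}
    case $local_port in
        ''|*[!0-9]*)
            echo "local port must be numeric, got '$local_port'" >&2
            return 1 ;;
    esac
    # Binding a port below 1024 needs root: this is why the thread uses 10143, not 143.
    if [ "$local_port" -lt 1024 ] || [ "$local_port" -gt 65535 ]; then
        echo "local port $local_port is privileged or out of range; use 1024-65535" >&2
        return 1
    fi
    # -N: no remote shell, only the forward.  -f: background once authenticated.
    # ExitOnForwardFailure=yes: if LOCAL_PORT is already taken, ssh exits with an
    # error instead of leaving a session that silently has no tunnel.
    # The forward's destination is connected to by sshd on the server, so
    # "localhost" is the server's own loopback (assumption: IMAP listens there);
    # using the public name would make the server dial its own WAN address.
    printf '%s\n' -N -f -o ExitOnForwardFailure=yes -p "$ssh_port" \
        -L "${local_port}:localhost:143" "$target"
}

# open_imap_tunnel LOCAL_PORT USER@HOST [SSH_PORT]
# Validate the arguments, then launch ssh with them.
open_imap_tunnel() {
    args=$(tunnel_args "$@") || return 1
    # $args is deliberately unquoted: one token per line, none containing spaces.
    ssh $args
}

# Dry run with the thread's values; open_imap_tunnel would actually connect.
tunnel_args 10143 anne@my.server.com 22022 | tr '\n' ' '
echo
# open_imap_tunnel 10143 anne@my.server.com 22022
```

Once the tunnel is up, the mail client still points at localhost:10143 exactly as Warren describes; the only change from his one-liner is that a failed forward now returns a non-zero exit status you can see.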
On Mon, 2009-03-23 at 14:31 +0000, Anne Wilson wrote:
http://kbserver.netgear.com/kb_web_files/n101145.asp
http://kbserver.netgear.com/kb_web_files/n101145.asp#FR114PAnchor
JohnStanley
On Monday 23 March 2009 15:29:53 JohnS wrote:
http://kbserver.netgear.com/kb_web_files/n101145.asp http://kbserver.netgear.com/kb_web_files/n101145.asp#FR114PAnchor
Sure, but those pages are very much like the router's doc pages. I don't see any info about forwarding to ports different from the incoming one.
Anne
On Mon, 2009-03-23 at 16:26 +0000, Anne Wilson wrote:
Sure, but those pages are very much like the router's doc pages. I don't see any info about forwarding to ports different from the incoming one.
Here's another example; it will do what you want, you're just misunderstanding it. I have 2 customers that use Netgear routers. I think you're not setting up the NAT - Add page. http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/eMule.... One thing: are you using it for the DSL, or another modem/router for DSL? If you're using two, only one can be NATted and the other main router in bridged mode.
JohnStanley
On Monday 23 March 2009 16:57:45 JohnS wrote:
Here's another example; it will do what you want, you're just misunderstanding it. I have 2 customers that use Netgear routers. I think you're not setting up the NAT - Add page. http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/eMule.htm One thing: are you using it for the DSL, or another modem/router for DSL? If you're using two, only one can be NATted and the other main router in bridged mode.
The router is also the DSL modem.
OK - I'm thick. I've looked at that page and seen only what I'm already familiar with. Please, in plain English, how do I set ssh to come in on port 22022 (service called ext-ssh already set up for that) to be forwarded to 192.168.0.xx port 22?
Anne
On Mar 23, 2009, at 2:37 PM, Anne Wilson wrote:
OK - I'm thick. I've looked at that page and seen only what I'm already familiar with. Please, in plain English, how do I set ssh to come in on port 22022 (service called ext-ssh already set up for that) to be forwarded to 192.168.0.xx port 22?
Anne,
if the router really isn't making it easy for you to forward from port 22022 to port 22, you could also solve this problem by having sshd listen on port 22022 on the server. do this by editing /etc/ssh/sshd_config such that the following two lines *both* appear before any ListenAddress specification:
Port 22
Port 22022
if you're running a software firewall on the host, make sure you poke a hole so that traffic can pass from the router to port 22022 on the server. then configure the router to forward from external port 22022 to internal port 22022, and you're done.
-steve
-- If this were played upon a stage now, I could condemn it as an improbable fiction. - Fabian, Twelfth Night, III,v
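An added audit script, not from Steve's or Warren's messages and not part of the CentOS sshd package (the function names are made up here): a POSIX shell check of an sshd_config for the settings Warren listed at the top of the thread (PasswordAuthentication no, PermitRootLogin no, Protocol 2) together with Steve's two-Port-lines layout. It follows sshd's parsing rules: the first occurrence of a keyword wins, commented-out lines count for nothing, Port lines accumulate rather than replace each other, and anything after a Match line is conditional. It also flags a Port line that comes after a ListenAddress, which is the ordering mistake Steve warns about for the OpenSSH of that era. Both config files are constructed samples written to temporary files. An unset keyword is reported as a gap, because the defaults of that era (PasswordAuthentication yes, PermitRootLogin yes, Protocol 2,1) are exactly the weak values being warned about.

```shell
#!/bin/sh
# Added example (not from the thread or OpenSSH): audit an sshd_config for the
# hardening discussed in this thread. The sample config files are constructed below.

# sshd_option FILE KEYWORD
# Print the effective value of KEYWORD. sshd takes the FIRST occurrence of a
# keyword, ignores comment lines, and treats everything after a "Match" line
# as conditional, so the scan stops there.
sshd_option() {
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        /^[ \t]*#/ || NF == 0        { next }
        tolower($1) == tolower(key)  { print $2; exit }
    ' "$1"
}

# sshd_ports FILE
# Port is the exception to first-wins: every Port line adds a listener, which is
# why "Port 22" and "Port 22022" can both be present. sshd defaults to 22 if none.
sshd_ports() {
    awk '
        tolower($1) == "match"       { exit }
        /^[ \t]*#/ || NF == 0        { next }
        tolower($1) == "port"        { p = p (p == "" ? "" : " ") $2 }
        END                          { print (p == "" ? "22" : p) }
    ' "$1"
}

# port_order_ok FILE
# A ListenAddress without a port only picks up the Port lines that come before
# it (on the OpenSSH of the thread's era), so a Port after a ListenAddress is wrong.
port_order_ok() {
    awk '
        tolower($1) == "match"          { exit }
        /^[ \t]*#/ || NF == 0           { next }
        tolower($1) == "listenaddress"  { seen = 1 }
        tolower($1) == "port" && seen   { bad = 1 }
        END                             { exit bad + 0 }
    ' "$1"
}

# check_sshd_config FILE
# Report each required setting and return 1 if any is missing or wrong. An unset
# keyword counts as a gap: the defaults of that era were PasswordAuthentication yes,
# PermitRootLogin yes and Protocol 2,1.
check_sshd_config() {
    cfg=$1
    rc=0
    for want in "PasswordAuthentication no" "PermitRootLogin no" "Protocol 2"; do
        key=${want%% *}
        expect=${want##* }
        got=$(sshd_option "$cfg" "$key")
        if [ "$got" = "$expect" ]; then
            echo "ok:   $key $got"
        else
            echo "FAIL: $key is '${got:-unset}', want '$expect'"
            rc=1
        fi
    done
    if port_order_ok "$cfg"; then
        echo "ok:   Port directives: $(sshd_ports "$cfg")"
    else
        echo "FAIL: a Port line follows a ListenAddress line (ports: $(sshd_ports "$cfg"))"
        rc=1
    fi
    return $rc
}

# Constructed samples, not copied from any real host.
GOOD_CFG=$(mktemp)
BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
printf '%s\n' \
    '# hardened as the thread recommends' \
    'Protocol 2' \
    'Port 22' \
    'Port 22022' \
    'ListenAddress 0.0.0.0' \
    'PermitRootLogin no' \
    'PasswordAuthentication no' > "$GOOD_CFG"
printf '%s\n' \
    '# stock-looking config: the commented-out line does not count' \
    '#PermitRootLogin no' \
    'Protocol 2,1' \
    'PasswordAuthentication yes' \
    'ListenAddress 0.0.0.0' \
    'Port 22022' \
    'Match User anne' \
    '    PasswordAuthentication no' > "$BAD_CFG"

echo "== hardened sample";      check_sshd_config "$GOOD_CFG" || echo "=> gaps found"
echo "== stock-looking sample"; check_sshd_config "$BAD_CFG"  || echo "=> gaps found"
```

To audit a real host, call check_sshd_config /etc/ssh/sshd_config (as a user that can read it). On OpenSSH 7.6 and later SSHv1 is gone, so the Protocol line of the report is only meaningful on the CentOS releases discussed in this thread.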
On Monday 23 March 2009 18:59:51 Steve Huff wrote:
That sounds much easier. I'll get to the server tomorrow and fix that. Thanks. Hopefully I'll get chance to test it on Wednesday.
Anne
On Monday 23 March 2009 18:59:51 Steve Huff wrote:
Hopefully this is correctly set up now, but I can't test it until I go to somewhere with an open wifi. Thanks. It may be a couple of weeks before I can report back, but I'll let you know how I fared.
Anne
On Mon, 2009-03-23 at 18:37 +0000, Anne Wilson wrote:
Here's another example; it will do what you want, you're just misunderstanding it. I have 2 customers that use Netgear routers. I think you're not setting up the NAT - Add page. http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/eMule.htm One thing: are you using it for the DSL, or another modem/router for DSL? If you're using two, only one can be NATted and the other main router in bridged mode.
The router is also the DSL modem.
Ahh, and a warning about that. Make sure after you get the port forwarding working that the router is not wide open, meaning every port open. Zyxel and Netgear are very similar in design (software) and both of them have this problem. This only occurs when it is in the routing mode.
OK - I'm thick. I've looked at that page and seen only what I'm already familiar with. Please, in plain English, how do I set ssh to come in on port 22022 (service called ext-ssh already set up for that) to be forwarded to 192.168.0.xx port 22?
If you can hold your horses I may be able to tell you in plain English later on. At the moment I am not directly in front of one, and the ones I have access to cannot be accessed over the WAN. This would be later tonight, EST.
It gives you a choice of what ports you want the service to use. You simply have to enter the numbers into the empty boxes (choose Custom Service); i.e., you will have to make a Custom Service.
Looking at your port choice from a social-engineering standpoint, you're defeating the purpose of port masking. Choosing port 22022 tells me that you have ssh running on a server. Nonetheless, you can also do what Steve said.
JohnStanley
On Monday 23 March 2009 19:33:58 JohnS wrote:
On Mon, 2009-03-23 at 18:37 +0000, Anne Wilson wrote:
Here's another example; it will do what you want, you're just misunderstanding it. I have 2 customers that use Netgear routers. I think you're not setting up the NAT - Add page. http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/eMule.htm One thing: are you using it for the DSL, or another modem/router for DSL? If you're using two, only one can be NATted and the other main router in bridged mode.
The router is also the DSL modem.
Ahh, and a warning about that. Make sure after you get the port forwarding working that the router is not wide open, meaning every port open. Zyxel and Netgear are very similar in design (software) and both of them have this problem. This only occurs when it is in the routing mode.
As far as I can see it defaults to outward traffic being open, but inward traffic blocked apart from the rules I set.
OK - I'm thick. I've looked at that page and seen only what I'm already familiar with. Please, in plain English, how do I set ssh to come in on port 22022 (service called ext-ssh already set up for that) to be forwarded to 192.168.0.xx port 22?
If you can hold your horses I may be able to tell you in plain English later on. At the moment I am not directly in front of one, and the ones I have access to cannot be accessed over the WAN. This would be later tonight, EST.
It's not hugely urgent - I'd like to get it set up and working before the end of the week. If you reply later today I'll see it tomorrow, and that is just fine.
It gives you a choice of what ports you want the service to use. You simply have to enter the numbers into the empty boxes (choose Custom Service); i.e., you will have to make a Custom Service.
Looking at your port choice from a social-engineering standpoint, you're defeating the purpose of port masking. Choosing port 22022 tells me that you have ssh running on a server. Nonetheless, you can also do what Steve said.
I'll look at both options, once I've seen your next reply. I'm aware that this is not locked-down security, just that it will deter the casual poke-around merchants. Once I'm convinced that I have it working it will be disabled except for the periods when I'm away from home. (I do know that works, because last time I was away I forgot to re-enable the imap service, and I couldn't get in.)
Anne