If you're particularly paranoid, you can also set up port knocking. That means you effectively visit a port of your choice which logs your IP address, adds it to a firewall rule for a temporary period, then you can access the remote services (the VPN in this case) over a different port. Unless you've knocked on the chosen port first, attempted connections to the VPN are rejected, providing another layer of security and obfuscation.
On 16/02/2018 14:26, leloft wrote:
On Fri, 16 Feb 2018 13:17:03 +0000 Roland Tarver via list <list@xxxxxxxxxxxxx> wrote:

> So, erm, in terms of accessing data on your home (linux) network, when *not* at home... what would be the best, safest and most secure way of doing so please? Or is this simply a bad idea, to be avoided? Thanks, roly.

Hi roly,

Firstly, read up on iptables, pam, ssh keys and scp. At a minimum, I would say:

On router:

1) close all ports on your router to outside traffic except the one you will need for ssh (by default 22, but we're going to change that in a minute) and block pinging

As root user, on all home computers that you will want to access:

2) change your /etc/ssh/sshd_config to use [new port number] and set PermitRootLogin=no

3) configure /etc/security/access.conf to allow only authorized users to login remotely and set /etc/pam.d/login to enforce this

4) set /etc/securetty to contain the word 'console' only

5) reboot each computer and try to ssh -vvvp [new port number] user@IPaddress from the travelling computer. If the firewall and pam are working correctly, you should not be able to, and your three v's should tell you why. If you can, you will need to do some more reading up about firewalls and check your pam settings.

6) configure your firewall to allow NEW incoming tcp traffic on your [new port number] only, and only ESTABLISHED, RELATED incoming traffic otherwise.

7) When it's all working satisfactorily, change your root password to something impossibly long and complicated, and your user password to something marginally less so. Then install ssh keys.

8) You can access your home files via ssh and copy them via scp.

The above files are for debian-based distros, and I know that redhat-based distros have some of them tucked away inside other folders. But this should keep you out of mischief for a few days. And make sure that you get it all working before you lock yourself out of your own machines. Get it right on your least important one first and apply what you've learned to the next-least. Remember that humans are flawed machines at best and it's not a bad idea to write down what you've done. This applies particularly to impossibly long and complicated passwords...

I have written this in a hurry, and haven't had a chance to check details, but the principles are sound. No doubt our senior members will run their eyes over it, so I'd wait until they've had their say.

Regards
fraser
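As an added illustration (not code from the thread or from either poster), the POSIX shell script below generates the host firewall rules that steps 1 and 6 describe, adds the port-knock gate from the reply at the top of this message using iptables' conntrack and recent modules, and checks an sshd_config for step 2 (port moved off 22, PermitRootLogin no, in either the "Key value" or "Key=value" form that sshd accepts). The SSH port 2222, the knock port 7000 and the 30-second knock window are constructed sample values; the function names gen_rules and check_sshd_config are this example's own. Rules are printed by default so they can be reviewed before anything changes; APPLY=1 as root executes them.

```shell
#!/bin/sh
# Added example for the hardening steps in this thread (not the list's own code).
# Sample values: SSH on 2222, knock port 7000, 30 s knock window (all constructed).
set -u

# Print an iptables ruleset for the given ssh port, knock port and knock window.
# Order matters: the knock rule must precede the ssh ACCEPT rule, and the knock
# itself is dropped so the knocking host sees nothing on that port.
gen_rules() {
    ssh_port="$1"; knock_port="$2"; window="${3:-30}"
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -p tcp --dport $knock_port -m conntrack --ctstate NEW -m recent --name KNOCK --set -j DROP
iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -m recent --name KNOCK --rcheck --seconds $window -j ACCEPT
iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j DROP
EOF
}

# Check an sshd_config file for step 2: Port is set and is not 22, and
# PermitRootLogin is "no". Accepts "Key value" and "Key=value" (sshd allows both).
# Prints each problem found and returns non-zero if any exist.
check_sshd_config() {
    f="$1"
    port=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]*=\{0,1\}[[:space:]]*\([0-9]*\).*/\1/p' "$f" | head -n 1)
    root=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]*=\{0,1\}[[:space:]]*\([A-Za-z-]*\).*/\1/p' "$f" | head -n 1)
    ok=0
    if [ -z "$port" ] || [ "$port" = 22 ]; then
        echo "sshd_config: Port is unset or still 22"
        ok=1
    fi
    if [ "$root" != no ]; then
        echo "sshd_config: PermitRootLogin is '${root:-unset}', expected no"
        ok=1
    fi
    return $ok
}

# Default action: show the ruleset for review. APPLY=1 runs it (needs root).
if [ "${APPLY:-0}" = 1 ]; then
    gen_rules "${SSH_PORT:-2222}" "${KNOCK_PORT:-7000}" | sh -e
else
    gen_rules "${SSH_PORT:-2222}" "${KNOCK_PORT:-7000}"
fi
```

Before applying this on a real box, keep an existing session open and test from a second one, as step 5 suggests: a knock is a single TCP SYN to the knock port (it will time out, by design), followed within the window by the normal ssh connection to the new port. The final DROP on the ssh port is already implied by the INPUT policy but is kept explicit so the intent survives if the policy is later relaxed.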
-- The Mailing List for the Devon & Cornwall LUG https://mailman.dclug.org.uk/listinfo/list FAQ: http://www.dcglug.org.uk/listfaq