
Re: [LUG] File Sharing

 

All good advice but I'd go one step further. Create a simple VPN back to your home network using another machine. That way all browsing, file transfers, etc. can be conducted securely without needing to tunnel over SSH. You have full access control, can set up (and revoke if necessary) a user account for each device, and you have the option to use your home internet connection on the road too. When connected remotely, your device will behave as though it's at home. Something like http://www.pivpn.io/ is a straightforward introduction to certificate-based VPNs and, while that's intended for a RPi, it can be run on any Linux box.

If you're particularly paranoid, you can also set up port knocking. That means you effectively visit a port of your choice, which logs your IP address and adds it to a firewall rule for a temporary period; then you can access the remote services (the VPN in this case) over a different port. Unless you've knocked on the chosen port first, attempted connections to the VPN are rejected, providing another layer of security and obfuscation.


On 16/02/2018 14:26, leloft wrote:

On Fri, 16 Feb 2018 13:17:03 +0000
Roland Tarver via list <list@xxxxxxxxxxxxx> wrote:


So, erm, in terms of accessing data on your home (linux) network, when
*not* at home...

... what would be the best, safest and most secure way of doing so
please?

or, is this simply a bad idea? to be avoided.

thanks
roly.

Hi roly,
Firstly, read up on iptables, pam, ssh keys and scp.

At a minimum, I would say

On router:
1) close all ports on your router to outside
traffic except the one you will need for ssh (by default 22, but we're
going to change that in a minute) and block pinging

As root user, on all home computers that you will want to access:
2) change your /etc/ssh/sshd_config to use [new port number] and set
PermitRootLogin=no

3) configure /etc/security/access.conf to allow only authorized
users to login remotely and set /etc/pam.d/login to enforce this

4) set /etc/securetty to contain the word 'console' only

5) reboot each computer and try to ssh -vvvp [new port number]
user@IPaddress from the travelling computer. If the
firewall and pam are working correctly, you should not be able to and
your three v's should tell you why. If you can, you will need to do some
more reading up about firewalls and check your pam settings.

6) configure your firewall to allow NEW incoming tcp traffic on your
[new port number] only, and only ESTABLISHED, RELATED incoming traffic
otherwise.

7) When it's all working satisfactorily, change your root password to
something impossibly long and complicated, and your user password to
something marginally less so.  Then install ssh keys.

8) You can access your home files via ssh and copy them via scp.

  The above files are for debian-based distros, and I know that redhat
  based distros have some of them tucked away inside other folders.  But
  this should keep you out of mischief for a few days.  And make sure
  that you get it all working before you lock yourself out of your own
  machines.  Get it right on your least important one first and apply
  what you've learned to the next-least. Remember that humans are flawed
  machines at best and it's not a bad idea to write down what you've
  done.  This applies particularly to impossibly long and complicated
  passwords...

I have written this in a hurry, and haven't had a chance to check
details, but the principles are sound. No doubt, our senior
members will run their eyes over it, so I'd wait until they've had
their say.

Regards

fraser
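As an added illustration of the two posts above (not code from either poster, nor from PiVPN), here is a small POSIX shell script that does two things: it emits the iptables rule set that fraser's steps 1 and 6 describe (default-deny inbound, ESTABLISHED/RELATED allowed, NEW only on the chosen ssh port, pings dropped) with the port-knocking gate from the reply layered on top using the iptables `recent` module, and it audits an sshd_config for step 2 (non-default Port, PermitRootLogin no). The port numbers, the list name `knock`, the 60-second window and the assumption that the VPN is OpenVPN on UDP 1194 (PiVPN's default at the time) are all assumptions for the example; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example: generate a knock-gated iptables rule set and audit sshd_config.
# Nothing here touches the live firewall; review the output, then run it as root.

# gen_rules SSH_PORT KNOCK_PORT VPN_PORT
# Prints iptables commands. Assumed layout (example only): the server itself is
# being firewalled (not a router), and the VPN is OpenVPN on UDP VPN_PORT.
gen_rules() {
    ssh_port=$1; knock_port=$2; vpn_port=$3
    cat <<EOF
# Default-deny inbound, allow outbound; drop anything conntrack cannot classify
iptables -F INPUT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
# "block pinging"
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
# NEW connections only on the non-default ssh port
iptables -A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT
# Port knock: a SYN to the knock port records the source IP in the 'knock'
# list and is then dropped, so the knocker sees nothing open
iptables -A INPUT -p tcp --dport $knock_port -m conntrack --ctstate NEW -m recent --name knock --set -j DROP
# The VPN port answers only sources seen on the knock port in the last 60 s
iptables -A INPUT -p udp --dport $vpn_port -m recent --name knock --rcheck --seconds 60 -j ACCEPT
EOF
}

# audit_sshd FILE
# Returns 0 if FILE moves sshd off port 22 and disables root login, else 1.
# sshd_config keywords are case-insensitive and separated from their value by
# whitespace (no '='); the first occurrence of a keyword is the effective one.
audit_sshd() {
    cfg=$1
    rc=0
    port=$(grep -Ei '^[[:space:]]*Port[[:space:]]+' "$cfg" | head -n1 | awk '{print $2}')
    root=$(grep -Ei '^[[:space:]]*PermitRootLogin[[:space:]]+' "$cfg" | head -n1 \
           | awk '{print $2}' | tr 'A-Z' 'a-z')
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "audit: sshd still listens on port 22" >&2; rc=1
    fi
    if [ "$root" != "no" ]; then
        echo "audit: PermitRootLogin is not 'no'" >&2; rc=1
    fi
    return $rc
}

# Usage: ./knockfw.sh 2222 7777 1194 > rules.sh   (then inspect, then: sudo sh rules.sh)
if [ "$#" -eq 3 ]; then
    gen_rules "$@"
fi
```

Two practical notes. The `--rcheck --seconds 60` window means the knock must precede the VPN handshake by under a minute, and only the knocking IP is admitted, so knocking from a phone hotspot and connecting from a laptop on a different address will not work. The audit also flags `PermitRootLogin=no` as written in step 2, because sshd_config wants `PermitRootLogin no` (whitespace, not an equals sign); test every change with `sshd -t` and an open second session before you log out.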



--
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq