LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 12-12-2012, 11:14 PM   #1
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Rep: Reputation: 30
Question employee@home


Hi--

A new employee, E, will be working from home. Production environment.

What is the most securce and elegant way to set up a network to allow E to log in to the server?

Main office: server is Ubuntu 12.04.1 LTS, serving up Samba shares to a half dozen Ubuntu 12.04.1 boxes and an Win XP Pro box. Desktops running LibreOffice and some vintage Windows things via Remmina. Connection is cable behind a router.

E's computer: will probably be Xubuntu 12.04 LTS. Connection is DSL behind a router.

I am thinking I want some sort of an ssh tunnel. I have done an ssh tunnel to a proxy server using tsocks, so I wonder if this would be similar?

Or is there a better way than ssh? Or in addition to ssh?

Thanks!
 
Old 12-13-2012, 04:05 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
Well ssh is not the most secure or elegant, but it would probably work very well with just about zero setup, especially on the client side. The biggest issue on that side would be their identification and authentication. Can you / would you want to restrict them to known IP addresses? Only a few users? Enforce key based authentication? two factor?

Using the SSH transport, nx might be a good solution for remote desktop access.
 
Old 12-13-2012, 10:58 AM   #3
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
The textbook solutiuon (and the most common one) is a VPN. Setting up a VPN between two Linux boxes is simple and costs nothing. It can put your remote machine on the same network as your office, so the remote user can work as if in the office as far as network connection is concerned.

I have found OpenVPN to be easier to configure than StronSwan, however the latter is standard based and can work with a larger range of devices, not just Linux computers.
 
Old 12-16-2012, 05:55 PM   #4
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Original Poster
Rep: Reputation: 30
Question

acid_kewpie and nikmit--

Thanks for helping me!

Forgive me for being so long in getting back to you. I obviously need the help of an additional employee, since I was too busy to get back to you until now!

Wasn't aware of security issue with ssh. What's the thumbnail on that?

I generally try to make things as secure as I can. So yes, I would restrict to a particular ipaddress, and only one person would get in through the firewall.

By "key" I suspect you mean gpg, but that I have not figured out yet. Or perhaps you mean key generation under ssh (I see there is an ssh-keygen which looks like less of a learning curve than gpg)?

What do you mean by two factor?

I have kind of ruled out vpn, since that means we would need a dedicated machine in the office for the person to take over that desktop. VPN is only for controlling an "inside" desktop, yes?

Plus, I see vpn as just more computer overhead and slowing of the work through-put, because it goes through two computers. What I want is for E to pull the samba share files up on his computer, and work on them directly there, while the files stay on the server here.

Thanks acid_kewpie and nikmit!
 
Old 12-17-2012, 04:08 AM   #5
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
two factor is using a key fob or other one time password technique. Ideally you shouldn't be opening yourself up to brute force attacks, and if all accounts that are able to log in have constantly changing passwords, you'll never risk being subject to a brute force password attack. the simpler alternative over ssh is a preshared key, not gpg at all, which replaces the password with a digital signature, meaning it's impossible to log in without that key file on the client.

VPN's are absolutely NOT for taking over a machine, they are how you make a remote machine appear to be on a local network. The provide a direct network connection between two remote networks, and this would be the classic default way you would do what you want.
 
Old 12-17-2012, 09:07 AM   #6
evgenyz
Member
 
Registered: Sep 2012
Posts: 48

Rep: Reputation: Disabled
The most securce and elegant way to set up a network to allow E to log in to the server is definitely a VPN connection.
However, for one working from home it's happen to be out of his desk for a while (shopping, banking etc). From my experience I know that the most critical problems are happen when I'm out of my desk (Murphy's law).
I examine now email-to-application communication tool which allows men-to-application communication from any smart phone device using encrypted email messages.
Using such tool, you can react faster to system events or at least provide the "first line of response" until you came back to your desktop and establish VPN connection with the server.
 
Old 12-17-2012, 09:19 AM   #7
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
Quote:
Originally Posted by evgenyz View Post
The most securce and elegant way to set up a network to allow E to log in to the server is definitely a VPN connection.
However, for one working from home it's happen to be out of his desk for a while (shopping, banking etc). From my experience I know that the most critical problems are happen when I'm out of my desk (Murphy's law).
I examine now email-to-application communication tool which allows men-to-application communication from any smart phone device using encrypted email messages.
Using such tool, you can react faster to system events or at least provide the "first line of response" until you came back to your desktop and establish VPN connection with the server.
sounds pretty contrived. There are plenty of ssh clients for Android and the likes, just log in on your phone...
 
Old 12-17-2012, 09:34 AM   #8
evgenyz
Member
 
Registered: Sep 2012
Posts: 48

Rep: Reputation: Disabled
That's correct, but what you are going to do with mobile ssh client if your organization prevents ssh connection?
In the contrary, the email port is always open...
 
Old 12-17-2012, 09:36 AM   #9
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968Reputation: 1968
smtp might be open, but having a dedicated system behind it to process email for this... blimey.
 
Old 12-17-2012, 09:45 AM   #10
evgenyz
Member
 
Registered: Sep 2012
Posts: 48

Rep: Reputation: Disabled
Quote:
smtp might be open, but having a dedicated system behind it to process email for this... blimey
It's not a dedicated system...
The configuration is pretty smart and not requires any smart phone client.
Again, it's not a replacement, it's just complementary way for inexpensive communication with the server side. Even if you have a Mercedes in your garage, some times you prefer to use bike...
I't just a matter of situation...
 
Old 12-17-2012, 11:21 AM   #11
doublequote
LQ Newbie
 
Registered: Dec 2012
Posts: 6

Rep: Reputation: Disabled
Just to mention a few email based tools: RECEME, RemoteByEmail, GCALDaemon and now this alessoft.
I agree with evgenyz: it's good complementary solution.
 
Old 12-17-2012, 11:19 PM   #12
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Original Poster
Rep: Reputation: 30
Question

Wow folks! You are sending me back to the books to look into VPN, for sure.

I do not understand the email and smart phone stuff--perhaps because I do not have a smart phone and do not see the use of one for accessing a network and doing work on Libre Office or a spreadsheet. Seems cumbersome to me. Also sounds to me from your "the email port is always open" that E's machine would have to be set up to be an email server, which we would not do. (Which points up the necessity to lock down this machine strongly, too.)

For VPN, I had pictured how I use it: using remmina to login to a Win machine for an app not on Linux.

I like the idea of a pre-shared key, and I suppose you connect that with your key fob point, and give E a thumb drive with that key on it (wonder if there is a way to make that not able to be copied?), which if I can get E to remove it when not at the machine, would add a layer of security.

Thanks very much for all your help, acid_kewpie, evgenyz, and doublequote!
 
Old 12-17-2012, 11:24 PM   #13
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Original Poster
Rep: Reputation: 30
Exclamation

Well that remote by mail stuff is scary!

I will need to make sure there is no email allowed in or out on the computer I provide to E. E can use E's own computer for email, which should not be necessary for E's work.

Thanks for putting me on to this!
 
Old 12-18-2012, 05:07 AM   #14
evgenyz
Member
 
Registered: Sep 2012
Posts: 48

Rep: Reputation: Disabled
It's scary only if you use the "home made" solution. If you use commercial tool it probably solves all seccurity and configuration issues.
But this is only one of a several ways. Just be aware of the existence of different access methods and choose what is right for you.
 
Old 12-18-2012, 10:47 PM   #15
dgermann
Member
 
Registered: Aug 2004
Distribution: Ubuntu 8.04.1 desk; Red Hat 9.0 server
Posts: 298

Original Poster
Rep: Reputation: 30
Question

Thanks, evgenyz!

I've got lots of reading to do on vpns!
 
  


Reply

Tags
employee, home, ssh, tunnel


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Monit - your best employee LXer Syndicated Linux News 0 06-12-2011 01:31 AM
LXer: Monit - your best employee LXer Syndicated Linux News 0 06-12-2011 12:40 AM
Hello from an Opera employee ruario LinuxQuestions.org Member Intro 3 01-05-2011 06:05 AM
Employee monitoring iamnotherbert Linux - Networking 11 04-05-2007 05:04 AM
An Ex-MS employee says... Hitboxx General 2 11-29-2006 04:40 PM


All times are GMT -5. The time now is 11:08 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration