Quote:
Originally Posted by jason955
Thanks Skaperen for your reply. I do have SSHD running and port forwarding set up to get through the firewall. I am running SSHD with password authentication (very complex password) on port 22 and running fail2ban. I was under the impression that this was a pretty secure setup.
It is generally secure if all the right steps are taken (like the complex passwords, or the use of SSH keys). There is some potential for a light DoS attack. Changing to another port number just avoids the "noise" in your logs, which makes it easy to see more legitimate security issues happening in those logs. It won't prevent even a DoS attack, but the attacker has to find your port number to do anything more than a traffic volume attack. Unless you are a particularly interesting target, they will just move on if port 22 (and a few other well known commonly exploitable ones) doesn't answer (they are more interested in finding another usable host to launch other kinds of attacks from).
Quote:
Originally Posted by jason955
How would I go about setting up the forwarding on the server so that I can access the other computers?
The server configuration needs to have forwarding allowed. Then on the client side, use the -L option for local forwarding where the client listens to other ports and the server makes the designated connections. Or use the -R option for remote forwarding where the server listens to other ports and the client makes the designated connections. These can also be configured in the config file. The man files for ssh and sshd have more details.
Quote:
Originally Posted by jason955
I did try running encryption on my router (ASUS WL500GP with OpenWRT firmware) using openvpn but my router doesn't have hardware encryption and gets taken to its knees running just a small amount of VPN traffic.
How unfortunate. The small SoC CPUs they put in these don't generally have that much power. Hardware encryption would add a few dollars cost, so they won't do that in a market where a couple dollars can make a consumer buying decision. For a lot more dollars a higher end router could support that.
Some people recycle their older server or desktop hardware into router duty and put in one of the special firewall distros. But a carefully configured Debian or Slackware can do just as well (depends on whether you want that as an opportunity to try another distro, or prefer to just keep things as much alike as possible). Add another ethernet port or two and you're good to go.
Or just push the crypto work off to your server, whether for SSH or for OpenVPN. Just open a port on the router to let that traffic through.
FYI, I'm using the Buffalo WZR-HP-AG300H firewall router which has DD-WRT Linux built in with their own customized web front end. It can be loaded with a public DD-WRT or other small firewall distro. But I haven't needed to. And I have not put it to crypto duties to see what it can do, either, since I am doing the SSH thing from internal server to external server (both forwarding and VPN concurrently).
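The -L / -R forwarding described in the reply above, as an added example that is not part of the original post. Host names and addresses are assumptions: "gateway" (gateway.example.net) stands for the home SSH server reached through the router's port forward, and 192.168.1.20 is a constructed LAN address of another machine behind it. The helper functions build the client command lines, emit the equivalent ~/.ssh/config stanza, and check an sshd_config for an explicit AllowTcpForwarding no, which is the server-side setting that would block either direction.

```shell
#!/bin/sh
# Added example, not code from the original thread. Assumed names:
#   gateway / gateway.example.net  - the home SSH server behind the router
#   192.168.1.20                   - constructed LAN address of another PC

# Local forward (-L): the client listens on LOCAL_PORT and the server makes
# the connection to TARGET_HOST:TARGET_PORT on its side of the link.
# Binding to 127.0.0.1 keeps the listener off the client's other interfaces.
local_forward_cmd() {
  # usage: local_forward_cmd LOCAL_PORT TARGET_HOST TARGET_PORT SERVER
  printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s' "$1" "$2" "$3" "$4"
}

# Remote forward (-R): the server listens on REMOTE_PORT and the client makes
# the connection to TARGET_HOST:TARGET_PORT on its own side of the link.
remote_forward_cmd() {
  # usage: remote_forward_cmd REMOTE_PORT TARGET_HOST TARGET_PORT SERVER
  printf 'ssh -N -R 127.0.0.1:%s:%s:%s %s' "$1" "$2" "$3" "$4"
}

# The same two forwards expressed in ~/.ssh/config, so "ssh gateway" sets
# them up without retyping the options (see ssh_config(5)).
client_config_stanza() {
  cat <<'EOF'
Host gateway
    HostName gateway.example.net
    Port 22
    User jason
    IdentityFile ~/.ssh/id_ed25519
    LocalForward 127.0.0.1:3390 192.168.1.20:3389
    RemoteForward 127.0.0.1:8022 127.0.0.1:22
EOF
}

# Server side: sshd allows TCP forwarding by default, so only an explicit
# "AllowTcpForwarding no" in sshd_config ($1) blocks it. Returns 0 if allowed.
forwarding_allowed() {
  if grep -Eiq '^[[:space:]]*AllowTcpForwarding[[:space:]]+no' "$1"; then
    return 1
  fi
  return 0
}

# Stand-alone usage: print the commands and the config stanza.
local_forward_cmd 3390 192.168.1.20 3389 gateway; echo
remote_forward_cmd 8022 127.0.0.1 22 gateway; echo
client_config_stanza
```

With the -L line, an RDP client on the laptop pointed at 127.0.0.1:3390 reaches 192.168.1.20:3389 on the home LAN through the single port the router forwards; the -R line does the reverse, letting something on the server reach port 22 on the client's side. The forwarding_allowed check is the thing to run on the server when a forward silently fails to connect.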