LinuxQuestions.org
LinuxAnswers - the LQ Linux tutorial section.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-06-2012, 07:26 AM   #1
doublequote
LQ Newbie
 
Registered: Dec 2012
Posts: 6

Rep: Reputation: Disabled
ssh over firewall


Hi all,
I just need your professional opinion regarding the possible threats if the enterprise firewall opens tunnel for ssh connection. While I'm traveling, I want be able to connect to my servers using mobile ssh client, but the security department in my organization completely disables any type of external connections except VPN.
Do you have an idea what the reason for such paranoid security??? The ssh is very safe as far as I know...

Thanks in advance.
 
Old 12-06-2012, 07:47 AM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,943
Blog Entries: 5

Rep: Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753
If you have vpn into the network why not open up a vpn session then use ssh (e.g. PuTTY) in your vpn protected setup?

Any protocol can be exploited even vpn and ssh. If they've opened up the firewall to allow for vpn why punch another hole in security by also opening ssh?

Those who do use ssh remotely often change to a nonstandard port (e.g. don't use 22) to help obfuscate the availability of ssh.

If your company allows you to create outbound connections as many do there ARE ways to setup your own tunnel but again I'd ask why not go ahead and use the vpn connection?
 
Old 12-06-2012, 08:12 AM   #3
doublequote
LQ Newbie
 
Registered: Dec 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Thanks for responding,
I'm talking about the situations when I don't have access to the desktop (while I'm traveling). I don't have the ability to connect to the VPN from my smartphone. This is why I asked if I can use ssh client application to connect somehow to the server and got strictly negative answer...
You also mentioned that "If they've opened up the firewall to allow for vpn why punch another hole in security by also opening ssh?".
This exactly my question: What is the concern to open ssh tunnel???

Thanks!
 
Old 12-06-2012, 08:38 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962
well all you've said is "ssh" generically, if you are permitting password authentication, then you're open to all sorts of brute force attacks in theory.

Fundamentally, the fewer routes in the safer. You want to open up a port over which they will have no control? It doesn't sound at all unreasonable to me.
 
1 members found this post helpful.
Old 12-06-2012, 08:42 AM   #5
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,943
Blog Entries: 5

Rep: Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753
The concern is simply to minimize exposure. If you have one port open to the world that is the only port that can be used as a vector for attack. If you have two ports open then you've allowed another vector. The first rule of security is turn off unnecessary services to minimize exposure. As I noted before any protocol can be exploited (even vpn and ssh) with enough effort. Do a web search for "how to hack ssh" and you'll find many hits. Does this mean ssh is really insecure - no - does it mean you shouldn't open it without a valid need - YES!

If you have a requirement to regularly access the system from locations other than your home then you might want to ask your organization to give you a VPN enabled laptop rather than a desktop.
 
1 members found this post helpful.
Old 12-06-2012, 08:56 AM   #6
doublequote
LQ Newbie
 
Registered: Dec 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Ok, thanks, this make sense... So I have to carry on VPN enabled laptop with me...
 
Old 12-06-2012, 09:32 AM   #7
sundialsvcs
Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 5,231

Rep: Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071Reputation: 1071
In my opinion, your IT department's policy is correct: the gateway to the outside should be VPN. And furthermore, access to that VPN portal should be by means of individually-issued digital certificates, uniquely issued to you by them and therefore uniquely revocable by them.

Within the VPN portal, access to other resources should be as they would be considered appropriate within the building's hard-wired and presumably isolated local network. e.g. If a particular resources is ssh-only accessible within the walls, it should remain so by those who, through VPN, have "come within the walls."

But ssh should not in my opinion be exposed directly to the outside world. Your IT department has a single, centrally managed and centrally manageable, "gateway to the outside world," and that is VPN. No other alternative should exist.

VPN with certificates will enable you, and only you, to obtain access from anywhere. Simply enter the encryption-key for the certificate they gave you, and more-or-less ignore the existence of the encryption layer.

Last edited by sundialsvcs; 12-06-2012 at 09:33 AM.
 
2 members found this post helpful.
Old 12-06-2012, 11:35 AM   #8
doublequote
LQ Newbie
 
Registered: Dec 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
I agree that the opening ssh connectivity to the external world is not safe. Thanks for explanation. However, carrying on the the laptop is not always easy and the network is not always available... A few times I found myself thousands miles away from my servers and was not able to connect and fix some small problems. I was need to instruct somebody over the phone how to log in and what to do, and unfortunately was need to expose sensitive application passwords as well without the ability to change them until I came back to work...
May be this email communication solution the evgenyz wrote about is good alternative (especially if they provide encrypted communication)?
Again, in 95% of the cases I can establish VPN connection from the desktop, but I'm talking about 5% of the situations that can be critical...
Thanks any way!
 
Old 12-07-2012, 08:24 AM   #9
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,943
Blog Entries: 5

Rep: Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753
Quote:
Originally Posted by doublequote View Post
Ok, thanks, this make sense... So I have to carry on VPN enabled laptop with me...
Yes. This is what I've done for years. That doesn't mean I carry it around all the time but if I'm going to be away from home at some distance or for an some extended time I do have the laptop in the trunk of my car so I'm never more than a few minutes from it.

I'd really hate to have to try to troubleshoot server issues from a smart phone. Not saying it isn't possible but I do believe it would take more effort than I'd want to have to make in the middle of whatever issue caused me to access the server in the first place.

Last edited by MensaWater; 12-10-2012 at 09:34 AM.
 
Old 12-07-2012, 08:44 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962
Note that there are plenty of ways to get a VPN to an insecure machine. Cisco, F5 and many others have vm based solutions which can deliver an entire desktop in jvm form to you via a browser connection. It's just all about playing by the corporate rules.
 
Old 12-07-2012, 02:03 PM   #11
doublequote
LQ Newbie
 
Registered: Dec 2012
Posts: 6

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by MensaWater View Post
Yes. This is what I've done for years. That doesn't mean I carry it around all the time but if I'm going to be away from home at some distance or for an some extended time I do have the laptop in the trunk of my car so I'm never more than a few minutes from it.

I'd really hate to have to try to troubleshot server issues from a smart phone. Not saying it isn't possible but I do believe it would take more effort than I'd want to have to make in the middle of whatever issue caused me to access the server in the first place.
Yes, but this more personal preference rather than professional opinion. Personally, I would love to have an option to access the servers from smart phone. Just as an "extra" option which is nice to have when it available...
 
Old 12-10-2012, 09:37 AM   #12
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,943
Blog Entries: 5

Rep: Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753Reputation: 753
You may get it some day. I've heard buzz about BYOD (Bring Your Own Device) in recent months. Once companies realize they can save money by making you provide your own equipment they may be willing to setup the infrastructure that helps securely allow for it. (Or more frighteningly will simply do it without regard to security.)
 
Old 12-10-2012, 11:30 AM   #13
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,373

Rep: Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962Reputation: 1962
Quote:
Originally Posted by MensaWater View Post
You may get it some day. I've heard buzz about BYOD (Bring Your Own Device) in recent months. Once companies realize they can save money by making you provide your own equipment they may be willing to setup the infrastructure that helps securely allow for it. (Or more frighteningly will simply do it without regard to security.)
Or rather - "companies read somewhere and then get it into their read they can save money". YMMV!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
SSH behind firewall kamransoomro84 Linux - General 9 06-22-2009 11:32 PM
ssh firewall sanjibgupta Linux - Security 1 09-23-2005 09:59 AM
ssh firewall jumbled Linux - Security 6 04-11-2005 09:01 AM
Ssh behind a firewall muneebs Linux - Newbie 3 02-03-2005 07:36 PM
SSH behind a firewall fedenini Linux - Networking 4 08-26-2004 11:57 AM


All times are GMT -5. The time now is 11:18 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration