Connecting to a server from an insecure environment
Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Connecting to a server from an insecure environment
Hello,
I would like to know how I'd need to secure my server to be able to connect to it from a host that is considered to be insecure.
Basically, I am working on a project in my CS lessons where they are using Windows desktops.
This project has grown to a scale where I need a multi-user database (previously used SQLite3) and a Redis storage, which requires a full-blown Linux system instead of Cygwin which I used beforehand.
Luckily I have two Linux VPSs to which I have full access to and both are easily capable of handling what I am developing.
Now, the thing is that those desktops are using Reborn cards to reset their state on boot - they're essentially running year-old software, leaving an open gateway for trojans and the likes.
Of course I know how this sounds and that this is in no way appropriate for an educational environment or any environment really, but sadly I'm unable to change this at the moment.
My problem is that I am really unsure about how I should connect to one of my VPSs under this circumstances to not risk getting them compromised.
I thought of adding a new user with another key-pair in a chroot jail, but I'm not sure if that is enough as I'll essentially need a MariaDB, redis and Ruby instance running 24/7 in that jail with the ability to spawn other Ruby processes, as well as allow both in- and outgoing connections (to a specific list of hosts).
Despite the connections, the web server will not be public and will run in development mode on localhost, which is why I plan to access it using an SSH tunnel.
I know that this is a pretty bad idea and can have severe repercussions, but at the moment it appears to be the only thing I could do to continue working.
If anyone has any experience on how to setup something like this or has a reasonable alternative, then I'd be very happy if you'd be able to share it.
Well - the simplest explanation for this that i can think of, would be to secure RDP an unchangeable/static windows VM that can only run putty, then putty from there into the VPS. Or if you are on windows, then VNC to a linux desktop and ssh from there. And of course use chroot jails, good permissions, firewall and selinux rules.
The amount of things a virus would have to know to spread through an SRDP session, run itself remotely somehow, then copy itself through ssh and run itself is pretty specific.
edit: OR, set up a web based ssh emulator on the VPS box and do your tasks through the web console. That way, only text can get through.
Last edited by szboardstretcher; 02-28-2014 at 12:12 PM.
[...] secure RDP an unchangeable/static windows VM that can only run putty, then putty from there into the VPS. Or if you are on windows, then VNC to a linux desktop and ssh from there [...]
That is a pretty great idea I didn't even think of, but as I mentioned in the first post the machines do not save any changes - which means I'd need to run a portable VM from an USB drive.
Now while I have experience with VMs, I do not have any with portable ones, although according to a quick Google search those do exist, but are comparably slow.
Quote:
Originally Posted by szboardstretcher
[...] set up a web based ssh emulator on the VPS box and do your tasks through the web console [...]
Of what I've read before, web-based terminals are horribly insecure, partly because browsers are also a very big attack vector, which is why I'd prefer to refrain from setting up such a shell.
I guess I'd be fine doing that, at least with a mature and protected web-shell.
Still, I am pretty sure that I won't be able to establish a tunnel to the server that way,
which is necessary for accessing the Ruby web server running in development mode (bound to localhost),
meaning that I might be forced to go the way of the portable VM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.