[SOLVED] Need to set up secure remote access to file server

aes canis · 10-03-2011, 04:29 AM

Ok, I know Google is supposed to be my friend and so on, but this time it hasn't helped much.

Here is the situation. For a small company, we have a server running Ubunut 10.04 Server. Last week, I set it up so that we can use it as a file store and printer share.

The idea is so that we have personal directoies (protected) and a Public drive that all can access.

One of our employees travels frequently, but still could do with accessing the public directory as well as his personal one. He has a Windows PC, so expects to use Windows Explorer for file managing.

The connection to the internet is via modem/router. The modem router also connects the offic e PCs and server.

I can set the modem for NAT &/or port forwarding.

What would be the best solution for this?

When I have looked ofr things like "VPN" I find tutorials for setting up spare PCs as VPN servers and so on. For remote file access, they seem to talk about using command line.

The set up should be someting like this:

Code:

    remote PC
        |
        |
     internet
        |
        |
   modem/router
    |     |  |
    |     |  |
  server  PC PC
  |    |
File  Printer
server

Can someone give me, at least a top level view o fthe set-up I ought to be using?

thanks

nkoplm · 10-03-2011, 10:12 PM

what program/protocol are you using to serve your files?

if you are using to serve your files?

if you are using sftp, which is a common one, there are a ton of sftp clients available for windows. Some of them probably even integrate into the windows shell if that is something you really desire.

I personally use winscp(.com) and am quite pleased with it.

the only tricky part might be opening up port 21... or is it 22... maybe both for sftp.. to the outside world.
but if you ever ssh into your server from outside the company, then it should be good to go already.

aes canis · 10-04-2011, 12:45 PM

I was fumbling in the dark yesterday (figuratively speaking, so stop sniggering at the back...

)

I hadn't a real clue as to what I should be doing. I only really knew what I wanted at the end of it.

OK, Here's the set-up now.

The server has some home directories, two private and two public.
The private ones can only be accessed by the respective users. The public ones can be accessed by any one. Configuring Samba through Webmin, I set the /home directory to be shared.

Using ssh://username@host_ip/home I can login to the personal folders from my laptop. Both the laptop and and server are behind the router modem.

I have just installed OpenVPN on the server.

Once this is up and running, should the router's port forwarding still be FTP on 22?

taylorkh · 10-05-2011, 08:59 AM

Hi aes canis,

I am not an expert at network design but I have done some and used many networks and security implementations. I also tend to be somewhat paranoid (anal?) when it comes to connecting to the Internet. With that strange intro let me add a couple of thoughts to the picture...

A VPN is an important piece of the solution. It will keep your traffic safe from prying eyes while it travels around the Internet.

Your Modem/Router also serves the function of FIREWALL. It serves to protect your Company network from the Internet. If you "poke a hole" in the firewall to allow VPN connections to your server you invite other malicious traffic to sneak in.

The "enterprise level" approach to dealing with this is to establish a "DMZ" and place a server there to allow the VPN clients to connect and authenticate on that server. The "DMZ" is a region which is not really part of the Internet and it is not part of your Company network. It allows connections FROM the Internet but prevents the connections from getting unrestricted access to the Company network. I believe that the VPN should connect to and authenticate with the server in the DMZ. Then, if the connection is approved it could be allowed some level of access to resources on the Company network.

As to a small company implementation... Your router probably provides the capability to create a DMZ. My $39 home router provides one. In the setup it states

Quote:

Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access. If you do not assign a Default DMZ Server, the router discards any incoming service requests which are undefined.

That said... The VPN server would not have to be a physical box. Perhaps a virtual server running under VMWare Player. The router could point DMZ traffic to the virtual server, it would do the VPN business and then allow approved traffic to the files on the physical server. The virtual server will need to be reasonably "hardened" from a security standpoint.

Another random thought... Of course you will need a static IP address from your ISP to make this work.

Ken

aes canis · 10-28-2011, 03:16 AM

Thanks for the advise & what not.
I have installed OpenVPN server on the host server and clients on the other PCs.
The VPN works now. Have different issue with Samba though...