LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-27-2019, 05:33 PM   #1
Doug Hutcheson
Member
 
Registered: Jun 2009
Location: Queensland
Distribution: Fedora 30; HP Pavilion 8Gb and Acer Aspire 16Gb; both Intel Core-i7
Posts: 282

Rep: Reputation: 22
How to remotely backup and administer over the net without compromising security?


This is my first post to the security forum. I hope I am in the right place.

I have an imminent need to be able to backup and administer two WinXX and one Linux machine - 3 separate sites.

What is the best way to do this without opening the remote sites to attack?

Kind regards,
Doug.
 
Old 06-27-2019, 05:38 PM   #2
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,960

Rep: Reputation: 5827
Quote:
Originally Posted by Doug Hutcheson
This is my first post to the security forum. I hope I am in the right place.

I have an imminent need to be able to backup and administer two WinXX and one Linux machine - 3 separate sites.

What is the best way to do this without opening the remote sites to attack?

Kind regards,
Doug.
For the Linux system, you can easily set up OpenVPN, and make a secure connection that way. Would never, EVER, allow root logins via network, nor would I allow VNC, but your standard SSH with X forwarding will let you get pretty much everything done.

No ideas about Windows, or even if it's possible to load OpenVPN on it, though I'd imagine it could be done. Which only leaves you with being able to use RDC, which is yet another enormous security hole. But those are better questions for a Windows forum.
 
2 members found this post helpful.
Old 06-27-2019, 05:41 PM   #3
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
I would suggest a VPN personally. Assuming you have firewalls at each site. Do these have VPN capability?
 
3 members found this post helpful.
Old 06-27-2019, 05:47 PM   #4
scasey
Senior Member
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.6
Posts: 3,812

Rep: Reputation: 1281
I can't speak to the Windows machines, but we use passwordless ssh to the Linux server for both administration and backup.
Backup using rsnapshot; ssh and sftp for administration, although we also use Webmin for some admin tasks.

"without opening the remote sites to attack" -- attacks are going to happen. The challenge is to have them always be unsuccessful.

Edit: OH! Didn't think about VPN. Good points there!

Last edited by scasey; 06-27-2019 at 05:50 PM.
 
1 members found this post helpful.
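As an added example (not code from any of the posters), here is a small POSIX shell audit of the two sshd settings the replies above recommend: no root login over the network (post #2) and key-only, "passwordless" authentication (post #4). It reads the global section of an sshd_config-style text, so it can be fed `sshd -T` output or the constructed samples embedded below; the OpenSSH defaults it assumes for unset keywords are marked in the code.

```shell
#!/bin/sh
# Added example, not code from the thread: audit an sshd_config for the
# hardening the replies recommend. Reads the GLOBAL section only (stops at the
# first Match block). Defaults used for unset keywords are OpenSSH's own; feed
# it `sshd -T` output to get effective values instead.

# get_setting KEYWORD CONFIG -> effective global value, empty if unset
get_setting() {
    printf '%s\n' "$2" | awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { gsub(/=/, " ") }                      # accept Keyword=value form too
        /^[[:space:]]*(#|$)/ { next }           # skip comments and blank lines
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == key { print $2; exit }   # sshd uses the FIRST value
    '
}

# check_setting KEYWORD DEFAULT WANTED CONFIG -> prints OK/FAIL, returns 1 on FAIL
check_setting() {
    val=$(get_setting "$1" "$4"); src=set
    [ -n "$val" ] || { val=$2; src=default; }
    if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$3" ]; then
        printf 'OK    %-22s %s (%s)\n' "$1" "$val" "$src"
    else
        printf 'FAIL  %-22s %s (%s), want %s\n' "$1" "$val" "$src" "$3"
        return 1
    fi
}

# audit_sshd_config CONFIG -> one line per check, return code = number of FAILs
audit_sshd_config() {
    n=0
    check_setting PermitRootLogin        prohibit-password no  "$1" || n=$((n + 1))
    check_setting PasswordAuthentication yes               no  "$1" || n=$((n + 1))
    check_setting PermitEmptyPasswords   no                no  "$1" || n=$((n + 1))
    check_setting PubkeyAuthentication   yes               yes "$1" || n=$((n + 1))
    return $n
}
# Constructed samples (not real site configs): a loosened file and a hardened one.
WEAK_CFG="Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Match User backup
    PermitRootLogin no"
HARDENED_CFG="PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes"
echo "--- weak sample";     audit_sshd_config "$WEAK_CFG"     || echo "$? finding(s) to fix"
echo "--- hardened sample"; audit_sshd_config "$HARDENED_CFG" && echo "clean"
```

Note that the `PermitRootLogin no` inside the `Match User backup` block of the weak sample does not rescue it: the global `yes` is what applies to everyone else, which is why the audit stops reading at `Match`.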
Old 06-27-2019, 05:50 PM   #5
Doug Hutcheson
Member
 
Registered: Jun 2009
Location: Queensland
Distribution: Fedora 30; HP Pavilion 8Gb and Acer Aspire 16Gb; both Intel Core-i7
Posts: 282

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by sevendogsbsd
I would suggest a VPN personally. Assuming you have firewalls at each site. Do these have VPN capability?
Hmmm ... You are talking to a VPN newbie. I suspected this would be the way to go, but have never set one up. Another exciting learning curve looms ...

I have no idea if the firewalls are VPN aware, but they are whatever comes with Fedora 30.

Thank you for your helpful reply.
 
Old 06-27-2019, 05:53 PM   #6
Doug Hutcheson
Member
 
Registered: Jun 2009
Location: Queensland
Distribution: Fedora 30; HP Pavilion 8Gb and Acer Aspire 16Gb; both Intel Core-i7
Posts: 282

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by TB0ne
For the Linux system, you can easily set up OpenVPN, and make a secure connection that way. Would never, EVER, allow root logins via network, nor would I allow VNC, but your standard SSH with X forwarding will let you get pretty much everything done.

No ideas about Windows, or even if it's possible to load OpenVPN on it, though I'd imagine it could be done. Which only leaves you with being able to use RDC, which is yet another enormous security hole. But those are better questions for a Windows forum.
Very helpful information - thanks for the prompt replies everyone!
 
Old 06-27-2019, 08:27 PM   #7
battlestationX
LQ Newbie
 
Registered: Jun 2019
Posts: 16

Rep: Reputation: Disabled
There's a tool called Duplicity which is for "encrypted bandwidth-efficient backup using the rsync algorithm", and the Linux Foundation endorses it. So you don't need to use a VPN, as Duplicity uses GPG.

See https://www.linux.com/learn/managing...x-part-1%20%20 and https://www.linux.com/learn/backing-linux-duplicity

If you want to setup OpenVPN see
https://youtu.be/XcsQdtsCS1U
https://openvpn.net/community-resour...vpn-quickstart
https://help.ubuntu.com/lts/serverguide/openvpn.html

The linked Hak5 video follows these guides.

Last edited by battlestationX; 06-27-2019 at 08:46 PM.
 
1 members found this post helpful.
Old 06-28-2019, 06:47 AM   #8
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,960

Rep: Reputation: 5827
Quote:
Originally Posted by battlestationX
There's a tool called Duplicity which is for "encrypted bandwidth-efficient backup using the rsync algorithm", and the Linux Foundation endorses it. So you don't need to use a VPN, as Duplicity uses GPG.

See https://www.linux.com/learn/managing...x-part-1%20%20 and https://www.linux.com/learn/backing-linux-duplicity

If you want to setup OpenVPN see
https://youtu.be/XcsQdtsCS1U
https://openvpn.net/community-resour...vpn-quickstart
https://help.ubuntu.com/lts/serverguide/openvpn.html

The linked Hak5 video follows these guides.
Duplicity would work, but only if the OP needed to back up over a LAN/WAN link, and the OP mentioned they have to administer the systems too. For backup only that would work fine, but it doesn't address the administration part.
 
Old 06-28-2019, 07:04 AM   #9
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Quote:
Originally Posted by Doug Hutcheson
Hmmm ... You are talking to a VPN newbie. I suspected this would be the way to go, but have never set one up. Another exciting learning curve looms ...

I have no idea if the firewalls are VPN aware, but they are whatever comes with Fedora 30.

Thank you for your helpful reply.
So no hardware firewall? That question is driven by my paranoid nature: I have a small business hardware firewall appliance running pfsense protecting my home LAN. I personally would never expose any computer system to the Internet using only the OS firewall, but again, I am a paranoid security guy so to each his/her own. The exception to this is of course mobile devices, because they don't sit behind a network infrastructure we can control.
 
Old 06-28-2019, 07:20 AM   #10
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,144

Rep: Reputation: 2935
Say what?
In what conceivable sense is pfsense NOT an O/S firewall? We all run on hardware.

FWIW I found recovery from duplicity more work than it should be - and I refuse to use it as a consequence. But it was years ago.
 
Old 06-28-2019, 08:30 AM   #11
sevendogsbsd
Member
 
Registered: Sep 2017
Distribution: FreeBSD, OpenSUSE
Posts: 968

Rep: Reputation: Disabled
Sigh. What I mean is a network infrastructure in FRONT of the workstation/PC/server. Of course pfsense is a firewall and the PC is hardware; I meant a separate piece of hardware for the firewall. Heck, even an ISP router with FW capability is better than nothing.

Businesses and large organizations never run any assets without a network infrastructure. I am apparently the odd man out since I have an entire network infrastructure (fw, switches, router).
 
1 members found this post helpful.
Old 06-28-2019, 06:03 PM   #12
battlestationX
LQ Newbie
 
Registered: Jun 2019
Posts: 16

Rep: Reputation: Disabled
Quote:
Originally Posted by TB0ne
Duplicity would work, but only if the OP needed to back up over a LAN/WAN link, and the OP mentioned they have to administer the systems too. For backup only that would work fine, but it doesn't address the administration part.
Missed that admin part; in that case I recommend the OP set up a VPN concentrator (using hardware from https://www.gl-inet.com; all OpenWRT based), or buy one from http://www.tinyhardwarefirewall.com/.

As a side note, some motherboards come with an RJ-45 IPMI LAN port for remote management, or you can use https://shop.hak5.org/products/lan-turtle

Last edited by battlestationX; 06-28-2019 at 06:12 PM.
 
Old 06-28-2019, 06:11 PM   #13
battlestationX
LQ Newbie
 
Registered: Jun 2019
Posts: 16

Rep: Reputation: Disabled
Quote:
Originally Posted by sevendogsbsd
The exception to this is of course mobile devices, because they don't sit behind a network infrastructure we can control.
Unless you're using public wifi; then you will still want a travel router, with ethernet from your laptop to the router.

Last edited by battlestationX; 06-28-2019 at 06:13 PM.
 
Old 06-28-2019, 06:33 PM   #14
syg00
LQ Veteran
 
Registered: Aug 2003
Location: Australia
Distribution: Lots ...
Posts: 18,144

Rep: Reputation: 2935
Quote:
Originally Posted by sevendogsbsd
I am apparently the odd man out since I have an entire network infrastructure (fw, switches, router).
Not quite - I use a pi3 to isolate the house. Hence I have a somewhat jaundiced view of the "pfsense will save the world" mantra I so often hear.
Maybe I was a bit curt.
 
1 members found this post helpful.
Old 06-28-2019, 09:57 PM   #15
Doug Hutcheson
Member
 
Registered: Jun 2009
Location: Queensland
Distribution: Fedora 30; HP Pavilion 8Gb and Acer Aspire 16Gb; both Intel Core-i7
Posts: 282

Original Poster
Rep: Reputation: 22
Thanks again for all the help everyone.

I will be using local WiFi at each site, not public.

My major concern is how to open the firewall at my client sites without rendering them vulnerable to attack.

VPN sounds good on the surface, but I am still wading through documentation about how it all works.

I just want a secure tunnel to my client sites - is VPN the right fit for this task, or am I barking up the wrong tree?

Kind regards,
Doug.
 
All times are GMT -5. The time now is 04:44 AM.