LinuxQuestions.org
Old 06-28-2019, 10:05 PM   #16
battlestationX
LQ Newbie
 
Registered: Jun 2019
Posts: 16

Rep: Reputation: Disabled

^ Yes, just follow the OpenVPN guides I posted, or whatever documentation you're reading. There are other options (like SSH), but OpenVPN would be the best. Don't worry about opening up ports that will leave you vulnerable. OpenVPN has tls-auth (certificates) for authentication, and SSH (if you want to do that) has keys for authentication.

Edit: Disregard the tinyhardfirewall link I posted, as that's only a VPN client for other private VPN servers that you don't own, and it's pay-to-play. A VPN concentrator is a device that's dedicated to act as a VPN server. VPN clients from the outside connect to that, and then the concentrator decrypts the traffic and passes it through the network. Here's a link on how that works:
https://www.youtube.com/watch?v=sxBQZQM-RNk

Last edited by battlestationX; 06-28-2019 at 11:14 PM.
 
1 members found this post helpful.
Old 06-29-2019, 03:25 AM   #17
ondoho
LQ Addict
 
Registered: Dec 2013
Posts: 12,471
Blog Entries: 9

Rep: Reputation: 3377
Not sure if I'm stating the obvious here, but...
To some extent you are always compromising security if you open your machine to r/w access over the net.
The accepted way to minimise this seems to be SSH with SSH keys, no root or password login, and some other measures to harden it.
 
1 members found this post helpful.
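
The settings named in the post above (key authentication, no root login, no password login) can be checked against an `sshd_config` file. This is an added example, not part of the original post; the function names and the sample config are constructed for illustration, and the defaults are upstream OpenSSH's.

```shell
#!/bin/sh
# Added example (not from the thread): check an sshd_config for key-only,
# no-root login. Include files and Match blocks are not evaluated.

# effective_value FILE KEYWORD DEFAULT
# sshd keywords are case-insensitive and the first occurrence wins; global
# settings end at the first Match line. DEFAULT is used when unset.
effective_value() {
    awk -F'[ \t=]+' -v key="$2" -v def="$3" '
        { sub(/^[ \t]+/, "") }                  # drop leading indentation
        /^#/ || /^$/ { next }                   # skip comments and blanks
        tolower($1) == "match" { exit }         # conditional section starts
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE: one line per check, returns 1 if any check fails.
audit_sshd_config() {
    rc=0
    # keyword:required value:upstream OpenSSH default when the keyword is absent
    for check in \
        "PubkeyAuthentication:yes:yes" \
        "PasswordAuthentication:no:yes" \
        "PermitRootLogin:no:prohibit-password"
    do
        key=${check%%:*}; rest=${check#*:}
        want=${rest%%:*}; def=${rest#*:}
        got=$(effective_value "$1" "$key" "$def")
        if [ "$got" = "$want" ]; then
            echo "OK    $key $got"
        else
            echo "FAIL  $key is '$got', want '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: the later "PermitRootLogin no" is shadowed by the
# earlier "yes", so the audit reports a failure.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication no' 'permitrootlogin yes' \
    'PermitRootLogin no' > "$sample"
audit_sshd_config "$sample" || echo "sample config needs fixing"
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration as the daemon itself parses it, which is the authoritative check.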
Old 06-29-2019, 03:36 AM   #18
Doug Hutcheson
Member
 
Registered: Jun 2009
Location: Queensland
Distribution: Fedora 30; HP Pavilion 8Gb and Acer Aspire 16Gb; both Intel Core-i7
Posts: 282

Original Poster
Rep: Reputation: 22
You are certainly not stating the obvious to me and I thank you very much for your advice. Hardening SSH may be my easiest, thus best, course for remote backup and admin. I will keep studying VPN documentation for a solution to how to run something like VNC in order to watch and control the client session.

I am extremely grateful for all the advice. At going on 70 years of age, what was once simple to understand seems more baffling as the days go by! :-D

Kind regards
Doug
 
Old 06-29-2019, 01:45 PM   #19
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,952

Rep: Reputation: 5814
Quote:
Originally Posted by Doug Hutcheson View Post
You are certainly not stating the obvious to me and I thank you very much for your advice. Hardening SSH may be my easiest, thus best, course for remote backup and admin. I will keep studying VPN documentation for a solution to how to run something like VNC in order to watch and control the client session.

I am extremely grateful for all the advice. At going on 70 years of age, what was once simple to understand seems more baffling as the days go by!
Honestly, VPN isn't hard to set up at all any longer, and there are lots of easy-to-follow guides (such as this one for openSUSE: https://en.opensuse.org/SDB:OpenVPN_...tion_and_Setup), that not only tell you the tools to use, how to use them, but how to load the client software. Having VPN is (in my opinion), better than just using SSH alone, simply because it's a 'known' value. Most firewalls/appliances have templates or instructions for how to allow VPN traffic through. Once that tunnel is established, you can run anything you'd like, since you're essentially on the same network as the other machines.

Please, don't use VNC. There is absolutely no reason you need an entire desktop session to perform server administration. You can enable X forwarding on your SSH server, and run "ssh -X user@server", and that's it. Any GUI based application you run (like Chrome for example, but it could be ANYTHING), will show up on your desktop locally. That's it. VNC opens security holes that just don't need to be opened, and it can make logging in on the console flaky at times.
 
1 members found this post helpful.
Old 06-29-2019, 02:04 PM   #20
Doug Hutcheson
Member
 
Registered: Jun 2009
Location: Queensland
Distribution: Fedora 30; HP Pavilion 8Gb and Acer Aspire 16Gb; both Intel Core-i7
Posts: 282

Original Poster
Rep: Reputation: 22
Quote:
Originally Posted by TB0ne View Post
Honestly, VPN isn't hard to set up at all any longer
Thank you, thank you, thank you! Those instructions you linked to are exactly what I needed to see how it all works.

As the 'server' in each case will be one of my remote users, who are not particularly computer literate, what is the best way for me to watch what they are doing and use my mouse and keyboard to show them how to fix their problem?

Kind regards
Doug.
 
Old 06-29-2019, 05:37 PM   #21
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,952

Rep: Reputation: 5814
Quote:
Originally Posted by Doug Hutcheson View Post
Thank you, thank you, thank you! Those instructions you linked to are exactly what I needed to see how it all works.
There are other such tutorials for whatever version/distro of Linux you're using, so it'd be best to follow those...that one is for what I use, so it may be different in some ways for you. The installation commands could be different, such as "yum install openvpn" rather than "zypper install", etc. Those are basics.
Quote:
As the 'server' in each case will be one of my remote users, who are not particularly computer literate, what is the best way for me to watch what they are doing and use my mouse and keyboard to show them how to fix their problem?
For Linux, you don't 'watch' what they're doing...even RDC on Windows doesn't let you do that. What you *CAN* do is restrict what they can do/touch using sudo. Linux has privilege separation, so a 'regular' user can't just arbitrarily mess the system up.

However, given this new piece of information, it seems like you don't need to admin servers, but are providing tech-support for desktop machines. You don't need VPN for that, or SSH, but what you CAN use is Teamviewer. That will give you remote 'secured' access to their machines, and give you remote control. Works on Linux and Windows.
 
1 members found this post helpful.
Old 06-29-2019, 07:40 PM   #22
Doug Hutcheson
Member
 
Registered: Jun 2009
Location: Queensland
Distribution: Fedora 30; HP Pavilion 8Gb and Acer Aspire 16Gb; both Intel Core-i7
Posts: 282

Original Poster
Rep: Reputation: 22
Once again, many thanks. I have to do two things: 1) backup their machines to my external drive and 2) do remote tech support. VPN and SSH will allow the former, but I only ever have used VNC on a LAN to do tech support.

Last edited by Doug Hutcheson; 06-29-2019 at 11:55 PM. Reason: Stupid little keyboard on my phone!
 
Old 06-30-2019, 09:16 AM   #23
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 21,952

Rep: Reputation: 5814
Quote:
Originally Posted by Doug Hutcheson View Post
Once again, many thanks. I have to do two things:
1) backup their machines to my external drive
Why? There is zero problem if they have an external hard drive plugged in to THEIR machine. Should something get deleted, just copy it back. Doing a full backup of a WAN is going to be agonizingly slow, and restores won't be any better, either. If you're supporting someone who is technically challenged, they should have no problems with "Plug this in to the back of your machine and don't touch it". You can then connect to their machines, use whatever software you'd like to back up their files to the external drive (which will be MUCH faster), and you're done. Also, Teamviewer will allow you to copy files back and forth over the connection.
Quote:
and 2) do remote tech support. VPN and SSH will allow the former, but I only ever have used VNC on a LAN to do tech support.
Again, you can use Teamviewer on both Linux and Windows. It will give you full remote-desktop capabilities, controlling their session as if you were sitting in front of the machine. And the fact that you've only ever used VNC doesn't mean you can't (or shouldn't) learn something new. I'm not exactly young either, but I'm not going to continue to do what I've always done, if there's better ways to do things.

If all you're looking to do is remote tech-support and doing backups for people, then get them external drives and get them to load Teamviewer. You're then done.

Last edited by TB0ne; 06-30-2019 at 09:17 AM.
 
1 members found this post helpful.