Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Hi all,
I just need your professional opinion regarding the possible threats if the enterprise firewall opens a tunnel for ssh connections. While I'm traveling, I want to be able to connect to my servers using a mobile ssh client, but the security department in my organization completely disables any type of external connection except VPN.
Do you have any idea what the reason is for such paranoid security??? SSH is very safe as far as I know...
If you have vpn into the network why not open up a vpn session then use ssh (e.g. PuTTY) in your vpn protected setup?
Any protocol can be exploited even vpn and ssh. If they've opened up the firewall to allow for vpn why punch another hole in security by also opening ssh?
Those who do use ssh remotely often change to a nonstandard port (e.g. don't use 22) to help obfuscate the availability of ssh.
If your company allows you to create outbound connections as many do there ARE ways to setup your own tunnel but again I'd ask why not go ahead and use the vpn connection?
Thanks for responding,
I'm talking about the situations when I don't have access to the desktop (while I'm traveling). I don't have the ability to connect to the VPN from my smartphone. This is why I asked if I could use an ssh client application to connect somehow to the server, and got a strictly negative answer...
You also mentioned that "If they've opened up the firewall to allow for vpn why punch another hole in security by also opening ssh?".
This is exactly my question: what is the concern with opening an ssh tunnel???
Well, all you've said is "ssh" generically. If you are permitting password authentication, then you're open to all sorts of brute force attacks, in theory.
Fundamentally, the fewer routes in the safer. You want to open up a port over which they will have no control? It doesn't sound at all unreasonable to me.
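To make the brute-force point concrete, here is an added example that is not from any poster in this thread: a POSIX sh audit of the sshd_config keywords that matter once sshd is reachable from the Internet, run against a constructed weak config and a constructed hardened one. The account name admin and port 2222 are placeholders. The port number is deliberately not audited: moving sshd off 22, as suggested earlier, cuts log noise but is not an authentication control.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# that turn an exposed sshd into a brute-force target. Both configs below are
# constructed for the example; "admin" and port 2222 are placeholders.

WEAK_CFG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes'

HARDENED_CFG='Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers admin
MaxAuthTries 3
LoginGraceTime 30'

# sshd_option KEY: read a config on stdin and print the effective value of KEY.
# sshd(8) uses the FIRST occurrence of a keyword, so stop at the first match;
# keyword matching is case-insensitive; comments and blank lines are skipped.
sshd_option() {
    awk -v k="$1" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == tolower(k) { print $2; exit }'
}

# audit_sshd CONFIG: print one "FINDING: ..." line per risky setting.
# Values substituted for absent keywords are the OpenSSH defaults.
audit_sshd() {
    cfg=$1
    pw=$(printf '%s\n' "$cfg" | sshd_option PasswordAuthentication)
    cr=$(printf '%s\n' "$cfg" | sshd_option ChallengeResponseAuthentication)
    root=$(printf '%s\n' "$cfg" | sshd_option PermitRootLogin)
    users=$(printf '%s\n' "$cfg" | sshd_option AllowUsers)
    tries=$(printf '%s\n' "$cfg" | sshd_option MaxAuthTries)

    if [ "${pw:-yes}" = yes ]; then
        echo "FINDING: PasswordAuthentication yes: every account can be guessed at; set no and use keys"
    fi
    if [ "${cr:-yes}" = yes ]; then
        echo "FINDING: ChallengeResponseAuthentication yes: keyboard-interactive still takes passwords via PAM; set no"
    fi
    if [ "${root:-prohibit-password}" = yes ]; then
        echo "FINDING: PermitRootLogin yes: the one username every scanner tries; set no"
    fi
    if [ -z "$users" ]; then
        echo "FINDING: no AllowUsers: any local account, service accounts included, may log in remotely"
    fi
    if [ "${tries:-6}" -gt 3 ]; then
        echo "FINDING: MaxAuthTries ${tries:-6}: more guesses per connection than needed"
    fi
    return 0
}

# count_findings CONFIG: number of FINDING lines, printed as a plain integer.
count_findings() {
    audit_sshd "$1" | awk '/^FINDING/ { n++ } END { print n + 0 }'
}

echo "== weak config =="
audit_sshd "$WEAK_CFG"          # prints 5 findings
echo "== hardened config =="
audit_sshd "$HARDENED_CFG"      # prints nothing
```

The first-match rule matters in practice: a stray `PasswordAuthentication yes` near the top of the file silently wins over a `no` added later, which is why the audit stops at the first hit instead of the last. On a real host, feed it `sshd -T` output rather than the raw file, since that shows the effective settings after defaults and Match blocks are applied.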
The concern is simply to minimize exposure. If you have one port open to the world that is the only port that can be used as a vector for attack. If you have two ports open then you've allowed another vector. The first rule of security is turn off unnecessary services to minimize exposure. As I noted before any protocol can be exploited (even vpn and ssh) with enough effort. Do a web search for "how to hack ssh" and you'll find many hits. Does this mean ssh is really insecure - no - does it mean you shouldn't open it without a valid need - YES!
If you have a requirement to regularly access the system from locations other than your home then you might want to ask your organization to give you a VPN enabled laptop rather than a desktop.
In my opinion, your IT department's policy is correct: the gateway to the outside should be VPN. And furthermore, access to that VPN portal should be by means of individually-issued digital certificates, uniquely issued to you by them and therefore uniquely revocable by them.
Within the VPN portal, access to other resources should be as they would be considered appropriate within the building's hard-wired and presumably isolated local network. e.g. If a particular resource is ssh-only accessible within the walls, it should remain so for those who, through VPN, have "come within the walls."
But ssh should not in my opinion be exposed directly to the outside world. Your IT department has a single, centrally managed and centrally manageable, "gateway to the outside world," and that is VPN. No other alternative should exist.
VPN with certificates will enable you, and only you, to obtain access from anywhere. Simply enter the encryption-key for the certificate they gave you, and more-or-less ignore the existence of the encryption layer.
Last edited by sundialsvcs; 12-06-2012 at 09:33 AM.
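What "individually-issued, uniquely revocable" certificates look like in practice, as an added example that is not part of sundialsvcs's post: a throwaway private CA built with the openssl CLI issues one client certificate per user; the VPN gateway trusts the CA certificate plus its CRL, so revoking alice leaves bob's access intact. The CA name, the users alice and bob, and the 365/30 day lifetimes are made up for the example; a real deployment keeps the CA key offline and publishes the CRL (or OCSP) to the gateway.

```shell
#!/bin/sh
# Added example, not code from the thread: per-user client certificates with
# revocation, using only the openssl CLI. Names, lifetimes and paths are
# placeholders chosen for the example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal "openssl ca" database and config (index, serial and CRL number).
mkdir -p ca/newcerts
: > ca/index.txt
echo 1000 > ca/serial
echo 1000 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
dir              = ./ca
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = ./ca.crt
private_key      = ./ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = client_cert
[ cn_only ]
commonName = supplied
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = dn
x509_extensions    = ca_cert
[ dn ]
[ ca_cert ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# 1. The CA, held by the IT department; only it can mint or revoke access.
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout ca.key -out ca.crt -subj "/CN=Example Corp VPN CA" 2>/dev/null

# issue_user NAME: the user's own key and CSR, signed into NAME.crt by the CA.
issue_user() {
    openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in "$1.csr" -out "$1.crt" 2>/dev/null
}

# refresh_crl: reissue the CRL the gateway consults (needed after a revocation).
refresh_crl() {
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# verify_user NAME: what the VPN gateway does at connect time: chain NAME.crt
# to the CA and check it against the CRL. Prints "accept" or "reject".
verify_user() {
    if openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
    then echo accept
    else echo reject
    fi
}

issue_user alice
issue_user bob
refresh_crl
echo "alice: $(verify_user alice)   bob: $(verify_user bob)"   # alice: accept   bob: accept

# 2. Alice's phone is lost: revoke her certificate only and republish the CRL.
openssl ca -config ca.cnf -revoke alice.crt 2>/dev/null
refresh_crl
echo "alice: $(verify_user alice)   bob: $(verify_user bob)"   # alice: reject   bob: accept
```

The point of the exercise is the last line: nobody else's credential changes when one is withdrawn, which is exactly what a shared password or a shared ssh key cannot give you. The gateway must actually fetch the fresh CRL (or ask OCSP); a stale CRL on the gateway keeps alice's certificate working until it expires.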
I agree that opening ssh connectivity to the external world is not safe. Thanks for the explanation. However, carrying the laptop is not always easy and the network is not always available... A few times I found myself thousands of miles away from my servers and was not able to connect and fix some small problems. I needed to instruct somebody over the phone how to log in and what to do, and unfortunately needed to expose sensitive application passwords as well, without the ability to change them until I came back to work...
Maybe the email communication solution that evgenyz wrote about is a good alternative (especially if they provide encrypted communication)?
Again, in 95% of the cases I can establish a VPN connection from the desktop, but I'm talking about the 5% of situations that can be critical...
Thanks anyway!
Ok, thanks, this makes sense... So I have to carry a VPN enabled laptop with me...
Yes. This is what I've done for years. That doesn't mean I carry it around all the time but if I'm going to be away from home at some distance or for some extended time I do have the laptop in the trunk of my car so I'm never more than a few minutes from it.
I'd really hate to have to try to troubleshoot server issues from a smart phone. Not saying it isn't possible but I do believe it would take more effort than I'd want to have to make in the middle of whatever issue caused me to access the server in the first place.
Last edited by MensaWater; 12-10-2012 at 09:34 AM.
Note that there are plenty of ways to get a VPN to an insecure machine. Cisco, F5 and many others have vm based solutions which can deliver an entire desktop in jvm form to you via a browser connection. It's just all about playing by the corporate rules.
Yes, but this is more a personal preference than a professional opinion. Personally, I would love to have the option to access the servers from a smart phone. Just as an "extra" option which is nice to have when it's available...
You may get it some day. I've heard buzz about BYOD (Bring Your Own Device) in recent months. Once companies realize they can save money by making you provide your own equipment they may be willing to setup the infrastructure that helps securely allow for it. (Or more frighteningly will simply do it without regard to security.)
Or rather - "companies read somewhere and then get it into their heads that they can save money". YMMV!