matc (n00b; Joined: 04 Aug 2005; Posts: 29)
Posted: Fri Dec 22, 2006 8:36 am
Post subject: remote login to only certain boxes behind firewall
I have a Gentoo Linux box and a Windows box at home, connected to my DSL line and to each other with a firewall/router (Netgear FR114P). My Internet IP Address is provided dynamically by my ISP. I can use SSH and Putty to log on to my Linux box from the Windows machine. I would like to be able to do this remotely from other Windows computers (e.g. at friends' and relatives' homes or in hotels). I would like to set this up in such a way that only my Linux box, but not the Windows one, is accessible from the outside. (I suppose this would be easier if only Linux boxes were involved, but that's not the reality for me!)
I've read man pages, searched the forums and Googled for help on this topic and have found a lot of info that will likely prove useful, but am not really seeing the big picture of how to do this. I figure that at the least this could involve changes to the setup of my SSH, firewall and possibly my DSL modem, and maybe some special configuration of Putty (or similar) on whatever remote Windows machine I'm using at the moment.
Can anybody please recommend a source or sources of instructions on how I can achieve my desired setup?
bin-doph (Guru; Joined: 23 May 2003; Posts: 302)
Posted: Fri Dec 22, 2006 8:53 am
The only thing to do is set up your Netgear thingy. It should forward all traffic via port 22 to your Linux box, that's basically it. You should also be aware of the fact that if you get IP addresses from your provider dynamically you won't know it if you're "at friends" or wherever. Therefore you should check dyndns.org or something like that (I know routers which also provide a functionality for this, maybe yours can do that too -> RTFM). Also you should consider that the internet is bad and if you're able to connect to your box from all over the world, everybody else can too. If you're using password authentication, drop that and create a private key + configure sshd to PasswordAuthentication no
hth
_________________
perl -e '$_=q;4a75737420616e6f74686572205065726c204861636b65720as;;for(s;s;s;s;s;s;s;s;s;s;s;s){s;(..)s?;qq qprint chr 0x$1 and \161 ssq;excess;}'
matc (n00b; Joined: 04 Aug 2005; Posts: 29)
Posted: Fri Dec 22, 2006 10:40 am
Thank you! That helps me get moving in the right direction.
I appreciate your cautions regarding security and will proceed very carefully.
NeddySeagoon (Administrator; Joined: 05 Jul 2003; Posts: 55136; Location: 56N 3W)
Posted: Fri Dec 22, 2006 10:47 am
matc,
Be sure to turn off root logins in /etc/ssh/sshd_config.
There are lots of user/password guessing bots on the big bad internet, so don't give them a valid user name.
If you need remote root access, add your user to the wheel group, so you can su to root.
Better, turn off password logins altogether and permit only key based authentication.
You will need to carry your half of the key pair with you to gain remote access.
_________________
Regards,
NeddySeagoon
Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
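As an added example (mine, not code from the thread), a small sh script that checks an sshd_config for the settings bin-doph and NeddySeagoon recommend, keeping in mind that sshd honours the first value it reads for a keyword. The two sample config files are constructed here, and `youruser` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings the
# replies recommend. sshd honours the FIRST value it reads for a keyword, so a
# "PasswordAuthentication no" placed below an earlier "yes" changes nothing.

# Print the effective value of KEYWORD in FILE (keywords are case-insensitive;
# comment and blank lines are skipped). Prints nothing if the keyword is unset.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# Report weak settings in FILE; return 0 only if root and password logins are off
# and public-key logins are on. Unset keywords fall back to the OpenSSH defaults
# of the time (root and password logins allowed), which is why a commented-out
# "#PermitRootLogin no" counts as weak.
audit_sshd_config() {
    bad=0
    root=$(sshd_effective "$1" PermitRootLogin)
    pw=$(sshd_effective "$1" PasswordAuthentication)
    pubkey=$(sshd_effective "$1" PubkeyAuthentication)
    [ "${root:-yes}" = no ]    || { echo "WEAK: PermitRootLogin ${root:-unset (default yes)}"; bad=1; }
    [ "${pw:-yes}" = no ]      || { echo "WEAK: PasswordAuthentication ${pw:-unset (default yes)}"; bad=1; }
    [ "${pubkey:-yes}" = yes ] || { echo "WEAK: PubkeyAuthentication $pubkey"; bad=1; }
    return $bad
}

# Constructed sample files: a typical default-ish config and a hardened one.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
Port 22
#PermitRootLogin no
PasswordAuthentication yes
# the line below is ignored by sshd: the first value above wins
PasswordAuthentication no
EOF
cat >"$HARDENED_CONF" <<'EOF'
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers youruser
EOF

audit_sshd_config "$WEAK_CONF"     || echo "sample weak config rejected"
audit_sshd_config "$HARDENED_CONF" && echo "sample hardened config passes"
```

On a live system `sshd -T` (OpenSSH 5.1 and later) prints the fully parsed effective configuration, which is the more reliable check; reload sshd after editing and keep the current session open until a fresh key-based login succeeds.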
matc (n00b; Joined: 04 Aug 2005; Posts: 29)
Posted: Fri Dec 22, 2006 11:06 am
NeddySeagoon wrote:
    Be sure to turn off root logins in /etc/ssh/sshd_config.
Thanks for mentioning that, though I had already done it.
Quote:
    There are lots of user/password guessing bots on the big bad internet, so don't give them a valid user name.
I'm not sure I understand. Do you mean I shouldn't have user accounts like "test" or "guest" with simple passwords? (I don't.) My intention is to only have one user, myself, allowed to log in, and I will make sure my password is long and complicated.
I'll likely wind up going the key-based authentication route anyway, and thanks to both of you for suggesting it.
bubbl07 (Apprentice; Joined: 06 Feb 2005; Posts: 237; Location: New York City)
Posted: Fri Dec 22, 2006 3:11 pm
matc wrote:
    NeddySeagoon wrote:
        There are lots of user/password guessing bots on the big bad internet, so don't give them a valid user name.
    I'm not sure I understand. Do you mean I shouldn't have user accounts like "test" or "guest" with simple passwords? (I don't.) My intention is to only have one user, myself, allowed to log in, and I will make sure my password is long and complicated.
I think he means that in order to log in, one needs a valid username and password. If you allow the superuser "root" to log in, then a bot already has one of the two pieces of information it would need -- at which point it can just start guessing random passwords for the root user instead of trying every user/password combination.
Akhouk (Guru; Joined: 23 May 2003; Posts: 476; Location: The Two Niles, Africa)
Posted: Sat Dec 23, 2006 12:03 pm
You can also use iptables to detect and block ssh brute force attacks.
_________________
AMD 64 3500+, 2Gb RAM DDR400, 2 x 180Gb SATA, 256Mb Nvidia
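An added example, not part of Akhouk's post, showing both halves of that idea: awk over a few constructed auth-log lines to count failed password attempts per source, plus a function that prints the usual iptables `recent`-module throttle for port 22. The function names `ssh_bruteforce_sources` and `ssh_throttle_rules` and the log lines are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find password-guessing sources in an sshd
# auth log, and print the iptables "recent"-module rules that throttle them.
# The log lines below are constructed for the demo (documentation addresses).

AUTH_LOG=$(mktemp)
cat >"$AUTH_LOG" <<'EOF'
Dec 23 11:58:01 gentoo sshd[4120]: Failed password for invalid user test from 203.0.113.7 port 51012 ssh2
Dec 23 11:58:03 gentoo sshd[4122]: Failed password for invalid user guest from 203.0.113.7 port 51019 ssh2
Dec 23 11:58:05 gentoo sshd[4125]: Failed password for root from 203.0.113.7 port 51023 ssh2
Dec 23 11:58:06 gentoo sshd[4127]: Failed password for root from 203.0.113.7 port 51030 ssh2
Dec 23 11:58:08 gentoo sshd[4130]: Failed password for root from 203.0.113.7 port 51034 ssh2
Dec 23 12:01:40 gentoo sshd[4201]: Failed password for matc from 198.51.100.20 port 40022 ssh2
Dec 23 12:01:52 gentoo sshd[4203]: Accepted publickey for matc from 198.51.100.20 port 40022 ssh2
EOF

# Print "count ip", most failures first, for every source with at least
# THRESHOLD failed password attempts. Usage: ssh_bruteforce_sources LOGFILE THRESHOLD
ssh_bruteforce_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' "$1" | sort -rn
}

# Print the two iptables rules that do the same job in the kernel: record every
# new connection to port 22 per source, then drop a source that has opened HITS
# or more in the last SECS seconds. Printed rather than applied so they can be
# reviewed first; apply them from a second session so a typo cannot lock you out.
ssh_throttle_rules() {
    hits=${1:-4} secs=${2:-60}
    cat <<EOF
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds $secs --hitcount $hits --name SSH -j DROP
EOF
}

echo "sources with 3+ failed logins:"
ssh_bruteforce_sources "$AUTH_LOG" 3
ssh_throttle_rules 4 60
```

The single failure from 198.51.100.20 (followed by a successful key login) stays below the threshold, which is the point of counting per source rather than blocking on every failed attempt.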