Brian Vagnoni on 30 Aug 2008 15:18:36 -0700



Re: [PLUG] Question about Remote Desktop through a NAT


*******
JP Vossen wrote:

Huh?  Are you suggesting that he open up administration of the
WAP/FW/Router to the Internet?!?  What the heck are you smoking?!?  Or
correct me if I misinterpreted...
********

Assuming he isn't going to be working on his father's computer
indefinitely 365/24/7. Assuming it is for a time-limited event of:
open remote admin SSL port, log in (user name & password),
make router changes, close admin port, connect to computer
via opened ports. Assuming that his father is a residential
cable customer with a dynamically changing IP address.
Considering he didn't mention security in his requirements.

No you haven't misinterpreted me. 

This isn't NASA, NSA, VISA, or even a POS system. Though not
astronomical, with a dynamic IP, the fact that this is a
residential computer (target benefit poor), the odds of
penetration by a script kiddie and the time and effort it
takes to exploit an up-to-date, endpoint-firewalled, Linux-based
system with its own set of login creds in the time-limited
event window I've outlined above is indeed very close
to astronomical.

This isn't an AP connected to the internet running 24/7 with WEP.

My experience tells me that this is an extremely low-risk event given
the target and the amount of time critical ports are open over an SSL
connection. If this were a business connection I would choose otherwise,
but it's an admittedly technically challenged (no offense, Casey, to your
father) senior American's laptop (not on all the time).

So I therefore wholly stand by my statement. 

--------------------------------------------------
Brian Vagnoni
PGP Digital Fingerprint
F076 6EEE 06E5 BEEF EBBD  BD36 F29E 850D FC32 3955
--------------------------------------------------


----- Original Message -----
From: [mailto:jp@jpsdomain.org]
To: plug@lists.phillylinux.org
Sent: Sat, 30 Aug 2008 17:14:47 -0400
Subject: Re: [PLUG] Question about Remote Desktop through a NAT


>  > Date: Sat, 30 Aug 2008 15:18:01 -0400
>  > From: "Brian Vagnoni" <bvagnoni@v-system.net>
>  > Subject: Re: [PLUG] Question about Remote Desktop through a NAT
> 
> <snip>
>  > However, if you Dad's wireless router is a Linksys that is from this
>  > decade it no doubt has a remote admin port that simply needs to be
>  > activated so that you can connect and configure his device for him.
> 
> Huh?  Are you suggesting that he open up administration of the
> WAP/FW/Router to the Internet?!?  What the heck are you smoking?!?  Or
> correct me if I misinterpreted...
> 
> 
> +1 for the reverse SSH idea, it's really easy, and it will work great.
> -1 for the OpenVPN idea, it's overkill and more complicated.
> -8 (That's infinity, not eight) for opening up the FW to Internet admin
> 
> 
> OP already said he has a static IP on his side, so this couldn't be easier.
> 
> Dad's side, one time only [[NOT TESTED, but correct or very close,
> remove leading tab for content]]:
>      vi ~/.ssh/config
> 	Host tshoot
> 	    HostName {OP static IP here, or hostname}
> 	    Port 2222
> 	    User {whatever}
> 	    Compression yes
> 	    ServerAliveInterval = 100
> 	    RemoteForward {OP static IP here, or hostname}:5900 localhost:5900
> 
> OP side, one time only:
> 	Port forward 2222 to appropriate internal machine 22 [1].
> 
> 
> To use, have Dad run 'ssh -c ~/.ssh/config tshoot' and type in the
> password.  Yes, other people mentioned using SSH certs and you certainly
> can use them, but a plain old password is easier to get running up front
> and will avoid accidentally making the connection.  And using SSH certs
> correctly (i.e. *with* a password and SSH Agent), is even more of a
> pain, relatively speaking [2].  Make the command an icon (launcher) if
> you like [3].  Once he's made the connection to you, and has the VNC
> server running on his side, you VNC to 'localhost' and that's it.
> 
> You may or may not need the '-c ~/.ssh/config' part.  When I was doing
> the opposite of this 2 weeks ago on Ubuntu 8.04 I needed it, but I never
> bothered to figure out why.  There's probably a trivial way to make it
> unnecessary.  Other distros may vary but OP mentioned Ubuntu.
> 
> Later,
> JP
> 
> [1] Some will argue that using 2222 is "security by obscurity" and thus
> a bad idea.  It isn't.  It's simply an extra layer to keep a lot of the
> script kiddies away.  The actual security is provided by SSH itself.
> Also, 2222 is just an example, use whatever.
> 
> [2] _bash Cookbook_ recipe 14.21 (pages 308-316, which gives you an idea
> of the "ease" of use issues) and/or Google for the 'keychain' script
> originally in Gentoo, and/or Google for 'SSH Agent'.
> 
> [3] Launcher:
> 	gnome-terminal -x /usr/bin/ssh -c ~/.ssh/config tshoot
> This will NOT do what you expect/want:
> 	/usr/bin/ssh -c ~/.ssh/config tshoot
> ----------------------------|:::======|-------------------------------
> JP Vossen, CISSP            |:::======|        jp{at}jpsdomain{dot}org
> My Account, My Opinions     |=========|      http://www.jpsdomain.org/
> ----------------------------|=========|-------------------------------
> "Microsoft Tax" = the additional hardware & yearly fees for the add-on
> software required to protect Windows from its own poorly designed and
> implemented self, while the overhead incidentally flattens Moore's Law.
> ___________________________________________________________________________
> Philadelphia Linux Users Group         --        http://www.phillylinux.org
> Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
> General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
> 
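Added example, not code from the thread or from JP: a small Python linter for a reverse-tunnel ssh_config stanza like the one JP posted, run over a constructed sample in which the placeholders are filled with the documentation address 203.0.113.10 (hypothetical, not the OP's IP). It flags the two things a defender would check before handing Dad a launcher: a RemoteForward bind address that is not loopback (sshd only honours one with GatewayPorts yes, and then the VNC port is reachable by anyone who can reach that address) and a missing ExitOnForwardFailure, without which a failed forward leaves an SSH session open that looks like a working tunnel.

```python
import re
from typing import Dict, List
# Constructed sample (not the OP's real address): JP's stanza with its
# placeholders filled in using the documentation address 203.0.113.10.
SAMPLE_CONFIG = """\
Host tshoot
    HostName 203.0.113.10
    Port 2222
    User dad
    Compression yes
    ServerAliveInterval = 100
    RemoteForward 203.0.113.10:5900 localhost:5900
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# ssh_config accepts both "Keyword value" and "Keyword = value"
LINE_RE = re.compile(r"^(\S+?)\s*(?:=\s*|\s+)(.+)$")

def parse_ssh_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {host_pattern: {keyword_lower: value}}, comments stripped."""
    hosts: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            current = hosts.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return hosts

def lint_config(text: str, host: str = "tshoot") -> List[str]:
    """Flag settings that expose the tunnelled VNC port or hide a dead tunnel."""
    stanza = parse_ssh_config(text).get(host)
    if stanza is None:
        return [f"no 'Host {host}' stanza found"]
    findings: List[str] = []
    unfilled = sorted(k for k, v in stanza.items() if "{" in v or "}" in v)
    if unfilled:
        findings.append("placeholders not filled in: " + ", ".join(unfilled))
    rf = stanza.get("remoteforward", "").split()
    if len(rf) != 2 or ":" not in rf[1]:
        findings.append("RemoteForward must read '[bind_address:]port host:hostport'")
    elif ":" in rf[0] and rf[0].rsplit(":", 1)[0].strip("[]") not in LOOPBACK:
        # honoured only with GatewayPorts yes on the OP's sshd, and then exposed to all
        findings.append(f"RemoteForward binds {rf[0]!r}: bind to loopback instead")
    if stanza.get("exitonforwardfailure", "no").lower() != "yes":
        findings.append("add 'ExitOnForwardFailure yes' so a failed forward exits ssh")
    return findings
```

Run `lint_config(SAMPLE_CONFIG)` to see the two findings for JP's stanza; the clean form is `RemoteForward 5900 localhost:5900` plus `ExitOnForwardFailure yes`.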