On 16/02/18 14:42, Mark Williams wrote:
> All good advice but I'd go one step further. Create a simple VPN back to
> your home network using another machine. That way all browsing, file
> transfers, etc., can be conducted securely without needing to tunnel over
> SSH. You have full access control, can set up and revoke if necessary a
> user account for each device, and you have the option to use your home
> internet connection on the road too. When connected remotely, your
> device will behave as though it's at home. Something like
> http://www.pivpn.io/ is a straightforward introduction to certificate
> based VPNs and while that's intended for a RPi, it can be run on any
> Linux box.
>
> If you're particularly paranoid, you can also set up port knocking. That
> means you effectively visit a port of your choice which logs your IP
> address, adds it to a firewall rule for a temporary period, then you can
> access the remote services (the VPN in this case) over a different port.
> Unless you've knocked on the chosen port first, attempted connections to
> the VPN are rejected, providing another layer of security and obfuscation.
>
>
> On 16/02/2018 14:26, leloft wrote:
>> On Fri, 16 Feb 2018 13:17:03 +0000
>> Roland Tarver via list <list@xxxxxxxxxxxxx> wrote:
>>
>>> So, erm, in terms of accessing data on your home (linux) network, when
>>> *not* at home...
>>>
>>> ... what would be the best, safest and most secure way of doing so
>>> please?
>>>
>>> or, is this simply a bad idea? to be avoided.
>>>
>>> thanks
>>> roly.
>>
>> Hi roly,
>> Firstly, read up on iptables, pam, ssh keys and scp.
>>
>> At a minimum, I would say
>>
>> On router:
>> 1) close all ports on your router to outside traffic except the one you
>> will need for ssh (by default 22, but we're going to change that in a
>> minute) and block pinging
>>
>> As root user, on all home computers that you will want to access:
>> 2) change your /etc/ssh/sshd_config to use [new port number] and set
>> PermitRootLogin=no
>>
>> 3) configure /etc/security/access.conf to allow only authorized users
>> to login remotely and set /etc/pam.d/login to enforce this
>>
>> 4) set /etc/securetty to contain the word 'console' only
>>
>> 5) reboot each computer and try to ssh -vvvp [new port number]
>> user@IPaddress from the travelling computer. If the firewall and pam
>> are working correctly, you should not be able to and your three v's
>> should tell you why. If you can, you will need to do some more reading
>> up about firewalls and check your pam settings.
>>
>> 6) configure your firewall to allow NEW incoming tcp traffic on your
>> [new port number] only, and only ESTABLISHED, RELATED incoming traffic
>> otherwise.
>>
>> 7) When it's all working satisfactorily, change your root password to
>> something impossibly long and complicated, and your user password to
>> something marginally less so. Then install ssh keys.
>>
>> 8) You can access your home files via ssh and copy them via scp.
>>
>> The above files are for debian-based distros, and I know that redhat
>> based distros have some of them tucked away inside other folders. But
>> this should keep you out of mischief for a few days. And make sure that
>> you get it all working before you lock yourself out of your own
>> machines. Get it right on your least important one first and apply what
>> you've learned to the next-least. Remember that humans are flawed
>> machines at best and it's not a bad idea to write down what you've
>> done. This applies particularly to impossibly long and complicated
>> passwords...
>>
>> I have written this in a hurry, and haven't had a chance to check
>> details, but the principles are sound. No doubt, our senior members
>> will run their eyes over it, so I'd wait until they've had their say.
>>
>> Regards
>>
>> fraser
>>
>

Sounds like a topic we could really look into at a future tech jam or perhaps Pi jam in Exeter, given I think a lot of people could be closer to Exeter. The Exeter jam is being extended so that the first 2 hours, 10 - 12, are for families, then after that there is a chance for anyone else (minus any children) to hack, ask questions or do more in-depth topics. If anyone is interested I would liaise with Ian so it can be arranged, and promoted to suit. Either that or we set up a more dedicated meeting for this sort of thing.

On the topic of passwords, you can perhaps use apg -m 30 which will generate a 30 character password such as

apg -m 30
poclosGicOfVeabZetOrtouHowpat7
DiolRekwigviepWefyetJeHiShmod7
FenFonrarkyalHuQuiwedUfIbpyids
ImhicsAgetCavMovMeksevIrboykvi
frenKutmowvinvuxjochitevAsUkph
oddoaldIthubCuWircEemenWidLeun

Paul

-- 
http://www.zleap.net
diaspora : zleap@xxxxxxxxxxxxxxxx
Torbay Tech Jam http://torbaytechjam.org.uk
Next Tech jam 2nd Saturday of the month

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
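An added example, not code posted by anyone in the thread: the script below renders fraser's steps 2, 3, 4 and 6 plus Mark's port knock into files under a staging directory, so they can be read and compared against a working machine before being copied into place as root (which is also how you avoid locking yourself out, as fraser warns). The SSH port 2222, knock port 40000, 30-second knock window, user name "roly" and staging path are my assumptions; the knock is implemented with the iptables `recent` match, which the thread does not name, the ping block is done on the host rather than the router, and `PasswordAuthentication no` is an extra that only belongs after the keys from step 7 are installed and tested.

```shell
#!/bin/sh
# Added example (not from the thread). Renders the hardening described on the
# list into files under $STAGE instead of touching the live system.
# Assumptions: SSH on 2222, knock port 40000, 30 s knock window, login user roly.

SSH_PORT="${SSH_PORT:-2222}"
KNOCK_PORT="${KNOCK_PORT:-40000}"
KNOCK_SECONDS="${KNOCK_SECONDS:-30}"
ALLOWED_USER="${ALLOWED_USER:-roly}"
STAGE="${STAGE:-$(mktemp -d)}"

# Step 2: sshd settings. Debian's OpenSSH reads /etc/ssh/sshd_config.d/*.conf;
# on older systems the same lines go into /etc/ssh/sshd_config itself.
# PasswordAuthentication no is my addition: set it only once step 7's keys work.
render_sshd_conf() {
    cat <<EOF
Port $SSH_PORT
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers $ALLOWED_USER
EOF
}

# Step 3: /etc/security/access.conf for pam_access. The named user may log in
# from anywhere, everyone else only locally, and the last rule denies the rest.
render_access_conf() {
    cat <<EOF
+ : $ALLOWED_USER : ALL
+ : ALL : LOCAL
- : ALL : ALL
EOF
}

# Steps 1 and 6 plus Mark's port knock, in iptables-restore format.
# Policy DROP, loopback and ESTABLISHED,RELATED allowed, and NEW connections
# to the SSH port only from an address that knocked within the window.
render_iptables_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Knock: a SYN to the knock port records the source address, then is dropped.
-A INPUT -p tcp --dport $KNOCK_PORT -m conntrack --ctstate NEW -m recent --name KNOCK --set -j DROP
# Only a source seen on the knock port in the last $KNOCK_SECONDS s may open SSH.
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name KNOCK --rcheck --seconds $KNOCK_SECONDS -j ACCEPT
# Step 1's "block pinging", done on the host here (policy DROP covers it too).
-A INPUT -p icmp --icmp-type echo-request -j DROP
COMMIT
EOF
}

# Write everything under $STAGE for review. Step 4 is the one-word securetty.
stage_all() {
    mkdir -p "$STAGE/sshd_config.d"
    render_sshd_conf      > "$STAGE/sshd_config.d/hardening.conf"
    render_access_conf    > "$STAGE/access.conf"
    printf 'console\n'    > "$STAGE/securetty"
    render_iptables_rules > "$STAGE/iptables.rules"
    printf 'staged under %s\n' "$STAGE"
}

case "${1:-}" in
    stage) stage_all ;;
esac
```

After `sh harden.sh stage`, copy the files into place on the least important machine first, then check them before a reboot: `sshd -t` validates the sshd configuration, and `iptables-restore --test < iptables.rules` parses the rule file without loading it. The step-5 check from the road becomes a plain connection attempt to the knock port (for example `nc -z -w1 home 40000`) followed by `ssh -vvv -p 2222 roly@home`; without the knock, the `-vvv` output should show the connection never completing.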