All times are UTC - 6 hours





PostPosted: Fri Jun 25, 2004 1:35 pm 
Joined: Thu Jun 24, 2004 11:40 am
Posts: 6
Location: San Jose, California
This might be useful for newbies or Debian 'switchers'...

I had to switch from my custom built Suse system to KnoppMyth because it wasn't stable (proprietary Promise SX4 raid controller drivers don't like Suse kernels...). So far so good, except that I couldn't ssh or scp anymore from my workplace! It was working with my old system, i.e. my router/firewall is correctly set up. Furthermore I can ssh into it from my internal network.

Solution: add the following line to /etc/hosts.allow

sshd: ALL

While editing config files you should also change /etc/ssh/sshd_config and set

PermitRootLogin no

It's bad practice to allow root ssh access on a server accessible from the internet...


PostPosted: Fri Jun 25, 2004 6:58 pm 
Joined: Thu Mar 25, 2004 11:00 am
Posts: 9551
Location: Arlington, MA
HOLY MOTHER OF VINEGAR!!!

Having just called a recommendation to get a firewall appliance "the best advice of the day", this may well be the WORST advice of the day. Most intranets these days use an internal private address space behind a NAT. This means that the outside world sees a single IP address. Check your logs or run "last" and find the one for your office. Allow THAT and your home private network address rather than ALL. Disallowing remote root logins is only a sheet of tissue paper on a box as loose as a default KnoppMyth install.
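The two posts above disagree about what "sshd: ALL" in /etc/hosts.allow does. As an added worked example (not code from the thread, from KnoppMyth, or from tcp_wrappers itself), here is a cut-down model of how libwrap evaluates /etc/hosts.allow and /etc/hosts.deny: the first matching line in hosts.allow grants access, otherwise the first matching line in hosts.deny refuses it, and a client matched by neither file is let in. The configuration fragments and the office address 203.0.113.7 are constructed for the example; the home LAN 10.1.1.0/24 is assumed. Hostnames, EXCEPT lists and shell commands from the real syntax are left out.

```python
"""Simplified TCP Wrappers (hosts.allow / hosts.deny) decision logic.

Added example for the thread above, not code from KnoppMyth or from
tcp_wrappers itself.  It models the libwrap lookup order so that the
effect of "sshd: ALL" versus an address-restricted rule can be checked
offline.  Supported client patterns: ALL, an exact IPv4 address, a
trailing-dot prefix ("10.1.1."), and net/mask ("10.1.1.0/255.255.255.0").
Hostnames, EXCEPT lists and shell commands are left out on purpose.
"""
import ipaddress

# Constructed configuration fragments (assumptions, not the poster's actual files).
HOSTS_ALLOW_LOOSE = "sshd: ALL\n"                                   # the line from the first post
HOSTS_ALLOW_TIGHT = "sshd: 203.0.113.7, 10.1.1.0/255.255.255.0\n"   # office NAT address + home LAN
HOSTS_DENY_ALL = "ALL: ALL\n"                                       # default-deny for wrapped daemons


def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern, addr):
    """Does one client pattern match a dotted-quad client address?"""
    if pattern == "ALL":
        return True
    ip = ipaddress.IPv4Address(addr)
    if "/" in pattern:                              # net/mask form
        net, mask = pattern.split("/", 1)
        return ip in ipaddress.IPv4Network(f"{net}/{mask}", strict=False)
    if pattern.endswith("."):                       # "10.1.1." matches 10.1.1.x only
        return addr.startswith(pattern)
    return ip == ipaddress.IPv4Address(pattern)


def rule_matches(rule, daemon, addr):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, addr) for c in clients))


def access_allowed(daemon, addr, hosts_allow, hosts_deny):
    """libwrap order: first hosts.allow match wins, then first hosts.deny
    match refuses, and a client matched by neither file is ALLOWED."""
    if any(rule_matches(r, daemon, addr) for r in parse_rules(hosts_allow)):
        return True
    if any(rule_matches(r, daemon, addr) for r in parse_rules(hosts_deny)):
        return False
    return True


if __name__ == "__main__":
    for client in ("203.0.113.7", "10.1.1.42", "198.51.100.9"):
        print(client,
              "loose:", access_allowed("sshd", client, HOSTS_ALLOW_LOOSE, HOSTS_DENY_ALL),
              "tight:", access_allowed("sshd", client, HOSTS_ALLOW_TIGHT, HOSTS_DENY_ALL))
```

Two things the model makes visible: "sshd: ALL" in hosts.allow overrides any hosts.deny entry for sshd, so after that change the wrapper no longer filters anyone; and a tight hosts.allow only helps if hosts.deny actually denies the rest, since an address in neither file is admitted. Note also that tcp_wrappers only applies to an sshd built with libwrap; upstream OpenSSH dropped that support in 6.7, so on a newer box the same restriction belongs in sshd_config (AllowUsers user@host or a Match Address block) or in the firewall.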


PostPosted: Sat Jun 26, 2004 1:34 am 
Joined: Thu Jun 24, 2004 11:40 am
Posts: 6
Location: San Jose, California
Looks like a misunderstanding, my Myth box doesn't have a public IP!
I do (and everyone else should) have a separate firewall in between...

True, from a security point of view one should limit everything as much as possible. But the whole reason I have a ssh daemon is to access my box from wherever I am, and most of the time I'm either travelling or on the road...

Speaking of security: don't forget to set the MySQL root password...


PostPosted: Sat Jun 26, 2004 5:25 am 
Joined: Tue Nov 04, 2003 8:29 pm
Posts: 45
Location: London, UK
I already do this but in a slightly different way.

I have ssh access to my firewall device (Smoothwall firewall & router), but NO routes from the outside world to my Myth box except one port mapped to port 80 on myth for mythweb access. (passworded of course).

I use "SecureCRT" to ssh in, and have profiles set up on the client to forward certain ports as required. (e.g. radmin to my win server). This way you don't need any forwarding set up on the firewall.

Once I'm logged into the firewall, I can ssh to myth as required. Very unhackable, but easy to access.

Pete
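The same arrangement with the stock OpenSSH client, as an added example that is not part of Pete's post: one ~/.ssh/config entry for the firewall that carries the port forward, and one for the Myth box that is reached through it, so nothing but the firewall's own sshd is exposed. The host names, user names and the radmin port are assumptions.

```sshconfig
# Added example: OpenSSH client equivalent of the SecureCRT profiles above.
# Host names, users and ports are assumptions, not from the thread.
Host fw
    HostName firewall.example.net        # public side of the Smoothwall box
    User pete
    # forward a local port to radmin on the Windows server behind the firewall
    LocalForward 4899 winserver.lan:4899

Host myth
    HostName myth.lan                    # private address, reachable only from fw
    User mythtv
    ProxyJump fw                         # OpenSSH 7.3+; older clients: ProxyCommand ssh -W %h:%p fw
```

With this in place "ssh myth" opens a session to the firewall and tunnels the second ssh through it, and "ssh fw" alone brings up the radmin forward on localhost:4899. The firewall needs no port mappings for either, which is the point of the post: the only listener on the outside is the firewall's sshd.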


PostPosted: Sun Jul 04, 2004 9:31 pm 
Joined: Sat Feb 14, 2004 2:32 pm
Posts: 94
Debian makes for a great firewall. Nothing wrong with using your MythTV box as your firewall, IMHO

modprobe ipchains                                                         # load the ipchains firewall module
ipchains -A forward -s 10.1.1.0/255.255.255.0 -d 0.0.0.0/0.0.0.0 -j MASQ  # masquerade (NAT) traffic from the 10.1.1.0/24 LAN to anywhere
echo 1 > /proc/sys/net/ipv4/ip_forward                                    # turn on IP forwarding between interfaces

Set your default gateway to the myth box and bang, the box is now dual purpose.

... Just when you thought KnoppMyth couldn't get any better!



PostPosted: Mon Jul 05, 2004 5:59 am 
Joined: Tue Jun 15, 2004 2:16 am
Posts: 51
Location: Germany
If you want to have access to your box from outside, but don't want to open it to others, have a look at port knocking.
http://www.portknocking.org/
This allows you to have *no* port open, but lets the box open one for you on demand when you need it. This opening process is password locked.

PS: I just read an article about it, but have not tried it yet.
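To make the "no port open until you knock" idea concrete, here is an added example that is not code from the thread or from portknocking.org: a small knock detector replayed over constructed iptables LOG lines. Connection attempts to closed ports are logged by the firewall; the detector tracks, per source address, whether the secret port sequence arrives in order and within a time window, and records that port 22 should be opened for that source for a short while. The sequence 7000, 8000, 9000, the window and the sample addresses are assumptions; the firewall action itself is only shown in a comment.

```python
"""Port-knock sequence detector replayed over firewall log lines.

Added example for the port-knocking post above; it is not code from the
thread or from portknocking.org.  A real knock daemon would watch the
kernel log (or sniff the interface) and insert a firewall rule when a
source completes the sequence; here the firewall action is only
recorded so the logic can be run and checked offline.
"""
import re
from datetime import datetime

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence (not from the thread)
WINDOW_SECONDS = 10                   # whole sequence must arrive within this many seconds
OPEN_SECONDS = 30                     # how long port 22 stays open for a successful knocker
PROTECTED_PORT = 22

# Constructed iptables LOG lines, in the shape a '-j LOG --log-prefix "KNOCK "' rule writes.
# 203.0.113.7 knocks correctly, 198.51.100.9 gets the order wrong, 192.0.2.77 is too slow.
LOG_LINES = """\
Jul  5 05:59:01 myth kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=7000
Jul  5 05:59:02 myth kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8000
Jul  5 05:59:03 myth kernel: KNOCK IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=9000
Jul  5 05:59:05 myth kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=7000
Jul  5 05:59:06 myth kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=9000
Jul  5 05:59:07 myth kernel: KNOCK IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=8000
Jul  5 05:59:10 myth kernel: KNOCK IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=7000
Jul  5 05:59:11 myth kernel: KNOCK IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=8000
Jul  5 05:59:40 myth kernel: KNOCK IN=eth0 SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP DPT=9000
"""

_EPOCH = datetime(1900, 1, 1)        # year-less syslog stamps parse into 1900; only differences matter
_EVENT = re.compile(r"SRC=(\S+).*?DPT=(\d+)")


def log_time(stamp):
    """'Jul  5 05:59:01' -> seconds relative to _EPOCH."""
    return (datetime.strptime(stamp, "%b %d %H:%M:%S") - _EPOCH).total_seconds()


def parse_event(line):
    """One LOG line -> (timestamp, source IP, destination port), or None if not a knock record."""
    m = _EVENT.search(line)
    if m is None:
        return None
    return log_time(line[:15]), m.group(1), int(m.group(2))


class KnockDaemon:
    def __init__(self, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS, open_for=OPEN_SECONDS):
        self.sequence = tuple(sequence)
        self.window = window
        self.open_for = open_for
        self.progress = {}   # src -> (index of next expected knock, time of first knock)
        self.opened = {}     # src -> time until which PROTECTED_PORT is open for it

    def observe(self, ts, src, dport):
        """Feed one dropped-packet event from the log."""
        if dport == PROTECTED_PORT:          # attempts on port 22 itself are not knocks
            return
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.window:
            idx, started = 0, ts             # too slow: forget the partial sequence
        if dport != self.sequence[idx]:
            idx, started = 0, ts             # wrong port: start over (it may still be knock #1)
        if dport == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        if idx == len(self.sequence):
            # A real daemon would now run something like
            #   iptables -I INPUT -s <src> -p tcp --dport 22 -j ACCEPT
            # and delete that rule again after open_for seconds.
            self.opened[src] = ts + self.open_for
            self.progress.pop(src, None)
        else:
            self.progress[src] = (idx, started)

    def is_open(self, src, ts):
        """Is PROTECTED_PORT open for src at time ts?"""
        expiry = self.opened.get(src)
        return expiry is not None and ts <= expiry


def replay(log_text):
    """Run every knock record in log_text through a fresh daemon and return it."""
    daemon = KnockDaemon()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is not None:
            daemon.observe(*event)
    return daemon


if __name__ == "__main__":
    d = replay(LOG_LINES)
    for src in d.opened:
        print(f"{src}: port {PROTECTED_PORT} opened for {d.open_for}s")
```

Of the three constructed sources only 203.0.113.7 ends up with port 22 open, and only until 05:59:33. Two caveats a practitioner should keep in mind: a fixed sequence is the whole secret, so anyone who can watch the path can replay it, which makes knocking a way to hide sshd from scanners rather than a replacement for key-based authentication; and the window and reset-on-wrong-port rules matter, since without them a port scan that happens to hit the knock ports in order would open the door.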


