Mailing List Archive

Conserver remote access
I have been running conserver on my LAN for a few months now, and so
far it has been very successful. However, I'd like to open up access
to the box running conserver for purposes of remote administration
over the Internet. Obviously, I am worried about the potential
security implications of this, and so I am looking to do it in the
safest way possible. What would you all recommend? I am thinking of
either opening up SSH to the box, or opening up the conserver port and
then using 'console' to connect remotely, since conserver does include
SSL support to secure the connection.

-Kurt Raschke
Re: Conserver remote access
SSL would probably be the best since conserver uses certificates to
authenticate.

SSH would be good too. I would pick an unusual username and very cryptic
password.


On Sat, 2004-04-24 at 13:23, Kurt Raschke wrote:
> I have been running conserver on my LAN for a few months now, and so
> far it has been very successful. However, I'd like to open up access
> to the box running conserver for purposes of remote administration
> over the Internet. Obviously, I am worried about the potential
> security implications of this, and so I am looking to do it in the
> safest way possible. What would you all recommend? I am thinking of
> either opening up SSH to the box, or opening up the conserver port and
> then using 'console' to connect remotely, since conserver does include
> SSL support to secure the connection.
>
> -Kurt Raschke
Re: Conserver remote access
I'll add one more idea to this thread.

If you want to remotely manage the server that is running conserver
then enable it for serial console and wrap a null modem cable into
its port. Or you could use one of the command executions like "telnet
127.0.0.1". Just remember to use iptables to block the telnet port from
the outside.

This way you can use pure SSL in conserver and still be able to access
the console server.


On Sat, 2004-04-24 at 13:39, Christopher Fowler wrote:
> SSL would probably be the best since conserver uses certificates to
> authenticate.
>
> SSH would be good too. I would pick an unusual username and very cryptic
> password.
>
>
> On Sat, 2004-04-24 at 13:23, Kurt Raschke wrote:
> > I have been running conserver on my LAN for a few months now, and so
> > far it has been very successful. However, I'd like to open up access
> > to the box running conserver for purposes of remote administration
> > over the Internet. Obviously, I am worried about the potential
> > security implications of this, and so I am looking to do it in the
> > safest way possible. What would you all recommend? I am thinking of
> > either opening up SSH to the box, or opening up the conserver port and
> > then using 'console' to connect remotely, since conserver does include
> > SSL support to secure the connection.
> >
> > -Kurt Raschke
Re: Conserver remote access
Hi,

On Sat, 24 Apr 2004, Kurt Raschke wrote:

> I have been running conserver on my LAN for a few months now, and so
> far it has been very successful. However, I'd like to open up access
> to the box running conserver for purposes of remote administration
> over the Internet. Obviously, I am worried about the potential
> security implications of this, and so I am looking to do it in the
> safest way possible. What would you all recommend? I am thinking of
> either opening up SSH to the box, or opening up the conserver port and
> then using 'console' to connect remotely, since conserver does include
> SSL support to secure the connection.
>

What we've been doing is a mixture of various things. When building
conserver we use "--with-libwrap --with-openssl --with-pam". We also force
the default action in conserver to be deny, not accept non-ssl connections
and have ALL : ALL in hosts.deny. We then open up the conserver port in
the firewall for only a select number of subnets, and then either add
individual machines from subnets to /etc/hosts.allow and conserver.cf or
for subnets we trust, the entire subnet. We do not have any trusted client
hosts in our config, so everyone must enter a password when connecting.
Some users have the console application installed on their box, others ssh
into the servers themselves and console from there, or login directly and
use the screen/keyboard when at the physical box and then simply open an
xterm and use console from there.

Seems complicated (and it can be: adding a user or a new host on a new
subnet requires editing 3-4 config files and several restarts of services)
but I think it's probably the most useful while trying to remain the most
secure.

If anyone thinks this is a retarded way of doing things, please LMK. It
seems like a good idea, but I am still fairly new to conserver :)

-n
--
-------------------------------------------
nathan hruby <nhruby@uga.edu>
uga enterprise information technology services
production systems support
metaphysically wrinkle-free
-------------------------------------------
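
An added example, not part of the thread: a small audit that checks a hosts.deny and a conserver.cf against the layered policy described in the message above (catch-all deny, default access rejected, SSL required, no trusted hosts). The sample file contents and addresses are constructed; the audit's insistence that `defaultaccess` and `sslrequired` be stated explicitly is an assumption of this example.

```python
import re

# Constructed sample files (documentation address ranges), not from the thread.
HOSTS_DENY = "# deny everything not listed in hosts.allow\nALL : ALL\n"
STRICT_CF = """
config * { defaultaccess rejected; sslrequired yes; }
access * { allowed 192.0.2.0/24 198.51.100.7; }
"""
LOOSE_CF = """
config * { sslrequired no; }          # plaintext clients accepted
access * { allowed 192.0.2.0/24; trusted 198.51.100.7; }
"""

def has_deny_all(hosts_deny):
    """True if hosts.deny carries a catch-all 'ALL : ALL' rule."""
    for line in hosts_deny.splitlines():
        fields = [f.strip().upper() for f in line.split("#")[0].split(":")]
        if fields[:2] == ["ALL", "ALL"]:
            return True
    return False

def parse_cf(text):
    """Return [(block_type, name, {keyword: [values]})] for a conserver.cf."""
    blocks = []
    text = re.sub(r"#.*", "", text)  # drop comments
    for kind, name, body in re.findall(r"(\w+)\s+(\S+)\s*\{([^}]*)\}", text):
        settings = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                settings.setdefault(words[0], []).extend(words[1:])
        blocks.append((kind, name, settings))
    return blocks

def audit(hosts_deny, conserver_cf):
    """List the ways the files fall short of the policy in the post."""
    findings = []
    if not has_deny_all(hosts_deny):
        findings.append("hosts.deny: no ALL : ALL catch-all")
    blocks = parse_cf(conserver_cf)
    cfg = {}
    for kind, _, settings in blocks:
        if kind == "config":
            cfg.update(settings)
    # This audit wants both settings stated explicitly rather than left to defaults.
    if cfg.get("defaultaccess") != ["rejected"]:
        findings.append("conserver.cf: defaultaccess is not 'rejected'")
    if (cfg.get("sslrequired") or [""])[0] not in ("yes", "true", "on"):
        findings.append("conserver.cf: sslrequired is not enabled")
    for kind, _, settings in blocks:
        for host in settings.get("trusted", []) if kind == "access" else []:
            findings.append(f"conserver.cf: {host} is trusted (no password)")
    return findings
```

Running `audit()` after each of the multi-file edits the post mentions catches a forgotten deny rule or a stray `trusted` entry before the services are restarted.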