On Mon, 2009-03-23 at 16:26 +0000, Anne Wilson wrote:
> On Monday 23 March 2009 15:29:53 JohnS wrote:
> > On Mon, 2009-03-23 at 14:31 +0000, Anne Wilson wrote:
> > > On Tuesday 23 December 2008 15:38:17 Warren Young wrote:
> > > > Michael Simpson wrote:
> > > > >> GRC reports that ports are stealthed
> > > > >
> > > > > Try www.auditmypc.com or nmap-online.com rather than grc to look for
> > > > > open ports
> > > >
> > > > What advantages do they have, in your opinion?
> > > >
> > > > >> there a better way than opening port 143?
> > > > >
> > > > > ssh tunnelling?
> > > >
> > > > I agree, though the default CentOS sshd configuration requires some
> > > > tightening down to trust it on Internet-facing servers, IMHO:
> > > >
> > > > 1. In /etc/ssh/sshd_config, set "PasswordAuthentication no". No matter
> > > > how good your password, it isn't as good as using keys. Remember,
> > > > forwarding ssh opens it to pounding 24x7 from any of the millions of
> > > > zombie boxes on the Internet.
> > > >
> > > > 2. On the machine(s) that you want to allow logins from, run
> > > > "ssh-keygen -t rsa" to generate a key pair, if you haven't already.
> > > > Then copy the contents of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys
> > > > on your home server. These keys are used to authenticate the remote
> > > > system, in lieu of a password or physical token. You could put these
> > > > keys on a USB stick instead, if you didn't want to keep them
> > > > permanently on the remote hosts.
> > > >
> > > > 3. Disable SSHv1 protocol support in /etc/ssh/sshd_config: "Protocol
> > > > 2", not "Protocol 2,1". SSHv1 has known weaknesses. Boggles my mind
> > > > that it's still enabled by default....
> > > >
> > > > 4. Same file, set "PermitRootLogin no" if it isn't already.
> > > >
> > > > (Aside: I also like to set up sudo with one account allowed to do
> > > > anything, then lock the root account, so the only way to get root
> > > > access is to log in as a regular user then sudo up, reducing the risk
> > > > of passwordless keys.)
> > > >
> > > > Having done all this, you're ready to allow remote access:
> > > >
> > > > 5. In your router, forward a high-numbered port to 22 on the server.
> > > > If it's not smart enough to use different port numbers on either side,
> > > > you can change the sshd configuration so it listens on a different port
> > > > instead. I like to use 22022 for this.
> > > >
> > > > This is *not* security through obscurity. It's simply a way to reduce
> > > > the amount of log spam you have to dig through when monitoring your
> > > > system's behavior. Everything that appears in your logs should be
> > > > *interesting*. Constant port knocking from worms and script kiddies is
> > > > not interesting.
> > > >
> > > > In case you've not done ssh tunnelling, Anne, the command that does what
> > > > you want, having done all the above, is:
> > > >
> > > > $ ssh -p22022 -L10143:my.server.com:143 anne@xxxxxxxxxxxxx
> > > >
> > > > This sets up port 10143 on the local system to be redirected through
> > > > the ssh session to the IMAP port on your home server. You don't want
> > > > to redirect 143 to 143 because that would require you to run ssh as
> > > > root. It also prevents you from using this on a system that itself has
> > > > an IMAP server.
> > > >
> > > > With the tunnel up, you can set up your mail client to connect to port
> > > > 10143 on localhost, and you'll be looking at your remote mail server.
> > >
> > > Hello again. You were kind enough to give me this advice last December.
> > > I've another holiday approaching and thought it was time that I got this
> > > sorted. Unfortunately, I'm not sure that I can do this, so I'm asking
> > > your opinion.
> > >
> > > My router is a Netgear DG834G. I can create a service, tell it which
> > > ports to open, and say which local IP I want it sent to. However, I
> > > can't see any way to set the port to which it should be forwarded as
> > > anything other than the incoming port. IOW, I can enable the new service
> > > Ext-ssh, which accepts incoming traffic on port 22022, and direct it to
> > > my server on 192.168.0.40, but I can't see how to make it send that
> > > traffic to port 22 on the server.
> > >
> > > Am I totally misunderstanding this? Really all I want is to be able to
> > > log in to the server if I get an email alert that there is a problem or
> > > security updates pending. If I can get this sorted, I'll look again at
> > > how to route the IMAP mail through the tunnel too.
> >
> > ---
> > http://kbserver.netgear.com/kb_web_files/n101145.asp
> > http://kbserver.netgear.com/kb_web_files/n101145.asp#FR114PAnchor
>
> Sure, but those pages are very much like the router's doc pages. I don't see
> any info about forwarding to ports different from the incoming one.

---
Here's another example; it will do what you want, you're just misunderstanding
it. I have 2 customers that use Netgear routers. I think you're not setting up
the NAT - Add page.

http://portforward.com/english/routers/port_forwarding/Netgear/DG834G/eMule.htm

One thing: are you using it for the DSL, or another modem/router for DSL? If
you're using two, only one can be NATed and the other main router in bridged
mode.

JohnStanley
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
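The sshd tightening that Warren lists in the quoted message (steps 1, 3, 4 and the alternate port from step 5) is easy to get subtly wrong by hand, because sshd takes the *first* value it finds for a keyword, so a directive appended to the end of /etc/ssh/sshd_config does not override an earlier one. The POSIX shell script below is an added example, not code from the thread or from CentOS: it applies those four settings to a config file you name, commenting out any earlier occurrences, and then checks the effective values the way sshd would read them. The port 22022 is the one suggested in the thread; the sample sshd_config content is constructed here for the demo, and the script only ever touches the path you pass it.

```shell
#!/bin/sh
# Added example: harden an sshd_config file as described in the quoted thread
# (key-only auth, SSH protocol 2 only, no root login, alternate port) and
# verify the result. Work on a copy first; the demo uses a temp file.

# Constructed sample resembling a stock CentOS 5 sshd_config excerpt.
make_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config (not a real system file)
#Port 22
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
EOF
}

# sshd uses the FIRST value it sees for a keyword, so appending at the end
# would not override an earlier "PasswordAuthentication yes". We therefore
# put our directives at the top and comment out earlier active occurrences.
harden_sshd_config() {
    cfg="$1"
    port="${2:-22022}"      # assumption: 22022 as suggested in the thread
    tmp="${cfg}.tmp.$$"
    {
        echo "# --- hardening added by harden_sshd_config ---"
        echo "Protocol 2"
        echo "Port $port"
        echo "PasswordAuthentication no"
        echo "PermitRootLogin no"
        echo "# --- end hardening ---"
        # Comment out pre-existing active lines for the keywords we set.
        sed -E 's/^[[:space:]]*(Protocol|Port|PasswordAuthentication|PermitRootLogin)[[:space:]]/#&/' "$cfg"
    } > "$tmp" && mv "$tmp" "$cfg"
}

# Print the effective value of one keyword: first uncommented match wins,
# mirroring sshd's own rule (keywords are case-insensitive). Empty output
# means the compiled-in default applies.
sshd_effective() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Return 0 if the file meets all four requirements, 1 otherwise.
check_sshd_config() {
    cfg="$1"
    port="${2:-22022}"
    [ "$(sshd_effective "$cfg" Protocol)" = "2" ] || return 1
    [ "$(sshd_effective "$cfg" Port)" = "$port" ] || return 1
    [ "$(sshd_effective "$cfg" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_effective "$cfg" PermitRootLogin)" = "no" ] || return 1
    return 0
}

# Demo on a temp copy, never on the live /etc/ssh/sshd_config.
demo() {
    f="$(mktemp)"
    make_sample_config "$f"
    if check_sshd_config "$f" 22022; then
        echo "sample already passes (unexpected)"
    else
        echo "sample fails the check before hardening, as expected"
    fi
    harden_sshd_config "$f" 22022
    if check_sshd_config "$f" 22022; then
        echo "hardened config passes:"
        cat "$f"
    else
        echo "hardening FAILED"
    fi
    rm -f "$f"
}
# Usage: . ./harden-sshd.sh && demo
```

To apply this to a real server, copy /etc/ssh/sshd_config somewhere, run `harden_sshd_config` on the copy, and validate it with `sshd -t -f <copy>` before moving it into place and restarting sshd (`service sshd restart` on CentOS). Do that from an existing SSH session and keep that session open until a key-based login on the new port succeeds, since `PasswordAuthentication no` locks you out if the authorized_keys step was missed. Note also that the host in `-L10143:host:143` is resolved by sshd on the server side, so `localhost` there means the IMAP server on the home box itself.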