Friday, April 15, 2011

Using ssh to secure connections

MindTerm, VNC, socat... oh no! The ability to work remotely is one of the advantages of Linux that system programmers and administrators value most, but setting up remote access is not a simple thing.

Each month, Server Clinic describes how to get the most out of the hardware in your server room. That often involves using Linux in ways that contradict the well-worn stereotypes, such as: Linux is for Fortran programs, Linux was made for old-style applications, and so on. A second recurring topic is the subject of this column: security. Your servers should be physically isolated, you should disable all unnecessary network access, and you should reach the servers only through ssh or something equally good. In particular, use Telnet, ftp, rsh, rlogin and related services as little as possible; they are simply too dangerous. Suppose you have done all of these things. Now you are away, at a trade show, consulting with a new customer, or finishing up a meeting that was already covered by your training budget. You need to bring up certain material from back at the company. What should you do? First, ask whether you should try at all. Programmers and administrators could do this work during normal working hours in their quiet workplace, but they like to force themselves to do it anyway, and that is its own kind of assault. Don't make yourself a victim of that behaviour! Connecting for a legitimate business purpose, however, is no breach. Once you have sorted out these organizational issues, the answer is "ssh". Even if you rely in principle on a virtual private network (VPN) rather than ssh, I still think it is prudent to set up ssh access for emergencies, for the times when the regular method cannot be used. VPNs still have some difficulties and depend on particular hardware configurations. If you are using a client's network (mostly ordinary desktop machines) to "phone home", your choices are extremely limited. The good news is that ssh's needs are modest, so it usually fits within those limits.
Even when you are out of the office at a public access point (such as an "Internet" terminal), you may lack the resources to make ssh work. You may not be able to rely on your own equipment. Seriously: carrying anything larger than a handheld device around is another security risk; worse, many places do not allow external hardware to be plugged in. Typically, you must use the hardware provided to you. Downloading puTTY, an ssh client or MindTerm is generally very quick, though, and I do it. Anyone with a working network stack that can reach your server-room hosts is probably also permitted to download through a Web browser. Use a pre-installed client with care; it is too easy for someone to have replaced it with a modified client that captures keystrokes (or worse). Another approach, embedding the MindTerm client as an applet in a Web page, looks very attractive. My experience, however, is that it is rarely useful. Most places disable Java, provide only an old Java runtime engine (JRE) in the browser, or reduce the applet's convenience in other ways. If you want to use MindTerm, you will end up downloading and installing the client and a compatible JRE anyway. Applets are usually a good technique for end-user applications, and they also suit read-only configurations, but I have found that usage rare. So, to work efficiently, it is not worth the time to solve the applet problems your environment may present. I have always found it easier to find a megabyte of free storage and install an ssh client. You sit down, install a fresh ssh client and start it. That may still not be enough: some local firewalls close most ports, or at least many ports, including the standard ssh port 22. Here is another way to be prepared.
On at least one of my hosts, I have sshd (the ssh daemon) listen on a port usually assigned to a common Internet service (such as ftp, http, smtp or pop3). Even the strictest firewalls open ports 8080, 21, 25 and 110. Set your machine to "capture" such traffic and you can get through most firewalls. Does this sound like "breaking in"? I do not condone abuse of networks. Employees of other companies often invite me to use their networks, while knowing that a sensitive change to their firewall (such as temporarily opening port 22) is not feasible for the company. I have come to accept that having such "tricks" ready is part of current professional practice, but I need to make sure I use them only in a responsible way to finish the job. Of course, once the ssh channel is open, I have almost all the capabilities I would have sitting at the console in the server room. If I need a graphical display, I can tunnel X or VNC through the channel, and everything else I commonly do is accessible from the command line. So my work session begins like this: I download a reference ssh client, quickly install and launch it, and then authenticate with an SSL-secured password back to the sshd I left running in the server room. Note that I am still vulnerable to attacks from a tampered host. A thoroughly modified desktop machine or a vigilant "voyeur" can get at the keystroke information before it reaches the SSL library. The solution to that is a one-time password (OTP) system. To date, OTP seems to me more trouble than it is worth in security; its costs and benefits vary at least slightly from case to case. In any event, returning to the regular workplace is a good time to change the password. Server Clinic usually shows working code built from standard parts each month. In this article it is hard to add any code: the configuration I recommend is very simple, and the standard reference materials cover it completely.
For example, to put the ssh service on a second port, just add the line Port 8080 to the existing /etc/ssh/sshd_config and restart sshd. Another method is to use a "Web proxy" or "port forwarder" (such as netcat or socat) that refers back to the standard ssh port on the local host (localhost); this method is very useful for testing, tuning, logging or extra security. A "proxy" in this context is a small "translator" that simply passes network traffic through. If I have an sshd server on port 22 and want another sshd server on port 110, one way to realize the idea is to install a network proxy. The proxy acts as a server on port 110 and receives connections from the outside world; it then acts as a client on port 22 to handle those packets. The basic sshd server does all the real work; the proxy's role is just to move traffic from one port to another (possibly on another host). The value of this column lies not in esoteric code but in conveying a clear concept, and you should take this as the target when enabling your remote services. I've tried many methods. Take advantage of that experience, in particular to understand what not to do, at least when you are first setting up the server room: disable Telnet, don't leave unused services running, don't worry about applets (in particular, don't worry about applet signing), and don't feel bad about remote login. On the other hand, be sure to use standard components. I've tried a lot of clever ideas for adjusting the ssh protocol or the firewall to block "Black Hat" hackers (attackers who specialize in exploiting network weaknesses, translator's note). Compared with the small security gain these ideas offer, they are harder to maintain, so there is little net gain.
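The port-forwarding proxy described above, as an added example that is not part of the original article: a minimal TCP relay in Python that listens on one port and passes each connection unchanged to the real sshd on localhost:22, which is exactly the job netcat or socat does. The `start_forwarder` name, the thread-per-connection design and the choice of port 110 are assumptions for illustration.

```python
import contextlib
import socket
import threading

def _pump(src, dst):
    # Copy bytes one way until src closes, then half-close dst so the peer sees EOF.
    with contextlib.suppress(OSError):
        while data := src.recv(4096):
            dst.sendall(data)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _relay(client, target):
    # Open a connection to the real sshd and copy traffic in both directions.
    try:
        upstream = socket.create_connection(target, timeout=5)
    except OSError:
        client.close()  # real service unreachable: drop the client
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()

def start_forwarder(listen_port, target=("127.0.0.1", 22), bind="0.0.0.0"):
    """Listen on listen_port and relay every connection to target (the sshd).
    Returns the listening socket; close it to stop accepting new connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, listen_port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed
                return
            threading.Thread(target=_relay, args=(conn, target), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv

if __name__ == "__main__":
    # Expose the sshd on port 22 on pop3's port 110 as well (root needed below 1024).
    start_forwarder(110)
    threading.Event().wait()
```

With socat installed, the equivalent one-liner is `socat TCP-LISTEN:110,fork,reuseaddr TCP:127.0.0.1:22`; in either case sshd still does all the authentication and encryption, the relay only moves bytes.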
Unless I have a clear security project with a budget and clear long-term goals, it is best to spend the time using ssh rather than trying to improve it. With the steps above, you will have a server room whose security is better than you would get from the standard Linux server installation alone. Almost all of the world's remote management runs over connections like these. For your own security plan, this is a good starting point.
