[wellylug] Router piercing

Jim Cheetham jim at gonzul.net
Mon Dec 12 10:08:00 NZDT 2005


On Sat, Dec 10, 2005 at 11:36:23AM +1300, Bret Comstock Waldow wrote:
> I've noticed 'vnc', 'ssh tunnels', and lots of kernel options with the word 
> 'tunnel' in them.  Are they all about the same thing?  Are there several 
> approaches?  I'm after the 10,000 foot view first, although I'd be happy to 
> hear anything you think is useful about the matter.

Several approaches. First of all, what you're asking for (share
desktops, files, whatever) is accomplished by a wide range of extremely
different software on your machines :-) Most of them do not pay any
attention to security in the slightest. Allowing the traffic for these
services to pass into your router would not be a very good idea (because
it is inherently impossible to be *sure* that the traffic you allow comes
from the place you allow, for the purpose you allow)

One of the services does understand security, and that's ssh on TCP port
22. It is cautious and secure, and well-known. By default it will allow
connections from anyone to your machine, and rely on good
username/password combinations to keep people out. If you are not *sure*
of the state of all your machine's usernames (without looking - how
many do you have? Don't know? You're not sure enough, sorry) then
allowing ssh traffic to come through is not a great decision.

Anyone who says, "Oh, I'm not a target - no-one would bother attacking
my machine" doesn't understand the current state of the Internet - it's
awash with automated, mindless attack software, which will bash away at
any open connection you have, regardless of the type of your machines.
The majority of the attacks are targeted at Windows machines, it's
true - but there are enough of the right kind to hurt a poorly-managed
Unix machine too.

The 10,000' opinion (and this applies to your wifi connections too) is
to use OpenVPN (http://openvpn.net). It's considered safe to open your
router to allow this traffic in - as long as you take even minimum care
with the setup, of course - because by default nothing will work.

This provides you with an entire virtual network between your machines,
and you can run all that interesting non-secure sharing traffic over it.
Even if you connect over a dynamic IP address (and therefore cannot
always predict the address of the machine you want to talk to), you can
get OpenVPN to work and provide a static address for each machine on the
private network. Just point all your VPN, Samba, whatever at that
private address, and the connection will either work (and be secure) or
fail. No middle ground. And only one open port on the routers :-)

-jim
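The setup described in the post, OpenVPN with a fixed private address for each machine and a single port open on the router, written out as an added example; this is not part of the original message or the OpenVPN project's own sample files. The host name vpn.example.org, the 10.8.0.0/24 range, the client name "laptop" and the file layout are assumptions.

```conf
# --- server.conf (assumed layout; runs on a machine behind the router) ---
# The router forwards exactly one thing: UDP 1194 to this host.
port 1194
proto udp
dev tun
topology subnet
# Certificates from easy-rsa; until they exist nothing connects.
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Pre-shared HMAC key: packets without a valid HMAC are dropped before TLS.
tls-auth ta.key 0
# The private network between the machines (assumed range 10.8.0.0/24).
server 10.8.0.0 255.255.255.0
# Let the peers see each other (Samba, VNC, ... over the tunnel).
client-to-client
# Per-client files in ccd/ pin a fixed tunnel address to each machine.
client-config-dir ccd
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3

# --- ccd/laptop (file named after the CN in the client certificate) ---
# This machine always gets 10.8.0.10; point Samba/VNC at that address.
ifconfig-push 10.8.0.10 255.255.255.0

# --- client.conf (on the roaming laptop; works from any dynamic IP) ---
client
dev tun
proto udp
# Public name of the router (assumed); a dynamic-DNS name is fine here.
remote vpn.example.org 1194
nobind
# Only accept a peer whose certificate is marked as a server.
remote-cert-tls server
ca ca.crt
cert laptop.crt
key laptop.key
tls-auth ta.key 1
persist-key
persist-tun
verb 3
```

A machine without a valid certificate and the ta.key HMAC never gets as far as the TLS handshake, which is the "either works and is secure, or fails" property the post relies on.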
