USA Linux Users Group Forum Index

Remote Administration
Nic
New Member


Joined: 07 Jun 2024
Posts: 34
Location: Colorado Springs, Co

Posted: Mon Jul 02, 2024 8:07 pm

Ok so the final verdict:

I set up VNC on the CentOS server box and set a port forward (port 5900 by default) in the router to the system, so VNC connects to the box and I can remotely control the GUI. I also use PuTTY for strict command line access, and I also installed pocket PuTTY on the system so I can connect anywhere I have service. I did port forwarding for ports 20-22 for FTP and PuTTY. And I also installed webmin so I can access the server that way, if worse comes to worse. Port forwarding 10000 by default.



_________________
Knoppix - live CD
CentOS 5 vsFTPd & SAMBA
CentOS 5 (remote laptop)
Stuka
Sr. Member


Joined: 15 Oct 2024
Posts: 1271
Location: Houston, TX

Posted: Mon Jul 02, 2024 8:40 pm

Wow, seems like overkill to me, but hey, if that floats your boat....

BTW, if you have the SSH port forwarded, you should use sftp instead of ftp - unless you like cleartext passwords over the 'net! If client access is a problem (as in, others are using it and not you, or you don't like the sftp command line client provided by PuTTY), you could use FileZilla or any other sftp-aware FTP-style client.


DeFi
Member


Joined: 09 Jun 2024
Posts: 312
Location: Cali

Posted: Tue Jul 03, 2024 6:48 pm

I would be careful leaving VNC open to the outside. It has quite a history of vulnerabilities, and is one of the leading causes of remote exploitation. ( http://secunia.com/search/?search=vnc - Realvnc 4.x has an unpatched vuln as of writing this, zero-day exploits are exposed regularly)

If you must have remote VNC control, you're much safer turning on SSH Xforwarding, and using the VNC client on the server itself:

"vncclient localhost"

It's slower, but everything is encrypted, and you only need to leave 22 open for SSH.


Also same goes for Webmin, keep stuff that can potentially compromise your box off of the internet.

I would also recommend http://openvpn.net/ as an alternative access for the big management apps.



_________________
SLED 10 Service Pack 2
VHockey86
Advanced Member


Joined: 12 Dec 2024
Posts: 988
Location: Rochester

Posted: Mon Jul 09, 2024 7:15 pm

With a VPN you could connect via all of these services (VNC,SSH,FTP,Webmin) "locally", and not need to forward the ports of all of those services to outsiders. You'll just need to make sure you configure routes between the subnets on each end of the VPN. That way if in one office you're on 192.168.1.x, and your server is on 192.168.2.x, you can SSH or whatever via that local address, rather than going through the WAN.

It sounds like you've got quite a security hole brewing there IMO. Both VNC and Webmin have had their fair share of security issues in the past - not to mention those give LOTS of access to your system. If someone manages to get into your SSH somehow as a non-root user...at least they can't do quite as much damage.



_________________
Main Desktops : Kubuntu 10.4. ArchLinux 64-bit. Windows7 64-bit. Windows XP 32-bit.

MacBook: OS X Snow Leopard (10.6)
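
Added example (not written by any poster in this thread): a check for the advice in the two replies above, that only SSH should be reachable and VNC, FTP and Webmin should not listen on outside-facing addresses. It parses listening-socket output in `ss -tln` format and reports every non-loopback listener other than port 22; the sample outputs, the allowed-port set and all function names are assumptions made for the illustration.

```python
import ipaddress

# Assumption for this example: SSH is the only service meant to face the WAN.
ALLOWED_PUBLIC = {22}
KNOWN = {21: "FTP", 5800: "VNC (HTTP)", 5900: "VNC", 10000: "Webmin"}

# Constructed `ss -tln` output: every service from the first post on all interfaces.
EXPOSED_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      0.0.0.0:5900       0.0.0.0:*
LISTEN 0      128    0.0.0.0:10000      0.0.0.0:*
LISTEN 0      32     *:21               *:*
LISTEN 0      128    [::]:22            [::]:*
"""

# Constructed output after rebinding: VNC and Webmin on loopback, FTP stopped.
HARDENED_SS = """\
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      5      127.0.0.1:5900     0.0.0.0:*
LISTEN 0      128    127.0.0.1:10000    0.0.0.0:*
LISTEN 0      128    [::1]:631          [::]:*
"""

def split_local(field):
    """Split 'addr:port' (IPv4, '*', or bracketed IPv6, optional %iface)."""
    host, _, port = field.rpartition(":")
    return host.strip("[]").split("%")[0], int(port)

def is_loopback(host):
    """'*' and unspecified addresses mean every interface, so not loopback."""
    return host not in ("*", "") and ipaddress.ip_address(host).is_loopback

def exposed_listeners(ss_output, allowed=ALLOWED_PUBLIC):
    """Return sorted (port, service) pairs bound to a non-loopback address."""
    findings = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        host, port = split_local(fields[3])
        if not is_loopback(host) and port not in allowed:
            findings.add((port, KNOWN.get(port, "unknown")))
    return sorted(findings)

if __name__ == "__main__":
    print(exposed_listeners(EXPOSED_SS))
    print(exposed_listeners(HARDENED_SS))
```

A listener bound to loopback stays usable through an SSH tunnel or a VPN route, which is why the second sample reports nothing.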
Nic
New Member


Joined: 07 Jun 2024
Posts: 34
Location: Colorado Springs, Co

Posted: Tue Jul 10, 2024 3:25 pm

I do realize how big a hole it leaves, and it's only temporary until I can get the VPN up and running. My boss purchased 2 VPN routers for site-2-site VPN; once I get that working, the only port that will be open is the one for the vsFTPd to be accessed by our outside client(s).

Thanks again for all of the help



_________________
Knoppix - live CD
CentOS 5 vsFTPd & SAMBA
CentOS 5 (remote laptop)
simon1206
New Member


Joined: 06 Dec 2024
Posts: 23
Location: san jose, ca

Posted: Sun Apr 06, 2024 6:09 am

I am running SUSE 10.2 and trying to set up remote admin. This is the first time I have encountered this; other times it works. In 'Graphics Card and Monitor' I select Remote admin and click allow remote admin, and select open port 5900. In firewall I opened ports 5800 and 5900, hit okay, but it never finishes; it hangs. xmode has been running for close to an hour.

Help

Simon


cybervzhn
New Member


Joined: 27 Aug 2024
Posts: 1
Location: Michigan, US

Posted: Wed Aug 27, 2024 6:52 am    Post subject: Re: Remote Admin

IMHO (tempered by many years of remote Linux frustration, uh I mean administration)

I think that Webmin provides an excellent remote admin solution. Webmin has been around for a while and is very stable. It supports SSL and can be set to refuse cleartext connections. It puts all of the configuration settings in one place, and here's the best part: it gives disparate Linux distros and release versions the same admin interface.

Webmin is written in Perl and runs its own separate webserver. It is very simple to install, secure, and easy to use.

Webmin has an ssh java client, java file manager, and can manage total system configuration. I mean everything, from spam-eating secure mailservers to samba PDCs to LAMP servers.

I still use ssh and the command prompt often because I am comfortable there, however, when you are initially setting up a system you are changing the configuration of many different things and webmin puts it all in one place.

I usually set up a VNC server just to have another way of accessing the system. I tunnel the VNC client with PuTTY. Creating the tunnels in PuTTY to the server is pretty simple. It's just choosing a local port on your machine to forward to a port of your choice on the server.

For those that are ultra security conscious, you can leave all of the admin interfaces closed to everything but localhost [or 127.0.0.1] with only ssh being exposed for administration.

Denyhosts will monitor /var/log/secure for sshd (or potentially any server daemon using regular expressions) and ban IPs that repeatedly get passwords wrong. This effectively protects ALL of your admin interfaces from password attacks.

Denyhosts has several thresholds that can be set so end users that use the wrong password are only locked out temporarily, but script kiddies and hackers running dictionary password guessing attacks with repeated attempts can get banned a lot longer or permanently.

After getting comfortable managing servers this way, you can even disable X windows startup freeing up those resources to be used for what the server is there to do, serve. You can always start it manually via ssh or webmin if you need it.

(I can even access webmin via my Windows Mobile 5 smartphone in emergencies)

Best Regards...
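
Added example (not part of the post above and not DenyHosts' own code): a simplified model of the per-category failure thresholds the post describes, run over constructed `/var/log/secure` lines. The threshold values, the sample log and the function names are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Assumed, illustrative thresholds: failed logins tolerated per source IP
# before a ban, by the kind of account that was tried.
THRESHOLDS = {"invalid": 3, "root": 1, "valid": 5}

# The greedy user group makes the regex take the LAST " from <ip> port" on the
# line, so a crafted username containing " from " cannot supply the address.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?"
    r"(?P<user>.+) from (?P<ip>\S+) port \d+ ssh2$"
)

# Constructed /var/log/secure lines (documentation-range addresses).
SAMPLE_LOG = """\
Jul  3 18:40:01 box sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jul  3 18:40:03 box sshd[2103]: Failed password for invalid user test from 203.0.113.7 port 40118 ssh2
Jul  3 18:40:05 box sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 40125 ssh2
Jul  3 18:52:10 box sshd[2130]: Failed password for nic from 198.51.100.20 port 51022 ssh2
Jul  3 18:52:19 box sshd[2130]: Failed password for nic from 198.51.100.20 port 51022 ssh2
Jul  3 18:52:31 box sshd[2130]: Accepted password for nic from 198.51.100.20 port 51022 ssh2
Jul  3 19:05:44 box sshd[2177]: Failed password for root from 192.0.2.55 port 33810 ssh2
"""

def classify(match):
    """Return which threshold applies to one failed-login match."""
    if match["invalid"]:
        return "invalid"
    return "root" if match["user"] == "root" else "valid"

def banned_ips(log_text, thresholds=THRESHOLDS):
    """Map each banned source IP to the threshold category that tripped."""
    counts = defaultdict(lambda: defaultdict(int))
    banned = {}
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if not match:
            continue
        ip, kind = match["ip"], classify(match)
        counts[ip][kind] += 1
        if ip not in banned and counts[ip][kind] >= thresholds[kind]:
            banned[ip] = kind
    return banned

if __name__ == "__main__":
    for ip, kind in banned_ips(SAMPLE_LOG).items():
        print(f"{ip}: banned, {kind} threshold reached")
```

The legitimate user at 198.51.100.20 mistypes twice and stays under the higher "valid" threshold, while the source guessing nonexistent accounts and the single root attempt are both banned.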


lynch
Moderator


Joined: 15 Nov 2024
Posts: 2659
Location: The Diamond State

Posted: Wed Aug 27, 2024 8:38 am

Welcome to usalug, cybervzhn. :)
Thanks for that useful information.



_________________
Mandriva 2024 Spring -2.6.31.12-server-2mnb
PCLinuxOS 2024 -2.6.26.8.tex3
All content © 2024-2009 - Usa Linux Users Group