OESF Portables Forum
Everything Else => General Support and Discussion => Zaurus General Forums => Archived Forums => Security and Networking => Topic started by: Capn_Fish on June 29, 2007, 11:06:06 pm
-
I know ifconfig will show my intranet IP address, but how do I find my internet IP address? I'm wondering about this for SSHing into my desktop from my Z (and vice versa) across the internet.
Probably a simple question, but I really have no idea how to do it.
Thanks.
-
If your machine is on a private IP segment (10.x.x.x or 192.168.x.x) then there's a NAT gateway/firewall between your machine and the internet proper and you can't directly SSH in from outside. You have to configure an explicit port redirection on the gateway machine/router to do it.
-
Maybe use dyndns and redirect ssh over a more common port (http or something)? That would simplify getting into your Z from different networking environments, especially those where you can't easily do the port redirection on the NAT, wouldn't it?
You'd probably want to be running a firewall on the Z and of course edit your hostname and sshd.conf, right? Or had you already considered this option?
-
And like adf said... edit your sshd.conf and set AllowRootLogin to NO!
I had my pdaxrom-dev box open so I could get to it from work... and before I did that I disabled it... well, one day something told me to check why root has so much mail... my SELinux logs say I was getting about 500 bad login attempts from people using random password generators on the root account. But even if their password was right... they still wouldn't get in :-)
Late
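The sshd.conf advice in the posts above, as an added example that is not part of the thread: a small POSIX sh audit of an sshd_config file against the three settings discussed (no root login, key authentication only, a non-default port). The OpenSSH keyword for root login is PermitRootLogin (there is no AllowRootLogin), and the file is normally /etc/ssh/sshd_config; the two config files the script writes to temp files are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config for the settings
# argued about above. The real OpenSSH keyword for root login is
# PermitRootLogin. sshd honours the FIRST occurrence of each keyword and
# ignores later duplicates, so the audit reads the first value too.

# first_value FILE KEYWORD -> first configured value, lowercased; empty if unset.
# Stops at the first "Match" block, where per-user overrides begin.
first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
        tolower($1) == "match" { exit }        # end of the global section
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per weak setting, returns 0 only
# when nothing is found. Unset keywords are reported because their defaults
# changed across OpenSSH versions; on a box exposed to the internet, say it.
audit_sshd_config() {
    findings=0

    v=$(first_value "$1" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is '${v:-unset}', want 'no'"
        findings=$((findings + 1))
    fi

    v=$(first_value "$1" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is '${v:-unset}', want 'no' (key auth only)"
        findings=$((findings + 1))
    fi

    v=$(first_value "$1" Port)
    if [ -z "$v" ] || [ "$v" = "22" ]; then
        echo "Port is '${v:-unset}', want something other than 22"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample configs; not real files from any Zaurus.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
# stock-looking config: the last line is ignored because the first
# PermitRootLogin wins, so this box still allows root logins
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
EOF

hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication yes
EOF

echo "== weak config =="
audit_sshd_config "$weak_cfg" || echo "-> fix these before forwarding the port"
echo "== hardened config =="
audit_sshd_config "$hardened_cfg" && echo "-> no findings"
rm -f "$weak_cfg" "$hardened_cfg"
```

The "PasswordAuthentication yes" under "Match User backup" in the hardened sample is deliberately not flagged: it applies to one user only, and the global setting stays "no". Run the audit before opening the router, not after; the bad-login flood in the post above starts within hours of a port becoming reachable.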
-
Yes, I know about setting up sshd.conf. I currently (on the boxes I SSH into from my Z on my intranet) have them set up to deny root access and with DSA key authentication, so if you don't have the private part of the key, you can't get in. Also, I'm firewalled off from all incoming connections from the internet by my router. I realize I'd have to change that to SSH in through the internet, but it's secure AFAIK.
EDIT: That's about as far as my firewalling knowledge goes. I was going to try to learn how to set up IPTables a while ago, but all of the tutorials were confusing at that point.
And a quick question: If I open a port on my router's firewall/set up port knocking on it (if possible), could I SSH in then?
-
If you told the Z to listen on that port in sshd.conf.
Which reminds me--- lokkit or some other simple, fast iptables GUI would be really helpful on the Z (GPE Shield would be fine, but it is currently not working in pdaXii13).
-
If you are behind a NAT and you want your gateway's IP then go to whatsmyip.net and it will spit out the IP it sees.
As for hiding behind the NAT, you want to forward port 22 (or whatever you use, I don't recommend the default) to the IP of the device you want to ssh into. If you don't control the gateway (i.e. work) then try a default password (the evil way) or you have 2 options:
1: Reverse ssh/telnet, involves getting the Z to ssh and port forward to a machine you own. You then connect to the machine you own, which connects you to the Z; encrypts data twice (overhead).
2: VPN and forwarding, creates a private address range of physically separate machines (i.e. 10.0.0.x might be in Japan while 10.0.1.x might be in Sydney) that appear local. I am thinking about offering this to people from my server.
BTW, are we talking about <generic brand> routers here or a DIY Linux/OpenBSD special? Makes a difference in how you set up the port forwarding (and whether you blocked incoming connections properly; remember, only allow "established" connections in).
If you are using <generic brand> routers then they have support for dyndns updates these days. However, if you drop the line more than twice an hour you might get periods of no connectivity (affects me, for example), or if you own a domain name and server it's possible to update your IP via ssh, but that's getting a bit complex (that's what I like).
I remember writing up a sshd tricks guide in the security forum somewhere; should dig that up and add it to my tag.
-
Thank you for the informative post!
I'll look into that stuff.
And for future reference, this is just a standalone router. No custom Linux/BSD setup, I'm afraid.