[nzlug] Server initiated SSH session

Steve Holdoway steve at greengecko.co.nz
Mon Feb 25 16:35:10 NZDT 2008


On Mon, 25 Feb 2008 13:21:37 +1300
"Michael Hutchinson" <mhutchinson at manux.co.nz> wrote:

> Hello everyone,
> 
> I am looking for a way to get SSH access to work, but I have some
> restrictions to work around, which could make it difficult or
> impossible. The situation is this:
> 
> I want to connect to our mail server at work, via SSH. It is publicly
> addressable, but not for SSH - we have had hack attempts on SSH before
> so we blocked SSH in the firewall, except from the internal network.
> From home I can access a windows server at work via RDP. From there I am
> able to SSH to our mail server. The problem here is that SSH over RDP is
> rather baggy and is a bit of a pain to work with as display refresh
> delays get in the way and cause typos etc. 
> 
> I am hoping that I can initiate an SSH session from the mail server
> (given commands from the SSH over RDP connection) to my home computer,
> which would then act as if it had connected to the mail server and give
> me a terminal as such. Keeping in mind, I am on a dynamic IP at home.
> 
> My first question is, is this possible? 
> 
> Secondly, how would I approach a solution? 
> 
> VPN is not really an option, if it were I'd have set up an IPsec linux
> box at home a while ago.
> 
> Thanks in advance for any ideas,
> 
> Cheers,
> Michael Hutchinson.
> 
> 
> _______________________________________________
> NZLUG mailing list NZLUG at linux.net.nz
> http://www.linux.net.nz/cgi-bin/mailman/listinfo/nzlug

I'd go for the simplest solution: re-open the ssh port, and restrict ssh access on the target machine to a single, obscurish user, which you've swapped keys with. Passphrase protect the key, and lock the account on the target machine if you wish, so you can't log in with a password at all. You may need to use the services of dyndns or no-ip if you've not got a static IP address on your client box.

These script kiddies who do this are just that, and they're the ones filling up your logs. Any serious hacker will find ssh, whatever port you're running it on. But when it's set up as above, you're about as safe as you can be.

My $0.02,


Steve

-- 
Steve Holdoway <steve at greengecko.co.nz>
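As an added example (not from either poster), the sshd_config fragment that Steve's advice amounts to, plus a small POSIX shell audit that reports which of those settings an existing config is missing; the user name gk4ops and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Names below are hypothetical.
# Key side (run on the client, once):  ssh-keygen -t rsa -b 4096   (set a passphrase)
# Target side, after copying the public key into ~gk4ops/.ssh/authorized_keys:
#   passwd -l gk4ops     # lock the password so only the key works

# Constructed hardened fragment: one allowed user, keys only, no passwords, no root.
hardened_sshd_fragment() {
    cat <<'EOF'
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers gk4ops
EOF
}

# Audit a config file: print each required directive that is missing or
# has the wrong value. Returns 0 when fully hardened, 1 otherwise.
# sshd uses the first occurrence of a directive, so the awk stops at the first match.
audit_sshd_config() {
    file="$1"
    status=0
    for want in "PasswordAuthentication no" "PubkeyAuthentication yes" \
                "PermitRootLogin no" "ChallengeResponseAuthentication no"; do
        key=${want%% *}
        got=$(awk -v k="$key" '$1 !~ /^#/ && tolower($1)==tolower(k){print $2; exit}' "$file")
        if [ "$got" != "${want#* }" ]; then
            echo "MISSING: $want (found: ${got:-unset})"
            status=1
        fi
    done
    # Exactly one AllowUsers line naming exactly one user.
    n=$(awk '$1 !~ /^#/ && tolower($1)=="allowusers"{print NF-1}' "$file")
    if [ "$n" != "1" ]; then
        echo "MISSING: AllowUsers with a single user"
        status=1
    fi
    return $status
}
```

Run `audit_sshd_config /etc/ssh/sshd_config` and reload sshd only after it reports nothing, keeping an existing session open until the key login has been verified.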
