Re: Accessing MH from outside

Neil Cherry
David H. Lynch Jr. wrote:

> Neil Cherry wrote:
>>
>> You might want to look into setting up an SSH tunnel instead. It
>> would require that you login but then you'd be able to get to any
>> resources remotely. I've set this up under Linux (I'm pretty sure
>> you can do this under Windows also).
>>
>     Or any other type of secure VPN. There are numerous options. They all
> allow you to connect to your home network from the outside using a
> secure tunnel and giving you full access to your internal network - not
> just MH.
>
>     Getting a VPN working may be harder, but the payback is greater -
> you can typically access ALL internal resources, AND it is a lot more
> secure than leaving MisterHouse bare ass naked to the world.

I agree, my WRT54G has iptables (Linux software I understand pretty
well) and I can open it up for access from only certain IP ranges.
Too bad my work location no longer permits ssh (a block on the
protocol, not the port range). When it was working I could use SSH
from work to browse any of my internal systems. I could use my
DNS to resolve to my local addresses and not have to memorize
IP addresses. It worked great. I'm not sure about other VPN
solutions as the one my work computer uses locks me out. The
SSH tunnel permits me to use my browser to access the ssh
tunneled ports as if I were directly connected to my home
network. A nice feature I needed but one that may not work
well for others' use.

--
Linux Home Automation         Neil Cherry       [hidden email]
http://www.linuxha.com/                         Main site
http://linuxha.blogspot.com/                    My HA Blog
http://home.comcast.net/~ncherry/               Backup site


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
________________________________________________________
To unsubscribe from this list, go to: http://sourceforge.net/mail/?group_id=1365

Re: Accessing MH from outside

David Lynch Jr.
Melanie wrote:
Greetings,

On Friday, July 14, 2006, you wrote, in part:
...
DHLJ>     Finally, I do not think MisterHouse has ever claimed to be secure
DHLJ> enough to properly support safe remote access. I do access my mh
DHLJ> remotely, but I have a Linux firewall router, and I limit mh access to a
DHLJ> limited number of known trustworthy IPs. When I am on the road I ssh
DHLJ> into the router, add my current IP to the safe list and then browse mh.
DHLJ> When I am done I remove it. Further I run mh on its own Linux virtual
DHLJ> server - crack it and the most you get is the ability to foul up my
DHLJ> misterhouse configuration.
...

Could you point me in any direction so I can learn how to set up my own
Linux virtual server?

A couple of links.

http://linux-vserver.org/
http://deb.riseup.net/vserver/

A link to a HOWTO I am working on about different forms of virtualization.

http://web.dlasys.net:8888/howtos/xml/Virtualization.xml

First:
Linux VServers are not the same as what is typically referred to as virtualization - Xen, VMWare, M$ Virtual PC.
Those systems run a host OS, and then run a complete live copy of one or many guest OSes on top of the host OS.
The host typically creates an emulated hardware environment for the guest OS.
Though there have been enormous improvements, that type of virtualization is slower and more resource intensive - but also more secure.

Linux VServers are a logical extension of what is referred to as chroot or chroot jail environments. Running a Linux service in a chroot jail makes it significantly harder for an outside attacker to gain access to files outside the "chroot jail". A chroot jail basically runs a process or server in a specific directory as if that directory were the root directory of the system. That service is not allowed to see any of the directories outside the chroot jail.

VServers take that concept and extend it to many other Linux resources. Not only can't a VServer process see files outside the vserver environment, but it cannot see processes or other resources.

There is only one copy of Linux running - so the performance penalty is not nearly so great as with hardware virtualization.
Linux VServers partition the internal Linux data tables such that each vserver appears to get its own private set. It has its own processes, open files, directory tree, ... And it cannot see the processes, files, directory tree etc. of other vservers (unless you go to some trouble to let it).

At a higher level, each vserver has its own Linux install - not a separate kernel, but a separate directory tree with its own paths etc. You do not even have to run the same Linux distribution in each vserver. Further, because separate copies of the core files for each vserver could be wasteful of space, there is a Unify process that creates hard links between identical files across different vservers. Eventually duplicated files become a single file with multiple links. But there is a kernel modification regarding hard links so that if any vserver writes a linked file, it gets a new copy, and the other vservers retain the old one.

I do not know your level of expertise or what Linux distro you are running.

I use Debian - everything I am writing should be true about the plethora of Debian derived distributions such as Ubuntu.

First, you need to install and possibly build a vserver enabled kernel. With Debian you just search for the binary kernel package matching your CPU with vserver in the name.

Oh, do not install a vserver kernel on a router. Last I checked they do not have routers working. It is one of the few things left. I do not think you will ever be able to run the router in a vserver, but you should be able to run the router on the host, and have vservers on top of it.

Then you need to install the vserver utilities.

I just saw another set of server virtualization tools show up in Debian, so you want to get the right ones. Apparently there is another similar project - who knows, maybe better, but I have no experience with it yet.

Then you need to create a new vserver instance. The links above show examples. It basically involves installing a new copy of Debian (not the Linux kernel) with certain parts missing (they are already on the host).

After that, "vserver xxx enter" gets you into the new vserver, where you can do whatever you want, install it, configure it etc.

After that you just use it.

Typically I "vserver xxx enter",
install a copy of sshd,
exit and use an ssh client to connect and do everything else. I do not need the vserver tools for much after that.



-- 
Dave Lynch                                   DLA Systems
Software Development:                        Embedded Linux
717.627.3770        [hidden email]           http://www.dlasys.net
fax: 1.253.369.9244                          Cell: 1.717.587.7774
Over 25 years' experience in platforms, languages, and technologies too numerous to list.

"Any intelligent fool can make things bigger and more complex... It takes a touch of genius - and a lot of courage to move in the opposite direction."
Albert Einstein
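The build-and-enter sequence Dave walks through (vserver kernel, vserver utilities, a fresh Debian guest, then sshd inside it), as an added example script. This is not Dave's code and not part of util-vserver or MisterHouse: the guest name mh, its LAN address, context id, release and mirror are made-up values, and the kernel package name and the util-vserver flags are written from memory, so check `apt-cache search linux-image | grep vserver` and `vserver --help` on your own system before running it for real. `plan` only prints the commands; `host` and `guest` run them, and `guest` refuses to build unless the host is already booted on a vserver kernel.

```shell
#!/bin/sh
# Bring up a Linux VServer guest for MisterHouse on a Debian host, in the order
# from the post: vserver kernel, util-vserver, build a guest with debootstrap,
# start it, put sshd in it.  Added example; the guest name, address, context id,
# mirror and kernel package name below are assumptions, not project defaults.

GUEST="${GUEST:-mh}"
GUEST_IP="${GUEST_IP:-192.168.1.50/24}"      # assumed LAN address for the guest
GUEST_IF="${GUEST_IF:-eth0}"
CONTEXT="${CONTEXT:-1050}"                   # assumed; must be unique per guest
DIST="${DIST:-etch}"
MIRROR="${MIRROR:-http://ftp.debian.org/debian}"
KERNEL_PKG="${KERNEL_PKG:-linux-image-2.6-vserver-686}"   # assumed package name
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Guests only start on a vserver-patched kernel.  Debian's vserver kernels carry
# "vserver" in the release string, so this is a cheap check before building.
kernel_is_vserver() {   # kernel_is_vserver [RELEASE]  (defaults to uname -r)
    rel=${1:-$(uname -r)}
    case "$rel" in *vserver*) return 0 ;; *) return 1 ;; esac
}

# Steps 1 and 2: kernel and tools on the host.  Reboot into the new kernel
# before building a guest.  Per the post, do not do this on the router itself.
install_host_packages() {
    run apt-get install -y "$KERNEL_PKG" util-vserver
}

# Step 3: build the guest.  debootstrap installs a fresh Debian userland for it;
# no second kernel is involved, which is why the guest costs so little to run.
build_guest() {
    run vserver "$GUEST" build -m debootstrap \
        --context "$CONTEXT" --hostname "$GUEST" \
        --interface "$GUEST_IF:$GUEST_IP" \
        -- -d "$DIST" -m "$MIRROR"
}

# Step 4: start the guest and install sshd inside it, so from here on it is
# administered over ssh like any other machine, not through the vserver tools.
start_and_prepare_guest() {
    run vserver "$GUEST" start
    run vserver "$GUEST" exec apt-get install -y openssh-server
}

# "vserver xxx enter" from the post: a shell inside the guest that sees only the
# guest's own processes, files and addresses.
enter_guest() {
    run vserver "$GUEST" enter
}

plan() {
    install_host_packages
    build_guest
    start_and_prepare_guest
}

case "${1:-}" in
    plan)  DRY_RUN=1; plan ;;
    host)  DRY_RUN=0; install_host_packages ;;
    guest) DRY_RUN=0
           kernel_is_vserver || { echo "reboot into the vserver kernel first" >&2; exit 1; }
           build_guest; start_and_prepare_guest ;;
    enter) DRY_RUN=0; enter_guest ;;
    *)     echo "usage: $0 plan|host|guest|enter" >&2 ;;
esac
```

The point of the kernel check is the trap Dave mentions: a guest built on a plain kernel looks fine on disk and then fails at `vserver mh start`, so it is cheaper to refuse up front. Running MisterHouse in the guest gets you the containment he describes: a compromise of mh reaches the guest's directory tree and processes, not the host's.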


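Both firewall habits in this thread, Neil's "open it up for access from only certain IP ranges" and the add-my-current-IP-then-remove-it routine Dave quotes, come down to keeping a short source allow-list for the MisterHouse web port and regenerating iptables rules from it. The script below is an added example in POSIX sh, not code from either poster or from MisterHouse; the port 8080, the list file, the chain name and every address in it are assumptions. Entries can carry an expiry time, which covers the on-the-road case: add the hotel's address with a TTL and it closes itself even if you forget.

```shell
#!/bin/sh
# mh_allow.sh: keep a small allow-list of source addresses for the MisterHouse
# web port and turn it into iptables rules.  Added example with assumed values:
# port 8080, list file /etc/mh_allow.list, chain MH_ACCESS.
# List file format: one "CIDR EXPIRY" per line; EXPIRY is unix time, 0 = never.

MH_PORT="${MH_PORT:-8080}"                       # assumed MisterHouse web port
ALLOW_FILE="${ALLOW_FILE:-/etc/mh_allow.list}"
CHAIN="${CHAIN:-MH_ACCESS}"
HOOK="${HOOK:-INPUT}"       # INPUT if mh runs on the firewall box, FORWARD if the router port-forwards to it
IPTABLES="${IPTABLES:-iptables}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix, so a
# typo or a stray shell metacharacter never reaches the iptables command line.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%%/*}
    old_ifs=$IFS; IFS=.
    set -- $ip
    IFS=$old_ifs
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables commands for the list given as $1: rebuild the chain with
# one ACCEPT per allowed source, DROP everything else to the port, and keep
# exactly one jump into the chain.  The verbs below pipe this into sh.
render_rules() {
    printf '%s -N %s 2>/dev/null\n' "$IPTABLES" "$CHAIN"
    printf '%s -F %s\n' "$IPTABLES" "$CHAIN"
    while read -r src rest; do
        case "$src" in ''|'#'*) continue ;; esac
        valid_cidr "$src" || { echo "skipping invalid entry: $src" >&2; continue; }
        printf '%s -A %s -s %s -p tcp --dport %s -j ACCEPT\n' "$IPTABLES" "$CHAIN" "$src" "$MH_PORT"
    done < "$1"
    printf '%s -A %s -p tcp --dport %s -j DROP\n' "$IPTABLES" "$CHAIN" "$MH_PORT"
    printf '%s -D %s -p tcp --dport %s -j %s 2>/dev/null\n' "$IPTABLES" "$HOOK" "$MH_PORT" "$CHAIN"
    printf '%s -I %s -p tcp --dport %s -j %s\n' "$IPTABLES" "$HOOK" "$MH_PORT" "$CHAIN"
}

# add_entry CIDR [TTL_SECONDS]: TTL 0 (default) is permanent.  Give a TTL to the
# address you add while travelling so a forgotten entry closes itself.
add_entry() {
    valid_cidr "$1" || { echo "bad address: $1" >&2; return 1; }
    ttl=${2:-0}
    if [ "$ttl" -gt 0 ]; then
        echo "$1 $(( $(date +%s) + ttl ))" >> "$ALLOW_FILE"
    else
        echo "$1 0" >> "$ALLOW_FILE"
    fi
}

remove_entry() {   # remove_entry CIDR
    while read -r src exp; do
        [ -n "$src" ] || continue
        [ "$src" = "$1" ] || echo "$src $exp"
    done < "$ALLOW_FILE" > "$ALLOW_FILE.tmp"
    mv "$ALLOW_FILE.tmp" "$ALLOW_FILE"
}

# Drop entries whose expiry has passed; run from cron so the rules follow the list.
expire_entries() {
    now=$(date +%s)
    while read -r src exp; do
        [ -n "$src" ] || continue
        case "$src" in '#'*) echo "$src $exp"; continue ;; esac
        if [ "${exp:-0}" -eq 0 ] || [ "$exp" -gt "$now" ]; then
            echo "$src $exp"
        fi
    done < "$ALLOW_FILE" > "$ALLOW_FILE.tmp"
    mv "$ALLOW_FILE.tmp" "$ALLOW_FILE"
}

case "${1:-}" in
    add)    add_entry "$2" "${3:-0}" && render_rules "$ALLOW_FILE" | sh ;;
    remove) remove_entry "$2" && render_rules "$ALLOW_FILE" | sh ;;
    expire) expire_entries && render_rules "$ALLOW_FILE" | sh ;;
    show)   render_rules "$ALLOW_FILE" ;;
    *)      echo "usage: $0 add CIDR [TTL] | remove CIDR | expire | show" >&2 ;;
esac
```

With the list in place, Neil's tunnel trick needs no hole at all for the web port: `ssh -L 8080:localhost:8080 you@router` (assumed names) and then browsing http://localhost:8080 carries the MisterHouse traffic inside the ssh session, so only port 22 needs a rule, and that one can be held to the same allow-list by changing MH_PORT. Remember that the home LAN's own range belongs in the list when the chain hangs off FORWARD, otherwise local browsers get dropped along with the rest of the world.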

Re: Accessing MH from outside

Tim Sailer

On Sun, July 16, 2006 21:57, Neil Cherry said:

> David H. Lynch Jr. wrote:
>> Neil Cherry wrote:
>>>
>>> You might want to look into setting up an SSH tunnel instead. It
>>> would require that you login but then you'd be able to get to any
>>> resources remotely. I've set this up under Linux (I'm pretty sure
>>> you can do this under Windows also).
>>>
>>     Or any other type of secure VPN. There are numerous options. They all
>> allow you to connect to your home network from the outside using a
>> secure tunnel and giving you full access to your internal network - not
>> just MH.
>>
>>     Getting a VPN working may be harder, but the payback is greater -
>> you can typically access ALL internal resources, AND it is a lot more
>> secure than leaving MisterHouse bare ass naked to the world.
>
> I agree, my WRT54G has iptables (Linux software I understand pretty
> well) and I can open it up for access from only certain IP ranges.
> Too bad my work location no longer permits ssh (a block on the
> protocol, not the port range). When it was working I could use SSH
> from work to browse any of my internal systems. I could use my
> DNS to resolve to my local addresses and not have to memorize
> IP addresses. It worked great. I'm not sure about other VPN
> solutions as the one my work computer uses locks me out. The
> SSH tunnel permits me to use my browser to access the ssh
> tunneled ports as if I were directly connected to my home
> network. A nice feature I needed but one that may not work
> well for others' use.

If you use Linux or Unix as a remote client, you can also use port knocking
to open and close connections. For all you Debian folks, 'apt-get install
knockd', then 'man knockd'.

Tim
--
Tim Sailer
Coastal Internet, Inc.
www.buoy.com
631-399-2910
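Tim's port-knocking suggestion, as an added example (not Tim's configuration and not shipped by knockd): a small sh script that generates a knockd.conf which opens the MisterHouse web port for the host that knocked and closes it again after a fixed time, plus a check that the knock sequence is sane. The section keys are the ones documented in knockd(1); the port 8080, the sequence, the timeouts, the interface name and the paths are made-up placeholders. It assumes the port is otherwise dropped by an existing firewall rule, since the start_command only inserts an ACCEPT.

```shell
#!/bin/sh
# Generate a knockd.conf that opens the MisterHouse web port for the knocking
# host only and closes it automatically.  Added example; port, sequence,
# timeouts and interface are placeholders.  Keys follow knockd(1): sequence,
# seq_timeout, tcpflags, start_command, cmd_timeout, stop_command; knockd
# substitutes the knocker's address for %IP%.

MH_PORT="${MH_PORT:-8080}"                   # assumed MisterHouse web port
KNOCK_SEQ="${KNOCK_SEQ:-7000,8000,9000}"     # choose your own and keep it private
OPEN_SECS="${OPEN_SECS:-600}"                # auto-close after ten minutes
WAN_IF="${WAN_IF:-eth1}"                     # assumed outside interface
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Refuse a sequence that is too short, contains junk, or reuses the protected
# port: a one-port "sequence" is just a second open port.
check_sequence() {   # check_sequence PORT[:proto],PORT[:proto],...
    n=0
    old_ifs=$IFS; IFS=,
    set -- $1
    IFS=$old_ifs
    for p in "$@"; do
        port=${p%%:*}                        # strip an optional :tcp / :udp suffix
        case "$port" in ''|*[!0-9]*) return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
        [ "$port" -ne "$MH_PORT" ] || return 1
        n=$((n + 1))
    done
    [ "$n" -ge 3 ]
}

# Print the configuration; redirect it to /etc/knockd.conf on the router.
render_knockd_conf() {
    check_sequence "$KNOCK_SEQ" || { echo "bad knock sequence: $KNOCK_SEQ" >&2; return 1; }
    cat <<EOF
[options]
    logfile   = /var/log/knockd.log
    interface = $WAN_IF

[openMH]
    sequence      = $KNOCK_SEQ
    seq_timeout   = 10
    tcpflags      = syn
    start_command = $IPTABLES -I INPUT -s %IP% -p tcp --dport $MH_PORT -j ACCEPT
    cmd_timeout   = $OPEN_SECS
    stop_command  = $IPTABLES -D INPUT -s %IP% -p tcp --dport $MH_PORT -j ACCEPT
EOF
}

case "${1:-}" in
    render) render_knockd_conf ;;
    *)      echo "usage: $0 render > /etc/knockd.conf" >&2 ;;
esac
```

Using start_command with cmd_timeout rather than a separate close sequence means the hole goes away on its own, which is the same reasoning as a time-limited allow-list entry. On the client side the `knock` program from the same package sends the sequence (`knock home.example.org 7000 8000 9000`, assumed hostname) and then the browser goes to the port as usual. Treat knocking as a way to keep the port out of scanners' results, not as authentication: the knocks themselves are plain packets that anyone on the path can see, so the real access control stays with the login on the service behind it.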




Re: Accessing MH from outside

Chock_05
Yeah, finding a suitable VPN is a hard task, but if you find the right service then the payback is greater. I need a Kodi VPN but would prefer using it with my other devices like my phone and laptop as well. So if you know a good VPN with the facility of simultaneous multi-logins, please let me know.