Koozali.org: home of the SME Server

SME Over secure?

djhomeless

SME Over secure?
« on: February 09, 2005, 12:29:14 PM »
Hi Everyone,
Let me preface this post by saying this is not a complaint, or even a rant. I'm still terribly new to the SME community (and Linux in general) and just wanted to get some dialog going.

First off, SME is great, and does what it says on the tin (i.e. easy to setup and configure). However, for certain uses I wonder if SME is too secure and protective for its own good.

For example, as a use case I can see the benefits of a totally locked down box that is sitting in the back room of a small business (hence the name SME!). In this case, the majority of users will be accessing the box from an internal LAN/WAN. The few external users would still be able to VPN in for various activities, or access Horde via the web.

But, I feel there is another segment that would see a great deal of interest in SME, i.e. the home user. The home user, imho, is decidedly different in that at least 50% or more of the time they will be accessing the box remotely, either from work or on the road. Accessing the box primarily offsite does become trickier depending on the local environment. Let me explain:

More and more, companies and public hotspots seem to be closing ports in an effort to control access (both inbound and outbound). I am a consultant who works onsite with various companies, and not a single one allows outbound VPN, SSH, or even IMAP and POP connections, unless a specific rule is introduced to the firewall. My own company bars this as well unless it is for 'business' purposes.

And while not scientific, in the hotspots and hotels I have tried over the last two months, only about 1/4 allowed any of the above.

This doesn't mean SME's approach is 'wrong'. But I think you could make a case that the user might be able to have a choice on how secure to make their machine, i.e. allowing access to the server manager, and possibly allowing more users than just root to access the command line in ssh.

Anyone have any thoughts on this? Again, I'm just curious what people think about this, I'm very very happy with the state of SME (just can't wait for 6.5 rc)!

regards,

Geoffrey

jcoleman

Re: SME Over secure?
« Reply #1 on: February 09, 2005, 03:23:02 PM »
Quote from: "djhomeless"
However, for certain uses I wonder if SME is too secure and protective for its own good.


This one is sort of amazing.  So far you are the first person I have ever seen question whether a secure server is a good idea. :-D  

You can EASILY make your box less secure.

If you want remote access to anything from anywhere just add 0.0.0.0 to your remote access panel in the server-manager.  I do NOT recommend that you do this!  But it will certainly make your box less secure and more easily reached (and attacked).

You can also grant shell access to any user.  There are contribs to do this and it can also be done from the command line.  I don't suppose I need to comment on what a bad idea this is in general.

[light hearted humor]
If you really want to make your box less secure there are methods to allow everyone in the world to use your box as a relay server as well.  What other ways would you like to make your box less secure?  I am sure there are quite a few methods out there.
[/light hearted humor]

-jeff

djhomeless

Re: SME Over secure?
« Reply #2 on: February 09, 2005, 04:27:11 PM »
Quote from: "jcoleman"

This one is sort of amazing.  So far you are the first person I have ever seen question whether a secure server is a good idea.


Oh come on Jeff, it's semantics. I'm just saying that there are cases where SME should be more open, not less secure. The fact that I can access the server panel via HTTPS doesn't naturally mean the box will become a zombie relay box.

I ran my own Cobalt Linux box with a barebones minimum of patches and zero command line experience for four years and I never had a problem with relays or the like. I'm not saying SME must be like this, but it certainly could in certain situations.

Glad you could find some humor in my observations. :-)

Geoffrey

jcoleman

Re: SME Over secure?
« Reply #3 on: February 09, 2005, 04:41:25 PM »
Hi Geoffrey,

Seriously, the fact that you have not been hacked in the past is no guarantee that it will not happen in the future.  But it is your risk analysis and your decision and I respect that.

Here are two ways you can give more access to yourself and your users.  Try a search on "user shell access" for more info.

Quote from: "jcoleman"
If you want remote access to anything from anywhere just add 0.0.0.0 to your remote access panel in the server-manager.

You can also grant shell access to any user.  There are contribs to do this and it can also be done from the command line.


You can easily setup secure email with the SME Server that will let your users send and receive from anywhere.

What else are you looking for?

-jeff

djhomeless

SME Over secure?
« Reply #4 on: February 09, 2005, 04:48:34 PM »
Hi Jeff,
I didn't mean for this post to be a howto, though I certainly appreciate the assistance!

I guess I was trying to see if I was the only one who saw SME possibly living in a home, or even in a hosted environment.

Since the death of Cobalt Linux (which was also RH), no one has really stepped forward and taken that mantle of being a very easy to use server appliance. Even though Cobalt has been dead for a few years now (more like 4 really), the community is still very very strong.

There is a reason for that. Would SME, right now, be able to fit in a hosted environment? Yes, but it may be too cumbersome to have to VPN when all you want to do is create a user.

Would SME fit in as a home solution for road warriors like me? Yes, but as you posted you need to basically hack some security features out of SME.

Am I making sense here? Maybe not. I think SME has a real opportunity to fit in ALL of those places.

Maybe I'm just mad. :)

Geoffrey

jcoleman

SME Over secure?
« Reply #5 on: February 09, 2005, 05:07:38 PM »
Quote from: "djhomeless"
Would SME fit in as a home solution for road warriors like me? Yes, but as you posted you need to basically hack some security features out of SME.


It does anyway without hacking it to death.

If you want remote access to the server-manager there are a number of ways to do it.  

- ssh to command line, su to admin and run lynx.

- VPN to server via PPTP

- Secure email is available.  

- Up/Downloads from anywhere is available via SCP or any number of add-ons (webshare, php scripts)

Again, what are you looking for that can't easily be done today?

Quote

Maybe I'm just mad. :)


Now I think we have the heart of it :-)

-jeff

djhomeless

SME Over secure?
« Reply #6 on: February 09, 2005, 05:37:11 PM »
Quote from: "jcoleman"

If you want remote access to the server-manager there are a number of ways to do it.  

- ssh to command line, su to admin and run lynx.

- VPN to server via PPTP

- Up/Downloads from anywhere is available via SCP or any number of add-ons (webshare, php scripts)


This is why I posted in the first place. In my original post, I talked about how I am seeing more and more large companies locking down ports to the extreme. My own company will only open SSH/SCP ports if there is a business case, and only on an IP by IP basis.

Hotspots, hotels, airports, etc. are also starting to close down everything outside of 80, 143, or 110. My local Starbucks hotspot powered by T-Mobile only allows 80!

Again, this is not so much of a 'I can't do this so tell me how' post, I am really trying to see if there are others in the community who do not fall into the Small to Medium business category, but possibly are geeky road warriors or ppl who host a number of websites for whatever reason yada yada.

This doesn't change the fact that I'm mad. ;)
Geoffrey

slords

SME Over secure?
« Reply #7 on: February 10, 2005, 12:00:31 AM »
Quote from: "djhomeless"
Hotspots, hotels, airports, etc. are also starting to close down everything outside of 80, 143, or 110. My local Starbucks hotspot powered by T-Mobile only allows 80!


If this is the case how do you propose unsecuring SME so that you can do what you want to?  Basically ALL you have available is http and you aren't going to be able to manage everything over that, are you?

-Shad
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs,
and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." -- Rich Cook

djhomeless

SME Over secure?
« Reply #8 on: February 10, 2005, 12:47:22 AM »
Quote from: "slords"

If this is the case how do you propose unsecuring SME so that you can do what you want to?  Basically ALL you have available is http and you aren't going to be able to manage everything over that, are you?

What part of my post do I propose anything? I had hoped this would gauge if anyone else had similar experiences as me, AND if anyone thought SME could be positioned in other areas.

Also, if you had bothered to read my post, I was offering that ONE place out of many blocked everything except for 80. Meaning that it is possible that VPN'ing into your box may not be so easy in the future.

I'm starting to regret this post.

Geoffrey

duncan

SME Over secure?
« Reply #9 on: February 10, 2005, 01:45:44 AM »
Quote from: "djhomeless"

I had hoped this would gauge if anyone else had similar experiences as me,


No

Quote from: "djhomeless"

AND if anyone thought SME could be positioned in other areas.
Geoffrey


It can be positioned wherever you like. It might however take a little work to get it to perform the way you want it.

How do you propose getting around your port issue if they are being closed up to you? That has nothing to do with the way SME functions - It does however have everything to do with how your Employee/Starbucks/Hotspot functions.

If you need ssh and it is blocked - make SME listen on another port and use that. Want to do a VPN - use openvpn or cipe - you have 65000 or so ports to choose from. Down to port 80 - MindTerm is your answer.

kruhm

SME Over secure?
« Reply #10 on: February 10, 2005, 05:07:25 AM »
::If you need ssh and it is blocked - make SME listen on another port and use that.

Agreed. If you want access to a particular part of the server, and it's that important to you, just host it on a different port. You just need one for every service you want access to. There can only be a handful of services you actually need. This way you get access and security (only you are going to know which service is hosted on which port).

Ports 80, 21 & 443 are usually open and (my personal favorite) port 5190 is usually open (for all those execs to keep in contact with each other).

thanxs,
dak

djhomeless

SME Over secure?
« Reply #11 on: February 10, 2005, 08:00:41 AM »
Quote from: "duncan"

How do you propose getting around your port issue if they are being closed up to you?

Where exactly do I state that I have a port issue?

This is sad. In the very first line of this thread I state that this is not a complaint, or even a rant, yet no one seems to bother to read anymore. I am happy with SME, and considering my box is stable as a rock I don't plan on changing that.

I was just trying to point out that there possibly are other uses that SME could be used for, that could require changes. I've also tried to point out that connectivity-wise, it may be difficult for new users to actually VPN from the outside world.

I don't really give a hoot if no one agrees with my comments, but please stop with this attitude that I'm trying to say SME is wrong, or that I have some issue here that could be fixed.

If I had an issue, I would post a question. This is a comment.

duncan

SME Over secure?
« Reply #12 on: February 10, 2005, 09:48:46 AM »
Okay - I'm lost.

This thread makes not a bit of sense.

djhomeless

SME Over secure?
« Reply #13 on: February 10, 2005, 09:11:16 PM »
I'm so confused too. I thought I made it blatantly obvious I wasn't creating a thread as a 'help me with problem' or 'I wish SME did it this way'. I was just trying to see if anyone agreed with my assessment that SME might be over-secure for certain uses.

Doesn't really matter that no one agrees, it's just odd that no one really read my post at all. :(

Oh well, life goes on.

Geoffrey

alexsmithmcp

Re: SME Over secure?
« Reply #14 on: February 11, 2005, 09:34:27 AM »
Quote from: "jcoleman"
Seriously, the fact that you have not been hacked in the past is no guarantee that it will not happen in the future.
Amen - this is so true, I have had friends that I have preached at 'cause they don't use antivirus and/or firewalls. That was till they got hacked and had their HDD contents wiped out.

I have been using SME since E-Smith 5 and I have never had any problems allowing the access needed just from the server-manager. But different people have different needs :)

You can never be too careful - not nowadays anyways.
(btw, my friend is just a home user, so it can and does happen to anyone)

just my 2 pence

Tib

SME Over secure?
« Reply #15 on: February 12, 2005, 12:28:08 AM »
Hello djhomeless,

I use SME as a server from home and access it regularly from work ... that's about the only place.

I guess it has been a bit of a struggle in the beginning to access my server from outside while I was really new to Linux ... but now I don't have as much trouble setting up things.

I myself think the security is a good thing. If you give people the option to make it easier to access from outside they might set it up wrong and cause themselves too much heartache and the rest of the community with their problems.

I don't mind searching through the forums for contribs etc. to make access easier ... but a secure way ... I have learnt a lot from everyone here and am very pleased with the way SME works. So much so that I even set up a server at work for e-mail/web/ftp/vpn etc.

Our company has been in the stone ages for so long before I started in this position ... so my boss was very pleased with the result when he used the secure webmail feature for the first time from China just last week and was amazed that he could communicate with people easily ... internally as well as send mail externally and be able to see all his current e-mails and sent mails.

I love the security ... give people the option and they WILL for sure set it up wrong. Just like I had the problem with people at my work getting adware problems with IE. You have the feature to lower the security ... well some people set it to the lowest setting and of course got hit with all sorts of problems.

I think a better way to tackle external access options and other topics is to have well documented help guides of the most common addon features in an easily accessible area where people don't have to do too much searching to find what they require.

I know you have the contribs area but you still have to search through all the people's folders to find something if you don't know what you're looking for.

Maybe the community can set up a section like the smeplus updates but for addons. You could add a good description of the addon and then link it to a section where there is a bit of a rundown of what it does and then links to a well documented install guide ... then links to the correct contribs or other websites etc.

Maybe even have the area set up so that experienced people can help fix or update the contribs as well like in the smeplus updates pages ... that seems to have gone quite well ... even I have helped in fixing a few links etc.

Just my 2 cents worth.

Tib