Koozali.org: home of the SME Server

Map shares through SSH (PuTTy - Plink)

groyk
« on: July 20, 2008, 12:38:35 AM »
Hi

I have made a little Windows client that can map network drives through SSH (PuTTy-Plink).

The client maps shares listed in the netlogin.bat.

If anyone would like to test it, and maybe give some feedback, I would be glad.

I think it is a great add-on for SME server, which can allow users without VPN to access shares on the server.



Program download
http://www.groyk.dk/SmeNetwork.zip

Remark the program is only version 0.1 Beta. (Please give me feedback for improvements)

Please read Install.txt in zipfile before running the program.

cactus
Re: Map shares through SSH (PuTTy - Plink)
« Reply #1 on: July 20, 2008, 03:25:55 PM »
> Remark the program is only version 0.1 Beta. (Please give me feedback for improvements)

Why are you writing such tools? AFAIK you do not need them, just configure VPN and you can map drives all you like. VPN can be enabled on any default SME Server, I am not sure if this is helping to keep SME Server secure and stable as it is designed to be.
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

groyk
Re: Map shares through SSH (PuTTy - Plink)
« Reply #2 on: July 20, 2008, 05:16:50 PM »
Hi Cactus

I do not know much about security, but I do know that when I am connected through VPN there are some web pages I can't see (even when I am not using my server as proxy).
At the same time my connection gets unstable.
At last I can't use MSN and other messenger apps.

About security, what is the problem with giving users bash access?

I am asking because I don't know :-)

cactus
Re: Map shares through SSH (PuTTy - Plink)
« Reply #3 on: July 20, 2008, 05:33:24 PM »
> About security, what is the problem with giving users bash access?
>
> I am asking because I don't know :-)

Giving users bash access from outside your network means exposing the SSHD port to the outside world. If you do not use a very strong password (or even better client-server certificates) there is a high likelihood that your server might be hacked eventually.

> At the same time my connection gets unstable.
> At last I can't use MSN and other messenger apps.

I think you are better off determining why you are having the described issues instead of working around them like this. You must keep in mind that when you set up a VPN, not all traffic is routed over that connection, only traffic that is explicitly routed there (because of the IP number or routing rules). Also, the IP ranges on both sides of the VPN connection should be different, and the assigned VPN IP number should be outside of your DHCP scope.

> I am asking because I don't know :-)

The benefit of VPN is that you authenticate a user first (using a variety of methods based on the configuration set by the system administrator), after which a network bridge is set up that makes it look to the user as if (s)he is inside the local network, as well as encrypting all data (s)he is transferring.

arne
Re: Map shares through SSH (PuTTy - Plink)
« Reply #4 on: July 23, 2008, 05:52:27 PM »
I have been running with password login for sshd over internet for something like ten years, and until now it has not been a problem.

If you use the standard port 22 this will work like a magnet and people will attack you from everywhere in the world all day. One quite OK way to study hackers at work is to open ssh at port 22 and then just monitor and see what they are doing and how they work. Most attacks are actually done in a rather primitive way. When brute force attacks are carried out, you can also study the quality and level of the work that is carried out for guessing passwords, and you can also calculate the risk that the situation should occur that your password is guessed.

If you just change your port number to something strange and unusual, then the number of attacks will normally be reduced by a factor of 1000 or something like that. Running with a strange and unusual port number there will regularly be hardly any attacks at all. One idea for improving the security of the SME server could be to remove the identification string from the sshd server. This would make the situation even more difficult for the attacker.

As I see it, security has to do with what actually happens from day to day, and over the years, and what you actually can read in the log. Also important will be your practical need for security, if you are a commercial company, a bank or a private user or whatever.

I think that from a practical point of view, for many practical situations, it is not a problem to use external access for the ssh daemon via internet, but that it is a good idea not to use port 22 and to configure the ssh server in such a way that it identifies itself as a ssh server. (Like the sshd of the SME server does.)

When it comes to the new Windows client, there is one thing I am curious about:

WinSCP also gives a graphical interface for transferring files. Will the new Windows client for practical purposes work much differently from WinSCP?

(I tried to download the new program for testing. It said that I did not have putty installed. I usually use putty and winscp as standalone executable files with no installation.)
« Last Edit: July 23, 2008, 05:55:11 PM by arne »
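
Added example, not part of the original post: the log reading described above, scripted. It counts failed password logins per source address in OpenSSH syslog lines and flags an accepted password login that follows repeated failures from the same address. The sample log, its addresses and user names, and the threshold of 3 are constructed for illustration.

```python
import re
from collections import defaultdict

# OpenSSH syslog lines for password logins, failed or accepted.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: documentation address ranges, made-up users.
SAMPLE_LOG = """\
Jul 23 03:12:01 sme sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2
Jul 23 03:12:03 sme sshd[2213]: Failed password for invalid user test from 203.0.113.7 port 41030 ssh2
Jul 23 03:12:05 sme sshd[2215]: Failed password for root from 203.0.113.7 port 41041 ssh2
Jul 23 03:12:09 sme sshd[2217]: Accepted password for root from 203.0.113.7 port 41050 ssh2
Jul 23 09:30:11 sme sshd[2301]: Failed password for alice from 198.51.100.20 port 50111 ssh2
Jul 23 09:30:19 sme sshd[2303]: Accepted password for alice from 198.51.100.20 port 50120 ssh2
""".splitlines()


def summarize(lines, threshold=3):
    """Per source IP: failure count, user names tried, and accounts whose
    password was accepted after at least `threshold` failures from that IP."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "guessed": []})
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue  # not a password login event
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"] >= threshold:
            # Success after repeated failures: treat as a likely guessed password.
            entry["guessed"].append(m["user"])
    return dict(stats)


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, entry["failures"], sorted(entry["users"]), entry["guessed"])
```

A single mistyped password followed by a success, as for the second address, stays below the threshold and is not flagged.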

Stefano
Re: Map shares through SSH (PuTTy - Plink)
« Reply #5 on: July 23, 2008, 06:01:45 PM »
> I do not know much about security, but I do know that when I am connected through VPN there are some web pages I can't see (even when I am not using my server as proxy).
> At the same time my connection gets unstable.
> At last I can't use MSN and other messenger apps.

this is a windows problem :-)

open your vpn properties page, go to "networking" tab -> choose "Internet protocol (Tcp/Ip)" and click on "properties" button -> click on "Advanced" one -> unflag "Use default gateway on remote network"

That's all

HTH
Ciao

Stefano

cactus
Re: Map shares through SSH (PuTTy - Plink)
« Reply #6 on: July 23, 2008, 11:13:25 PM »
> If you just change your port number to something strange and unusual, then the number of attacks will normally be reduced by a factor of 1000 or something like that. Running with a strange and unusual port number there will regularly be hardly any attacks at all. One idea for improving the security of the SME server could be to remove the identification string from the sshd server. This would make the situation even more difficult for the attacker.

Once again.... this does not lower the risk or make it more difficult for the hacker as the level of security is not raised, it might just lower the chance. Best protection for SSH is (still) public private keys, read more about this in the wiki: http://wiki.contribs.org/SSH Public-Private Keys.

I would like to ask you, once again, to refrain from posting posts like this in the forum as this gives users a false positive feeling on security. Your advice is more or less comparable with moving to a big city from a tiny village, you'll be less likely to be found, but you can still be found.
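
Added example, not part of the original post: a check for the distinction drawn above. It reads the global section of an sshd_config and reports whether password logins are still accepted, whatever port is configured. Both sample configurations and the port number 2222 are constructed; Match blocks and keyboard-interactive (PAM) logins are not evaluated.

```python
import re

# Constructed samples: a moved port with a commented-out setting, and keys only.
PORT_MOVED = """
Port 2222
#PasswordAuthentication no
"""
KEYS_ONLY = """
Port 22
PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
"""


def effective_settings(config_text):
    """Global-section settings as sshd applies them: keywords are
    case-insensitive, the first value per keyword wins, Port may repeat."""
    first, ports = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # a commented-out line leaves the default in force
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) < 2 or not parts[1]:
            continue
        key, value = parts[0].lower(), parts[1].split()[0]
        if key == "match":  # conditional overrides start here; out of scope
            break
        if key == "port":
            ports.append(int(value))
        else:
            first.setdefault(key, value)
    return {
        "ports": ports or [22],  # OpenSSH default port
        "password": first.get("passwordauthentication", "yes").lower() == "yes",
        "pubkey": first.get("pubkeyauthentication", "yes").lower() == "yes",
    }


def audit(config_text):
    """Findings about login methods; the port only changes the wording."""
    s, findings = effective_settings(config_text), []
    if s["password"]:
        findings.append("password logins accepted: guessable on any port")
        if 22 not in s["ports"]:
            findings.append("non-standard port lowers scan volume only")
    if not s["pubkey"]:
        findings.append("public-key logins disabled")
    return findings
```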

groyk
Re: Map shares through SSH (PuTTy - Plink)
« Reply #7 on: July 24, 2008, 07:49:34 AM »
Hi Cactus

I will be a little bit more careful when posting in the forum.

But remember: making restrictions may cause good ideas not to be posted.

(I was thinking generally, not this idea  :P)

groyk
Re: Map shares through SSH (PuTTy - Plink)
« Reply #8 on: July 24, 2008, 07:58:50 AM »
Hi Arne

The program searches the registry to check whether PuTTy is installed.

If you are running PuTTy without installing it, that is why it won't work for you.

I don't know if you are programming vb.net; if you are, I could send you the source code.

I am not the BIG programmer, so it would be nice to have feedback from others; maybe the possibility of a key file on the client could be included!



arne
Re: Map shares through SSH (PuTTy - Plink)
« Reply #9 on: July 27, 2008, 01:11:07 AM »
> Once again.... this does not lower the risk or make it more difficult for the hacker as the level of security is not raised, it might just lower the chance. Best protection for SSH is (still) public private keys, read more about this in the wiki: http://wiki.contribs.org/SSH Public-Private Keys.
>
> I would like to ask you, once again, to refrain from posting posts like this in the forum as this gives users a false positive feeling on security. Your advice is more or less comparable with moving to a big city from a tiny village, you'll be less likely to be found, but you can still be found.

Some months or a year ago I decided to try to do something to improve the security of my SME server. One thing that worried me a bit was that the log showed thousands of hacking attempts on a regular basis. Especially the web server log showed a lot of hacking attempts. With some of my old but still usable php applications, I did not like it too much.

To improve security a bit I decided to redesign things a little bit, so I rather changed over to running the SME server as a virtual installation on Centos 5.3 with also a virtual installation of Smoothwall, both installations run on the same box. The only publicly available server function is now sshd on a nonstandard port with standard password login. All other server functions are only available from approved IP addresses.

From some thousands on a regular basis, the number of attacks against the SME server has now been lowered to a total of zero attacks over a period of 6 months connected to the internet.

As I see it, hacking attempts are something that has to be built up over time. Before real hacking attempts there will always be some preactivity.

My personal opinion is that when you can look into your logs on a regular basis, and you can see that there are absolutely zero attempts to break in, and zero hacking attempts, you actually, as I see it, have improved security.

I think anyone working with or dealing with computer security should have the right to have their own opinion. In my opinion hacking will normally require some observable preactivity. As long as the number of attempts is zero over time and all preactivity is equal to zero, the security is in my opinion OK. Other persons should be free to think that reducing the number of attempts to zero over time and also reducing all preactivity to zero has nothing to do with security, but I think it has something to do with security.

It should be possible to respect each other's different points of view on such a case. As I see it, mathematical probability is a quite important factor in security work. When there are thousands of attempts there is a risk. As long as you can monitor and see that there are zero attempts over time, the statistical chance of being hacked has, as I see it, been reduced.

I feel that my installation is safe as long as monitored hacking preactivity is zero. Others might be free to say that I am not correct and that my installation is unsafe.

There are some printed publications on network security, for example Hacking Exposed. I think this book actually will prove me right (??!!) Actually it was the recommendations from this book I used for the security redesign.

groyk ->

No, I am not a programmer at all myself, and certainly not on the MS platform. I think it is very positive that someone tries to come up with some new ideas sometimes.
« Last Edit: July 27, 2008, 01:13:55 AM by arne »