Koozali.org: home of the SME Server

Want to get to server-manager from outside router

Offline janet

Re: Want to get to server-manager from outside router
« Reply #15 on: March 15, 2013, 01:43:28 PM »
steve288

If you have port forwarded in your router (in conjunction with enabling server-manager access in the server-manager Remote Access panel), then you are using https, and theoretically anyone on the net can access it; it's just a matter of falsifying their source IP and hacking the password.
Edit - This statement is not correct as Charlie points out in a later post ie "because of the way TCP works, it's not possible to make a port-forwarded connection from the Internet through a router using a spoofed source IP address of 192.168.X.y. The TCP handshake will fail and there will be no connection. The risk you've identified just does not exist."

So you only have one level of security (password) to protect probably the most important "function" on your server.
Edit - and this statement only applies if a hacker is accessing via a site IP specified in the remote access panel.

Edit - This whole issue is why it is not recommended to allow access to server-manager from anywhere on the Internet, using the appropriate setting (which I will not repeat here).
Under those conditions it is just a matter of hacking the admin password.

Using the VPN method requires a VPN to be established first which makes you a part of the local network, so security is better, but recently we see issues where VPN connections are less than secure as the ISP can read your communications if they choose to. There may be a shift away from the use of VPN because of this security issue.

By tunnelling you use a secure ssh connection, as good as it gets in a practical world, so security is reasonably well assured. After establishing the tunnel using PuTTY, typically you then open a browser at https://localhost/server-manager

ssh using tunnelling or command line input is the most secure method.
Port forwarding is not really the connection method; it's just allowing the connection to be forwarded by your router to your SME server, where your router is acting as your local gateway. Note you are using https then, and all that is needed to gain access to your system is a correct password. So make sure you use really strong passwords for server-manager, and always specify the remote connection fixed IP (in the server-manager Remote Access panel).
« Last Edit: March 15, 2013, 09:48:45 PM by mary »
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

Offline CharlieBrady

Re: Want to get to server-manager from outside router
« Reply #16 on: March 15, 2013, 02:12:40 PM »
Quote
If you have port forwarded in your router (in conjunction with enabling server manager access in the server manager Remote Access panel), you are using https, then theoretically anyone on the net can access it, it's just a matter of falsifying their source IP & hacking the password.

Mary, because of the way TCP works, it's not possible to make a port-forwarded connection from the Internet through a router using a spoofed source IP address of 192.168.X.y. The TCP handshake will fail and there will be no connection. The risk you've identified just does not exist.

crazybob has correctly noted that particular remote IP addresses can be configured to be permitted access to the server-manager. Only IP addresses within that range can access the server-manager URL and attempt to log in ("hack the password").

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #17 on: March 15, 2013, 03:33:45 PM »
Like a junk yard dog I'm going to keep chomping on this bone.
Thanks for sharing regarding the various connection security issues, helpful.

And yes, thanks CB, I do only allow certain IPs to access the manager. So I believe I'm "reasonably" secure.

However I still need to ask the question: is the ssh method then just to create a secure tunnel between the two machines so people can't see the data that I'm passing back and forth (for lack of a better word)?
In other words, is the ssh method just for that reason, and not for any other?
I was thinking it was for some other reason, like it would set up a 443 connection through a port 22 connection, thus not requiring you to port forward port 443 in the router if you had only forwarded port 22.

Sorry if I'm not explaining it well enough. If I don't understand, it's hard to ask the question with some intelligence.
Regards.

PS I wish that there was a way to change the Admin name (I have done no research on this, I admit). On Windows I have disabled the ability on servers to have a remote connection via administrator and have created an admin account called, say, "Joefresh". That way when people try to break in from outside it creates another thing to slow them down. Not only do they need the password but they also need the right name. This would make it very hard to get both of these right.
« Last Edit: March 15, 2013, 03:36:29 PM by steve288 »

Offline CharlieBrady

Re: Want to get to server-manager from outside router
« Reply #18 on: March 15, 2013, 05:24:44 PM »
Quote
PS I wish that there was a way to change the Admin name (I have done no research on this I admit.) On windows I have disabled the ability on servers to have a remote connection via administrator and have created an admin acount called say "Joefresh" That way when people try to break in from outside it creates another thing to slow them down. Not only do they need the password but they also need the right name. This would make it very had to get both these right.

If you prefix your passwords with 'Joefresh' and continue to use 'admin' as username then you've introduced exactly as much additional difficulty in bruteforcing access to the account. So it's not necessary to change your admin username to get whichever level of difficulty you require. Just choose a suitably difficult to guess or bruteforce password, and protect that password suitably (don't share it, don't give it away if people ask, etc.).

Offline janet

Re: Want to get to server-manager from outside router
« Reply #19 on: March 15, 2013, 09:28:02 PM »
CharlieBrady

Quote
Mary, because of the way TCP works, it's not possible to make a port-forwarded connection from the Internet through a router using a spoofed source IP address of 192.168.X.y. The TCP handshake will fail and there will be no connection. The risk you've identified just does not exist.

Thank you Charlie for your correction & clarification.

Offline janet

Re: Want to get to server-manager from outside router
« Reply #20 on: March 15, 2013, 09:51:37 PM »
steve288

Google
what is a ssh tunnel

There are numerous answers which should be informative to you
eg http://en.wikipedia.org/wiki/Tunneling_protocol
and others
No need to rewrite the manual here

Offline steve288

Re: Want to get to server-manager from outside router
« Reply #21 on: March 17, 2013, 12:51:26 PM »
Well it was less what tunneling is but rather what the purpose of it is in this case.

Just not to leave this hanging for others I have tested this out.
What I have learned is that when you set up a tunnel using the ssh command line above or the PuTTY method that mmccarn suggested, you can then access your server-manager and webmail via the literal address of
https://localhost/server-manager or https://localhost/webmail. I'm not sure why you would want this but it's interesting and I have learned something.
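To answer the "what is the tunnel for in this case" question in code: the following is an added example, not SME Server code and not posted by anyone in this thread. It models, on loopback, what the local end of an OpenSSH forward of the form `ssh -N -L <lport>:localhost:443 admin@<your public IP>` does: a listener on 127.0.0.1 accepts the browser's connection and relays the bytes to the service on the server, which here is a constructed stand-in for httpd that simply reports the peer address it saw. Two things the thread circled around fall out of it: only the ssh port needs forwarding at the router, because the 443 traffic rides inside the ssh session, and the server sees the request arriving from its own loopback address, which is why https://localhost/server-manager works and why the Remote Access panel's IP allow-list does not constrain tunnelled requests; with the tunnel, access control rests on the ssh login itself. Port numbers are chosen by the OS at run time and the payload is constructed.

```python
# Added example (not SME Server code): a loopback model of the local end of
# `ssh -L <lport>:localhost:443 admin@<server>`. A listener on 127.0.0.1
# relays bytes to an "upstream" service that stands in for httpd on the
# server; the upstream answers with the peer address it observed.
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until EOF, then signal EOF to the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener() -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    s.listen(5)
    return s


def start_upstream() -> socket.socket:
    """Stand-in for the service bound on the server (httpd on :443).
    Reads the request to EOF and replies with the peer address it saw."""
    srv = _listener()

    def serve() -> None:
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            with conn:
                req = b""
                while True:
                    chunk = conn.recv(4096)
                    if not chunk:
                        break
                    req += chunk
                conn.sendall(b"peer=" + peer[0].encode() + b" request=" + req)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def start_forwarder(target_port: int) -> socket.socket:
    """The tunnel's local end: accept on 127.0.0.1:<lport>, relay to target."""
    lst = _listener()

    def accept_loop() -> None:
        while True:
            try:
                client, _ = lst.accept()
            except OSError:
                return
            remote = socket.create_connection(("127.0.0.1", target_port))
            threading.Thread(target=_pump, args=(client, remote), daemon=True).start()
            threading.Thread(target=_pump, args=(remote, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lst


def through_tunnel(payload: bytes) -> bytes:
    """Send payload to the forwarder's port and return the upstream's reply."""
    upstream = start_upstream()
    fwd = start_forwarder(upstream.getsockname()[1])
    try:
        with socket.create_connection(("127.0.0.1", fwd.getsockname()[1])) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)  # request fully sent; wait for the reply
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    break
                reply += chunk
        return reply
    finally:
        fwd.close()
        upstream.close()


if __name__ == "__main__":
    # Constructed request; the reply shows the service saw 127.0.0.1 as the peer.
    print(through_tunnel(b"GET /server-manager HTTP/1.0\r\n\r\n").decode())
```

The model leaves out what ssh adds on top of this plumbing: the listener-to-server leg is carried inside the authenticated, encrypted ssh session, so an observer on the path sees port 22 traffic only. The `peer=127.0.0.1` in the reply is the practical consequence to keep in mind: a tunnelled browser session is a local connection as far as server-manager is concerned, so the strength of the admin password and the ssh login (keys, and restricting which source IPs may reach ssh in the Remote Access panel) is what protects it.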

Offline stephdl

Re: Want to get to server-manager from outside router
« Reply #22 on: March 17, 2013, 10:27:23 PM »
you can then access your server-manager and webmail via the literal address of
https://localhost/server-manager or https://localhost/webmail. I'm not sure why you would want this but its interesting and I have learned something.

You don't need tunneling to see the webmail, you simply need to allow your webmail ;-)

I have setup a page on the wiki
http://wiki.contribs.org/Useful_Commands#SSH
 
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!