Hi Paul,

My first suggestion is to consider upgrading your hardware sometime in the 
future. :-)

Michael (below) has good suggestions, but some only apply when connecting to 
SSH on the AstLinux box itself.  If I'm understanding you correctly, you want 
to connect to an internal SSH server when AstLinux is the router/firewall.

Michael's suggestion to use a VPN does apply in that case, though, and that is 
the best choice: OpenVPN or IPsec.

Assuming a VPN is not desired for the remote clients, then you will need to use 
the firewall with a rule something like:
--
NAT EXT->LAN - Protocol: TCP - Source: 0/0 Port: 2222 - Dest: <internal IPv4> 
Port: 22
--
The "2222" is the port on the public interface, which you can choose, and is 
specified by the client SSH.

If you can restrict the allowed Source: address range, that will add security.

Placing your SSH server in the DMZ won't add any security on the surface, but 
should that SSH box ever get compromised, it would limit the damage somewhat 
since there are no default rules to allow DMZ -> LAN or DMZ -> Local packets.

Beyond the scope of the AstLinux configuration, you could harden the internal 
SSH server configuration by only allowing public-private keys and not passwords 
for example.  Google is your friend here.

Lonnie



Am 18.04.2013 um 14:24 schrieb Paul Jochum:

> Hi All:
> 
> For astlinux 1.0.6 (running on a Soekris 4801), what is the best
> (i.e. most secure) way to set up an SSH connection from the internet to
> a box on the internal IP (or a box on a DMZ interface, if that is
> better)?
> 
> thanks,
> 
> Paul


If possible I would always use a VPN (e.g. OpenVPN).
If this is not possible, you could use the firewall "dyndnshost-open" plugin to 
open the SSH port only for a specific (DNS) host, or create IP-dependent rules 
in the firewall.

Additionally you should use the firewall "adaptive-ban" plugin, to block a 
possible attacker after X failed tries.

Michael

http://www.mksolutions.info
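As an added illustration of the "block after X failed tries" idea Michael mentions (this is not the AstLinux adaptive-ban plugin's code, whose implementation the thread does not describe), here is a sliding-window ban decision run over a few constructed sshd log lines; the host name, addresses and the year 2013 are assumed:

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not from the thread). Syslog timestamps
# carry no year, so the year is supplied as an assumption when parsing.
SAMPLE_LOG = """\
Apr 18 14:24:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 18 14:24:03 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 18 14:24:06 gw sshd[2103]: Failed password for root from 203.0.113.5 port 51240 ssh2
Apr 18 14:24:09 gw sshd[2105]: Accepted publickey for paul from 198.51.100.7 port 40022 ssh2
Apr 18 14:24:11 gw sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 51250 ssh2
Apr 18 14:30:00 gw sshd[2109]: Failed password for paul from 198.51.100.7 port 40030 ssh2
Apr 18 15:40:00 gw sshd[2111]: Failed password for paul from 198.51.100.7 port 40040 ssh2
"""

# Matches the standard OpenSSH "Failed password" line, with or without
# the "invalid user" marker; single-digit days have two spaces in syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2013):
    """Yield (timestamp, source_ip) for every failed password attempt."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def adaptive_ban(log_text, max_tries=4, window_seconds=600):
    """Return {ip: ban_time} for sources reaching max_tries failures
    inside a sliding window of window_seconds; one ban per source."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if len(q) >= max_tries:
            banned[ip] = ts
    return banned
```

With the defaults, 203.0.113.5 is banned on its fourth failure within ten minutes, while the legitimate client's two failures an hour apart never reach the threshold.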


_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users