So the guides I had read suggested port 3390, but apparently this is blocked on Windows 7, so using port 3391 it works!
Just to convince our provider that I should be allowed SSH rather than using their VPN at £600.
Thanks for all the help!
Sorry, I should have been clearer; it was directed more at beany (as you have a working solution). When I set up OpenSSH on Server 2008, installing it wasn't enough; you need to configure it for your own domain etc. Hence me asking.
dhicks (27th June 2011)
So I've received a response to my request for port 22 opening:
With regards to your change request, I have read through your emails of late to the service desk and would like to advise.
I feel that Port 22 inbound will not be allowed by our security team (the change would have to be sent to them for review due to the nature of connections over port 22) We have had issues before due to the number of known exploits using SSH.
You have to remember that when making an inbound connection to your network you are opening up the server to the internet via a NAT’d IP address. This puts it at risk to all sorts of attacks and requires you to maintain and implement high security. As a result of this, a disclaimer accepting all responsibility for the network and its security has to be sent to the head teacher before we can allow it.
There are other solutions available for remote access to your network. I appreciate the price quoted for our VPN is high, but if you ask whoever has the Service Portfolio for 2011 which was provided to all schools you will get the accurate pricing for the VPN solution. (I believe it is £100 per token (user) per year) This is a secure and usable solution for RDP over the internet which can provide you full local network access whilst keeping the school network secure.
Other solutions have been implemented by other schools, such as TSGateway on Windows Server 2008. This also requires a NAT’d IP and puts the security on the school, however it is a known “out of the box” secure solution and is accepted as such.
Any thoughts/opinions on this? I know for a fact my school wouldn't consider the VPN at £600 setup and then £100 per year.
> I feel that Port 22 inbound will not be allowed by our security team (the change would have to be sent to them for review due to the nature of connections over port 22) We have had issues before due to the number of known exploits using SSH.

Can they tell you what the exploits are? Does SSH get hacked more often than their VPN solution - is their VPN solution actually more secure, or has it just not had anyone try to break it? Can you ask them for RDP-over-HTTPS access and then just use port 443 for SSH anyway?

> You have to remember that when making an inbound connection to your network you are opening up the server to the internet via a NAT’d IP address.

If you make your SSH server only accept connections with a certificate, then only people with a valid certificate should be able to log in, unless there's some way of getting around that. I'd also look at making sure the SSH server will only port-forward to your RDP server.

> I know for a fact my school wouldn't consider the VPN of £600 setup then £100 per year.

Hang on, is that £100 per user per year?
OpenSSH doesn't HAVE to listen on port 22. Indeed, mine doesn't. Just change it to a port that IS open and forwarded on your network. Incidentally, do you use FTP? FTP is far, far more vulnerable than SSH; ask them if you can have SFTP (which is SSH in a different coat) instead....
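Putting dhicks's two suggestions (key-only logins and forwarding restricted to the RDP server) and KK20's (listen on a port that is already open) into one sshd_config, as an added example that is not code from the thread or from any of its posters. The port 443, the RDP address 10.0.0.5, the account remoteadmin and the hostname school.example.org are assumptions, and the "certificate" in dhicks's post is realised here as an SSH key pair (PubkeyAuthentication). The check function only greps the file for the directives that matter; it is not a substitute for `sshd -t`.

```shell
#!/bin/sh
# Added example (not from the thread): an sshd_config fragment that accepts only
# public-key logins, listens on 443 instead of 22, and lets a session forward
# traffic only to the RDP server, plus a check that the directives are really
# in the file. Addresses, user and hostname below are assumptions.

RDP_SERVER="10.0.0.5"        # assumed internal address of the Windows RDP host
SSH_USER="remoteadmin"       # assumed: the one account allowed to log in
SSH_PORT="443"               # assumed: a port the provider has already opened

# Print the hardened directives. Append them to /etc/ssh/sshd_config (or a file
# under /etc/ssh/sshd_config.d/ on newer OpenSSH), then run `sshd -t`.
hardened_sshd_config() {
    cat <<EOF
Port ${SSH_PORT}
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowUsers ${SSH_USER}
MaxAuthTries 3
LoginGraceTime 20
# Keep the one tunnel we need; switch off everything else a session could abuse.
AllowTcpForwarding yes
PermitOpen ${RDP_SERVER}:3389
GatewayPorts no
AllowAgentForwarding no
X11Forwarding no
PermitTunnel no
EOF
}

# Return 0 only if every directive we rely on is present, uncommented and set
# the way we expect; a commented-out copy does not count.
check_sshd_config() {
    file="$1"
    for want in \
        "PasswordAuthentication no" \
        "PubkeyAuthentication yes" \
        "PermitRootLogin no" \
        "PermitOpen ${RDP_SERVER}:3389" \
        "AllowAgentForwarding no" \
        "X11Forwarding no"
    do
        grep -Eq "^[[:space:]]*${want}[[:space:]]*$" "$file" || return 1
    done
    return 0
}

# Client side at home: no shell (-N), just a local port carrying RDP to the
# one destination sshd will allow. The RDP client then connects to localhost:3389.
client_tunnel_command() {
    printf 'ssh -p %s -N -L 3389:%s:3389 %s@school.example.org\n' \
        "$SSH_PORT" "$RDP_SERVER" "$SSH_USER"
}
```

The home machine's public key goes into ~/.ssh/authorized_keys for remoteadmin on the server; with PasswordAuthentication off, a scanner hitting 443 gets nothing to guess at. On Windows, PuTTY's Connection > SSH > Tunnels page (source port 3389, destination 10.0.0.5:3389) is the equivalent of the -L flag. PermitOpen is what stops a compromised key being used to reach anything other than the RDP server.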
Thanks for the reply dhicks - glad I'm not the only one thinking the situation is ridiculous. I'm gonna forward on your questions and see what they say.
Also, for the firewall changes they requested a destination IP and source IP, so I supplied my home WAN IP. Surely that means that the only way to exploit SSH is from my home IP?
This setup was literally for me to access the server from home and do any tasks that I don't have time for or can't do at work. But yes, the £100 is per user!
@KK20 thanks. Don't know how to get around the port issue; the only ones open are standard ones like 80 and IMAP etc. To open a port they want to know all the details.
www.domain.com gets directed to your web server, but remote.domain.com could go to a web-based admin console (command prompt?) of some sort. You'd need access to add entries to your domain name's DNS settings, of course.
@dhicks - I'd need to be able to port forward though then, wouldn't I? I don't have access to the proxy, firewall, or even the switch that's connecting the school to the BT fibre connection. It's all just getting overly complex to say I just wanted to be able to catch up on some tasks at home!
Think I'll wait for the response from our provider to the questions you asked, dhicks, but for now I've given in!
Thanks for all the help everyone
If the issue is simply that your LEA don't think that a free solution is going to be as secure as a paid one, then all we have to do is charge a £500 setup fee to install an SSH server appliance and, say, £50 per user per year and wait for the money to roll in :-)
Variation on the dhicks theme:
If it's just one server you want to RDP to, then tell them you've put a TSG on the relevant IP address to get 443 opened/mapped. Pop stunnel on the server using port 443, and *importantly* configure it for mutual auth, i.e. so you need a client cert to connect the tunnel from home. Tunnel RDP over it.
Or perhaps tell 'em you want to do that and ask them to justify why it is less secure than TSG (which it probably is NOT unless TSG folk are also using mutual auth).
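The stunnel-with-mutual-auth variation above, written out as an added example that is not code from the thread or from the poster. It generates a private CA plus server and client certificates with openssl, prints the school-side config (listen on 443, require a client cert signed by that CA, hand the decrypted stream to RDP) and the home-side config; the hostnames, the ./certs directory and the assumption that stunnel runs on the RDP host itself are all mine.

```shell
#!/bin/sh
# Added example (not from the thread): stunnel on the school server listening on
# 443 with mutual TLS, forwarding to RDP, plus the matching home-side config.
# Hostnames, paths and the RDP address are assumptions.

RDP_SERVER="127.0.0.1"            # assumed: stunnel runs on the RDP host itself
SCHOOL_HOST="school.example.org"  # assumed: what the provider's NAT maps to the server
CERT_DIR="./certs"                # assumed: where the generated certs live

# One-off: a private CA, a server cert, and one client cert per person who may
# connect. The server accepts only certs signed by this CA, so a stolen password
# is useless and an Internet scanner never gets past the TLS handshake.
make_certs() {
    mkdir -p "$CERT_DIR" || return 1
    (
        cd "$CERT_DIR" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
            -keyout ca.key -out ca.crt -subj "/CN=School RDP CA"
        for name in server home-laptop; do
            openssl req -newkey rsa:2048 -nodes -keyout "$name.key" \
                -out "$name.csr" -subj "/CN=$name"
            openssl x509 -req -days 730 -in "$name.csr" -CA ca.crt -CAkey ca.key \
                -CAcreateserial -out "$name.crt"
        done
    )
}

# Server side (school). verify = 2 tells stunnel to demand a client certificate
# and to reject any that does not chain to CAfile; that is the mutual-auth part.
stunnel_server_conf() {
    cat <<EOF
[rdp]
accept  = 443
connect = ${RDP_SERVER}:3389
cert    = ${CERT_DIR}/server.crt
key     = ${CERT_DIR}/server.key
CAfile  = ${CERT_DIR}/ca.crt
verify  = 2
EOF
}

# Client side (home). The RDP client connects to 127.0.0.1:3389; stunnel wraps
# it in TLS, presents the home-laptop cert, and checks the server's cert against
# the same CA so the tunnel cannot be redirected to an impostor.
stunnel_client_conf() {
    cat <<EOF
client  = yes
[rdp]
accept  = 127.0.0.1:3389
connect = ${SCHOOL_HOST}:443
cert    = ${CERT_DIR}/home-laptop.crt
key     = ${CERT_DIR}/home-laptop.key
CAfile  = ${CERT_DIR}/ca.crt
verify  = 2
EOF
}

# Guard against the weak variant: a config that terminates TLS on 443 but never
# asks for a client certificate is exactly a TSG without mutual auth.
requires_client_cert() {
    printf '%s\n' "$1" | grep -Eq '^verify[[:space:]]*=[[:space:]]*2$'
}
```

Run make_certs once, copy home-laptop.crt, home-laptop.key and ca.crt to the home machine, and keep ca.key off the server entirely; a new user simply means one more signed client cert, and revoking access means removing that cert from the CA's trust (or reissuing the CA) rather than changing a shared password.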
Hi guys, I tried using PuTTY to connect to my SSH server at the weekend. Locally I get a connection in no problem, but if I put in the external IP address I get connection refused. I have changed the sshd_config file to allow 443, so from work I assume I enter the external IP address and port 443, not 22, to get the connection through to my router. Any help would be much appreciated; firstname.lastname@example.org if anyone could contact me for help. Thanks.