a little security

Nathan England plug-discuss@lists.PLUG.phoenix.az.us
07 Sep 2001 10:22:16 -0700


On 07 Sep 2001 10:15:58 -0700, Rusty Carruth wrote:
> > 
> > Okay, I know half of you will probably shoot me for this, but I'm doing
> > it anyway...
> 
> I'll let Frenchie take that job ;-)
> 
> > I need access to a volume on a server across the internet.  
> > Right now I am running samba and I am connecting by running three
> > ssh tunnels to ports 137, 138, and 139 from my computer at work to the
> > server. From there I mount the volumes.
> 
> Um, which do you mean:
> 
> <you>--<your_computer><ssh_tunnelling_137,138,139>---<internet>---<ssh_server><fileserver>
> 
> or
> 
> <you>--<your_computer>---<internet>---<fileserver><ssh_tunnelling_137,138,139>---<fileserver2>
> 
> 
I'm doing it this way:
ssh the-arcanum.org -L 137:the-arcanum.org:137
and again for the other ports...

Oh, it's also -C and -f, using sleep...

> the latter is really bad, for extremely large values of bad.
> 
> the former is only bad if you allow people into your machine, OR if you allow the
> port forwards to be used from outside your machine.
> 
> 
> > There has to be a more secure way than this. Especially more secure than
> > samba..  I have a good password, but still any sniffer would get it in a
> 
> Oh, I don't know. nfs is probably worse ;-)
> 
> > few seconds.  Except for the ssh tunnels, there really isn't any
> > security.  
> > 
> > Are there any safer ways any one knows of that I could do this?
> > I'm not so worried about my security where someone sniffs me and gets my
> > password, but others seeing the wide open ports and going after it..
> > It's pretty stupid.
> > 
> > I was thinking about setting ipchains to only accept the connection from
> > a specific ip, but is there a better way than this?  Any input helpful.
> > Thanks guys.
> 
> Well, first, I'd be sure I'm doing the first option I mention above.
> Then, make ssh only accept you from your machine.  I'm sure others
> can come up with more paranoid suggestions also.
Problem with that is, about 20 people use my database... so they all
need to get at it. Luckily we're all behind a firewall, so it's only one
IP going at my box. So I can be generic there.

The only thing to worry about is the people at work that might do it, but the
only ones who know about it would be those who use it, and those who are
secretly watching us! lol


> 
> > nathan
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> > 
> > PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
-- 
 "Ah, lives there a man with soul so dead, who never to himself hath
said, 
as he hunched and rolled in his comfortable bed:
To hell with rent...I'll drink instead!"
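Editor's note, added to the thread (this is not code from either poster): Rusty's warning about the "former" layout only holds while the local ends of the forwards are reachable from nobody but the machine itself. The script below shows the tunnel from Nathan's command with the listening side pinned to 127.0.0.1, and a check that parses listener output in the style of `ss -ltn`/`netstat -ltn` and flags any forwarded port that landed on a wildcard address. The host name is the one from the thread; the user name, the address examples and the listener lines are constructed for the example. Two caveats the thread does not mention: `ssh -L` carries TCP only, so the 137 and 138 forwards do nothing (NetBIOS name service and datagram service are UDP); 139/tcp is the SMB session port and is the one that matters when the client is pointed at 127.0.0.1. Binding a local port below 1024 also requires root.

```shell
#!/bin/sh
# Added example for the thread above, not the posters' own code.
# Local-only ssh forward for SMB over TCP, plus an exposure check for the
# listening side.  HOST is from the thread; SSH_USER is an assumption.

HOST="the-arcanum.org"      # named in the thread
SSH_USER="nathan"           # assumed; the thread does not give a user name

# Print the ssh command for one TCP port.  Naming 127.0.0.1 as the bind
# address keeps the forward reachable only from this machine, even if a
# client config somewhere turns on GatewayPorts.  -N: no remote command,
# which replaces the "-f ... sleep" trick in the thread.
build_tunnel_cmd() {
    port="$1"
    printf 'ssh -C -f -N -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$port" "$HOST" "$port" "$SSH_USER" "$HOST"
}

# Listener lines in the "ss -ltn" / "netstat -ltn" layout (Local Address:Port
# is the fourth column).  Constructed sample data, not captured output.
SAMPLE_LISTENERS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:139       0.0.0.0:*
LISTEN 0      128    0.0.0.0:445         0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

# check_forward_exposure LISTENER_TEXT PORT...
# Reports each PORT whose local address is a wildcard (0.0.0.0, *, [::], ::),
# i.e. a forward that other hosts could use.  Returns 0 when every port given
# is loopback-only, 1 otherwise.
check_forward_exposure() {
    listeners="$1"; shift
    exposed=0
    for port in "$@"; do
        if printf '%s\n' "$listeners" | \
           grep -Eq "(^|[[:space:]])(0\.0\.0\.0|\*|\[::\]|::):$port([[:space:]]|$)"; then
            echo "port $port is bound to a wildcard address: reachable from other hosts"
            exposed=1
        fi
    done
    return $exposed
}

# Demo on the constructed sample: 139 is loopback-only, 445 is not.
build_tunnel_cmd 139
if check_forward_exposure "$SAMPLE_LISTENERS" 139 445; then
    echo "all checked forwards are loopback-only"
fi
```

To run the check against a live box, replace the sample with `"$(ss -ltn)"` (or `"$(netstat -ltn)"` on a 2001-era system). The server side of Rusty's suggestion is a matter of sshd_config rather than of the tunnel: `AllowUsers nathan@203.0.113.5` (a hypothetical user and address) limits logins to the one firewall address Nathan describes, and `GatewayPorts no`, the default, stops the remote end from opening its forwards to the outside.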