Remote access to my router

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
Ello all,

It's nearly time for me to go back to Manchester, meaning that the security obligations for the Ward family network will again be left to... no one.

This time around I'd like to do something clever. I can SSH to the machine (running Smoothwall Linux) from inside the network, and there's also a browser based configuration/patching interface for basic settings and config. I would like to have access to this from my system in Manchester.

In Manc I'm also behind an NAT (outside of my control, it's run by the service provider), but apart from that I have completely free reign of my system.

Router wise, I can do anything you like, so long as it wont hit routing performance when I'm not using, and that you draw me some pictures (;)).

I can set up SSH and a VPN from what's already on Smoothwall. I don't, however, know what my external IP is in Manc, so I need some way of having "open access" for a few hours while I travel, and then be able to lock it down as soon as get back to the machine I'll be using.

I've never used a VPN before, but this sounds like this is what I want, and will give me access as if I were a client on the network itself, therefore local SSH acess and the browser interface will be accessible as if I were sitting right here. Please correct me if that's horribly wrong.

So please, if you can offer guidence on how to set it up (so I can get to it first, then how to lock it down). I can also configure a Dynamic DNS type service for the external IP of the router, which I'm guessing will be needed for me to actually get to it over a longer period, since the machine and cable modem are restarted every night.

So in summary that's: Personal, secure remote access to the browser interface and SSH, possibly using the VPN and a Dynamic DNS name.

Challlengers, you have 3 days - time starts....... now! ;)

Thank you :)

Ben/Shovel
 

Gurnox

One of Freddy's beloved
Joined
Dec 28, 2003
Messages
527
If it's solely so you can have periodic access to the box at home, you might find it a load easier to set up dial-in access on your home box. Also has the benefit of being off of the internet entirely if your worried security wise.

However, this isn't very much of a 'project' and is going to be frustrating if you have access to a nice fat Janet pipe at Uni.

Take a look at:

http://linas.org/linux/iptunnel.html

For an iptunnel (VPN) howto. Mmmmmm, VPN.......
 

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
Dial in isn't an option - I have nothing to dial to (no phone jack near the computer).

I'll read up on the iptunnel VPN stuff, thanks.
 

Gurnox

One of Freddy's beloved
Joined
Dec 28, 2003
Messages
527
Shovel said:
Dial in isn't an option - I have nothing to dial to (no phone jack near the computer).

I'll read up on the iptunnel VPN stuff, thanks.

Reading back on your original post, I'm not sure that a VPN is going to be your best approach.

If all you want is SSH access (I wouldn't expose a browser based config tool to the net) you might be better off setting up dynamic dns on your home box and setting up an SSH shaped hole in your home firewall for your uni machine.

All you'll then need to know is the IP address of the NAT router(s) at your Uni.
 

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
So it would be a case of setting iptables to allow all external connections on SSH port, and then as soon as I have my actual external connection, ammending that to allow my external ip on the SSH port?
 

Gurnox

One of Freddy's beloved
Joined
Dec 28, 2003
Messages
527
Shovel said:
So it would be a case of setting iptables to allow all external connections on SSH port, and then as soon as I have my actual external connection, ammending that to allow my external ip on the SSH port?

Eeerk.. I couldn't ever recommend leaving SSH open to all external connections to be honest. If you went down this road, you'd have to be super sure that you changed the iptables rules to something secure at your earliest opportunity. And hope that someone hasn't got there first......

If you do decide that this is the way to go, make sure your firewall box is fully up to date patch wise.

Is there anyone in your house you can train to run a script from a floppy (or whatever) that will modify the iptables for you? Test it at home, modify it at Uni and then snail mail it home.
 

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
hmmmm.... I'll have to sleep on it I guess.

And no, training is probably not an option - bloody technophones ;)
 

Gurnox

One of Freddy's beloved
Joined
Dec 28, 2003
Messages
527
Shovel said:
hmmmm.... I'll have to sleep on it I guess.

And no, training is probably not an option - bloody technophones ;)

Curse them! Damn 'technophones' :)

Have fun back at Uni!
 

TdC

Trem's hunky sex love muffin
Joined
Dec 20, 2003
Messages
30,801
lock the thing down and leave it :)
 

Gurnox

One of Freddy's beloved
Joined
Dec 28, 2003
Messages
527
TdC said:
lock the thing down and leave it :)

Yep, that would be the simplest and safest thing to do. I somehow don't think that's going to happen though :)
 

Shovel

Can't get enough of FH
Joined
Dec 22, 2003
Messages
1,350
As appropriate as my custom title is, this is one occasion that I will probably adhere to the "leave it alone" advice. From advice here and on the Smoothwall forums it seems that there's quite a lot to it, and therefore attempting this is 3 days with more important exam revision as well is not a good idea.

Thanks for the advice though. :D
 

phlash

Fledgling Freddie
Joined
Dec 24, 2003
Messages
195
I currently have open SSH into my Smoothwall box and dynamic DNS to find it (no tunnels through it of course) - not noticed anybody trying to crack their way in yet (this is not a challenge BTW :touch: )... I was thinking of setting up a little monitor tool on my desktop that looks at the Smoothwall logs and tells me when someone tries to log in but fails...

Phil.
 

Gurnox

One of Freddy's beloved
Joined
Dec 28, 2003
Messages
527
phlash said:
I currently have open SSH into my Smoothwall box and dynamic DNS to find it (no tunnels through it of course) - not noticed anybody trying to crack their way in yet (this is not a challenge BTW :touch: )... I was thinking of setting up a little monitor tool on my desktop that looks at the Smoothwall logs and tells me when someone tries to log in but fails...

Phil.

Logwatch will do it for you. Or you could just grep through your logs with a script.
 

Users who are viewing this thread

Top Bottom