How Do I Secure Remote Access To Remote Access Products
Mar 24, 2007
I have Windows servers that I'll be co-locating very soon. I have purchased a Dell 2161ds-2 and an APC remote boot power strip. Could someone please tell me the best way to secure remote access to these products? Do I put them on public IPs and allow them through the firewall, or do I put them behind the firewall and access them after I authenticate through the firewall?
I have an Ubuntu server and have installed AMP. The server is behind a router (2wire).
I have a static IP address which I use for the webserver. I have enabled the router firewall to allow all the typical webserver ports. When I am on the network (in the vicinity of the network) I am able to connect wirelessly to the server via ssh and also access the domains via my web browser.
But when I connect to the net via another router I am unable to gain ssh access or access the websites from a browser.
When I initiate a connection with putty all I get is a black screen, and when I connect to the website I get
Quote:
The operation timed out when attempting to contact www.globalexpatservices.com.
I have a Ubuntu Lamp server setup in my building which is used for development purposes.
So I also have phpmyadmin setup and am using a Mysql Query browser and Mysql Administrator desktop programs to administer the database on the server. However I am not able to connect to the server from my desktop. I am able to login to my phpmyadmin but not able to login via the Mysql Query Browser program.
Hoping someone can help. I have read about port forwarding and also read a post about editing the my.cnf file on the server and changing the Bind-Address= 127.0.0.1 to the actual hostname, but before I start editing the actual configuration files on the server I want to see if there is another way, as I am worried that if I change the my.cnf file the phpmyadmin may stop working.
if there's an OS where that is possible?...I'm probably in the wrong section at this point, but I was thinking about using Remote Desktop to accomplish this...something like a Virtual Private Network... but I don't have XP pro or any other system that could act like a server...
my goal is to allow staff working off site to easily access files through windows programs like ms word or ms excel to save, edit, etc -- files would be located on the web server or on a network computer on site (not necessarily a network server)
I would like to setup my server to allow remote access from home. It's on an office network which is separated from the WAN by a router. So long as I'm on this network, I can access the server from any computer connected to it. I enter the https URL of my server through IE and it brings me to the helm interface (the one that comes with Windows Server 2003). I can click on Maintenance and then on Remote Desktop, and it opens a new window with the server's desktop displayed.
If I'm somewhere other than the office network, I can't access it. IE gives me a "can't find webpage" message (or something along those lines). How do I setup my server to access it from outside the office network. I'd prefer to have a similar graphical interface as Remote Desktop.
I have successfully installed dns only to my vps. The problem is when I try to add it to the cluster system on my other vps it asks for a remote access key, so I visit both ip:2087/scripts/setrhash and ip:2086/scripts/setrhash and it shows an unable to connect error in firefox.
this is both using [url]
Does anyone know how I can access the remote access key?
I am currently accessing Servers through remote desktop (windows 2003). To be on the safe side, I like to allow only 1 IP to access through remote, even better would be through one specific domain or subdomain.
I have already changed the port number, but still like to have this additional feature.
I have subscribed an account in Powweb but since the Powweb does not allow MySQL remote access I need to find another hosting that allow MySQL remote access.
Which hosting with MySQL remote access do you know?
I've had a dedicated server or two for a while now. Recently I have been asked to see if we can host an accountancy program (Dimensions) offsite and have people access it remotely.
I am toying with the idea of getting a dedicated Windows server and running xenapp or the windows equiv (I work for a charity so budgets are tight).
Has anyone tried running Citrix xenapp or Metaframe on a dedicated server?
I have an outsourced project where someone from India is developing a program for me but we keep running into a problem that I can't find the solution to.
Every time we try to use our program to access one of our private squid/proxy servers we receive an error back.
Type: System.Net.WebException Message: Unable to connect to the remote server
Our VPS is a windows 2003 server and I'm pretty sure that one of the services is blocking the program or anything from accessing a remote server. By the way I disabled the firewall and I'm still having problems.
I have a VPS and about 140 accounts on it. I've also got cPanel and WHM installed. I'm moving to a new host, but the thought of having to move all these accounts manually really makes me lazy. I have to go into each account and go to backup -> backup to remote FTP, and yeah..
Is there any way I can mass backup all of my accounts, or all accounts I select, to a specified FTP server?
I only have root access on my VPS, but not on the server I'm moving all the backups to..
I seem to have an error with backing up to my personal FTP repository. I have only just noticed the issue, but I believe it originated when I upgraded Plesk Panel 11 to Plesk Panel 12. I am currently running version 12.0.18 on Cent OS 6.5.
Note: whether I check the "Use passive mode" option makes no difference to my problem. Below is what I get from the panel.log under /usr/local/psa/admin/logs
I've just ordered my new Windows 2003 server with 49Pence.com and will be taking "delivery" of it once they have commissioned it.
Anyway, I would appreciate some advice on how to secure it. I have been used to the luxury of a hardware firewall, but budgetary constraints mean I will have to rely upon a software firewall (something that scares me a little). It will be running our company websites, MSSQL and MDaemon mailserver.
I am not sure exactly how the server will be delivered, but I assume it will arrive fully patched with Remote Desktop access, and Windows Firewall installed.
First question: Is Windows Firewall sufficient? I am more used to configuring firewalls with Ports/Protocols/IPs rather than "applications". I also understand that Windows Firewall cannot restrict access to specific IPs.
I read that IPSec / TCP Filtering should also be used. I've looked at various links and have an idea how to do this, but I do not want to make a mistake and get "locked out". I saw a post saying that during testing they set up a scheduled job to reset the IPSec policies every x minutes so that they can log back in if they do make a mistake. How would this be done (in terms of IPSec) .. or is this a matter of stopping a service?
If I go with another software firewall, is there an easy way to install remotely without getting locked out of the Remote Desktop? KVM over IP is charged by the hour.
Is it "safe" to leave Port 3389 open and rely upon passwords (and potentially IPSEC IP policies), or should I administer by VPN?
If so, it seems that in order to create a VPN connection on the server, it requires that the Windows Firewall is shut down (at least on my test server here). Obviously this is something I don't want to do!
I'm thinking about creating a limited platform for my employees to access my hosting servers
I wish they can create certain types of directories for users, set permissions on some directories, list users accounts, etc.
but although I don't think they would want to abuse this kind of access, I not only like the Trust-No-One premise, but I also find it not very unlikely that the computer they're using gets compromised or something like that
so I'd like to get technical ideas on how to develop this system and to know if anyone is interested and would like to contribute to the code
what I've considered so far is that I should either create a special user for that which would be on all users group, or should give it "root" access... the latter seems more reasonable for me considering the implementation and compatibility between systems and control panels
but with "root" access I mean "running MY INTERFACE to the employee as root"... this interface would have limited options like "create directory for user X", "list content of user X", etc. (taking a lot of care on input validation)... and would enforce some limits to prevent abuse (for example, can't list the content of more than 10 users per hour, or something like that... and alert me)
my main doubt is how you think that should be implemented? as a special server or as a webservice? with webservice I have the advantage of being capable of using SSL in a simple way and I don't need a special client (since any browser is a client) then that could be PHP or Perl... but running as UID 0 (I don't even know if apache allows that, or if there's a workaround like SUID)
I have recently picked up a CentOS5 server running on an OpenVZ box. Going thru various guides, I have seen repeatedly the importance of securing the /tmp partition. However, I am running into trouble when I try to follow the usual commands [1][2]
For example:
# mount -o nosuid,noexec /media/tmpFS /tmp
mount: /media/tmpFS is not a block device (maybe try `-o loop'?)
If I check for the presence of loop, it is missing:
# ls -ltr /dev/loop*
ls: /dev/loop*: No such file or directory
If I try and create loop using /sbin/makedev loop and re-execute the mount command, I get a new error
mount: no permission to look at loop
The nearest I have found so far is this thread [3], which suggests using
mount -t tmpfs tmpfs /tmp
I believe the above will not persist across a reboot, so that defeats the purpose.
Can you advise on how to mount /tmp in noexec,nosuid mode within the VPS environment?
I found a great little app called ID Shutdown Manager which basically lets you do stuff like wake on LAN, Shutdown, Log Off etc.
The App also has a cgi script which you can call from a web server so you get a web interface to the program.
This is exactly my reason for getting the app as I just wanted to host a web page where I could login from the internet and wake on lan my media PC.
Ok so...
The app gives you all the iis or apache setup instructions and tells you to place the cgi script which is actually a .exe into the scripts folder and then enable basic authentication for it.
Done.
So if I navigate to <SERVER>/scripts/sdmancgi.exe it's supposed to give me a user / pass prompt and then when login successful I see the app and can wake on lan etc.
ok I have got this to work
on the actual machine where server is running I can access it in IE7 by localhost etc.. and it works
However when I try to access from another PC in my lan by typing <SERVER>/scripts/sdmancgi.exe I get a nice little message saying the content cannot be displayed you may require to install a program or something to display it.
If I try to access the page from firefox on same remote PC, it works!
I can also access page from outside my LAN, it works on my N95 browser.
Also I have had friends try it from firefox from the Internet and they say it works as well.
Forgot to mention I am running on port 8081 as I already have other servers running on 8080 and 80 (one is my router and the other server installed itself from setup.exe and I don't know what server it's using)
I have also tried latest apache server as well as some other free one. Both have the same effect. Ok in firefox, not in IE.
One would think it's a problem with the cgi file not compatible with IE7; however, I even tried to go to default page setup in IIS <SERVER>:8081 and I get the same message. So at this point the server hasn't even tried to access CGI or prompt for Basic Authentication.
I tried googling and not much luck. I read something about CSS and when I view source of failed web page from IE7 it mentions something about CSS so don't know if this is it?