Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.sys.raspberry-pi > #9231
| From | David <wibble@btintenet.com> |
|---|---|
| Newsgroups | comp.sys.raspberry-pi |
| Subject | Re: Changing network ports from closed to stealthed |
| Date | 2015-07-31 10:51 +0000 |
| Message-ID | <d2128mFj3hiU8@mid.individual.net> (permalink) |
| References | <d1vc4jFj3hiU7@mid.individual.net> <mpfchg$s6g$1@dont-email.me> |
On Fri, 31 Jul 2015 09:46:02 +0100, druck wrote: > On 30/07/2015 20:27, David wrote: >> When I DMZ to my Pi (running a VPN server as a test) I can see all the >> ports as "closed" apart from the VPN port. As I understand it the Pi is >> sending a negative response to a request to open the port. This tells >> the far end that there is a device there managing the ports, which is >> an invitation to try again and expand the range of ports probed. >> >> I would like to tell the Pi to ignore all connection requests and >> stealth the ports. > > I wouldn't use the DMZ feature, as this exposes all the services you > have running on the Pi to the internet, and you need to be absolutely > sure you've configured tem all securely. Instead set the router up to > forward just ssh to the Pi, and set up your ssh client to tunnel all the > ports your are interested in via the Pi. > > Make sure you configure ssh securely on the Pi, so only authorised > non-root users can get on, there is plenty of information on the > internet about how to do this. I have mine set up to only allow a > special restricted gateway user to be logged on to using a 2048bit RSA > key and not a password. If forwarding ports this is all that is > required, if you want to get to a user account, you do an su from there. > > If you forward the ssh port 22 on the router to port 22 on the Pi, you > instantly see attempts to gain access in the /var/log/auth.log If > instead you pick some random high number above 1000 on the router and > forward that to port 22 on the Pi, you'll see far less attempts. Make > sure you use this new port number with any ssh clients. > > ---druck Just to note that I am using PPTP and not ssh. I may at some point move to OpenVPN (or a variant of same) but for initial minor use PPTP seems to work O.K. I know it can be brute forced, but threat assessment suggests that allocating 24 hours of serious CPU time to break every PPTP instance visible world wide may be too expensive for the projected return. I may well (as suggested) remove the DMZ configuration and just forward one port instead. Firewall rules could also restrict the IP address ranges which would be allowed to connect. My TUIT is far from round ATM, unfortunately. Oh, and if the configuration is set to forward all incoming VPN connections back out to the Internet, presumably there is no simple way for someone connected via the VPN to access the internal LAN? Thanks to all. Dave R -- Windows 8.1 on PCSpecialist box
Back to comp.sys.raspberry-pi | Previous | Next — Previous in thread | Find similar | Unroll thread
Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-30 19:27 +0000
Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-07-30 20:53 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:52 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-08-02 16:20 +0000
Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-08-02 18:42 +0000
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-08-02 19:23 +0000
Re: Changing network ports from closed to stealthed mm0fmf <none@mailinator.com> - 2015-08-02 20:26 +0100
Re: Changing network ports from closed to stealthed Martin Gregorie <martin@address-in-sig.invalid> - 2015-08-02 20:08 +0000
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-08-03 08:34 +0100
Re: Changing network ports from closed to stealthed Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2015-08-02 19:45 -0400
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-30 21:13 +0000
Re: Changing network ports from closed to stealthed Michael J. Mahon <mjmahon@aol.com> - 2015-07-30 17:12 -0500
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-30 22:22 +0000
Re: Changing network ports from closed to stealthed Michael J. Mahon <mjmahon@aol.com> - 2015-07-30 19:15 -0500
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 10:19 +0100
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-31 09:33 +0000
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 11:23 +0100
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:57 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 11:07 +0000
Re: Changing network ports from closed to stealthed Rob <nomail@example.com> - 2015-07-31 11:15 +0000
Re: Changing network ports from closed to stealthed Roger Bell_West <roger+csrp201507@nospam.firedrake.org> - 2015-07-31 11:22 +0000
Re: Changing network ports from closed to stealthed Graham. <me@privicy.net> - 2015-08-01 17:03 +0100
Re: Changing network ports from closed to stealthed druck <news@druck.org.uk> - 2015-08-01 23:30 +0100
Re: Changing network ports from closed to stealthed druck <news@druck.org.uk> - 2015-07-31 09:46 +0100
Re: Changing network ports from closed to stealthed The Natural Philosopher <tnp@invalid.invalid> - 2015-07-31 10:13 +0100
Re: Changing network ports from closed to stealthed I R A Darth Aggie <n0b0dy@invalid.invalid> - 2015-08-02 16:24 +0000
Re: Changing network ports from closed to stealthed David <wibble@btintenet.com> - 2015-07-31 10:51 +0000
csiph-web