I will be physically sending a Linux netbook to a remote site where it will be connected to the internet. I have no idea of the public IP address.
I need to be able to securely log in to the system. What's the best way to do this? I guess it needs to broadcast an id somehow (dyndns? free options?). It all needs to be preconfigured before I send it.
I'm more than happy to research on my own, but I'd be grateful in someone could point me in the right direction.
Regards,
Update- I only need console access, and it's ubuntu
Because the system may be behind an NAT or firewall, there is no way you can guarantee any connectivity. Even if you did know its public IP address, it is unlikely that you would be able to initiate a connection to the box from the outside.
So the next best thing is to have the box itself initiate a connection to one or more known servers. An outgoing connection stands a much better chance of traversing any firewalls and is essential to traversing NAT.
To make this work, you will need a server with some process listening for connections on a fixed address and port and ready to forward your ssh sessions to any such connection. The box itself will need to periodically attempt an outgoing connection to that server, perhaps hourly.
The simplest would be to have an /etc/rc.init script (or whatever is the equivalent on your particular linux distribution) which periodically tries to establish an ssh tunnel. It might look something like:
ssh -i remotekey.pem -R 33333:localhost:22 user#my.server.com
This assumes you've setup "user" for key based login using "remotekey.pem" on your server.
Then from your server you would log into the remote box using
ssh -p 33333 boxuser#localhost
This assumes "boxuser" is a valid user on your remote box.
Related
I want to create a Minetest server on my Raspberry Pi 3 in my own network.
I know some discussions have been made (like Any risks in installing my own http server?), but I want to create a Minetest server.
I would like to know
• If it's dangerous to create a server in my own network
• If I can make a protection if it's dangerous.
Thanks
PS : Sorry for the mistakes, I'm French!
I'm going to assume here that you're intending to serve this internally. You certainly wouldn't want to put an external game server on a network that was also shared by your household. The Raspberry PI is assumed to be internal itself without a public IP or any way to be addressed beyond the local network.
Realistically speaking, you can probably assume an internal network is safe enough for inconsequential internal services, if physical and wireless access is adequately controlled. Looks like minetest is a game server, so unless you combine its server with other far more sensitive tasks, it's not like there's any dire consequence to unauthorized access.
But that perspective does seem a little naive, doesn't it? If access were to occur, the raspberry pi could probably be compromised, and from there, the IoT devices in the home, other private services, etc are at risk too. So, perhaps you're just a little too paranoid / experienced / virtuous to leave it at that.
If so, we can probably assume that the connection itself doesn't support much in the way of encryption, but it's likely we can successfully tunnel the connection in any number of ways to add an encryption layer "between" client and server.
The simplest of these is probably ssh. You're already using it to manage your raspberry pi, probably, and if you're not, you might want to (I for one need copy/paste between web and terminal, and I don't want to run gui on pi!). SSH offers a much higher standard of security than most protocols.
Conceptually, you execute an ssh client locally on the game client configured to open a local port on the game client, and forwards packet recieved on that port to a remote port on the ssh server. The remote port need not be accessible on the network directly, only ssh ( the game server would listen on localhost). The ssh tunnel uses strong encryption methods to pass the traffic over the untrusted network ( yours, or perhaps any network for some traffic ).
The process when implemented, would look something like this:
actiate ssh server on pi if not yet done,
obtain ssh client for game client machine. ( Putty for old windows, built in for linux or osx etc, new windows might have better support).
generate ssh keypair on client (each client should do these steps. private keys are ideally never transferred. )
add public key to ssh user on pi and verify that you can login without password
Use SSH tunnel in oyur client to create a local port that tunnels to the remote game server port. https://www.skyverge.com/blog/how-to-set-up-an-ssh-tunnel-with-putty/ looks like a good putty tutorial, https://www.revsys.com/writings/quicktips/ssh-tunnel.html looks decent for unixy environs.
I prefer to take the safe and lazy route, assuming no network is necessarily secure, and weighing the convenience of accessibility against the securiry concerns. Using an ssh tunnel is, once you get used to it, a simple and straightforward way to access services across any untrusted network, by it your own, a public wifi, or the internet at large.
I am testing my application against three ConQuest DICOM servers running:
one on localhost, another one on a different computer in the local network, and still another one on a remote machine in the VPN network. The requesting application is present in both local and the VPN networks.
When I am trying to retrieve an image (via C-MOVE) from each of those three instances of ConQuest, both local servers duly respond the request and send me the image. The remote server on VPN, however, responds
"Host 'XXX' did not accept the connection"
and, after a timeout, closes.
I was unable to understand the reason, or, the difference - the corresponding settings in the configuration files on all three machines seem to be identical and correct.
I can successfully verify the VPN ConQuest server. I can also send images to it. But the C-MOVE retrieve does not work.
This is certainly not a firewall problem (I switched out firewall on all computers, and it did not help).
Can the problem have to do with the form of the host name? Do I need to indicate which network I mean, apart from the IP address?
Thanks A_J and everybody involved. After a while, we gathered enough experience with ConQuest and also with a couple of other PACS in real hospitals. There are principally three things to check:
The network parameters (AET, IP, port) of the PACS must be correctly registered with your application (all three you shall learn from the network admin);
The PACS must know the same three parameters of your system in its configuration (its physical implementation depending on the system). The port is the number of port on which your C-MOVE listener runs, the IP you can find with ipconfig (ifconfig), and the AET is that you chose. These data you shall tell the network administrator, so that (s)he registers them with the PACS;
Configure a firewall inbound rule on the machine where your application runs to allow connection on the port number of your C-MOVE listener.
To our experience, this is all what one needs for all practical purposes.
Hi all and thanks in advance for your help.
I have a situation where I have a need to test an unstable Internet connection on one internal network and send out an email alert on any issues (obviously requiring an Internet connection) through another network - .
I have hardware with dual nic and plan on writing something simple in vb.
Is there a way I can disable ping on my 'good' connection forcing it through the test network yet allowing smtp?
I've looked into routing and done some basic testing but it seems the ping automatically reroutes through the good network shortly after the bad network fails?
Any advice warmly received.
You should not even think about blocking ICMP. This is a good way to cause many, many problems. Instead, you should explicitly specify which interface to use for the ping requests.
If you're using a command-line ping, you usually do this by specifying the source IP to use for sending the packets. For example, on OS X, you can run the command
ping -c 5 -S 10.0.1.13 8.8.8.8
to ping Google's public DNS server (8.8.8.8) using the interface whose IP address is 10.0.1.13. If the interface with that IP is down, the ping will fail.
The specific flag varies from implementation to implementation.
If you're writing your own ping code, IIRC, you just need to bind the socket to that source address with the bind() system call.
I need to find the port number of a server, I have the host name and the IP address.
Is this possible?
I need this as when I try to connect to this server through putty its throwing a Network error:Connection refused error, which may be because of the wrong port number
So you are looking for the port number the ssh server on that system listens on. Usually that is port 22 (well known ssh port), but you are right, this can be changed in the ssh server configuration. If so there are two possibilities yo have:
ask the administrator of the ssh server for the port number
make a network scan of the server which shows up all open ports. Note however that this can be regarded as offensive behavior and may be blocked in mid way.
But most likely you are facing another problem: some firewall blocking your requests or the ssh server not listening to request from outside at all.
And a side note: a server is a service, often listening on a port, you can interact with it typically by "speaking" a specific protocol. A system might refer to a computer running software, typically reachable via network these days. Many servers can be operated on a system. A system can be identified by its ip address. Many people confuse this and speak of a "server" when referring to such a "system" which is simply wrong and creates confusion from a technical point of view.
I found a tutorial that shows you how to create server and client programs, and make them communicate over a network.
http://www.win32developer.com/tutorial/winsock/winsock_tutorial_1.shtm
I can make a client program connect to, for example, 192.168.0.4 on my local network, and I can make it connect to 74.125.225.96. But what if I wanted to make it communicate with 192.168.0.4 on the network of 74.125.225.96, instead of just the default server on 74.125.225.96? I'm having a difficult time finding the answer with Google.
Is there even a way to do this? If not, then how are Gnutella and Bittorrent, able to connect computers directly together to share files?
To do what you are asking, 74.125.225.96 would have to be assigned to a router that is configured to forward inbound connections on the target server port to the machine that is running 192.168.0.4.
BitTorrent and other file sharing apps use various techniques, like NAT traversal, hole punching, etc to get connections through routers and firewalls. For example, if one party is behind a router/firewall and the other party is not, then the two apps first try to connect to each other in one direction, and if that fails then they reverse roles - client becomes server and server becomes client - and they try again. If that still fails, they could then connect to a middleman server that both parties have access to, and let it delegate the connections.