Remote Support?

[Allanon]

Question... Does the enabling of Remote Support just enable SSH on an Untangle setup? And if so are there any NAT or FW rules that it should automatically create?

[gwar9999]

I believe it also runs the rbot ruby program which maybe a security issue. I don't think anybody at Untangle has officially commented on rbot, but I did start a thread regarding it.

You can leave support disabled and manually create symlinks to start ssh. FWIW, the ssh that Untangle starts is susceptible to brute force attacks since it allows root access and every cracking script will try to login as root (among other often used usernames such as, believe it or not "fluffy"). You might want to take a look at the DenyHosts statistics page:

http://stats.denyhosts.net/stats.html

which shows over 111,000 unique hosts that have launched brute force attacks against SSH servers.

One way of securing the SSH server on Untangle is to make it accessible only to the internal interface (such that nobody can connect to it from a remote server). To do so, edit the file /etc/ssh/sshd_config:

Comment out the existing ListenAddress:

Quote:

#ListenAddress 0.0.0.0

And create a new one restricting access to your LAN (internal) interface:

Quote:

ListenAddress 192.168.1.1

Then restart the sshd server:

Quote:

/etc/init.d/ssh restart

There are other methods to securing SSH but this is sufficient if your LAN users aren't a security risk.

[Allanon]

Well my goal is to access that box from work, we run a number of external websites here so it's more aof a convenience thing to be able to SSH tohome, then validate a url thru Lynx. I realize there's probably many other ways to do that, this was is comfortable.

However symlinks are over my head

So if I want to setup a more secure SSH should I disable the gui's Remote Support" and just setup a normal SSHD?

[gwar9999]

Quote:

Originally Posted by Allanon

Well my goal is to access that box from work, we run a number of external websites here so it's more aof a convenience thing to be able to SSH tohome, then validate a url thru Lynx. I realize there's probably many other ways to do that, this was is comfortable.

However symlinks are over my head

So if I want to setup a more secure SSH should I disable the gui's Remote Support" and just setup a normal SSHD?

A couple of other options... if you have an SSH daemon running on another Linux (for instance) server you could set up port forwarding in Untangle such that you could ssh to Untangle's port 9922 (or whatever) which would forward the connection to your other SSH server's port 22. Once connected to your other SSH server you could SSH into Untangle.

Alternatively, you could setup another user on Untangle (using "useradd") and disable root logins which is notoriously BAD in /etc/ssh/sshd_config:

<quote>
PermitRootLogin no
</quote>

This way, you could SSH into Untangle externally but as a non-root user. If you require root access, use "sudo" once logged in.

[Allanon]

ok i editted the sshd_conf file and change the permitrootuser to no. however right now I am unable to ssh into the box...remote support is enabled but its non responsive.. I was checking my config and I noticed how Im showing an Internal and a DNZ interface are linked up. This box only has two nics so I wonder if the fact that according to Untangle it's External interface has no link and is in a down state have anything to do with my issues? Is there a way I can totally remove the DMZ?

[Allanon]

Quick question here.. if your ssh is enabled externally and internally.. and by adding the "PermitRootLogin no".. will you still be able to ssh as root internally?