Any networking gurus out there?
I have a server that I wanted to be a web/ftp server available to the outside world.
I installed IIS and configured it. Completed with no troubles. Then, since my ISP periodically assigns new IP addresses, I needed to 1) configure my router for port forwarding, and 2) sign up for a domain name service that periodically tracks what IP my ISP assigns and updates the domain name I chose. After some fiddling around, both have been completed. I can now access my server's web and ftp functions via anywhere on the net despite my ISP changing the IP address.

Then, I wanted to be able to remotely log into the server for three reasons: 1) to administer it, 2) remote development, and 3) to be able to remotely log in to my other computers on the LAN from the server. I have gotten all that to work easily enough. The only computer I can remotely log into from the net is the server. Once in there, I can in turn remotely log into any other PC/Mac in the house. On the server, I've already set the single user that is allowed to remotely log in, and set a strong password for that account. However, this is obviously not secure enough, and this is where my questions come in.

I've read I can remotely log into the server using a web browser (instead of using the Windows Remote Login program). This would be nice since I can do so from any computer (Windows, Mac, Linux) as long as it has a web browser and internet connection. To make web remote login secure, change the http port number in IIS. Normally of course, it's port 80 for web. But if I change the port number in IIS for web remote login, that also changes the port number for the regular website. So, that leaves me with a few choices:

1) Change the port number for the web and just remember to type the port number at the end of the web address if I want to just go to the website (not logging in, just regular web). Not a good solution since I may eventually move my rc_speed website, and telling everyone the port number to access the site would defeat the whole purpose of changing the port in the first place.

2) Create a VPN tunnel when I want to remotely log in. This would probably be the most secure, but I'd have to have the executables handy depending on what operating system of the client I happen to be using. Plus, I have no idea where to start. But at least I won't have to mess with port numbers, which means the regular web/ftp will work, and just use the VPN for remotely logging in.

3) I had thought of a third choice, but I forgot it. :oops:

Any ideas/suggestions? |
Why not use a 3rd party tool like RealVNC or Citrix or hell, even GoToMyPC?
|
Because I want to be able to use any computer (and OS) without having to run some kind of client software.
|
I tunnel rdp over ssh.
The only client required is an ssh client (PuTTY for Windows, built in on any Linux, or OS X), and an rdp client. The only port open is ssh, which is obviously very secure. Then I turn off password auth, and only allow key exchange.

I use a plug computer for the ssh server, though I used to use an old router with OpenWrt. It's cheap, easy, portable, and secure. For DNS I use dyndns.org. My webserver (when it's up) is also on the plug computer.

Tony |
Well, web-enabled remote desktop is out. To be secure, you should change the port number in the "default web site" in IIS to something other than port 3389 (default remote desktop port), but then that also changes the port number for the regular web server. Apparently, you can't have two separate port numbers and set each for what you want it to apply to.
So, for now, I just changed the default port number for remote desktop (required a registry setting as well as some firewall changes). The only way to secure regular remote desktop is to use "SSH tunneling over a VNC connection". I'll probably end up using some kind of remote access over VPN software eventually. Even if the server gets hacked in the meantime, it's not a big deal since nothing important is on there. |
Quote:
That sounds like the way I want to go. Do you have more info on what you describe? BTW, I'm using dyndns.org as well. |
contact eovnu87435ds
|
I use this for work and home.
https://secure.logmein.com/products/free/

It does require me to install an app on the computer to be controlled, but that has never given me any trouble. I can then control it from any web browser, even my Android phone. Look into it... I use it all the time and it's awesome. |
Quote:
Set ssh to run on whatever port you want. Set your router to forward that port to the ssh box. I don't believe you gain much security by using a non-standard ssh port, but some people do.

Set up key management if you want to require key based authentication. Doing so means always having your key with you. I store mine in Dropbox, and on my Android phone.

SSH in. I'll give the example of using PuTTY, since it's "more complex". Set up your ssh connection to go to your hostname & ssh port. Then in the settings, under ssh->tunnels you want to put in your rdp tunnel. There's a local port box, and a remote box that's longer. In local port put any local port, say 3389. In the remote box put the INTERNAL IP of the machine you want to rdp to, and the port (3389 by default). So maybe this:

local: 3390
Remote 192.168.1.50:3389

Open your ssh connection and login. Start your rdp client, and rdp to:

localhost:3390

And it'll connect you to your desired destination. I can email a screenshot if you need more clarification.

Tony |
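
The tunnel described in the post above, written for the OpenSSH command-line client, together with a check that a server config accepts keys only ("turn off password auth" from the earlier post). This is an added example and not part of the thread; the host name, user, SSH port 2222 and the sample config are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Host, user, SSH port and the sample
# config below are constructed placeholders.

# Print the global value sshd would use for a keyword (regex of lowercase
# names). sshd keeps the FIRST occurrence; Match blocks are not evaluated.
sshd_value() {  # usage: sshd_value FILE KEYWORD_REGEX DEFAULT
    awk -v want="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }
        { sub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) ~ ("^(" want ")$") { print tolower($2); found = 1; exit }
        END { if (!found) print def }' "$1"
}

# Succeed only if passwords are off in both forms and keys are still on.
# keyboard-interactive can prompt for a password via PAM, so check it too.
key_only() {  # usage: key_only FILE
    [ "$(sshd_value "$1" passwordauthentication yes)" = no ] &&
    [ "$(sshd_value "$1" 'kbdinteractiveauthentication|challengeresponseauthentication' yes)" = no ] &&
    [ "$(sshd_value "$1" pubkeyauthentication yes)" = yes ]
}

# Build the ssh command for a local forward such as 3390 -> 192.168.1.50:3389.
# 127.0.0.1 keeps the listener off the client's network; ExitOnForwardFailure
# makes ssh quit if the local port cannot be bound instead of logging in
# without a tunnel.
tunnel_cmd() {  # usage: tunnel_cmd LPORT TARGET_IP TPORT SSH_PORT USER@HOST
    for p in "$1" "$3" "$4"; do
        case "$p" in ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s -p %s %s\n' \
        "$1" "$2" "$3" "$4" "$5"
}

# Constructed sample config to exercise the check, then the tunnel command.
sample=$(mktemp)
printf '%s\n' '#PasswordAuthentication yes' 'PasswordAuthentication no' \
    'KbdInteractiveAuthentication no' > "$sample"
if key_only "$sample"; then echo "key-only: yes"; else echo "key-only: NO"; fi
rm -f "$sample"
tunnel_cmd 3390 192.168.1.50 3389 2222 user@myhost.example.org
```

On the SSH box itself, `sshd -T` prints the effective settings in the same keyword/value form, including anything pulled in from included files, so its output can be saved to a file and passed to `key_only` instead of the raw config.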