So, we all use TeamViewer for accessing GUI based (Windows / Linux) remotely and of course, it works really well.
Any ideas of how to do the same with headless (Ubuntu) servers? I'm thinking that the headless servers would run some sort of service that connects to a central server, which I can then remote into (somehow) and then route through the central server to the remote server.
It's kinda like the server based TightVNC that was popular a view years ago, where you could host the "server" module and have all your TightVNC clients connect to that server, whilst you do the same on your client, and the server module provides a gateway through to the remote systems. Just like TeamViewer really.
I wonder if the remote servers can connect to the (central) gateway server via SSH, I would do the same (again via SSH) but then the gateway server will provide me a "tunnel" through to the remote server.
I would of course prefer to have the remote servers have SSH ports opened through their firewall and then connect to them directly, but sometimes their IT teams don't like that. Having a server that runs a service, connects to a public server, means that the IT team will typically permit this, as the traffic is initiated internally and would be even more so agreeable to permitting it if that traffic uses an encrypted protocol.
Anyway - I just wondered if there was something out there that I could have a look at and see if it would work??
If you don't want a cloud controlled service (with serious security issues as of late), then check out the self-hostable MeshCentral project. It creates outbound tunnels that allow devices to communicate behind NAT and other networks.
Good news! Teamviewer 11 supports headless Linux servers :)
https://www.teamviewer.com/en/help/1111-How-do-I-install-TeamViewer-on-a-Linux-system-with-no-graphical-user-interface
Try https://www.dwservice.net/en/
Works on RPI, Linux and Windows.Best Part is free and Support for Terminal access
not just GUI ( so works faster in slower internet ) .
Client side- > just run the script ( not need of GUI)
Remote side - > Run just browser.
Related
I currently have the following network setup and would like to be able to make WebRTC calls between the two clients in different networks.
I enabled IPv4 forwarding on the openSuse Leap 15.2 server and both devices have either 192.168.2.1 or 192.168.4.1 as their default gateway. The web application as well as the signaling service are both hosted on this server as well.
With the Firewall disabled the call works as suspected, but with the Firewall on the call no longer works. I thought about hosting a Coturn STUN/TURN server on this server, as I've read that you should provision one, if you run into troubles with a firewall.
Is a setup like this doable with lets say Coturn and what would the configuration look like for a scenario like this?
I ended up solving it as I describe in my GitHub issue for this matter.
Hi i am new to Web Services. Here is my doubt
1) If i am hosting my website then their should be a web server which should keep my website into that this also we are calling server..
2) If i want to run PHP Program in my local system i should use Local Server lie XAMPP this also we are calling server.
My doubt is for example in local system i have downloaded Xampp and i am running my server side program.. but after uploading into server how its working
also AWS, Proxy is which server???
All the servers are confusing a lot
Both web servers and local servers are just computers with software installed on them.
Not much more.
That said a web server is a computer that is connected to the internet and has some kind of a web server software installed on it.
The most common one is an HTTP server software that can serve web pages.
For example, Apache, Nginx are both HTTP servers that can serve both static and dynamic web pages to browser across the world.
Another web server can be FTP, IRC, NTP, SMTP/IMAP/POP3 (mail servers) are all web servers that just have different software installed on them and so they serve other purposes.
A local server is again a computer that serves a client within the local network or LAN.
That means that in most cases it will not be connected to the internet or if it does it will be protected with a password so not everybody can access its services.
It can act as a file server or LDAP server that are roles of a typical local server but it can also be a local web server that holds web-based application only for the local organization.
For example, a company will have a local web server with Salesforce installed on it to serve it's CRM needs.
To make a long story short both servers are just computers connected to a network. Local servers are connected to the LAN and Web Servers are connected to the WAN. Other than that it really depends on the software you install on them and the use you want to make of them.
If you need more clarification, leave a comment and I'll try to help.
I have a set up I would like to implement but just not sure on the details. As you can see in the image below I have a single VPS in the web which I would like to use as a gateway to a number of locally running web servers. Im using the VPN to hide the IP/location of the server farm while maintaining the ability to host locally.
What I am not sure on is the implementation as I have never used a VPN before. My understanding is that I can host the VPN server on the server farm, have the VPS connect to it which will give me another 'local' network interface which I can then use apache to proxy traffic through?
The server farm is basically a small Kubernetes cluster give or take a little.
Is my understanding correct and can you offer any advice on implementaion?
Thanks in advance!
server farm example image
The VPN server should have two network interfaces. The first is the public interface that connects to the Internet and the second is the local interface that connects to the server farm. All the servers in the farm should connect only to the local interface and have the gateway set as the VPN server.
You can use the Reverse Proxy functionality in Apache to route incoming traffic to the appropriate server. See Reverse Proxy Guide
Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install a SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is a SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
I want to install a number of raspberry pis at remote locations and be able to log in to them remotely. (Will begin with 30-40 boxes and hopefully grow to 1000 individual raspberry pis soon.)
I need to be able to remotely manage these boxes. Going the easier route, forwarding a port on the router and setting a DHCP reservation, requires either IT support from the company we'll be doing the install for (many of which don't have IT), or it will require one of our IT people physically installing each box.
My tentative solution is to have each box create a reverse SSH tunnel to our server. My question is: How feasible would this be? How easy would it be to manage that many connections? Would it be an issue for a small local server to have 1000+ concurrent SSH connections? Is there an easier solution to this problem?
My end goal is to be able to ship someone a box, have them plug it in, and be able to access it.
Thanks,
w
An alternate solution would be to:
Install OpenVPN server on your server machine. How to install OpenVPN Server on the PI. Additionally, add firewall rules that block everything but traffic directed for the client's ssh and other services ports (if desired), from administrating machine(s).
Run OpenVPN clients on your Raspberry PI client machines. They will connect back to your VPN server. On a side note, the VPN server and administrating machine(s) need not be the same machine if resources are limited on the VPN server. How to install OpenVPN on the client Raspberry PIs.
SSH from administrating machine(s) to each client machine. Optionally, you could use RSA authentication to simplify authentication.
Benefits include encryption for the tunnel including ssh encryption for administrating, as well as being able to monitor other services on their respective ports.
I made a WebApp to manage this exact same setting in about 60 minutes with my java web template. All I can share are some scripts that I use to list the connection and info about them. You can use those to build your own app, it is really simple to display this in some fancy way in a fast web.
Take a look at my scripts: https://unix.stackexchange.com/a/625771/332669
Those will allow you to get the listening port, as well as the public IPs they're binded from. With that you can easilly plan a system where everything is easilly identificable with a simple BBDD.
You might find this docker container useful https://hub.docker.com/r/logicethos/revssh/