I have my Openbravo appliance running in VMware Workstation on top of Win7, which is in a LAN connected to the internet by a router.
When I start the appliance, I can access the ERP web console by typing in the address it gave at the end of the process (for example, 192.168.1.107). All computers in the LAN can access this address as well, which is fine for now.
However, in the future, I need to access this console from my home PC running Win7 (which is, of course, connected to the internet). How do I set this up? I have tried the method given in http://planet.openbravo.com/?p=8612 (see case 3 - Expose my local ERP into a remote network)
I tried (in Openbravo Appliance console running in VMWare)
ssh -R :9999:localhost:80 myhomepc@101.108.70.128
(where 101.108.70.128 is the ip of my home pc read from whatismyip.org)
but it gives the following error:
ssh: connect to host 101.108.78.128 port 22: connection timed out
Did I miss any required step?
What should I do to successfully connect to my Openbravo instance?
It is best to ask those questions directly in the Openbravo ERP forums: http://forge.openbravo.com
Case 3 from the blog post you are referring to makes two implicit assumptions:
a) The remote computer runs an SSH server.
b) This SSH server can be connected to from the ERP instance.
One of the two assumptions seems not to hold in your case: either your Win7 box does not run an SSH server and/or the router of your home network does not forward port 22 from the outside to your Win7 box.
Without further information, I assume neither is done.
Let me propose another solution instead. As you want to connect to the command line of the ERP appliance from home, you could do the following:
Configure the router of the network with the ERP appliance to forward some external port (e.g. 2222) to the IP of the appliance, destination port 22.
This will allow you to access it from the home network (or any other system from the internet knowing the ip/port).
Using an external port different from 22 avoids some simple SSH brute-force password scans.
As the appliance by default does not allow login by password but only allows authentication by public key, this is secure enough not to allow unauthorized access to your system.
After this, either use case 1 from the blog post or a normal SSH tunnel like 'ssh -p external-port user@externalipoferplan -L 9999:localhost:22' and then access the ERP via 'http://localhost' from your Win7 box.
If that is too complicated and you want to just make the ERP web interface available from the internet without having the extra SSH security in the middle, then you can just configure the router of the ERP LAN instead to forward port 80 or 443 (HTTP or HTTPS) to the ERP instance and access the system directly from anywhere, as if it were on some public server on the internet.
I have my website up and running on a Google Cloud VM. But it runs slow because I only use the cheapest one. Before upgrading the VM to a more powerful one, is it possible to host a website on my own computer using the IP from the Google Cloud VM? I successfully set up a VPN server on it using SoftEther (checking whatsmyip on my computer shows the public IP of the Google Cloud VM). Any tips and help would be appreciated.
VPN is usually for outgoing connections, not incoming. Generally speaking, you would need to have some kind of thin server running on your cloud instance, that forwards all incoming connections to your home machine. From visitors' perspective they will be connecting to the cloud IP, but all the work will be done by your home PC.
Of course your home PC will probably have a dynamic IP so it will have to keep the server updated on this.
Here is one very simple implementation. Do not actually do this, it is just an illustration:
Run your website on your home PC so that it serves on e.g. localhost:8000
Set up an SSH server on your home PC
SSH into cloud PC
From there, SSH back into your home PC with SSH forwarding of localhost:8000
Run the reverse proxy (e.g. nginx) on your cloud PC and tell it to proxy to localhost:8000
Requests will be proxied to your home PC through SSH so long as the connection is alive. This is obviously not a convenient setup and letting a cloud machine SSH into your home PC is a bad idea for many reasons. You could try to restrict the SSH into your home PC, or even run a VPN server at home and have your cloud instance connect to that VPN to access the website. However that is still not a best practices way to do it.
A better way would be:
Obtain a stable URL (doesn't have to be a full domain, just something that can forward to your IP)
Run an nginx reverse proxy on your cloud server, and tell it to proxy to this URL
Ensure the URL points to your home PC when your IP changes (ideally you want an "update IP" script that runs every time you turn on your home PC)
If you don't want a URL, you could also write a simple script to update a hosts entry on the remote machine with your home PC's IP.
I want to SSH or VNC to my computer in the company network. I know the internal IP (e.g. 192.168.x.x), the external IP name, and my computer's hostname.
If I do ssh username@externalIP
or open vnc://externalIP
How would ssh know which computer to go to on the network? Is there some way to indicate this?
If I ask my company to open port 22 would that be enough (or is vnc another port?).
What you're asking has a fairly simple solution actually. Basically the computer you are trying to connect with must allow ssh and the router must also have an open port like you mentioned. If you are trying to access the computer from an external network (i.e. not your company's network), then they may require a VPN. What's a VPN?
My university, for example, denies all requests from outside the network. You can't even ping our Raspberry Pis from off-campus ;) In order to ssh or ping them, we have to connect with the provided VPN. It's a powerful way to connect to internal, secured networks. The downside is you will probably need to contact IT within your company.
Is it possible to only allow a Port to be used via SSH Port Tunneling if the user is in a specific Active Directory Group?
I have a client machine, a Windows Web Server and a Linux Server with a database. I would like the client to be able to connect to the Database using SSH, but only if they are in a specific AD group.
Is there any way of achieving this?
Basically: no. Any user with shell access can use his own forwarder and gain access to the port anyway. So if you have users root, bob and dbtunnel on the Linux machine, all three can "export" access to the database.
But what is it that you really want to do? Because it seems to me that you want to encrypt (possibly compress) the database connection between Web server and database. You can do that without SSH at all.
What you can do, with SSH, is disable port forwarding and shell altogether except for that one group. sshd_config allowgroups supports LDAP. You will be severely limiting all (or most) users on the Linux machine.
Some databases such as MySQL offer native encryption, possibly not so performant if compared to "born" solutions. MySQL also has compressed client/server protocol (which is best left disabled whenever using a third party encrypted connection).
You can set up a VPN and only allow access to port 3306 from the VPN interface.
Also, you can restrict connections (both SSH and VPN) to those coming from the web server to reduce the database machine's attack surface.
A fancy solution, even if it does little for security, is to not have SSHd on the Linux machine at all, and rather have it on the Windows machine. Then the Linux machine can connect with an autossh client and forward its local 3306 port to the remote. Anyone on the Windows machine can still connect to the database. And the tunnel user needn't even exist on the Linux machine. You can then disable SSH access to all users except bob for management purposes. To open the tunnel with auto-SSH from Linux to Windows, you'll need some SSH server or other for Windows.
The reason why VPN, iptables and reverse-tunnel make little difference is, how would an attacker get "into" the Windows machine? He would probably exploit the Web server. But at that point, whatever connection there is between the Web server and the database, the attacker would have full access no matter what. He would just piggyback on the existing connection.
So the firewall IP restriction and reverse-tunneling solutions do nothing for user identification, as it would be moot anyway, but rather remove the vulnerability of having the Linux machine accessible from outside the Web server by a non-admin user.
Fancy solution (in this example MySQL and port 3306; could be PostgreSQL and port 5432 just as well)
install an SSHd server on the Windows machine on some nonstandard port.
configure Windows firewall to allow connections to that port only if coming from the Linux machine's IP.
create a (limited) user on the Windows machine to allow Linux to connect.
install autossh script (above) on the Linux machine and configure it to connect to the Windows server, forwarding local 3306 port to a newly created listening remote 3306 port bound to localhost (no -g option).
tell the Web server there's a MySQL server at address 127.0.0.1 port 3306.
...and you're done.
Who can connect to the database now?
any user on that one Windows machine. This should mean only the Web server user (*).
any admin user with SSH access on the Linux machine (provided there is SSH access to the Linux machine. You could have turned it off).
an attacker successfully exploiting the Windows Web server: but he could have done it anyway, since the Web server needs access to the database.
(*) and any other user could have done this also if port forwarding was LDAP limited -- they would have just needed to wait until the connection was performed by the LDAP enabled user, then they could have piggybacked on it.
I am running an Ubuntu server on my laptop through Oracle VirtualBox and I am trying to maximize the bandwidth of my home server, as it really slows down my internet connection. My router supports up to 300Mbit upload/download speed and my laptop's WiFi card up to 150bit.
I configured my server with the following (static IP, configured with vim /etc/network/interfaces):
auto eth0
iface eth0 inet static
address 192.168.1.240
netmask 255.255.255.0
gateway 192.168.1.1
dns-nameservers 192.168.1.1
192.168.1.1 is my default gateway, and I just configured a static IP which ends with 240.
When my laptop's WiFi is on, I can easily access the server's files (.html files etc.) through Chrome from any computer in my house, as I just need to enter the server's IP into the browser, plus I can access the server through SSH. But when it's off, I can't even access the server's HTML files through the laptop itself, though I can see that the server is still running on VirtualBox. When I turn the WiFi on again, I can run services which require Apache2, but they really slow my internet connection; as a result I can barely surf the web. I am trying to configure the server to use only the bandwidth of my router, since my actual internet connection is 30 Mbit download and 1.90 Mbit upload (according to speedtest), and it probably interferes with it. Is it possible to access the server without a WiFi connection, so it will purely use my router's speed?
Any help would be appreciated.
1) It looks like you are using bridged networking in the VM config. When your network adapter is connected to a real network, you can interact with your VM via the network bridge. When it's not connected, your bridge is also closed. If you need to interact with your VM without a WiFi connection, you can add one more virtual network adapter to your VM config: use a "Host-only" adapter and configure it on both the VM and the host PC. Your VM will use the new host-only adapter to interact with your PC, and the old bridged adapter to interact with the other network.
2) Check your WiFi speed near the router. Maybe it's too far or provides too weak signal.
PS. Sorry for my poor English.
I want to make my site available worldwide. I'm using the XAMPP server for hosting. I have no access to any kind of servers and modems. The situation is shown below:
My site server has a local IP assigned by the WiFi router and it runs Windows 8.
Remember I have no access to any kind of servers and modems, so port forwarding is impossible (out of my scope).
It's actually difficult, but not impossible.
One way, I would approach this is:
I would host a page on internet.
Then take request and store it in database.
One of my program will always be running from my computer.
Then check for request and curl the request to localhost. For this you may use Node.js (taking data from database using GET method and curl it to localhost).
This is the best I could think of. And I am working on it, when the code is ready I'll make it open source and notify you :)
But still, it's difficult, as you need to put the user's request to sleep for 2 seconds and then transfer it.
Its slow, but may work out for you.
Disadvantages:
Program will be very slow and memory usage will be more.
Breaking may happen many times.
High bandwidth wastage
If not encrypted, MITM (man in the middle) may be possible.
Advantages:
Indirect method of hosting
Need not to worry about your code being lost.
I am looking forward to a better alternative and I would like to put this question up for bounty once again.
If you cannot open the necessary ports within your LAN you will require access to an external server. However, the external server does not need to host any code, e.g.
Create a Linux based ec2 instance using Amazon's free tier.
Install a package to redirect remote to local ports:
a. using socat:
Install socat using your distributions package manager
Connect via SSH: ssh -N -R 42500:127.0.0.1:80 -o ServerAliveInterval=60 ubuntu@xxx.xxx.xxx.xxx -N -R 8080:localhost:80 "socat TCP-LISTEN:8080,fork TCP:127.0.0.1:42500"
b. using a webserver and reverse proxy:
Install apache or nginx and any required reverse proxy modules and configure your VirtualHost to proxy requests to a local port, e.g. :8080 -> 127.0.0.1:42500
Connect via SSH: ssh -N -R 42500:127.0.0.1:80 -o ServerAliveInterval=60 ubuntu@xxx.xxx.xxx.xxx
Your machine is now reachable via the ec2 instance http://xxx.xxx.xxx.xxx:8080/.
I occasionally use this technique when debugging web service callbacks.
Update 17-02-2014
If you are a Windows user you will need to install a third-party tool to support ssh. Options include:
cygwin
git bash
PuTTY
PuTTY is the easiest choice if you are not familiar with *nix tools. To configure remote port forwarding in PuTTY expand the following setting: Connection -> SSH -> Tunnels. Given the previously described scenario, populate Source port as 42500, Destination as 127.0.0.1:80 and tick the Remote option. (You may also need to add the path to a PuTTY compatible private key in the Connection -> SSH -> Auth tab depending on your server configuration.)
To test you have successfully forwarded a port, execute the command netstat -lnt on your server. You will see output similar to:
tcp 0 0 127.0.0.1:42500 0.0.0.0:* LISTEN
Finally you can test with curl http://127.0.0.1:42500. You will see the output of your own machine's web root running on port 80.
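Added example, not code from any of the answers above: a Python stand-in for the socat relay in step 2a (accept connections and hand each one to the loopback port where sshd put the -R endpoint), plus a check of the netstat -lnt line from the test step. The same localhost-bound tunnel end is what the earlier "fancy solution" answer relies on with autossh and no -g. Assumptions: the relay defaults to binding 127.0.0.1 (socat's TCP-LISTEN binds all interfaces; pass bind_host="0.0.0.0" for that), and demo() constructs a loopback backend that upper-cases its input to play the tunnel end.

```python
import contextlib
import socket
import threading

def _pipe(src, dst):
    """Copy bytes one way until src hits EOF, then half-close dst so the peer sees EOF too."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def _handle(client, target):
    """Per-connection worker (socat's 'fork'): open the upstream side and pump both directions."""
    with socket.create_connection(target) as up, client:
        back = threading.Thread(target=_pipe, args=(up, client), daemon=True)
        back.start()
        _pipe(client, up)
        back.join()

def start_relay(listen_port, target_port, bind_host="127.0.0.1"):
    """Relay bind_host:listen_port -> 127.0.0.1:target_port (sshd's loopback-only -R end); returns (srv, port)."""
    srv = socket.create_server((bind_host, listen_port))
    def accept_loop():
        with contextlib.suppress(OSError):  # ends when srv is closed
            while True:
                conn, _ = srv.accept()
                threading.Thread(target=_handle, args=(conn, ("127.0.0.1", target_port)), daemon=True).start()
    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]

def tunnel_end_is_loopback_only(netstat_line, port):
    """Check one 'netstat -lnt' line: the -R endpoint should LISTEN on 127.0.0.1:port, not 0.0.0.0."""
    f = netstat_line.split()
    if len(f) < 6 or f[0] != "tcp" or f[-1] != "LISTEN":
        return False
    host, _, lport = f[3].rpartition(":")
    return host == "127.0.0.1" and lport == str(port)

def demo(payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Constructed stand-in for the tunnel end: a loopback backend that upper-cases what it gets."""
    backend = socket.create_server(("127.0.0.1", 0))
    def serve_once():
        conn, _ = backend.accept()
        with conn:
            data = b"".join(iter(lambda: conn.recv(4096), b""))
            conn.sendall(data.upper())
    threading.Thread(target=serve_once, daemon=True).start()
    relay, port = start_relay(0, backend.getsockname()[1])
    with socket.create_connection(("127.0.0.1", port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # done sending; the relay propagates this EOF upstream
        out = b"".join(iter(lambda: c.recv(4096), b""))
    relay.close(); backend.close()
    return out
```

The netstat check is the one to run on the server after the ssh -R step: a 0.0.0.0 bind there would mean GatewayPorts is on and the tunnel end is already exposed without the relay.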
If you don't have a public IP address and cannot use port forwarding, it is impossible to host the site.
As people have said you need a public IP address. However, even if you did you should not use xampp as a public server, as it is designed for development and therefore has some security settings disabled.
I would recommend buying some shared web hosting, and uploading it to that. (You can get cheap hosting if you google 'shared web hosting', plus free .tk domains are available: http://www.dot.tk/)
Does your company have any VPN network?
If it does and you have access to the VPN network, you can include your server in the VPN network and your guests will only need to log in to your company VPN network, then access your site like in a local network without using port forwarding. And since your data is very confidential, I assume that using a VPN will also help to increase the security of your data.
Please correct me if I'm wrong.
Thank You.
What you are asking is not possible without port forwarding.
Let's break it into steps.
To host your site locally you will need an IP that is static so that users can access it specifically.
You will need a domain so that it can be converted into a user-friendly name.
A 24x7 internet connection is a must! You added a WiFi router in your diagram and most of today's routers are capable of port forwarding.
What I would do in your scenario is:
Instead of using XAMPP, I would install WAMP because I am more familiar with it and it is easy to configure. (totally personal preference)
Then I would set my server "ONLINE". (Google how to set the WAMP server online)
Forward port "80" from the router settings to my local computer's IP address. (mostly it is tagged as "Virtual Server", "Firewall", "Port Forwarding", etc.; it varies from router to router in the settings)
Suppose you have a local ip "192.168.1.3" and global/router IP "254.232.123.232" then you would redirect all the HTTP request done towards router to your local IP.
[[[[254.232.123.232]]]] --+ :80 +-- --------->192.168.1.3
That is good for now, but then you will need to tackle the dynamic IP problem of the router. But don't worry, thanks to some free sites that will be easy!
Go to no-ip.org -> Setup Account -> and create an entry, just a subdomain for now to test whether everything is working fine. (a subdomain like mysite.no-ip.org; later purchase a real domain)
Input your IP address there(Router IP) and download its application which will automatically update their server if your local IP changes.
Wait for some minutes and Voila! Your site is live.