
What tool or protocol do you use for remotely connecting to your linux boxes?

Arkitech

I'm studying for the Linux + and RHCE certification and I'm curious what methods people use for remoting into servers/workstations. I know on the enterprise side it's likely going to be some form of SSH for the CLI, but not really sure what's the preferred (most secure) method for a GUI remote connection.

What do you guys use, either at work or at home for play?


Also if a person wants to remote into a linux box from a public wifi, what would be the best method? Some kind of tunnel along with SSH or would that be redundant?
 
I just use SSH. I have no need for a GUI on any of my Linux machines. However, if I did have to have a remote GUI connection then I would use VNC, as that also supports encryption.

As for your last question, just use SSH, as everything that is sent to the server is encrypted. If I had to use any insecure protocols I would use a VPN solution to connect securely first (OpenVPN).
 
Thanks Smakme, I'm going to do a little research into OpenVPN.

I'm also looking for a secure way to stream media from my Linux box. This should point me in the right direction.
 
Actually I'd be curious about this as well. For general management I just use SSH, but sometimes I'm at work and it would be nice if I could remote into my workstation and see what would be on the monitor. VNC in Linux works differently than in Windows in that it acts more like a terminal server, so while that has its use, it won't let you remote directly into the same session that you are in physically at the computer. Guessing this is a security thing.
 
Quick question, do you guys use the default port of 22 for SSH? Or do you change it for added security? I don't know if that's needed or not when using the fingerprint authentication.
 
I tunnel X over ssh if I ever needed to do that. Usually just use ssh for command-line.

That works ok if you want to actually launch an app, but not if you want to see something that's already open.

I use a non-default port; it keeps the logs clean from all the bot attacks, and lets me easily spot an actual targeted attempt.

I also use fail2ban to ensure if someone gets the password wrong more than 3 times their IP gets blocked. It's a must on a public facing SSH server. Without brute force protection it's not a matter of if, but a matter of when, you get hacked.
 
Hmm, I need to look into that. I do plan on forwarding the SSH port in the future.
 
Public key/private key pairs and deny password auth.
 
That works for fixed stuff for automating backup jobs and whatnot, but if you want to be able to access from anywhere from any PC it's easier to just have a password. You still want brute force protection anyway, as someone could in theory try to brute force the keys. Which, come to think of it, I don't know if fail2ban even handles that. I'd have to test that.
 
It should, since it monitors log files, and it should notice the failed login attempts (or you can set it to notice these things).
 
I use Teamviewer. The latest version will automatically configure itself for headless use, which was actually a problem at one point if you didn't have a monitor attached.

SSH works great for admin but if you want to use a GUI without resorting to a virtual machine then I'd give Teamviewer a look.
 
I use a custom setup I built myself about 13-15 years ago, which sounds a bit like fail2ban, on my internet-facing system, but I have an additional level which, after banning the IP address, bans the subnet if it sees additional failed attempts from another system, and would look up the ISP and ban it as well. It also partially spoofs being a Windows system (2003 specifically) and automatically bans IP addresses that attempt to connect with Windows-centric applications/usernames/ports (as opposed to the 3 attempts you get on ssh failures).

Back to on topic, pretty much everyone uses SSH and/or SSH+VPN. As for needing a GUI, almost no one in the industry uses it for admin work on Linux/Unix/BSD unless you are supporting end users that are running it on the desktop and are having application problems (everything else is typically done via command line).
 