  1. #1 (joined Aug 2002, Silicon Valley, 45 posts)

    How to set up an SSH tunnel for TS Admin to improve security


  2. #2 m&m's (guest)
    Nice work! Looks good for those that want to go that extra mile to secure their TS server. Give this a try.

    Now we need a mod to sticky it before it gets lost down the list.
    Thanks G
    Last edited by m&m's; 30-11-2004 at 02:49.

  3. #3 (joined Aug 2002, Switzerland, 8,182 posts)
    Made it sticky, please give feedback.

  4. #4 (joined Jul 2004, Dallas, 113 posts)
    Did not work for me, actually gave an error like "is not a tty" or something along those lines.


    -LabeL-

  5. #5 (joined Aug 2002, Silicon Valley, 45 posts)
    Label,
    email me if you want some help
    bones (special symbol) theartofwarfare.net
    Last edited by Bones_taw; 29-03-2005 at 08:06.

  6. #6 (joined Mar 2005, MA, 1 post)

    gen'l security

    I am looking to eliminate as many paths to the TS server, other than end-user client access. My clan runs a TS server and it was recently hacked on our machine via the 14534 port (an access point I was unaware of, sad to say), as the admin password had been freely passed out in the channels by various n00bish users.

    The TS server and many of our other clan game servers are run on a rack machine out of a datacenter that's over 500 miles away from me. I access it via RDP or secure FTP and would like to eliminate all of the http server and query ports. I assume the way TS was implemented, I will lose "local" (via RDP) access in this scenario.

    I'd rather not just set HTTPServerPort and other ports to some wacky large number as port scanners will get to them eventually. Can I simply disable them at start-up? I considered firewalling those ports off but I prefer more straightforward IT solutions...

  7. #7 (joined Jun 2004, Pinole, California, USA, 163 posts)
    You can disable the telnet and web ports. All you need is the TS client port. You could also implement knockd and require a host knock before it has access to the web interface...

    In your server.ini,

    [Main Config]
    ExternalIPDectection=1
    HTTPServer Port=14534 SET THIS TO SOME RANDOM VALUE BETWEEN 25000 and 65535
    HTTPServer Enabled=1 TO DISABLE THE WEB INTERFACE SET THIS TO 0
    DateTimeFormat=dd-mm-yyyy hh:nn:ss
    TCPQueryPort=51234
    [log]
    access_r=1 : Logs access to the server by registered users
    access_u=1 : Logs access to the server by unregistered users
    channel_registerred=1 : Logs Channel switches and configurations changes for registered channels
    channel_unregisterred=1 :Logs Channel switches and configurations changes for unregistered channels
    sa=1 : Logs Server Admins acctions
    chat=1 : Logs Chat
    kick_server=1 : Logs kick from the server
    kick_channel=1 : Logs kicks from the channel

  8. #8 (joined Sep 2005, Cologne / GER, 64 posts)
    An additional tip: you should change the query port if you want to leave it open... 51234 is well known as the TS2 query port, so it will be easy to access your server.
    If you are able to, try to block the query port via iptables so that you can only access it from the local machine.

  9. #9 (joined Feb 2006, UK, 9 posts)
    I couldn't get this to work on Windows.

    I've got a Windows 2000 Server - on which I installed and configured OpenSSH, and I'm connecting using Windows XP Pro.

    I can connect OK using putty - so a basic SSH session is possible, but the port forwarding didn't happen. Seemed to try, but then both telnet and http came back with nothing.

    The server's firewall is open for port 22, and I disabled the firewall on the client to make sure it wasn't anything like that.

    Any thoughts ?

  10. #10 (joined Feb 2006, UK, 9 posts)
    Sorry - got it to work in the end. The server is sitting behind a Nokia Checkpoint firewall - which is doing a NAT of the public IP to the real internal server IP.

    I suddenly realised that the SSH port forward would need to use the server's real internal IP, and not the public one, as the tunnel will have already gone through the firewall.

    Nice 1 m8 ....... a fantastic post ;-)

  11. #11 BHKai (joined Jan 2007, LA, 4,700 posts)
    Works like a charm.

    Will try to connect outside of the network and see if anything needs to be changed as the directions are for inside the network.

  12. #12 (joined Jun 2007, Private Information, 13 posts)

    a few questions....

    Well, I am running Win 2000 and want an SSH tunnel for security, but I got confused in the instructions, so I have one question.

    1. It says there is client and server software. Does everyone that uses my server need the client software?

    I will have more after I start setting things up more, so... keep a watch.

    thanks
    cimputerwiz3

  13. #13 BHKai (joined Jan 2007, LA, 4,700 posts)
    Yeah, putty is the one that you would want to use for Windows systems. Works really well.

  14. #14 (joined Jun 2007, Private Information, 13 posts)
    That didn't answer my question. My question is: would everyone who wants to connect to my server need to install putty, or would I just need it on one client?

  15. #15 BHKai (joined Jan 2007, LA, 4,700 posts)
    If they are going to be accessing the port through ssh then they will want putty.

    Let me explain what this process is about. You set ssh up so that you can close whatever port you want and be able to access that port through ssh. Meaning, that you must know the password to open the port then you can tunnel a port through the ssh port to access whatever service you want.

    So even if you do not have your router or firewall to allow people to connect to a port, such as the telnet port 51234, you can still access it from using ssh.

    A common setup is that you tunnel the telnet port, possibly the webadmin port (it is not as important as the telnet port but can add some more security), and leave the udp port open so that you do not have to teach every person that wants to connect to your ts server how to use ssh.

    The only people that need to have a ssh client like putty are the ones that need to access ports that are not being forwarded by the router or are closed by the firewall. So when you give someone ssh access you are giving them a seat at your computer so that they can access ports and files that would not be able to be accessed by the "internet zone".

    When setting up make sure to spend time on the permissions section, as you do not want to give them too much permission that they can start changing your section.
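Putting the thread's advice together (the ports from the server.ini excerpt in post #7, the iptables restriction suggested in post #8, the internal-IP lesson from post #10 and the tunnel description in post #15), here is an added example that is not from the thread or from TeamSpeak: the client-side ssh invocation and the host-side iptables rules. The internal IP 10.0.0.5, the user tsadmin, the host ts.example.net and a Linux server are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholder values below; the ports
# match the server.ini excerpt in post #7.
TS_INTERNAL_IP=10.0.0.5     # assumption: the server's LAN address behind the NAT
TS_QUERY_PORT=51234         # TCPQueryPort from server.ini
TS_WEB_PORT=14534           # HTTPServer Port from server.ini
SSH_USER=tsadmin            # assumption
SSH_HOST=ts.example.net     # assumption: public address the NAT exposes

# Build the client-side ssh command. -N opens no remote shell, only the
# forwards. Each -L binds a port on the client's loopback only, so other
# machines on the client LAN cannot ride the tunnel. The forward targets use
# the server's internal IP, because the far end of the tunnel is already
# inside the firewall (the point post #10 ran into).
tunnel_cmd() {
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s -L 127.0.0.1:%s:%s:%s %s@%s\n' \
        "$TS_QUERY_PORT" "$TS_INTERNAL_IP" "$TS_QUERY_PORT" \
        "$TS_WEB_PORT"   "$TS_INTERNAL_IP" "$TS_WEB_PORT" \
        "$SSH_USER" "$SSH_HOST"
}

# Host-side iptables rules (Linux server assumed): accept the query and web
# ports only on the loopback interface, which is where tunnelled connections
# arrive (traffic to any local address is routed over lo), and drop them from
# anywhere else. The UDP client port is untouched, so ordinary users keep
# connecting without ssh. Rules are printed, not applied; review them and
# run them as root to apply.
firewall_rules() {
    for p in "$TS_QUERY_PORT" "$TS_WEB_PORT"; do
        printf 'iptables -A INPUT -p tcp --dport %s -i lo -j ACCEPT\n' "$p"
        printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$p"
    done
}

# With the tunnel up, the admin tools point at the client's loopback:
#   telnet 127.0.0.1 51234        query interface
#   http://127.0.0.1:14534/       web admin
if [ "${1:-}" = "show" ]; then
    tunnel_cmd
    firewall_rules
fi
```

Run it as `sh tunnel.sh show` to print both the ssh command and the rules before using either.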
