This is just an update about my recent questions regarding how to transfer files reasonably securely (as in system security rather than confidentiality of file content) from a remote unattended system.
I have what seems to me to be a satisfactory solution that also makes some other things a bit easier.
While hunting around for ideas and solutions for this and other issues I came across an explanation and examples of the use of ProxyCommand in the ssh config file. This has provided me with my solution.
Just to recap, the remote system is a Beaglebone Black running Ubuntu which is on our boat in France monitoring temperatures, battery voltages, etc. It's connected to the internet via a WiFi hotspot so is behind a NAT router (presumably) and a firewall which are out of my control.
So, to make the BBB accessible it runs an ssh tunnel to an intermediate system (my web hosting provider) where I have an ssh login account. To maintain this connection through power failures and/or other glitches I run ssh on the BBB using autossh:-
autossh -N -R ?????:localhost:22 -l isbdnet3 <host on the internet>
(port number masked to ??????, there's a real number there of course)
To connect from home to the BBB I used to ssh from home to <host on the internet> and then from there, via the tunnel, to the BBB. The reason for the intermediate system is that my home firewall only allows connections from <host on the internet> and a couple of other specific IP addresses. (This is to protect my home system from long term attacks using ssh)
Adding a ProxyCommand to my ssh config at home allows me to connect 'directly' from my home system to the BBB, the line is:-
Host bbb
    ProxyCommand ssh <host on the internet> nc -q0 localhost ?????
Now I can just 'ssh bbb' and it goes straight to the BBB.
Even better and more importantly it means that I can use sshfs to mount a directory from the BBB onto my home system, thus I can:-
sshfs bbb:tmp odin
... and the files being stored in ~/tmp on the BBB appear on my home desktop in ~/odin. This means I can manipulate them as required (which means add the values to a database) *and* when this has been done I can delete them safely, ideal! :-)
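As an added example (not from Chris's or Steve's messages), here is the same reverse-tunnel arrangement written out as configuration with a few defensive extras: ProxyJump (OpenSSH 7.3 or later) in place of the nc-based ProxyCommand, keepalives so autossh and sshfs notice a dead tunnel, and an authorized_keys entry on the intermediate host that lets the BBB's key open only that one reverse forward. The alias `hosting`, the file paths and the key comment are assumptions; ????? stands for the masked port from the post.

```sshconfig
# --- Home machine: ~/.ssh/config (assumed path) ---
Host hosting
    HostName <host on the internet>
    User isbdnet3

Host bbb
    # "localhost" is resolved on the jump host, i.e. the listening end of the tunnel
    HostName localhost
    Port ?????                 # the masked reverse-tunnel port from the post
    ProxyJump hosting          # stands in for: ProxyCommand ssh hosting nc -q0 localhost ?????
    HostKeyAlias bbb           # keep the BBB's host key separate from other [localhost]:port entries
    ServerAliveInterval 30     # a dead tunnel is noticed instead of leaving sshfs hung
    ServerAliveCountMax 3

# --- Intermediate host: ~/.ssh/authorized_keys entry for the BBB's tunnel key (assumed) ---
# restrict switches everything off; port-forwarding switches forwarding back on;
# permitlisten limits the -R side to this single loopback port (OpenSSH 7.8 or later);
# command= means a key lifted from the BBB gives no usable shell on the hosting account.
restrict,port-forwarding,permitlisten="localhost:?????",command="/bin/false" ssh-ed25519 AAAA...PLACEHOLDER-BBB-TUNNEL-PUBLIC-KEY bbb-tunnel

# --- BBB: the autossh line from the post, with keepalives and fail-fast on a busy port ---
# autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
#         -o ExitOnForwardFailure=yes -R ?????:localhost:22 -l isbdnet3 <host on the internet>
```

ProxyJump relies on TCP forwarding being allowed for the hosting account (AllowTcpForwarding in its sshd_config), which the nc-based ProxyCommand does not; if the provider disallows it, keep the original ProxyCommand line and the rest still applies.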
On 15/06/14 11:04, Chris Green wrote:
This is just an update about my recent questions regarding how to transfer files reasonably securely (as in system security rather than confidentiality of file content) from a remote unattended system.
[SNIP]
To connect from home to the BBB I used to ssh from home to <host on the internet> and then from there, via the tunnel, to the BBB. The reason for the intermediate system is that my home firewall only allows connections from <host on the internet> and a couple of other specific IP addresses. (This is to protect my home system from long term attacks using ssh)
Glad you found a solution to your problem.
As you mention protecting your home system from ssh attacks, that made me think, so I just thought I'd mention it.
There are various articles on making ssh as secure as possible by doing various things; the highest of them is preventing root login (and limiting ssh login to specific users or groups). I presume you've done all that stuff. If not, have a google!
I used to get loads of people trying to log into my ssh server, that is until I moved it to another port. I know "security through obscurity" isn't the best policy, but I found that I went from tens of login attempts a day to one every month or two. You may want to try this if you're not already.
You could try running DenyHosts (or possibly Fail2ban). It monitors the log files for repeated failed login attempts, and if it finds any, it adds a firewall rule to block the originating IP address for a while. Every little helps.
Please forgive me if you've already got all this covered, but I thought it might be helpful to mention it just in case, or in case anyone else is interested.
Cheers Steve