I'm running Windows Server 2012 on EC2 and I have users who RDP in from multiple physical locations, i.e. logging on from mobile hot-spots and home ISPs with dynamic IPs.
For security, I'm working on the AWS security group and wanted to avoid using 0.0.0.0 for the inbound RDP source, but I'm not sure if I can specify the wide range of IPs that my users will be using. I have about 3-4 users at this time. What would be the best way to reduce the security risk? Thanks!
I would suggest running RDP over an SSH tunnel and/or setting up a VPN.
In both cases, you can limit the open RDP port to either the SSH gateway or the VPN network.
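As an added example (not code from the original thread), a small Python audit that flags the 0.0.0.0/0 RDP source the question wants to avoid and shows the rule set narrowed to the SSH gateway or VPN address the answer recommends. The security-group data is a constructed sample shaped like the IpPermissions list returned by EC2 describe_security_groups, and 203.0.113.10/32 is a placeholder gateway address.

```python
import ipaddress

RDP_PORT = 3389
WORLD = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))

# Constructed sample shaped like the IpPermissions list that
# ec2.describe_security_groups returns: RDP open to the world,
# SSH already scoped to a single (placeholder) gateway address.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
]


def rule_covers_port(rule, port):
    """True if the rule's protocol/port range includes `port`."""
    if rule["IpProtocol"] == "-1":        # "all traffic" rule has no ports
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]


def world_open_rdp_sources(permissions):
    """Return every source CIDR that exposes RDP to the whole internet."""
    exposed = []
    for rule in permissions:
        if not rule_covers_port(rule, RDP_PORT):
            continue
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        exposed += [c for c in cidrs
                    if ipaddress.ip_network(c, strict=False) in WORLD]
    return exposed


def scope_rdp_to(permissions, allowed_cidr):
    """Copy of the rules with each RDP rule's source replaced by `allowed_cidr`,
    e.g. the SSH gateway's /32 or the VPN subnet from the answer."""
    net = ipaddress.ip_network(allowed_cidr, strict=False)
    v6 = net.version == 6
    scoped = []
    for rule in permissions:
        rule = dict(rule)                 # shallow copy; originals untouched
        if rule_covers_port(rule, RDP_PORT):
            rule["IpRanges"] = [] if v6 else [{"CidrIp": str(net)}]
            rule["Ipv6Ranges"] = [{"CidrIpv6": str(net)}] if v6 else []
        scoped.append(rule)
    return scoped
```

Running `world_open_rdp_sources` against the live output of describe_security_groups gives a quick check that no RDP rule was left open to the world after the tunnel or VPN is in place.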
I am getting a connection timeout when I try to SSH to my Azure VM on a specific ISP, but not on any other ISP. I did notify them about this issue, but they do not know what the issue might be.
I also tried to create a new rule to open port 22 on the Windows machine, followed all Azure troubleshooting methods, and disabled my firewall, but nothing seems to work; it only works when I connect through a different ISP.
Please take note that the ISP through which you were trying to connect to your Azure VM over port 22 via SSH blocks that port on the public internet owing to various server-side vulnerabilities. The vulnerabilities that the SSH server side is prone to include port forwarding, unauthorised SSH access, vulnerable SSH configuration, pivoting and unpatched SSH software. Along with port 22, most ISPs also block SMB port 445 on the public internet owing to frequent and hot instances of brute-force as well as software-manipulation attacks. Since users are not known to take appropriate security measures for avoiding such attacks, the ISPs block both inbound and outbound traffic on these ports altogether.
You can check by connecting through some other ISP or by using cell-phone internet, as these ports are not blocked there.
I am trying to set up my JMeter master/slave setup on AWS EC2 instances using Windows. Out-of-the-box integration didn't work (connection refused errors), and after some investigation I got to know that RMI communication only works if the machines are on the same subnet (is this true?). I found this great article and tried to follow it as-is on Windows (tried running SSH port-forward tunnelling via Cygwin), but did not have any luck. So I was hoping someone who has already done this with Windows can share their experience.
Out of the box integration didn't work (connection refused errors) and after some investigation I got to know that RMI communication only works if the machines are on same subnet (is this true?)
It is not necessary. Even if the machines are in different subnets and addressable via the network, RMI should work. Here, make sure the Security Groups and NACLs are properly set so that both EC2 instances can communicate with each other over the network.
You can check whether you can ping from one EC2 instance to another (for this you need to enable ICMP in your Security Groups, and also make sure the other ports needed for RMI are opened). If the servers can communicate with each other, then you need to troubleshoot the internal firewall configuration on the Windows EC2 instances.
We have used the https://testable.io/ AMIs from the marketplace. It takes care of all the configuration, and you only need to worry about testing and the results.
https://aws.amazon.com/marketplace/pp/B073JNTVKP
All our endpoints are secured to certain IP ranges from testable.io. If you have an internal setup, you still need to set up those security settings.
Hope it helps.
I need to block all IPs on a network and give unrestricted access to 3-4 computers.
So I have created an IPsec policy as follows:
IP List 1: added the 4 IPs and associated a Permit filter action
IP List 2: added Any IP Address and associated a Block filter action
After adding this policy, the application (using socket communication for IPC on the local machine) is working fine on a Win7 machine, but not on a Win2k8 machine.
Please note that for interprocess communication within a machine we use sockets.
When we enable the block filter for all IPs in the IPsec policy, if there are programs that use the local machine's own IP, e.g. 10.78.78.78 connecting to 10.78.78.78 (both server and client application on the same machine) for interprocess communication, then we had to add a firewall exception exempting authentication between the same machine's IPs.
I have a scenario where I have a Windows VM in Windows Azure that needs to connect to an external customer network (and connect to a database that is not in Azure).
This traffic is uni-directional in that it is only my VM that needs to connect to the customer's databases and not the other way around. Site to site is managed on Azure, which I cannot really test locally.
Conceptually, connecting to the customer's network via a point-to-site VPN seems more suitable (by creating the VPN connection in Windows itself via the network config).
The customer prefers site-to-site even though they don't need to connect to my VM. Am I missing something?
In point-to-site, you have to connect to the network you want to access manually. Usually, if you log off or restart the workstation it loses the connection, and you have to reconnect every time. It's common to use this type of VPN when we are working remotely and need to access our company assets. The channel is bi-directional, but it's 1-to-many.
Site-to-site is used when you want to connect two networks and keep the communication up all the time. It's also bi-directional, but it's many-to-many and stays up no matter if your server/workstation is running or not because the connection is established through a network gateway and not from the computer operating system.
In Azure, the Virtual Network Gateway is the platform providing both functionalities. You can configure site-to-site to connect to your customer network. If this network is not running in Azure, they usually have an appliance to establish dedicated tunnels. As long as it supports IPsec IKE, you are good to go.
If you are using the VM in Azure as a workstation, then point-to-site may be enough, but if your application needs to get data from the customer database automatically, with or without someone logged in to the VM, then site-to-site is the better approach.
A better explanation can be found here.
I have set up a new NAS using OpenMediaVault. I have installed the Webmin extension to get to the web GUI for configuration. My problem is that I have to be on the same network as my NAS. How can I connect to my NAS from a different network than the one it is connected to? On the network it is connected to, its address is 192.168.0.99:1000 for the Webmin GUI. How can I access this from a different network?
Set up a VPN to connect to the network that your NAS is on. Once the VPN is connected, you can connect to the NAS as if you were on the local network.
You could also possibly set up firewall and/or port-forwarding rules, depending on how your network is set up, but please consider the security issues when doing so.
You could alternatively also try to open up the NAS and give it a public IP address and a DNS name. This will allow you to set up SSH and FTP as if it were any other server.
To SSH remotely over the internet, you need either a permanent IP address or a domain name that is updated to point to the IP address when it changes. The latter requires a dynamic domain name service. A good free one is DuckDNS (duckdns.org). First, use one of the sign-in options such as Google. In the domain line enter your preferred subdomain name.
There is a great guide on how you can do this here: https://forums.freenas.org/index.php?threads/how-to-how-to-access-your-freenas-server-remotely-and-securely.27376/