DDNS, NAS, and security

We have a D-Link DNS-321 that we use as our home office server. We occasionally take work on the road with us, and would like to be able to remotely access our entire server.

The D-Link has a DDNS section where I can put in a server address, host name, username and password. I purchased a DynDNS Pro account to link to.

I changed the username/pass combination on the DNS to something more secure than admin/admin (i.e., mixed caps, numbers and characters, no words), and will set the hostname/password on the DDNS side to something secure as well.

I’m at the point where I need to forward ports on our router, and this is where I’m looking for some guidance and security reassurance.

First, I’m a bit unclear as to which ports to forward. Second, are there security issues I should be aware of? The passwords, etc. on the DDNS and local side should survive a brute-force attack, but is that enough? Or in our quest for access am I leaving wide-open doors? Lastly, should we avoid connecting in certain environments, or can we safely connect at airports, coffee shops, hotels, etc.?

Thanks,

Rhythm

You need to set up the device as an FTP server. This is detailed on pages 31 onwards of the manual.

And after you activate the FTP server, you need to forward TCP port 21 on your router to the 321.

Or you could pick a more obscure port – say, 4523 – and forward that port on your router’s external interface to internal port 21 on the 321 device. This has the benefit of “security by obscurity” – the standard port for FTP is 21, and by using FTP over an oddball port you make yourself slightly safer from port scanners.

Slightly.

FTP is a plain-text protocol, so it does come with some risk of eavesdropping.

I have a DNS-323 (close relative of DNS-321) and I use Macs for the most part.

Anyway, I prefer using ssh instead of open FTP to ensure that everything is encrypted. In addition, I prefer not using password authentication. Since I am connecting with a Mac, I simply use public/private keypairs for the authentication.

I also prefer to run the ssh daemon on an obscure port, as Bricker mentioned for FTP. No, you aren’t fooling anyone, since a telnet to the port will still result in “ssh” being displayed, but at least you avoid having thousands of log entries from robots in Russia pinging your standard ssh ports.

I glanced at the manual for the DNS-321 and see that it doesn’t come with SSH out of the box, so in order to get this, you would have to hack it, but that’s not a difficult nor a hazardous thing to do.

The DNS-321 and DNS-323 firmware have a special hook in the OS that looks for a specific script called “fun_plug” that you place in a designated location on the hard drive. Somewhere during the boot process, your own “fun plug” script is called, and that’s where the real fun happens. The script can easily load up some services, such as ssh, that are not normally available on your device.

If you are a command line commando, take a look at the Fonz Fun Plug for the real deal.

If you are still reading this and are interested in such a configuration, let me know. It’s quite painless, though it sounds complicated.
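As an added example (not code from this thread, from D-Link, or from the Fonz Fun Plug project), here is a small POSIX sh audit of an sshd_config that checks for the three settings the post above recommends: a non-default port, password logins off, and key authentication on. The port 4523 is the value suggested earlier in the thread; the function names and the first-match parsing rule are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings recommended above.
# Usage: audit_sshd_config /path/to/sshd_config ; exit status 0 = all three OK.

# Print the effective value of a directive. sshd honours the first
# uncommented occurrence of a keyword, so that is what we return.
sshd_get() {
    # $1 = config file, $2 = directive name (matched case-insensitively)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) && val == "" { val = $2 }
        END { print val }
    ' "$1"
}

audit_sshd_config() {
    cfg="$1"
    rc=0
    port=$(sshd_get "$cfg" Port)
    pass=$(sshd_get "$cfg" PasswordAuthentication)
    pubkey=$(sshd_get "$cfg" PubkeyAuthentication)

    # sshd defaults when a directive is absent:
    # Port 22, PasswordAuthentication yes, PubkeyAuthentication yes.
    [ -z "$port" ] && port=22
    [ -z "$pass" ] && pass=yes
    [ -z "$pubkey" ] && pubkey=yes

    if [ "$port" = "22" ]; then
        echo "WARN: sshd listens on the default port 22 (expect scanner noise in the logs)"
        rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "FAIL: PasswordAuthentication is '$pass'; set it to 'no' and log in with keypairs"
        rc=1
    fi
    if [ "$pubkey" != "yes" ]; then
        echo "FAIL: PubkeyAuthentication is '$pubkey'; key logins would be refused"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: port $port, password logins off, key auth on"
    return "$rc"
}
```

Run it against the config the fun_plug script installs before exposing the port on the router; a non-zero exit means at least one of the three settings is still at its weaker default.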

You should assume that anyone can intercept all of the traffic between your remote location and your home server. Using a reasonably good form of encryption will make it more trouble than it is worth for most people to get anything useful from the data they intercept.

However, that means encrypting everything. This can have a moderate to severe impact on performance depending on what the hardware is. Your PC should be OK, but the average home router was designed with the cheapest possible CPU to get the job done.

The easiest thing would probably be to set up what is called a “zero footprint VPN”. There is a hardware box you put on your home network, and then you access it via your web browser. After providing a username and password, it establishes an encrypted tunnel between the remote PC and your home network - your remote PC will actually look like it is on your home network, with all services available.

One thing to watch out for - if you are running a 64-bit operating system like the 64-bit versions of Windows Vista or 7, most of the web-based VPNs as described above don’t work. In that case, you may need to install a VPN client (program) on your remote PC and use it to log in. Once you do that, things should work as I describe above.

Also, remember that most home Internet service is set up to provide more bandwidth (speed) in the direction from the rest of the world into your home, with a much slower connection when sending from your home to the rest of the world. That makes perfect sense when you consider things like web browsing - you ask for cnn.com and a whole screenful of stuff comes back. So don’t expect speeds like you see at home while you’re on the road.

Sounds like there is security concern on two fronts: interception during transfer and break-ins during the day. Looks like I have a bit more research to do to balance things out. (Things are a bit slow office-wise at the moment; recuperating from a couple weeks in the hospital so not much is getting done in a day–sorry if there is a delay here).