Hi All,
I have taken over the IT management for a business that has, for want of a better expression, a load of 'branch sites' and I would like to be able to get remote access into those via SSH (I can then use the SSH tunnel to access other endpoints in our branch network).
The 'branch sites' are generally just one person, in some cases two or three, that are using a room in an office owned by another business (often a supplier or customer). In some cases, we have our own internet connection, in which case I can access the router, setup remote access / port forwarding etc, but in most we do not, and run our router sitting 'inside' the other business' router to give our staff internet access, but not access to the other business' network. We cannot access those routers remotely, and I'd prefer not to try getting ports forwarded through to our router for remote access, as it will get messy / awkward (we don't want to make the arrangement a hassle for the other business as we are often paying little to nothing in rent), and each one would likely be different.
We could use remote access software, but there is no budget for it, and no prospect of getting one in the foreseeable future, so I am looking for a way to make my life easier than having to rely on talking the remote staff through things as the only option, and to let me access the branch endpoints even when our staff are not in their office (which is often for days at a time).
Our branches each have a Raspberry Pi in it, running software to allow one or more desk-phones to connect to our phone system. Those Raspberry Pi units are very much under utilised, so they could easily do double-duty. I can setup a new Raspberry Pi for each location, and get it sent out to the branches - they can then send me back the one they already have, so I will only need one spare unit (already have a couple of spare Raspberry Pi 4 Model B units anyway), although it might take a while to do this with all branches, but I can live with it taking a while - we'll get them all done eventually.
I am thinking of doing the following, but I wanted to run it past others here to see if anyone spots a glaring security or other issue:
1) Install AutoSSH on the Raspberry Pi to connect back to a machine here at head-office.
2) Setup crontab to run AutoSSH upon reboot (so it is always running).
If I need to connect to a branch office LAN, I can initiate a 'reverse SSH' connection from the machine here at head-office, and get an SSH prompt on the Raspberry Pi at the branch. If I needed to access something else on the branch-office network, I can use 'SSH Remote Forwarding' to get through to the other endpoint (PC, desk-phone, printer etc). This works fine - I have tested it, and no issues, and there is no problem or impact with the 'phone function' of the Raspberry Pi.
However, it feels very insecure in that I would now have multiple connections, from outside, into a machine in our LAN, so I am thinking of doing the following to make it, hopefully, secure:
3) Make the destination for the SSH connections (the machine at head-office) be a VM that is generally powered off - that way, normally, there is no actual tunnel into our network.
4) Make the user that is connected to on the VM be different for each branch office (and each with a unique password). That way, I can have all the users disabled by default, and only enable a given user after booting up the VM.
5) Have a separate hostname to be used by each branch office. This is really 'obscurity', rather than true security, but I figure no harm - it is only a once off setup anyway.
6) Use a different port number for each branch office to connect to our head-office. Again, this is really 'obscurity', rather than true security, but I figure no harm here either, and also only a once-off setup.
If I ever want to completely disable access for a given branch office, I can:
- Disable (or delete) the hostname
- Close (or delete) the port forwarding on our head-office router to the VM
- Disable (or delete) the unique user for the branch office
Under normal circumstances, disabling the unique user feels sufficient, but I could easily do all three if others feel that disabling the user is not sufficient.
I am thinking that the risk is really only if someone gains access to the Raspberry Pi anyway, and that is relatively unlikely to happen, but I have to assume at some point that someone will walk off with one (for example, if the other business gets burgled, all of our onsite kit might get stolen along with theirs).
What are your thoughts? Have I missed something really obvious that makes this a significant security risk?
Thanks,
Alan.
I have taken over the IT management for a business that has, for want of a better expression, a load of 'branch sites' and I would like to be able to get remote access into those via SSH (I can then use the SSH tunnel to access other endpoints in our branch network).
The 'branch sites' are generally just one person, in some cases two or three, that are using a room in an office owned by another business (often a supplier or customer). In some cases, we have our own internet connection, in which case I can access the router, setup remote access / port forwarding etc, but in most we do not, and run our router sitting 'inside' the other business' router to give our staff internet access, but not access to the other business' network. We cannot access those routers remotely, and I'd prefer not to try getting ports forwarded through to our router for remote access, as it will get messy / awkward (we don't want to make the arrangement a hassle for the other business as we are often paying little to nothing in rent), and each one would likely be different.
We could use remote access software, but there is no budget for it, and no prospect of getting one in the foreseeable future, so I am looking for a way to make my life easier than having to rely on talking the remote staff through things as the only option, and to let me access the branch endpoints even when our staff are not in their office (which is often for days at a time).
Our branches each have a Raspberry Pi in it, running software to allow one or more desk-phones to connect to our phone system. Those Raspberry Pi units are very much under utilised, so they could easily do double-duty. I can setup a new Raspberry Pi for each location, and get it sent out to the branches - they can then send me back the one they already have, so I will only need one spare unit (already have a couple of spare Raspberry Pi 4 Model B units anyway), although it might take a while to do this with all branches, but I can live with it taking a while - we'll get them all done eventually.
I am thinking of doing the following, but I wanted to run it past others here to see if anyone spots a glaring security or other issue:
1) Install AutoSSH on the Raspberry Pi to connect back to a machine here at head-office.
2) Setup crontab to run AutoSSH upon reboot (so it is always running).
If I need to connect to a branch office LAN, I can initiate a 'reverse SSH' connection from the machine here at head-office, and get an SSH prompt on the Raspberry Pi at the branch. If I needed to access something else on the branch-office network, I can use 'SSH Remote Forwarding' to get through to the other endpoint (PC, desk-phone, printer etc). This works fine - I have tested it, and no issues, and there is no problem or impact with the 'phone function' of the Raspberry Pi.
However, it feels very insecure in that I would now have multiple connections, from outside, into a machine in our LAN, so I am thinking of doing the following to make it, hopefully, secure:
3) Make the destination for the SSH connections (the machine at head-office) be a VM that is generally powered off - that way, normally, there is no actual tunnel into our network.
4) Make the user that is connected to on the VM be different for each branch office (and each with a unique password). That way, I can have all the users disabled by default, and only enable a given user after booting up the VM.
5) Have a separate hostname to be used by each branch office. This is really 'obscurity', rather than true security, but I figure no harm - it is only a once off setup anyway.
6) Use a different port number for each branch office to connect to our head-office. Again, this is really 'obscurity', rather than true security, but I figure no harm here either, and also only a once-off setup.
If I ever want to completely disable access for a given branch office, I can:
- Disable (or delete) the hostname
- Close (or delete) the port forwarding on our head-office router to the VM
- Disable (or delete) the unique user for the branch office
Under normal circumstances, disabling the unique user feels sufficient, but I could easily do all three if others feel that disabling the user is not sufficient.
I am thinking that the risk is really only if someone gains access to the Raspberry Pi anyway, and that is relatively unlikely to happen, but I have to assume at some point that someone will walk off with one (for example, if the other business gets burgled, all of our onsite kit might get stolen along with theirs).
What are your thoughts? Have I missed something really obvious that makes this a significant security risk?
Thanks,
Alan.
Statistics: Posted by Alan2409 — Tue Sep 10, 2024 1:48 am