Domain: bitvise.com
Stories and comments across the archive that link to bitvise.com.
Comments · 16
-
Re:Windows
The biggest missing solution: - Windows server support. There are some expensive solutions, not sure how well they work.
I've been using the Bitvise sshd server on Windows for about 10 years with no problems. It's free for noncommercial personal use and $100 (plus $20 per year for upgrades) per host for a full license if you're using it for business or commercial purposes. This doesn't seem "expensive" to me, but YMMV of course.
-
Re:VNC over SSH tunnels, public keys, no root logi
-
Re:VNC over SSH tunnels, public keys, no root logi
-
Re:Been trying to switch users for years
Tunnelier is rather good, includes an FTP bridge. Connect to your ssh server, and it listens on localhost for ftp commands, translates and sends them to your server over ssh. Not only means encryption, but also compression (something I often care more about). Will sit in your system tray and auto reconnect if connection drops, and enable all old ftp-only software to talk to an ssh only server. I talk to everything over it, mysql, imap/smtp, even web traffic can be sped up.
-
Re:Any encrypted transmission protocol actually
My, aren't you lazy! First link on Google when searching for "windows SSH": WinSSHD.
As for "native" SSH for Windows, there you have it. No Cygwin at least.
As for "native open source" SSH on Windows, there obviously isn't great demand. Alternative solutions for the same problems have been available longer on Windows: 1) Telnet with NTLM or Kerberos authentication 2) RDP 3) PSEXEC. RDP has native encryption, any of the others can be wrapped in the natively provided Windows VPN/tunneling solutions (PPTP,IPsec,L2TP,SSTP).
-
SSH or stunnel?
http://www.bitvise.com/winsshd It does the job connecting all kinds of platforms/client implementations. It does PKI too.
HP's Compaq line of servers has **excellent** remote admin capabilities.
Push the whole thing over an stunnel and you are good to go.
Implementation is another issue. Publish an email if your budget supports consultants. Errmm. Well, it looks like slashdot is taking the place of a qualified expert, so good luck with that.
-
Re:Just check your access logsI would just run a perl script that does a regex on the access logs for anything that does not match the files that should be delivered to clients. Put the perl script in a cron job and let it run. Sounds like LogCheck. I'm using that; it provides a decent organized daily summary of all access to the server. Also do an MD5 hash on those files regularly and check for any changes to static files. Know any pre-written scripts/software that handle this? The trouble is, you'd have to secure the hashes as well, which gets tricky, plus it doesn't offer any help for regularly changing content or database contents (where a content hack like secretly added JS would probably be inserted). But still, better security for non-changing files seems like a good idea; the chattr +i suggestion above seemed useful, assuming you are keeping your root account safe. And use very strong root passwords, don't let root account login remotely, and use ssh keys with no interactive logins. Strongly agreed WRT SSH keys vs. passwords. Another one: if you use cPanel, or phpMyAdmin, or Tomcat's management console, anything like that -- ONLY let it bind to 127.0.0.1 and use SSH tunneling to connect. There's simply no reason to let these listen to public IP if you don't want the "public" accessing & exploiting them.
SSH tunneling is easy to set up; if the PuTTY instructions are too complex, try the BitVise Tunnelier (free as in beer ONLY), it's super-simple. Map local port 10000 to 127.0.0.1:10000 on the host (cPanel example) and you're all set. -
Re:Well...
Furthermore, if you need to tunnel through a firewall that requires windows authentication, you can use http://ntlmaps.sourceforge.net/ to act as the proxy for that. You may also have to tunnel over port 443 (SSL) instead of 80, since some proxys will only allow encrypted traffic over that port. That is where it is nice to be able to use something like OpenBSD's pf at the other end to redirect traffic from ie. 443->22. Then it is just a matter of setting up the local/remote port tunneling in your ssh client.
If you want to get really fancy, you can even access your home PC through SMB using port-forwarding and a loopback device (on windows) using http://www.bitvise.com/file-sharing.html (I even set up my home printer so that I can print directly to it from apps at work)
I find I can also stream music reliably over my 64kB upload over ssh using Shoutcast and transcoding to AAC plus (with 48kbps sounding great). Then you can use VideoLan or Winamp, or there is even a Mediaplayer plugin for listening.
Just make sure you're absolutely honest about what you're doing, if you're doing it at work. Getting caught out on something like this would be deadly.
I make sure to mention very matter-of-factly to my bosses what I'm up to, and would back off if anybody even looked at me funny over it. -
changeover costs = a lot
First of all, I think you should just look at keeping the existing system, just improve it. Changeover cost in hardware/software is going to be high, even if it's free software. Here's what I'd do to try to stay with Windows 2k or XP (throw this all out if you're on 98/ME and get a real OS!):
1. Antivirus
First of all, why no antivirus? Any reasonable Win2k/XP system should be able to run one. If you want something with very low cpu impact, try Eset's Nod32. Also exclude the directory that the DVR uses to write the videos from virus checks. The videos are unlikely to get infected, and virus checking on those directories will just muck things up. (I'm assuming that this is why you aren't using antivirus.) But everything else then can be protected.
If you have licenses for *any* antivirus product, try it again with excluding the videos directories. Any antivirus product worth more than a warm bucket of spit should be able to do that.
2. Disable services.
Disable every unneeded service on these machines. A *lot* of them shouldn't be on. These systems should be doing practically nothing but writing video files (ok maybe some backups, or transferring files to another server for backups). A decent guide to this is here: http://www.theeldergeek.com/services_guide.htm.
3. Consider turning off Windows networking.
Disabling SMB/Netbios calls should stop most viruses/worms/etc. If you need to transfer data for backups and such, use SSH and SFTP instead. SFTP is what you'd use on a Linux/Unix system, and is *much* more secure.
Free Win32 SFTP client:
http://winscp.net/eng/index.php
Free Win32 SFTP server:
http://itefix.no/copssh
Nice, and not too expensive pay SFTP client (Tunnelier) and server (WinSSHD):
http://www.bitvise.com/
(And you shouldn't be getting email-borne viruses -- these systems shouldn't be used for email.)
You can also use SSH on this to restrict all kinds of other access as well, while providing VPN-style access. Very, very nice. (e.g. you can only Remote Desktop or VNC through SSH)
4. Block ports and such, and firewall it.
Setup a firewall between these systems and the outside world. Restrict ports to *only* those needed (e.g. SSH on port 22). If possible, restrict outgoing data to *only* those IP addresses that need access. Yeah, IPs can be falsified, but it's an extra layer of defense.
You could do this through a software firewall, or even just some cheap $20 hardware firewall boxes.
The XP firewall is better than nothing, but it's only incoming. Much better incoming/outgoing freebie firewalls are available from these companies:
http://www.wyvernworks.com/firewall.html
http://www.jetico.com/
(I'd probably do the hardware firewall, but if you're cash is tight, or the time/cost of installing all these extra hardware boxes is high, at least deploy a software firewall.)
5. Other Windows hardening options
You can also try these two freebie Windows hardening programs. They probably aren't perfect, but they help:
Harden-it: http://www.sniff-em.com/hardenit.shtml
Secure-it: http://www.sniff-em.com/secureit.shtml
And decent googling should turn up lots of different hardening guides to Windows as well.
After these you should have antivirus, you're blocking ports, you've disabled almost all virus vectors, and should have systems that are reasonably secure and stable.
Yeah, you have Windows and not sexy or politically correct OSS. But it's what you have. If you can make it work, use it. Fixing up your Windows boxes is probably a lot less time and money than swapping over -
A few good pieces of software
Tunnelier is about the best tunneling program out there:
http://www.bitvise.com/tunnelier.html
Also be sure to check out the SwitchProxy extension for Firefox:
http://mozmonkey.com/
...Michael... -
FYI speakfreely
I have used this program before to make "secure" point to point voice calls with friends.
http://www.speakfreely.org/
How hard can it be to encrypt packets? How hard can it be to tunnel the VoIP through an SSH tunnel?
So, my free solution here would be to install OpenSSH (yes there is one for windows and its free) and putty. Then you just redirect the port of the VoIP thing and that's it. You just have another setup like that in the other end.
http://sshwindows.sourceforge.net
http://www.chiark.greenend.org.uk/~sgtatham/putty/
Now for a commercial SSH tunnel, use Tunnelier.
http://www.bitvise.com/products.html
Now, I know that in government or any private company or industry money MAY BE a limitation... This is cheap and it has good licensing schemes, so no "buts."
Your IP phones are belong to us... (the unencrypted ones at least) get it?
Have a good one. -
I prefer WinSSHd with RDP
I prefer to use WinSSHdhttp://www.bitvise.com/winsshd.html to create an SSH connection to my XP box and then use Remote Desktop through the SSH. Seems more secure to me and of course, I run the SSHd on an off the wall port so it's not in a normal scan. If you use the SP2 firewall, you don't have to have remote desktop or the 3389 port enabled, only the SSHd port that you have selected.
-
Bitvise WinSSHD
Try out WinSSHD from Bitvise.
I've had very good experiences with this one, and it's got a 30 day evaluation program. -
Bitvise WinSSHD
I use Bitvise WinSSHD.
Aside from dropping you straight to the Win2k command prompt, it has
- Secure remote access via console (vt100, xterm and bvterm supported)
- Secure remote access via GUI (WinVNC or XP Remote Desktop required)
- Secure file transfer using SFTP and SCP (compatible with all major clients)
- Secure TCP/IP connection tunneling (port forwarding)
-
OpenDirectory Says. . ..
The OpenDirectory (or at least Google's listing of it) gave me a list of two SSH servers (not exactly comprehensive I admit but. . .
.)
One of which was WinSSHD which has a $95 business license. -
Bitvise is nice and reasonably priced
I've been running a Bitvise WinSSHD server for a while and it works just fine. Integrates with the Windows login also, which is a nice plus. Easy to install, configure, and use.