Very Computer

>>My problem is that I have several customers at large corporations which
>>have firewalls that block outgoing access to my machine. Is anything
>>there I can do to make it possible for them the access my machine, moving
>>to another port. Is there anything that they can do? I'm open to
>>suggestions?

> Stay on standard ports, perhaps try https -- going to non-standard ports
> may give one an illusion of security, but it is still the old 'security by
> obscurity' -- non-viable as you have seen.  You're lumped in with the
> copyright breakers and evil file sharers on strange ports...

> Grant.

>>>My problem is that I have several customers at large corporations which
>>>have firewalls that block outgoing access to my machine. Is anything
>>>there I can do to make it possible for them the access my machine, moving
>>>to another port. Is there anything that they can do? I'm open to
>>>suggestions?

>> Stay on standard ports, perhaps try https

>>We have home offices. I have a business DSL line with a single static IP
>>and a registered domain. I have a half dozen Linux machines which I use
>>for development and as file servers.

> OK - look at the address you are using on that domain. If you do a DNS
> lookup of the domain name, you get an IP address. If you then do a second
> lookup - this time of the IP address, does it return your hostname, or
> some generic stuff (generic defined as a hostname that contains the IP
> address in some form such as 192.0.2.22 ->
> dsl-192-000-002-022.provider.com or similar).  Second, look up the IP
> address in the various RBL lists - one way being
> http://www.TQMcube.com/rblcheck.htm   (uses tables) and see that the
> provider is clean.  We've null-routed quite a number of providers because
> of spam problems - some of them being quite large. In a couple of cases,
> we've had to cut holes to "whitelist" some entity that has chosen a poor
> provider.  I know you can't get a direct assignment from an RIR, but see
> if your provider will SWIP the address to you, or at least list you on
> their rwhois server.  That builds confidence not only in network security
> types, but also mail administrators.

>>I have two dedicated servers that connect to the Internet though ssh. One
>>server, on port 22, is our CVS server. That server is accessed by my
>>partners and me and is used to collaborate on development. The only
>>machines that are authorized to connect to it (I use RSA authorization,
>>passwords are disabled) belong to me and my partners.

> OK, with a single address, I can see your problem.

>>The other machine is my release server, which has ssh mapped to a high
>>port number.

>>Each customer has a user account on the release server. I place code
>>releases for them in their accounts.

> I don't know what your threat model is, yada, yada, yada. You want to
> separate the two SSH servers - that's fine.  If all your customers can do
> is download AND NOTHING ELSE, I'd suggest having a strong username and
> password setup for each, set permissions so that they can't do anything
> except download, and then leave it on 22. I'd have the CVS server using
> the non-standard port number, as your people would be minimally
> inconvenienced. That would appear more on the "up-and-up" to the paranoid
> net security types.

> The bit about "strong username" - do your customers have a frequent need
> to be connecting? Would writing down the username and password be
> something normal (mainly because of infrequent use)?  If so, consider
> generating usernames the way we _used_ to generate initial passwords.
> Either 'head -2 /dev/random | uuencode /dev/stdout' or 'head -2
> /dev/random | mimencode'  and in either case, select a string that begins
> with a letter consisting of letters and numbers only.  Using mixed case
> would increase security and is permitted by most systems, but probably
> should be avoided to prevent confusing the users.  While you're at it -
> there is also the password a little further into the string.

>>I've also set the privileges on all accounts to 700 so that no customer
>>can see the content of any other customer's directory.

> Do they _need_ to be writable by the customers?

>>For the startups this setup works fine. For the big companies this
>>doesn't work because their firewalls don't permit them to access my
>>server. The work around so far is that my customers at these companies
>>have used their home machines to access the server.

> That doesn't work here - we don't allow _any_ access to the home systems
> from our network.  I can't say much more than that.

>>I've tried moving the port to 20 (FTP) figuring that a company is
>>unlikely to block FTP, but that didn't work.

> You'd have to ask them why, but depending on your provider, I can't see
> any reason why that wouldn't work. Of course if your address is in the
> middle of SpammersRus.com, there would be problems.

>>Does anyone have any suggestions about a means for providing access to
>>releases to customers at big companies? My requirements are 1) Reasonably
>>straight forward access for my customers. 2) Good security for me. 3)
>>Runs on Linux.

> From my view, clean address, resolves both ways, and a known port would
> _probably_ get the best results.  Security for you comes from having good
> usernames. and running on up-to-date Linux (or similar).

>         Old guy

> I think your best bet will be to get another global IP address for your
> release server. Then your customers would be able to connect using the
> standard port and everybody is happy. You could do that in a number of
> ways, of course. One would just be to ask your ISP to delegate a larger
> block of static IP addresses. You obviously have a legitimate need, so in
> exchange for a few dollars per month the ISP should oblige. Another idea
> would be to move your release server to a data center and get a static
> address there.

> Both of these solutions would be very clean and seem to present the
> simplest possible path. There are less clean solutions that could let you
> differentiate traffic to the same standard port, but why complicate
> things? As for the security of sshd on the standard port, random usernames
> and good passwords are a good first stp. You could do more, but it depends
> on the sophistication of your users, or maybe you could factor that out by
> building the update function into the software itself? Just some thoughts.

> Medgya

> I have a small company (3 man) that provides IP for FPGAs and ASICs. Our
> customers are all over the world and range from startups to fortune 500
> corporations.

> We have home offices. I have a business DSL line with a single static IP
> and a registered domain. I have a half dozen Linux machines which I use
> for development and as file servers.

> I have two dedicated servers that connect to the Internet though ssh. One
> server, on port 22, is our CVS server. That server is accessed by my
> partners and me and is used to collaborate on development. The only
> machines that are authorized to connect to it (I use RSA authorization,
> passwords are disabled) belong to me and my partners. The other machine is
> my release server, which has ssh mapped to a high port number.

> Each customer has a user account on the release server. I place code
> releases for them in their accounts. The only networking service on this
> machine is ssh, there are no legacy servers installed and all of the other
> machines on my network have this machine in their hosts.deny file and none
> of them permit ssh access from it (I can ssh to it from all of my
> machines). I've also set the privileges on all accounts to 700 so that no
> customer can see the content of any other customer's directory.

> For the startups this setup works fine. For the big companies this doesn't
> work because their firewalls don't permit them to access my server. The
> work around so far is that my customers at these companies have used their
> home machines to access the server. I've tried moving the port to 20 (FTP)
> figuring that a company is unlikely to block FTP, but that didn't work.

> Does anyone have any suggestions about a means for providing access to
> releases to customers at big companies? My requirements are 1) Reasonably
> straight forward access for my customers. 2) Good security for me. 3) Runs
> on Linux.

> Medgya