Channel: We Got Served Forums - New Posts

Securing Remote Access


Having updated my server from WHS v1 to 2011 I have been looking at ways of securing remote access. With my old server, I followed the advice from this site to look at the IIS logs to see who was connecting to my server and then stop IP scanning by using host headers http://forum.wegotserved.com/index.php/tutorials/article/43-protect-your-whs-web-site-from-ip-scanners/. This only covered http as IIS 6.0 does not support host headers for https, but you can deal with https from a command prompt. My experience was that before I made this change I had connections from various parts of the world trying to access pages that do not even exist on the server, e.g. …/admin.php.


With my new server I didn’t make the host header change for a couple of weeks, until a look at the IIS logs showed that several people had been trying to connect. As a temporary fix I used the host header technique again and the logs showed that the attempts to connect to the server stopped. I thoroughly recommend this change to anyone who has remote access enabled on their server.
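The log review described above, as an added example that is not part of the original post: a small parser for IIS W3C extended log lines that counts requests per remote client (addresses inside the home network are skipped) and flags the two signs of scanning the post mentions, a request that addressed the server by its raw IP instead of the host name (exactly what a host-header binding would refuse) and a request for a page that does not exist (404). The log lines, IP addresses and host name below are constructed for illustration.

```python
"""Summarise IIS W3C log lines: who is connecting from outside, what they
ask for, and whether they addressed the server by name or by raw IP.

Added example; not code from the original forum post. The sample log,
addresses and host name are constructed, not real traffic.
"""
import ipaddress
from collections import Counter

# Constructed sample log in IIS W3C extended format (not real traffic).
# cs-host carries the Host header the client sent; a scanner that walks
# address ranges sends the bare IP, a real user sends the domain name.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time c-ip cs-method cs-uri-stem cs-host sc-status
2012-03-01 08:00:01 192.168.1.20 GET /Remote/logon.aspx example.homeserver.com 200
2012-03-01 08:00:05 192.168.1.20 GET /Remote/ example.homeserver.com 200
2012-03-01 09:13:44 203.0.113.9 GET /admin.php 198.51.100.5 404
2012-03-01 09:13:45 203.0.113.9 GET /phpmyadmin/ 198.51.100.5 404
2012-03-01 11:02:10 198.51.100.77 GET /Remote/logon.aspx example.homeserver.com 200
"""

# RFC 1918 ranges: clients here are "inside the home" and are left alone.
LOCAL_NETS = ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")


def is_ip_literal(host):
    """True when the Host header value is a bare IP address (port stripped)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def parse_w3c(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue  # other directive lines (#Software, #Date, ...) carry no data
        if fields is None:
            raise ValueError("data row seen before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed row: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def summarise(text, local_nets=LOCAL_NETS):
    """Return (requests per remote client IP, list of suspicious requests).

    A request is suspicious if the Host header was a raw IP (scanner-style)
    or the server answered 404 (a page that does not exist here).
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    per_ip = Counter()
    suspicious = []
    for rec in parse_w3c(text):
        client = ipaddress.ip_address(rec["c-ip"])
        if any(client in n for n in nets):
            continue  # local user; only remote access is of interest
        per_ip[rec["c-ip"]] += 1
        if is_ip_literal(rec["cs-host"]) or rec["sc-status"] == "404":
            suspicious.append(
                (rec["c-ip"], rec["cs-uri-stem"], rec["cs-host"], rec["sc-status"])
            )
    return per_ip, suspicious


if __name__ == "__main__":
    counts, flagged = summarise(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip:16} {n} request(s)")
    for ip, path, host, status in flagged:
        print(f"suspicious: {ip} asked for {path} with Host={host} -> {status}")
```

To use it on a real server, read the day's log file from the IIS log directory in place of `SAMPLE_LOG`; the `#Fields:` line in each file tells the parser which columns are present, so logs with a different field selection (the `cs-host` column has to be enabled in the IIS logging settings for the Host check to work) are handled the same way.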


I decided that I wanted a better solution and set the following goals:

  1. Close as many ports as possible on the firewall and (if possible) use only non-standard ports for those that must remain open.
  2. Use two factor authentication.
  3. No impact on users inside the home, i.e. only remote access should be affected.
  4. If possible, get access from my phone (Android) as well as from PCs.

The solution I have settled upon is to use an SSH server. This uses a non-standard port, not the default port 22, and only permits login by security certificate, not password; this helps with the two factor authentication requirement. I have now removed the standard homeserver port forwards from my router (80, 443 and 4125); as I understand it, IP scanners tend to try well known ports, so closing these should reduce my visibility.


Using port forwarding I can create an RDP connection from other PCs outside my network or from my phone. When I need to connect from another PC I have a USB stick with a copy of Plink.exe and the private key (secured with a password). An added benefit of this solution is that I now have an SSH proxy which I can use when I am away from home.


There are a couple of downsides to this approach. Firstly, it takes slightly longer to establish a connection as I need to enter some of the settings to establish the connection and forward the ports; a batch file helps with plink.exe, but obviously I don’t want all of the settings in the batch file, e.g. passwords! When I use the remote web access (via the SSH tunnel) a certificate warning is displayed, as the name on the security certificate, which is in the form <my domain>.homeserver.com, does not match the Windows host name <myserver>.


Setup on the server was very easy. I initially tried Cygwin and OpenSSH but struggled when I tried to move from password security to certificates, and then found Bitvise SSH server and got the server end up and running very quickly. On my phone I use VX Connectbot, Remote RDP Lite and Opera if I want to surf the web via the SSH tunnel. Opera allows you to change the proxy settings without having to root the phone. Proxy settings can also be changed in Firefox for Android (and there is greater control than with Opera), but I prefer Firefox as my default browser and would need to keep enabling and disabling the proxy settings depending on whether I am using the SSH tunnel; the tunnel is overkill if all you want is Google!


I am happy to provide more information if people are interested in this, and I would also welcome any feedback on whether this does make my system more secure or whether it is simply more obscure!
