Off-Band VPN/VPS access?
Francisco Top Host, Host Rep, Veteran
edited December 2011 in General

I've been batting around the idea of allowing users to 'request' a login to an out-of-band PPTP based VPN that would connect them into the private LAN we have between VM's.

This would mean users could access RDC/SSH/etc over their private IP if they didn't want their public facing IP running those services.

There would be no cost attached to the service, at worst a rate limit to stop users from using it to evade bandwidth monitoring.

Good idea? any interest?

Francisco

Comments

  • Francisco Top Host, Host Rep, Veteran

    I should add that the request thing would be 100% automated and handled within stallion.

    Francisco

  • The users who know how to set up their ssh daemon to listen only on the private IP probably already know how to firewall the ssh port and/or set up vpn access themselves :)

  • @rds100, the point of it though is to completely eliminate public-facing services that could become points of compromise.

    @Francisco, I would definitely use it. It would be wonderful to get ssh off of a public port.

  • Francisco Top Host, Host Rep, Veteran

    @rds100 said: The users who know how to set up their ssh daemon to listen only on the private IP probably already know how to firewall the ssh port and/or set up vpn access themselves :)

    As Nick said, we got some users that are very paranoid about having anything public facing.

    In fact, if I made it so the PPTP would assign each user a static IP, I would likely cause a few people to have a nerdgasm. Private access over a password only they know and they're able to firewall it even more so? Please.

    Francisco

  • albertdb Member
    edited December 2011

    It would be very interesting. No more Fail2Ban/DenyHosts running on the VPS, more RAM available for other purposes, assuming that none of the customers attack others' VPS.

  • @albertdb said: assuming that none of the customers attack others' VPS.

    That's what Aldryic and bz are for! :D

  • Francisco Top Host, Host Rep, Veteran

    @albertdb - it sounds like doing a static IP would be ideal for the service then, that way there are full logs that can be reported if there is abuse?

    Francisco

  • @Francisco said: I've been batting around the idea of allowing users to 'request' a login to an out-of-band PPTP based VPN that would connect them into the private LAN we have between VM's.

    I would like this, things like an SQL server don't need a public facing IP address. Often it's only available for SSH login, otherwise it would be great to ditch the public facing IP altogether in this case.

  • This sounds great. BuyVM changing the game once again.

  • +1 That would be great

  • Offtopic, what about the switchable IPs that you were talking about some time ago? :P

  • @yomero said: Offtopic, what about the switchable IPs that you were talking about some time ago? :P

    Still on the drawing board. The coding on my end of things (billing, whmcs) is about wrapped up, we've just been busy with KVM and some oddball, but high priority, stuff that needed to be sorted first :P

  • Sounds like a good plan to me. It's pretty much how I had my storage VPS set up for a while. Firewall rules that said "no" to most everything incoming and outgoing, with only pptp on the external IP. Web, Samba, and ssh were only listening to the VPN address.

    Is the idea for this VPN to be for ssh admin only or could I run my personal Samba and web backup services through it as well?
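    The configuration rds100 alludes to (sshd bound to the private IP plus a firewall on the public side) and the setup cleonard describes above (deny-by-default rules, services listening only on the VPN/private address) both come down to the same two fragments. The script below is an added example, not code from the thread or from BuyVM: it emits a sshd_config fragment and an nftables ruleset for an assumed private LAN address (10.0.0.5) and an assumed public address (203.0.113.10, a documentation-range placeholder), and includes a check that refuses any ListenAddress outside RFC 1918 space, which is the mistake that silently re-exposes SSH on the public IP.

```shell
#!/bin/sh
# Added example (not from the thread or from BuyVM). Addresses are assumed placeholders.
PRIV_IP="10.0.0.5"       # assumed: this VM's address on the host's private LAN
EXT_IP="203.0.113.10"    # assumed: this VM's public address (RFC 5737 range)

# Emit the sshd_config directives that make sshd listen on the private address only.
# Without any ListenAddress, sshd binds every address (0.0.0.0 and ::).
sshd_private_only() {
  printf 'AddressFamily inet\nListenAddress %s\n' "$1"
}

# Return 0 when every ListenAddress in the given sshd_config text (or the output
# of `sshd -T`) is an RFC 1918 address and at least one is present; otherwise 1.
# IPv4 only: a trailing :port is stripped, bracketed IPv6 forms are not handled.
check_sshd_config() {
  found=0
  while read -r key value _; do
    case "$key" in
      [Ll]isten[Aa]ddress) ;;
      *) continue ;;            # comments, blank lines, other directives
    esac
    found=1
    addr=${value%%:*}
    case "$addr" in
      10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
      *) return 1 ;;            # public, wildcard (0.0.0.0) or unexpected address
    esac
  done <<EOF
$1
EOF
  [ "$found" -eq 1 ]
}

# Check the effective configuration of the running sshd (needs root).
check_live_sshd() {
  check_sshd_config "$(sshd -T 2>/dev/null)"
}

# Emit an nftables ruleset for the split: nothing new is accepted on the public
# address ($2); SSH, HTTP and SMB are accepted only when addressed to the private
# LAN address ($1), which is reachable solely through the provider's VPN.
nft_ruleset() {
  cat <<EOF
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    # admin/backup services only on the private address (SSH, HTTP, SMB)
    ip daddr $1 tcp dport { 22, 80, 445 } accept
    # public address $2: no listening services; keep ping for reachability checks
    ip daddr $2 icmp type echo-request accept
  }
}
EOF
}

# SHOW_CONFIG=1 sh script.sh  prints both fragments for review.
if [ "${SHOW_CONFIG:-0}" = 1 ]; then
  sshd_private_only "$PRIV_IP"
  nft_ruleset "$PRIV_IP" "$EXT_IP"
fi
```

    Pipe `sshd -T` (which dumps the effective configuration) through the check after every change, since a stray `ListenAddress 0.0.0.0` or a missing directive silently reopens the public port. The ruleset leaves outbound traffic alone; cleonard's version also restricted that, which is a separate output chain with the same drop-by-default shape.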

  • Francisco Top Host, Host Rep, Veteran

    cleonard - you could run those as well.

    We'd rate limit speeds to probably 1 Mbit though, or maybe 10 Mbit, to stop users from using it as a way to evade BW.

    Francisco
