screen resolution as headless server

What do you mean by 'external LAN interface'? His (and my) LAN is on a private IP range and is mostly wired and within the house. There is WiFi but I doubt if it reaches anyone else's house and you can't stop in the lane outside without causing an obstruction (and lots of dog barking).
Ah, you mean the outside facing *WAN* interface of the NAT router. Yes, there can be security holes put there by ISPs and such but since I (and probably The Natural Philosopher) use our own (not the ISP's) router that's unlikely.
I ran some tests of this sort on mine a while ago, seemed to confirm that it's fairly 'hard'.
--
Chris Green
Reply to
Chris Green
Loading thread data ...
Your router does connect you to the Internet, doesn't ist? External administration is so "convenient" and "comfortable" that it may be offered by default and if not your security need not be worth much.
On the other hand, getting at you that way will require knowledge and effort. I expect you to be safe just because nobody as qualified would consider it worth his time to look at your PI experiments. Now, if you hosted a sizeable customer database there of ran a political website ...
--




/ \  Mail | -- No unannounced, large, binary attachments, please! --
Reply to
Axel Berger
Of course
The only hole in mine is to a printer.
Good luck pwning that, when its mostly off.
--
?It is hard to imagine a more stupid decision or more dangerous way of  
making decisions than by putting those decisions in the hands of people  
 Click to see the full signature
Reply to
The Natural Philosopher
No. External administration is not offered by defaukt on a second hand Cisco 527W
Even there, its surprsinsing how resileinet one can be. I do run a very public websitre
Have a look at what was happening in October...
...a massive increase in traffic TO the server...
Till I got bored with the huge logs and firwalled out the fruitless attempts to log in as root with every possible password.
Hint to hackers. Root login is in any case disallowed. Even with the roopt password.
My point is that even with a relatively high profile and exposed machine that has sshd enabled to all comers, they couldnt hack the thing in a month of trying.
Whereas I know of people with varoius 'web tools' like joomla who were hacked every few DAYS
--
Future generations will wonder in bemused amazement that the early  
twenty-first century?s developed world went into hysterical panic over a  
 Click to see the full signature
Reply to
The Natural Philosopher
It's turned off. If I *really* need to configure from outside then I set up a temporary ssh tunnel to do so.
Quite! :-) I doubt anyone will expend a *lot* of effort trying to break into my home systems.
--
Chris Green
Reply to
Chris Green
Yes, it's amazing how many hits an open ssh port gets! :-)
I have mine set up to only allow connections from two outside sites where I have ssh login accounts. Thus I connect from 'somewhere' to one of these two accounts and then from there to my home system.
--
Chris Green
Reply to
Chris Green
Basically I have unlimited access from my (fixed) home address - I had opened ssh up so I could access it from abroad, but I am back home now, so I have shut the lot down.
Now the only globally open ports are smtp, ssmtp, pop3, http and https. And one other I won't mention.
ACCEPT tcp -- anywhere anywhere tcp dpt:www ACCEPT tcp -- anywhere anywhere tcp dpt:ssmtp ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 ACCEPT tcp -- anywhere anywhere tcp dpt:https ACCEPT tcp -- anywhere anywhere tcp dpt:xxxxx REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
On the internet the default should always be 'only let in what you absolutely need, and then only once you have worked out how to hack it, and blocked that too'
I havenm't had a virus since I abandonedd Windows, and I have never been hacked. Yet. But I have been subjected to sccessful denial of service attacks.
Greens dont like gridwatch.
Reply to
The Natural Philosopher
Fair comment
Most of these are obvious and sensible given that you're running a webserver and, presumably, a mainserver that accepts SMTP connections.
Indeed, but one has me curious: why is pop3 open?
I assume you're running a public or semi-public POP3 server, since using it to collect mail from an ISP doesn't require an externally accessible POP3 port.
--
Martin    | martin at 
Gregorie  | gregorie 
 Click to see the full signature
Reply to
Kiwi User
I use ssh to read mail and usenet as I simply connect to my desktop machine at home and run command line mail and news clients.
I only have SMTP open in addition to ssh. I did have SMTP limited (like ssh) to only some IPs allowed to connect (my hosting service's mail servers) but that got a bit difficult to maintain so it's now open to any IP. It doesn't seem to get many unwanted connection attempts, nothing like ssh gets.
--
Chris Green
Reply to
Chris Green
Correct. A friend is also using it, from a BT dynamic IP setup.
I dont understand what you mean by 'using it to collect mail from an ISP'.
Why on earth would I want to be 'collecting mail from an ISP'?
Since ISPS don't have mail to collect. They are merely connectivity devices.
I mean what is the POINT of having your own domains and server, if you then 'use it to collect mail from somewhere else?
Mail comes on and out via SMTP and SSMTP
POP3 is how it gets to me inside my network, as I don't want to open an SMTP port into my home network
--
"I am inclined to tell the truth and dislike people who lie consistently. 
This makes me unfit for the company of people of a Left persuasion, and  
 Click to see the full signature
Reply to
The Natural Philosopher
Well I have to have it openm else how could I receive global email?
Ditto https and https. You cant run webservers if the world is firewalled out.
Naturally there are comnstantt attempts to hack into all these serviecs, but sincef I dont runs 'standard' sofwtare liek wordpress, phpmydamnin, jooomla, ISP style mail logins...they are all simply network load that leads to nothing.
None of the hack attempts have even come close.
--
The biggest threat to humanity comes from socialism, which has utterly  
diverted our attention away from what really matters to our existential  
 Click to see the full signature
Reply to
The Natural Philosopher
It probably would not suit you, but the following setup works exactly the way I want it to:
My Postfix MTA sends outgoing mail via my ISP's mail host and I use getmail to retrieve incoming mail from from my ISP's mail host using POP3, passing it to my MTA for local delivery via Dovecot. My mail volume is fairly small, so this system handles it easily while allowing me to receive and send mail without having any ports externally visible or accessible.
I do run a web server, but only for internal use. My published websites are hosted by my ISP. These are maintained locally and published by using FTP to mirror them onto my ISP's webhosting servers.
--
Martin    | martin at 
Gregorie  | gregorie 
 Click to see the full signature
Reply to
Kiwi User
Good gid. I wouldnt rteuts my ISP tro host a cklown party for 5 year olds.
I run about 20 websites on a linux virtual private server, plus half a dozen doamins I keep for my email and other nefarious purposes plus a few other people's websites and email.
This isnt at home stuff. Behind some firewall. This is out there on the backbone shit.
The only firewall is iptables.
--
"Anyone who believes that the laws of physics are mere social  
conventions is invited to try transgressing those conventions from the  
 Click to see the full signature
Reply to
The Natural Philosopher
You would be surprised about how far it extends. The range of your WiFi depends on your equipment and that used by the second party, with some very simple hardware it is easy to build an antenna with sufficient gain to boost the signal out to a mile or more. While unlikely that some hacker with QRP (reduced power) skills would be within a mile or two of your house it is possible. I have used a simple cantenna to boost wifi across a field of just over a mile to get a poor but useable signal.
2.4GHz wifi band routers output about 100mW, one of the current QRP ham radio records is about 1500 miles on a microwatt, not a quality data signal by any means but a very low bandwidth signal that was detectable. With a directional antenna a hacker could sit in a car a hundred yards or so away and easily pick up your router or a neighbour could. Finding a way in through open ports is possible then but brute forcing the key may be a better option.
I live in the UK and use Sky as my provider. Their routers use WPA encryption which has an ASCII key between 8 and 63 characters long. Sky chose 8 characters for simplicity which, if you use the full printable ASCII set, has about 100 Billion combinations. At 10 seconds per key that amounts to an average of about 15 thousand years to crack by brute forcing so fairly secure. Sky however, for customer simplicity and convenience over security, only uses upper case letters in their passwords so that 95 possible characters drops to 26 and brute forcing is possible in an average of 3 months.
You have to be very determined to crack an average user's wifi and even more determined to do so at a distance but it is possible. Also bear in mind that many small businesses use standard routers for the broadband so hacking a shop to steal banking information is possibly more lucrative. I brute forced a sky password in just over a month just for fun with an old Pi1. It was an spare router of my own BTW before someone quotes the computer misuse act. The simplest way to crack a neighbour's wifi is just to visit them and sneak a peek at the back of their router, it saves weeks of fiddling about.
Andy
Reply to
AndyW
I would only allow SSH access from the outside using DSH/RSH key authentication, possibly even changing the port even though that should not be considered a security measure in its own right.
personally I prefer to have a VPN tunnel into my network again protected by key/certificate rather than password.
--
'It's time to-' 
'Prod buttock, sir?' said Carrot, hurriedly. 
 Click to see the full signature
Reply to
alister
The effect for this is the same but I wonder if there are things that do work differently when you leave the framebuffer dimensions commented out and instead edit the hdmi mode settings, eg. I am used to changing:
hdmi_group=1 hdmi_mode=31
for TV mode 1080p @50 Hz. And then to make absolutely sure:
hdmi_force_hotplug=1 hdmi_ignore_edid=0xa5000080
(in my case for a receiver that wrongly reported available resolutions). See all settings at
formatting link
Reply to
A. Dumas
RDP gives a much better experience than VNC. Install x11vnc and xrdp on the Pi and you can use any Remmina on Linux or Windows Remote Desktop clients.
---druck
Reply to
druck
you
The POINT is that it saves you trouble of running and administering that mail server ... and spares you the responsibility of knowing what you're doing and keeping that knowledge up to date. Life is finite!
You and I may be happy doing all that, but I wouldn't recommend that most people try running any kind of public-facing server (even if they do have their own domains) unless they're really sure that they have a good reason to do so and that they know how to do it securely.
Of course, having your own domain is convenient even if you have no intention of running your own server(s), as it gives you the freedom to move the hosting between ISPs/suppliers without having to change your addresses.
--
Cheers, 
 Daniel.
Reply to
Daniel James
But it doesn't. You still have to set up the mail server. Assuming its out there in internet land the most trivial thing is to let it accept incoming SMTP mail and set MX recods to point to it.
But thats only haf my pint.
Why use a server AT ALL if it's simply cloning someone elses server? Why not go direct to the original server?
--
A lie can travel halfway around the world while the truth is putting on  
its shoes.
Reply to
The Natural Philosopher
Actually, I chose to do it that way because using getmail to collect incoming messages avoids having to open any ports in my firewall.
I run my own internal Postfix MTA for two additional reasons:
- I have a database-based mail archive which gets fed via a Postfix 'always_bcc' directive. I ensure that all my incoming and outgoing mail passes through that MTA. Why do that? Because I thought that it should be a lot faster to find an e-mail by searching that database than by looking through huge email folders in an MTA - and it certainly is. Any matching email among the 184,000 in the archive will be found within 10 seconds and can be inspected in the search app or forwarded to my MUA so attachments can be saved and/or it can be replied to.
- The archive also acts as a whitelisting engine: I wrote a Spamassassin rule that whitelists any e-mail whose sender is recorded as having received mail from me.
That too. I also run an internal HTTP server (Apache) which is an extended bookmarking system, provides no-hassle access to a growing collection of images and documents in a variety of topics, as well as being a convenient place to publish my externally visible websites, which are exported to a webhost via FTP.
I save myself a lot of hassle by using external hosts for my websites and domain names and by routing all incoming and outgoing mail through my ISP's mail server.
--
Martin    | martin at 
Gregorie  | gregorie 
 Click to see the full signature
Reply to
Kiwi User

ElectronDepot website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.