
Thread: Zimbra - accessing from outside, best practice(s)?

  1. #1

    Hello,

    Had an incident last night which required my coming back to work in the middle of the night. Wasn't 'too' upset, I live close, and I was awake...

    Currently, I do not forward port 7071, or ssh through my firewall.

    Everything I did at the console last night was done via ssh on the LAN.

    Q: If I were to pass ssh through the firewall, to administer the Zimbra server, what would be the most secure way to do so?

    I initially thought about building a Linux box, with one user account, hideously long and complex password, and then passing ssh from the outside in to this box, rather than ssh to the Zimbra server itself. Then I could ssh from that box to Zimbra...

    But then it dawned on me, if someone were to get into the "ssh box", they would have access to the LAN anyway, so would there be any benefit to that scenario?

    Feedback / suggestions / comments / observations greatly appreciated!

    BTW: Talk slow please, rather new to *nix

  2. #2

    Hi, the way I do it is I put a permit rule in my firewall for ssh and port 7071 traffic to Zimbra from my home IP address and block ssh and port 7071 for everyone else. Probably not the best way of doing it but it has worked for me.

  3. #3

    I've also thought about limiting the port forwarding to one originating IP address...
    However, I'm on a cable modem service, and the IP address does change up.

    Hate to have to use ssh one night, only to discover that the IP address has changed at home, and the firewall has the old info...

    Anyone else dealing with an ISP that's doing DHCP?

  4. #4

    My ISP uses DHCP as well, so I keep an eye on it. But, I have noticed if I don't disconnect my cable modem for more than an hour or so, it keeps the same IP. For example, I've had the same IP address for the past 5 months. But idk, maybe yours is different, I would just try it and see how often your IP changes. If it changes every week then you'll have to think of something else, but if it is like mine and changes only a few times a year it isn't too bad.

  5. #5

    A DHCP IP address has some lifetime depending on your MAC address. So it is very likely you will have the same IP address.

    If not, you can allow some DHCP subnet 255.255.255.0.
    You can call your ISP or get the subnet from your current IP settings (ipconfig in Windows).

    I think that the other clients of your ISP aren't the ones who are waiting to hack your Zimbra installation, and they are a very low security problem.

    If you have several changes of IP a year, you should use a strong password and you can change port 7071 to a different one. If you are paranoid, you can access webadmin via a VPN connection to the server, etc....

  6. #6

    If not already doing this, I would recommend ssh'ing into Zimbra as a regular user with limited rights, and then do a 'su' as a privileged user.
    Release 6.0.12_GA_2883.RHEL5_64_20110305232032 RHEL5_64 NETWORK edition.

  7. #7

    You may want to look at using public/private keys to authenticate to the server. As long as you protect your private key, you will be able to log in from any IP address, and have confidence that your system is secure to others.

    Here is a tutorial on how to set up SSH keys.

    Once you have tested that your key setup works, then edit /etc/ssh/sshd_config and disable password authentication.
    --
    Bill
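
An added example, not part of the thread: a shell check for the sshd_config settings recommended in posts #6 and #7 (key-only login, no direct root login). The function names and sample configs are constructed for illustration; it also flags keyboard-interactive authentication, which can still accept a password through PAM.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config for the settings
# discussed in posts #6 and #7. The sample configs below are constructed.

# first_value FILE 'kw1|kw2': sshd uses the first value it reads for a keyword,
# so print the first match (lowercased) found before any Match block.
first_value() {
    awk -v want="$2" '
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        { sub(/=/, " ") }                       # accept "Keyword=value"
        tolower($1) == "match" { exit }         # global section only
        tolower($1) ~ ("^(" want ")$") { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: print findings, return their count as exit status.
audit_sshd_config() {
    n=0
    v=$(first_value "$1" 'passwordauthentication')
    [ "$v" = no ] || { echo "FAIL PasswordAuthentication=${v:-unset}, want no"; n=$((n+1)); }
    v=$(first_value "$1" 'kbdinteractiveauthentication|challengeresponseauthentication')
    [ "$v" = no ] || { echo "WARN keyboard-interactive=${v:-unset}, PAM may still ask for a password"; n=$((n+1)); }
    v=$(first_value "$1" 'permitrootlogin')
    [ "$v" = no ] || { echo "FAIL PermitRootLogin=${v:-unset}, want no (regular user, then su)"; n=$((n+1)); }
    v=$(first_value "$1" 'pubkeyauthentication')
    [ "$v" != no ] || { echo "FAIL PubkeyAuthentication=no, key logins would be refused"; n=$((n+1)); }
    return "$n"
}

# Constructed sample: password logins still on, direct root login allowed.
sample_before() { printf '%s\n' '# constructed sample' 'Port 22' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'passwordauthentication no'; }   # later duplicate is ignored by sshd

# Constructed sample: key-only, no direct root login.
sample_after() { printf '%s\n' 'PubkeyAuthentication yes' \
    'PasswordAuthentication no' 'ChallengeResponseAuthentication no' \
    'PermitRootLogin=no'; }

tmp=$(mktemp -d)
sample_before > "$tmp/before"; sample_after > "$tmp/after"
for f in before after; do
    echo "== $f"; audit_sshd_config "$tmp/$f" && echo "OK"
done
rm -rf "$tmp"
```

On a live server, `sshd -T` prints the effective configuration with defaults filled in, which this file-only check does not see.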
