#1
07-06-2011, 01:40 PM
Active Member
Posts: 37
Zimbra - accessing from outside, best practice(s)?

Hello,

Had an incident last night which required my coming back to work in the middle of the night. Wasn't 'too' upset, I live close, and I was awake...

Currently, I do not forward port 7071, or ssh through my firewall.

Everything I did at the console last night was done via ssh on the LAN.

Q: If I were to pass ssh through the firewall, to administer the Zimbra server, what would be the most secure way to do so?

I initially thought about building a Linux box, with one user account, hideously long and complex password, and then passing ssh from the outside in to this box, rather than ssh to the Zimbra server itself. Then I could ssh from that box to Zimbra...

But then it dawned on me, if someone were to get into the "ssh box", they would have access to the LAN anyway, so would there be any benefit to that scenario?

Feedback / suggestions / comments / observations greatly appreciated!

BTW: Talk slow please, rather new to *nix

#2
07-06-2011, 09:26 PM
Trained Alumni
Posts: 74

Hi, the way I do it is I put a permit rule in my firewall for ssh and port 7071 traffic to Zimbra from my home IP address and block ssh and port 7071 for everyone else. Probably not the best way of doing it but it has worked for me.

#3
07-07-2011, 07:16 AM
Active Member
Posts: 37

I've also thought about limiting the port forwarding to one originating IP address...
however, I'm on a cable modem service, and the IP address does change up.

Hate to have to use ssh one night, only to discover that the IP address has changed at home, and the firewall has the old info...

Anyone else dealing with an ISP that's doing DHCP?

#4
07-07-2011, 08:18 AM
Trained Alumni
Posts: 74

My ISP uses DHCP as well, so I keep an eye on it. But, I have noticed if I don't disconnect my cable modem for more than an hour or so, it keeps the same IP. For example, I've had the same IP address for the past 5 months. But idk, maybe yours is different, I would just try it and see how often your IP changes. If it changes every week then you'll have to think of something else, but if it is like mine and changes only a few times a year it isn't too bad.

#5
07-07-2011, 08:30 AM
Senior Member
Posts: 63

A DHCP IP address has some lifetime depending on your MAC address. So it is very likely you will have the same IP address.

If not, you can allow some DHCP subnet 255.255.255.0.
You can call your ISP or get the subnet from your current IP settings (ipconfig in Windows).

I think that the other clients of your ISP aren't the ones who are waiting to hack your Zimbra installation, and they are a very low security problem.

If you have several changes of IP a year, you should use a strong password and you can change port 7071 to a different one. If you are paranoid, you can access webadmin via VPN connection to the server, etc....

#6
07-07-2011, 08:42 AM
Intermediate Member
Posts: 20

If not already doing this, I would recommend ssh'ing into Zimbra as a regular user with limited rights, and then do a 'su' as a privileged user.
__________________
Release 6.0.12_GA_2883.RHEL5_64_20110305232032 RHEL5_64 NETWORK edition.

#7
07-07-2011, 09:21 AM
New Member
Posts: 4

You may want to look at using public/private keys to authenticate to the server. As long as you protect your private key, you will be able to log in from any IP address, and have confidence that your system is secure to others.

Here is a tutorial on how to set up SSH keys.

Once you have tested that your key setup works, then edit /etc/ssh/sshd_config and disable password authentication.
__________________
--
Bill
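
The hardening suggested in posts #6 and #7, as an added example that is not part of the original thread: a shell script that reads an sshd_config and reports whether password logins and direct root logins are switched off. Mapping the "regular user, then su" advice to `PermitRootLogin no`, the function names and the sample files are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: check that an sshd_config enforces
# key-only, non-root logins before SSH is opened through the firewall.

# Print the global value of keyword $2 in file $1, or the fallback $3.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after "Match" are conditional (parsing stops).
sshd_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ { next }                      # comment line
        { sub(/[ \t]*=[ \t]*/, " ") }            # accept "Keyword=value"
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { val = tolower($2); exit }
        END { print (val == "" ? def : val) }
    ' "$1"
}

# Return 0 if the file enforces the thread's advice, else print findings
# and return 1. A missing keyword is treated as "yes" (assumed default).
audit_sshd_config() {
    file=$1 rc=0
    [ "$(sshd_value "$file" PasswordAuthentication yes)" = no ] ||
        { echo "FAIL: $file: PasswordAuthentication is not 'no'"; rc=1; }
    [ "$(sshd_value "$file" PermitRootLogin yes)" = no ] ||
        { echo "FAIL: $file: PermitRootLogin is not 'no'"; rc=1; }
    [ "$(sshd_value "$file" PubkeyAuthentication yes)" = yes ] ||
        { echo "FAIL: $file: PubkeyAuthentication is not 'yes'"; rc=1; }
    return $rc
}

# Constructed samples. "appended" shows a common mistake: the new line was
# added at the end of the file, but the earlier "yes" is the one sshd uses.
demo_dir=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
    'PasswordAuthentication no' > "$demo_dir/appended"
printf '%s\n' '# edited after key login was tested' \
    'PasswordAuthentication no' 'PermitRootLogin no' \
    'PubkeyAuthentication yes' > "$demo_dir/hardened"
for f in appended hardened; do
    audit_sshd_config "$demo_dir/$f" && echo "OK: $f"
done
```

On a live server, `sshd -T` (where the installed OpenSSH supports it) prints the effective settings including defaults and is the authoritative check. If PAM is enabled, keyboard-interactive authentication can still prompt for a password, so review that setting as well.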