Allow user to SSH from home to his PC
How can I allow a user to SSH to his UNIX box from home? Can I set it up so that when his home address (and only HIS home address) SSHes to my external address, he is forwarded right to his machine?
Labels: Next Generation Firewall
Hi,
I suggest using an identity-based policy in which you use the VIP. Just add a user group (with just one user) to the source field (formerly: source address field) in the policy.
Only if your user has a fixed public address can you use it to identify your user.
Details:
1- VIP: external addr: free public address, mapped to addr: private ssh_server_IP, external/mapped port: tcp/22
2- policy: either
src addr: any AND usergroup: this_user
OR
src addr: fixed home office address
dest addr: VIP, service: SSH
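The VIP and the two policy variants described in the answer above, written out as FortiOS CLI. This is an added example, not configuration from the original post. The interface names (wan1, internal), the object names, and the RFC 5737 documentation addresses are assumptions: 203.0.113.10 is a spare public IP on the FortiGate's WAN side, 198.51.100.25 is the user's fixed home IP, and 192.168.10.50 is the user's UNIX box on the inside.

```fortios
# Added example (not from the original post). All names and addresses are assumed.

# 1- VIP: public 203.0.113.10:22 -> private 192.168.10.50:22 (port forwarding)
config firewall vip
    edit "vip_ssh_userpc"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "192.168.10.50"
        set extport 22
        set mappedport 22
    next
end

# Address object for the user's fixed home IP (a /32, so only that host matches)
config firewall address
    edit "home_office_ip"
        set subnet 198.51.100.25 255.255.255.255
    next
end

# 2- Policy. Create ONE of the two variants below, not both.
config firewall policy
    # Variant A: restrict by source address (requires a fixed home IP)
    edit 0
        set name "ssh_home_to_pc_by_ip"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "home_office_ip"
        set dstaddr "vip_ssh_userpc"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
    # Variant B: identity-based, src addr any AND user group "this_user"
    # ("this_user" is an assumed user group containing only that one user)
    edit 0
        set name "ssh_home_to_pc_by_user"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "vip_ssh_userpc"
        set groups "this_user"
        set action accept
        set schedule "always"
        set service "SSH"
        set logtraffic all
    next
end
```

With variant A, an SSH connection to 203.0.113.10 from 198.51.100.25 is forwarded to 192.168.10.50:22; a connection from any other source matches no policy and is dropped (and appears in the forward-traffic log as denied, since `logtraffic all` is set). If the user's home IP changes, only the `home_office_ip` address object needs to be updated.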
I suggest using an identity-based policy in which you use the VIP with customized SSH port on the public network.
This article will help you.
http://cookbook.fortinet.com/port-forwarding/
Regards,
Deepak Kumar
You can use a VIP with a customized SSH port. Since you're publishing to the internet, customizing the SSH port is important to avoid attackers.
Regards
------------------------------
Rony Moussa
Fortinet NSE Certified: Level 8
------------------------------
Tunnel mode (with FCT) or web portal mode is possible.
Generally it is very difficult to create a rule for someone's home IP address, as they change from time to time. It can be done, but be prepared for users to complain every time they get a new IP and the policies no longer work. From a security perspective, direct SSH access from "any" can open you up to a lot of potential issues, brute-force attacks, etc. Not something I would recommend. Changing the service to a non-standard port is also not recommended, because the service can be fingerprinted and identified by tools like NMAP and other port scanners.
Using SSL VPN for remote access to internal resources is the answer, in my opinion.
------------------------------
Dan
Network / Security Analyst
------------------------------
If it's a public server: VIP + policy for SSH with the home source IP.
If it's a private server: client IPsec or client SSL VPN with the native client, or FortiClient.
In the policy, use SSH as the service. Add IPS and AV to the policy, since this is a home user = no control over the home environment.
IPsec VPN with FortiClient - Fortinet Cookbook
SSL VPN using web and tunnel mode - Fortinet Cookbook
------------------------------
Odd [LastName] [Designation]
IT Security Specialist / Senior IT Consultant
[CompanyName]
[City] [State]
[Phone]
------------------------------