{{Languages|SME_Server:Documentation:Administration_Manual:Chapter11}}

===Security===

====Remote access====

If you are an advanced user, the SME Server provides several ways to reach the underlying Linux operating system, either from a computer on your internal network or from a computer outside your organisation, over the Internet. You can also reach your company network securely from a remote computer. All of these options are configured from the Remote Access panel of the server-manager, shown below. Every option you enable here is an additional service exposed to the Internet, so enable only what you need.

Each of these remote access methods is described below.

[[Image:Remote-access-1.png]]

[[Image:Remote-access-2.png]]

===== PPTP (VPN) =====

The Point-to-Point Tunneling Protocol (PPTP) is used to create client-to-server virtual private network (VPN) connections. It was developed by the PPTP Forum, an industry group that included Microsoft and several other companies. A VPN is a private network of computers that uses the Internet to connect its nodes; PPTP lets users connect to their company network across the Internet.

Microsoft's implementation of PPTP is widely used in the Windows world to provide remote access across the Internet. If you have a remote Windows system (for example, a laptop or a home computer) with Internet access, you can use it to reach information stored on your company server.

If you want to enable VPN access, decide how many individual PPTP clients may be connected to your server at the same time and enter that number here. The simplest approach is to enter the total number of clients in your organisation that may need to connect remotely over PPTP. Alternatively, if you have a slow Internet connection and do not want all of those clients connected at once, you can enter a lower number. For example, if five users occasionally use the PPTP VPN to connect remotely, entering 5 lets all of them connect at any time, while entering 2 allows only two of them to be connected at any given moment: if a third user tries to connect, he or she receives an error and cannot connect until one of the others disconnects. Entering 0 disables PPTP connections entirely.

Before the server will accept PPTP connections, each user who is to be allowed access must be granted "VPN Client Access" in the [[:SME_Server:Documentation:Administration_Manual:Chapter9#Users |Users]] panel of the server-manager.

To connect using PPTP, the protocol must be installed on each remote Windows client. Typically this is done through the Network Control Panel (you may need your original Windows installation CD). After it is installed (a reboot of the Windows system may be needed), create a new connection through the Dial-Up Networking panel, entering the external IP address of the server you wish to connect to. You should then be able to initiate a PPTP connection by double-clicking the appropriate icon in the Dial-Up Networking window. When you open the Network Neighborhood window, your server's workgroup should be listed there.

{{Note box|After changing the number of PPTP clients allowed, the new limit does not take effect until the currently connected users have logged off.}}

{{Note box|PPTP uses TCP port 1723 and the Generic Routing Encapsulation (GRE) protocol (IP protocol 47). If an external router or gateway sits in front of your server and you need inbound VPN connections for external users, both TCP port 1723 and GRE must be forwarded to the server.

Most "PPTP passthrough" routers only handle outbound connections; not all support inbound ones, and forwarding inbound PPTP is frequently unreliable because GRE is not a TCP or UDP port and many NAT devices cannot track it properly.

The simple, reliable solution is to remove the router and let the SME Server handle the link directly.

For a more detailed description of the PPTP protocol see http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol}}

{{Warning box|To protect your network, the SME Server enforces 128-bit MPPE encryption for PPTP connections rather than the 40-bit encryption provided by earlier versions of Microsoft's PPTP software. If you cannot establish a PPTP connection to your server, visit http://windowsupdate.microsoft.com/ and download the appropriate update. Because Microsoft's web site changes frequently, the page may look different depending on the version of Windows you use; in most cases, look or search for "Virtual Private Networking" or a "Dial Up Networking 128-bit encryption update". You may need to install the 40-bit encryption update first and then the 128-bit update. With Microsoft's ActiveUpdate process, if you are not offered this update it is most likely already installed. Note also that a longer MPPE key does not repair the underlying weakness of PPTP's MS-CHAPv2 authentication, which is no longer considered secure; treat PPTP as a legacy option and prefer a modern VPN where one is available.}}

===== Remote Management =====

To allow access to the server-manager from remote networks, add the allowed IP addresses to the Remote Management section.

To allow a single computer (or a network of computers behind a firewall), add its IP address and the corresponding netmask. A netmask of 255.255.255.255 matches exactly one address:

223.102.19.24 255.255.255.255

Keep this list as short as possible: every entry exposes the administrative interface to that address range from the Internet, and a mask typed as 0.0.0.0 exposes it to everyone.

===== SSH =====

If you need to connect directly to your server and log in from a remote system that belongs to you, we strongly encourage you to use ssh. In addition to UNIX and Linux systems, ssh client software is also available for Windows and Macintosh systems (see the section below).

If you have no reason to allow remote access, we suggest you set this to "No access".

SSH (secure shell) provides a secure, encrypted way to log in to a remote machine across a network or to copy files between a local machine and a server. Many people do not realise that programs such as telnet and ftp transmit your password in plain, unencrypted text across your network or the Internet. ssh and its companion program scp provide a secure way to log in or copy files. The ssh protocol was originally invented by SSH Communications Security, which sells commercial ssh servers, clients and related products. The protocol has two versions, SSH1 and SSH2; SSH1 has known cryptographic weaknesses, and only SSH2 should be used today. For more information about SSH Communications Security and its commercial products, visit http://www.ssh.com/.

OpenSSH, included with the SME Server, is a free implementation of the ssh tools and protocol. The server provides the ssh client programs as well as the ssh server daemon. For more information about OpenSSH, visit http://www.openssh.com/.

Once ssh is enabled, you should be able to connect to your server by launching the ssh client on your remote system and pointing it at the external domain name or IP address of your server. In the default configuration you are then prompted for a user name. After you enter admin and the administrative password, you are placed in the server console, from which you can change the server configuration, access the server-manager through a text browser or perform other server console tasks.

If you do enable ssh access, you have additional configuration options:

* Allow administrative command line access over ssh - This allows someone to connect to your server and log in as "root" with the administrative password. That user then has full access to the underlying operating system. This can be useful if someone is providing remote support for your system; in most cases we recommend setting this to No.
* Allow ssh using standard passwords - If you choose Yes (the default), users can connect to the server with a standard user name and password. This is a security concern: an attacker can connect to your ssh server and repeatedly try user names and passwords until a valid combination is found. A more secure way to allow ssh access is public-key (RSA) authentication, which involves copying an ssh public key from the client to the server and then setting this option to No. See the [[SME_Server:Documentation:User_Manual:Chapter1#Securing_SSH_With_Public_.2F_Private_Keys| User Manual ]] for details.
* TCP Port for secure shell access - Change the port on which the ssh server listens; choose a free port, e.g. 822. This reduces the noise from automated scans of the standard port 22, but it is not a substitute for disabling password authentication, since a port scan finds the service in seconds.

{{Note box|By default, only two user names can be used to log in remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to log in to the server itself. If you give another user the ability to log in remotely, you will need to access the underlying Linux operating system and change that user's shell manually.}}
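The password-guessing concern described above is easiest to understand from the log it leaves behind. The Python below is an added example, not SME Server code: it scans OpenSSH log lines (constructed samples in the format sshd writes through syslog to /var/log/secure or auth.log; the host name "sme" and the thresholds are assumptions) for many failed passwords from one source address and for a password login accepted after a run of failures, which is the signature of a successful guess.

```python
"""Spot SSH password-guessing in OpenSSH log lines.

Added example, not SME Server code. SAMPLE_LOG holds constructed lines in
the format sshd writes via syslog (e.g. /var/log/secure); the thresholds
and the host name "sme" are assumptions.
"""
import re
from collections import Counter, defaultdict

SAMPLE_LOG = """\
Mar  3 10:01:02 sme sshd[2201]: Failed password for invalid user test from 203.0.113.7 port 40122 ssh2
Mar  3 10:01:04 sme sshd[2203]: Failed password for invalid user oracle from 203.0.113.7 port 40130 ssh2
Mar  3 10:01:06 sme sshd[2205]: Failed password for root from 203.0.113.7 port 40141 ssh2
Mar  3 10:01:08 sme sshd[2207]: Failed password for admin from 203.0.113.7 port 40150 ssh2
Mar  3 10:01:10 sme sshd[2209]: Failed password for root from 203.0.113.7 port 40160 ssh2
Mar  3 10:01:12 sme sshd[2211]: Accepted password for root from 203.0.113.7 port 40170 ssh2
Mar  3 10:05:00 sme sshd[2300]: Failed password for admin from 192.0.2.10 port 51000 ssh2
Mar  3 10:05:30 sme sshd[2302]: Accepted publickey for root from 192.0.2.10 port 51002 ssh2: RSA SHA256:exampleFingerprint
"""

# sshd writes "Failed password for invalid user NAME" for unknown accounts
# and "Failed password for NAME" for known ones; both are one attempt.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def iter_events(text):
    """Yield ("failed" | "accepted", ip, user, method) tuples in log order."""
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield "failed", m["ip"], m["user"], "password"
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield "accepted", m["ip"], m["user"], m["method"]


def find_brute_force(text, threshold=5):
    """Source IPs with at least `threshold` failed passwords, plus the user
    names they tried. Many distinct names from one address is a dictionary
    attack rather than a user who forgot a password."""
    failures = Counter()
    users = defaultdict(set)
    for kind, ip, user, _ in iter_events(text):
        if kind == "failed":
            failures[ip] += 1
            users[ip].add(user)
    return {ip: {"failures": n, "users": sorted(users[ip])}
            for ip, n in failures.items() if n >= threshold}


def find_success_after_failures(text, min_failures=3):
    """Password logins accepted from an address that had already failed
    `min_failures` times earlier in the log: the sign that a guess worked.
    Key-based logins are ignored, since a key cannot be guessed this way."""
    failures = Counter()
    hits = []
    for kind, ip, user, method in iter_events(text):
        if kind == "failed":
            failures[ip] += 1
        elif method == "password" and failures[ip] >= min_failures:
            hits.append((ip, user, failures[ip]))
    return hits


if __name__ == "__main__":
    for ip, info in find_brute_force(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried {info['users']}")
    for ip, user, n in find_success_after_failures(SAMPLE_LOG):
        print(f"ALERT: password login for {user!r} from {ip} after {n} failures")
```

With "Allow ssh using standard passwords" set to No, the "Accepted password" line can never appear, which is the point of that recommendation; the same script then only reports scanner noise, and the key-based login from 192.0.2.10 is not flagged because it carries no guessable secret.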

* SSH clients

A number of free software programs provide ssh clients for Windows, Macintosh or Linux. Several are extensions of existing telnet programs that add ssh functionality. Two lists of known clients can be found online at http://www.openssh.com/windows.html and http://www.freessh.org/.

A commercial ssh client is available from SSH Communications Security at http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.

=====FTP=====

Another way to upload or download files to and from your server is to enable FTP ("file transfer protocol"). This screen lets you set your policy for FTP. Note that allowing liberal FTP access to your server reduces your security: like telnet, plain FTP sends user names, passwords and file contents unencrypted, so prefer scp or sftp over ssh where you can. You have two options here.

FTP user account access: Private FTP access allows only people on your internal network to write files to your server. Public FTP access allows users both inside and outside your local network to read or write files on your server, provided they have an account and password. If, for example, you want to update your web site from home using FTP, you would choose "Public". We strongly recommend you leave this set to Private unless you have a specific reason not to.

FTP access limits: This sets an overall site-wide policy for FTP access. The setting you choose here overrides all other FTP settings on your server. For example, if you choose "Disable public FTP access" here and later configure an i-bay to allow public FTP access from the Internet, that access is still forbidden. One of the choices here disables any use of FTP completely.

=====Telnet=====

Telnet has traditionally been one of the tools used to log in remotely to other systems across a network or the Internet. However, telnet transmits all user names and passwords without any encryption, dramatically reducing the security of your server. Because ssh usage has reached an acceptable level, telnet access has been removed from the SME Server.

====Local networks====

Your SME Server provides services to machines on the local network and gives machines on that network special privileges and access. For example, only machines connected to the local network can use your server's mail server to send (relay) mail. When you configured your server, you gave it enough information to deduce its own local network. Machines on that network are automatically identified by the server as eligible for these privileges and access.

If your company has only one network being serviced by the server, you do not need to add any information here.

Some advanced users may wish to extend these privileges to more than one network of computers. If you would like your server to recognise one or more additional networks for those privileges, enter the network ID and subnet mask for each network here. Only add networks you control: every machine on a listed network gains the trust normally reserved for your LAN.

[[Image:Local-networks.png]]

{{Note box|Depending on the architecture of your network infrastructure, the instructions for configuring the client machines on that additional network may differ from those outlined in this guide. If you have questions about adding another network, contact Contribs.org and visit the forums.}}
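Both the Remote Management and the Local networks panels take entries of the form "address netmask", and a mistyped mask in either widens the trust far beyond what was intended. The Python below is an added example, not the server-manager's own code: it parses such entries with the standard ipaddress module, rejects masks that are not a proper contiguous netmask, tests whether a remote address is covered, and flags entries whose mask is so wide that they effectively open the panel to the whole Internet. The entries, the addresses probed and the /24 "risky" cut-off are constructed assumptions.

```python
"""Validate and test "address netmask" entries of the kind typed into the
SME Server Remote Management and Local networks panels.

Added example, not server-manager code. ALLOW_LIST and the addresses
checked are constructed; the /24 "risky" cut-off is an assumption.
"""
import ipaddress

ALLOW_LIST = [
    "223.102.19.24 255.255.255.255",  # one support workstation (a /32)
    "192.0.2.0 255.255.255.0",        # a branch office network (a /24)
]


def parse_entry(entry):
    """Turn '223.102.19.24 255.255.255.255' into an IPv4Network.

    strict=False lets a host address stand with a wider mask (the panel
    accepts 192.168.5.77 255.255.255.0 and means the /24). ipaddress also
    accepts Cisco-style wildcard masks such as 0.0.0.255, which the panel
    does not, so the netmask it derives must equal the one typed."""
    parts = entry.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'address netmask', got {entry!r}")
    addr, mask = parts
    # Raises ValueError for a non-contiguous mask such as 255.255.0.255.
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if str(net.netmask) != mask:
        raise ValueError(f"{mask} is a hostmask, not a netmask")
    return net


def load_allow_list(entries):
    """Parse every entry; one bad entry rejects the whole list rather than
    being silently skipped."""
    return [parse_entry(e) for e in entries]


def is_allowed(ip, nets):
    """True if the remote address falls inside any configured network."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in nets)


def risky_entries(nets, max_prefixlen=24):
    """Entries wider than a /24: almost always a mask typo. A mask of
    0.0.0.0 becomes 0.0.0.0/0 and matches every address on the Internet."""
    return [net for net in nets if net.prefixlen < max_prefixlen]


if __name__ == "__main__":
    nets = load_allow_list(ALLOW_LIST)
    for probe in ("223.102.19.24", "223.102.19.25", "192.0.2.200"):
        print(probe, "allowed" if is_allowed(probe, nets) else "denied")
    print("risky:", risky_entries(load_allow_list(["203.0.113.5 0.0.0.0"])))
```

Run the check against the entries you intend to type before saving them in the panel; the hostmask and contiguity checks catch the two mistakes that silently turn a single-host entry into a whole-network one.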

====Port forwarding====

Your SME Server can forward its ports to other machines.

[[Image:Port-forwarding.png]]

You can use the panel shown above to modify your firewall rules so as to open a specific port (or range of ports) on this server and forward it to a port on another host. Doing so permits incoming traffic from the Internet to reach a private host on your LAN directly.

{{Warning box|Misuse of this feature can seriously compromise the security of your network. Every forwarded port exposes a service on an internal host, with none of the server's own hardening, to the whole Internet. Do not use this feature lightly, or without fully understanding the implications of your actions.}}

====Proxy settings====

Your SME Server has a transparent HTTP proxy and a transparent SMTP proxy.

=====HTTP Proxy=====

The server's HTTP proxy reduces overall uplink usage by caching recently visited pages. It is transparent to web browsers that use this server as their gateway.

=====SMTP Proxy=====

The server's transparent SMTP proxy reduces virus traffic from infected client hosts by forcing all outgoing SMTP traffic through this server. If you wish to use an alternate SMTP server and this server is your gateway to it, disable this proxy. The three settings are:

- Disabled. Clients behind the SME Server may connect to any SMTP server anywhere in the world (that will accept them).

- Blocked. All SMTP traffic must go through the server and be authenticated. Any attempt to connect to an SMTP server other than the SME Server is blocked and behaves as if there were no SMTP server at the other end. (This is the new default.)

- Enabled. Any attempt to connect to an SMTP server other than the SME Server is redirected to the SME Server. If someone tries to connect to an external SMTP server (Gmail, for example), the connection is redirected to the SME Server; if the client is set to authenticate to that external server, it sends its user name and password to the SME Server instead of the external server, and the login fails. (This is the old default.)

Note: The server now (by default) requires email clients other than webmail to authenticate, and does not allow authentication over an unencrypted connection. If, for example, you are using Thunderbird, set the authentication method to "Normal password" and leave the connection security at STARTTLS or SSL/TLS.

[[Image:Proxy-settings.png]]