Changes

===== PPTP (VPN) =====

===== VPN =====

The Point-to-Point Tunnelling Protocol (PPTP) is used to create client-to-server Virtual Private Networks (VPNs) and was developed by the PPTP Forum, an industry group which included Microsoft and several other companies. A VPN is a private network of computers that uses the public Internet to connect some nodes. PPTP allows users to connect to their corporate networks across the Internet.

 

 

<!--The Point-to-Point Tunnelling Protocol (PPTP) is used to create client-to-server Virtual Private Networks (VPNs) and was developed by the PPTP Forum, an industry group which included Microsoft and several other companies. A VPN is a private network of computers that uses the public Internet to connect some nodes. PPTP allows users to connect to their corporate networks across the Internet.

Microsoft's PPTP implementation is widely used in the Windows world to provide remote access across the Internet. If you have a remote Windows system (for instance, a laptop or a home computer) that has access to the Internet, you can also access the information stored on your server.

Microsoft's PPTP implementation is widely used in the Windows world to provide remote access across the Internet. If you have a remote Windows system (for instance, a laptop or a home computer) that has access to the Internet, you can also access the information stored on your server.

{{Warning box|To protect your network, the SME Server enforces the use of 128-bit encryption for PPTP connections, rather than the 40-bit encryption provided in earlier versions of Microsoft's PPTP software. If you are unable to establish a PPTP connection to your server, you should visit http://windowsupdate.microsoft.com/ and download the appropriate update. Due to the dynamic nature of Microsoft's web site, the page may appear differently depending upon the version of Windows you are using. In most cases, you will want to look or search for Virtual Private Networking or a Dial Up Networking 128-bit encryption update . You may need to install the 40-bit encryption update first, and then install the 128-bit encryption update. Note that with Microsoft's ActiveUpdate process, if you are not presented with the choice for this update, it is most likely already installed in your system.}}

{{Warning box|To protect your network, the SME Server enforces the use of 128-bit encryption for PPTP connections, rather than the 40-bit encryption provided in earlier versions of Microsoft's PPTP software. If you are unable to establish a PPTP connection to your server, you should visit http://windowsupdate.microsoft.com/ and download the appropriate update. Due to the dynamic nature of Microsoft's web site, the page may appear differently depending upon the version of Windows you are using. In most cases, you will want to look or search for Virtual Private Networking or a Dial Up Networking 128-bit encryption update . You may need to install the 40-bit encryption update first, and then install the 128-bit encryption update. Note that with Microsoft's ActiveUpdate process, if you are not presented with the choice for this update, it is most likely already installed in your system.}}-->

 

===== Remote Management =====

===== Remote Management =====

To allow access to the /server-manager from remote networks add allowed IP addresses to the Remote Management section.

To allow access to the /server-manager from remote networks add allowed IP addresses to the Remote Management section.

To allow a single computer (or network of computers behind a firewall) add it's IP and the netmask.

To allow a single computer (or network of computers behind a firewall) add its IP and the netmask.

  223.102.19.24  255.255.255.255

  223.102.19.24  255.255.255.255

===== SSH =====

===== SSH =====

* Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system. In most cases we recommend setting this to No.

* Allow administrative command line access over ssh - This allows someone to connect to your server and login as "root" with the administrative password. The user would then have full access to the underlying operating system. This can be useful if someone is providing remote support for your system. In most cases we recommend setting this to No.

* Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server. See the [[SME_Server:Documentation:User_Manual:Chapter1#Securing_SSH_With_Public_.2F_Private_Keys| User Manual ]] for details

* Allow ssh using standard passwords - If you choose Yes (the default), users will be able to connect to the server using a standard user name and password. This may be a concern from a security point of view, in that someone wishing to break into your system could connect to your ssh server and repeatedly enter user names and passwords in an attempt to find a valid combination. A more secure way to allow ssh access is called RSA Authentication and involves the copying of an ssh key from the client to the server. See the [[SME_Server:Documentation:User_Manual:Chapter1#Securing_SSH_With_Public_.2F_Private_Keys| User Manual ]] for details

* TCP Port for secure shell access - Change the port the ssh client connects to the server, choose a  random free port eg. 822 This provides some protection from attacks on the usual port of 22.

* TCP Port for secure shell access - Change the port the ssh client connects to the server, choose a  random free port eg. 822. This provides some protection from casual attacks on the usual port of 22 and reduce log noise, but will not deter a serious attacker.

{{Note box|By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell.}}

{{Note box|By default, only two user names can be used to login remotely to the server: admin (to access the server console) and root (to use the Linux shell). Regular users are not permitted to login to the server itself. If you give another user the ability to login remotely to the server, you will need to access the underlying Linux operating system and manually change the user's shell.}}

* SSH clients

* SSH clients

A number of different free software programs provide ssh clients for use in a Windows, Macintosh or Linux environment. Several are extensions of existing telnet programs that include ssh functionality. A list of known clients can be found online at https://www.ssh.com/ssh/client, [https://www.ssh.com/ssh/putty/download putty] being the most popular  

A number of different free software programs provide ssh clients for use in a Windows, Macintosh or Linux environment. Several are extensions of existing telnet programs that include ssh functionality. A list of known clients can be found online at https://www.ssh.com/ssh/client, [https://www.ssh.com/ssh/putty/download PuTTY] being the most popular for Windows as it meets most requirements and is regularly updated. Linux workstations normally have direct ssh capability.

A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.

A commercial ssh client is available from SSH Communications Security at: http://www.ssh.com/products/ssh/download.html. Note that the client is free for evaluation, academic and certain non-commercial uses.

=====FTP=====

 

=====FTPs=====

Another way to upload or download files to and from your server is to enable a protocol called FTP, or "file transfer protocol". This screen enables you to set your policy for FTP. Note that allowing liberal FTP access to your server does reduce your security. You have two options that you can set here.

Another way to upload or download files to and from your server is to enable a protocol called FTP, or "file transfer protocol". This screen enables you to set your policy for FTP. Note that allowing liberal FTP access to your server does reduce your security. You have two options that you can set here.

FTP user account access: Private FTP access allows only people on your internal network to write files to your server. Public FTP access allows users both inside and outside your local network to read or write files on your server, provided they have an account and password. If, for example, you want to be able to update your web site from home using FTP, you would choose the "Public" setting. We strongly recommend you leave this as Private unless you have a specific reason to do so.

FTP user account access: Private FTP access allows only people on your internal network to write files to your server. Public FTP access allows users both inside and outside your local network to read or write files on your server, provided they have an account and password. If, for example, you want to be able to update your web site from home using FTP, you would choose the "Public" setting. We strongly recommend you leave this as Private unless you have a specific reason to do so.

FTP access limits: This allows you to set an overall site-wide policy for FTP access. The setting you choose here will override all other FTP settings on your server . For example, if you choose "Disable public FTP access" here and then later configure an i-bay to allow public FTP access from the Internet, such access will be forbidden. Note that one of the choices here allows you to completely disable any use of FTP.

FTP access limits: This allows you to set an overall site-wide policy for FTP access. The setting you choose here will override all other FTP settings on your server . For example, if you choose "Disable public FTP access" here and then later configure an i-bay to allow public FTP access from the Internet, such access will be forbidden. Note that one of the choices here allows you to completely disable any use of FTP.

=====Telnet=====

<!--=====Telnet=====

Telnet has traditionally been one of the tools used to login remotely to other systems across a network or the Internet. However, when you use telnet, all user names and passwords are transmitted without any kind of encryption, dramatically reducing the security of your server. Because ssh usage has increased to an acceptable level, telnet access has been removed from the SME Server

Telnet has traditionally been one of the tools used to login remotely to other systems across a network or the Internet. However, when you use telnet, all user names and passwords are transmitted without any kind of encryption, dramatically reducing the security of your server. Because ssh usage has increased to an acceptable level, telnet access has been removed from the SME Server-->

====Local networks====

====Local networks====