3

I have been tasked with setting up and supporting some computers for some people who have sociological problems. Troubled teens/adults and the like. They need computers to do very basic tasks like web browse, but they know little about computers and will delete and destroy anything they can without care.

So I am building some cheap white boxes and plan to put a locked down version of Ubuntu on it with some built in recovery options. Any suggestions on a ChromeOS like Distro would be appreciated.

My big problem is remote administration. They will not have a fixed IP and I won't control anything about the network. So port forwarding is out.

An option is to buy an EC2 and have each client connect with OpenVPN when they come online. I could then SSH in and fix problems. But EC2 is not free and I will not be making any money from this.

My preferred way is BotNet style. I have a friend that runs a private IRC server. I could set up a channel and have all the clients log in and I could issue commands. A remote bash shell to IRC gateway would be nice.

I do something like this only over XMPP with Nagios with my servers. It's real handy to quickly look down a list and see who is online, who is having problems, and issue commands.

Anyone know of such an IRC bot like a BotNet? Or any better way to do this?

Porch
  • 680
  • 5
  • 12
  • The problem with VPN or autoSSH back to me is that I live off laptops and portable devices since I am in the field a lot. The only device running at home is a small book PC fileserver and I am not comfortable using it as an SSH or VPN endpoint 24/7 for security reasons. It would also be a pain in the neck to admin as I would have to ssh into my box, then ssh into their box to see what is wrong. The IRC method would just require being in a chat and I can do that from anything/anywhere for a quick look. I may have to write my own bot if nothing better exists. – Porch May 07 '12 at 17:57

5 Answers

1

How about installing autossh on these boxes to open an ssh tunnel to a central remote admin server every time the box starts up. Through that connection, tunnel their ssh port so you can have full ssh access anytime you want.

Oliver
  • 5,883
  • 23
  • 32
1

A couple of options.

1) How about a reverse SSH Tunnel? http://www.howtoforge.com/reverse-ssh-tunneling It's simple and works behind NAT. Try it and see if it works.

Not really certain if you need to know the source IP always. That could be a problem.

2) Teamviewer for Linux. The way Teamviewer works is it starts a service that connects to the Teamviewer host (something you do not need to care about). You simply use the automatically generated ID to access the machine with a password. You can lock down the Teamviewer service so that users can't mess it up as well.

It gives you a full desktop experience, I'm not sure if that's an issue for you or not.

hookenz
  • 14,132
  • 22
  • 86
  • 142
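The reverse tunnel that Oliver's and hookenz's answers describe, written out as an added example (not code from either answer or from the howtoforge page). Assumed names: an always-on host you control at admin.example.org, an unprivileged account "tunnel" on it that only ever receives the client tunnels, a separate account "admin" you log in with, a "support" account on each client box, and one key pair plus one loopback port per client. The authorized_keys options below need OpenSSH 7.8 or newer on the server for permitlisten.

```shell
#!/bin/sh
# Added example for the reverse-SSH-tunnel answers; not from the original page.
# Assumptions: admin.example.org is your server, "tunnel" is an unprivileged
# account there that clients connect to, "admin" is your own account there,
# "support" is the admin account on each client box. Server needs OpenSSH 7.8+.

# The tunnel account has no root, so a client can only bind an unprivileged
# port on the server: accept 1024-65535 and nothing else.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Command each client runs from a boot-time service (argument 1: the loopback
# port on the server that maps to this client's sshd, argument 2: the client's
# private key). -M 0 turns off autossh's own monitor port and relies on the
# ServerAlive keepalives to notice a dead link; ExitOnForwardFailure makes ssh
# exit (so autossh restarts it) if the remote port could not be bound; -N
# requests no shell. The port is bound on the server's loopback only.
client_tunnel_cmd() {
    valid_port "$1" || return 1
    printf 'autossh -M 0 -N -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes -R 127.0.0.1:%s:127.0.0.1:22 -i %s tunnel@admin.example.org\n' "$1" "$2"
}

# The matching line in ~tunnel/.ssh/authorized_keys on the server. "restrict"
# switches everything off; "port-forwarding" switches forwarding back on;
# permitlisten limits the reverse forward to this client's own port;
# permitopen limits any -L forward the client might try to that same port
# (back into itself, so harmless); the forced command means a client that
# asks for a shell anyway only gets /bin/false.
server_authorized_keys_line() {
    valid_port "$1" || return 1
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s",permitopen="127.0.0.1:%s",command="/bin/false" %s\n' "$1" "$1" "$2"
}

# What you type from any laptop once a client's tunnel is up: hop through your
# own account on the server, then into the client's sshd on its loopback port.
admin_connect_cmd() {
    valid_port "$1" || return 1
    printf 'ssh -J admin@admin.example.org -p %s support@127.0.0.1\n' "$1"
}

# Sample run with a constructed public key (not a real key).
client_tunnel_cmd 2201 /etc/tunnel/id_ed25519
server_authorized_keys_line 2201 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyNotReal client-01'
admin_connect_cmd 2201
```

Give every client its own key and its own port: the key is what identifies the box (you revoke one client by deleting one line), and distinct ports keep the host keys apart in your known_hosts, which stores them as [127.0.0.1]:2201, [127.0.0.1]:2202 and so on. Nothing on the client's key line lets it open a shell or reach other hosts through the server, so a client box that gets tampered with can at most hold its own tunnel open.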
1

It's not exactly remote access, but if your friend has an IRC server, you could perhaps convince them to either set up ActiveMQ for MCollective, or a puppetmaster. This would allow you to run commands on multiple systems, or always ensure a system has a certain configuration.

becomingwisest
  • 3,278
  • 19
  • 17
0

I could not find a BotNET style program that fit my simple needs, but it was easy to make my own in Perl using an example I found.

If anyone wants it, enjoy. http://pastebin.com/S03aZW1f

Thanks for the help.

Porch
  • 680
  • 5
  • 12
-2

Consider using DynDNS and an NX server with ssh for remote desktop administration. Oliver's idea is a good suggestion too.

atx
  • 1,281
  • 1
  • 9
  • 25
  • DynDNS etc. won't work in a NATed network when you can't control port forwarding on the NAT router. – Sven May 07 '12 at 07:27
  • They will have port forwarding and DynDNS has a client that updates the DNS record for your dynamic IP. It's basically what the service is used for (Dynamic DNS). – atx May 07 '12 at 11:53
  • You don't understand the problem: He doesn't control the router and the port forwarding. With DynDNS you publish the public DNS address but you still don't have a way to connect to any machine inside the NATed network if you can't control the port forwarding. To reach any machine inside the network, you have to tell the router that it should forward e.g. port 2222 on the public address to port 22 on machine 192.168.23.23 inside the NATed network. If you don't control the port forwarding on the router, you can't do this mapping and therefore can't reach the machines inside the private network. – Sven May 07 '12 at 12:03
  • Oh I missed that part – atx May 07 '12 at 12:06