VPN / FTP (Arguably OT!)

Hi -

Son is going to college in September, and living in term-time accommodation there. I need a simple, reliable way for him to connect to our family LAN, where we share vast amounts of media & photos etc. The main file server on the home LAN is XP Pro, and files are currently served from 8 'themed' hard drives by simple file-sharing, shared folders (read only).

The home LAN is behind an ADSL NAT router with the usual port-mapping & firewall capabilities. Internet service is generic ADSL without a fixed IP address, but the router has a DynDNS updater so a consistent host name can be maintained.

He will be using a Windows 7 laptop via academic network (pretty fast & reliable, apparently). I don't want him, or any of his room-mates, to be able to move or delete anything, and I'd prefer not to give them a desktop access (eg VNC or LogMeIn) which could lead to experimentation. I would prefer not to have complex client software installed at his end, it'll inevitably stop working the day after he arrives. Better to have a LAN/Server based host which can accept generic connections, I think.

My perfect solution would be an FTP Folder-style view via web browser or Windows Explorer - just seeing the shared folders and contents, with the options only to view or copy to his laptop. It doesn't need a lot of security, maybe just a password to stop casual port-scanners from wasting my uploading bandwidth (although they're welcome to see our Christmas 2006 photos!). Would be nice to have it as a shared access which other friends or family members could view.

If anyone has any ideas or suggestions, I'd appreciate them ---

Thanks! Steve

Steve Walker

On *nix, I would install OpenSSH (secure shell server) and enable SFTP which is a secure variant of ftp that works over SSH. You can get GUI SFTP clients for windows.

I'm pretty sure you can get an SSH/SFTP server for windows.

This limits him to file access and shell terminal access (and that can be nobbled) over a secure encrypted link requiring a login. Easier than a VPN and more limited.

Your other problem re NAT can be solved in 2 ways:

1) Get a static IP address (may involve a new ISP)

2) Set up with [link] so that your one variable but public IP (that lives on the ADSL router) can be resolved from outside.

Then, in either case, set the ADSL router to either map the entire IP down to your main server PC, or port forward port 22 (SSH) to that PC.

There are a million other solutions too...

Tim Watts
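
An added example, not part of the post above: one way to set up the restricted OpenSSH SFTP access it describes, with the shell "nobbled" and the account limited to read-only file access. The account name `mediaguest` and the path `/srv/media` are assumptions chosen for illustration.

```conf
# /etc/ssh/sshd_config fragment (added example; account name and path are assumptions)

# Use the in-process SFTP server so the chroot needs no binaries or libraries
# inside it. This replaces any existing "Subsystem sftp" line; sshd rejects
# a config that defines the subsystem twice.
Subsystem sftp internal-sftp

# Keep root logins off a port that is forwarded from the internet.
PermitRootLogin no

Match User mediaguest
    # The chroot target and every parent directory must be owned by root and
    # not writable by group or others, otherwise sshd refuses the session.
    ChrootDirectory /srv/media
    # Force every session into SFTP; -R makes it read-only, so uploads,
    # deletes and renames are refused by the server itself.
    ForceCommand internal-sftp -R
    # No interactive terminal and no tunnelling into the home LAN.
    PermitTTY no
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Password login for this one account, as the original question asks for.
    PasswordAuthentication yes
```

Running `sshd -t` after editing checks the file for syntax errors before the service is restarted.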

I got Hamachi to work quite easily: [link]

It's free for non-commercial use.

Steve S (another one)

Refraining from saying how much easier under linux..some points.

I have done this (under Linux). Avoid windows file sharing over WANs. It's horribly slow.

FTP is good, but a shade trickier on the NAT..

I am not sure what FTP servers are available for windows, or whether they can be configured read only.

If possible use some arbitrary high number ports for it so the bot scanners won't pick you up and try and do stuff..or your whole hard drive appear on google etc.

Another possibility is to use a web server on windows: that's read only by default.

Be aware that the whole exercise may f*ck your bandwidth for considerable periods. You only have 448kbps upstream.

Consider buying some hosted space on a server somewhere and uploading everything to it as an alternative.

The Natural Philosopher

None of that sounds a major problem, as others have said. However, beware of any but the simplest solution - not only for the reasons you state, but because it might violate any terms of service on the academic network - be worth checking those.

Incidentally, you don't really make it clear if you have 'old' ADSL or something like ADSL2+. If the latter, TNP's point about swamping your upload bandwidth still applies, but it'll not be quite as bad as you'll probably have about 1Mb/s to play with. You may end up wanting to put in traffic shaping to limit what he does.

Lastly, if your ISP applies data transfer limits to 'uploads', your son could help to use that up rather quickly too.

Bob Eager

Thanks, that's all really helpful.

Steve Walker

Yeah, I just found that. It looks quite promising, thanks!

Steve Walker

Thanks Bob - I've often wanted to throttle the little sod, this might be my final opportunity... :o)

Steve Walker

TBH I'd do it using VPN and providing him access to local SMB shares. You may not think of security as high on the list, but it should be and a VPN solution will give him the ability to use the home network as if he were logged in locally.

I'd also suggest that the best way to do this is to get hold of a Draytek ADSL router because the built in VPN server is good and relatively easy to set up.

Steve Firth

... sends passwords in clear text. So I wouldn't use SFTP for anything.

Steve Firth

No it doesn't.

Huge

I think you mean FTP - SFTP is an SSH service, so unless you install a null cipher...

Tim Watts

OH, NO IT DOESN'T!

Bob Eager

Hmmm, NIST claims that it does. Or did in the last bulletin I had from them. Is it a version dependent feature? It's specifically banned from certain classes of network.

Steve Firth

Bluurt, brain fade. I now recognise what my "It's Sunday I'm not at work" brain was trying to tell me. It's banned because it's susceptible to man in the middle attacks, I'm really not concentrating on computery stuff on my days off anymore.

Steve Firth

Umm how many of you, exactly, are going to jump in on this?

Steve Firth

Indeed. I'm back at work at a uni again. Generally, two things will get a student in trouble:

1) Swamping bandwidth (that'll get him noticed and then they are liable to start looking more closely). But this won't be a problem vis the connection to home as the ADSL uplink is so pitiful compared to the uni connection.

2) Uploading/downloading "illegal" (real illegal and against uni T&Cs) materials - this generally includes copyright violations.

Some places do have fancy monitoring boxes that watch the entire uni connection (no mean feat when that might well be 10gig/sec or more) or at least monitor the feeds to student labs and accommodation.

However, TBF, they'd be hard pushed to introspect an SSH stream - and if the bandwidth is limited to ADSL upload rates, I doubt whether he'll either be noticed, or that they actually care that much. Bittorrent of illegal material however will get him busted pretty fast.

But it is something to watch out for if the OP has a collection of movies or music from dubious sources. If however, it's to view family photos or legit content, there'll almost certainly be no issues.

VPN might be against T&Cs if it in any way could lead to network problems. SSHFS or SFTP is unlikely to be a problem in itself.

Traffic shaping really does work very well. The ADSL modem might have the ability to do that, otherwise it could be done on the media PC.

Tim Watts

Yeah - already did that once today re immersion heaters :)

MITMA could be applied to so many things that once you get down that route you might as well give up.

I tend to work against a rule of "reasonable risk". Telnet and FTP are crap because the passwords are sent in the clear so that makes simple network sniffing useful (more of a problem than it used to be if people are picking up unsecured wifi).

But a MITMA requires somewhat more determination, skill and possibly access to parts of the network that might be difficult. So for everyday use, I gave up worrying too much otherwise we'd never get anything done :)

If we're talking bank, military or something else that might be the subject of skilled and determined crackers who have a goal, then it is a problem.

However, for joe bloggs and the vast amount of ordinary and academic uses, most of the attacks I see are worms, stupid script kiddies and botnet farmers looking to collect easy hosts for nefarious purposes. They tend to reap the low hanging fruit and are unlikely to be interested in determined hacking of a random unspecified PC on an ADSL link.

These days, I find SSH my friend. Only one thing to monitor and keep patched, one port through the firewall, filesystems can be accessed securely (enough IMHO) over it and almost anything else can be tunnelled through it, either via simple port-port tunnels or SOCKS5.

Cheers

Tim

Tim Watts

The problem is him swamping your upload bandwidth. When that happens your Internet connection will be locked solid and you won't be able to upload or download anything. That's likely to happen if he starts retrieving graphics files over an unthrottled connection.

Bernard Peek

I agree; remember I work at one too!

Bob Eager
