From: Moe Trin on 22 Dec 2009 20:27

On Mon, 21 Dec 2009, in the Usenet newsgroup comp.unix.bsd.freebsd.misc, in article <aaa47b0c-7ac7-4828-a906-598f3b9e3cfc(a)v30g2000yqm.googlegroups.com>, John Rushford wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically reduces the chance of your post being seen. Find a real news server.

>Moe Trin) wrote:
>> Why are you allowing everywhere else? World traveler who might be
>> in Kazakhstan, Kenya, Kiribati, Korea, or Kuwait tomorrow?

>I do travel, I spent 3 weeks in the Philippines the summer before
>last building homes with a church group in one of the provinces.

That was what - 15 months ago?

>It was handy to ssh into my mail server when I could get an internet
>connection. I had asterisk running on it back then and used it to
>make phone calls to relatives in the states.

"World travelers" are better suited using a crude port knocking technique. I'm _not_ referring to quickie connection attempts to 5 to 10 different ports in a given sequence, and using that as the authentication _replacement_ scheme. Rather, make a single attempt to some _unused_ (meaning closed) port such as 70/tcp, 113/tcp or similar. The firewall notes the (failed) connection attempt, and opens the port where the SSH server lives for a one minute period for the address that tried to connect. The remote has a minute to connect and the "established" rule then holds the port open for that "conversation". You mention using a port blocker thingy that's a perl script - you can do the same thing by just causing the script to monitor the logs for connection attempts to your secret port and making the temporary firewall rule change.

This isn't "security through obscurity" because when the port opens, you still have to supply the existing login and authentication tokens. All this is doing is dramatically reducing the number of people able to access the SSH server to run dictionary attacks by adding an additional hoop to jump through.

The concept isn't new - I worked at a place that used this technique to protect their "telnet" server, which might give a clue that it was close to twenty years ago. The reason I do not recommend complicated port knocking sequences is that they are a pain to set up, and those secret ports that you may want to use may be blocked by the firewall at the site you are trying to connect from. An example is port 25/tcp - smart providers block users trying to connect to that port on systems OUTSIDE of their net in an attempt to prevent being abused by spammers and causing the ISP to wind up on one or more DNSbl. If you as a customer want to send mail, you forward it to the local ISP's mail or mail-submission server, and they do the forwarding to the eventual destination (sendmail calls it "smarthost"). Some providers block direct web access, preferring you to connect through their proxy (for any number of reasons) as another example of blocked ports.

Words to live by: Don't overdo it - it's your foot you're shooting.

>So what to allow and what to block.....

The standard answer is to block address ranges that you don't have a reason to think you will need to use in the immediate future. 15 months is not "immediate".

>Currently, I have about 2300 blocked IP's in the table and have been
>watching it for a performance problem. Have not seen any problems
>thus far. I may fiddle with the script and keep track of when the
>rule was added and then have another script remove them after they've
>aged for say an hour.

That would work if you want to roll your own. There are a number of these tools around - most are some form of script. I don't bother using them, because my server only accepts connections from a limited number of addresses (and I do use the above style of port-knocking when traveling and not knowing the suitable addresses at the remote site).

>As far as using google groups is concerned, it's all I can find that's
>free.

The 'NOTE:' is automatically added by my news tool whenever I am replying to a post originating at google. The rationale is that there is enough spam/abuse from that source that people set their news tool to filter off such posts - and filtered means not seen or read. google is a search engine. So how about an article posted to the Usenet newsgroup "news.software.readers" on 3 Oct 2008 12:12:05 -0700 with Message-ID <qdWdnUqP5sgc83vVnZ2dnUVZ_s_inZ2d(a)earthlink.com> which lists a few, or hit the newsgroups "alt.free.newsservers" or "alt.comp.freeware". Here's an example snippet from one post:

--------
The following brief list of free text news servers is in alphabetical order without editorial comment. It's a short list. Check out the servers and decide for yourself which one is best for you. No one knows what works for you better than you do.

AIOE http://news.aioe.org/
Albasani http://albasani.net/index.html.en
CNNTP http://www.cnntp.org/cnntp
ETT http://news.ett.com.ua/
Eternal September (Formerly Motzarella) http://www.eternal-september.org/
Solani http://news.solani.org/
Tornevall http://news.tornevall.net/
Usenet4all http://www.usenet4all.se (blocks all posts from Google)
--------

Another place to look might be http://www.dmoz.org/Computers/Usenet/Public_News_Servers/

Old guy
From: Michael Sierchio on 23 Dec 2009 12:58

> "World travelers" are better suited using a crude port knocking
> technique. I'm _not_ referring to quickie connection attempts to 5
> to 10 different ports in a given sequence, and using that as the
> authentication _replacement_ scheme. Rather, make a single attempt
> to some _unused_ (meaning closed) port such as 70/tcp, 113/tcp or
> similar.

Far better to use one of the authenticated firewall traversal port knockers, such as doormand.

- M
From: Moe Trin on 23 Dec 2009 20:46

On Wed, 23 Dec 2009, in the Usenet newsgroup comp.unix.bsd.freebsd.misc, in article <97KdnQ-wJ8uzx6_WnZ2dnUVZ_vRi4p2d(a)speakeasy.net>, Michael Sierchio wrote:

>> "World travelers" are better suited using a crude port knocking
>> technique. I'm _not_ referring to quickie connection attempts to 5
>> to 10 different ports in a given sequence, and using that as the
>> authentication _replacement_ scheme. Rather, make a single attempt
>> to some _unused_ (meaning closed) port such as 70/tcp, 113/tcp or
>> similar.

>Far better to use one of the authenticated firewall traversal
>port knockers, such as doormand.

Is 'doormand' even being maintained? Latest I see is from 2005. What benefit does it offer? At what disadvantages? As I see it:

Benefit: Requires a UDP packet with known content that can only be used once.

What disadvantages: Requires some media to carry raw data and some tool to create the UDP packet. Lose that, and you are cut off. This implies that the tool to create the UDP packet will be dependent on the type of operating system at the remote site, and that you are allowed to run untrusted (to them) software on their system (or you are going to run it on a system you provide and that assumes they will allow you to connect to their network) and that their firewall isn't blocking the UDP ports you intend to use. It also seems to want to know the remote IP address _in_advance_ and if I knew that, I'd set the firewall in advance and not worry about this.

This technique won't work if you visited sites where I work. We/they don't allow non-company computers into the building, and few of the computers have the capability of any removable media. And these setups/rules are not unusual in secure environments. Sorry, but this program violates common sense, never mind the KISS rule.

Repeating: Words to live by: Don't overdo it - it's your foot you're shooting.

The whole idea of the simple knock technique is that it requires nothing special on the remote computer - if that system has an SSH client, you can use that client to knock the port by telling it to connect to the knock port rather than the actual port where the SSH server is hiding. _Nothing_ else is needed.

Oh, did someone sniff your knock and recognize it as such? Well, then you are no worse than if you weren't using port knocking, because the bad guy still has to guess the username and authentication mechanism. You aren't going to allow 'root' or 'toor' to SSH in without a password (or use something complicated like the 86 passwords that the 'deloader' worm of 2003 used to 0wn a shedload of windoze boxes) are you? Port knocking is NOT a replacement for proper authentication. Its sole purpose is to reduce the probability of the bad guys doing dictionary attacks on the server they happened to find.

Old guy
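The single-knock scheme described in the two posts above (one failed connection to a closed port opens SSH to that source address for a minute; the "established" rule keeps a session alive afterwards), as an added example that is not code from the thread: a Python watcher that parses pf log lines for SYNs to the knock port and emits the pfctl commands that add or expire the source in a firewall table. The pf.conf rules, the table name <ssh_knock> and the log lines are my assumptions and constructed samples.

```python
"""Single-knock watcher (added example): read pf's log for SYNs to a closed
'knock' port and admit that source to the SSH port for 60 seconds.

Assumed pf.conf (table name and rules are assumptions, not the poster's):
    table <ssh_knock> persist
    block in all
    block return in log quick on $ext_if proto tcp to ($ext_if) port 70
    pass in quick on $ext_if proto tcp from <ssh_knock> to ($ext_if) port 22 \
        flags S/SA keep state
Deleting a table entry does not kill states already created, so a session
that got in stays up after its window closes (the "established" behaviour).
"""
import re

KNOCK_PORT = 70     # closed port the traveller knocks with e.g. `ssh -p 70 host`
SSH_WINDOW = 60     # seconds the source stays in <ssh_knock>

# pflog as printed by `tcpdump -n -e -ttt -i pflog0`:
#   "... block in on em0: SRC.SPORT > DST.DPORT: Flags [S], ..."
LOG_RE = re.compile(r"block in on \S+: (\d+\.\d+\.\d+\.\d+)\.\d+ > "
                    r"\d+\.\d+\.\d+\.\d+\.(\d+): Flags \[S\]")

def knock_source(line):
    """Source address if the line is a SYN to the knock port, else None."""
    m = LOG_RE.search(line)
    return m.group(1) if m and int(m.group(2)) == KNOCK_PORT else None

class KnockTable:
    """Mirror of the pf table: address -> time it was admitted."""
    def __init__(self):
        self.opened = {}

    def observe(self, line, now):
        """Feed one log line; return the pfctl command to run, or None."""
        src = knock_source(line)
        if src is None:
            return None
        self.opened[src] = now          # a repeat knock refreshes the window
        return f"pfctl -t ssh_knock -T add {src}"

    def expire(self, now):
        """Drop entries older than SSH_WINDOW; return the pfctl commands to run."""
        stale = [a for a, t in self.opened.items() if now - t >= SSH_WINDOW]
        for a in stale:
            del self.opened[a]
        return [f"pfctl -t ssh_knock -T delete {a}" for a in stale]

# Constructed sample log lines (not real traffic): a knock, a non-knocked SSH
# attempt the watcher rightly ignores, and a knock from a second address.
SAMPLE_LOG = [
    "000000 rule 2/0(match): block in on em0: 203.0.113.45.51234 > 198.51.100.7.70: Flags [S], seq 1",
    "000012 rule 0/0(match): block in on em0: 192.0.2.9.40000 > 198.51.100.7.22: Flags [S], seq 2",
    "000030 rule 2/0(match): block in on em0: 192.0.2.9.40001 > 198.51.100.7.70: Flags [S], seq 3",
]
```

The knock and the SSH connection must arrive from the same public address, which holds for a NATed hotel or office network as long as both go out the same way.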
From: Michael Sierchio on 23 Dec 2009 22:54

Moe Trin wrote:
> Benefit: Requires a UDP packet with known content that can only
> be used once.

Not known content - authenticated content that requires proof-of-possession of a private key of a registered user, using the Diffie-Hellman pairwise master secret.
From: Frank Merlott on 27 Dec 2009 21:53

On Wed, 23 Dec 2009 02:28:42 +0100, Moe Trin <ibuprofin(a)painkiller.example.tld.invalid> wrote:

> On Tue, 22 Dec 2009, in the Usenet newsgroup comp.unix.bsd.freebsd.misc,
> in article <hgpl6a$rp7$1(a)news.albasani.net>, bob prohaska's usenet account
> wrote:
>
>> I've tried news.albasani.net and news.eternal-september.org, the
>> former seems to work well. Didn't have much luck (nor try very hard)
>> with the latter.
>
> A quick glance through my news spool suggests eternal-september.org
> may be more popular, but popularity is a personal opinion only.
>

I am posting this through eternal-september and so far so good. I have been with them for a month, no downtime, great wide range of groups and great support at their own eternal-september.moderated group. SSL supported and posting IP is concealed.

--
http://www.privacylover.com