Re: doing an ssh into a compromised host

2004-11-03 Thread Dariush Pietrzak
> Thanks for the idea.  However, ssh-agent has to speak the ssh-agent
> challenge-response protocol, and provides no way to call out to another
> program for pass-phrases.  So hooking it up to quintuple-agent would
> require some work, I believe.
it would be easier to hack ssh-agent to pop up a message 
  'host sth requested auth .. grant yes/no?'
(although hack would be easy, doing this correctly may require some work)

-- 
Dariush Pietrzak,
Key fingerprint = 40D0 9FFB 9939 7320 8294  05E0 BCC7 02C4 75CC 50D9


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: doing an ssh into a compromised host

2004-11-03 Thread Andrew Pimlott
On Wed, Nov 03, 2004 at 10:17:22AM +, Marcus Williams wrote:
> On 03/11/2004, Andrew Pimlott wrote:
> > Do you have such a thing?  I would absolutely love an ssh agent that
> > only asks for pass-phrases as needed, times them out eventually, and
> > can prompt before answering a challenge.
> 
> quintuple-agent does something like this. Not sure if it supports ssh
> or not - its really for gpg and such. Looks like you could write a
> wrapper script so that it supported ssh though.

Thanks for the idea.  However, ssh-agent has to speak the ssh-agent
challenge-response protocol, and provides no way to call out to another
program for pass-phrases.  So hooking it up to quintuple-agent would
require some work, I believe.

Andrew
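The per-use confirmation Dariush proposes, and the protocol point Andrew makes above, as an added example (not code from either poster or from OpenSSH; current OpenSSH already offers this behaviour through `ssh-add -c` and `-t`). It shows the minimum a wrapper between a client and the real agent has to understand of the ssh-agent wire protocol (uint32 length, byte type, payload) in order to refuse a signing request unless a yes/no prompt approves it. The socket plumbing and the `confirm` callback are assumptions; the message type values are those of the ssh-agent protocol.

```python
import struct

# Message types from the ssh-agent wire protocol (draft-miller-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH2_AGENTC_REQUEST_IDENTITIES = 11
SSH2_AGENTC_SIGN_REQUEST = 13


def frame(msg_type, payload=b""):
    """Encode one agent message: uint32 length, byte type, payload."""
    return struct.pack("!IB", len(payload) + 1, msg_type) + payload


def unframe(buf):
    """Split one complete message off the front of buf -> (type, payload, rest),
    or None if buf does not yet hold a whole message (streams can fragment)."""
    if len(buf) < 5:
        return None
    (length,) = struct.unpack("!I", buf[:4])
    if length < 1 or len(buf) < 4 + length:
        return None
    return buf[4], buf[5:4 + length], buf[4 + length:]


def ssh_string(data):
    """Encode an SSH 'string': uint32 length prefix followed by the bytes."""
    return struct.pack("!I", len(data)) + data


def read_string(payload, off):
    """Decode an SSH 'string' at offset off -> (bytes, new offset)."""
    (n,) = struct.unpack("!I", payload[off:off + 4])
    return payload[off + 4:off + 4 + n], off + 4 + n


def gate(request, confirm):
    """Decide whether one client message may be forwarded to the real agent.

    confirm(key_blob, data) is the yes/no prompt (hypothetical callback).
    Returns (forward, reply): forward=True means pass the message through;
    otherwise reply is the SSH_AGENT_FAILURE frame to send to the client,
    so no signature is ever produced for that request."""
    msg_type, payload, _ = unframe(request)
    if msg_type != SSH2_AGENTC_SIGN_REQUEST:
        return True, b""      # e.g. listing identities needs no confirmation
    key_blob, off = read_string(payload, 0)   # public key the client wants used
    data, _ = read_string(payload, off)       # session data to be signed
    if confirm(key_blob, data):
        return True, b""
    return False, frame(SSH_AGENT_FAILURE)
```

Run as a Unix-socket proxy, the gate sits in front of the forwarded agent socket, so a compromised remote host can list keys but cannot obtain a signature without the local user seeing a prompt.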





TCP SYN packets which have the FIN flag set.

2004-11-03 Thread Luis Pérez Meliá
Is this a serious problem?

When I pass Nessus:

Test ID: 11618
Category: Firewalls
Title: Remote host replies to SYN+FIN
Summary: Sends a SYN+FIN packet and expects a SYN+ACK
Description:
The remote host does not discard TCP SYN packets which
have the FIN flag set.

Depending on the kind of firewall you are using, an
attacker may use this flaw to bypass its rules.

See also : http://archives.neohapsis.com/archives/bugtraq/2002-10/0266.html
http://www.kb.cert.org/vuls/id/464113

Solution : Contact your vendor for a patch
Risk factor : Medium
Cross-Ref: BugTraq ID: 7487

Thanks,



--

 .''`.     Luis Pérez Meliá
: :'  :    
`. `'` 
  `-  Debian GNU/Linux
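The flag combination the Nessus check (ID 11618) sends, classified the way a packet filter or IDS would, as an added example that is not part of the post. A SYN with FIN set is never legitimate, so a correct stack or firewall drops it silently; on Linux the usual netfilter rule is `iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP`. The header bytes below are constructed, not captured.

```python
import struct

# TCP flag bits in header byte 13 (the six classic flags).
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
             "PSH": 0x08, "ACK": 0x10, "URG": 0x20}


def tcp_flags(segment):
    """Return the set of flag names set in a raw TCP header (>= 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    flag_byte = segment[13]   # bytes 12-13: data offset, reserved, flags
    return {name for name, bit in TCP_FLAGS.items() if flag_byte & bit}


def classify(segment):
    """Label the flag combination the way a stateful filter would.

    SYN+FIN is what the Nessus plugin sends; replying with SYN+ACK instead
    of discarding it is exactly what the plugin reports."""
    flags = tcp_flags(segment)
    if {"SYN", "FIN"} <= flags:
        return "invalid: SYN+FIN"
    if {"SYN", "RST"} <= flags:
        return "invalid: SYN+RST"
    if not flags:
        return "invalid: null (no flags)"
    if flags == {"SYN"}:
        return "connection request"
    return "other"


def build_tcp_header(sport, dport, flags):
    """Construct a minimal 20-byte TCP header for local testing (constructed
    sample, nothing is sent; checksum left zero)."""
    flag_byte = 0
    for name in flags:
        flag_byte |= TCP_FLAGS[name]
    # seq, ack, data offset (5 words) << 4, flags, window, checksum, urgent ptr
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_byte,
                       65535, 0, 0)
```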

Re: Pseudo-cluster firewall

2004-11-03 Thread Michael Stone
On Wed, Nov 03, 2004 at 11:47:09AM +, Duncan Simpson wrote:
> The usual advice is *not* to connect two firewalls in parallel, lest
> traffic that should not get through can do so via the other.

That's fairly silly advice. The only way that could happen is if you
misconfigure the firewalls. You can do that as easily with one as with
two.
Mike Stone


Re: Pseudo-cluster firewall

2004-11-03 Thread Duncan Simpson
On Tue, 2004-11-02 at 19:55, Raffaele D'Elia wrote:
> Hi all,
> 
> I have a firewall with 3 NICs (LAN,DMZ,ROUTER); this is a single point of
> failure, of course! I've decided to build a backup firewall, with similar
> hardware (just in case) and the same config.
> Now the problem: I have only a cross-over cable from the router to the
> firewall, so I cannot connect the backup firewall.


The usual advice is *not* to connect two firewalls in parallel, lest
traffic that should not get through can do so via the other. You could keep the
other firewall as a spare that can be quickly applied if your current
one fails. (I use a known clean CD image in a similar fashion).

Solid state switches are pretty reliable these days but I cannot get one
in a box for the middle of an ethernet cable, so you would have to make
one---the components are cheap but breadboard and scopes are not.





Re: doing an ssh into a compromised host

2004-11-03 Thread Marcus Williams
On 03/11/2004, Andrew Pimlott wrote:
> Do you have such a thing?  I would absolutely love an ssh agent that
> only asks for pass-phrases as needed, times them out eventually, and
> can prompt before answering a challenge.

quintuple-agent does something like this. Not sure if it supports ssh
or not - it's really for gpg and such. Looks like you could write a
wrapper script so that it supported ssh though.

Marcus

-- 
Marcus Williams -- http://www.quintic.co.uk
Quintic Ltd, 39 Newnham Road, Cambridge, UK
  This message is private [ ] public [*]

