Re: [Leaf-user] weblet howto, Updated again
On Thu, 24 Jan 2002, Jon Clausen wrote:
> scheme, though:
>
> 1. A laptop is inherently in danger of getting 'lost'. If that should happen,
> having the laptop (and the firewall) being configured so the laptop has a
> (semi) automatic capability to write to hosts.allow would maybe make it a
> little too easy for anyone who happens to 'find' it to gain access to the
> firewall...
>

This is worrisome, and I have had a laptop walk off before.

> 2. Said laptop might very well be some sort of windows-entity. And although
> one *might* be able to create such a script for that platform, I would *not*
> like the idea of letting windows have root-access to my firewall... If you
> know what I mean.
>

This threat depends on the hosts involved; my work laptop is a Win2K installation using Perl or bash on Cygwin for any scripting needs (mainly creating PDFs and bzip2 backups). It'd be a funny rootkit that looked for Cygwin... but if the script is written as a DOS batch file (is that possible?) or set up with some super easy "click here to steal my stuff" icon

> Maybe I'm just too paranoid, or maybe it's just that I'm a newbie in this
> field, but writing to hosts.allow like that, on a routine basis... it just
> seems... well... insecure?
>

Well if you really wanted it secure it'd be powered off :-) All of the ideas that have been posted can be compromised by a sufficiently determined bad guy; the point is to make it harder than the probable attacker will want to deal with. So if you look at laptop theft, chances are good they will spend an hour looking around for goodies, then wipe it for their own use or fence it (though apparently there are mouth-breathers that just use the stolen laptop and get caught, like that thing on /. today).

> I must say that I like the idea better, of having a script on the firewall
> listen on a predetermined port, for some kind of identifier, and then open up
> for traffic from the laptop IP. And having this happen dynamically, so you
> get one session at a time...
>

And of course the loophole closes after an hour. It would be really nifty to make the port increment by your favorite number every time you use it :-) Too bad my work has a good security policy, I can't get shell to save my life so I can't use all these tricks :-)

> > If the laptop is on a private network, then the script uses
> > the NAT gateway ip. Determining the NAT ip could get tricky,
> > but can be done easily enough with a script that when called
> > makes traffic to somewhere that responds with the NAT ip.
>
> Sounds reasonable. Something like calling whatismyip.com or somesuch
> perhaps?
>
> This is getting very interesting :)
>
> Jon

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...

___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
Re: [Leaf-user] weblet howto, Updated again
At 2002-01-24 15:25 -0600, guitarlynn wrote:
>I just saw your page I don't like the new fonts... the old ones
>were much easier to see.

Lynn,
The font change is a result of using utf-8 instead of iso-8859-1. It will revert back to the iso font when viewed on SF. They control the header information for DocManager documents. It will use your browser's default when viewing it in our pub/doc tree.

The reason for specifying utf-8 in tidy is unicode compatibility. Take a look at this page for an example of what you can do.
http://www.unicode.org/iuc/iuc10/x-utf8.html

I'm trying to think ahead for our i18n users. I know we have a lot of German speaking users and some Spanish too.
e.g. http://leaf.sourceforge.net/devel/ericw/

-- 
Mike Noyes <[EMAIL PROTECTED]>
https://sourceforge.net/users/mhnoyes/
http://leaf.sourceforge.net/content.php?menu=1000&page_id=4
Re: [Leaf-user] weblet howto, Updated again
> > The answer to the remote thing would be to have a script
> > loaded on your remote laptop that, when run, determines the
> > laptop ip and writes a one line file containing:
> >
> > sh-httpd: ip.add.re.ss/255.255.255.255
> >
> > to the laptop temp directory, and then uses scp or ssh or rsync
> > to append that one line temp file to the LEAF box /etc/host.allow.

Close, but no cookie yet. /etc/hosts* accepts FQDNs, so why not just enter the host.dyndns.org FQDN. I can't say if sh-httpd will off the top of my head, but you could either limit control to /etc/hosts.allow and open sh-httpd to 0/0 or simply hack the ip with something like the ping utility (that sets the FQDN to ip in some variable form) like:

ping FQDN | grep $SOME_VARIABLE | (set a global variable)

I would think that sh-httpd would allow some kind of FQDN filtering though.

I just saw your page I don't like the new fonts... the old ones were much easier to see.

-- 
~Lynn Avants
aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] weblet howto, Updated again
On Thursday 24 January 2002 20:07, Matt Schalit wrote:
> Jon Clausen wrote:
> > > I put the draft at: http://bund.dk/~jon/weblethowto-pub.html
> >
> > O.k. done. Yet again. This time, take a look at the bottom left corner ;)
>
> N1 Jon,

Thanks

> The answer to the remote thing would be to have a script
> loaded on your remote laptop that, when run, determines the
> laptop ip and writes a one line file containing:
>
> sh-httpd: ip.add.re.ss/255.255.255.255
>
> to the laptop temp directory, and then uses scp or ssh or rsync
> to append that one line temp file to the LEAF box /etc/host.allow.

Hmm. Yeah I guess this would work. I have two objections to this kind of scheme, though:

1. A laptop is inherently in danger of getting 'lost'. If that should happen, having the laptop (and the firewall) being configured so the laptop has a (semi) automatic capability to write to hosts.allow would maybe make it a little too easy for anyone who happens to 'find' it to gain access to the firewall...

2. Said laptop might very well be some sort of windows-entity. And although one *might* be able to create such a script for that platform, I would *not* like the idea of letting windows have root-access to my firewall... If you know what I mean.

Maybe I'm just too paranoid, or maybe it's just that I'm a newbie in this field, but writing to hosts.allow like that, on a routine basis... it just seems... well... insecure?

I must say that I like the idea better, of having a script on the firewall listen on a predetermined port, for some kind of identifier, and then open up for traffic from the laptop IP. And having this happen dynamically, so you get one session at a time...

> If the laptop is on a private network, then the script uses
> the NAT gateway ip. Determining the NAT ip could get tricky,
> but can be done easily enough with a script that when called
> makes traffic to somewhere that responds with the NAT ip.

Sounds reasonable. Something like calling whatismyip.com or somesuch perhaps?

This is getting very interesting :)

Jon
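Editor's added example (not code from any of the posters, and not part of the weblet howto): the thread has three loose ends that a firewall-side script would have to settle before anything is appended to /etc/hosts.allow. Lynn's "ping FQDN | grep ..." idea needs the extracted text checked before it is trusted, since whatever the resolver hands back is what ends up in the allow file; Jon's objection is that the laptop should not be writing the file blindly; and Jack's "the loophole closes after an hour" needs the entry to carry an expiry so something can remove it again. The POSIX sh functions below do only that bookkeeping: validate a dotted quad, build the sh-httpd rule quoted above, pull an address out of ping's first output line, and add or expire time-stamped rules. ALLOW_FILE, the function names, the "# expires" marker and the sample ping line are this example's own assumptions; ALLOW_FILE defaults to a scratch file, not the live /etc/hosts.allow.

```shell
#!/bin/sh
# Added example: validated, expiring hosts.allow rules for the sh-httpd weblet.
# Everything here is the editor's own; names and the sample ping output are
# constructed for the example. ALLOW_FILE is assumed to be a scratch copy.
ALLOW_FILE="${ALLOW_FILE:-./hosts.allow.example}"

# Constructed sample of ping's first output line for a dynamic-DNS name.
SAMPLE_PING='PING host.dyndns.org (192.0.2.10) 56(84) bytes of data.'

# valid_ipv4 A.B.C.D -> 0 only for four decimal octets in 0..255.
# A hostname, an empty string, stray dots or shell metacharacters all fail,
# so nothing but a literal address can reach the allow file.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# allow_line ADDR -> the single-host rule proposed in the thread (/32 mask).
allow_line() {
    valid_ipv4 "$1" || return 1
    printf 'sh-httpd: %s/255.255.255.255\n' "$1"
}

# ip_from_ping "PING name (a.b.c.d) ..." -> a.b.c.d, or failure.
# Takes the text between the first parentheses of the first line (which is
# where ping prints the resolved address) and refuses anything that is not
# a dotted quad, so resolver output is never written verbatim.
ip_from_ping() {
    addr=$(printf '%s\n' "$1" | sed -n '1s/^[^(]*(\([^)]*\)).*$/\1/p')
    valid_ipv4 "$addr" || return 1
    printf '%s\n' "$addr"
}

# add_temp_allow ADDR SECONDS [NOW] -> append a rule that expires NOW+SECONDS.
# hosts_access(5) treats '#' as a comment only at the start of a line, so the
# expiry stamp goes on its own line directly before the rule it belongs to.
add_temp_allow() {
    line=$(allow_line "$1") || return 1
    now=${3:-$(date +%s)}
    expires=$((now + $2))
    printf '# expires %s\n%s\n' "$expires" "$line" >> "$ALLOW_FILE"
}

# expire_allow [NOW] -> remove every stamped rule whose stamp is <= NOW,
# leave unstamped (permanent) rules alone, print how many rules were removed.
expire_allow() {
    now=${1:-$(date +%s)}
    [ -f "$ALLOW_FILE" ] || { echo 0; return 0; }
    before=$(wc -l < "$ALLOW_FILE" | tr -d ' ')
    tmp="$ALLOW_FILE.tmp"
    awk -v now="$now" '
        /^# expires [0-9]+$/ { if ($3 + 0 <= now) { skip = 1; next } }
        skip { skip = 0; next }   # drop the rule line that followed an expired stamp
        { print }
    ' "$ALLOW_FILE" > "$tmp" && mv "$tmp" "$ALLOW_FILE"
    after=$(wc -l < "$ALLOW_FILE" | tr -d ' ')
    echo $(( (before - after) / 2 ))
}
```

Typical use would be "add_temp_allow $(ip_from_ping "$(ping -c1 host.dyndns.org)") 3600" from whatever trigger you settle on, and "expire_allow" from cron every few minutes; both only ever write a rule that passed valid_ipv4, and the stamp line is what lets the cron job tell Jack's one-hour hole from a permanent entry.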