> On Wed, 7 May 2003 08:53:40 +0200 Michael Bergbauer
> <[EMAIL PROTECTED]> writes:
> If you
> > think SSH (or any other component) is not trustworthy, just look for
> > alternatives (or create them yourself).
>
> what would be a more secure alternative to ssh?
>
what about ssh over vpn (vtun, openvpn
On Wed May 07, 2003 at 03:37:21PM -0400, Robert B Wilson wrote:
>
> On Wed, 7 May 2003 08:53:40 +0200 Michael Bergbauer
> <[EMAIL PROTECTED]> writes:
> If you
> > think SSH (or any other component) is not trustworthy, just look for
> > alternatives (or create them yourself).
>
> what would be a
On Wed, May 07, 2003 at 11:27:16AM +0200, Tim van Erven wrote:
> On Wed, 07/05/2003 07:40 +0200, Hans Spaans wrote:
> >
> > How are you going to handle firewalls and stuff? This because you need
> > to accept traffic for those ports.
>
> You always need to let the trigger through your firewall.
On Wed, 7 May 2003 12:48:45 +0200 Alexander Reelsen <[EMAIL PROTECTED]>
writes:
> > what if the trigger sequence changed each time? then if someone
> > intercepted the trigger sequence, it wouldn't do them any good,
> unless
> > they collected enough trigger sequences to be able to determine
>
On Wed, 7 May 2003 08:53:40 +0200 Michael Bergbauer
<[EMAIL PROTECTED]> writes:
If you
> think SSH (or any other component) is not trustworthy, just look for
> alternatives (or create them yourself).
what would be a more secure alternative to ssh?
> Michael Bergbauer <[EMAIL PROTECTED]>
--
Ro
On Wednesday 07 May 2003 13:54, Jay Kline wrote:
> This is still prety complex, if the end result is just to allow access to
> port 22.
>
> SSH is pretty secure, there have been very few problems with ssh that allow
> someone without an account to gain access to the system its on. If you
> take a
On Tuesday 06 May 2003 06:29 pm, Alain Tesio wrote:
> On Tue, 06 May 2003 13:07:24 -0500
>
> Mark Edgington <[EMAIL PROTECTED]> wrote:
> > it doesn't matter if others are
> > connecting to port 80, etc. while he is doing these connections, as long
> > as no-one else is trying to connect to any of t
Hi
On Tue, May 06, 2003 at 11:26:35PM +0200, Horst Pflugstaedt wrote:
> On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> > 2) the port(s) to make available upon receiving this trigger sequence
> > 3) whether the ports to be made available are available for a) the next n
> > conne
Hi
On Tue, May 06, 2003 at 06:22:54PM -0600, Will Aoki wrote:
> I believe that there are rootkits in the wild which do this.
Yepp. Found some standard rootkits with that thing as addition.
> Although I can't find the reference I had to it, I believe that some
> listen for traffic on a rare or una
Hi
On Tue, May 06, 2003 at 10:05:49PM -0400, Robert B Wilson wrote:
> On Tue, 06 May 2003 20:13:41 + Deger Cenk Erdil
> <[EMAIL PROTECTED]> writes:
> > But, if I can intercept your "trigger sequence messages" as an
> > attacker
> > on your subnet, or even on the Net, I can replicate the same
my idea is to add some rules to iptables eg
iptables -A INPUT -p tcp --dport 1985 -j LOG --prefix "key port 1:"
iptables -A INPUT -p tcp --dport 1985 -j DROP
iptables -A INPUT -p tcp --dport 12731 -j LOG --prefix "key port 2:"
iptables -A INPUT -p tcp --dport 12731 -j DROP
iptables -A INPUT -p
On Wed, 07/05/2003 07:40 +0200, Hans Spaans wrote:
> On Wed, May 07, 2003 at 01:14:04AM +0200, Tim van Erven wrote:
>> On Tue, 06/05/2003 13:07 -0500, Mark Edgington wrote:
>>> incorporate functionality into inetd/xinetd/rinetd which listens for a
>>> predefined sequence of connection attempts on
Mark Edgington wrote:
Hi,
[..]
Guess it's not a very good idea. An attacker could find out your
sequence by listening to your traffic. So there is no additional
security from your trigger.
There is a very simple Denial-Of-Service Attack to such a system, for
someone who can listen to you
On Tue May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> Hi,
> I'm not sure whether this idea has been considered or implemented
> anywhere, but I have been thinking about it, and believe it would provide a
> fairly high-level of security for systems which only run a few public
> serv
On Wed, May 07, 2003 at 01:14:04AM +0200, Tim van Erven wrote:
> On Tue, 06/05/2003 13:07 -0500, Mark Edgington wrote:
> > incorporate functionality into inetd/xinetd/rinetd which listens for a
> > predefined sequence of connection attempts on certain ports. Upon noticing
> > the correct sequenc
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, 06 May 2003 20:13:41 + Deger Cenk Erdil
<[EMAIL PROTECTED]> writes:
> But, if I can intercept your "trigger sequence messages" as an
> attacker
> on your subnet, or even on the Net, I can replicate the same
> sequence
> quite easily!
Hi.
There are two serious problems to this security scheme, either of which
would be enough to make it not worthwhile to implement.
1) Ease of implementation. To implement this security measure for, let's
say, ssh, every legitimate user would need special ssh client software, or
a software wra
On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> Hi,
> I'm not sure whether this idea has been considered or implemented
> anywhere, but I have been thinking about it, and believe it would provide a
> fairly high-level of security for systems which only run a few public
> se
On Tue, 06 May 2003 13:07:24 -0500
Mark Edgington <[EMAIL PROTECTED]> wrote:
>
> it doesn't matter if others are
> connecting to port 80, etc. while he is doing these connections, as long as
> no-one
> else is trying to connect to any of the ports in the trigger-sequence list --
> this is
>
On Tue, 06/05/2003 13:07 -0500, Mark Edgington wrote:
> incorporate functionality into inetd/xinetd/rinetd which listens for a
> predefined sequence of connection attempts on certain ports. Upon noticing
> the correct sequence (as specified somewhere in the config file), it opens
> up certain p
On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> Hi,
> I'm not sure whether this idea has been considered or implemented
> anywhere, but I have been thinking about it, and believe it would provide a
> fairly high-level of security for systems which only run a few public
> se
Hi
On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> I'm not sure whether this idea has been considered or implemented
> anywhere, but I have been thinking about it, and believe it would provide a
> fairly high-level of security for systems which only run a few public
> serv
Looks like a good idea. I am not sure it has been implemented, but it has
some problems though.
About the case if someone is connected to your "secret sequence" ports,
you can configure your machine so that there will be a server that is
always listening to those ports and not allowing any con
Hi,
I'm not sure whether this idea has been considered or implemented anywhere, but I
have been thinking about it, and believe it would provide a fairly high-level of
security for systems which only run a few public services. The gist of it is this:
incorporate functionality into inetd/xinetd