OT: Free OpenSource JAD/J2EE WAP SSH Client for Phones

Charles Jones charles.jones at ciscolearning.org
Tue Nov 25 17:56:41 MST 2008


Lisa Kachold wrote:
> He's going to be stuck between usability and security with a two tiered 
> approach?  Plus we have not even started to dissect the web SSL/Apache 
> exploits (which is another HUGE subject)!
Very true, but I'd almost rather have a second layer of auth than to 
allow an entire class B to connect.
>
> I am waiting for end to end Cell BlackBerry Encryption (outside of 
> Enterprise Servers) and VPN applications for phones!
My co-worker has an Apple iPhone and they have a Cisco VPN client for it 
which seems to work nicely. I assumed they had something similar for the 
BlackBerry.
> His solution is going to be either their Unlimited Data Pack upgrade 
> [$49.99] with a static IP, or deploy "calculated risk" in leaving open 
> SSH to the WHOLE SWIP assigned ARIN AT&T block on his server to access 
> port 22 via the phone.
Agreed. The risky part can be made less risky by using your previous 
suggestions of running on non-standard port, using one of the various 
anti-brute-force packages, and putting some human eyeballs on the 
logfiles now and then.

> Server settings per security recommendations: (/etc/ssh/sshd_config):
>
> 1) Use Protocol 2
> 2) Disallow root access [Fools Rush in!]
> 3) Setup Keys
> 4) Really complex password [8 characters or greater]
> 5) Password Aging (bi-monthly)
> 6) Wrap SSH with SSHIT or SSHUTOUT [http://anp.ath.cx/sshit/]
> 7) Deploy the two line IPTABLES SSH overflow protection AND control 
> SSH port source and destination if possible (full SWIP'd IP Class A 
> for AT&T) 
> [http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/]
> 8) Run tripwire and rootkit comparison tools from /etc/cron.monthly.
Ah there we go. I should have read further before I made the comment 
above :-)
> Of course, he could run SSH on another port JUST for his phone [while 
> doing all of the above] (depending on which application he is using on 
> the phone) - some don't allow unique ports other than 22 (and he would 
> have to use SSHUTOUT [since it's one of the few that allow unique 
> custom ports]).
I knew someone once who had a crazy setup where ssh was only unblocked 
during certain times of the day, and running on a different port each 
time, that he had some mental algorithm to keep track of. So to try and 
hack his ssh you would have to find the right port at the right time, 
and the window was only open for a variable X minutes, haha.  Not very 
useful (what if you need to fix a problem NOW) but was kind of neat just 
by how overly-complicated it was. He also did odd things like modify his 
TCP/IP stack so that nmap fingerprinting would report his machine was an 
SGI IRIX box, so hackers tried all the wrong exploits, haha.
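As an added example (not part of this thread, and not a tool either poster mentions), the script below audits an sshd_config file against items 1 to 3 of the list quoted above (Protocol 2, no root login, keys usable) plus the non-standard-port suggestion from the reply. It honours the sshd rule that the first uncommented occurrence of a keyword wins, and treats an unset PermitRootLogin as a failure because sshd's default is yes. The function names and the two sample configs it writes are constructed for this example; items 6 to 8 (SSHIT/SSHUTOUT, the iptables rules, tripwire) are external tools and are not checked here.

```shell
#!/bin/sh
# Added example, not part of the thread: audit an sshd_config against items
# 1-3 of the list above (Protocol 2, no root login, key auth) plus the
# non-standard-port suggestion. Function names and the sample configs are
# constructed for this example.

# Print the effective value of one sshd_config keyword, lower-cased.
# sshd honours the FIRST uncommented occurrence of a keyword, so we stop
# there; "#Port 22" never matches because its first field is "#Port".
sshd_setting() {
    # $1 = config file, $2 = keyword (case-insensitive, as in sshd)
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1" |
        tr '[:upper:]' '[:lower:]'
}

# Run the checks. Findings go to stderr, the number of failed checks to
# stdout; exit status is 0 only when everything passed.
audit_sshd_config() {
    cfg="$1"
    fails=0

    proto=$(sshd_setting "$cfg" Protocol)
    if [ "$proto" = "2" ]; then
        echo "PASS: Protocol 2" >&2
    else
        # Unset is flagged: releases of that era defaulted to "2,1".
        echo "FAIL: Protocol is '${proto:-unset}', want exactly 2 (item 1)" >&2
        fails=$((fails + 1))
    fi

    root=$(sshd_setting "$cfg" PermitRootLogin)
    if [ "$root" = "no" ]; then
        echo "PASS: PermitRootLogin no" >&2
    else
        # Unset defaults to yes in sshd, so absence is a failure.
        echo "FAIL: PermitRootLogin is '${root:-unset}', want no (item 2)" >&2
        fails=$((fails + 1))
    fi

    pubkey=$(sshd_setting "$cfg" PubkeyAuthentication)
    if [ "${pubkey:-yes}" != "no" ]; then
        echo "PASS: public-key authentication enabled" >&2
    else
        echo "FAIL: PubkeyAuthentication no; keys cannot be used (item 3)" >&2
        fails=$((fails + 1))
    fi

    port=$(sshd_setting "$cfg" Port)
    if [ -n "$port" ] && [ "$port" != "22" ]; then
        echo "PASS: non-standard port $port" >&2
    else
        echo "FAIL: sshd listens on port ${port:-22 (default)}" >&2
        fails=$((fails + 1))
    fi

    echo "$fails"
    [ "$fails" -eq 0 ]
}

# Write a constructed sample config ("weak" or "hardened") and print its path.
make_sample_config() {
    f=$(mktemp)
    if [ "$1" = "hardened" ]; then
        cat >"$f" <<'EOF'
# constructed sample: settings from the list applied
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
EOF
    else
        cat >"$f" <<'EOF'
# constructed sample: commented-out stock defaults, keys switched off
#Port 22
#Protocol 2,1
#PermitRootLogin yes
PubkeyAuthentication no
EOF
    fi
    echo "$f"
}

# Demo on the two samples; on a real host: audit_sshd_config /etc/ssh/sshd_config
for kind in weak hardened; do
    f=$(make_sample_config "$kind")
    echo "== $kind sample:"
    audit_sshd_config "$f" 2>&1 | sed 's/^/   /'
    rm -f "$f"
done
```

Run it as root against /etc/ssh/sshd_config and act on any FAIL line before opening port 22 (or the alternate port) to the carrier's address block; the count on stdout makes it easy to wire into the monthly cron job alongside the tripwire run.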