RE: OT: Free OpenSource JAD/J2EE WAP SSH Client for Phones

Author: Lisa Kachold
Date:  
To: plug-discuss
Subject: RE: OT: Free OpenSource JAD/J2EE WAP SSH Client for Phones

He's going to be stuck between usability and security with a two tiered approach? Plus we have not even started to dissect the web SSL/Apache exploits (which is another HUGE subject)!

I am waiting for end to end Cell BlackBerry Encryption (outside of Enterprise Servers) and VPN applications for phones!

His solution is going to be either their Unlimited Data Pack upgrade [$49.99] with a static IP, or deploy "calculated risk" in leaving open SSH to the WHOLE SWIP assigned ARIN AT&T block on his server to access port 22 via the phone.

Server settings per security recommendations: (/etc/ssh/sshd_config):

1) Use Protocol 2
2) Disallow root access [Fools Rush in!]
3) Setup Keys
4) Really complex password [8 characters or greater]
5) Password Aging (bi-monthly)
6) Wrap SSH with SSHIT or SSHUTOUT [http://anp.ath.cx/sshit/]
7) Deploy the two line IPTABLES SSH overflow protection AND control SSH port source and destination if possible (full SWIP'd IP Class A for AT&T) [http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/]
8) Run tripwire and rootkit comparison tools from /etc/cron.monthly.

Of course, he could run SSH on another port JUST for his phone [while doing all of the above] (depending on which application he is using on the phone) - some don't allow unique ports other than 22 (and he would have to use SSHUTOUT [since it's one of the few that allow unique custom ports]).

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis |
http://www.urbandictionary.com/define.php?term=obnosis (503)754-4452
Catch the January PLUG HackFest! Kristy Westphal, CSO for the Arizona Department of Economic Security, will provide a one hour presentation on forensics.

> Date: Tue, 25 Nov 2008 17:13:28 -0700
> From:
> To:
> Subject: Re: OT: Free OpenSource JAD/J2EE WAP SSH Client for Phones
>
> James Finstrom wrote:
> > On the original note, locking down to white listed IP addresses... I
> > have a blackberry through AT&T over their EDGE network and not through
> > BES. I get a new IP every connection. I thought a compromise between
> > "wide-open come have your way with me" and "no soup for you" would be
> > to allow a subnet. Well come to find out the ip addresses vary all
> > the way up to class B subnets. I am stuck at "no soup for you" at this
> > point. Does anyone have the AT&T EDGE subnet list :)
>
> What if you made a simple (SSL) web app, that you login with a username
> and password, and it then updates your access list IP :-) Sort of like
> smtp-after-pop auth heh.
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


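The sshd_config checklist (items 1-3) and the two-line iptables limiter (item 7) from the message above, as an added example that is not part of the original thread: a small POSIX shell audit that reads a config the way sshd does (first occurrence of a keyword wins) and reports which items fail. The sample config it audits is constructed for the demo; the `sshd_get`/`audit_sshd_config` names are mine, not a tool from the list.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSH's "Keyword value"
# sshd_config syntax; Match blocks are not interpreted.

# Effective value of a keyword: first uncommented match, case-insensitive,
# exactly as sshd resolves it. Prints nothing when the keyword is unset.
sshd_get() {  # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Compare one keyword with its expected (lowercase) value; bumps $fails.
sshd_check() {  # $1 = file, $2 = keyword, $3 = expected, $4 = reason
    got=$(sshd_get "$1" "$2")
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$3" ]; then
        echo "FAIL: $2 is '${got:-unset}', want '$3' ($4)"
        fails=$((fails + 1))
    fi
}

# Exit status = number of failed checklist items (0 means all pass).
audit_sshd_config() {
    fails=0
    sshd_check "$1" Protocol 2 "item 1: protocol 1 must not be offered"
    sshd_check "$1" PermitRootLogin no "item 2: no direct root logins"
    sshd_check "$1" PubkeyAuthentication yes "item 3: key-based auth"
    return "$fails"
}

# Item 7: the recent-module limiter (drops a source after 4 new SSH
# connections within 60 s), printed for review rather than applied.
ssh_ratelimit_rules() {
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH"
    echo "iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"
}

# Demo on a constructed config that still carries the weak defaults.
demo_cfg=$(mktemp)
printf '# constructed sample\nProtocol 2,1\nPermitRootLogin yes\n# PubkeyAuthentication yes\n' > "$demo_cfg"
if audit_sshd_config "$demo_cfg"; then echo "all checks pass"; else echo "failures: $?"; fi
rm -f "$demo_cfg"
```

Run it against /etc/ssh/sshd_config to get the list of failing items; the exit status is the failure count, which makes it easy to wire into a cron.monthly job alongside the tripwire run from item 8.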