Lisa Kachold wrote:
> He's going to be stuck between usability and security with a two tiered
> approach? Plus we have not even started to dissect the web SSL/Apache
> exploits (which is another HUGE subject)!
Very true, but I'd almost rather have a second layer of auth than to
allow an entire class B to connect.
>
> I am waiting for end to end Cell BlackBerry Encryption (outside of
> Enterprise Servers) and VPN applications for phones!
My co-worker has an Apple iPhone and they have a Cisco VPN client for it
which seems to work nicely. I assumed they had something similar for the
BlackBerry.
> His solution is going to be either their Unlimited Data Pack upgrade
> [$49.99] with a static IP, or deploy "calculated risk" in leaving open
> SSH to the WHOLE SWIP assigned ARIN AT&T block on his server to access
> port 22 via the phone.
Agreed. The risky part can be made less risky by using your previous
suggestions of running on non-standard port, using one of the various
anti-brute-force packages, and putting some human eyeballs on the
logfiles now and then.
> Server settings per security recommendations: (/etc/ssh/sshd_config):
>
> 1) Use Protocol 2
> 2) Disallow root access [Fools Rush in!]
> 3) Setup Keys
> 4) Really complex password [8 characters or greater]
> 5) Password Aging (bi-monthly)
> 6) Wrap SSH with SSHIT or SSHUTOUT [http://anp.ath.cx/sshit/]
> 7) Deploy the two line IPTABLES SSH overflow protection AND control
> SSH port source and destination if possible (full SWIP'd IP Class A
> for AT&T)
> [http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/]
> 8) Run tripwire and rootkit comparison tools from /etc/cron.monthly.
Ah there we go. I should have read further before I made the comment
above :-)
> Of course, he could run SSH on another port JUST for his phone [while
> doing all of the above] (depending on which application he is using on
> the phone) - some don't allow unique ports other than 22 (and he would
> have to use SSHUTOUT [since it's one of the few that allow unique
> custom ports]).
I knew someone once who had a crazy setup where ssh was only unblocked
during certain times of the day, and running on a different port each
time, that he had some mental algorithm to keep track of. So to try and
hack his ssh you would have to find the right port at the right time,
and the window was only open for a variable X minutes, haha. Not very
useful (what if you need to fix a problem NOW) but was kind of neat just
by how overly-complicated it was. He also did odd things like modify his
TCP/IP stack so that nmap fingerprinting would report his machine was an
SGI IRIX box, so hackers tried all the wrong exploits, haha.
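The sshd_config checklist quoted above, turned into a small audit script plus the firewall rules it refers to. This is an added example, not code from the thread or from either poster. It assumes OpenSSH's keyword semantics (the first uncommented occurrence of a keyword wins), treats an absent PermitRootLogin as the older "yes" default, and uses port 2222 and 192.0.2.0/24 as placeholders for the chosen non-standard port and the carrier's SWIP'd block; the sample config files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# quoted checklist and print the matching iptables rate-limit rules.

# Effective value of a keyword in an sshd_config: comment and blank lines
# are skipped, the keyword is matched case-insensitively, and the FIRST
# uncommented occurrence wins (that is how sshd itself reads the file).
# Prints nothing if the keyword is not set.
sshd_value() {   # $1 = config file, $2 = keyword
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) && !found { val = $2; found = 1 }
        END { print val }
    ' "$1"
}

# Print one finding per line; the exit status is the number of findings,
# so 0 means the file passes every check.
audit_sshd_config() {   # $1 = config file
    cfg=$1
    n=0
    proto=$(sshd_value "$cfg" Protocol)
    root=$(sshd_value "$cfg" PermitRootLogin)
    port=$(sshd_value "$cfg" Port)
    pubkey=$(sshd_value "$cfg" PubkeyAuthentication)
    empty=$(sshd_value "$cfg" PermitEmptyPasswords)

    # 1) Protocol 2 only ("2,1" still allows the weak SSH-1 protocol)
    [ "$proto" = 2 ] || { echo "Protocol: '${proto:-unset}' (want exactly 2)"; n=$((n+1)); }
    # 2) no root logins (absent keyword assumed to mean the old default, yes)
    [ "$root" = no ] || { echo "PermitRootLogin: '${root:-unset}' (want no)"; n=$((n+1)); }
    # 3) keys: pubkey auth must stay enabled (sshd default is yes)
    [ "${pubkey:-yes}" = yes ] || { echo "PubkeyAuthentication: '$pubkey' (want yes)"; n=$((n+1)); }
    # 4) never accept empty passwords (sshd default is no)
    [ "${empty:-no}" = no ] || { echo "PermitEmptyPasswords: '$empty' (want no)"; n=$((n+1)); }
    # non-standard port, as suggested in the thread (default is 22)
    [ "${port:-22}" != 22 ] || { echo "Port: 22 (consider a non-standard port)"; n=$((n+1)); }
    return $n
}

# Print (do not apply) the two-line "recent" module brute-force limit
# referenced in the thread, then restrict the port to one source block.
# Four new connections from one address within 60 seconds get dropped.
ssh_firewall_rules() {   # $1 = ssh port, $2 = allowed source CIDR
    cat <<EOF
iptables -A INPUT -p tcp --dport $1 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport $1 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP
iptables -A INPUT -p tcp --dport $1 -s $2 -j ACCEPT
iptables -A INPUT -p tcp --dport $1 -j DROP
EOF
}

# Constructed sample configs for trying the audit: "weak" resembles a stock
# file with the risky settings, "hardened" follows the checklist.
write_sample_config() {   # $1 = destination path, $2 = weak | hardened
    if [ "$2" = weak ]; then
        cat >"$1" <<'EOF'
# constructed sample: stock-looking sshd_config
#Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF
    else
        cat >"$1" <<'EOF'
# constructed sample: hardened per the checklist
Port 2222
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
    fi
}

# Usage:
#   write_sample_config /tmp/sshd_weak weak
#   audit_sshd_config /tmp/sshd_weak          # prints four findings, exits 4
#   audit_sshd_config /etc/ssh/sshd_config    # audit the real file
#   ssh_firewall_rules 2222 192.0.2.0/24      # review, then paste into a script
```

The audit deliberately mirrors sshd's first-occurrence rule, so a hardened line appended to the end of a file that still has `PermitRootLogin yes` near the top is reported as a finding rather than hidden. The rule generator only prints; review the output and the source block before applying it, since a wrong CIDR locks out the phone as well as everyone else.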
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss