02-03-2008, 12:42 AM
Grant

{OT} CUPS alternative?

> > port-knocking is the biggest load of fud (Microsoft products apart) I
> > have heard about in ages. The term snake-oil comes to mind, as
> > does "security by obscurity and obfuscation" which we all know is no
> > security at all.
>
> Uhm. Security by obscurity is not good because it hides something *that
> is known for sure to be there*. Port knocking, on the other hand, makes
> a computer appear as if nothing is there. No open ports.
> A computer with all ports closed which uses portknocking and a computer
> with just all ports closed cannot be told apart from remote, either by
> portscanning or whatever means. What the attacker sees is just "no open
> ports". It could, of course, imagine that port knocking might be in use,
> but even in that case, he would have to discover the knock sequence.
> With a knock sequence long enough (say, 8 ports), the likeliness of such
> a discovery is really low (1/65535^8 in this case). And, even if he
> succeeds, he just opens a port (as if there was no portknocking), and
> still has to violate whatever security measure is in place for the
> service (eg, ssh authentication).
>
> > I don't care if the originating process knocks on the well known port
> > with gold plated gloves hand braided from the finest Unobtainium by
> > seductive alluring Puerto Rican virgins, the receiving machine still
> > has to open another port shortly thereafter. This is not a magic port
> > and is not wrapped in Star Trek's finest stealth cloak, it's a port
> > that does TCP/IP stuff.
> >
> > If the end process listening on the newly opened port is in any way
> > weak - and this is the only possible reason anyone would ever try the
> > port knocking workaround - it's just as weak when it's listening on an
> > obfuscated port number.
>
> This is not true, for at least two reasons:
>
> - the port stays open only for the duration of the connection, not all
> the time;
>
> - at least with some implementations, the port is opened *only to the IP
> address of the user who did the knock*, not to the whole world.
>
> > If it's open, I can find it. If it's weak, I can get in. Then it's game
> > over, go home, I win.
>
> See above.
>
> > I've yet to hear positive things about port knocking from someone who
> > actually implemented it fully. In truth it's just a major pain in the
> > arse that makes the admin's life miserable and gives the boss a warm
> > fuzzy feeling based on hot air.
>
> I don't know about large setups, where it might be very possible that
> port knocking becomes a major PITA as you say. But I have set up and used
> port knocking for remote ssh access lots of times in the past, and never
> had a problem. This is just my little experience, of course.

OK, port knocking is going back on the todo list.

- Grant
--
gentoo-user@lists.gentoo.org mailing list
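The two properties the quoted reply leans on (the port is opened only to the knocking IP, and only briefly) are easiest to see as the state machine a knock daemon runs over firewall log lines. This is an added illustration, not code from the thread or from any knock daemon; the three-port sequence, the 10-second window, the 30-second grant and the log format are all assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed knock policy: these ports in this order, all within KNOCK_WINDOW;
# a successful knock opens the service for OPEN_FOR to that source only.
KNOCK_SEQUENCE = (7000, 8000, 9000)
KNOCK_WINDOW = timedelta(seconds=10)
OPEN_FOR = timedelta(seconds=30)

# Constructed log format: ISO timestamp, host, iptables-style LOG fields.
LINE_RE = re.compile(r"^(\S+) \S+ kernel: KNOCK: .*\bSRC=(\S+) .*\bDPT=(\d+)\b")

def parse_knock(line):
    """Return (timestamp, source ip, destination port), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def process(lines):
    """Replay log lines; return grants as (src, open_from, open_until)."""
    progress = {}  # src -> (index of next expected port, time of first knock)
    grants = []
    for line in lines:
        rec = parse_knock(line)
        if rec is None:
            continue
        ts, src, dport = rec
        idx, started = progress.get(src, (0, ts))
        if idx and ts - started > KNOCK_WINDOW:
            idx, started = 0, ts  # sequence took too long: start over
        if dport != KNOCK_SEQUENCE[idx]:
            progress.pop(src, None)  # wrong port (e.g. a sequential scan) resets
            continue
        if idx + 1 < len(KNOCK_SEQUENCE):
            progress[src] = (idx + 1, started)
        else:
            grants.append((src, ts, ts + OPEN_FOR))  # this source only, briefly
            progress.pop(src, None)
    return grants

def is_allowed(grants, src, when_iso):
    """Would a new connection from src at this time be let through?"""
    when = datetime.fromisoformat(when_iso)
    return any(src == g and start <= when <= end for g, start, end in grants)

# Constructed sample: 203.0.113.5 knocks correctly, 198.51.100.77 scans ports
# sequentially, 192.0.2.200 knocks the right ports but too slowly.
SAMPLE_LOG = """\
2008-02-03T00:40:01 gw kernel: KNOCK: IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=7000 SYN
2008-02-03T00:40:02 gw kernel: KNOCK: IN=ppp0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=7000 SYN
2008-02-03T00:40:02 gw kernel: KNOCK: IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=8000 SYN
2008-02-03T00:40:03 gw kernel: KNOCK: IN=ppp0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7001 SYN
2008-02-03T00:40:03 gw kernel: KNOCK: IN=ppp0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=9000 SYN
2008-02-03T00:41:00 gw kernel: KNOCK: IN=ppp0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=6000 DPT=7000 SYN
2008-02-03T00:41:01 gw kernel: KNOCK: IN=ppp0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=6001 DPT=8000 SYN
2008-02-03T00:42:30 gw kernel: KNOCK: IN=ppp0 SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=6002 DPT=9000 SYN
"""

if __name__ == "__main__":
    for src, start, end in process(SAMPLE_LOG.splitlines()):
        print(f"{src} may connect from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

Only the correct knocker gets a grant, and only for the 30-second window; a real daemon would hand that grant to the firewall as a source-restricted accept rule and let connection tracking keep an established session alive after the rule is withdrawn.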
 
02-03-2008, 02:19 AM
Jerry McBride

{OT} CUPS alternative?

On Saturday 02 February 2008 08:42:25 pm Grant wrote:
> > > port-knocking is the biggest load of fud (Microsoft products apart) I
> > > have heard about in ages. The term snake-oil comes to mind, as
> > > does "security by obscurity and obfuscation" which we all know is no
> > > security at all.
> >
> > Uhm. Security by obscurity is not good because it hides something *that
> > is known for sure to be there*. Port knocking, on the other hand, makes
> > a computer appear as if nothing is there. No open ports.
> > A computer with all ports closed which uses portknocking and a computer
> > with just all ports closed cannot be told apart from remote, either by
> > portscanning or whatever means. What the attacker sees is just "no open
> > ports". It could, of course, imagine that port knocking might be in use,
> > but even in that case, he would have to discover the knock sequence.
> > With a knock sequence long enough (say, 8 ports), the likeliness of such
> > a discovery is really low (1/65535^8 in this case). And, even if he
> > succeeds, he just opens a port (as if there was no portknocking), and
> > still has to violate whatever security measure is in place for the
> > service (eg, ssh authentication).
> >
> > > I don't care if the originating process knocks on the well known port
> > > with gold plated gloves hand braided from the finest Unobtainium by
> > > seductive alluring Puerto Rican virgins, the receiving machine still
> > > has to open another port shortly thereafter. This is not a magic port
> > > and is not wrapped in Star Trek's finest stealth cloak, it's a port
> > > that does TCP/IP stuff.
> > >
> > > If the end process listening on the newly opened port is in any way
> > > weak - and this is the only possible reason anyone would ever try the
> > > port knocking workaround - it's just as weak when it's listening on an
> > > obfuscated port number.
> >
> > This is not true, for at least two reasons:
> >
> > - the port stays open only for the duration of the connection, not all
> > the time;
> >
> > - at least with some implementations, the port is opened *only to the IP
> > address of the user who did the knock*, not to the whole world.
> >
> > > If it's open, I can find it. If it's weak, I can get in. Then it's game
> > > over, go home, I win.
> >
> > See above.
> >
> > > I've yet to hear positive things about port knocking from someone who
> > > actually implemented it fully. In truth it's just a major pain in the
> > > arse that makes the admin's life miserable and gives the boss a warm
> > > fuzzy feeling based on hot air.
> >
> > I don't know about large setups, where it might be very possible that
> > port knocking becomes a major PITA as you say. But I have set up and used
> > port knocking for remote ssh access lots of times in the past, and never
> > had a problem. This is just my little experience, of course.
>
> OK, port knocking is going back on the todo list.
>
> - Grant

Wow... that was easy...

:')

--
From the Desk of: Jerome D. McBride
--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 10:39 AM
Etaoin Shrdlu

{OT} CUPS alternative?

On Sunday 3 February 2008, Grant wrote:

> OK, port knocking is going back on the todo list.

Note that I'm not claiming that portknocking is the solution to every
security problem. Only that it has its uses in certain scenarios.
A drawback of portknocking is that it requires modified clients
(==knock-aware) for the services, so I think it's not suitable for your
remote printing case.
It can, however, be useful in other situations.
--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 02:15 PM
Dan Farrell

{OT} CUPS alternative?

On Sat, 2 Feb 2008 10:27:24 -0800
Grant <emailgrant@gmail.com> wrote:

> Well thank you for that. I had planned on setting up port knocking
> for ssh and cups but I guess I'm just as well off leaving them
> listening on 22 and 631?

Fail2Ban, though a little intensive, seems to be a decent method for
avoiding unwanted SSH traffic while accepting trusted traffic. I have
seen one deployment where it seems passably inconspicuous, at least.

Alternately, if you run SSH on an unusual port, you're unlikely to see
much Bot traffic. I would recommend this, if you're concerned, above
port knocking myself -- relying on a complicated "pre-authentication"
method rather than / in addition to a remote admin tool like SSH seems
to be asking for problems.

> As for printing from lpr to cups across the internet, I should be
> encrypting that data shouldn't I? Nothing too sensitive but it sounds
> like a good thing to do. It looks like cups can use ssl but I don't
> see any mention of it in man lpr.

SSH Tunneling and VPN come to mind too, but I must ask - what good is
printing a physical document across the net, unless the printer is
still only a little way away, and if so, what is it doing behind a
public network? I am curious about this deployment.

> - Grant
--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 02:27 PM
Grant

{OT} CUPS alternative?

> > Well thank you for that. I had planned on setting up port knocking
> > for ssh and cups but I guess I'm just as well off leaving them
> > listening on 22 and 631?
>
> Fail2Ban, though a little intensive, seems to be a decent method for
> avoiding unwanted SSH traffic while accepting trusted traffic. I have
> seen one deployment where it seems passably inconspicuous, at least.
>
> Alternately, if you run SSH on an unusual port, you're unlikely to see
> much Bot traffic. I would recommend this, if you're concerned, above
> port knocking myself -- relying on a complicated "pre-authentication"
> method rather than / in addition to a remote admin tool like SSH seems
> to be asking for problems.

Do you mean problems in the form of hassles? So you're saying ssh
running on an unusual port is good enough?

> > As for printing from lpr to cups across the internet, I should be
> > encrypting that data shouldn't I? Nothing too sensitive but it sounds
> > like a good thing to do. It looks like cups can use ssl but I don't
> > see any mention of it in man lpr.
>
> SSH Tunneling and VPN come to mind too, but I must ask - what good is
> printing a physical document across the net, unless the printer is
> still only a little way away, and if so, what is it doing behind a
> public network? I am curious about this deployment.

I'd be happy to tell you more but I'm not sure what you mean. "Still
only a little way away"?

- Grant
--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 02:41 PM
Dan Farrell

{OT} CUPS alternative?

On Sun, 3 Feb 2008 07:27:12 -0800
Grant <emailgrant@gmail.com> wrote:

> > > Well thank you for that. I had planned on setting up port
> > > knocking for ssh and cups but I guess I'm just as well off
> > > leaving them listening on 22 and 631?
> >
> > Fail2Ban, though a little intensive, seems to be a decent method for
> > avoiding unwanted SSH traffic while accepting trusted traffic. I
> > have seen one deployment where it seems passably inconspicuous, at
> > least.
> >
> > Alternately, if you run SSH on an unusual port, you're unlikely to
> > see much Bot traffic. I would recommend this, if you're concerned,
> > above port knocking myself -- relying on a complicated
> > "pre-authentication" method rather than / in addition to a remote
> > admin tool like SSH seems to be asking for problems.
>
> Do you mean problems in the form of hassles?

Yeah, hassles and potential misconfiguration, because if anything goes
wrong (rookie admin messes up knocking, for instance, on the
server/firewall) you can't log in from home and fix it, you have to
drive all the way out there to get in from the other side.

Port knocking seems like a decent security method to me, especially if
it was running on the firewall and opened ports only to the knocking IP
-- in that case, it certainly wouldn't be obvious to any other computer
that the port had been opened.

However, I tend to think it is more trouble than it's worth, and has a
tendency to make people think that they can be lazy about security
because 'intruders would have to port knock anyway'. I tend to prefer
strong firewalls, strong passwords, and, potentially, RSA certs or
something to _really_ make sure.

> So you're saying ssh
> running on an unusual port is good enough?

I'm no expert, but from my logs: SSH attempts (from bots in Shanghai
and the like) on port 22 number in the thousands, unexpected SSH
attempts on the nonstandard ports I run SSH on (actually it's
firewall-level port forwarding) have not yet been logged.

It's kind of an "obscuring for security" argument, but I think it's a
good balance between goofy port knocking setups and just running plain
old SSH on 22.

Of course, nothing is a replacement for strong password enforcement,
and if the systems are important, I would probably require certificates
as well.

And again, I stress that I'm no expert. I have been using nonstandard
ports and the Bots seem none the wiser, but I can still log in on those
ports from any computer without having to acquire and configure port
knocking clients.

> > > As for printing from lpr to cups across the internet, I should be
> > > encrypting that data shouldn't I? Nothing too sensitive but it
> > > sounds like a good thing to do. It looks like cups can use ssl
> > > but I don't see any mention of it in man lpr.
> >
> > SSH Tunneling and VPN come to mind too, but I must ask - what good
> > is printing a physical document across the net, unless the printer
> > is still only a little way away, and if so, what is it doing behind
> > a public network? I am curious about this deployment.
>
> I'd be happy to tell you more but I'm not sure what you mean. "Still
> only a little way away"?
>

Thinking of all the times I printed something, I can't think of many
situations when I didn't have to walk over to the printer after
printing, grab the printout, and carry it to the intended destination.

I can imagine situations where you'd want to print invoices and the
like at front offices or even remote storefronts and locations, but
wouldn't you want a VPN up between your remote offices anyway?

--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 03:06 PM
kashani

{OT} CUPS alternative?

Grant wrote:
> > I don't know about large setups, where it might be very possible that
> > port knocking becomes a major PITA as you say. But I have set up and used
> > port knocking for remote ssh access lots of times in the past, and never
> > had a problem. This is just my little experience, of course.
>
> OK, port knocking is going back on the todo list.

I don't feel as strongly as Alan, but I've never been overly impressed
with the idea of port knocking. Mostly because any monitoring of
services would be a total nightmare. And troubleshooting it would suck.
Is the service down? Is it the knock? and so on.

What I do like is openvpn. Script kiddies don't look for it and I
prefer to have full access to my home boxes rather than having to mess
with port forwarding. As far as complexity goes it's easy to set up in an
afternoon and there are clients for Windows, OSX, Linux, BSD, etc.

kashani
--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 03:09 PM
Grant

{OT} CUPS alternative?

> > > > Well thank you for that. I had planned on setting up port
> > > > knocking for ssh and cups but I guess I'm just as well off
> > > > leaving them listening on 22 and 631?
> > >
> > > Fail2Ban, though a little intensive, seems to be a decent method for
> > > avoiding unwanted SSH traffic while accepting trusted traffic. I
> > > have seen one deployment where it seems passably inconspicuous, at
> > > least.
> > >
> > > Alternately, if you run SSH on an unusual port, you're unlikely to
> > > see much Bot traffic. I would recommend this, if you're concerned,
> > > above port knocking myself -- relying on a complicated
> > > "pre-authentication" method rather than / in addition to a remote
> > > admin tool like SSH seems to be asking for problems.
> >
> > Do you mean problems in the form of hassles?
>
> Yeah, hassles and potential misconfiguration, because if anything goes
> wrong (rookie admin messes up knocking, for instance, on the
> server/firewall) you can't log in from home and fix it, you have to
> drive all the way out there to get in from the other side.
>
> Port knocking seems like a decent security method to me, especially if
> it was running on the firewall and opened ports only to the knocking IP
> -- in that case, it certainly wouldn't be obvious to any other computer
> that the port had been opened.
>
> However, I tend to think it is more trouble than it's worth, and has a
> tendency to make people think that they can be lazy about security
> because 'intruders would have to port knock anyway'. I tend to prefer
> strong firewalls, strong passwords, and, potentially, RSA certs or
> something to _really_ make sure.
>
> > So you're saying ssh
> > running on an unusual port is good enough?
>
> I'm no expert, but from my logs: SSH attempts (from bots in Shanghai
> and the like) on port 22 number in the thousands, unexpected SSH
> attempts on the nonstandard ports I run SSH on (actually it's
> firewall-level port forwarding) have not yet been logged.
>
> It's kind of an "obscuring for security" argument, but I think it's a
> good balance between goofy port knocking setups and just running plain
> old SSH on 22.
>
> Of course, nothing is a replacement for strong password enforcement,
> and if the systems are important, I would probably require certificates
> as well.
>
> And again, I stress that I'm no expert. I have been using nonstandard
> ports and the Bots seem none the wiser, but I can still log in on those
> ports from any computer without having to acquire and configure port
> knocking clients.

Sounds like I should forget port knocking and set up RSA certificates.

> > > > As for printing from lpr to cups across the internet, I should be
> > > > encrypting that data shouldn't I? Nothing too sensitive but it
> > > > sounds like a good thing to do. It looks like cups can use ssl
> > > > but I don't see any mention of it in man lpr.
> > >
> > > SSH Tunneling and VPN come to mind too, but I must ask - what good
> > > is printing a physical document across the net, unless the printer
> > > is still only a little way away, and if so, what is it doing behind
> > > a public network? I am curious about this deployment.
> >
> > I'd be happy to tell you more but I'm not sure what you mean. "Still
> > only a little way away"?
> >
>
> Thinking of all the times I printed something, I can't think of many
> situations when I didn't have to walk over to the printer after
> printing, grab the printout, and carry it to the intended destination.
>
> I can imagine situations where you'd want to print invoices and the
> like at front offices or even remote storefronts and locations, but
> wouldn't you want a VPN up between your remote offices anyway?

That's more or less what I'm trying to do. Is setting up a VPN
between my remote server and local network overkill? I think the only
thing I'd use it for is to hide the sending of these printouts.

- Grant
--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 03:18 PM
Dan Farrell

{OT} CUPS alternative?

> That's more or less what I'm trying to do. Is setting up a VPN
> between my remote server and local network overkill? I think the only
> thing I'd use it for is to hide the sending of these printouts.

I would speculate that a VPN for one service might be overkill, if that
service is easy to secure. It is also a transparent mechanism for
encryption over the net that would work with other services too (email,
http, and the like).

If you are likely to set up these services, you might consider a VPN to
make your life easier in the long run. But if printing is the only
thing you need to do, you might want to avoid the configuration of a
VPN and just set up SSL.

Encrypting your print data, in my opinion, is a very good idea.
--
gentoo-user@lists.gentoo.org mailing list
 
02-03-2008, 03:20 PM
Dan Farrell

{OT} CUPS alternative?

On Sun, 03 Feb 2008 08:06:47 -0800
kashani <kashani-list@badapple.net> wrote:

> Grant wrote:
> >> I don't know about large setups, where it might be very possible
> >> that port knocking becomes a major PITA as you say. But I have
> >> set up and used port knocking for remote ssh access lots of times in
> >> the past, and never had a problem. This is just my little
> >> experience, of course.
> >
> > OK, port knocking is going back on the todo list.
>
> I don't feel as strongly as Alan, but I've never been overly
> impressed with the idea of port knocking. Mostly because any
> monitoring of services would be a total nightmare. And
> troubleshooting it would suck. Is the service down? Is it the knock?
> and so on.
>
> What I do like is openvpn. Script kiddies don't look for it
> and I prefer to have full access to my home boxes rather than having
> to mess with port forwarding. As far as complexity goes it's easy to
> set up in an afternoon and there are clients for Windows, OSX, Linux,
> BSD, etc.
> kashani

Another openVPN vote from me. Makes deployment across geographically
distinct networks much easier, and good security too.
--
gentoo-user@lists.gentoo.org mailing list
 