On Tue, 13 Sep 2011 17:14:02 -0400, Jim Henderson wrote:
>> So how do you prevent somebody connecting to your server a thousand
>> times per second and feeding it duff credentials, thereby preventing
>> any legitimate users logging in, and wasting lots of CPU power?
>
> On my system, I use a tool called blockhosts. After 5 failed attempts,
> the portmapper won't allow them to connect to the service any more -
> which slows them down (because it doesn't send an ack) and allows legit
> users to login - even on the same port/service - and doesn't waste any
> CPU power at all.
Additionally, if I wanted to be more secure on my system, I could run sshd
on a non-standard port (or forward from a non-standard port in my
firewall). Then they have to find the service first, and most of the
scripts that do that won't bother, because there are easier targets.
Jim
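The "ban after five failed attempts" idea from Jim's reply, worked through as an added example (this is not blockhosts and not code from anyone in the thread). It parses constructed sshd-style auth log lines, counts failures per source address, resets the counter when that source authenticates successfully, and lists the sources that crossed the threshold so a firewall rule can be derived from them. The log lines, host name and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines (not captured from a real system).
SAMPLE_LOG = """\
Sep 13 17:10:01 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Sep 13 17:10:02 host sshd[102]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep 13 17:10:03 host sshd[103]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep 13 17:10:04 host sshd[104]: Accepted publickey for jim from 198.51.100.5 port 40000 ssh2
Sep 13 17:10:05 host sshd[105]: Failed password for root from 203.0.113.7 port 51003 ssh2
Sep 13 17:10:06 host sshd[106]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Sep 13 17:10:07 host sshd[107]: Failed password for jim from 198.51.100.5 port 40001 ssh2
Sep 13 17:10:08 host sshd[108]: Failed password for root from 203.0.113.7 port 51005 ssh2
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from " + IPV4 + r" port \d+")
ACCEPTED_RE = re.compile(r"Accepted \S+ for (\S+) from " + IPV4 + r" port \d+")


def scan_auth_log(lines, threshold=5):
    """Count failed logins per source address.

    Returns (blocked, failures): the list of sources that reached `threshold`
    failures, in the order they crossed it, and the per-source failure counts.
    A successful login from a source resets its counter, so a legitimate user
    who fat-fingers a password a couple of times is not locked out.
    """
    failures = defaultdict(int)
    blocked = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            ip = m.group(2)
            if ip in blocked:
                # Already over the limit; a real deployment would have dropped
                # this connection at the firewall before sshd saw it.
                continue
            failures[ip] += 1
            if failures[ip] >= threshold:
                blocked.append(ip)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            failures[m.group(2)] = 0
    return blocked, dict(failures)


def to_drop_rules(blocked, port=22):
    """Render the block list as the kind of firewall rule an admin would push
    (iptables syntax here; the exact tool is an assumption of the example)."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j DROP" for ip in blocked]


if __name__ == "__main__":
    blocked, failures = scan_auth_log(SAMPLE_LOG.splitlines())
    print("failures per source:", failures)
    for rule in to_drop_rules(blocked):
        print(rule)
```

Five failures from 203.0.113.7 put it on the block list and its sixth attempt is ignored, while 198.51.100.5 keeps a count of one because its earlier successful login reset the counter. Whether the block is enforced by dropping packets (as the reply describes) or by refusing the TCP handshake only changes how much work the server does per attempt; either way the attacker's later connections never reach the password check.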
On 9/13/2011 7:00 AM, Warp wrote:
> Invisible<voi### [at] dev null> wrote:
>> On 13/09/2011 11:40 AM, Warp wrote:
>>> Invisible<voi### [at] dev null> wrote:
>>>> I said that Windows allows it *by default*
>>>
>>> So how exactly would I transfer a file to you from my Windows?
>
>> You can't. My PC is firewalled.
>
>> You also can't transfer a file using Unix, for the same reason.
>
> Most firewalls have the ssh port open because it's considered safe.
> (And if it's not, it's easy to open in most distros).
>
> Then you can use scp, rsync or any equivalent tool to transfer files.
> (There probably isn't any linux distro that doesn't come by default with
> scp and rsync.)
>
> (Btw, the great thing about rsync is that it can resume interrupted file
> transfers, a rather important feature that, oddly, most file transfer tools
> completely lack.)
>
And even if you do have them.. Sometimes, at least in Windows, it
doesn't work. Remember a few years back. Bad connection (disconnects
after about 5-10 minutes), a tendency of files to almost complete, but
then not, and a 1GB download, which Sony decided should be on a
non-resumable server... WTF?
> On 13/09/2011 07:00 PM, Francois Labreque wrote:
>>>>> No, I mean there's a *hardware* firewall in the way. You know, with
>>>>> the
>>>>> big Cisco sticker on it and the 3-digit price tag? (Although obviously
>>>>> that's only because I'm at work right now. My house doesn't have
>>>>> one of
>>>>> those...)
>>>>
>>
>> You're off by two orders of magnitude. Most Cisco firewalls are in the 5
>> digit price tag.
>
> True. But not this particular one.
>
>
http://www.ebuyer.com/135532-cisco-asa-5505-firewall-edition-bundle-asa5505-50-bun-k9
>
OK. You got me. I usually don't deal with small-office/home-office gear.
>
> (Go on, hack me. You know you want to.)
>
>>>> And that hardware firewall is completely incapable of forwarding ssh
>>>> connections? Pretty useless, I'd say.
>>>
>>> No, I don't have the password to configure it.
>
> Still stands.
>
>>> (And besides, have *you*
>>> tried configuring Cisco stuff? It's not exactly intuitive. You probably
>>> need Certified Engineer status to figure it out.)
>>
>> You don't need to be a Cisco Certified Internetwork Expert to figure it
>> out. The Cisco manuals are usually pretty easy to follow, and freely
>> available on their web site.
>
> Really? That might be worth reading...
>
This is a good place to start:
For routers and switches:
http://www.cisco.com/en/US/docs/ios-xml/ios/fundamentals/command/cf-cr-book.html
Or "Support | IOS & NX OS | IOS 12.4 Mainline " from the home page.
Firewalls are a little different, but the syntax is still related.
Kinda like French and Italian.
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/conf_gd.html
Or "Support | Security | PIX firewall software | Configuration Guide |
Version 8.0" from the home page.
Note: Even though Cisco firewall appliances are now called ASAs, their
documentation still calls them PIXes all over the place.
>> And it is actually pretty intuitive...
>>
>> - Give each interface an ip address.
>> - Create your NAT tables.
>> - And off you go.
>
> From what I've seen, you telnet into the router, enter a password, and
> then enter lines of gibberish such as "enh eth gw all". You would
> *definitely* need a manual to figure out WTH that actually means, or
> what the name of the command you want is.
Two things:
First thing, typing ? at any point will list all the available commands
at that point.
Second thing, you don't have to enter gibberish. The commands are plain
English words. They can be abbreviated for speed, but
sh ip int fa0/0 bri
Is exactly the same as typing
show ip interface fastethernet0/0 brief
which would show you a brief summary of all the stats it keeps for the
IP protocol on interface fastethernet0/0. (protocol distribution, packet
counts, etc...)
>
>> The only difference between a Cisco firewall and a D-link or NetGear
>> home router, besides performance and scalability, is that you can (and
>> should!) override the basic "everything outbound is ok, nothing inbound
>> can come in" configuration.
>
> I'm still guessing that, between the configuration for routing to
> multiple LANs, multiple VPN endpoints, and remote access, adding a line
> that forwards SSH to a port on a desktop PC whose IP address is
> configured via DHCP is probably going to take some doing. (!)
Routing for the multiple LANs actually comes straight out of the box.
You configure an IP address on all the interfaces and it will know that
any packets it receives whose destination is on another lan interface,
it will forward it (let's disregard security rules, for the moment!).
Remote lans are handled the same way they would be on a Windows or Unix
machine. By either configuring a routing protocol, or by adding static
routes.
On Windows, you'd type:
route add 192.168.200.0 mask 255.255.255.0 192.168.1.1
On a router, you'd type:
ip route 192.168.200.0 255.255.255.0 192.168.1.1
On a firewall, you'd type:
ip route [interfacename] 192.168.200.0 255.255.255.0 192.168.1.1
You have to specify the interface name because, as opposed to a router,
the firewall will drop any packet that has to be routed back out the
same interface it came in.
VPN endpoints are not more complicated than on any other platform, but
that's a bit like saying that changing the transmission of a Formula One
is not more complicated than changing it on a Toyota... It may not be
for a complete noob.
Allowing inbound ssh connections will need that PC to have a static NAT
address, and therefore a static local IP address. Your Netgear or
Linksys home router can work around this because it also acts as the
DHCP server, so it knows to which MAC address to send the traffic, but in
an enterprise where the firewall is a separate piece of hardware, there
is simply no way to do this.
>
> And we still have the minor issue that I don't have the password. :-P
>
If you have physical access to the box, you can do a password recovery
and put a new password in, but since this would likely cost you your job
and may very well land you in jail, I do not recommend you try it at the
office....
> Actually, I have a NetGear router in my house. I used it to create a VPN
> between my house and my grandparents' house. It lets you do all sorts of
> port forwarding and stuff. The only trouble is... it's not reliable.
> Like, when certain datagrams pass through it, the firmware crashes, and
> you have to power-cycle it to get the Internet back. Eventually I was
> forced to take it out of the circuit, because it was pissing me off so
> much! (No, there isn't a firmware update available.)
>
> Given the price of the Cisco ASA, I'm almost tempted...
>
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
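An added example (not code from anyone in the thread) of what the static routes above actually do, and of the one behavioural difference the post calls out between a router and a firewall. It models a device with addressed interfaces, accepts the route in both the router syntax (`ip route NET MASK GW`) and the firewall syntax (`ip route IFACE NET MASK GW`), performs a longest-prefix lookup, and in firewall mode drops any packet that would be sent back out the interface it arrived on. The interface names and addresses (inside 192.168.1.2/24, outside 198.51.100.2/24) are constructed; the route 192.168.200.0/24 via 192.168.1.1 is the one from the post.

```python
import ipaddress


class Device:
    """Toy layer-3 forwarder. firewall_mode=True mimics the rule described in the
    post: a packet whose egress interface equals its ingress interface is dropped."""

    def __init__(self, firewall_mode=False):
        self.firewall_mode = firewall_mode
        self.routes = []  # (network, next_hop or None, egress interface)

    def add_interface(self, name, cidr):
        # Giving an interface an address installs a directly connected route,
        # which is why traffic between two local LANs works "out of the box".
        net = ipaddress.ip_interface(cidr).network
        self.routes.append((net, None, name))

    def add_static_route(self, dest, mask, next_hop, iface=None):
        net = ipaddress.ip_network(f"{dest}/{mask}")
        gw = ipaddress.ip_address(next_hop)
        if iface is None:
            # Router syntax names no interface: find it from the connected routes.
            for cnet, cgw, cname in self.routes:
                if cgw is None and gw in cnet:
                    iface = cname
                    break
            if iface is None:
                raise ValueError(f"next hop {gw} is not on a connected network")
        self.routes.append((net, gw, iface))

    def lookup(self, dst):
        """Longest-prefix match; returns (network, next_hop, iface) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, gw, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw, iface)
        return best

    def forward(self, ingress, dst):
        """Decide what happens to a packet that arrived on `ingress` bound for `dst`.
        Returns (action, egress_iface, via)."""
        best = self.lookup(dst)
        if best is None:
            return ("drop", None, "no route")
        _, gw, iface = best
        if self.firewall_mode and iface == ingress:
            return ("drop", iface, "hairpin: egress equals ingress interface")
        return ("forward", iface, str(gw) if gw is not None else "directly connected")


def parse_ip_route(line):
    """Parse 'ip route NET MASK GW' (router) or 'ip route IFACE NET MASK GW' (firewall).
    Returns (iface_or_None, dest, mask, gw)."""
    parts = line.split()
    if parts[:2] != ["ip", "route"]:
        raise ValueError(f"not an ip route command: {line!r}")
    args = parts[2:]
    if len(args) == 3:
        return (None, *args)
    if len(args) == 4:
        return tuple(args)
    raise ValueError(f"unexpected argument count: {line!r}")


def build_example(firewall_mode):
    """Constructed topology: two addressed interfaces plus the post's static route,
    entered in whichever syntax the device type uses."""
    dev = Device(firewall_mode)
    dev.add_interface("inside", "192.168.1.2/24")
    dev.add_interface("outside", "198.51.100.2/24")
    cmd = ("ip route inside 192.168.200.0 255.255.255.0 192.168.1.1" if firewall_mode
           else "ip route 192.168.200.0 255.255.255.0 192.168.1.1")
    iface, dest, mask, gw = parse_ip_route(cmd)
    dev.add_static_route(dest, mask, gw, iface)
    return dev


if __name__ == "__main__":
    for mode in (False, True):
        dev = build_example(firewall_mode=mode)
        print("firewall" if mode else "router", dev.forward("outside", "192.168.200.5"))
        print("firewall" if mode else "router", dev.forward("inside", "192.168.200.5"))
```

A packet from the outside for 192.168.200.5 is forwarded out "inside" toward 192.168.1.1 on both device types. The same destination arriving on "inside" is forwarded by the router but dropped by the firewall, because the only path back to 192.168.200.0/24 is the interface it came from; that is exactly why the firewall syntax makes you name the interface.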
> On 13/09/2011 07:17 PM, Francois Labreque wrote:
>>> Puzzling thing: There are many, many SSH clients for Windows. There are
>>> no SSH *servers*. And I have literally no idea why.
>>
>> Really?
>>
>> http://www.freesshd.com/?ctt=download
>>
>> Or maybe, running OpenSSH's sshd under Cygwin?
>> http://www.petri.co.il/setup-ssh-server-vista.htm
>>
>> Or buying one of the many commercial versions available?
>
> Let me rephrase: There are no SSH servers that are free software.
>
> (At least, 5 years ago I wasted weeks searching for one, and never found
> one.)
>
And how much does Cygwin or openssh's sshd cost?
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
On 2011-09-13 15:17, Orchid XP v8 wrote:
> On 13/09/2011 08:03 PM, Jim Henderson wrote:
>> On Tue, 13 Sep 2011 19:53:17 +0100, Orchid XP v8 wrote:
>>
>>> I still think the main problem is that to allow somebody to send you
>>> data, you have to figure out how to prevent anybody *else* sending you
>>> data.
>>
>> No, that's easy. It's called "authentication and authorisation".
>
> Ah, I see.
>
> So how do you prevent somebody connecting to your server a thousand
> times per second and feeding it duff credentials, thereby preventing any
> legitimate users logging in, and wasting lots of CPU power?
>
> See, security isn't so simple...
>
By having a real firewall (such as the aforementioned Cisco ASA)
configured to throttle individual connections. ;)
Now the /b/tard in question would have to use zombie PCs to do his DoS
against your machine.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
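The per-source connection throttle from this reply, as an added example (not code from the thread or from any Cisco product): a token bucket per source address, here with a sustained rate of 2 new connections per second and a burst of 5. It is run against constructed traffic in which one address opens a thousand connections in one second while a legitimate user connects three times in the same second. Times are integer milliseconds and tokens are kept in thousandths so the arithmetic is exact.

```python
from collections import defaultdict


class PerSourceThrottle:
    """Per-source token bucket. Each new connection costs one token; tokens
    refill at `rate_per_sec` up to `burst`. Stored in milli-tokens over
    millisecond timestamps so that 2 tokens/s is exactly 2 milli-tokens/ms."""

    def __init__(self, rate_per_sec, burst):
        self.refill_per_ms = rate_per_sec
        self.burst_m = burst * 1000
        self.state = {}  # ip -> (milli_tokens, last_seen_ms)

    def allow(self, ip, now_ms):
        tokens, last = self.state.get(ip, (self.burst_m, now_ms))
        tokens = min(self.burst_m, tokens + (now_ms - last) * self.refill_per_ms)
        if tokens >= 1000:
            self.state[ip] = (tokens - 1000, now_ms)
            return True
        self.state[ip] = (tokens, now_ms)
        return False


def simulate(throttle, events):
    """events: iterable of (time_ms, source_ip). Returns ip -> (accepted, rejected)."""
    stats = defaultdict(lambda: [0, 0])
    for t, ip in sorted(events):
        stats[ip][0 if throttle.allow(ip, t) else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


# Constructed traffic (addresses are documentation ranges, not real hosts).
ATTACKER = "203.0.113.7"
LEGIT = "198.51.100.5"
EVENTS = [(ms, ATTACKER) for ms in range(1000)] + [(200, LEGIT), (500, LEGIT), (900, LEGIT)]


def run_example():
    return simulate(PerSourceThrottle(rate_per_sec=2, burst=5), EVENTS)


if __name__ == "__main__":
    for ip, (ok, dropped) in run_example().items():
        print(f"{ip}: accepted {ok}, rejected {dropped}")
```

The flood gets its five-connection burst plus one refilled token and the remaining 994 attempts are refused before they cost a password check, while the legitimate user's three connections all go through because each source has its own bucket. That independence is also the limit of the technique, which the reply already notes: traffic spread across many zombie addresses each stays under its own bucket, so a per-source throttle has to be paired with an overall connection limit and the failed-login blocking discussed earlier in the thread.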
On 2011-09-13 14:53, Orchid XP v8 wrote:
> Oh, wait, you can set the remote display to not take up the whole
> screen, can't you?
>
Yes. I run my work laptop at 1440x900, but the screen sizes for my
remote desktops are 1152x864, so that I still have the contact list of
my work IM program and my local taskbar visible. Makes it easier to
switch from one server to the other, hunt for local files, chat with the
boss, or surf the internet while still keeping an occasional eye on the
Oracle indexes rebuilding themselves.
--
/*Francois Labreque*/#local a=x+y;#local b=x+a;#local c=a+b;#macro P(F//
/* flabreque */L)polygon{5,F,F+z,L+z,L,F pigment{rgb 9}}#end union
/* @ */{P(0,a)P(a,b)P(b,c)P(2*a,2*b)P(2*b,b+c)P(b+c,<2,3>)
/* gmail.com */}camera{orthographic location<6,1.25,-6>look_at a }
On Tue, 13 Sep 2011 19:48:55 +0100, Orchid XP v8 wrote:
> Let me rephrase: There are no SSH servers that are free software.
openssh is released under the GPL, and has been around for quite some
time now (certainly more than 5 years - I'd say more than a decade).
And there are versions that run on Windows - using cygwin or not.
Jim
>>> You're off by two orders of magnitude. Most Cisco firewalls are in the 5
>>> digit price tag.
>>
>> True. But not this particular one.
>>
>>
http://www.ebuyer.com/135532-cisco-asa-5505-firewall-edition-bundle-asa5505-50-bun-k9
>
> OK. You got me. I usually don't deal with small-office/home-office gear.
I was surprised myself. Our network switches cost about 3x what every
other manufacturer wanted.
(I soon discovered, however, that these "switches" are actually just
24-port *routers*...)
>>> You don't need to be a Cisco Certified Internetwork Expert to figure it
>>> out. The Cisco manuals are usually pretty easy to follow, and freely
>>> available on their web site.
>>
>> Really? That might be worth reading...
>>
>
> This is a good place to start:
OK.
> Note: Even though Cisco firewall appliances are now called ASAs, their
> documentation still calls them PIXes all over the place.
Yeah, we've still got a PIX 506e in the corner. Though damned if I know
why; that thing was starting to become quite unreliable...
>> From what I've seen, you telnet into the router, enter a password, and
>> then enter lines of gibberish such as "enh eth gw all". You would
>> *definitely* need a manual to figure out WTH that actually means, or
>> what the name of the command you want is.
>
> Two things:
>
> First thing, typing ? at any point will list all the available commands
> at that point.
So... it's some kind of hierarchical menu system? (I had assumed that
all commands are available all the time.)
> Second thing, you don't have to enter gibberish. The commands are plain
> English words. They can be abbreviated for speed, but
>
> sh ip int fa0/0 bri
>
> Is exactly the same as typing
>
> show ip interface fastethernet0/0 brief
I see.
I'm guessing that unless you do this kind of thing all day, you'll
quickly forget what the name for each command is, and so you'll need the
manual open constantly. (I really hope the manuals contain more than
just a reference list of every command name and what it does...)
>> I'm still guessing that, between the configuration for routing to
>> multiple LANs, multiple VPN endpoints, and remote access, adding a line
>> that forwards SSH to a port on a desktop PC whose IP address is
>> configured via DHCP is probably going to take some doing. (!)
>
> Routing for the multiple LANs actually comes straight out of the box. You
> configure an IP address on all the interfaces and it will know that any
> packets it receives whose destination is on another lan interface, it
> will forward it (let's disregard security rules, for the moment!).
Even though there's only one connection from the firewall to the
(multiple) switches?
> Remote lans are handled the same way they would be on a Windows or Unix
> machine. By either configuring a routing protocol, or by adding static
> routes.
>
> On Windows, you'd type:
>
> route add 192.168.200.0 mask 255.255.255.0 192.168.1.1
1. I didn't know you could do that.
2. What does it do?
> VPN endpoints are not more complicated than on any other platform, but
> that's a bit like saying that changing the transmission of a Formula One
> is not more complicated than changing it on a Toyota... It may not be
> for a complete noob.
Presumably you have to specify protocol types and encryption keys and so
forth...
> Allowing inbound ssh connections will need that PC to have a static NAT
> address, and therefore a static local IP address. Your Netgear or
> Linksys home router can work around this because it also acts as the
> DHCP server, so it knows to which MAC address to send the traffic, but in
> an enterprise where the firewall is a separate piece of hardware, there
> is simply no way to do this.
Quite. The only way this could work is if you wanted to /temporarily/
forward SSH (probably on a different port number) to the IP address that
my desktop PC /currently/ has.
>> And we still have the minor issue that I don't have the password. :-P
>
> If you have physical access to the box, you can do a password recovery
I am *so* not trying this! :-D
Incidentally, I gather that there's two ways to control the ASA. One
involves telnet. The other involves a serial cable...
On 13/09/2011 10:01 PM, Darren New wrote:
> On 9/13/2011 11:45, Orchid XP v8 wrote:
>> So what changed then? Certainly X hasn't changed since prehistoric
>> times...
>
> ssh port forwarding, for one. It was never hard to forward X. It was
> hard to forward X securely and hard to forward X without first logging
> in over a command line interface.
You mean SSH hasn't existed since before System V as well?
On 13/09/2011 10:05 PM, Darren New wrote:
> On 9/13/2011 11:45, Orchid XP v8 wrote:
>> OK, let me put it this way: X lets you install an application on a
>> central
>> server, and have multiple X "servers" (i.e. *clients*) connect to that
>> server and have their own instance of the application appear on their
>> screen.
>
> Yep. You still need a computer for each user, tho.
Sure. But I mean, you can set up an application server that more than
one person can access, without doing anything particularly special.
>> If you want to do that with RDP, you need the multi-thousand dollar
>> "server"
>> version of Windows.
>
> Um, it's $117 online, and that's with five client licenses.
>
> Even if you don't find a deal, it's $525. Far from "multi-thousand
> dollars".
OK, well maybe it's the cost of the client licenses I'm thinking of then...