RE: Hard data on network impact of the "Code Red" worm?

From: Hank Nussbacher [mailto:hank@att.net.il]
Sent: Monday, July 30, 2001 11:41 PM

bandwidth - typically FastEthernet. So targeting IIS servers is a sure
way of maximizing your zombie power (the only more powerful worm would be
an Apache zombie which has about 18M potential clients or a bind
worm-zombie).

Cut it out! You're making my blood run cold. Four years ago, I had three
systems cracked by mwsh. The entry was via BIND. They were Linux boxen and
the exploit downloaded mwsh source code and compiled it. It could, just as
easily, do that with CodeRed sources. Fortunately, most BIND installations
have been upgraded since then. But, I'll bet that there are a few that
haven't been. Is Raul Dhesi listening?

<shudder>

Hello All, I have charged myself with trying to find a statistic
  on how many individuals responsible for IP core equipment
  recommend telnet or ssh & why particularly. I will summarize.
    Tia, JimL

Hi

> Hello All, I have charged myself with trying to find a statistic
> on how many individuals responsible for IP core equipment
> recommend telnet or ssh & why particularly. I will summarize.

telnet is cleartext, that should be reason enough...

--Rob

True, but I would point out that if it's your core equipment that you are
accessing from your network that sits directly on the core then you should
be happy with the fact that no one is eavesdropping and it makes no
difference.

Having said that, I use ssh where I can. I like RSA rather than passwords
as it's so much more difficult for people to log in as you; that's not ssh
specific though, that's just an alternative authentication scheme that just
happens to ship with most ssh.

So that's my main logic, authentication... I can't understand the big
paranoia on people sniffing though!

Steve

Hi,

   We use des/3des ssh to access core equipment. The reasons are self
explanatory I believe.

--Ariel

Hi

> True, but I would point out that if it's your core equipment that you are
> accessing from your network that sits directly on the core then you should
> be happy with the fact that no one is eavesdropping and it makes no
> difference.

Not everyone has out-of-band networks for management. Management of
devices is sometimes done thousands of miles away. Remember also that this
traffic can be sniffed before it gets to the core (yes, ssh is sniffable
as well, but just not as easily, and at least it's not in plaintext).

> So that's my main logic, authentication... I can't understand the big
> paranoia on people sniffing though!

Unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully
it's not as easy for the naughty eavesdropper to get into the right
position for that....

--Rob

> paranoia on people sniffing though!

Hmmm, how about I inject an arp entry into your workstation, and redirect
your traffic to where I want ?

...

--Ariel

*ponder*

How will that work? You're not on my network and my routers won't forward
local packets to you.

Steve

> True, but I would point out that if it's your core equipment that you are
> accessing from your network that sits directly on the core then you should
> be happy with the fact that no one is eavesdropping and it makes no
> difference.

> Not everyone has out-of-band networks for management. Management of
> devices is sometimes done thousands of miles away. Remember also that this
> traffic can be sniffed before it gets to the core (yes, ssh is sniffable
> as well, but just not as easily, and at least it's not in plaintext).

This is in-band. If, as you say, you are accessing from another network then
this is where the encryption kicks in being useful; however that raises
another question - do you just allow any host to connect providing they
can authenticate? I know my login ports are restricted at both network and
host level to specific authorized addresses...

> So that's my main logic, authentication... I can't understand the big
> paranoia on people sniffing though!

> Unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully
> it's not as easy for the naughty eavesdropper to get into the right
> position for that....

Exactly, it's probably easier to hack the box by other means than sniffing
auth details!

Steve

*ponder*

But who said I am not on your network ? What if I penetrated your AAA
server, or, some other server on your network ?

And what about those that administer their networks from remote locations?

--Ariel

> *ponder*

> But who said I am not on your network? What if I penetrated your AAA
> server, or some other server on your network?

Well, you're not. And if you were, I'm pretty well screwed! Although having
said that, my network doesn't allow you to hop between machines.. but maybe
you compromised my security? Okay, I'm screwed again!

> And what about those that administer their networks from remote locations?

See other response.. either they are on a trusted network or they have
their machines open to login from the entire internet? If the latter then
they deserve hacking!

Steve

> > So that's my main logic, authentication... I can't understand the big
> > paranoia on people sniffing though!
>
> unfortunately ssh is just as sniffable if it's an arp spoof, but hopefully
> it's not as easy for the naughty eavesdropper to get into the right
> position for that....

Pardon for blowing your bubble but sniffing ssh key exchange does not do you
any good. The symmetric key is exchanged via a channel already secured. The
keys that are used to secure the channel used to exchange the symmetric key
are exchanged via a DH-based protocol. If you want to spend your time
factoring primes for the next 500 years to extract the key, you are more than
welcome to try. It is crypto-101.

Alex

> *ponder*

> But who said I am not on your network? What if I penetrated your AAA
> server, or some other server on your network?

If this is done, you may well already be f*cked, but not necessarily
because of "sniffing" or "injecting ARP entries", all of which can be
prevented by a decent switch with VLANs, and for more protection, static
port ARP entries.

> And what about those that administer their networks from remote locations?
>
> --
> Stephen J. Wilcox
> IP Services Manager, Opal Telecom
> http://www.opaltelecom.co.uk/
> Tel: 0161 222 2000
> Fax: 0161 222 2008
>
> --
> Ariel Biener
> e-mail: ariel@post.tau.ac.il
> PGP(6.5.8) public key Ariel's PGP key

James Smallacombe PlantageNet, Inc. CEO and Janitor
up@3.am http://3.am
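The ARP-cache poisoning that Ariel describes, and the static ARP entries offered above as a defence, as an added example that is not part of the thread: an arpwatch-style detector run over a constructed log in the shape of `tcpdump -n arp` output. The addresses, MACs and timestamps are made up; the point is that a sniffer on the management segment (or the workstation itself) sees the router's address suddenly claimed by a second MAC, and that a pinned static entry turns the poisoning into a visible but harmless attempt.

```python
"""Added example (not from the thread): flag ARP replies that change the
MAC claimed for an IP address, the signature of the "inject an arp entry
into your workstation" redirection discussed above."""
import re

# Constructed sample, shaped like `tcpdump -n arp` output.  10.0.0.1 is the
# core router; at 12:00:05 a second MAC starts answering for its address.
SAMPLE_TCPDUMP = """\
12:00:00.101 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
12:00:01.204 ARP, Request who-has 10.0.0.1 tell 10.0.0.50, length 28
12:00:01.205 ARP, Reply 10.0.0.50 is-at 00:11:22:33:44:50, length 28
12:00:05.330 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:06.331 ARP, Reply 10.0.0.1 is-at de:ad:be:ef:00:01, length 28
12:00:09.002 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01, length 28
"""

# Timestamp, sender IP and sender MAC of an ARP reply; requests are ignored.
REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\S+) is-at ([0-9a-fA-F:]{17})")


def parse_replies(text):
    """Return [(timestamp, ip, mac), ...] for every ARP reply line."""
    out = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            out.append((m.group(1), m.group(2), m.group(3).lower()))
    return out


def detect_flips(replies, static=None):
    """Flag IP addresses whose claimed MAC changes.

    `static` maps IP -> MAC for addresses the workstation has pinned with a
    static ARP entry (e.g. `arp -s 10.0.0.1 00:11:22:33:44:01`).  The kernel
    ignores replies that contradict such an entry, so they never redirect
    traffic, but each one is still reported: it shows someone is trying.
    Returns [(timestamp, ip, expected_mac, seen_mac, reason), ...].
    """
    static = static or {}
    learned = {}
    alerts = []
    for ts, ip, mac in replies:
        if ip in static:
            if mac != static[ip]:
                alerts.append((ts, ip, static[ip], mac, "contradicts static entry"))
            continue                       # pinned: nothing to learn
        prev = learned.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, ip, prev, mac, "changed"))
        learned[ip] = mac                  # repeats of the new MAC stay quiet
    return alerts


if __name__ == "__main__":
    replies = parse_replies(SAMPLE_TCPDUMP)
    for alert in detect_flips(replies):
        print("flip:  ", alert)
    # Same log, router pinned on the workstation: the attempts are still seen.
    for alert in detect_flips(replies, static={"10.0.0.1": "00:11:22:33:44:01"}):
        print("pinned:", alert)
```

On a switched segment the detector only sees other hosts' ARP traffic from a mirror port or when it runs on the workstation being targeted; a VLAN per management host, as suggested above, limits who can send the poisoned reply in the first place.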

Security is generally not an all-or-nothing game. Most script kiddies
have enough skill to run a prefab'd exploit on your IIS server; some have
enough skill to inject trojan ARP entries and use tcpdump; but far fewer
have the ability to decrypt ssh packets (although new tools are making
this easier). In cases where ssh is an option, why not use it?

If you can arp spoof as indicated in the message you are replying to, you
can perform a MTM attack, which SSH offers only minimal security against
(in the form of stored host keys, whose fingerprints users often choose to
ignore or not verify). Look to SRP for a MTM-less password
authentication solution.

> True, but I would point out that if it's your core equipment that you are
> accessing from your network that sits directly on the core then you should
> be happy with the fact that no one is eavesdropping and it makes no
> difference.

this is based on the fantasy that nobody inside is rotten. this is amusing
at best, considering how much damage is done by inside jobs.

randy

> > Pardon for blowing your bubble but sniffing ssh key exchange does not do you
> > any good. The symmetric key is exchanged via a channel already secured. The
> > keys that are used to secure the channel used to exchange the symmetric key
> > are exchanged via a DH-based protocol. If you want to spend your time
> > factoring primes for the next 500 years to extract the key, you are more than
> > welcome to try. It is crypto-101.

> If you can arp spoof as indicated in the message you are replying to, you
> can perform a MTM attack, which SSH offers only minimal security against
> (in the form of stored host keys, whose fingerprints users often choose to
> ignore or not verify). Look to SRP for a MTM-less password
> authentication solution.

Monkey in the Middle attack on SSH is very difficult to perform. I'm cc'ing
Matt Bishop (bishop@cs.ucdavis.edu) who together with yours truly wrote a
paper on this in 1997.

Cheers,
Alex

Hello All, Thank you for the dissertations & insight into the
  possible methods of compromising an authentication attempt.

  But, I am really interested more in 'Why' each responsible
  individual(s) chose either telnet or ssh to manage their Core
  equipment.

  ssh
  1) Has been the encrypted authentication.

  telnet
  1) Has been legacy OS's / Equipment only supporting telnet.

Hard how? Are you talking about the complexity in coding the exploit app?
So what! It only has to be written once:

SSHv1
wget http://www.monkey.org/~dugsong/dsniff/dsniff-2.3.tar.gz
tar -zxf dsniff-2.3.tar.gz
man ./dsniff-2.3/sshmitm.8

The SSH security model is fundamentally weak against Man in the Middle,
because it provides no methodology to verify the transmitted key (beyond
crude manual methods... Not that the PKI system used with SSL is all that
effective either).

> > Monkey in the Middle attack on SSH is very difficult to perform. I'm cc'ing
> > Matt Bishop (bishop@cs.ucdavis.edu) who together with yours truly wrote a
> > paper on this in 1997.

> Hard how? Are you talking about the complexity in coding the exploit app?
> So what! It only has to be written once:

Really? And does it work on all hosts, no matter how they are configured?
Next...

Alex
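The disagreement running through the last few messages (Alex: sniffing the DH key exchange gets you nothing; the replies: an ARP-spoofed man in the middle defeats it unless the host key is actually checked; Alex again: it depends on how the host is configured) can be made concrete. Below is an added example, not code from the thread or from any SSH implementation: a toy model of the exchange with the standard library only. The DH group (the Mersenne prime M127 with generator 3) and the textbook-RSA host keys built from six-digit primes are assumptions for illustration and are far too small for real use; the structure is the point. A client that pins the server's host key and verifies the server's signature over the exchange hash rejects the attacker whether he substitutes his own key or relays the real one; a client that accepts any offered key ends up sharing a session key with the attacker.

```python
"""Added example (not from the thread): why the SSH key exchange resists
sniffing but not an unverified man in the middle.  Toy parameters only."""
import hashlib
import secrets

# Toy DH group, assumed for this example (not a real SSH group).
P = (1 << 127) - 1   # Mersenne prime M127; far too small for real use
G = 3


def dh_keypair():
    """Return (private exponent, public value) for one side of the exchange."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


class HostKey:
    """Toy textbook-RSA host key; only the holder of d can sign."""

    def __init__(self, p, q, e=65537):
        self.n, self.e = p * q, e
        self.d = pow(e, -1, (p - 1) * (q - 1))

    def public(self):
        return (self.n, self.e)

    def sign(self, digest):
        return pow(int.from_bytes(digest, "big") % self.n, self.d, self.n)


def verify(pub, digest, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big") % n


def exchange_hash(hostkey_pub, e, f, k):
    """Like SSH's H: binds the host key, both DH values and the shared secret."""
    return hashlib.sha256(f"{hostkey_pub}|{e}|{f}|{k}".encode()).digest()


def make_server(hostkey, sessions):
    """Honest server: answer the client's e with (f, host key, signature over H).
    Appends the key it derived to `sessions` so the caller can compare."""
    def reply(e):
        y, f = dh_keypair()
        k = pow(e, y, P)
        pub = hostkey.public()
        sessions.append(k)
        return f, pub, hostkey.sign(exchange_hash(pub, e, f, k))
    return reply


def client_kex(server, pinned_hostkey=None):
    """Client side; returns the session key, or None if a check fails.
    pinned_hostkey=None models a user who accepts whatever key is offered."""
    x, e = dh_keypair()
    f, pub, sig = server(e)
    k = pow(f, x, P)
    if pinned_hostkey is not None and pub != pinned_hostkey:
        return None                    # known_hosts mismatch
    if not verify(pub, exchange_hash(pub, e, f, k), sig):
        return None                    # signature does not cover this exchange
    return k


def make_mitm(real_server, attacker_key, seen, forward_real_key=False):
    """Attacker in the path (e.g. after ARP spoofing): one DH exchange with the
    real server, another with the client.  Either relays the real host key
    and signature (which no longer match the client's exchange) or presents
    his own key and signs the client-facing exchange himself.  Records
    (client key, server key) pairs in `seen`."""
    def reply(e):
        x2, e2 = dh_keypair()
        f_real, real_pub, real_sig = real_server(e2)
        k_server = pow(f_real, x2, P)
        y2, f2 = dh_keypair()
        k_client = pow(e, y2, P)
        seen.append((k_client, k_server))
        if forward_real_key:
            return f2, real_pub, real_sig
        pub = attacker_key.public()
        return f2, pub, attacker_key.sign(exchange_hash(pub, e, f2, k_client))
    return reply


if __name__ == "__main__":
    server_key = HostKey(1000003, 999983)     # toy primes, assumed
    attacker_key = HostKey(999979, 999961)
    sessions, seen = [], []
    honest = make_server(server_key, sessions)
    print("direct, pinned:  ", client_kex(honest, server_key.public()) == sessions[-1])
    mitm = make_mitm(honest, attacker_key, seen)
    print("mitm, pinned:    ", client_kex(mitm, server_key.public()))
    print("mitm, unpinned:  ", client_kex(mitm) == seen[-1][0])
    relay = make_mitm(honest, attacker_key, seen, forward_real_key=True)
    print("relay real sig:  ", client_kex(relay, server_key.public()))
```

A passive sniffer sees only e and f and is in the position Alex describes; the attacker only gains something once he can answer in the server's place, and then the outcome turns entirely on whether the client's stored host key is compared and the signature checked, which is the configuration dependence the last reply points at.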