diggler

I thought this was a good read. Attached the ebook too. Enjoy... http://en.wikipedia....Robert_Cialdini http://www.amazon.co...i/dp/0688128165 https://dl.dropbox.com/u/18742874/Influence%20%287Summits%29.pdf

Definitely interested in using fwknop. It just looked like a bitch to implement correctly. Would definitely use it if there was a tutorial. Cheers..

From creators of fwknop: "> After weeks of reading about port knocking, security and its > implications I went on a hunt to find the best tool for implementing > 'secure' port knocking. I came across your website and tool, fwknop at > http://www.cipherdyne.org/fwknop/. From what I have read I think it's > the best possible tool. Obviously you're biased, but perhaps there's > other options you've grown fond of as well? I would say that the most interesting competing implementation is Moxie Marlinspike's "knockknock". However, fwknop makes several design decisions that are at odds with those made by knockknock, so the solution you choose probably depends on which of these design decisions you agree with. Here are a few decisions made by fwknop that are direct opposites of those made by knockknock: - fwknop does not require a heavyweight interpreter like perl or python to be installed on the server (or the client). - fwknop does not require trusting an IP address in the network header (it is possible to mount a MITM attack against any SPA implementation that does trust the source IP in the header vs. an IP that is encrypted within the SPA payload - the later is what fwknop does with -a or -R on the fwknop client command line). - fwknop does not require root access on the client side because it doesn't manipulate raw packet headers - this brings SPA functionality to devices like the iPhone and allows any normal user to use it. - fwknop does not require specialized logging support on the server side, and a consequence is that it easily supports multiple firewalls (it currently supports iptables, ipfw, and pf). - fwknop is able to run on embedded systems. - fwknop is scalable to lots of users. > I write to you today because I'm attempting to implement fwknop on VPS > powered Ubuntu servers, ranging from 10.10 to 12.04, for securing SSH > (port 443) and a HTTP web gui (http://x.x.x.x:5000). I found a 'how > to' guide (http://ubuntuforums.org/showthread.php?t=1926699) but > haven't came across much else. > > Am I correct in assuming that what fwknop does (not how it works) is > it essentially opens up the remote server port for a set period of > time to allow for the normal operation of the services? Yes, that is a fair description of how fwknop works. I might add that: 1) The opened port is only open for the specific IP that is encrypted within the SPA packet 2) There are tricky ways to leverage NAT on iptables firewalls such that connections to one port can be translated into actually accessing other ports, and this can apply to connections both to the system where fwknopd is running or connections through to other systems too. > Do you have any recommendations or "setup guides" that may help me in > my quest to setup fwknop securely? Do you have any scripts, or other > recommendations that may make the process easier? I'm working on this - there is some information on my blog, but it needs to be extended." From Moxie: " > - fwknop does not require a heavyweight interpreter like perl or python > to be installed on the server (or the client). This is probably the biggest difference. It seems fwknop considers this a bad thing, where as I consider it a good thing. Basically, I see the purpose of port knocking as protection against network services written in "unsafe" languages like C. So naturally, I don't want to replace them with... another network service written in an unsafe language, using an enormous library written in an unsafe language (libpcap). knockknock is designed to be extremely simple, and not dependent on any complex native code. It's just a small python script that tails a log file -- can't get much safer than that."

I'm trying to "hide" the fact that SSH + deluge are running when port scanned. I think my options are I can firewall the server, open SSH port and keep it visible, and get to the deluge by going to localhost:8112 after a ssh -D $someport. Or, I can use knockknock and hide SSH and Deluge but need to keep 1outbound+1inbound tcp port open for deluge xfers (or use knockknock-proxy). - Server(s) running Ubuntu 10.10 --> 12.04 - knockknock --> http://www.thoughtcr...are/knockknock/ - SSH - deluge-torrent.org/ 1. Has anyone on the forums attempted to setup port knocking with knockknock before? 2. Am I correct in assuming that it would be wise to NOT use UFW to configure my firewall and instead rely strictly on iptables? I believe this to be true because knockknock will need custom iptable entries to work. 3. SSH seems simple to think through. Knock on one port and connect. All Inbound+Outbound traffic flows over one port after the connection is established -- easy enough. 4. I threw in an application like Deluge because I can't get my head around the firewall logic. "deluged" runs as a local daemon on the server. Once a Torrent is added it needs two ports to operate (1 Inbound + 1 Outbound). "deluge-web --fork" is a web gui to add/remove Torrents. It runs on a separate port (8112 by default), for a total of three. My best guess is to create a knockknock rule for the web gui (8112) and leave deluge's inbound (5000) + outbound (6000) ports open and standard SSH knockknock rule. OR should I use the knockknock-proxy? Can anyone contribute/comment on how this should be setup? THANKS

Hi Jason, Interesting reply. Thanks. I have a couple of questions from your post: - I have the TOR browser bundle installed - Am I correct in assuming that TOR (browser bundle) listens on local port 9050 for exactly these types of proxy situations without the need to configure/modify the TOR browser bundle? What we're doing is telling SSH to route its traffic to local port 9050, where TOR is listening, then forward traffic through TOR 80 HTTP or 443 HTTPS - Is it then possible for me to run other applications, like 'Chicken of the VNC' through TOR as well? Do you know how this would be done? *I think I can use this piece of software to accomplish my goal: http://code.google.com/p/torsocks/ **I think my best bet is to launch TOR through BT5, use VNC, and proxy chains... http://bent.latency.net/bent/git/goto-san-connect-1.85/src/connect.html

Hi All, Scenario/Background: I'm on a boat. We use VSAT + two year old Cisco router. Router has been locked down. The only ports open are 80 (http), 443 (https), 25 (mail), 3389 (RDP). When travelling I used to be able to use OpenVPN (udp), PPTP VPN (tcp), or a socksified (-D) SSH connection to tunnel my traffic. That's no longer the case. I borked my VPS server trying to get around the above stated issue. It's left me in a bit of a pickle. I can use TOR to get to my VPS's CPANEL (control panel). I have to use a service like TOR, because the CPANEL is on a non-standard web port (5454). I can't reinstall the server though. To do that I need to VNC to the VPS. I use 'Chicken of the VNC' which doesn't support proxying, like a web browser. I've looked at a few options, like NoVNC, etc which are browser based HTML5 implementations of a VNC client but they rely on a companion server which my VPS is not running. Any ideas? (1A) Help! *I'm asking a friend to remotely reconfigure my server, and to run SSH on port 443 so I'll have SSH access and web proxying ability, but it has led me to even more questions. I hope that the firewall doesn't filter to the Layer 7 networking stack, otherwise I might need a better solution. What are some ways to accomplish this? (2A) Below is what I've found so far. Please help me add to the list of possibilites. Is there a software solution (Mac OS X or Ubuntu) that allows a user to specify which application uses the socksified SSH connection (ex ssh -D 8080 username@y.y.y.y) on the local machine? (3A) It woud be ideal if an application could force traffic over the SSH connection. Example, tell 'Chicken of the VNC', Adium, etc to route through SSH without having to set a proxy in their individual preferences (most don't even have the option/ability). Future Solutions 1B. #Ubuntu wiki says this might be a problem on some VPS's - https://help.ubuntu....y/IptablesHowTo #execute on remote server iptables -t nat -I PREROUTING -p tcp -m conntrack --ctstate NEW -s x.x.x.x -d y.y.y.y --dport 443 -j REDIRECT --to-port 22 or #execute on remote server iptables -t nat -I PREROUTING --src x.x.x.x --dst y.y.y.y -p tcp --dport 443 -j REDIRECT --to-ports 22 sudo iptables -t nat -L -n -v #execute on local machine in Terminal ssh -p 443 -D 8080 username@y.y.y.y 2B. http://www.thoughtcr...tware/firemole/ 3B. http://dag.wieers.co...http-tunneling/ *anyone know of a more current way to do this? (4A) software doesn't look like it's been updated since 2009 4B. sudo nano /etc/ssh/sshd_config change the line "Port 22" to "Port 443" to save --> hit ctrl+o, then ctrl+x sudo restart ssh *how does encrypted web traffic (https 443) still work if SSH is now using port 443 on the VPS? (5A)

.

that's what aireplay does with the aircrack-ng suite of tools. the only way to crack WPA2 is to capture the handshake after a deauth and bruteforce it.... just use reaver now :)

Problem with a "roll your own", is many people aren't competent enough to setup a server properly. Especially to disable all logs + enable encryption + keep box secure by configuring everything correctly. If there was a server ISO that I could install which was pre-configured to be a riseup.net functionality clone but hosted by myself, and all I would need to do is forward the correct domain info, I would be doing that in a heartbeat.... FYI, Moxie M, endorses the guys and the riseup.net project. I regard his comments and recommendations highly. I wish riseup.net would move their colo from NY and Seattle to some offshore island... I like riseup.net more for their 3mbit up/down OpenVPN that you get with an account. Very secure (not anonymous), but they don't keep logs. Don't use it to DL. It was said before, email is shit and even if you do roll your own solution and are secure the other parties likely will not be. Thats why I like OTR over anything ATM. There is also a new service which looks interesting at pidder.com (Germans always build the coolest stuff :)

I look at it from a different perspective. I don't want companies crawling my content to advertise to me, or creating a profile about my behaviour. I also don't want my e-mail provider to know where I log in from, or have a record of that. I get lazy and don't always TOR / VPN / SSH -D / etc, so I like services like riseup.net who don't keep records. They also strip header info. People in our circles should use adium / pidgin and stick to OTR.

I can issue enough invites to get people accounts at riseup.net; if interested pm me...

Good Evenin'... Caveat: I realize that this practice may be "un-safe" because you won't have a record for auditing your server incase of a breach However, I have a few reasons for why I'd like to do this. An example of an e-mail/VPN provider who currently offers these (potential) advantages (riseup.net) For setting up Debian (Ubuntu) based VPS server's can anyone provide expertise on how to anonymize SSH, or how to 'do-not-track' who comes and goes on the server, from which ever services may be logging this type of information (SSH, logrotate, etc). ex) no log files, no ip logging, etc ex) if I run a command like 'who -H' it will list the users and their IP addresses connected to the box and store the list of whose come and gone; also when logging in, it shows from what IP the last user logged in Any other expertise you can provide would be greatly appreciated. Thanks, diggs

For the real noobies you could add the LAN's DHCP address 192.168.1.100 showing the ICS to 172.16.42.42 adress as well

Thanks for the response, much appreciated. That script IS bad ass. Now on to the next puzzle : /

IT WORKED! I let the script run for an hour and that seemed to do the trick. I guess I was just impatient. So strange though, because I couldn't see the hard-drive seeking or doing much of anything. UNREAL!