Slashdot Mirror


User: ksp

ksp's activity in the archive.

Stories: 0 · Comments: 78

Comments · 78

  1. Re:Unlikely! on Highest Human Elevation Using a Rocketbelt · · Score: 2, Insightful

    Just remember that the knack lies in learning how to throw yourself at the ground and miss.

    Isn't that how satellites work?

  2. Re:Knock Knock? - How to secure IMHO. on Port Knocking in Action · · Score: 1

    I would handle it like this:
    4 - no, wrong start port. Treat as random hit and ignore, or log IP with a timestamp.
    6 - yes, that's OK. Start of sequence.
    4 - yes, second port OK.
    9 - Oops! Wrong. Port knock failure. Log failure.
    6 - yes, start of sequence.
    4 - yes, second port OK.
    5 - yes, third port OK.
    4 - yes, sequence COMPLETE. Log successful knock.
    2, 1, 9 - Ignore, as sequence is done.
    Pause for a few random secs and open SSH access for this IP.

    If you get lots of failed attempts after the first or second port, that's when you really need to get paranoid and block and/or report. Random port scans should not be allowed to DOS your port knock server by filling logs. Brute force attacks should get blocked.
    I would use sequences of perhaps 20-30 ports. Perhaps in range 1025-65536? And 10-20% random ports prepended and appended. Should give a nice set of possible sequences for your one-time pad? :-)

  3. Re:Knock Knock? - How to secure IMHO. on Port Knocking in Action · · Score: 2, Interesting

    I haven't looked at the way this is implemented (in true Slashdot fashion), but here's what I would do:

    From client:
    Send a random number, say [1-10] of port knocks, toward random ports.
    Send the true port knock sequence, this has to complete before a certain time has elapsed.
    Send a random number of port knocks again.
    Wait a second or two, then connect to the real port.

    Now, the server side waits for the first correct port and hence ignores your random garbage. Once your first port comes through it waits for a short duration (3 sec?) for the second port knock. If that comes across OK it waits for the next etc.

    A wrong port from the same IP or a timeout causes the entire knock attempt to fail and get logged.

    Once the correct sequence is sent, there is a random delay of a few seconds before the real port (e.g. SSH) is opened so sniffers can't tell exactly when the sequence started and ended within the total port knocks sent.

    Now you are logged in, and since you are connected via some form of encryption (again, SSH or whatever) you are free to change the port knock sequence. Perhaps even done automatically every successful login, with a logged failback to previous sequence if you get out of sync.

    Unless you log in to the opened port within 30 secs it closes and you have to wait 90 secs to send the sequence again.

    You could additionally add individual sequences for static IPs (or even DynDNS?) or even certain individual logins allowed to authenticate after that sequence was received. I expect netfilter modules to be written to handle all of this.

    By the way, anyone who thinks an open SSH port is *safer* than port knocking + SSH is an idiot in my opinion. The first discussions here were full of such comments, they seem to have died off as people decided to RTFA?
    Still, port knocking is not the best option for frequent connects by many users, and can be DOS'ed with IP spoofing or some kind of packet injection.
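One way to implement the per-IP state machine that the two port-knocking comments above sketch (the ignore/start/fail/complete decisions of comment 2, and the inter-knock timeout and re-knock lockout of comment 3), as an added example that is not from the original thread or any real port-knock daemon. The secret sequence 6 4 5 4, the 3 s timeout, the 90 s lockout and the client address are assumptions; the actual firewall change is left as a comment.

```python
# Constructed parameters modelled on the two comments: the secret sequence from
# comment 2, the 3 s inter-knock timeout and 90 s re-knock lockout from comment 3.
SECRET = (6, 4, 5, 4)
KNOCK_TIMEOUT = 3.0   # seconds allowed between consecutive knocks
LOCKOUT = 90.0        # seconds after a complete sequence before it may be resent


class KnockServer:
    """Per-IP state machine for a port-knock daemon (illustrative, not a real one)."""

    def __init__(self, secret=SECRET, timeout=KNOCK_TIMEOUT, lockout=LOCKOUT):
        self.secret, self.timeout, self.lockout = secret, timeout, lockout
        self.progress = {}   # ip -> (index of next expected port, time of last good knock)
        self.locked = {}     # ip -> time until which further knocks from it are ignored
        self.log = []        # (time, ip, event); a real daemon would write these to syslog

    def _log(self, now, ip, event):
        self.log.append((now, ip, event))
        return event

    def knock(self, ip, port, now):
        """Classify one observed SYN from ip to port at time now (seconds)."""
        if self.locked.get(ip, 0.0) > now:
            return self._log(now, ip, "ignored")      # sequence done: the 2, 1, 9 in comment 2
        pos, last = self.progress.get(ip, (0, now))
        if pos and now - last > self.timeout:
            del self.progress[ip]                      # stalled attempt is discarded
            self._log(now, ip, "timeout")
            pos = 0
        if pos == 0:
            if port != self.secret[0]:
                return self._log(now, ip, "ignored")  # random hit: no state is kept
            self.progress[ip] = (1, now)
            return self._log(now, ip, "start")
        if port != self.secret[pos]:
            del self.progress[ip]                      # one wrong port fails the whole attempt
            return self._log(now, ip, "failure")
        if pos + 1 < len(self.secret):
            self.progress[ip] = (pos + 1, now)
            return self._log(now, ip, "ok")
        del self.progress[ip]
        self.locked[ip] = now + self.lockout           # here a daemon would sleep a random
        return self._log(now, ip, "complete")          # few seconds, then open the real port


if __name__ == "__main__":
    # Constructed trace: the 4 6 4 9 6 4 5 4 2 1 9 ports of comment 2, one knock every 0.5 s.
    trace = [(0.5 * i, p) for i, p in enumerate((4, 6, 4, 9, 6, 4, 5, 4, 2, 1, 9))]
    for t, port in trace:
        print(f"t={t:3.1f}s port {port:2d}: {KnockServer().knock('198.51.100.7', port, t)}")
```

Counting "failure" events per IP in `log` gives the signal comment 2 says should drive blocking; a fresh `KnockServer()` per knock in the demo is only for brevity, a daemon keeps one instance.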

  4. How can I switch between them? on The New Linux Speed Trick · · Score: 2, Interesting

    I know there is a boot-time switch for changing the I/O scheduler, but I still believe you are stuck with one for all devices. How about using different algorithms for different partitions? There is quite a lot of difference between a database device, a filesystem holding binaries, shared libraries, /tmp, spool directories etc. etc. etc. When I/O schedulers are so different in their theoretical foundations, why do you have to choose only one?
    This should be a mount option, not a boot option.

  5. Re:Lets hope Corel doesn't screw this up. on Corel To Test WordPerfect For Linux · · Score: 1

    Do you want to know which version I liked?
    WP 5.1 on... can I say it here? SCO OpenServer!
    OK, the platform was just what my employer at that time happened to have running on their 486DX 50MHz server, shared by tens of terminal users.

    Of course, being told to produce a nice desktop-publishing-type document caused a lot of printer paper to go wasted and frequent use of "display markup codes". But it worked just fine, all in a curses-style app. Haven't used it since then, but I sometimes miss my console based DTP/editor.

  6. Re:Two approaches on Developing Open Source Defense Projects · · Score: 1

    Plan B:
    Step 1) Break into NORAD and steal the source for their guidance systems.

    Greetings, Professor Falken.
    Would you like to play a game?

  7. Ultimate Killer App on IBM's Linux Upgrade Roadmap · · Score: 4, Interesting

    If someone feels like spending a lot of time in court, start writing an app for the following specs:

    0) Install spare HD and set BIOS to boot from CD, restart.
    1) Knoppix-based CD boots the server
    2) VMWare installation on CD boots the Windows OS from the HD on top of Linux.
    3) Various scripts portscan the VMWare-running server and scan the filesystem for info, create a Linux installation on the empty disk and copy all services and shared files to this new installation. Create a Samba server to host login/password info if needed (PDC). Copy Exchange server, IIS, DNS etc. etc. Shut down when finished.
    4) Swap the old intact primary HD with the brand new disk and restart, booting the new Linux clone. Test and apply any manual changes if needed.
    5) Sell these scripts as Linux Migration Kit.
    6) Get sued.

  8. Re:They should make it a national park or such thi on Latest Chernobyl Motorcycle Photos · · Score: 1

    This will of course disappear deep down in the thread where nobody reads it, but still:

    http://www.nsrl.ttu.edu/chernobyl/wildlifepreserve.htm
    "In reality, radioactivity at the level associated with the Chornobyl meltdown does have discernible, negative impacts on plant and animal life [4,5]. However, the benefit of excluding humans from this highly contaminated ecosystem appears to outweigh significantly any negative cost associated with Chornobyl radiation [8]."

  9. From the whats-his-name-dept ? on Andreesssen: Why Open Source Will Boom - in 103 Words · · Score: 1

    "Andreesssen"? THREE "s"'es? In the headline? Seriously.
    At least you could have called him "Adreesson" like everybody else does. :-)

  10. What we need... on Cooking with the Internet? · · Score: 1

    Is

    1) Open Sauce Cooking

    2) A decent recipe application for Linux. We've been waiting 20 years for the killer app for mom's recipes, now is the time.

  11. You will HAVE to get one... on Microsoft Gadget Keeps Record of Your Life · · Score: 1

    ...in your car within 10-15 years if you want to have a normal insurance cost or perhaps just to prove in court what happened when someone dented your car. Even while parked on the street it would be guarded against burglary and accidents. Of course, it would have superimposed text with your registration plate, speed and other data. And if the speed of your vehicle exceeds the legal speed of the area (as transmitted to the car), a video clip would go via the nearest signpost WiFi hub to the police.

    Welcome to the future.

  12. Re:Anybody else thought... on Microsoft Gadget Keeps Record of Your Life · · Score: 1

    > Anybody else thought..."what a nice place to hide a bomb" when he saw that huge flowerpot

    No, that was just you. Because you are a wacko. Go look at some Rorschachs and tell us what those make you think.

  13. That's why you need... on SCO Postpones Lawsuit, Now Threatening Two · · Score: 3, Funny

    Open Sauce!

    Thank you, I'll be here all week. Don't forget to tip your waiter.

  14. Re:Why he's an idiot (part 1 out of ...) on EV1 Servers CEO Responds To Customers · · Score: 1

    Although this is Slashdot, I did actually RTFA before posting. By paying for this license he acknowledges SCO's right to demand money for his Red Hat installation. Several others have commented that he is pretty stupid if he has signed the license agreement that is publicly available. Perhaps he cut a deal and got a more sane license, but he has still become SCO's new poster boy.

    My point is that by signing anything from SCO you are not covering your ass, you are actually setting yourself up to get screwed later on.

    I am willing to chip in for any company that gets into legal trouble with SCO, and so are plenty of others (individuals and companies). Considering SCO's progress in their case with IBM, you can forget about ever having legal expenses due to a SCO suit before they are wiped off the ticker.

  15. Why he's an idiot (part 1 out of ...) on EV1 Servers CEO Responds To Customers · · Score: 5, Interesting

    "We did, however, license certain IP from SCO."

    And what IP may that be? Elaborate, please. What does SCO own that you had to pay for when you are using Red Hat Linux, from a company that will cover the risk for you?

    I wonder what long-term consequences this has for EV1 when they publicly say that they believe SCO is right and their server OS (Linux) was more or less pirated from SCO. I suspect that no matter what the result of the trial is, this guy is f*cked because he signed SCO's papers.

  16. Re:Traffodata XP on Ford Testing a New 'Traffic Monitoring' Device · · Score: 2, Informative

    That's "Traf-O-Data".

    See for instance:
    http://ei.cs.vt.edu/~history/Gates.Mirick.html#business

  17. They obviously talked to RMS, too... on Sun's Simon Phipps Answers ESR On Java · · Score: 1

    Quote:

    "When we interviewed Richard Stallman, founder of the Free Software Foundation, last month we asked what the most pressing needs are for the GNU operating system (of which Linux is the kernel), he said: 'We need a free complete Java platform.'"

    Hehe... GNU OS - currently with a Linux kernel, to be released with Hurd RSN. Perhaps the quote is right on its mark: "[FSF] need a free complete Java platform [for Hurd]" is their most pressing need! :-)

  18. Re:Obligatory Monty Python sketch quote on KDE 3.2 Release Candidate 1 Debuts · · Score: 2, Funny

    ...and from the Hollywood Bowl performance, Mr. Smoke-Too-Much exclaims at this revelation:
    "Oh, what a silly bunt I am"

  19. Re:Not funny on Spammer Sentencing Guidelines · · Score: 1

    Slashdot is not a person, it is a community with no entrance tests. Expect varying opinions on copyright, the Iraq war, flying saucers and anything else. Or are you saying the same individuals "defending" crackers are now attacking spammers?

    As for 2), I recently saw some stats about e-mail last year. I believe the number was estimated to 67% of all e-mail! So yes, spammers waste a little more than $50 and many of the unsolicited e-mails I receive are scams. Scams may be a different legal area, but to me it's just another unwanted e-mail. Banning spam would make newbies more aware of scam mails since they would stick out from the Viagra, pirated software, porn and get rich quick mails.

  20. NOW is the time! on SCO Approaches Google About Linux Licenses · · Score: 1, Insightful

    SCO will keep on going down their list as long as they hit clueless CIOs/CEOs/sysadmins who advise their business to pay for the "infringing" software they are using and then migrate to whatever they find more "compliant" with SCO's wet dreams.

    This means that every company with the slightest interest in Linux needs to read up on the truth behind this tragical rubbish SCO serves us all! Start some proactive work by letting your managers read the OSI paper and whatever else they want from Groklaw and this list. Challenge anyone who claims this is the work of Linux zealots to come up with anything resembling proof coherent with the delusions of SCO.

    Convince your managers before they get a letter!

    I'm sure most of the biggies like Google and other mentioned companies know, but a mid-sized company with sufficient bureaucracy may be intimidated and pay before the trial is up, which will feed back into SCO's ugly propaganda machinery!

    Let's show the world how Open Source cooperation is able to unveil the SCO scam and inoculate against it! When the trial is over we'll see who's still standing and who has to bleed cash...

  21. Corporate IM on Security Predictions of 2004 · · Score: 4, Insightful

    I used to work in a global virtual team for a software company and I was (once again) shocked at the ignorance of the MIS department. A lot of people just decided to use MSN Messenger and so it suddenly became our standard communication program; it was even written into work procedures.

    I expect the new IM worms to be the next major disaster to these tech companies, just like Slammer was for their unmanaged MS SQL installations.

    It surprised me that no one listened to my suggestions on setting up an internal server. OK, not every luser knows IRC, but surely there are many IMs that can be set up to use an internal server and block everything else at the firewall. We tried the Lotus Notes clone of AOL's AIM and it sucked (as everything Notes), apart from using encrypted line data.

    I remember trying to get hold of a senior developer I was working with using plain old talk in a terminal and he didn't know it... He got the notification in his shell and called me instead. Sort of explains the renaissance of these dummy IM clients.

  22. The true power of Open Source work on The Voice of Groklaw · · Score: 5, Insightful

    If the legal department of IBM ever doubted Open Source and that model of cooperation, I expect Groklaw has convinced them of the success you can achieve by free discussion. If I were an IBM lawyer I would check Groklaw several times every day and keep notes. I really believe Pamela Jones has made a difference that will work in favor of Linux. Thanks, PJ!!

  23. Re:Correction. on Computer Folklore, Circa 1984 · · Score: 3, Informative

    Sinclair Research first created the ZX80, then the ZX81 and then the ZX Spectrum. I believe they were all created around the Zilog Z80 processor (as were other home computers such as the Jupiter Ace, which used Forth instead of BASIC!).

    The ZX80 used a Z80 CPU clone running at 3.5 MHz and was delivered with 1KB of RAM, expandable up to 16KB.
    ZX Spectrum featured 16KB of RAM (upgradable to 48K) and color display.

    See http://directory.google.com/Top/Computers/Systems/Sinclair

  24. One serious problem with this... on Handy Wristwatch Phone · · Score: 1

    ..."It's for you"...

  25. Too bad... Who said FreeBSD is dying?? on Novell Announces Agreement to Acquire SUSE · · Score: 1

    Been using SuSE for many years, can't remember whether kernel 2.0 was out then. Was hoping for kernel 2.6 with KDE 3.2 in a few months, but I think I'll teach myself something else. Either Debian (via Knoppix) or Mandrake. Or why not actually make the switch to FreeBSD? That keeps me even safer from ever getting a $699 bill from the SCO Ferengi.
    [My sig got messed up, add "/dev/audio`" to the end to get the joke]