I’ve probably said this a million times, but it’s worth repeating: with so much of security based entirely on the strength of passwords, it is absolutely critical that you choose a strong password. Weak passwords are a hackers wet dream; don’t give them the pleasure. Studies have been done on the strength of "pass phrases" versus passwords, and they found that pass phrases are just as strong as passwords, and much easier to remember. The idea behind a pass phrase is that you use a phrase as the basis for you password, like this:

Phrase: How much wood would a woodchuck chuck if a woodchuck could chuck wood?

Password: Hmwwawciawccw?

See, it’s simple. Just take the first letter of each word in the phrase, including capitalization and special characters, and turn it into your password. That’s all there is too it. The strength of passwords like that are just as good as a random password of the same length. And it’s easier to remember. Two caveats, though: 1) Make sure the resulting password is long; short passwords, no matter the phrase, are subject to attack with Rainbow tables and are effectively useless, and 2) for goodness sake don’t use a common phrase, or my example, or any other example. Make the phrase something only you would know, and not anything common. Any questions?!

continue reading.....

So I’ve been playing around with PortKnocking for some time, trying to find a good implementation that didn’t create potential vulnerabilities itself – or at least presented as few as possible. I can’t say that I’m done with that search yet, but I can report that I’m happy with one interesting implementation that I’ve been toying with. Whats also nice about this implementation is that it should be portable across Linux distributions, and should also work on almost anything else that support BASH scripts.

Yep, you heard right, BASH scripts. What you got here is a 100% shell based portknocking server and client, with neither directly exposed to the traffic coming into the box its protecting. This is a really handy feature, not being a service and not parsing packets directly, because that means we don’t have to directly worry about our client and server handling them. You can find out more in the forums as well:

www.gotroot.com/tiki-view_forum.php?forumId=26

The client being written as a script means that we can use it on almost any OS, provided that we have sha1sum on the client and it can parse bash scripts.

The server and client are posted in the forums as attachments.

continue reading.....

So I’ve been playing around with PortKnocking for some time, trying to find a good implementation that didn’t create potential vulnerabilities itself – or at least presented as few as possible. I can’t say that I’m done with that search yet, but I can report that I’m happy with one interesting implementation that I’ve been toying with. Whats also nice about this implementation is that it should be portable across Linux distributions, and should also work on almost anything else that support BASH scripts.

Yep, you heard right, BASH scripts. What you got here is a 100% shell based portknocking server and client, with neither directly exposed to the traffic coming into the box its protecting. This is a really handy feature, not being a service and not parsing packets directly, because that means we don’t have to directly worry about our client and server handling them. You can find out more in the forums as well:

www.gotroot.com/tiki-view_forum.php?forumId=26

The client being written as a script means that we can use it on almost any OS, provided that we have sha1sum on the client and it can parse bash scripts.

The server and client are posted in the forums as attachments.

continue reading.....

So I’ve been playing around with PortKnocking for some time, trying to find a good implementation that didn’t create potential vulnerabilities itself – or at least presented as few as possible. I can’t say that I’m done with that search yet, but I can report that I’m happy with one interesting implementation that I’ve been toying with. Whats also nice about this implementation is that it should be portable across Linux distributions, and should also work on almost anything else that support BASH scripts.

Yep, you heard right, BASH scripts. What you got here is a 100% shell based portknocking server and client, with neither directly exposed to the traffic coming into the box its protecting. This is a really handy feature, not being a service and not parsing packets directly, because that means we don’t have to directly worry about our client and server handling them. You can find out more in the forums as well:

www.gotroot.com/tiki-view_forum.php?forumId=26

The client being written as a script means that we can use it on almost any OS, provided that we have sha1sum on the client and it can parse bash scripts.

The server and client are posted in the forums as attachments.

continue reading.....

So I’ve been playing around with PortKnocking for some time, trying to find a good implementation that didn’t create potential vulnerabilities itself – or at least presented as few as possible. I can’t say that I’m done with that search yet, but I can …

continue reading.....

So I’ve been playing around with PortKnocking for some time, trying to find a good implementation that didn’t create potential vulnerabilities itself – or at least presented as few as possible. I can’t say that I’m done with that search yet, but I can report that I’m happy with one interesting implementation that I’ve been toying with. Whats also nice about this implementation is that it should be portable across Linux distributions, and should also work on almost anything else that support BASH scripts.

Yep, you heard right, BASH scripts. What you got here is a 100% shell based portknocking server and client, with neither directly exposed to the traffic coming into the box its protecting. This is a really handy feature, not being a service and not parsing packets directly, because that means we don’t have to directly worry about our client and server handling them. You can find out more in the forums as well:

www.gotroot.com/tiki-view_forum.php?forumId=26

The client being written as a script means that we can use it on almost any OS, provided that we have sha1sum on the client and it can parse bash scripts.

The server and client are posted in the forums as attachments.

continue reading.....

UDP is a connectionless protocol. As such, that means your firewall won’t be able to tell so easily what UDP packets it should, and shouldn’t, let into your network. For instance, its a trivial matter to create a bi-directional tunnel through any firewall, even a set of firewalls, using just UDP, unprivilged accounts, and fully NAT boxes on both ends. Impossible you say? Well, not with UDP it isn’t. Read on for more about this.

Basically, it works like this:

A -> NAT_A -> inet -> NAT_B -> B

A sends packets to NAT_B on some UDP port, preferably a high port so B can setup a listener with no priviliges on that high port, but it doesn’t have to be, the port could be anything. Lets say port 10000.

NAT_B will drop those packets, because its not listening for anything on that port. Just let A happily hammer away on that port. Meanwhile, have B send packets to NAT_A with a source port of 10000. NAT_A will accept those packets in and send them on A, because its already waiting for packets on that port, meanwhile, NAT_B, seeing UDP packets go out on its port 10000 will now allow in that steady stream from A. NAT_B will then send the packets on to B, and bingo! We have a bi-directional tunnel thru two NAT firewalls, from two NATed hosts.

So, what we have now is A and B talking directly to one another, with two firewalls doing all the heavy lifting and getting the packets to each other. Since we’re using UDP, we can route an protocol we want over UDP, such as IP, or TCP. UDP is the protocol of choice for this sort of tunneling as it won’t choke or stall trying to do all that nifty traffic management tricks that TCP would – and TCP is a terrible protocol to build tunnels over. You can do it, but things can go horribly wrong (we’ll cover that in another article).

So, what can you do now? Anything you like. Which is why you don’t want to let UDP out of your network. Tis a frightfully easy protocol to open your network up with.

continue reading.....

UDP is a connectionless protocol. As such, that means your firewall won’t be able to tell so easily what UDP packets it should, and shouldn’t, let into your network. For instance, its a trivial matter to create a bi-directional tunnel through any firewall, even a set of firewalls, using just UDP, unprivilged accounts, and fully NAT boxes on both ends. Impossible you say? Well, not with UDP it isn’t. Read on for more about this.

Basically, it works like this:

A -> NAT_A -> inet -> NAT_B -> B

A sends packets to NAT_B on some UDP port, preferably a high port so B can setup a listener with no priviliges on that high port, but it doesn’t have to be, the port could be anything. Lets say port 10000.

NAT_B will drop those packets, because its not listening for anything on that port. Just let A happily hammer away on that port. Meanwhile, have B send packets to NAT_A with a source port of 10000. NAT_A will accept those packets in and send them on A, because its already waiting for packets on that port, meanwhile, NAT_B, seeing UDP packets go out on its port 10000 will now allow in that steady stream from A. NAT_B will then send the packets on to B, and bingo! We have a bi-directional tunnel thru two NAT firewalls, from two NATed hosts.

So, what we have now is A and B talking directly to one another, with two firewalls doing all the heavy lifting and getting the packets to each other. Since we’re using UDP, we can route an protocol we want over UDP, such as IP, or TCP. UDP is the protocol of choice for this sort of tunneling as it won’t choke or stall trying to do all that nifty traffic management tricks that TCP would – and TCP is a terrible protocol to build tunnels over. You can do it, but things can go horribly wrong (we’ll cover that in another article).

So, what can you do now? Anything you like. Which is why you don’t want to let UDP out of your network. Tis a frightfully easy protocol to open your network up with.

continue reading.....

UDP is a connectionless protocol. As such, that means your firewall won’t be able to tell so easily what UDP packets it should, and shouldn’t, let into your network. For instance, its a trivial matter to create a bi-directional tunnel through any firewall, even a set of firewalls, using just UDP, unprivilged accounts, and fully NAT boxes on both ends. Impossible you say? Well, not with UDP it isn’t. Read on for more about this.

Basically, it works like this:

A -> NAT_A -> inet -> NAT_B -> B

A sends packets to NAT_B on some UDP port, preferably a high port so B can setup a listener with no priviliges on that high port, but it doesn’t have to be, the port could be anything. Lets say port 10000.

NAT_B will drop those packets, because its not listening for anything on that port. Just let A happily hammer away on that port. Meanwhile, have B send packets to NAT_A with a source port of 10000. NAT_A will accept those packets in and send them on A, because its already waiting for packets on that port, meanwhile, NAT_B, seeing UDP packets go out on its port 10000 will now allow in that steady stream from A. NAT_B will then send the packets on to B, and bingo! We have a bi-directional tunnel thru two NAT firewalls, from two NATed hosts.

So, what we have now is A and B talking directly to one another, with two firewalls doing all the heavy lifting and getting the packets to each other. Since we’re using UDP, we can route an protocol we want over UDP, such as IP, or TCP. UDP is the protocol of choice for this sort of tunneling as it won’t choke or stall trying to do all that nifty traffic management tricks that TCP would – and TCP is a terrible protocol to build tunnels over. You can do it, but things can go horribly wrong (we’ll cover that in another article).

So, what can you do now? Anything you like. Which is why you don’t want to let UDP out of your network. Tis a frightfully easy protocol to open your network up with.

continue reading.....

UDP is a connectionless protocol. As such, that means your firewall won’t be able to tell so easily what UDP packets it should, and shouldn’t, let into your network. For instance, its a trivial matter to create a bi-directional tunnel through any fir…

continue reading.....

UDP is a connectionless protocol. As such, that means your firewall won’t be able to tell so easily what UDP packets it should, and shouldn’t, let into your network. For instance, its a trivial matter to create a bi-directional tunnel through any firewall, even a set of firewalls, using just UDP, unprivilged accounts, and fully NAT boxes on both ends. Impossible you say? Well, not with UDP it isn’t. Read on for more about this.

Basically, it works like this:

A -> NAT_A -> inet -> NAT_B -> B

A sends packets to NAT_B on some UDP port, preferably a high port so B can setup a listener with no priviliges on that high port, but it doesn’t have to be, the port could be anything. Lets say port 10000.

NAT_B will drop those packets, because its not listening for anything on that port. Just let A happily hammer away on that port. Meanwhile, have B send packets to NAT_A with a source port of 10000. NAT_A will accept those packets in and send them on A, because its already waiting for packets on that port, meanwhile, NAT_B, seeing UDP packets go out on its port 10000 will now allow in that steady stream from A. NAT_B will then send the packets on to B, and bingo! We have a bi-directional tunnel thru two NAT firewalls, from two NATed hosts.

So, what we have now is A and B talking directly to one another, with two firewalls doing all the heavy lifting and getting the packets to each other. Since we’re using UDP, we can route an protocol we want over UDP, such as IP, or TCP. UDP is the protocol of choice for this sort of tunneling as it won’t choke or stall trying to do all that nifty traffic management tricks that TCP would – and TCP is a terrible protocol to build tunnels over. You can do it, but things can go horribly wrong (we’ll cover that in another article).

So, what can you do now? Anything you like. Which is why you don’t want to let UDP out of your network. Tis a frightfully easy protocol to open your network up with.

continue reading.....