Thank you for your kind words, they are much appreciated! I am glad the article is of interest to you.
The article you link to is indeed most interesting. It is true that the advice I endeavored to outline here, while good for a start, certainly should not be considered as the ultimate in security for state secrets and it would be dangerous to enable SSH on all secure servers, even by using a strong key-based authentication mechanism.
The article you mention, however, mostly mentions misuse of SSH tunnels by users who forget that, even though SSH encrypts the connection between two machines, it does create a connection. In this regard, linking a secure server to an insecure server, no matter how strong the channel is, still opens up ways for an attacker already "owning" the insecure server to crawl its way up into the secure zone of your network (if I am permitted to use such an image).
The advice outlined there certainly is not to be downplayed. It remains however (at least in this part of the series) focused on one problem that has much to do with carefree port forwarding.
FJ
I return often . . .
2009-02-12 04:41:59
rbannon@mac.com
Yes, I'm back once again. This time however, I am trying to reconfigure my five year old machine to accept ssh (sftp) traffic after updating to Mac OS X 10.5. All seems well, but this time I am seeing some strange entries in my appfirewall.log, and it reads, "Feb 11 08:21:12 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 220.225.110.237:39098 uid = 0 proto=6". Not just one entry, but repeated and persistent entries coming from multiple IPs. Yikes!
I don't recall this happening under 10.4 and I believe it's the same configuration as outlined in this tutorial.
Should I be concerned? I've turned off ssh for now, but would like to turn it back on. Any advice?
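The log line quoted in the post has a fixed shape, so the natural first check is to tally how many times each remote address has been allowed to reach sshd-keygen-wrapper and see which ones keep coming back. The following is an added example, not code from the thread or from Apple: it parses that appfirewall.log format, counts allowed SSH connections per source address, and flags the addresses that exceed a threshold. The sample log is constructed for the example (the first line is the one quoted above, the rest use documentation-range addresses), and the threshold value is an assumption to tune for your own host.

```python
import re
from collections import Counter

# One entry in the Mac OS X 10.5 application-firewall log, in the form quoted in the post:
#   Feb 11 08:21:12 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 220.225.110.237:39098 uid = 0 proto=6
LINE_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) Firewall\[\d+\]: '
    r'(?P<action>Allow|Deny) (?P<proc>\S+) connecting from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) uid = (?P<uid>\d+) proto=(?P<proto>\d+)$'
)

# Constructed sample log: line 1 is the entry quoted in the post; the others are made up
# (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges) to show repeat sources,
# an unrelated process, and a Deny entry that should not be counted.
SAMPLE_LOG = """\
Feb 11 08:21:12 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 220.225.110.237:39098 uid = 0 proto=6
Feb 11 08:21:15 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 220.225.110.237:39104 uid = 0 proto=6
Feb 11 08:21:19 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 220.225.110.237:39111 uid = 0 proto=6
Feb 11 08:22:01 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 192.0.2.10:51022 uid = 0 proto=6
Feb 11 08:22:03 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 192.0.2.10:51030 uid = 0 proto=6
Feb 11 08:23:40 beelzebub Firewall[57]: Allow sshd-keygen-wrapper connecting from 198.51.100.7:40001 uid = 0 proto=6
Feb 11 08:24:00 beelzebub Firewall[57]: Allow cupsd connecting from 192.0.2.10:51050 uid = 0 proto=6
Feb 11 08:24:05 beelzebub Firewall[57]: Deny sshd-keygen-wrapper connecting from 192.0.2.10:51060 uid = 0 proto=6
"""


def parse_line(line):
    """Return a dict of fields for one firewall log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ('port', 'uid', 'proto'):
        rec[key] = int(rec[key])
    return rec


def count_by_source(lines, proc='sshd-keygen-wrapper'):
    """Count 'Allow' entries for the given process, keyed by remote IP address."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec['action'] == 'Allow' and rec['proc'] == proc:
            counts[rec['ip']] += 1
    return counts


def flag_repeat_sources(lines, threshold=3, proc='sshd-keygen-wrapper'):
    """Return the sorted list of source IPs allowed at least `threshold` times (threshold is an assumed value)."""
    counts = count_by_source(lines, proc)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == '__main__':
    lines = SAMPLE_LOG.splitlines()
    for ip, n in count_by_source(lines).most_common():
        print(f'{ip:>16}  {n} allowed connection(s) to sshd-keygen-wrapper')
    print('repeat sources:', flag_repeat_sources(lines))
```

Run it against the real file with `python3 script.py < /var/log/appfirewall.log` after swapping the sample for `sys.stdin`; an address that shows up dozens of times within minutes is the pattern the post describes, and the per-address counts are what you would want before deciding whether to restrict the service to known networks or keep it off.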
I return often . . .
2007-01-21 20:23:15
rbannon@mac.com
Alright, /. has a new (01/20/2007) piece on SHA-1 data encryption scheme and how a Chinese researcher has cracked the method wide open. Maybe old news, but is anyone willing to share their thoughts with regards to Apple's use of OpenSSH and how it might be improved?