| 1 |
> > > > If someone then argues about source IP spoofing, just let him. If |
| 2 |
> > > > someone in your organisation is able to do it, make him your |
| 3 |
> > > > network admin. |
| 4 |
> > > |
| 5 |
> > > You're right, access to the printer can be given only to certain |
| 6 |
> > > hosts. So simply using 'lpr file.pdf' on the remote machine |
| 7 |
> > > doesn't strike you as a bad idea? |
| 8 |
> > |
| 9 |
> > Might this be an opportunity to use 'port-knocking' ? |
| 10 |
> > |
| 11 |
> > http://www.linuxjournal.com/article/6811 |
| 12 |
> > |
| 13 |
> > just a thought, never really tried this before. |
| 14 |
> |
| 15 |
> port-knocking is the biggest load of fud (Microsoft products apart) I |
| 16 |
> have heard about in ages. The term snake-oil comes to mind, as |
| 17 |
> does "security by obscurity and obfuscation" which we all know is no |
| 18 |
> security at all. |
| 19 |
> |
| 20 |
> I don't care if the originating process knocks on the well known port |
| 21 |
> with gold plated gloves hand braided from the finest Unobtainium by |
| 22 |
> seductive alluring Puerto Rican virgins, the receiving machine still |
| 23 |
> has to open another port short thereafter. This is not a magic port and |
| 24 |
> is not wrapped in Star Trek's finest stealth cloak, it's a port that |
| 25 |
> does TCP/IP stuff. |
| 26 |
> |
| 27 |
> If the end process listening on the newly opened port is in any way |
| 28 |
> weak - and this is the only possible reason anyone would ever try the |
| 29 |
> port knocking workaround - it's just as weak when it's listening on an |
| 30 |
> obfuscated port number. If it's open, I can find it. If it's weak, I |
| 31 |
> can get in. Then it's game over, go home, I win. |
| 32 |
> |
| 33 |
> I've yet to hear positive things about port knocking from someone who |
| 34 |
> actually implemented it fully. In truth it's just a major pain in the |
| 35 |
> arse that makes the admin's life miserable and gives the boss a warm |
| 36 |
> fuzzy feeling based on hot air. |
| 37 |
> |
| 38 |
> End of rant. |
| 39 |
|
| 40 |
Well thank you for that. I had planned on setting up port knocking |
| 41 |
for ssh and cups but I guess I'm just as well off leaving them |
| 42 |
listening on 22 and 631? |
| 43 |
|
| 44 |
As for printing from lpr to cups across the internet, I should be |
| 45 |
encrypting that data shouldn't I? Nothing too sensitive but it sounds |
| 46 |
like a good thing to do. It looks like cups can use ssl but I don't |
| 47 |
see any mention of it in man lpr. |
| 48 |
|
| 49 |
- Grant |
| 50 |
-- |
| 51 |
gentoo-user@l.g.o mailing list |
Archives