[<prev] [next>] [day] [month] [year] [list]
Message-ID: <F5F7636A73726E46B073BE8DA062352816CE7E@ex1.uk.psinet-europe.com>
From: Robert.Moss at psinet.telstra.co.uk (Robert Moss)
Subject: Re: Re: open telnet port
Hi Peoples,
I've been following this thread, and there are some really good
examples of how to set up secure backup access.. Here is a way that I
have used in the past:
Usually I would use a Cisco console server (2511 with 16 async serial
ports, 2600 with AS32 async serial ports), which provides reverse telnet
(this has already been covered).
Alternatively, you could set up a simple unix server with a multiport
serial board and connect that up to each servers' serial/console port.
Lastly, in the case of a small server network of say 6 or less servers,
you can attatch null modem cables between each pair of servers, and fire
up mgetty/getty on the serial port for the server(s) that you are
working on. This provides a reasonably secure backup method of
connecting. Keeping in mind that serial ports can be sniffed just as
easily as a telnet session, but with the provision that someone needs
physical access to the server(s) or a shell with priveledges for
connecting to the serial port device.
There are some things that I consider reasonably obvious that I will
omit here, ask for more details
Cheers
Robert Moss.
-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Andrew
Haninger
Sent: 09 September 2004 21:46
To: Gary E. Miller
Cc: full-disclosure@...ts.netsys.com
Subject: Re: [Full-Disclosure] Re: Re: open telnet port
> Yo Andrew!
... Right.
> Then you update OpenSSL and it crashes all the ssh processes at the
> same time. Been, there, done that.
Thanks a lot.
After your suggestion that it couldn't be done, I tried it. While it
took thinking, I could have done it had I not killall'ed my sshd's
without changing the paths in my "restart-sshd" cron job to reflect the
new location of sshd. :-/
Well, on the bright side, this will encourage me to make my script such
that it restarts sshd from either location. (/usr/sbin, where Slackware
puts it, or /usr/local/sbin, where the OpenSSH "make install" script
puts it).
Anyway, this would also be a solution. I have a shell script that checks
for ssh to be running on a couple ports*. If it isn't running, the
script starts it. I then placed this script into /etc/cron.hourly.
So, if I had it scripted correctly, I could install a new version of
libssl, install a new version of sshd, kill all running sshd's and then
wait about an hour for my system to start them back up.
*Actually, it runs nmap on, say, port 22. If there's no response, it
considers sshd not to be running. Someone could fool it by running some
other program on that port, but this is sufficient for me on a NAT'ed
machine at home on a cable connection.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists