From: Stuart Barkley <stuartb@4gh.net>
To: freebsd-security@freebsd.org
Date: Sat, 24 Dec 2011 16:21:06 -0500 (EST)
Subject: Re: Merry Christmas from the FreeBSD Security Team
References: <4EF4A120.1000305@freebsd.org> <20111223195713.GA61589@server.vk2pj.dyndns.org>
List: freebsd-security@freebsd.org ("Security issues [members-only posting]")

On 12/23/11, Peter Jeremy wrote:
> I thought everyone had but an acquaintance explained that he has to
> run telnet because his employer doesn't permit any encrypted outside
> access so the employer can monitor all traffic.

It is possible to run ssh on port 23. This can be a good way to run a
"more secure telnet" service. This might not work if the firewall does
deep packet inspection on the telnet traffic. As usual, be cautious in
doing this.

On Fri, 23 Dec 2011 at 17:12 -0000, Oliver Pinter wrote:
> The solution for this situation is BalaBit SCB.
>
> http://www.balabit.com/network-security/scb

This had me scared for a bit, but it looks like an interesting box. It
seems intended to control/audit/log ssh (and other protocol)
administrative access to systems you own and control.

It can play man-in-the-middle if you are willing to give it your host
private keys. It looks like it can also man-in-the-middle if you accept
its own host keys (e.g. don't already have the host public key or don't
verify the fingerprint on a new public key). In other modes of
operation you know you are connecting to this device and it then
forwards the connection on to the remote systems.

It could probably be abused to be used on outgoing connections, but I
doubt it has the necessary capacity for large traffic volumes. Since
outside systems shouldn't give out their private keys, it should be
obvious if something like this is in use.

Stuart Barkley
--
I've never been lost; I was once bewildered for three days, but never lost!
-- Daniel Boone
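Two points in the message above lend themselves to a concrete illustration: why "ssh on port 23" does not survive deep packet inspection, and why a man-in-the-middle box such as the one described is only invisible to a client that never verifies host keys. The following is an added example written for this page; it is not code from the thread, from FreeBSD or from BalaBit. Part 1 looks at the first bytes a server sends: RFC 4253 requires an SSH server to begin with a plaintext identification string "SSH-2.0-...", whereas a telnet server begins with IAC (0xFF) option negotiation, so a DPI box can tell the two apart from the first packet regardless of the port number. Part 2 models the client side of host key verification: it computes OpenSSH-style SHA256 fingerprints, pins them from known_hosts-format lines, and shows that a proxy presenting its own key is caught only if the genuine key was pinned beforehand. All sample greetings, hostnames and key bytes are constructed for the example (the 32-byte "keys" are filler, not real Ed25519 key material), and the function names are this example's own.

```python
"""Added example (not from the original thread or any project named in it).

Part 1: distinguish an SSH server from a telnet server on TCP/23 by the
        first bytes it sends, the way a DPI box would.
Part 2: pin SSH host key fingerprints and detect a proxy that presents
        its own host key instead of the genuine one.
"""
import base64
import hashlib
import struct

# ---------------------------------------------------------------------------
# Part 1: the server greeting gives the protocol away, whatever the port.
# ---------------------------------------------------------------------------
IAC = 0xFF  # telnet "Interpret As Command" byte that opens option negotiation


def classify_greeting(first_bytes: bytes) -> str:
    """Classify a server's opening bytes as 'ssh', 'telnet' or 'unknown'.

    RFC 4253 section 4.2: the SSH identification string is sent in the clear
    before any key exchange, so an sshd on port 23 still announces itself.
    """
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[:1] == bytes([IAC]):
        return "telnet"
    return "unknown"


# Constructed samples of what a sniffer would see at the start of each stream.
SAMPLE_SSH_GREETING = b"SSH-2.0-OpenSSH_example\r\n"          # constructed
SAMPLE_TELNET_GREETING = b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23"  # IAC DO ...

# ---------------------------------------------------------------------------
# Part 2: host key pinning, and what a MITM box looks like to the client.
# ---------------------------------------------------------------------------


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(pubkey32: bytes) -> bytes:
    """Encode a 32-byte Ed25519 public key in OpenSSH wire format (RFC 8709)."""
    assert len(pubkey32) == 32
    return ssh_string(b"ssh-ed25519") + ssh_string(pubkey32)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob).

    Same format as printed by `ssh-keygen -lf` and in ssh's host key prompt.
    """
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def known_hosts_line(host: str, blob: bytes) -> str:
    """Render one plain (unhashed-hostname) known_hosts line."""
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


def parse_known_hosts(text: str) -> dict[str, str]:
    """Map hostname -> pinned fingerprint from plain known_hosts lines."""
    pinned: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, b64 = line.split()[:3]
        pinned[host] = fingerprint(base64.b64decode(b64))
    return pinned


def check_host_key(host: str, presented_blob: bytes, pinned: dict[str, str]) -> str:
    """Return 'ok', 'MISMATCH' or 'unknown-host' for the key a server presents.

    'unknown-host' is the dangerous case: a client that accepts the key on
    first use (trust-on-first-use) would pin the proxy's key, and the proxy
    would then look genuine on every later connection.
    """
    expected = pinned.get(host)
    if expected is None:
        return "unknown-host"
    return "ok" if fingerprint(presented_blob) == expected else "MISMATCH"


# Constructed key material: filler bytes, not real keys.
GENUINE_BLOB = make_ed25519_blob(bytes(range(32)))
PROXY_BLOB = make_ed25519_blob(bytes(range(32, 64)))
PINNED = parse_known_hosts(known_hosts_line("server.example", GENUINE_BLOB))

if __name__ == "__main__":
    print("port 23 greeting:", classify_greeting(SAMPLE_SSH_GREETING))
    print("genuine key:", check_host_key("server.example", GENUINE_BLOB, PINNED))
    print("proxy key:  ", check_host_key("server.example", PROXY_BLOB, PINNED))
    print("first visit:", check_host_key("other.example", PROXY_BLOB, PINNED))
```

The practical consequence of Part 2 for the situation in the thread: if the administrator had recorded the genuine fingerprint (for example by comparing the key in `known_hosts` with `ssh-keygen -lf` run on the server's own host key file) and the client refuses a mismatch rather than prompting, an interposed box that presents its own host key is detected on the first connection; only a box holding the server's real private key, or a client that accepted an unverified key on first use, goes unnoticed.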