
New Blackberry Curve

PostPosted:Thu Dec 11, 2008 11:07 pm
by SineSwiper

PostPosted:Fri Dec 12, 2008 10:06 am
by Zeus
To those of us not programming nerds, what is SSH?

PostPosted:Fri Dec 12, 2008 10:25 am
by Flip
Speaking of which, I've had my Pearl for about a year now and continue to love it. If I ever needed a new phone, I would probably go with the Bold... for some reason I have no desire to ever get a touch screen phone.

PostPosted:Fri Dec 12, 2008 10:32 am
by Julius Seeker
Zeus wrote:To those of us not programming nerds, what is SSH?
Secure Shell, which essentially allows a secure Telnet-style interface using a remote device. This version is for J2ME devices in particular.

PostPosted:Fri Dec 12, 2008 11:12 am
by Imakeholesinu
It is mostly used for remote access to a linux box's command line.

PostPosted:Fri Dec 12, 2008 12:09 pm
by Shellie
I love my Instinct, but the Blackberry is more established of a platform and has a ton more applications, etc for it.

PostPosted:Fri Dec 12, 2008 1:11 pm
by Julius Seeker
On a side note, I also have a Blackberry Curve, but I haven't used it since I got my N93.

PostPosted:Fri Dec 12, 2008 5:07 pm
by Zeus
So it's just a script which allows you to use your Curve to remotely control a Linux-based (or J2ME) device? What's the percentage of people that would use this? 0.05%?

I'm not being an ass, I'm actually asking an honest question. I may just be misunderstanding the use of such an option.

PostPosted:Fri Dec 12, 2008 5:32 pm
by Kupek
To people who deal with computers for a living, from system administrators to programmers, ssh is to them as a phone is to a telemarketer. The first thing I do when I get into the office in the morning is ssh into the head node to our cluster, and from that prompt I get my work done for the rest of the day.

Also, it's for a J2ME device, it's not for logging into one. Keep in mind that Seeker probably doesn't actually know what he's talking about, so his copy-pasted explanation is awkward.

PostPosted:Fri Dec 12, 2008 5:47 pm
by Tessian
I'm fully aware of what SSH does and how it's useful, but like Zeus I still fail to see how this is all that useful.

IT in businesses would have the most to gain... but if your company's security policies are worth their weight in toilet paper there's no way in hell you'd be able to use this during work. The Blackberry's sitting on the internet, how the hell are you getting SSH access to your servers inside your company's network? If the server's ON the internet then your system is pretty much guaranteed to already be compromised. The only option is through a VPN tunnel but as far as I know Blackberry isn't supported on most leading corporate VPN solutions (I know for a fact Juniper doesn't support it, and I doubt Cisco does either).

So maybe Sine can use this to admin the Shrine server, but how is this worthwhile for corporate IT?

PostPosted:Fri Dec 12, 2008 6:01 pm
by Kupek
If the server's ON the internet then your system is pretty much guaranteed to already be compromised.
Wrong. All of our computers are visible to the outside world - our desktops, file servers and experimental clusters. I've used DOE resources that only required an ssh login - getting that login and maintaining the passwords for that account were a pain in the ass, but it was on the internet. As are some computing resources we're using in Barcelona, Spain. I guarantee you that the DOE supercomputers that I've used are not compromised.

Our resources are visible to the world because if they weren't, they'd be useless. Companies don't put their resources on the internet because it's not needed - most people who are going to use it will be physically in the building, and those that won't can deal with VPNs. There is some risk with making a server visible to the world, and in the case where most people are going to be in the same physical location, it's not worth taking it.

Also keep in mind where Sine works: an ISP. I'm going to guess that some (most?) of the servers he deals with everyday, by definition of their jobs, have to be public to the internet.

PostPosted:Fri Dec 12, 2008 9:45 pm
by SineSwiper
Zeus wrote:So it's just a script which allows you to use your Curve to remotely control a Linux-based (or J2ME) device? What's the percentage of people that would use this? 0.05%?

I'm not being an ass, I'm actually asking an honest question. I may just be misunderstanding the use of such an option.
It means that right now, as I type on my BlackBerry, I can reboot the web server, or log into MySQL and change every instance of the word "Zeus" to "poopyhead"...all while I "enjoy" this company Christmas party.

PostPosted:Sat Dec 13, 2008 1:13 am
by Tessian
Kupek wrote:
If the server's ON the internet then your system is pretty much guaranteed to already be compromised.
Wrong. All of our computers are visible to the outside world - our desktops, file servers and experimental clusters. I've used DOE resources that only required an ssh login - getting that login and maintaining the passwords for that account were a pain in the ass, but it was on the internet. As are some computing resources we're using in Barcelona, Spain. I guarantee you that the DOE supercomputers that I've used are not compromised.

Our resources are visible to the world because if they weren't, they'd be useless. Companies don't put their resources on the internet because it's not needed - most people who are going to use it will be physically in the building, and those that won't can deal with VPNs. There is some risk with making a server visible to the world, and in the case where most people are going to be in the same physical location, it's not worth taking it.

Also keep in mind where Sine works: an ISP. I'm going to guess that some (most?) of the servers he deals with everyday, by definition of their jobs, have to be public to the internet.
Wrong. Obviously there are exceptions to this rule as to whatever you're talking about with the DOE (still don't see why a desktop would EVER need an internet presence but whatever), but if you put a server on the internet you only open up the ports it requires in order to complete its purpose for being ON the internet. For example: Web server would normally only have 80 and 443 open (HTTP/HTTPS). While SSH would be used to administer it, this would be a port only open to the internal company network, NOT the internet. Administration of ANY internet server should be done via the internal network (or remotely through a VPN) unless there are some other decent compensating controls in place such as an ACL put on the access to SSH. Sure you have to trade off some convenience for security, but there are way too many exploits out these days for SSH, Apache, PHP, etc in the wild to take such an unnecessary risk as putting it out on the internet just so your admin doesn't need to VPN in.
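
An added illustration of the port-exposure model described in the post above (this is not code from the thread): a minimal first-match packet filter in Python, with a constructed ruleset that exposes 80 and 443 to everyone but answers on 22 only from an assumed internal range (10.0.0.0/8, a hypothetical choice), plus a check that lists which ports an external client can actually reach, which is the list an auditor would ask you to justify. All addresses and rules are made up for the example.

```python
"""Minimal first-match packet filter, modelling the ACL described in the post:
80/443 open to everyone, 22 reachable only from the internal network,
everything else dropped.  Added example; rules and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    port: Optional[int]    # None matches any TCP port
    source: str            # CIDR the client must come from


# Constructed ruleset for a public web server; first match wins, default deny.
# 10.0.0.0/8 is assumed to be the company's internal network.
WEB_SERVER_RULES: List[Rule] = [
    Rule("allow", 80, "0.0.0.0/0"),       # HTTP from anywhere
    Rule("allow", 443, "0.0.0.0/0"),      # HTTPS from anywhere
    Rule("allow", 22, "10.0.0.0/8"),      # SSH only from the internal network
    Rule("deny", None, "0.0.0.0/0"),      # everything else is dropped
]


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> str:
    """Return "allow" or "deny" for a TCP connection attempt (first match wins)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.port is not None and r.port != dst_port:
            continue
        if src in ipaddress.ip_network(r.source, strict=False):
            return r.action
    return "deny"   # implicit default deny when nothing matched


def internet_exposed_ports(rules: List[Rule], probe_ip: str = "198.51.100.7") -> List[int]:
    """Ports a random external client can reach.

    The probe address is from TEST-NET-2, i.e. not inside any internal range,
    so whatever it can reach is what the whole internet can reach.
    """
    ports = sorted({r.port for r in rules if r.port is not None})
    return [p for p in ports if evaluate(rules, probe_ip, p) == "allow"]


if __name__ == "__main__":
    print("external -> 22:", evaluate(WEB_SERVER_RULES, "198.51.100.7", 22))
    print("internal -> 22:", evaluate(WEB_SERVER_RULES, "10.20.30.40", 22))
    print("ports open to the internet:", internet_exposed_ports(WEB_SERVER_RULES))
```

The evaluator is deliberately source-based only; a real filter would also track connection state and direction. The point it makes is the one in the post: the administrative port can stay open to the people who need it without ever appearing in the externally reachable list.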

PostPosted:Sat Dec 13, 2008 4:23 am
by bovine
is this thread about trains yet?

PostPosted:Sat Dec 13, 2008 8:24 am
by Zeus
SineSwiper wrote:
Zeus wrote:So it's just a script which allows you to use your Curve to remotely control a Linux-based (or J2ME) device? What's the percentage of people that would use this? 0.05%?

I'm not being an ass, I'm actually asking an honest question. I may just be misunderstanding the use of such an option.
It means that right now, as I type on my BlackBerry, I can reboot the web server, or log into MySQL and change every instance of the word "Zeus" to "poopyhead"...all while I "enjoy" this company Christmas party.
Question still wasn't answered :-)

PostPosted:Sat Dec 13, 2008 9:29 am
by Kupek
Tessian, I don't think you understand how I, and others like me, use computers. Remotely logging in is how we get work done. My desktop is on the internet so that I can use it. It allows me to use it for work from anywhere. You open up port 22 (which is used by ssh), and that's it. All other ports are closed - I'm not running a webserver on it.

I administer our computers using ssh, but that's only 5% of the time. The other 95% of the time, I use ssh to get my work done.

These are primarily computing resources. They exist for people to log into them and get work done. Your claim that a computer visible to the internet is guaranteed to be compromised is wrong. Almost every single machine I use during a day is visible to the outside world, and they're not compromised. Lots of people try - our logs are filled with attempts - but they don't get in.
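
Kupek's "logs are filled with attempts" is the signal a detection engineer actually watches on an internet-facing sshd. The following is an added example, not anything posted in the thread: it parses constructed sshd lines in the Linux auth.log format, counts failed logins per source address, raises an alert once a source crosses a threshold, and separately flags the case that matters most, a successful login from an address that had just been failing. The hostname, user names and addresses are made up (documentation address ranges).

```python
"""Brute-force and suspicious-success detection over sshd auth log lines.
Added example; the log lines below are constructed, not real records."""
import re
from collections import Counter, defaultdict

# Matches both "Failed password for invalid user admin from 203.0.113.9 port 51822 ssh2"
# and "Accepted publickey for alice from 192.0.2.55 port 40110 ssh2".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: hypothetical host "host1", made-up users and addresses.
SAMPLE_LOG = """
Dec 13 09:01:12 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.9 port 51822 ssh2
Dec 13 09:01:15 host1 sshd[1203]: Failed password for root from 203.0.113.9 port 51830 ssh2
Dec 13 09:01:18 host1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.9 port 51841 ssh2
Dec 13 09:01:20 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
Dec 13 09:01:21 host1 sshd[1207]: Failed password for invalid user test from 203.0.113.9 port 51850 ssh2
Dec 13 09:01:24 host1 sshd[1209]: Failed password for root from 203.0.113.9 port 51862 ssh2
Dec 13 09:01:27 host1 sshd[1211]: Failed password for invalid user guest from 203.0.113.9 port 51870 ssh2
Dec 13 09:02:02 host1 sshd[1250]: Failed password for bob from 198.51.100.20 port 40002 ssh2
Dec 13 09:02:09 host1 sshd[1252]: Failed password for bob from 198.51.100.20 port 40004 ssh2
Dec 13 09:02:15 host1 sshd[1254]: Accepted password for bob from 198.51.100.20 port 40006 ssh2
Dec 13 09:02:40 host1 sshd[1300]: Accepted publickey for alice from 192.0.2.55 port 40110 ssh2
""".strip().splitlines()


def parse(line):
    """Return a dict for an sshd authentication event, or None for any other line."""
    m = SSHD_RE.search(line)
    if not m:
        return None
    return {
        "result": m["result"],                    # "Failed" or "Accepted"
        "method": m["method"],                    # "password", "publickey", ...
        "user": m["user"],
        "invalid_user": m["invalid"] is not None, # account does not even exist
        "ip": m["ip"],
    }


def analyze(lines, threshold=5):
    """Count failures per source IP and emit alerts.

    brute_force:            a source reached `threshold` failures (fired once)
    success_after_failures: a source that had been failing then got in; on an
                            internet-facing sshd this is the alert to act on first
    """
    failures = Counter()
    users_tried = defaultdict(set)
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
            if failures[ip] == threshold:
                alerts.append({"type": "brute_force", "ip": ip,
                               "users": sorted(users_tried[ip])})
        elif failures[ip] > 0:
            alerts.append({"type": "success_after_failures", "ip": ip,
                           "user": ev["user"], "method": ev["method"],
                           "prior_failures": failures[ip]})
    return {"failures": dict(failures), "alerts": alerts}


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)["alerts"]:
        print(alert)
```

Two things worth noting from the sample: the scanner at 203.0.113.9 never succeeds, which is the normal noise on port 22, while bob's login after two failures is a human typo or a guessed password, and only the "method" field tells you which is plausible. Key-only authentication turns the whole "Failed password" class into something you can simply block at the source.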

PostPosted:Sat Dec 13, 2008 10:57 am
by Tessian
Kupek wrote:Your claim that a computer visible to the internet is guaranteed to be compromised is wrong.
I never made such a claim, it's all about risk. A device is at much greater risk being on the internet like that, but as long as your company knows that, has mitigating factors (HIDS, NIDS, ACLs, etc.) and accepts that risk then it's alright. I am an Information Security Analyst, this is what my job's all about: calculating risk and mitigating it. I've just been saying that in my professional analysis I would never find it acceptable to open up SSH on a server to the internet for people to work; that's what a VPN is for.

Out of curiosity now, why in the world does your stuff need to be directly accessible from the internet? Why is an IPSEC/SSL VPN an unacceptable alternative? You definitely have a need to access that stuff remotely, as does almost any company, but most meet that need with a VPN for their employees, not by putting all their systems directly on the internet.

I definitely understand the uses of SSH and it's extremely popular, but why would you have 100+ workstations all on the internet with SSH open when instead you can have 1 hardened VPN appliance on the internet with HTTPS/IPSEC open that grants access to their workstations on SSH? It's still reachable anywhere and it's a single device to secure, not 100. That's what I'm not understanding; the existing technology out there to grant remote access would work just as well in this case, so why needlessly increase your risk? I don't see any additional benefit here.

PostPosted:Sat Dec 13, 2008 12:18 pm
by Imakeholesinu
Tessian wrote:I'm fully aware of what SSH does and how it's useful, but like Zeus I still fail to see how this is all that useful.

IT in businesses would have the most to gain... but if your company's security policies are worth their weight in toilet paper there's no way in hell you'd be able to use this during work. The Blackberry's sitting on the internet, how the hell are you getting SSH access to your servers inside your company's network? If the server's ON the internet then your system is pretty much guaranteed to already be compromised. The only option is through a VPN tunnel but as far as I know Blackberry isn't supported on most leading corporate VPN solutions (I know for a fact Juniper doesn't support it, and I doubt Cisco does either).

So maybe Sine can use this to admin the Shrine server, but how is this worthwhile for corporate IT?
Cisco has a client for Blackberry VPN. A quick google search confirms this. All you would have to do is download the VPN client to the phone and then the phone can have access to the network desired. That is just as secure as someone running into a Starbucks and getting on the wireless there and starting a VPN connection or starting a VPN connection from their home.

Many of my co-workers do this especially if they get calls during lunch. Saves them from having to run back to the office to take care of something.
Kupek wrote:Tessian, I don't think you understand how I, and others like me, use computers. Remotely logging in is how we get work done. My desktop is on the internet so that I can use it. It allows me to use it for work from anywhere. You open up port 22 (which is used by ssh), and that's it. All other ports are closed - I'm not running a webserver on it.

I administer our computers using ssh, but that's only 5% of the time. The other 95% of the time, I use ssh to get my work done.

These are primarily computing resources. They exist for people to log into them and get work done. Your claim that a computer visible to the internet is guaranteed to be compromised is wrong. Almost every single machine I use during a day is visible to the outside world, and they're not compromised. Lots of people try - our logs are filled with attempts - but they don't get in.
Kupek is 100% spot on here.

Remote login is how I get 100% of my calls done inside and outside of the time I'm in the office. If I did not have a VPN or Citrix via Secure Gateway/SSL site access into my network, I would have to drive to the datacenter, hook up a dongle to said computer in question, and use Raritan or Avocent KVM systems to troubleshoot the problem. Not only that, but if I did not have access to a fileserver where I could store tools and updates for software and that server did not have access to that, then I would be constantly burning software to disc. Not having a remote login solution, especially away from the office, is purely idiotic today.

If I didn't have RDP access to my entire environment then I would not be able to do any of my daily checks and tickets that call for changes to be made on servers. I would not be able to delete files to free up disk space. I can login to my network from my Windows Mobile device if I so saw fit but windows is more designed to be administered from a desktop or laptop and not a 2.5" screen on a phone. SSH is a whole different creature especially on a blackberry.

PostPosted:Sat Dec 13, 2008 12:19 pm
by SineSwiper
Tessian wrote:I definitely understand the uses of SSH and it's extremely popular, but why would you have 100+ workstations all on the internet with SSH open when instead you can have 1 hardened VPN appliance on the internet with HTTPS/IPSEC open that grants access to their workstations on SSH? It's still reachable anywhere and it's a single device to secure, not 100. That's what I'm not understanding; the existing technology out there to grant remote access would work just as well in this case, so why needlessly increase your risk? I don't see any additional benefit here.
What's the difference? Both grant you access to the internal network. Both use encrypted channels to access the servers. Both have been around for years. Both have the potential for getting broken into, if they aren't patched periodically.

VPNs are mainly used for Windows machines, and SSH is mainly used for UNIX machines. From a SSH client, I can still do just as much as a VPN, including SSH tunnels for direct access to different networks. Though, if I need to go from a public Internet PC to a private server inside the firewall, I could just log into an SSH public server on that network, and from there, SSH to the private server.

This is generally how the UNIX world works. Yes, you could have a VPN server to gain access to the corporate network, but you're just going to SSH to the server after you VPN, anyway. As far as a more public model with 100 of servers, instead of a DMZ firewall model, both are valid and work fine, as long as you patch regularly.

You shouldn't rely on your DMZ model to hide any security holes in your other servers, as they should ALL be secure and properly patched. If somebody hacks into the VPN, you're still fucked. If somebody from the inside hacks into another server, you're also fucked. (Nine out of ten robberies are done by former or current employees. I imagine the same is true for network break-ins.)

PostPosted:Sat Dec 13, 2008 1:04 pm
by Tessian
Geez... alright

Barret: I was unaware there is a Blackberry client for Cisco's IPSEC VPN, that's pretty cool. I have only largely worked with Juniper SSL VPNs and I know they do not (but they do support Windows Mobile). However, in the 2nd part of your post you say Kupek's 100% correct, yet you start talking about how you do this through remote access on a VPN (SSL Gateway = VPN), which was MY point not Kupek's. His shit is directly on the internet, there is no VPN in the middle. I totally agree with what you said, I never said VPNs weren't necessary, they're vital these days.

Sine: You're wrong. VPNs are IN NO WAY OS specific! That's just flat out wrong. SSH is to RDP if you really want to make a comparison, SSH is not to VPN. Are SSH tunnels and SSL VPN tunnels similar? Very. But VPNs are a lot better protected, flexible, and powerful than SSH is alone.

Nobody EVER said you use a DMZ model to hide security holes; any company with a semi-competent security program regularly scans for and patches vulnerabilities both internally and externally. The reason FOR a DMZ is that IF that server gets compromised at least it's still restricted to what it can reach on the internal network.

If one of your 100 servers on the internet gets compromised your internal network is fucked. If all your internet systems are inside a DMZ that is properly ACLed then you are at a much lower risk. As I said: IT'S ALL ABOUT RISK. What's less risky and easier to maintain? 1 VPN server on the internet, or 100 servers on the internet? You have to keep them all secure and patched yes, but the risk of exposure and compromise is much less.

You also can't try to argue that a VPN is as vulnerable as a regular server running SSH. A VPN appliance (assuming you bought a good one) is specifically designed with this in mind. Its whole purpose is to provide a secure gateway into your network and is MUCH more hardened than any normal Unix server. The only way to compromise a VPN is to either a) attack a vulnerability in its transport mechanism such as middle-manning the SSL connection, or b) having a crappy VPN admin who didn't properly secure it.

Most of this is moot, however, because if your company handles credit card transactions (and I can assume that an ISP would do this) then you MUST be certified by PCI-DSS. PCI is the set of 12 security controls that the credit card industry has said you MUST adhere to in order to do business with them. I've been through the process many times at this point and there are many rules that are hard set that would require this:
1) Any and all ports open to the internet have to be justified
2) All remote access must have 2 factor authentication (the 3 factors of authentication are: Something you know, something you have, something you are)
3) All systems on the internet must be secured in a DMZ with both ingress and egress ACLs

Those are the 3 I can remember off hand... so unless you actually do require 2 factor authentication on all the servers running SSH AND you have all those servers in a DMZ you're out of compliance with PCI and such a violation can ruin any business. If your company isn't PCI certified yet they are either a) working towards it now, or b) getting fined on a regular basis (or of course just not handling any credit cards). So you can argue with me the merits of VPN vs SSH sitting on the internet, but in the end you don't have a choice anymore if you want to do business. It's always easier for me to secure ONE gateway into my company than 100.
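
The second factor Tessian lists ("something you have") is in practice usually a time-based one-time code. The following is an added example, not code from the thread or from any product mentioned in it: RFC 6238 TOTP built on HOTP (RFC 4226) with the Python standard library, and a verifier that tolerates one step of clock drift, compares every candidate in constant time, and refuses a code once it has been accepted, since a code is otherwise replayable for the rest of its window. The seed shown is the RFCs' published test vector, not a real secret, and the single-user `last_counter` handling stands in for whatever per-user store a real PAM module or login gateway would use.

```python
"""TOTP (RFC 6238) over HOTP (RFC 4226) with the standard library only.
Added example; the seed below is the RFCs' published test vector, not a real secret."""
import base64
import hashlib
import hmac
import struct
from typing import Optional

# RFC 4226 / RFC 6238 test seed (ASCII "12345678901234567890"), written in
# base32 the way an authenticator app would store it.
TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_base32(b32: str) -> bytes:
    """Decode an authenticator-style base32 secret (tolerates spaces, lowercase, no padding)."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, modulo 10^digits."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                             # low nibble of last byte
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter = Unix time divided by the step (default 30 s)."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6) -> Optional[int]:
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts `window` steps of drift either side of `at`.  Every candidate is
    checked (no early exit) and compared in constant time.  A counter at or
    below `last_counter` is refused: without that, a captured code can be
    replayed for the rest of its window.  The caller persists the returned
    counter per user and passes it back as `last_counter` next time.
    """
    if len(code) != digits or not code.isdigit():
        return None
    matched = None
    base = at // step
    for counter in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            matched = counter
    if matched is None or matched <= last_counter:
        return None
    return matched


if __name__ == "__main__":
    seed = secret_from_base32(TEST_SEED_B32)
    # RFC 6238 vectors: 287082, 081804, 005924 (6-digit, SHA-1)
    print(totp(seed, 59), totp(seed, 1111111109), totp(seed, 1234567890))
    print("accepted counter:", verify_totp(seed, totp(seed, 59), 59))
```

The replay check is the part most home-grown implementations skip: with a 30-second step and a one-step window, an accepted code stays valid for up to 90 seconds unless the counter it matched is recorded and refused afterwards. On a login gateway the password check and this check should both be evaluated before either result is reported, so a failure does not reveal which factor was wrong.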

PostPosted:Sat Dec 13, 2008 3:32 pm
by Imakeholesinu
Tessian wrote:
Barret: I was unaware there is a Blackberry client for Cisco's IPSEC VPN, that's pretty cool. I have only largely worked with Juniper SSL VPNs and I know they do not (but they do support Windows Mobile). However, in the 2nd part of your post you say Kupek's 100% correct, yet you start talking about how you do this through remote access on a VPN (SSL Gateway = VPN), which was MY point not Kupek's. His shit is directly on the internet, there is no VPN in the middle. I totally agree with what you said, I never said VPNs weren't necessary, they're vital these days.
I think Kupek was referring to his workstation at work and how at his office location they open port 22 internally from his client's firewall to his office network to allow connections from his workstation to the client's environment. My desktop is behind a firewall and all of our clients are behind their own firewalls as well. In order for me to have access over RDP or any windows ports (139 and 445) the firewall must allow that connection over our internal network. If I'm interpreting Kupek correctly he accesses his workstation similarly to how I access mine, either by VPN or Citrix SSL. Once he's established said connection he can then connect to his workstation and begin his remote administration when he is out of the office. In the office he would be at his desktop and already on the internal network which has all access to his client's servers over port 22. The only thing that it seems that is internet facing would be the servers he would connect to via VPN to authenticate his connection and allow him access. Kupek am I correct without going more specific?

PostPosted:Sat Dec 13, 2008 4:03 pm
by Tessian
I read Kupek's post a few times... unless he worded it poorly he made it sound like there was NO VPN involved and all their workstations and servers are on the internet with their own IPs and SSH open. If he actually was describing a VPN connection of some sort then we've been arguing about the same thing, but I don't see that.

PostPosted:Sat Dec 13, 2008 4:19 pm
by SineSwiper
Tessian wrote:Sine: You're wrong. VPNs are IN NO WAY OS specific! That's just flat out wrong. SSH is to RDP if you really want to make a comparison, SSH is not to VPN. Are SSH tunnels and SSL VPN tunnels similar? Very. But VPNs are a lot more better protected, flexible, and powerful than SSH is alone.
I didn't say that it was OS-specific, but that it was generally done that way, since SSH is more of a text-based protocol. Sure, at my work, I VPN to the network and then SSH into the box. But, that's because I'm on a Windows laptop going into a network that has lots of Windows servers, and SSH just doesn't work as well.

However, a lot of college networks are old-school UNIX with dumb terminals that hit an X server, or command-line based utilities on various servers. They don't need a VPN at all. Everything can be managed with SSH alone. It doesn't make it any less secure.
Tessian wrote:Nobody EVER said you use a DMZ model to hide security holes; any company with a semi-competent security program regularly scans for and patches vulnerabilities both internally and externally. The reason FOR a DMZ is that IF that server gets compromised at least it's still restricted to what it can reach on the internal network.
Ummm...if somebody gets into your VPN, they are in your network. Yes, they need to get the IPs, UN/PWs, etc., but there could be weak or common passwords in the system and you can still do a lot of damage just being in the network itself. (Sniffing, spamming, DoS, etc.)
Tessian wrote:If one of your 100 servers on the internet gets compromised your internal network is fucked. If all your internet systems are inside a DMZ that is properly ACLed then you are at a much lower risk. As I said: IT'S ALL ABOUT RISK. What's less risky and easier to maintain? 1 VPN server on the internet, or 100 servers on the internet? You have to keep them all secure and patched yes, but the risk of exposure and compromise is much less.
See? You said what I thought you'd say. "What's easier to maintain"? None of your servers should be any different than the rest, in terms of how and when you patch them. If all of the SSH servers are on the latest version, and the passwords are secure, there's no problem.
Tessian wrote:Its whole purpose is to provide a secure gateway into your network and is MUCH more hardened than any normal Unix server. The only way to compromise a VPN is to either a) attack a vulnerability in its transport mechanism such as middle-manning the SSL connection, or b) having a crappy VPN admin who didn't properly secure it.
How the hell is this different than SSH? Your a and b pretty much sum up the only ways to compromise an SSH daemon. You think they didn't think about making "Secure SHell" secure? VPN is an SSL tunnel into the network, and SSH is an SSL tunnel to a server shell. It's about the same fucking difference!
Tessian wrote:Most of this is moot, however, because if your company handles credit card transactions (and I can assume that an ISP would do this) then you MUST be certified by PCI-DSS. PCI is the set of 12 security controls that the credit card industry has said you MUST adhere to in order to do business with them.
Heh, I knew you would bring that up. Yeah, I'm pretty familiar with PCI myself. We went through some network reorganization for that a year or so ago. (Our mail servers and some web servers needed to be DMZed.)

Look, I'm not saying that a DMZed network isn't secure. I'm just saying that SSH is not some glass protocol that somebody can bang lightly to break in. A properly managed network of servers on SSH can be just as secure as a DMZed network.

PostPosted:Sat Dec 13, 2008 5:42 pm
by Kupek
Tessian wrote:I never made such a claim, it's all about risk.
Tessian wrote:If the server's ON the internet then your system is pretty much guaranteed to already be compromised.
Keep in mind I'm not in a company. I'm in a university. When I interned at IBM, everything was behind a VPN. But this was just as much about protecting company secrets as it was about preventing people from screwing up systems. Getting an account on a machine requires convincing whoever administers it to give you one - or stealing someone's. Getting VPN access required approval from several levels of management.

I'm in a university. We don't have company secrets. In fact, half of our work involves convincing other people that what we do is relevant. It's just not worth it for each department to set up a VPN.

Not every computer is visible to the world - but all of the ones I use are, because I want access to them from everywhere. We make a request to the tech staff for a static IP address for a machine, and for them to open up port 22. Barret, this is almost what you described, except I don't need another step beyond "ssh montoya.cs.vt.edu". Yes, that's my desktop.

PostPosted:Sat Dec 13, 2008 7:19 pm
by Tessian
SineSwiper wrote:
Look, I'm not saying that a DMZed network isn't secure. I'm just saying that SSH is not some glass protocol that somebody can bang lightly to break in. A properly managed network of servers on SSH can be just as secure as a DMZed network.
No it can't, or did you mean servers on SSH can be as secure as a VPN? Because that's a little closer to true. A DMZ basically says your internet facing servers are no longer trusted, so even if they are compromised their access is limited to what they can reach inside the network. This is outside of how you're even connecting to those servers. Now is a server with SSH in a DMZ as secure as a VPN that lets you connect to servers internally? That's debatable and largely depends on what is actually on that server running SSH. A VPN has a lot more control over how it functions than just SSH. With a VPN I can specify exactly what you have access to, what ports, and how much authentication I'll require. Hell, I can even check and make sure your AV is up to date before I let you log in or throw you into a secured ad-hoc desktop I can control.

And Kup-- My sentence there initially was misleading, I was making the assumption that a company that would put their servers on the internet like that, which shows quite a disregard for security, would bother patching them or securing them anyway. Also, I still don't see the reason for putting your stuff directly on the internet unless them being that way has a specific purpose for what you're doing and it's not just for accessibility. A VPN would provide the same exact functionality and convenience but with more security and less risk.

PostPosted:Sat Dec 13, 2008 8:17 pm
by Anarky
So I totally got pissed last night at my cellphone and chucked it on the floor. It had been dropping calls and having odd hiccups for the last few months. It still works... but I swapped my SIM card into the phone I had before, which still works great and has no issues.

So I want a new phone, but not sure I want to re-up the contract to take advantage of the price cut. Any suggestions? I am with AT&T

I was hoping to wait till more Android phones were on the market, but *sigh* no such luck. If I buy a smart phone though I gotta throw on a data plan... God I hate cellphones and contracts.

Any cellphone review sites to look at?

PostPosted:Mon Dec 15, 2008 10:29 am
by Imakeholesinu
Anarky wrote:So I totally got pissed last night at my cellphone and chucked it on the floor. It had been dropping calls and having odd hiccups for the last few months. It still works... but I swapped my SIM card into the phone I had before, which still works great and has no issues.

So I want a new phone, but not sure I want to re-up the contract to take advantage of the price cut. Any suggestions? I am with AT&T

I was hoping to wait till more Android phones were on the market, but *sigh* no such luck. If I buy a smart phone though I gotta throw on a data plan... God I hate cellphones and contracts.

Any cellphone review sites to look at?
pdaphonehome.com has a great community for PDA phones.

phonearena.com has great reviews along with engadgetmobile.com.