Hi Swinogers,
I'm currently thinking about deploying a Sheevaplug or similar with mosh (http://mosh.mit.edu) as a login jumphost, since I am several hours in mobile mode every day and I need a space outside of my network to host a *jump host*.
Please contact me offlist and offer me housing for something like that: http://www.plugcomputer.eu/
All I am taking up is some bandwidth (expected bandwidth on average probably 1 Mbit max, half of it for keepalives for outbound VPN tunnels); power consumption apparently less than 10 watts.
Need v6 and v4 connection, 1 IP each, public, not firewalled, 1 plug in the power strip.
Since this is a rather non-standard thing I'm looking for, and I need it in a datacenter outside my infrastructure, I thought it's best to ask here.
Btw, for anyone already experienced with or looking into mosh, I'm looking forward to an exchange here.
Good Evening!
Silvan
Silvan, I would highly recommend pcengines.ch instead. They are quickly available (usually shipped the next day after ordering) from a Swiss store, and so far they are the cheapest linux boxes that I could find. I'm using them exactly for the same purpose - as ssh jumphosts :)
http://linux.voyage.hk/ is a flavor of Debian specifically tailored for these boxes. It mounts the root in read-only mode by default, so your CF storage is written only when needed.
Here I put a few related notes in my blog: http://txlab.wordpress.com/tag/voyage-linux/
From: Silvan M. Gebhardt gebhardt@openfactory.ch To: swinog@swinog.ch Sent: Thursday, May 31, 2012 11:10 PM Subject: [swinog] hosting for 1 powersupply with lan port
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
But actually, for your purpose, I would just buy the cheapest VPS at http://www.buildyourvps.com/
I've got one for about $35 a year. The machine (or probably the network) is heavily oversubscribed, but you get a virtual machine on a dedicated IP address.
From: Stanislav Sinyagin ssinyagin@yahoo.com To: "swinog@swinog.ch" swinog@swinog.ch Sent: Friday, June 1, 2012 10:24 AM Subject: Re: [swinog] hosting for 1 powersupply with lan port
Hello Stanislav and List
There are two reasons why I want this plug PC:
1) Security through obscurity. If someone by whatever means takes this thing apart: an Alix is very easy to dump the contents of; a VPS is even worse.
2) Such a plug PC has at least double the RAM an Alix has. The moment you also want to run mutt on it, it starts to become a bit relevant, with a few dozen OpenVPN client connections as well. I do run a lot of Alixes globally already; I know the whole box quite well.
I'd love to keep this box in Switzerland as well ;)
Thanks for the input. Mosh will be a topic; I will update the ML if there is interest. I'm looking forward to seeing how it behaves on sat connections etc.
Silvan
On 01.06.2012 10:36, Stanislav Sinyagin wrote:
Security by obscurity? You know, with a JTAG adapter and a bit of knowledge, one can read the onboard flash from those plugs too. So probably a better approach is to have a system which doesn't expose your data when the disk is compromised. The simplest example is SSH with public key authentication and authentication forwarding (-A flag).
From: Silvan Gebhardt gebhardt@openfactory.ch To: swinog@lists.swinog.ch Sent: Friday, June 1, 2012 10:28 PM Subject: Re: [swinog] hosting for 1 powersupply with lan port
Interesting topic, especially looking at the current cloud trends. We've been discussing this internally and came to the conclusion that as long as someone has physical access to a server, he will always be capable of reading the data on that server with more or less effort.
Even using a high level of physical security to ensure that nobody has physical access to the box can be broken with enough time and effort, especially by the people housing the box.
In the end, all you need is trust. If you trust the people housing your box and if you trust their ability to keep the bad guys physically away, everything is fine. If you can't trust them you are lost in any case.
Kind regards, Viktor
On 02.06.2012 01:05, Stanislav Sinyagin wrote:
Good Morning!
The cloud is completely anonymous; that makes the feeling of doing something (as a provider) much lower in my opinion. Knowing someone, even the face, is much better. Since I know this point I did not call it "physical security" but "security through obscurity" on purpose. Since such a plug PC makes extraction of data a bit more complex (always possible), I gain time. Time when the box is offline to revoke my keys ;)
I do have to trust the people I will be hosting it with; there is a reason I do it in Switzerland. (Yes, I believe after being the nation of money we will be the *data bankers* soon.)
@Stanislav: Interesting flag with SSH -A. I will have to read further there; is this something like PFS with IPsec? Never heard about that flag.
I think we are creating a topic for next swinog here. "Networking for Mobile workers (Mosh) with paranoia"
On 02.06.2012 08:57, Viktor Steinmann wrote:
Good morning,
If you care so much about physical penetration of your equipment, why bother with local storage anyway?
There are enough solutions out there which do not need to have an installed system.
As an example: coreboot with Etherboot (payload). This combination allows you to load a system with an HTTP server, and there is even a so-called SafeBootMode with verification of your boot image. After that you only need local storage, which could be a ramdisk or an encrypted tmp/swap hard or flash drive.
So there wouldn't be any necessity to obscure your hardware anyhow, and all further penetration vectors would need a higher sophistication.
PS: I do agree that PC Engines boards need more RAM. A version with at least 512 MB would be highly appreciated.
Saludos Miguel
On 02.06.12 11:50, Silvan Gebhardt wrote:
Ok, more on the details.

I. SSH auth. forwarding
=======================

On my PC, I have my private SSH key, encrypted with a good password. As I control this environment, I make sure this is the only copy of my private key, and all backup copies are encrypted with other passwords.
On my VPS that I use as a jumphost, I have my public key in .ssh/authorized_keys. So my login does not even have a password on that server.
When I'm logged in to the VPS, I can do
    ssh -A ssinyagin@1.2.3.4
With this command, the server 1.2.3.4 authenticates me through my public key, and the VPS acts as the SSH agent proxy. So, if that server has my public key in .ssh/authorized_keys, I'm easily in, and no security breach on the VPS would affect my security.

II. Secure data on a foreign machine
====================================

So, your VPS is in an untrusted environment, and you need to store sensitive data on it (e.g. VPN configuration and keys).
You create a cryptfs folder, mount it with a manually entered password, and store your sensitive data on it. As long as the server is running, your processes can access the data. If the server reboots, it needs to notify the operator via email or SMS, and the operator logs in and mounts the cryptfs again.
Of course, depending on the virtualization technology, your provider may log in from the VM console and see your data. So you either trust your provider, or use a physical machine like pcengines. At the latest DENOG meeting there was an interesting report that offline RAM chips still hold traces of your data for a few hours, so be careful with that too :)
As an alternative to cryptfs, you can mount a RAM disk and initialize its content from your home location via an SSH tunnel. If you use Git, you can also do incremental updates to the running system.

III. Off-site backups
=====================

What I do is let my home NAS pack the data directory, encrypt it with AES256, and push it towards the VPS server. So nightly I transfer a few hundred megabytes. It works fine as long as I keep the footprint within reasonable limits.
As an alternative, there was a project somewhere that modifies rsync in a way that it can work with encrypted data on the remote site.
Did I miss something?
From: Silvan Gebhardt gebhardt@openfactory.ch To: swinog@lists.swinog.ch Sent: Saturday, June 2, 2012 11:50 AM Subject: Re: [swinog] hosting for 1 powersupply with lan port
On 2 Jun 2012, at 05:49, Stanislav Sinyagin ssinyagin@yahoo.com wrote:
When I'm logged in to the VPS, I can do
    ssh -A ssinyagin@1.2.3.4
With this command, the server 1.2.3.4 authenticates me through my public key, and the VPS acts as the SSH agent proxy. So, if that server has my public key in .ssh/authorized_keys, I'm easily in, and no security breach on the VPS would affect my security.
Unless the attacker is on the jumpbox as root, as then they can also forward in the same way, but this should not happen of course ;)
For this reason, I tend to use a key per device and keep all authorized_keys files in svn, which makes it easy to identify which nodes are possibly compromised, or at least to quickly remove access. You could use the forward trick and keep the private key etc. on your local device.
Remote syslogging is for this reason a good idea. Jumphosts in general should also solely run an sshd and nothing else. But that is what you are aiming for; any access is then easily noticed.
On the latest DENOG meeting, there was an interesting report that offline RAM chips still hold traces of your data for few hours, so be careful with that too :)
Cold boot attacks are quite old by now ;) There is a reason there are TPMs in quite some hardware; if possible use those or other dedicated crypto storage.
As an alternative, there was somewhere a project that modifies rsync in a way that it can work with encrypted data on the remote site.
Check duplicity for this purpose.
did I miss something?
To start with, define who you think your adversaries are; that is the most important step in something like this.
Greets, Jeroen
From: Jeroen Massar jeroen@unfix.org To: Stanislav Sinyagin ssinyagin@yahoo.com Cc: Silvan Gebhardt gebhardt@openfactory.ch; "swinog@lists.swinog.ch" swinog@lists.swinog.ch Sent: Saturday, June 2, 2012 4:05 PM Subject: Re: [swinog] hosting for 1 powersupply with lan port
Unless the attacker is on the jumpbox as root as then they can also forward in the same way, but this should not happen ofcourse ;)
Yes, in theory if the attacker is logged in as root, then during my SSH session they may make an SSH connection using my credentials. But it would be difficult to stay unnoticed, and it's only possible while I'm logged in.
Another way to avoid the SSH agent intrusion is to use TCP tunneling through SSH. Then the intermediate host is only used for TCP connection bridging, but all the authentication happens outside of your jumphost.
Hi,
Does someone know if there is a tool for Linux which can send a neighbor advertisement for a fast update of the neighbor table of a router? Like the good old "arping -U" for IPv4, which sends gratuitous/unsolicited ARP messages...
Have a nice evening!
Cheers, Tobias
Here you have: http://www.remlab.net/ndisc6/
Roque
On Mon, Jun 4, 2012 at 9:59 PM, Tobias Brunner tobias.brunner@nine.ch wrote:
-- Nine Internet Solutions AG, Albisriederstr. 243a, CH-8047 Zuerich Support +41 44 637 40 40 | Tel +41 44 637 40 00 | Direct +41 44 637 40 13 Skype nine.ch_support
On 2012-06-04 12:59, Tobias Brunner wrote:
Hi,
Does someone know if there is a tool for Linux which can send a neighbor advertisement for a fast update of the neighbor table of a router? Like the good old "arping -U" for IPv4, which sends gratuitous/unsolicited ARP messages...
# apt-get install ndisc6
Description: IPv6 diagnostic tools
ndisc6 gathers a few diagnostic tools for IPv6 networks including:
- ndisc6, which performs ICMPv6 Neighbor Discovery in userland,
- rdisc6, which performs ICMPv6 Router Discovery in userland,
- rltraceroute6, a UDP/ICMP IPv6 implementation of traceroute,
- tcptraceroute6, a TCP/IPv6-based traceroute implementation,
- tcpspray6, a TCP/IP Discard/Echo bandwidth meter,
- addrinfo, easy script interface for hostname and address resolution,
- dnssort, DNS sorting script.
On various BSDs and Solaris platforms and other such unices you will find separate ndsol (client) and ndsold (daemon) too btw.
Greets, Jeroen
On Mon, 4 Jun 2012, Tobias Brunner wrote:
Hi,
Does someone know if there is a tool for Linux which can send a neighbor advertisement for a fast update of the neighbor table of a router? Like the good old "arping -U" for IPv4, which sends gratuitous/unsolicited ARP messages...
ndp(1) on FreeBSD; "ip neighbour" can do something like that on Linux.
//Saper
Hi all,
Thanks for the answers!!
* ndisc6 somehow doesn't do what I expect:
ndisc6 <address> eth0
Soliciting <address> (<address>) on eth0...
Timed out.
Timed out.
Timed out.
No response.
* ndping doesn't compile (see below)
* ip neighbor I will test tomorrow, that sounds promising!
Good night
Regards, Tobias
PS: Sorry for the mess with the threads on the mailing list =)
gcc -o ndping ndping.c -Wall -lnet -lpcap
ndping.c: In function ‘callback’:
ndping.c:65: error: ‘LIBNET_ICMPV6_NS_H’ undeclared (first use in this function)
ndping.c:65: error: (Each undeclared identifier is reported only once
ndping.c:65: error: for each function it appears in.)
ndping.c:66: error: ‘LIBNET_ICMPV6_OPT_TLLA_H’ undeclared (first use in this function)
ndping.c:87: error: ‘struct libnet_icmpv6_hdr’ has no member named ‘icmp_target1’
ndping.c:91: error: ‘struct libnet_icmpv6_hdr’ has no member named ‘icmp_target2’
ndping.c:97: error: dereferencing pointer to incomplete type
ndping.c:97: error: dereferencing pointer to incomplete type
ndping.c:97: error: ‘struct libnet_icmpv6_hdr’ has no member named ‘icmp_rso’
ndping.c:101: error: dereferencing pointer to incomplete type
ndping.c:102: error: ‘struct libnet_icmpv6_hdr’ has no member named ‘icmp_rso’
ndping.c: In function ‘ndping’:
ndping.c:160: warning: implicit declaration of function ‘libnet_build_icmpv6_ns’
ndping.c:161: error: ‘ICMP6_NEIGHBORSO’ undeclared (first use in this function)
ndping.c:182: error: ‘LIBNET_ICMPV6_NS_H’ undeclared (first use in this function)
ndping.c:196: error: ‘ETHERTYPE_IPV6’ undeclared (first use in this function)
ndping.c:200: warning: pointer targets in passing argument 1 of ‘libnet_build_ethernet’ differ in signedness
/usr/include/./libnet/libnet-functions.h:490: note: expected ‘u_int8_t *’ but argument is of type ‘char *’
ndping.c:200: warning: pointer targets in passing argument 2 of ‘libnet_build_ethernet’ differ in signedness
/usr/include/./libnet/libnet-functions.h:490: note: expected ‘u_int8_t *’ but argument is of type ‘char *’
make: *** [ndping] Error 1
On 2012-06-04 13:43, Tobias Brunner wrote:
Hi all,
Thanks for the answers!!
- ndisc6 somehow doesn't do what I expect:
ndisc6 <address> eth0
Soliciting <address> (<address>) on eth0...
Timed out.
Timed out.
Timed out.
No response.
$ ndisc6 2001:4f8:3:2e::1 eth0
Soliciting 2001:4f8:3:2e::1 (2001:4f8:3:2e::1) on eth0...
Target link-layer address: 00:11:BC:A5:48:00 from 2001:4f8:3:2e::1
Do note that if the address does not exist you get what you showed:
$ ndisc6 2001:4f8:3:2e::2 eth0
Soliciting 2001:4f8:3:2e::2 (2001:4f8:3:2e::2) on eth0...
Timed out.
Timed out.
Timed out.
No response.
- ndping lässt sich nicht kompilieren (siehe unten)
- ip neighbor werde ich morgen testen, das klingt vielversprechend!
'ip nei' can be used to look at the current entries; it does not allow sending an ND solicitation, but effectively one can also do:
in one shell:
    tcpdump -i eth0 icmp6
in another:
    ping6 -I eth0 <address>
That should give you the packets too, unless the entry is cached, but then you can remove it with 'ip nei flush ...' to force it to be cached again.
Note that 'ip -4 nei' is effectively showing the ARP tables, while 'ip -6 nei' is for the ND based information.
PS: Sorry for the mess with the threads on the mailing list =)
Or the mixing of English and German ;)
gcc -o ndping ndping.c -Wall -lnet -lpcap
ndping.c: In function ‘callback’:
ndping.c:65: error: ‘LIBNET_ICMPV6_NS_H’ undeclared (first use in this function)
You need to install the libnet headers for that to work.
Greets, Jeroen
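Added example, not part of the thread and not code from ndisc6 or ndping: what the "arping -U" equivalent Tobias asked for actually puts on the wire. The script builds an unsolicited Neighbor Advertisement (RFC 4861 section 4.4) with the Target Link-Layer Address option, computes the ICMPv6 checksum over the IPv6 pseudo-header (RFC 4443), parses it back the way you would from a tcpdump capture, and has a send path that uses a raw socket (CAP_NET_RAW required, so only the offline parts run here). The addresses and MAC are constructed sample values; the interface name is a placeholder.

```python
"""Unsolicited IPv6 Neighbor Advertisement: build, verify, parse, send."""
import socket
import struct

ICMPV6_NEIGHBOR_ADVERT = 136
ND_OPT_TARGET_LLADDR = 2
ALL_NODES_MCAST = "ff02::1"   # unsolicited NAs go to all nodes (RFC 4861 7.2.6)
ND_HOP_LIMIT = 255            # receivers discard ND packets with any other hop limit


def icmpv6_checksum(src: str, dst: str, msg: bytes) -> int:
    """RFC 4443 2.3: ones' complement sum over the IPv6 pseudo-header + message.
    Given a message whose checksum field is already correct, this returns 0."""
    pseudo = (socket.inet_pton(socket.AF_INET6, src)
              + socket.inet_pton(socket.AF_INET6, dst)
              + struct.pack("!I", len(msg))
              + b"\x00\x00\x00" + struct.pack("!B", socket.IPPROTO_ICMPV6))
    data = pseudo + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_neighbor_advert(src: str, dst: str, target: str, lladdr: str,
                          router: bool = False, solicited: bool = False,
                          override: bool = True) -> bytes:
    """ICMPv6 NA message without the IPv6 header (a raw socket adds that).
    For a refresh: S=0 (unsolicited), O=1 so the receiver replaces its cached MAC."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    mac = bytes.fromhex(lladdr.replace(":", ""))
    if len(mac) != 6:
        raise ValueError("expected a 48-bit link-layer address")
    msg = (struct.pack("!BBHI", ICMPV6_NEIGHBOR_ADVERT, 0, 0, flags)  # checksum 0 for now
           + socket.inet_pton(socket.AF_INET6, target)
           + struct.pack("!BB", ND_OPT_TARGET_LLADDR, 1)              # option length in 8-byte units
           + mac)
    csum = icmpv6_checksum(src, dst, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_neighbor_advert(msg: bytes) -> dict:
    """Decode an NA back into its fields; lladdr is None if the option is absent."""
    if len(msg) < 24:
        raise ValueError("too short for a Neighbor Advertisement")
    typ, code, _csum, flags = struct.unpack("!BBHI", msg[:8])
    if typ != ICMPV6_NEIGHBOR_ADVERT or code != 0:
        raise ValueError("not a Neighbor Advertisement")
    out = {"target": socket.inet_ntop(socket.AF_INET6, msg[8:24]),
           "router": bool((flags >> 31) & 1),
           "solicited": bool((flags >> 30) & 1),
           "override": bool((flags >> 29) & 1),
           "lladdr": None}
    pos = 24
    while pos + 2 <= len(msg):               # walk the TLV options
        otype, olen = msg[pos], msg[pos + 1] * 8
        if olen == 0:
            raise ValueError("zero-length ND option")   # RFC 4861 4.6: must be discarded
        if otype == ND_OPT_TARGET_LLADDR and olen == 8:
            out["lladdr"] = ":".join("%02x" % b for b in msg[pos + 2:pos + 8])
        pos += olen
    return out


def send_unsolicited_advert(ifname: str, src: str, target: str, lladdr: str,
                            router: bool = False) -> int:
    """Send the NA to all nodes on ifname. Needs CAP_NET_RAW. Linux fills in the
    ICMPv6 checksum on raw ICMPv6 sockets itself; the precomputed one is identical."""
    ifindex = socket.if_nametoindex(ifname)
    msg = build_neighbor_advert(src, ALL_NODES_MCAST, target, lladdr, router=router)
    s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, socket.IPPROTO_ICMPV6)
    try:
        s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_MULTICAST_HOPS, ND_HOP_LIMIT)
        s.bind((src, 0, 0, ifindex))         # source must match the checksum pseudo-header
        return s.sendto(msg, (ALL_NODES_MCAST, 0, 0, ifindex))
    finally:
        s.close()
```

Two caveats a practitioner should keep in mind before relying on this to "fix" a router's table: RFC 4861 7.2.5 says a node that receives an unsolicited NA for a target it has no cache entry for silently ignores it, so the packet only refreshes an existing entry (which is exactly Tobias' failover case); and receivers verify hop limit 255, so a packet that crossed a router, or was sent without the hop-limit option set, is discarded without any error you can see from the sender.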
Hello
On Saturday 02 June 2012 14.49:09 Stanislav Sinyagin wrote:
I. SSH auth. forwarding
I use ssh's ProxyCommand option instead; it will use netcat on the jumphost to act as a proxy for an ssh connection. With this method your client's known_hosts file will be used and your ssh key stays on your client, so you don't have to trust the jumphost.
Just add something like this to your .ssh/config:
Host somehost.example.com anotherhost.example.net *.example.org
    ProxyCommand ssh jumphost.example.com exec nc -q0 %h %p
Cheers, Adrian
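Added here as an illustration of the three positions in the thread (Stanislav's -A forwarding, Jeroen's key-per-device and root-on-the-jumpbox caveat, Adrian's ProxyCommand); it is not code from any of them. The POSIX sh script emits the client config Adrian's netcat trick amounts to on current OpenSSH (ProxyJump, 7.3+), the weak ForwardAgent variant beside it for contrast, a small linter that reports which Host blocks still forward the agent, and the authorized_keys line that limits the key on the jump host to the TCP forward ProxyJump needs. Host names, the user and the key file names are placeholders.

```shell
#!/bin/sh
# Added example, not the thread authors' code. All names are placeholders.

# ProxyJump opens a TCP forward through the jump host; the inner SSH session is
# end-to-end, host keys are checked against the client's own known_hosts, and
# the private key never leaves the laptop. One key per device plus
# IdentitiesOnly stops the agent from offering every key it holds.
hardened_ssh_config() {
    cat <<'EOF'
Host jump.example.com
    User silvan
    IdentityFile ~/.ssh/id_laptop_ed25519
    IdentitiesOnly yes
    ForwardAgent no

Host *.example.org
    ProxyJump jump.example.com
    IdentityFile ~/.ssh/id_laptop_ed25519
    IdentitiesOnly yes
    ForwardAgent no
EOF
}

# The weak setting for comparison: with ForwardAgent yes, root on the jump host
# can point SSH_AUTH_SOCK at the forwarded socket and sign with your key for as
# long as your session is open (Jeroen's point).
weak_ssh_config() {
    cat <<'EOF'
Host jump.example.com
    User silvan
    ForwardAgent yes
EOF
}

# Print the name of every Host block in an ssh_config that enables agent
# forwarding. ssh_config keywords are case-insensitive and accept both
# "key value" and "key=value"; comments are stripped first.
agent_forwarding_hosts() {
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }
        NF == 0 { next }
        tolower($1) == "host" { host = $2; for (i = 3; i <= NF; i++) host = host " " $i; next }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    ' "$1"
}

# authorized_keys line for the jump host itself (OpenSSH 7.2+): "restrict"
# disables pty allocation, agent/X11 forwarding, ~/.ssh/rc and port forwarding;
# "port-forwarding" then re-enables the one thing ProxyJump needs, and "from="
# pins the key to the networks you log in from. $1 = source pattern, $2 = key.
jumphost_authorized_keys_line() {
    printf 'restrict,port-forwarding,from="%s" %s\n' "$1" "$2"
}
```

Run `agent_forwarding_hosts ~/.ssh/config` to audit an existing config. To go one step further on the jump host, `permitopen="host:port"` in the same authorized_keys line limits which inside hosts the forward may reach, so a stolen key is worth only the listed destinations.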
On Sat, 02 Jun 2012 11:50:59 +0200 Silvan Gebhardt gebhardt@openfactory.ch wrote:
The cloud is completely anonymous, that makes the feeling to do something (as a provider) much lower in my opinion. Knowing someone, even the face, is much better. Since I know this point I did not call it "physical security" but "security through obscurity" on purpose. Since such a plug PC makes extraction of data a bit more complex - possible always - I gain time. Time when the box is offline to revoke my keys ;)
Fill the box with thermally conductive epoxy. No way to get at the data anymore unless you take a lot of time to drill a few holes ... but not too deep! ;-)
If you need more security, then there are a few techniques that are able to erase memory as soon as the case is opened or broken. But those require custom devices and are thus a bit more expensive.
Attila Kinali
On Monday 04 June 2012 22.18:31 Attila Kinali wrote:
Hi Attila
Fill the box with thermally conductive epoxy. No way to get at the data anymore unless you take a lot of time to drill a few holes ... but not too deep! ;-)
A good idea. If you do so, make sure you use slow-setting epoxy resin. The reaction usually is exothermic and can produce quite a bit of heat. And it is also coupled with a positive feedback loop: the more resin you have in one place, the hotter it gets when setting; the hotter it gets, the faster it will set; the faster it sets, the more heat is produced :) Slowly setting resin is also of higher viscosity, which makes it creep deeper into the gaps and holes and develop higher adhesive and cohesive forces, which, to come to an end, makes it harder to get rid of it.
Or you could use an unstable explosive to fill the housing, of course. But this, in turn, might prove to make it harder to find a place to house your box :D
Sorry for losing focus. Over and out, Michi