Hey Ryan - thanks for the great replies, btw. :)
Ryan Russell wrote:
>
> > So the setup has to be one in which the outside walls are strong and
> > thick, but once inside, there are no walls except those which you choose
> > to build. If you can gain root on the AIX machine, great! Setup a
> > usenet server (have you ever wanted to try that in AIX?) and link news
> > between the servers. Since NONE of the machines have access to the
> > outside world, and the world can't get to them without going through the
> > gateway, it has to be STRONG - otherwise, I'm just giving away shells to
> > whoever wants them.
>
> Ok, you want to give away access to a soft, chewy interior. Nothing wrong with
> that, it sounds like fun. You want to use SSH (I presume) to prevent people
> from sniffing passwords for the accounts you've given away, or hijacking
> connections. I would tend to think that may be overprotecting a bit
> for accounts you give away, but that's OK too.
Basically, I want to look into some sort of protection for those who
are connected to the network. With secure shell, the data being passed
from the gateway to the home system. I don't want any possibility of
replay attacks etc - once inside the gateway, all's fair - but I don't
want anyone worrying about their own systems. With ONLY the telnet
client on the gateway machine, it's going to be difficult to find out
any information - I was considering having a dynamic motd with the
number of connections; perhaps different connection classes.
> One problem I see, that I've seen many times before, is that you're
> relying on users to keep secrets, i.e. their name and password. In this
> case, there's not much incentive for them to keep these secret. They're
> free.
Yes, exactly. But, remember, having an account on here really isn't
useful for ANYTHING! The only fathomable goals here are fun and
learning - which in itself probably sounds pretty lame to a script
kiddie... ;)
I'm trying to decide right now if there should be many accounts on the
gateway - or just one user account (yes, barring all the usual system
accounts). Basically, the banner tells the user to log in as "guest"
with pass "guest" - and the user "guest" has a telnet> prompt. I'd like
to have it that the users can encrypt their connections from the gateway
to each machine, but without giving them a shell on the gateway, it's
difficult. Ideas?
> How much of a problem this gets to be depends on how well you police it,
> and how generous you are with accounts.
I don't want to police it heavily. I also don't want Joe Average User
to be able to log in and start trouble. I think this will happen fairly
quickly - the crowd I'm hoping to attract isn't the CURRENT usenet
majority of "dumb people with smart terminals", but the majority from
six years ago - "smart people with dumb terminals".
> > What I'm HOPING for is a tiny online community of Unix hackers and
> > geeks working together to build a chaotic network of services - if you
> > want to run a MUD on a system, go to town. IRC? Build it. Just want
> > to hack? Go to - nobody's going to arrest you for it. Be gentle, if
> > you gain root and rm -rf, you're destroying a lot of people's work... I
> > realize that there WILL be jerks, but I'm hoping that there'll be some
> > respect between users. If you hack root, add yourself a user with UID
> > and GID 0 and use it instead - otherwise, every machine has a guest
> > account.
>
> You'll get some abuse, you recognize that, though.
Yes, I fully recognize it. I'm even looking forward to it. With any
luck, a bunch of Sun gurus will gather on the 330, and a herd of Irix
gurus on the Indigo - if a war between two machines breaks out, I'll be
overjoyed; this is exactly what should happen. People who've never met
each other fighting battles that don't exist on machines they've never
laid eyes on. REAL hacking. :)
> > So my target audience is Unix freaks - for the first little while (a
> > month or two of setup), it will only be a few users testing EVERYTHING
> > -- but after it is working to my satisfaction, there will be a Slashdot
> > announcement for it. At this point, I no longer will have any real idea
> > who my users are.
>
> And, uhh.... how much bandwidth do you have?
DSL. 1 megabit send, 7 megabit receive. For text only transfers,
that's a lot of connections. :)
> > Having the gateway spawn a single 'telnet' session from an ssh login is
> > a good idea, but probably not the best one. I did consider an OTP
> > scheme, but it's difficult to use it in the way I want to - considered
> > something along the lines of "You get ONE password. Use it once, add a
> > user, no more passwords ( <- this is the hard part. ) After you've been
> > here a while, and proved to be beneficial for the network, you get three
> > more passwords, to give to people that YOU feel would be beneficial.
>
> Not quite following... sounds like you trying to make sure people only
> get one account? If you open it up to the public, you've got no way to
> know that those dozen applications for accounts aren't all me. After all,
> I can generate as many e-mail addresses as I need. And then I can give
> them to the l0zers you've already kicked off before.
See, there's the question. I can't think of ways to keep that safe.
One-time passwords just don't exist (to my knowledge) in this format.
Perhaps a one-time password to the "guest" account; then get in and hang
around, post a message saying WHY you'd like an account, talk to some
folks, play, and convince someone with root to make an account for you?
You're right; it's inherently insecure, and supremely difficult to get
around.
> > SSH on all of the systems is an idea - but it takes away from the
> > initial fun. If someone wants to compile a sniffer on there, go to -
> > but you're going to have to use kermit or similar to get the source onto
> > the machine... no ftp out, etc. :)
>
> I cut and paste source into vi all the time.. There are lots of ways to
> bootstrap any tools you need onto a system using even the most
> limited access. One can write a uudecoder in shell code, etc....
EXACTLY! There truly are; but, in order to do so, you have to both a.)
REALLY know what you're doing - have you ever talked in depth about Unix
to a script-kiddie? and b.) Put some time and effort into it. At that
point, are you going to stick around for a while and play, or
maliciously break stuff for the joy of breaking it? :) People that know
how to MAKE the tools they need are rarely destructive.
> > As far as I can see, the best way to do this is with a low-end pentium
> > system running NetBSD gatewaying the network - ONLY ssh open, with a
> > 'network' account. This account spawns 'telnet' as its shell, on the
> > internal network. This is your access to the network; telnet only -
> > perhaps there's a better way, but I (eventually) expect several thousand
> > users - even if some are only one-time users. I think there's enough
> > advanced Linux geeks who are just itching to play with different flavors
> > of Unix.
>
> Like I mentioned before... my telnet client has a shell command. What does that
> do in your environment? You might want to rip some things out of the telnet
> client.
There, I'm not sure. I will be paring down the client to the point
that it supports only a BARE minimum of features, if that's the method
that is finally implemented. Like I said, I'm open to other ideas, no
matter how different they are to my own. I'm not set on the
telnet/shell thing. :)
> All-in-all, it sounds like fun. I hope the bastards don't get you down.
Thank you kindly. I'll be in touch via private mail when I'm ready to
have people help out pre-testing the network - you seem the type that
would appreciate it.
Cheers,
- Drew.
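The "ssh login whose shell is telnet" gateway account discussed above, and Ryan's point about the telnet client's own shell escape, as an added example that is not Drew's setup or any project's code. It assumes a modern OpenSSH sshd (ForceCommand), a BSD-style telnet at /usr/bin/telnet that accepts -E, and placeholder internal hostnames.

```shell
#!/bin/sh
# Added example: a minimal telnet-only login for the gateway's shared guest
# account. The user never sees the "telnet>" prompt: the target host is taken
# from the ssh command (or one prompt), checked against an allowlist, and
# telnet is exec'd with -E so no escape character can bring the prompt (and
# its "!" shell command) back mid-session.
#
# Matching sshd_config fragment (assumed, OpenSSH directives):
#   Match User guest
#       ForceCommand /usr/local/sbin/telnet-shell
#       AllowTcpForwarding no
#       X11Forwarding no
#       PermitTunnel no
#       PermitTTY yes

# Placeholder allowlist of internal hosts (constructed for this example).
ALLOWED_HOSTS="sun330 indigo aixbox"

# Return 0 if "$1" is exactly one allowlisted short hostname, 1 otherwise.
# Anything with a non-alphanumeric character (dashes, spaces, ';', '.')
# is rejected first, so a user cannot smuggle telnet options or commands.
host_allowed() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    for h in $ALLOWED_HOSTS; do
        [ "$h" = "$1" ] && return 0
    done
    return 1
}

# Return the exact command line that would be exec'd (for inspection/tests).
telnet_cmdline() {
    host_allowed "$1" || return 1
    printf '%s\n' "/usr/bin/telnet -E $1"
}

main() {
    # "ssh guest@gateway indigo" arrives as SSH_ORIGINAL_COMMAND; otherwise ask once.
    target=${SSH_ORIGINAL_COMMAND:-}
    if [ -z "$target" ]; then
        printf 'Internal hosts: %s\nhost> ' "$ALLOWED_HOSTS"
        IFS= read -r target || exit 1
    fi
    host_allowed "$target" || { echo "unknown host" >&2; exit 1; }
    exec /usr/bin/telnet -E "$target"
}

# Only act as a login shell when installed under that name.
case "$0" in *telnet-shell) main ;; esac
```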