He's going to be stuck between usability and security with a two-tiered approach? Plus we have not even started to dissect the web SSL/Apache exploits (which is another HUGE subject)! I am waiting for end-to-end Cell BlackBerry Encryption (outside of Enterprise Servers) and VPN applications for phones!

His solution is going to be either their Unlimited Data Pack upgrade [$49.99] with a static IP, or deploy "calculated risk" in leaving open SSH to the WHOLE SWIP-assigned ARIN AT&T block on his server to access port 22 via the phone.

Server settings per security recommendations (/etc/ssh/sshd_config):

1) Use Protocol 2
2) Disallow root access [Fools Rush in!]
3) Setup Keys
4) Really complex password [8 characters or greater]
5) Password Aging (bi-monthly)
6) Wrap SSH with SSHIT or SSHUTOUT [http://anp.ath.cx/sshit/]
7) Deploy the two line IPTABLES SSH overflow protection AND control SSH port source and destination if possible (full SWIP'd IP Class A for AT&T) [http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/]
8) Run tripwire and rootkit comparison tools from /etc/cron.monthly.

Of course, he could run SSH on another port JUST for his phone [while doing all of the above] (depending on which application he is using on the phone) - some don't allow unique ports other than 22 (and he would have to use SSHUTOUT [since it's one of the few that allow unique custom ports]).

www.Obnosis.com | http://en.wiktionary.org/wiki/Citations:obnosis | http://www.urbandictionary.com/define.php?term=obnosis
(503)754-4452
Catch the January PLUG HackFest! Kristy Westphal, CSO for the Arizona Department of Economic Security will provide a one hour presentation on forensics.
> Date: Tue, 25 Nov 2008 17:13:28 -0700
> From: charles.jones@ciscolearning.org
> To: plug-discuss@lists.plug.phoenix.az.us
> Subject: Re: OT: Free OpenSource JAD/J2EE WAP SSH Client for Phones
>
> James Finstrom wrote:
> > On the original note, locking down to white listed IP addresses... I
> > have a blackberry through AT&T over their EDGE network and not through
> > BES. I get a new IP every connection. I thought a compromise between
> > "wide-open come have your way with me" and "no soup for you" would be
> > to allow a subnet. Well come to find out the ip addresses vary all
> > the way up to class B subnets. I am stuck at "no soup for you" at this
> > point. Does anyone have the AT&T EDGE subnet list :)
>
> What if you made a simple (SSL) web app, that you login with a username
> and password, and it then updates your access list IP :-) Sort of like
> smtp-after-pop auth heh.
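Added example, not code from either poster: a small Python checker for items 1 to 3 of the sshd_config list above (Protocol 2 only, no root login, key-based auth). It assumes sshd's first-value-wins rule, 2008-era OpenSSH defaults for absent keywords, and reads "setup keys" as public-key auth with password auth turned off, which the post does not spell out.

```python
"""Check an sshd_config for items 1-3 of the list above: Protocol 2 only,
no root login, key-based auth.  sshd keeps the FIRST value it reads for a
keyword (a hardened line after a permissive one is dead), mirrored here."""
import re

# Treating "setup keys" as PubkeyAuthentication yes + PasswordAuthentication no
# is an assumption; the post only says to set up keys.
CHECKS = {"protocol": "2", "permitrootlogin": "no",
          "pubkeyauthentication": "yes", "passwordauthentication": "no"}
# Assumed 2008-era OpenSSH defaults used when a keyword is absent.
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "pubkeyauthentication": "yes", "passwordauthentication": "yes"}

def parse_sshd_config(text):
    """Return {keyword: first value} from the global section (before any Match)."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments/blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break                                    # global policy ends here
        found.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return found

def audit(text):
    """Return {keyword: (effective value, passes)} for every checked keyword."""
    cfg = parse_sshd_config(text)
    return {k: (cfg.get(k, DEFAULTS[k]), cfg.get(k, DEFAULTS[k]).lower() == want)
            for k, want in CHECKS.items()}

# Constructed sample: Protocol still allows SSH-1, and the second
# PasswordAuthentication line is ignored because the first one wins.
SAMPLE = """\
Port 22
Protocol 2,1
PermitRootLogin no
PasswordAuthentication no
PasswordAuthentication yes   # dead line
"""

if __name__ == "__main__":
    for key, (value, ok) in audit(SAMPLE).items():
        print(("OK   " if ok else "FAIL ") + f"{key} = {value}")
```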