> > > > If someone then argues about source IP spoofing, just let him. If
> > > > someone in your organisation is able to do it, make him your
> > > > network admin.
> > > >
> > > You're right, access to the printer can be given only to certain
> > > hosts. So simply using 'lpr file.pdf' on the remote machine
> > > doesn't strike you as a bad idea?
> >
> > Might this be an opportunity to use 'port-knocking' ?
> >
> > http://www.linuxjournal.com/article/6811
> >
> > just a thought, never really tried this before.
>
> port-knocking is the biggest load of fud (Microsoft products apart) I
> have heard about in ages. The term snake-oil comes to mind, as
> does "security by obscurity and obfuscation" which we all know is no
> security at all.
>
> I don't care if the originating process knocks on the well known port
> with gold plated gloves hand braided from the finest Unobtainium by
> seductive alluring Puerto Rican virgins, the receiving machine still
> has to open another port shortly thereafter. This is not a magic port and
> is not wrapped in Star Trek's finest stealth cloak, it's a port that
> does TCP/IP stuff.
>
> If the end process listening on the newly opened port is in any way
> weak - and this is the only possible reason anyone would ever try the
> port knocking workaround - it's just as weak when it's listening on an
> obfuscated port number. If it's open, I can find it. If it's weak, I
> can get in. Then it's game over, go home, I win.
>
> I've yet to hear positive things about port knocking from someone who
> actually implemented it fully. In truth it's just a major pain in the
> arse that makes the admin's life miserable and gives the boss a warm
> fuzzy feeling based on hot air.
>
> End of rant.

Well, thank you for that. I had planned on setting up port knocking for ssh and cups but I guess I'm just as well off leaving them listening on 22 and 631?

As for printing from lpr to cups across the internet, I should be encrypting that data, shouldn't I? Nothing too sensitive but it sounds like a good thing to do. It looks like cups can use ssl but I don't see any mention of it in man lpr.

- Grant

--
gentoo-user@lists.gentoo.org mailing list