
[ossec-list] Re: Integrity Checks and Diffs?



Marty E. Hillman wrote:
> I suppose one *could* use the forwarded pipe function of ssh to forward
> the mail across a secure pipe to the mail server.  This would keep it
> encrypted within the tunnel.  Just install Cygwin with ssh on the
> Exchange server (assuming a mostly Micro$oft network like mine).  On the
> OSSEC machine,
> 
> 	ssh  user@xxxxxxxxxxxx  -L 25:mailserver.mynetwork.com:25
> 
> This should redirect all port 25 traffic to the corresponding SMTP port
> on the server.  Just email at localhost.
> 
> Setting up Cygwin to tunnel -
> http://pigtail.net/LRP/printsrv/cygwin-sshd.html

This to me sounds worse than giving OSSEC a passphraseless gpg key... In
this scenario you are giving OSSEC the ability to ssh to external
servers without a passphrase, be it through host-based equivalency or
public-key authentication.

Also, the message is only encrypted until it reaches the end of the
tunnel (unless all MTA hops are using TLS/SSL).  If some password file
gets modified and a diff is sent to you, someone could capture that
diff, and extract authentication tokens for your site.

Additionally, only root can forward privileged ports, so OSSEC would
have to run this as root =(.  There really isn't a graceful solution to
this problem.  The best answer so far seems to be locking down your
OSSEC server, giving OSSEC a gpg key which you "somewhat" trust, and hoping
your OSSEC system doesn't get broken into.  My favorite answer so far is
"just don't send diffs automatically".

-- 
-dave
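
An added example, not part of this thread or of OSSEC itself, illustrating the defensive middle ground between the two positions above: strip the credential field out of a password-file diff before it is mailed, so a captured alert no longer yields authentication tokens. The unified diff is a constructed sample with fake hashes, and `redact_shadow_diff` is a hypothetical helper, not an OSSEC feature.

```python
import re

# Constructed sample: a unified diff of an /etc/shadow-style file, of the
# kind an integrity checker might attach to an alert. Hashes are fake.
SAMPLE_DIFF = """\
--- /etc/shadow.old
+++ /etc/shadow
@@ -1,3 +1,3 @@
 root:$6$abc123$FAKEHASHROOT:19000:0:99999:7:::
-alice:$6$salt1$FAKEHASHOLD:19000:0:99999:7:::
+alice:$6$salt2$FAKEHASHNEW:19100:0:99999:7:::
 bob:*:19000:0:99999:7:::
"""

# shadow(5) layout: name:password:lastchange:min:max:warn:inactive:expire:flags
# Group 1 is the diff marker (' ', '+' or '-'), then the first two fields.
SHADOW_LINE = re.compile(r'^([ +-])([^:]+):([^:]*):(.*)$')


def redact_shadow_line(line):
    """Replace the password field of one diff line with a marker.

    Context, added and removed lines keep their diff marker and the account
    name, so the reader still learns which entry changed and how.
    Locked or empty fields ('', '*', '!', '!!') carry no secret and are kept.
    """
    if line.startswith(('--- ', '+++ ', '@@')):
        return line  # file headers and hunk markers pass through untouched
    m = SHADOW_LINE.match(line)
    if not m:
        return line
    marker, user, pw, rest = m.groups()
    if pw in ('', '*', '!', '!!'):
        return line
    return f"{marker}{user}:<REDACTED>:{rest}"


def redact_shadow_diff(diff_text):
    """Redact every password hash in a unified diff before it leaves the host."""
    return "\n".join(redact_shadow_line(ln) for ln in diff_text.splitlines()) + "\n"


if __name__ == "__main__":
    print(redact_shadow_diff(SAMPLE_DIFF))
```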




OSSEC project: www.ossec.net.
Mailing list information: http://www.ossec.net/en/mailing_lists.html.