measuring jack themes technologies tooltips linux measuring jack themes technologies tooltip linux limejack claim limejack limejack

Démarrer | Langue  de en fr | Menu | Carte | Recherchez

Vous êtes ici: start » fr » themes » intercom

Communications via unsecure networks

The communications via unsecure network is a part of inter process communication (IPC). Various concepts are discussed on this website.

To illustrate the mechanisms, two programs are used as examples below. The programm client.sh sends a request to the programm server.sh. The server responds to the request. Multiple requests and DDoS defense must be necessary.

The following table gives an overview:

  • TEC : technology : the used combination of utils
  • ENC : weight=1.0 : encryption : any part of secure encryption
  • SCH : weight=1.0 : script changes : Is it possible to change the server or client script on running?
  • INI : weight=0.5 : init : How easy is it to int the construct?
  • EOC : weight=1.0 : end of connection if the respond is sended
  • FRE : weight=1.0 : full respond : construct delivers the full respond
  • MCO : weight=0.8 : multiple connections : Is it possible to connect the server by multiple connections?
  • DDD : weight=1.0 : defence of DoS : Is it possible to defence a DoS attack.

A score is used for evaluation:

  • 0 : no, bad
  • 5 : yes, very good
technology Score ENC SCH INI EOC FRE MCO DDD
TEC: apache+php+bash 5.00 5 5 5 5 5 5 5
TEC: mini_httpd+cgi+bash 4.71 3 5 5 5 5 5 5
TEC: tcpserver+nc+gpg 4.71 3 5 5 5 5 5 5
TEC: tcpserver+nc 4.28 0 5 5 5 5 5 5
TEC: stunnel 4.14 5 5 3 5 5 3 3
TEC: opessl 4.14 5 5 4 5 5 0 5
TEC: ncat 4.00 5 5 5 5 3 5 0
TEC: tinysshd 3.85 5 3 5 3 3 5 3
TEC: mosquitto 3.57 5 0 3 5 5 5 2
TEC: socat 2.71 5 5 4 0 0 0 5

The score calculation:

ERROR : ec001 ERROR : ec001

apache+php+bash

  • ENC : 5
  • SCH : 5
  • INI : 5
  • EOC : 5
  • FRE : 5
  • MCO : 5
  • DDD : 5 : via apache

mini_httpd+cgi+bash

  • ENC : 3 : self asigned
  • SCH : 5
  • INI : 5
  • EOC : 5
  • FRE : 5
  • MCO : 5
  • DDD : 5 : untested

tcpserver+nc+gpg

  • ENC : 3 : own format
  • SCH : 5
  • INI : 5
  • EOC : 5
  • FRE : 5
  • MCO : 5
  • DDD : 5

tcpserver+nc

  • ENC : 0
  • SCH : 5
  • INI : 5
  • EOC : 5
  • FRE : 5
  • MCO : 5
  • DDD : 5

The server starts via:

tcpserver -c 1 -t 1 -l127.0.0.1 -H -R -v 0 12345 ./server

The client starts via:

nc -q 1 127.0.0.1 12345

The blockdiagramm locks like the following set

 ___________           _____________________
|           |         |                     |
| client.sh | <>---<> | tcpserver server.sh |
|___________|         |_____________________|

A client request can be handeld:

respond=`echo 'request' | nc -q1 <host> <port>`

If the program server.sh has been changed, it will be available at the next call from client.sh.

stunnel

  • ENC : 5
  • SCH : 5
  • INI : 3 : permanent installation
  • EOC : 5
  • FRE : 5
  • MCO : 3 : unknown
  • DDD : 3 : unknown

openssl

  • ENC : 5
  • SCH : 5
  • INI : 4 : complex options
  • EOC : 5
  • FRE : 5
  • MCO : 0 : only single connection
  • DDD : 5 : only single connection
openssl s_client -quiet -verify 0 -cert cert.pem -key key.pem -connect localhost:port

ncat

  • ENC : 5
  • SCH : 5
  • INI : 5 : ssl option error
  • EOC : 5
  • FRE : 3 : client should end connection
  • MCO : 5
  • DDD : 0 : client wait endless on maximals connections

tinysshd

The idea is to use a own script instead of a terminal.

  • ENC : 5
  • SCH : 3 : untested
  • INI : 5
  • EOC : 3 : untested
  • FRE : 3 : untested
  • MCO : 5
  • DDD : 3 : untested

mosquitto via MQTT

  • ENC : 5
  • SCH : 0 : because pipe construct
  • INI : 3 : not easy
  • EOC : 5
  • FRE : 5
  • MCO : 5
  • DDD : 2 : tested with a message loop; endless

A server must be installed centrally. Subscribers and publishers connect to this server.

       _______________________                                 _______________________
      |                       |                               |                       |
+---> | sub | client.sh | pub | >---> mosquittio-server >---> | sub | server.sh | pub | >---+
|     |_______________________|                               |_______________________|     |
|                                                                                           |
+-----------------------------------< mosquittio-server <-----------------------------------+

socat

  • ENC : 5
  • SCH : 5
  • INI : 4 : not so easy
  • EOC : 0 : ssl break on long responds
  • FRE : 0 : ssl break on long responds
  • MCO : 0 : only single connection
  • DDD : 5 : only single connection

The tool ncat from the nmap package use ssl as option. A server like tcpserver for multiple connections starts with:

socat -d -d -d -d -T30 -t 30 OPENSSL-LISTEN:12345,reuseaddr,pf=ip4,fork,cert=cert.pem,cafile=cert.crt,compress=auto,keepalive,ignoreeof SYSTEM:./server.sh

The client can be started by …

echo 'hello' | socat -T30 -t 30 - OPENSSL:127.0.0.1:12345,cafile=cert.crt,cert=cert.pem,verify=0,pf=ip4,compress=auto,keepalive,ignoreeof

ERROR : The script server.sh writes every second an anwser line, but the client gets only the first line.

Disclaimer | Impressum | Privacy | Copyleft