Next Generation SSH2 Implementation: Securing Data in Motion, 1st Edition
Author(s): Max Caceres, Aaron E. Earle, Devin Ganger, Wipul Jayawickrama,
Jan Kanclirz Jr., Dale Liu, Tim Robichaux, Eric S. Seagren, Brad Smith,
Christopher Stokes
ISBN(s): 9781597492836, 1597492833
Edition: 1st
File Details: PDF, 7.16 MB
Year: 2008
Language: English
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”)
of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS
and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental
or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion
or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with
computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and
“Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™,
“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc.
Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Unique Passcode
75285725
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803
Next Generation SSH2 Implementation: Securing Data in Motion
Copyright © 2009 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted
under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any
means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the
exception that the program listings may be entered, stored, and executed in a computer system, but they may not be
reproduced for publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN 13: 978-1-59749-283-6
Publisher: Laura Colantoni
Acquisitions Editor: Andrew Williams
Developmental Editor: Matthew Cater
Technical Editors: Dale Liu, Max Caceres, Justin Peltier
Page Layout and Art: SPI
Copy Editor: Jill Batistick, Judith H. Eby and Michelle Huegel
Indexer: SPI
Cover Designer: Michael Kavish
Project Manager: Andre Cuello
For information on rights, translations, and bulk sales, contact Matt Pedersen, Senior Sales Manager, Corporate Sales,
at Syngress Publishing; email m.pedersen@elsevier.com.
Library of Congress Cataloging-in-Publication Data
Liu, Dale.
Next generation SSH2 implementation: securing data in motion / Dale Liu.
   p. cm.
Includes index.
ISBN 978-1-59749-283-6
1. UNIX Shells. 2. Computer security. 3. Data encryption (Computer science)
4. Computer networks--Security measures. I. Title.
QA76.9.A25L59 2008
005.8--dc22
2008040375
Lead Author and Technical Editor
Dale Liu (MCSE Security, CISSP, MCT, IAM/IEM, CCNA) has been working in
the computer and networking field for over 20 years. Dale’s experience ranges from
programming to networking to information security and project management.
He currently teaches networking, routing and security classes, while working in
the field performing security audits and infrastructure design for medium to large
companies. He currently resides in Houston, TX with two cats. He enjoys cooking
and beer brewing with his girlfriend and live-in editor Amy.
Dale wrote Chapter 1, “Introduction,” Chapter 4, “SSH Features,” Chapter 6, “SSH Client
Basics,” and Chapter 11, “SSH Command Line and Advanced Client Use.” Dale also
technically edited Chapters 1, 2, 3, 5, 6, 7, 8, 9, 12 and 13.
Contributing Authors
Max Caceres is director of research and development for Matasano
Security, an independent security firm specializing in providing software
and services to help organizations and vendors improve their security
postures. Max has over 14 years of product development and security
research experience, and is one of the security industry’s leading experts
on penetration testing. Before joining Matasano, Max led the team
responsible for creating the first automated penetration testing product,
CORE IMPACT, and co-invented several now patented technologies
including system call proxying and exploit automation.
Max lives in New York City and enjoys spending time with his wife
Gabriela and jumping out of airplanes.
Max wrote Chapter 10, “Mac SSH,” and technically edited Chapter 11,
“SSH Command Line and Advanced Client Use.”
Dario V. Forte, CISM, CFE, is Adj. Faculty at the University of Milano
at Crema, and Founder of the IRItaly Project at DFlabs. Dario, a former
police detective and founder of DFLabs, has worked in information
security since 1992. He has been involved in numerous international
conferences on information warfare, including the RSA Conference,
Digital Forensic Research Workshops, the Computer Security Institute,
the U.S. Department of Defense Cybercrime Conference, and the
U.S. Department of Homeland Security (New York Electronic Crimes
Task Force). He was also the keynote speaker at the Black Hat conference
in Las Vegas. Dario also provides security consulting.
Dario graduated in Organizational Sciences at the University of Torino,
with a PGd in Computer Security from Strayer University and an MBA
from the University of Liverpool.
Cristiano Maruti, Thomas Orlandi, and Michele Zambelli are security
consultants at DFlabs, Italy, and are in the development team of the PTK,
the advanced open source forensic interface. Graduated in Computer
Science at the University of Milano, Cristiano, Thomas and Michele
have written several publications and have contributed to many research
projects worldwide. Their research interests are (but not limited to) Digital
Forensics, Information Security, Log Analysis, and Information Security
Risk Management.
Dario wrote Chapter 7, “The SSH Server Basics,” along with Cristiano
Maruti, Thomas Orlandi, and Michele Zambelli, of The IRItaly Project at DFlabs.
Devin L. Ganger is a Messaging Architect for 3Sharp, Microsoft Exchange
MVP, Battlestar Galactica fan, Call of Duty 4 addict, writer, speaker, blogger,
husband, father, and geek. He is a lover, not a fighter, despite venturing into
karate for health and fitness. His current plan of record is to retire from
IT “real soon now”, become a dilettante and science fiction novelist and
settle down to the challenging second career of ruling a small country with
an iron fist.
Devin wrote Chapter 8, “SSH on Windows.”
Wipul Jayawickrama is the Managing Director of Infoshield, a company
bringing together the skills, knowledge and expertise in information security
to serve clients across Australia, Fiji, Sri Lanka, and Papua New Guinea.
Wipul is a Certified Information Systems Security Professional (CISSP)
with over 16 years of experience in the IT industry. During this period,
he has held diverse roles in both technical and management capacities.
As a consultant he has worked with government, financial and corporate
clients from a wide range of industry sub sectors.
His specializations include SCADA systems vulnerability assessment
and audits and risk management. His recent engagements include the
establishment of the Sri Lankan National Computer Emergency
Response Team and several Lead Security Consultant roles in Critical
Infrastructure Computer Network Vulnerability Assessments.
Wipul is currently reading a Master’s Degree in Information Security
and Intelligence, and holds several industry certifications in information
security. He has presented at many national and international conferences
and information security interest group conventions.
He is also a SANS GIAC Certified Systems and Network Auditor
(GSNA) and was recently accredited with International Information
Systems Security Professional Certification Scheme Practitioner (ISSPCS)
status.
He has been published in the Lecture Notes in Computer Science
series and is also the coauthor of a forthcoming book to be published
by the British Standards Institute on Integrated Management Systems for
Information Security and IT Service Management.
Wipul wrote Chapter 3, “An Introduction to Cryptography.”
Jan Kanclirz Jr. (CCIE #12136-Security, CCSP, CCNP, CCIP, CCNA,
CCDA, INFOSEC Professional, Cisco WLAN Support/Design Specialist)
is currently a Senior Network Information Security Architect at MSN
Communications. Jan specializes in multi-vendor designs and post-sale
implementations for several technologies such as VPNs, IPS/IDS, LAN/
WAN, firewalls, content networking, wireless and VoIP. Beyond network
designs and engineering, Jan’s background includes extensive experience
with open source applications and Linux. Jan has contributed to several
Syngress book titles on topics such as: Wireless, VoIP, Security, Operating
Systems and other technologies. When Jan isn’t working or writing books
he enjoys working on his security portal and exploring outside adventures
in Colorado.
Jan wrote Chapter 13, “SSH Port Forwarding.”
Justin A. Peltier is a Senior Security Consultant with extensive experience
in firewall and security technologies. Mr. Peltier currently holds ten
certifications in an array of technology and security products and is the author
or co-author of several security books, including “Information Security
Fundamentals” and “How To Manage a Network Vulnerability Assessment”
and is currently working on “Security Testing: Practices, Guidelines and
Examinations”.
Mr. Peltier has been involved in implementing, supporting and
developing security solutions and has taught courses on many facets of
IT security including Vulnerability Assessment and CISSP preparation.
He has also directed the security practice development and trained at
the corporate level with companies like Suntel Services and Netigy.
Justin has taught classes for a variety of training institutes and companies
all across the United States, Europe and Asia.
Justin technically edited Chapter 4, “SSH Features,” and Chapter 10,
“Mac SSH.”
Tim Robichaux is a consultant with over 10 years of experience in
Linux and Microsoft Windows integration. Currently working as a Unified
Communications Consultant, he continues to provide technical expertise
in the field of system integration and administration. He has his MCSE
and CCNA and is a former United States Marine. Tim currently lives in
the Seattle area with his wife Julie, and three cats.
Tim wrote Chapter 9, “Linux SSH.”
Eric S. Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, CNE-4, MCP+I,
MCSE-NT) has twelve years of experience in the computer industry,
with eight years spent in the financial services industry working for a
Fortune 100 company. Eric started his computer career working on Novell
servers and performing general network troubleshooting for a small
Houston-based company. While working in the financial services industry,
his position and responsibilities advanced steadily. His duties have included
server administration, disaster recovery responsibilities, business continuity
coordinator, Y2K remediation, network vulnerability assessment, and
risk management responsibilities. He has spent the last few years as an
IT architect and risk analyst, designing and evaluating secure, scalable,
and redundant networks.
Eric has worked on several books as a contributing author or technical
editor. These include: Netcat Power Tools (Syngress), How to Cheat at
Configuring Open Source Security Tools (Syngress), Secure Your Network
for Free (Syngress), Designing and Building Enterprise DMZ’s (Syngress),
Firewall Fundamentals (Cisco Press), Configuring Checkpoint NGX
(Syngress), Hacking Exposed: Cisco Networks (McGraw-Hill), Hardening
Network Security (McGraw-Hill), and Hardening Network Infrastructure
(McGraw-Hill). He has also received a CTM from Toastmasters of America.
Eric wrote Chapter 12, “SSH Server Advanced Use.”
Brad Smith, RN, ASCIE, MCNPS, CISSP, NSA-IAM, Director and
Principal Owner of Computer Institute of the Rockies, began working
with computer technology in 1972. His company, the Computer Institute
of the Rockies, was named the 2005 Microsoft Small Business Partner of
the Year. Brad was the first Registered Nurse (RN) / Microsoft Certified
Professional (MCP), and is currently the only RN / Certified Information
Security Systems Professional (CISSP) in the country. Brad maintains
a private practice as an informatics nurse, specializing in information
security.
From years of nursing practice and with a degree in Clinical Psychology,
Brad has an indelible ability to use and understand persuasion techniques
and the practice of influence. Brad is a frequent presenter, trainer and lecturer
on Neuro-Linguistic Programming, informatics and security topics at
a variety of national conferences, including Computer Security Institute,
DEFCON, HIMSS and INFOSEC.
Brad wrote Chapter 5, “SSH Shortcomings.”
Christopher Stokes currently works as a network engineer with the
Hewlett-Packard Corporation. As an engineer, he has been involved in
building many large scale DMZs and security zones. His IT and security
experience spans over 14 years with many high profile companies and
engineering firms. He has extensive knowledge in the areas of OS hardening,
sniffer analysis, firewall technology and vulnerability assessment. In his spare
time, he performs research into Internet threats such as viruses, spyware,
botnets, application exploits and attack techniques. He has presented the
results of his research to many local and federal law enforcement agencies.
His interest in security has been driven by the addiction to understand
the latest techniques used by hackers. Chris currently holds the following
certifications: CCNA, CEH, CNX, NCA, CST, NANS, A+ and Network+.
Christopher wrote Chapter 2, “OSI Model and Then Some.”
Acknowledgments
I would like to dedicate this book first to the Staff, Publisher and Editors at Syngress:
■ Laura Colantoni, Publisher
■ Matt Cater, Developmental Editor
■ Gary Byrne, Developmental Editor
And to all of the other contributing authors, editors and copy editors, without these people this
project could not have succeeded!
To Tommy and the entire staff of the Bull and the Bear Tavern and Eatery, in Houston, Texas!
Especially Table #1 where a lot of the book was created and edited, you really have a great place
to work!
And finally and most importantly to Amy Mitamura, my Muse, Inspiration, Support and in-house
Editor, your continued support and understanding were vital for this process to come to completion!
I thank you all!
—Dale Liu
Chapter 1
Introduction

Solutions in this chapter:
■ Why Is There a Need to Use SSH?
■ What SSH Does and Does Not Do
■ Comparison Between SSH and SSHv2
■ What Are SCP and SFTP?
■ SSH and the C-I-A Triad

˛ Summary
˛ Solutions Fast Track
˛ Frequently Asked Questions

Introduction
The purpose of this book is to explore the needs and functions of Secure Shell (SSH). We will
endeavor to explain the history of the networks we use today and how they developed and expanded
to a point where tighter security became increasingly more important.
We will look at how the OSI (Open Systems Interconnect) model and SSH relate to each other
and also how to use the OSI model for troubleshooting network connectivity. Then we will look at
the role of cryptography and the various methods of encryption from which we can draw. Once we
understand the cryptography, we will then look at the actual SSH standards and how this protocol
can aid in the secure transmission of controls and commands across the network. Then the various
SSH platforms will be discussed and documented. The later chapters will round out the book with
topics on port forwarding.
So let us embark on our journey with a brief history and introduction to SSH; all aboard!
Why Is There a Need To Use SSH?
In the beginning there were mainframe computers. These large computers allowed programmers to
input large mathematical formulas that would take hours or days to solve by hand. These computers
could take the same formula and data and solve it in seconds or minutes. As these computers
became more flexible and could handle not only mathematical data but also text and numerical
information, people began to use them to manage more and more business and research data.
Computers became more than just a tool for college and government organizations, as they started
to be able to manage business data. As they became smaller and more powerful, tools to input and
store data came into being and costs became more reasonable.
More customers were in the business world. These computers stored massive amounts of data and
people could access these machines in a controlled environment. The topology of the network was
called the Centralized Data Model; in this model all the data was stored on one central computer and
access was through “dumb” terminals. The terminals themselves had no computer processing power
or storage. This protected the data from loss, damage, theft, and spying. In this model encryption was
not necessary as the data was never vulnerable to the outside world. People could see only what the
administrators allowed through the “green screen,” or dumb terminal.
As computers became more powerful and a need to share data across diverse and distant locations
became more prevalent, wide area connections were established. At first these connections were done
over analog phone lines using modem (Modulator/Demodulator) technology. There were two types
of modems, synchronous and asynchronous. Synchronous modems used a special timing bit in the
stream to keep the communications channel operating smoothly. In asynchronous modems, instead
of a constant timing bit, the technology used a start and stop bit for each part of the transmission,
ensuring each piece of data was received consistently. These analog connections were point to point
and it was not easy for people to “listen in” on these connections.
As communications technology progressed and a shared, or interconnected, network of networks
developed and more and more “private” data was being transmitted over these open links, the need
for encrypted transmission became necessary. In addition to wide area transmission,
personal computers also brought about internal or Local Area Networks (LANs). These internal
networks allowed computers to transmit and receive data from other computers and servers within
the building. The data traffic of these devices became subject to eavesdropping by other individuals
inside the network. The eavesdropping, also known as packet capturing, allowed internal people to
view data they might not otherwise have had the privilege of viewing. These two scenarios increased the
need for data encryption.
For each type of remote connection, there are options on how to secure it. In this book we
will focus on remote login/control from a client to a server. In the early days, we had two options.
The first was remote login, or RLOGIN (TCP port 513); it allowed us to open a session on a UNIX
server and issue commands. The second option was telnet (TCP port 23); both of these protocols
use a clear text channel to send and receive information. Any user with a packet capture program like
Wireshark™ will be able to see the entire session, including usernames and passwords. As networks
became more vulnerable to these types of attacks and data leakage, we needed to protect the sessions.
For this connectivity issue, SSH is the answer.
SSH employs strong, industry recognized encryption methods to protect your data from exposure.
It makes no difference if you are using SSH across your local area network or the Internet from
a remote location; your data will be secured in these encrypted channels. This software replaces telnet
and rlogin as your connectivity method and offers protection to your data. Continued use of rlogin
and telnet could be considered a violation of your organization’s security policy and in some cases a
violation of law; Sarbanes-Oxley, for example, mandates that all communications containing financial
data must be encrypted. If you are using telnet to create a remote session to a UNIX computer that
contains your financial application, you are not in compliance with Sarbanes-Oxley.
Are You Owned?
Data Loss, an Inside Job
Survey after survey shows that data loss and data exposure are most likely done by
people inside the organization. Check out some of the statistics:
■ 61% of respondents think data leakage is an insider’s job. 23% believe those leaks are malicious.
  McAfee and Datamonitor’s Data Loss Survey, 2007 (requires registration)
■ 85% of organizations surveyed reported that they have had a data breach event.
  Scott and Scott LLP and Ponemon Institute LLC, May 15th, 2007
■ One third of companies surveyed said a major security breach could put them out of business.
  McAfee and Datamonitor’s Data Loss Survey, 2007 (requires registration)
■ More than 90% of the breaches were in digital form.
  2006 Annual Study: The Cost of Data Breach. Ponemon Institute, LLC, 2007
These statistics can be found at: http://www.absolute.com/resources/computer-theft-statistics-details.asp
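As an added example (not from the book), the following Python script turns the policy point above into a check: it audits a host’s listening sockets for the clear-text remote-login services named in this chapter (telnet on TCP 23, rlogin on TCP 513) and the clear-text FTP ports from Table 1.1, and reports whether an SSH listener on TCP 22 is present to replace them. It parses `ss -ltnp`-style output from a constructed sample; the addresses and process names are made up.

```python
"""Audit listening sockets for clear-text remote-login services.

Added example, not from the book. It parses the row format printed by
`ss -ltnp` on Linux (here a constructed sample), flags the clear-text
protocols the chapter names (telnet/23, rlogin/513, FTP/20-21) and checks
that an SSH listener (TCP 22) exists as their encrypted replacement.
"""
import re
from dataclasses import dataclass

# Ports the chapter identifies as clear-text, mapped to (service, SSH-based replacement).
CLEAR_TEXT_SERVICES = {
    23: ("telnet", "ssh (TCP 22)"),
    513: ("rlogin", "ssh (TCP 22)"),
    21: ("ftp control", "sftp or scp over ssh (TCP 22)"),
    20: ("ftp data", "sftp or scp over ssh (TCP 22)"),
}
SSH_PORT = 22

# Constructed sample of `ss -ltnp` output; addresses, pids and process names are made up.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=611,fd=3))
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*          users:(("inetd",pid=402,fd=5))
LISTEN  0       5       0.0.0.0:513          0.0.0.0:*          users:(("inetd",pid=402,fd=6))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=820,fd=21))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=611,fd=4))
"""


@dataclass(frozen=True)
class Finding:
    local_address: str
    port: int
    service: str
    process: str
    replacement: str


# One LISTEN row: state, queues, local addr:port, peer addr:port, optional users:(("name",...)).
_ROW = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output: str) -> list[tuple[str, int, str]]:
    """Return (local_address, port, process) for every LISTEN row in the output."""
    listeners = []
    for line in ss_output.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header line, or a socket that is not in LISTEN state
        listeners.append((m["addr"], int(m["port"]), m["proc"] or "unknown"))
    return listeners


def audit_clear_text_logins(ss_output: str) -> dict:
    """Flag clear-text login/file-transfer listeners; report whether SSH is available instead."""
    listeners = parse_listeners(ss_output)
    findings = []
    for addr, port, proc in listeners:
        if port in CLEAR_TEXT_SERVICES:
            service, replacement = CLEAR_TEXT_SERVICES[port]
            findings.append(Finding(addr, port, service, proc, replacement))
    ssh_present = any(port == SSH_PORT for _, port, _ in listeners)
    return {
        "findings": findings,
        "ssh_listener_present": ssh_present,
        # The host is compliant with a "no clear-text remote login" policy only if nothing was flagged.
        "compliant": not findings,
    }


if __name__ == "__main__":
    report = audit_clear_text_logins(SAMPLE_SS_OUTPUT)
    for f in report["findings"]:
        print(f"{f.service} listening on {f.local_address}:{f.port} "
              f"(process {f.process}); replace with {f.replacement}")
    print("ssh listener present:", report["ssh_listener_present"])
    print("compliant:", report["compliant"])
```

On a live Linux host, feed the script the real output of `ss -ltnp` instead of the constructed sample.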
What SSH Does and Does Not Do
Is SSH a complete encryption solution for all your network needs? No! SSH is a method of connecting
to a remote system and creating a console session for the issuing and executing of commands in an
encrypted channel. It is not a remote access method for connecting to a LAN over a wide area
connection; it is not a protocol that will encrypt your e-mail over the Internet. It provides for the
ability to do the functions of rlogin and telnet with the added protection of encryption.
If you were to connect to a remote network (LAN) from a remote location, you would need
Virtual Private Network (VPN) technology; to protect your e-mail with encryption, you would need
PKI (Public Key Infrastructure), also known as digital signatures. Each type of data and connectivity
will have its own type of encryption and protection. If you do not employ some method of protection,
you will increase the risk of data exposure and loss.
It is important to know the limitations of any type of security solution. SSH’s major purpose is
to establish encrypted shell sessions between your client machine and a server of some sort (that server
could be an actual Linux, UNIX or Windows server, or it could be a router, firewall or switch).
It also gives you the ability to securely copy files from machine to machine. It does not, however,
protect data sent outside the encrypted channel. You can use some aspects of SSH to create encrypted
tunnels between your e-mail server and a spam filtering system. Once you get past the spam filtering
system, you are back to clear text data!
Notes from the Underground…
Types of Attacks
Throughout this book you will be introduced to a number of data attacks; these
include man-in-the-middle, replay, packet capture, spoofing, and data manipulation.
Each of these attacks can be stopped by adding encryption. This protects your data
from view and manipulation, but only if the encryption is strong and implemented
properly!
Comparison Between SSH and SSHv2
The major differences between the original SSH and the second version are the added encryption
and security features. According to the US Computer Emergency Response Team (US-CERT), there
are, at the time of this writing, at least 50 known vulnerabilities with SSH in their database. Over
time any protection standard will be weakened by attacks. It was not long ago that the 3DES block
encryption standard was unbreakable; now it cannot be used on federal and military networks because
it has been breached.
SSH Version 1 was developed by Tatu Ylönen in 1995, which was the year the Internet was first
opened to the general public. It was a response to attacks that he detected on his data sessions. Ylönen
was a researcher at the Helsinki University of Technology; he gathered a group of researchers to come
up with a protocol that would replace the insecure methods, such as telnet and rlogin, of connecting
to shell sessions and stop the exposure of usernames and passwords in clear text. In July of 1995 he
released his first version, now known as SSH-1, and by December 1995, the user base of SSH-1 had
grown to over 20,000. In 1996 a revised SSH was released by Ylönen; this was called SSH-2 and had
increased security by adding stronger hashing algorithms created by Whitfield Diffie and Martin
Hellman. These algorithms not only strengthened the protocol, but also, by incorporating industry
recognized technologies, made the protocol more compatible across divergent technologies. In 2006
the SSH-2 protocol became a proposed industry standard by having been submitted as an RFC
(Request For Comment) with the Internet Engineering Task Force (IETF). See Chapter 4 for
references to the RFCs documenting SSH-2 or SSHv2.
The volunteers at the OpenBSD Foundation, a Canadian not-for-profit corporation who do
not fall under US encryption laws, took the open source standards created and created OpenSSH,
which was derived from code originally released as OSSH. This has become one of the most popular
releases of SSH in use today due to its open source license. Figure 1.1 shows the current website of
the OpenSSH foundation.
Note
The URL for the US Computer Emergency Response Team is http://www.kb.cert.org.
You can search for SSH vulnerabilities there.
Encryption Standards
If you are talking VPN, SSH, digital signatures, and PGP (Pretty Good Privacy), you are talking about
encryption and hashing algorithms. In this book we will talk primarily about the algorithms that
pertain to SSH. However, most of the technologies and algorithms we discuss will be similar, if not
the same as, protocols used in other secure protocols.
Some of the protocols we will discuss in future chapters are as follows:
■ 3DES (Triple Data Encryption Standard)
■ ARCFOUR (Alleged RC4)
■ Twofish symmetric
■ Serpent
■ Blowfish
■ AES, the Advanced Encryption Standard
Figure 1.1 OpenSSH Homepage
These protocols are industry standard protocols that are currently included in the SSH protocol
and in other associated commands such as SCP and SFTP. As other protocols are accepted by the
industry at large, they will be added to the SSH standards. See Chapter 4 for more information on
these protocols.
What Is SCP and SFTP?
SCP (Secure Copy) is a command defined by the IETF in cooperation with SFTP (Secure File
Transport Protocol). SFTP has in the past been confused with Simple File Transport Protocol as both
have been referenced by the SFTP acronym.These two utilities allow us to move files and data from
one machine to another in an encrypted manner. SCP allows files from one directory on the source
machine to be copied to a directory on the remote machine in a scripted, or batch file, structure.
See the chapter on command line and advanced SSH for the options and functions of this command.
IETF RFC (Request for Comment) describes these protocols.
Both SCP and SFTP operate on TCP Port 22, like SSH itself. However SFTP is not just FTP
(File Transport Protocol) over SSH; it is a totally new program developed from the ground up.
Table 1.1 compares FTP, SCP and SFTP.
Note
For more historical information on cryptography, check out this URL from Wikipedia:
http://en.wikipedia.org/wiki/Cryptography
Note
The Command Line Manual Pages for SFTP and SCP (OpenSSH Standard) can be
located at these locations:
http://www.openbsd.org/cgi-bin/man.cgi?query=sftpsektion=1 and
http://www.openbsd.org/cgi-bin/man.cgi?query=scpsektion=1
8 Chapter 1 • Introduction
SSH and the C-I-A Triad
The C-I-A triad (Figure 1.2) is a balance between confidentiality, integrity, and availability.
If any of these are compromised, the data we are trying to protect can be affected in a negative
and costly way. Let’s take a look at each of these three parts, how the effect the data, and how we
protect them.
Figure 1.2 C-I-A (Confidentiality, Integrity and Availability)
Table 1.1 Comparison of FTP, SCP, and SFTP
Port
  FTP (File Transfer Protocol): TCP 21 (control) and TCP 20 (data)
  SCP (Secure Copy): TCP 22, inside the SSH connection
  SFTP (SSH File Transfer Protocol): TCP 22, inside the SSH connection
Transfer style
  FTP: clear-text interactive file transfer
  SCP: encrypted point-to-point file copy
  SFTP: encrypted interactive file transfer
Speed versus security
  FTP: high speed, no security
  SCP: medium speed, high security
  SFTP: lower speed, high security
Large files (over 4 GB)
  FTP: depends on the server and client implementation
  SCP: depends on the implementation
  SFTP: the protocol uses 64-bit file offsets, so only the implementation limits file size
Batch use
  FTP: not easily used in batch files
  SCP: easily used in batch files and scripts
  SFTP: mainly interactive, though OpenSSH's sftp accepts a batch file of commands (-b)
Integrity checking
  FTP: none
  SCP: every SSH packet carries a keyed MAC (HMAC); the keys come from the Diffie-Hellman key exchange
  SFTP: same as SCP (the SSH transport provides it)
Encryption
  FTP: none
  SCP: whatever cipher SSH negotiates: 3DES, AES, arcfour (RC4) and other industry standards
  SFTP: same as SCP
Authentication
  FTP: anonymous or clear-text user name and password
  SCP: any SSH method: password or public key pair; no certificate PKI is required
  SFTP: same as SCP
OpenSSH
  FTP: not part of OpenSSH
  SCP: shipped with OpenSSH
  SFTP: shipped with OpenSSH
Confidentiality is keeping the data secret from people who have no "need to know." The data
is the property of your company, and only those people in the organization who have to use,
update, modify, or analyze the data should be allowed access to it. However, there are people both
inside and outside the company who want to know your information. They could be disgruntled
employees, competitors, teenagers with too much time on their hands, or simply people who stumble
onto the information because of inadequate protection processes and controls. To protect the
confidentiality of your data, you incorporate different layers of protection. You put the people and
the data behind a firewall so that only people inside the firewall can see the resource. You apply
ACLs (Access Control Lists) that give individuals only the rights they need: some might need read
only access, some write only (order entry takers), and some read and write. You require complex
passwords so that people who are not authorized cannot easily gain access, and lastly, and most
importantly, you apply encryption.
Encryption stops someone whose only access is a tap on the wire from eavesdropping and capturing
the data. It applies an algorithm with a secret key on the sending side and the matching algorithm and
key on the receiving side. There are two categories of encryption. In symmetric key encryption the key
used to encrypt the data is the same one used to decrypt it, so both parties must already share that
key. In asymmetric (public key) encryption a key pair is generated; one key is public and one key is
private. Data encrypted with the public key can be decrypted only with the private key, so anyone can
encrypt a message that only the holder of the private key can read. The private key is used the other
way round for authenticity: a value produced with the private key (a digital signature) can be checked
by anyone holding the public key, which proves who produced it. Combining the two gives both
properties: the sender signs the document with his or her own private key and encrypts it for the
receiver's public key, so only the receiver can open it and the receiver can verify that it came from
the sender. Asymmetric operations are slow, so in practice they protect a small session key and a
symmetric cipher protects the bulk data. That is exactly how SSH (Secure Shell) works: a Diffie-Hellman
exchange during connection setup agrees a fresh shared secret, symmetric keys for the cipher and the
MAC are derived from it, and the server's host key pair (and optionally the user's key pair) is used
only to authenticate the parties. SSH needs no certificate authority or formal PKI for this; the client
simply keeps the host's public key in its known_hosts file. This lets sensitive data cross an unsecure
LAN or WAN topology safely.
Integrity of data is another critical part of the C-I-A triad. If you cannot rely on the correctness
of your data, what value can you place in it? If you cannot ensure that the transactions between you
and your system are accurate, questions will follow that could jeopardize the reputation of your
organization, and once reputation is lost most people will take their business elsewhere. To ensure
the integrity of data, you have to make sure that people cannot capture and modify the data stream.
The classic attack on these records is the man-in-the-middle attack: the attacker inserts himself into
the path, records the data stream, modifies something in it, and then lets it continue on its journey.
The attack can work against a server (modifying data before it reaches the server) or against a client
(modifying the server's replies before they reach the client). Each part of the triad needs many layers
of protection. Integrity can be protected by validating the data, checking that nothing in the stream
has been altered, and having routines that normalize the data as it enters the system. Encryption alone
does not give integrity: a cipher hides data but does not by itself reveal that ciphertext was changed.
SSH therefore attaches a message authentication code (MAC), keyed from the same key exchange, to every
packet, so a modified, replayed, or reordered packet is detected and the connection is dropped. As you
will see in later chapters, the weak point is the first connection: if the client accepts an unverified
host key, a man-in-the-middle can impersonate the server. Even so, it is safer to have this layer of
protection than not!
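The key exchange, key derivation and per-packet MAC described in the two paragraphs above, as an added worked example in Python (not code from the book or from OpenSSH). It follows the mpint encoding of RFC 4251, the key derivation of RFC 4253 section 7.2 and the MAC construction of RFC 4253 section 6.4 using only the standard library. Assumptions: the Diffie-Hellman prime is the Oakley group 2 value as transcribed here (the demonstration does not depend on its exact digits), and the exchange hash H is a constructed simplification that covers only e, f and K rather than the full list of values the real protocol hashes.

```python
import hashlib
import hmac
import secrets
import struct

# Oakley group 2 (RFC 2409, 1024-bit MODP), the group behind SSH's
# diffie-hellman-group1-sha1.  Assumption: transcribed from memory for this
# demonstration; the code works for any safe prime, but a real client must use
# the vetted constant and, today, a larger group (group 14 or bigger).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


def mpint(n: int) -> bytes:
    """RFC 4251 mpint: uint32 length followed by a big-endian two's-complement value."""
    if n == 0:
        return struct.pack(">I", 0)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:              # a leading 1 bit would read as negative
        body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def dh_keypair():
    """Private exponent x and public value g^x mod p for one side of the exchange."""
    x = secrets.randbelow(P - 3) + 2            # 2 <= x <= p-2
    return x, pow(G, x, P)


def dh_shared(x: int, peer_public: int) -> int:
    """Shared secret K; RFC 4253 requires rejecting degenerate values (1 < e, f < p-1)."""
    if not 1 < peer_public < P - 1:
        raise ValueError("degenerate Diffie-Hellman public value")
    return pow(peer_public, x, P)


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes, length: int) -> bytes:
    """RFC 4253 7.2: K1 = HASH(K||H||letter||session_id), Kn = HASH(K||H||K1||...||Kn-1)."""
    k_enc = mpint(k)
    key = hashlib.sha1(k_enc + h + letter + session_id).digest()
    while len(key) < length:                     # extend for keys longer than one digest
        key += hashlib.sha1(k_enc + h + key).digest()
    return key[:length]


def packet_mac(mac_key: bytes, seqno: int, packet: bytes) -> bytes:
    """RFC 4253 6.4: mac = MAC(key, sequence_number || unencrypted_packet)."""
    return hmac.new(mac_key, struct.pack(">I", seqno) + packet, hashlib.sha1).digest()


def packet_mac_ok(mac_key: bytes, seqno: int, packet: bytes, tag: bytes) -> bool:
    """Constant-time check of a received packet's MAC."""
    return hmac.compare_digest(packet_mac(mac_key, seqno, packet), tag)


def demo() -> dict:
    """One client/server exchange, then the three things the MAC is meant to catch."""
    x_c, e = dh_keypair()                        # client sends e
    x_s, f = dh_keypair()                        # server sends f
    k_client = dh_shared(x_c, f)
    k_server = dh_shared(x_s, e)
    # Constructed exchange hash: the real H also covers version strings, KEXINIT
    # payloads and the server host key (which the server signs to prove identity).
    h = hashlib.sha1(mpint(e) + mpint(f) + mpint(k_client)).digest()
    session_id = h                               # the first H of the connection
    enc_c2s_client = derive_key(k_client, h, b"C", session_id, 32)   # e.g. AES-256 key
    enc_c2s_server = derive_key(k_server, h, b"C", session_id, 32)
    mac_c2s_client = derive_key(k_client, h, b"E", session_id, 20)   # HMAC-SHA1 key
    mac_c2s_server = derive_key(k_server, h, b"E", session_id, 20)
    packet = b"\x00\x00\x00\x0c\x06hello, world"   # constructed packet bytes
    tag = packet_mac(mac_c2s_client, 3, packet)      # client's 4th packet (seq 3)
    tampered = packet.replace(b"hello", b"hallo")    # man-in-the-middle edit
    return {
        "keys_agree": k_client == k_server and enc_c2s_client == enc_c2s_server,
        "genuine_accepted": packet_mac_ok(mac_c2s_server, 3, packet, tag),
        "tampered_accepted": packet_mac_ok(mac_c2s_server, 3, tampered, tag),
        "replayed_accepted": packet_mac_ok(mac_c2s_server, 4, packet, tag),
    }
```

Because the sequence number is folded into the MAC, a packet captured and re-sent later (or delivered out of order) fails the check just as a modified packet does; that is why SSH drops the connection on a bad MAC rather than trying to resynchronize.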
Availability, the ability to get at the data when and as needed, rounds out this balanced triangle.
If you are prevented from accessing the data, it is useless to the organization no matter how accurate
and well protected it is. Protecting availability means, among other things, resisting denial-of-service
(DoS) attacks. Connections to the server should be consumed only by authenticated users accessing
appropriate data; if attackers tie those connections up so that legitimate users cannot get in,
availability is compromised. Strong authentication (public keys and two-factor methods) keeps
unauthorized users from consuming sessions, but it does not stop an attacker from flooding the
listening port; for that you need rate limiting and connection caps at the firewall and in the server
itself (OpenSSH's MaxStartups and LoginGraceTime settings exist for this reason). Again, as in each
section, multiple layers of protection are needed. SSH, while a strong protocol, is not the answer to
all of these issues on its own. It is a viable part of your solution, but only a part.
Summary
In this chapter we looked at the history of data transmission and how we moved from a centralized
data topology to a distributed one: from private connections to sending private data over public
access links via the Internet. Where data once stayed inside the building, data theft today is more
often than not an inside job, so we now have to worry about every aspect of our internal LAN just as
much as we worry about our WAN connections. SSH is the answer to the question "Why shouldn't I keep
using rlogin, rsh, rcp, FTP, and telnet?": because those protocols expose your sensitive data to anyone
who can see the wire. Through the growth of the Internet and the technologies built around it, data is
more exposed today than at any point in the past. Laws have been passed, and more are proposed, that
require certain types of traffic (legal, financial, and health) to be encrypted whenever it crosses
unsecure networks. SSH and its suite of utilities replace rlogin, rsh, rcp, and ftp, and its port
forwarding can tunnel otherwise unprotected traffic such as e-mail and web sessions across our
infrastructure.
You saw the C-I-A triad, Confidentiality, Integrity, and Availability, and how SSH protects each
aspect. We have seen that SSH is not a total answer to your security needs. Layers of defense must be
in place, overlapping in some areas, to provide a strong security profile. In addition, SSH is not a
replacement for a VPN or for firewalls, as those technologies have functions that apply in other areas
of security.
Solutions Fast Track
Why Is There a Need To Use SSH?
˛ Data is no longer centralized in a secure environment.
˛ Communications channels are not point-to-point or private.
˛ Data travels over unsecure public communications channels.
What SSH Does and Does Not Do
˛ SSH encrypts data between client and server, thereby replacing rlogin and telnet.
˛ SSH encrypts file transfers using SCP or SFTP in place of rcp or ftp.
˛ SSH does not replace VPN connectivity.
Comparison Between SSH and SSHv2
˛ Attackers found protocol-level vulnerabilities in the original SSH (SSHv1) that were addressed by the
  redesigned SSHv2 protocol.
˛ SSHv2 added stronger cryptography, including AES ciphers and HMAC-based integrity checking.
˛ OpenSSH, from the OpenBSD project, has become the most widely deployed SSHv2 implementation thanks to
  its open source code and free license. Commercial implementations are also available.
What Are SCP and SFTP?
˛ SCP: Secure Copy lets you copy files between a client machine and a remote server, replacing rcp,
  with command line options that make it easy to script without an interactive session.
˛ SFTP: SSH File Transfer Protocol lets you open an interactive session to move files and run
  file-management commands inside it, all protected from packet capture.
˛ Both protocols help ensure data integrity and confidentiality.
SSH and the C-I-A Triad
˛ Confidentiality: keeping the data from people who should not see it.
˛ Integrity: ensuring the data is correct.
˛ Availability: ensuring that people who need to access it can when they need to.
˛ Keeping the C-I-A triad balanced will keep your company from losing its most important asset: its
  reputation.
Frequently Asked Questions
Q: Why shouldn’t we use Telnet, Rlogin, RCP and FTP?
A: These protocols send sensitive information in clear text, which is vulnerable to packet capture.
Q: What is the best alternative to these protocols?
A: SSH replaces Telnet and Rlogin, SCP replaces RCP, and SFTP replaces FTP.
Q: Can firewalls block my traffic?
A: Yes,TCP port 22 must be open for these protocols to work.
Q: What are the major differences between SSHv1 and SSHv2?
A: SSHv1 has major protocol weaknesses, including weak integrity checking, that SSHv2 addressed with a
redesigned protocol; new deployments should allow SSHv2 only.
Q: Where can I find a good open source version of SSH?
A: OpenSSH is the most popular open source implementation and is available at http://www.openssh.org.
Q: Can I run an SSH client on Windows?
A: Yes. PuTTY is the most popular free client for Windows, with both a GUI and command line tools.
Q: Can I protect other protocols using SSH?
A: Yes. With port forwarding (the -L and -R options in OpenSSH) you can create tunnels for SMTP
(e-mail), POP3 (e-mail), and HTTP (web) traffic. Remember that only the hop inside the tunnel is
encrypted: once the traffic leaves the SSH server for its real destination it travels as the original
protocol, in clear text again.
Chapter 2
OSI Model and Then Some
Solutions in this chapter:
■ 50,000 Foot View of the OSI Model
■ Using the OSI Model to Troubleshoot
■ Applying the OSI Model to Forensics
˛ Summary
˛ Solutions Fast Track
˛ Frequently Asked Questions
16 Chapter 2 • OSI Model and Then Some
Introduction
As the title states, this is the OSI model chapter. If you have been in the technical field and read
any technical books, you have probably noticed this topic is in many of them. Let me stop you before
you skip over this chapter. It will be different from the typical certification and technical books
out there. I'll be honest: I personally hate reading the OSI model chapters in the books I have read.
It is the first chapter I want to skip, so I have designed this one to show you the interesting side
of the model and how it applies in the real world. Keep in mind that to get to the troubleshooting and
forensics sections you still need to understand the basic functionality of the OSI model, so bear with
me and I'll show you a side of it you have not seen before. The OSI portion of this chapter is short
compared with the other topics; the majority of the chapter is about applying the OSI model to
real-world scenarios.
50,000 Foot View of the OSI Model
The Open Systems Interconnection (OSI) model was created by the International Organization for
Standardization (ISO) in the late 1970s and early 1980s. It divides the tasks, services, and protocols
of network communication into seven layers, collectively called the stack because each layer is set
upon the one below it. The higher you go in the stack, the closer you are to the application; as you
travel down the stack, you get closer to the layers that deal with specific network functionality. The
layers are usually listed from the top down, following the direction an application's data takes:
application, presentation, session, transport, network, data link, and physical.
OSI is nothing more than a reference model to help guide the development of new protocols and
applications. You will not find it running on the network like TCP/IP or IPX/SPX. Originally it was
developed as a protocol stack with the intention that it would become widely used; it was designed to
be vendor neutral and cross-compatible between operating systems. OSI never took off as a protocol but
in time became a model used to describe what should occur at each layer. The model lets programmers
focus on how their program will talk to the network portion of the stack. This saves the programmer
work, and it keeps the industry from ending up with a whole bunch of proprietary network protocols tied
to particular applications. As long as vendors base their applications on the OSI model, existing
protocol stacks can be reused and software integration with other vendors is possible.
The OSI model is broken into more layers than protocol suites such as TCP/IP or IPX/SPX, which allows
a finer definition of what should happen at each level. Each suite shares similarities with the OSI
layers; some combine layers differently than others, but overall they can all be mapped back to the OSI
model. For instance, the upper three OSI layers correspond to the single application layer of the
TCP/IP stack. (The terms protocol stack and protocol suite are used interchangeably throughout the
chapter; both refer to the vertical arrangement of protocols.) The TCP/IP stack will be compared to the
OSI model throughout so that real-world examples of how it is used today can be shown. The purpose of
the TCP/IP suite is to let one networked system talk to another. Each layer in the stack receives
service from the layer below it and provides service to the layer above it. The transport layer adds a
header carrying the source and destination port numbers to the application data, producing a segment;
the Internet layer receives that segment and adds its own header with the source and destination IP
addresses, producing a packet; the packet is then handed to the network interface layer, which adds yet
another header (and a trailer) to create a frame. This process of encapsulation is repeated at most of
the steps from layer 7 down to layer 1, as shown in Table 2.1. When the remote side receives the frame,
the reverse process strips away the layers until only the data is left.
Note
Each layer in the stack has many protocols that operate at each of the levels. TCP/IP
would use different protocols at various levels of the stack than the IPX/SPX protocol
would. Don’t be confused when you see that each level has many protocols that can
operate there. Not all of them operate at the same time nor do they belong to the
same protocol stack. It really depends on what protocol stack is being used at
the time.
Before we get too far, let's define exactly what a protocol is. A protocol is nothing more than a set
of rules and guidelines. Applied to networking, a protocol defines how data must be structured so that
it can be sent across the network. When you add together the protocols from each of the layers, you end
up with a protocol stack.
This section of the chapter will give you ideas of what processes occur at each layer of the stack.
Once the foundation is covered, (Table 2.2), then there will be two scenarios on how to apply the
OSI model.
Table 2.1 This Example Shows the Mapping
of Layers Between the OSI Model and the TCP/IP Protocol Stack
The word encapsulation is a term we need to discuss before walking through the layers of the OSI
model. Encapsulation packages extra information with the original data in order to tell the network
where to send it. You cannot place data from the application layer directly onto the network and expect
it to reach the destination; you have to tell the operating system to send the data to the computer
that has IP address X and MAC address Y. Encapsulation (Figure 2.1) adds this guiding information around
the data. The sending computer encapsulates the data at each layer as it travels down the stack. When
the destination host receives the frame, it does the reverse, stripping away each encapsulated header
(and trailer) until only the data is left. Each layer knows only how to strip away the header and
trailer added by the corresponding layer on the sending host: the network layer on the sender adds the
network header, and only the network layer on the receiver removes it.
Figure 2.1 Encapsulation Process at Each Layer of the Protocol Stack (the data from layer 7,
Application, is wrapped in turn by layers 6 Presentation, 5 Session, 4 Transport, 3 Network,
2 Data Link, and 1 Physical)
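The encapsulation walk described above, as an added worked example in Python (not from the book): it builds a constructed Ethernet II / IPv4 / TCP frame layer by layer around an HTTP request, then decapsulates it and verifies the IPv4 header checksum, which is the check a forensic analyst would use to spot a header altered after the fact. All addresses and the request are made-up sample values; the TCP checksum is left at zero and the Ethernet FCS is omitted to keep the example short.

```python
import socket
import struct


def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                         # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Encapsulate application data down the stack: TCP -> IPv4 -> Ethernet II."""
    # Layer 4: 20-byte TCP header (data offset 5 words, flags PSH|ACK, window 65535).
    # The TCP checksum needs a pseudo-header; it is left at zero in this demo.
    segment = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                          5 << 4, 0x18, 65535, 0, 0) + payload
    # Layer 3: 20-byte IPv4 header, protocol 6 = TCP, DF bit set, TTL 64.
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234,
                         0x4000, 64, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    header = header[:10] + struct.pack("!H", ip_checksum(header)) + header[12:]
    # Layer 2: Ethernet II header, destination MAC first, EtherType 0x0800 = IPv4.
    ethernet = (bytes.fromhex(dst_mac.replace(":", "")) +
                bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    return ethernet + header + segment


def parse_frame(frame: bytes) -> dict:
    """Decapsulate: peel Ethernet, then IPv4, then TCP, leaving the application data."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not IPv4: EtherType 0x%04x" % ethertype)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                   # header length in bytes
    (_ver_ihl, _tos, total_len, _ident, _flags_frag, ttl, proto, _csum,
     sip, dip) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    checksum_ok = ip_checksum(ip[:ihl]) == 0   # an intact header sums to zero
    tcp = ip[ihl:total_len]
    (sport, dport, _seq, _ack, offset, flags, _window, _tcsum,
     _urg) = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_offset = (offset >> 4) * 4
    return {
        "l2": {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype},
        "l3": {"src": socket.inet_ntoa(sip), "dst": socket.inet_ntoa(dip),
               "ttl": ttl, "protocol": proto, "checksum_ok": checksum_ok},
        "l4": {"src_port": sport, "dst_port": dport, "flags": flags},
        "l7": tcp[data_offset:],
    }


if __name__ == "__main__":
    # Constructed sample: a browser on 192.0.2.10 asking the order server for "/".
    frame = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb",
                        "192.0.2.10", "192.0.2.80", 51234, 80,
                        b"GET / HTTP/1.1\r\nHost: orders.etronixinc.com\r\n\r\n")
    for layer, fields in parse_frame(frame).items():
        print(layer, fields)
```

Each build step adds the header the matching parse step removes, which is the point of the layer walk: a router only ever looks at the "l3" fields, a switch only at "l2", and the application sees only "l7".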
Table 2.2 Flow of Data Through the Protocol Stack from Host A to Host B (the seven layers,
Application through Physical, on Host A and their mirror images on Host B)
Application Layer (7)
Communication between two networked devices starts at the application layer. This layer is
sometimes misunderstood by people who think the "application layer" refers to the applications with
which the user interfaces. It does not: the application layer refers to the protocols that operate at
this layer. If a program needs to send data across the network to another computer, it passes the data
down to an application layer protocol with instructions on what to do with it. A web browser, for
instance, does not operate at the application layer, but the Hypertext Transfer Protocol (HTTP) does;
the browser uses HTTP in order to communicate. An API (application program interface) (Figure 2.2)
sits between the web browser and the HTTP implementation and is responsible for talking to the
application layer protocols.
The following is a short list of protocols that operate at the application layer. The easiest way to
think of this is to picture what you type into the URL bar of your web browser. If you want to go to
Google, you type "http://www.google.com", and the http scheme tells the browser to use the HTTP
protocol to reach Google's web server. Whatever URL you choose, it starts with http, ftp, or a similar
scheme name, which tells the browser which protocol to speak.
■ HTTP: Hypertext Transfer Protocol
■ SMTP: Simple Mail Transfer Protocol
■ POP3: Post Office Protocol version 3
■ IMAP: Internet Message Access Protocol
■ FTP: File Transfer Protocol
■ TFTP: Trivial File Transfer Protocol
Presentation Layer (6)
The presentation layer receives the data from the application layer and translates it into a format
and syntax readable by other computers. So that other systems can recognize the data, it is converted
into a generic format that is not application specific. This layer does not care what the actual data
is; it is merely a translation stage for data formats. As the application passes the data down the
stack, it is translated from what the application understands into the generic format, and the
receiving system does the reverse, translating the generic format into one understood by that computer.
Various operating systems and applications may expect the data to be presented a certain way, and the
presentation layer translates it to suit the application's needs. Some of the format types associated
with this layer are ASCII, EBCDIC, JPEG, MPEG, TIFF, and binary. This layer is also able to provide
encryption and compression if the application layer asks it to.
Figure 2.2 How the User Interfaces with the Protocol Stack
Session Layer (5)
The session layer is responsible for managing the conversations between the local and remote
applications from start to end: starting the session, keeping it established, and closing the
connection when finished. There can be one or more sessions occurring at the same time between two
network-connected hosts, and the session layer keeps track of each of them so that there is no confusion
between the conversations in progress. A web server may have thousands of sessions under way from people
browsing its web site, and it is up to this layer to manage every one of them. The layer is easier to
understand if we describe the communication modes that can occur here:
1. Simplex: communication flows in one direction only.
2. Half-duplex: communication in both directions, but only one side can speak at a time.
3. Full-duplex: communication in both directions, with both sides able to speak at the same time.
Transport Layer (4)
The transport layer takes the data from the session layer and splits it into pieces of the right size
for network transmission. Before sending the data out, a reliable transport protocol first establishes
how the other side will confirm that it received all the data undamaged. It does this with a handshake
prior to sending the data; the handshake determines how much data may be sent at a time, how to detect
that some of the data was lost in transit, and how to verify that the data was not corrupted. The work
done in this layer is often confused with the session layer. The difference is that the transport layer
builds connections between the end devices, whereas the session layer builds sessions between the
applications. Three protocols that work at this layer are TCP (Transmission Control Protocol), UDP
(User Datagram Protocol), and SPX (Sequenced Packet Exchange).
TCP is a connection-oriented protocol, which means it sets up a reliable connection between hosts
before sending any data. TCP has three phases: connection setup, data transfer, and connection
tear-down. In the connection setup phase, transmission parameters are negotiated between the end points.
TCP uses the SYN, SYN/ACK, and ACK flags (the three-way handshake) to let both sides agree on initial
sequence numbers and window sizes, which govern how much data is sent at a time, flow control, and how
errors are detected and recovered from. Once the agreement is made between the hosts, the data can be
sent. If a host detects a problem with the received traffic, it requests that the segment be
retransmitted, which ensures that the data is error free and completely received by the destination.
TCP uses acknowledgements (ACK) to tell the sender that it has received the expected amount of data and
that its integrity is good; any data not acknowledged is assumed lost and re-sent. Finally, when the
conversation is done, the transport layer closes it: one side sends a segment with the FIN flag set
(usually FIN/ACK), the other acknowledges it with an ACK and then sends its own FIN, which is
acknowledged in turn. Once both sides have ended their half of the conversation through this exchange of
acknowledgements, the connection is closed.
A connectionless protocol such as UDP has no three-phase approach like TCP. It sends the data as soon
as it is ready and assumes the end point receives it all; there are no acknowledgements or
retransmissions. Any reassembly, ordering, or recovery of lost datagrams is left to the application
rather than to the transport protocol.
Network Layer (3)
It is the network layer's responsibility to discover the layout of the network. This layer determines
whether communication stays on the same network or must be routed. The network layer does not guarantee
that data will get to the destination; it relies on the transport layer for that. The network layer
determines whether the source and destination hosts are on the same network by inspecting the IP
address and subnet mask of each. If the hosts are on different networks, routing is needed for them to
communicate, and this layer performs that function. To generalize, the network layer allows one logical
address to communicate with another logical address, whether they are on the same or different
networks. A logical address is an IP address that you assign to a computer or network device, and each
host on the network must have a unique one. A few of the better-known protocols that operate at this
layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), and IPX (Internetwork
Packet Exchange). Protocols in this layer work in conjunction with protocols in the transport layer;
for instance, TCP at the transport layer works with IP at the network layer, giving us TCP/IP.
Figure 2.3 is an example of communication between two hosts on different networks. The point of the
diagram is to show how the data travels to get from one host to another. On HOST A, the data is
encapsulated as it is passed down the protocol stack. At the physical layer it is converted into
voltage, frequency, or light so that it can be sent across the network. It may need to pass through
several networks before arriving at a router that has an interface in the same network as the
destination host. Notice that not all network devices use the entire protocol stack to communicate.
A router operates at the network layer and guides the traffic to the correct location based on the IP
addresses; it does not care about the application itself, only about getting the packet to the end
host. Once the packet reaches the router with an interface in the destination's network, the router
resolves the destination IP address to a MAC address (using ARP on an Ethernet network) and forwards
the frame to the switch. From there the switch directs the frame, based on MAC address, to the port
where the destination device is connected. HOST B receives the frame and performs the opposite
procedure of HOST A, stripping off each encapsulated layer as the data goes up the stack until only the
data is left.
Data Link Layer (2)
The data link layer takes the packet from the network layer and places it in a frame. The header added
at this layer carries the source and destination MAC addresses, and a trailer carries an error check;
the frame is the unit handed to the physical layer as a stream of bits. This layer has to be aware of
what type of network interface card (NIC) is in use in order to build the frame in the right format: a
frame prepared for Ethernet would not be understood by a network set up with Token Ring, so the layer
takes the network interface into consideration before framing the packet. Cyclic redundancy checking
(CRC) is another feature of the data link layer; the CRC in the frame trailer lets the receiver (the
next NIC, LAN switch, or WAN frame relay switch along the path) detect whether a received frame was
damaged in transit.
Devices that operate at this layer are switches and bridges. They work by guiding traffic to a
destination based on the MAC address. The MAC address is a unique 48-bit identifier, written as
hexadecimal digits, that identifies a particular network card; it is sometimes referred to as the
physical address because it is burned into the card. A switch can direct traffic to the correct
computer only if it knows which port the computer's network card is attached to. It learns this by
recording the source MAC address of the frames it sees arriving on each port.
A variety of protocols work at this layer. Some are used by hosts and others by network devices such
as switches. STP (Spanning Tree Protocol) and RSTP (Rapid Spanning Tree Protocol) are examples of
protocols used by switches; they ensure there is only one active layer 2 path to a destination so that
frames do not loop. PPP (Point-to-Point Protocol) and L2TP (Layer 2 Tunneling Protocol) are used by
hosts. PPP lets a host make a connection with a remote side over a serial or dial-up (modem) link. L2TP
carries PPP sessions across an IP network to a remote side; L2TP itself does not encrypt, so it is
normally paired with IPsec to make the connection secure.
Physical Layer (1)
The last layer in the protocol stack is the physical layer, which converts the bits presented by the
data link layer into signals on the medium. This layer also takes the network interface card into
consideration, because it needs to know what kind of signaling to send through the media. Consider the
difference between a network card with a fiber interface and one with an unshielded twisted pair (UTP)
interface: each presents the information differently to the media. Fiber interfaces require the bits to
be converted into light pulses, whereas UTP cabling uses voltage and frequency variations to
communicate. The physical layer also determines the speed (10, 100, or 1000 Mb/s, for example) at which
to transmit the data, along with what to do if line noise or cross-talk occurs.
Figure 2.3 Routers Are Network Devices that Do Not Use the Entire Protocol Stack
Using the OSI Model to Troubleshoot
For the purpose of this section, the TCP/IP protocol stack will be the primary focus, as it is what
the Internet is built on. It will then be compared to the OSI model to give you an idea of where the
sections of this chapter fit. The following paragraphs are based on an actual problem, applied to a
fictional company. The method used to troubleshoot this scenario can fix many connectivity problems; it
works by testing the devices and services that operate at each layer of the TCP/IP stack.
Scenario: E-tronix Inc. is a company that uses its web site to sell electronics over the Internet.
Recently the internal web site used to fulfill the orders has become inaccessible to the company's
staff. The goal of this section is to troubleshoot why the web site cannot be accessed. A chart at the
end of the story shows the troubleshooting steps and how they relate to the various levels of the OSI
model versus the TCP/IP protocol stack.
Your name is John Smith, and you work as an IT professional for E-tronix. Your responsibility is to
provide technical support and troubleshooting whenever the business needs it. The date is June 17,
2008, and it is early morning. You have just fallen asleep when your cell phone rings. The phone has
caught you off guard and startled you. The first thing that goes through your mind is to make the phone
pay for disturbing your rest, but instead you look at the number on the display. You are quite familiar
with it: it is the E-tronix support desk.
The following conversation occurs on the phone call:
Ring…
John: Hello this is John.
Helpdesk: Hi John, this is Brian from the help desk.We currently are not able to
access the internal Web site in order to satisfy the orders placed from the Internet.
Please look into the situation right away.
John: Alright Brian, I'll look into it.
Helpdesk: Thanks John, bye.
You yank the covers off and hobble down the hallway to the home office where your laptop is located.
For times like these, you have purposely left the laptop running and remotely connected to the
company's network. The first step you perform is to test access to the web site by opening the web
browser and typing the URL into the address bar. As expected, nothing happens: the browser indicates
that the page cannot be displayed. Just to cover all areas, you decide to start from square one and
walk through everything that has to happen for you to reach the web site. The following is a
walkthrough of the commands you ran in order to review the problem.
24 Chapter 2 • OSI Model and Then Some
Step 1. Make sure DNS resolves the Web site name properly. You're looking for the name orders.etronixinc.com to resolve to an IP address. Figure 2.4 is the output of the nslookup command that you ran from the command prompt on your laptop.
DNS seems to be working properly, as it responded with the IP address associated with orders.etronixinc.com. You decide to move on to checking the network connectivity.
Step 2. Check to see if the HTTP service is running on the server by telnetting to the server on port 80, as shown in Figure 2.5. This test allows you to verify whether the problem is related to the service or to the actual web content.
The connection to the HTTP service on TCP port 80 failed. This tells us one of two things: either the web service is down or the server has a network connectivity problem.
Next we need to test whether the server will respond to pings, which will prove whether there is network connectivity.
Step 3. Make sure that the server responds to basic network-testing commands like ping.
The ping command is able to test connectivity by sending a series of ICMP echo packets to the
destination host. If the destination host receives them, it will respond back with an ICMP echo-reply.
The results of the ping test will tell you if packets were received or lost, as shown in Figure 2.6.
Note
In testing scenarios like these, you need to be aware of whether there is a firewall that may be blocking traffic. A firewall has rules that either allow or deny traffic based on source address, destination address, and port. Pay attention to the response messages from the telnet command. They give you hints as to whether the problem is firewall- or service-related. Messages will vary between Linux and Windows operating systems. A couple of examples are shown below:
telnet: Unable to connect to remote host: Connection timed out
telnet: Unable to connect to remote host: Connection refused
Figure 2.4 Nslookup Is Used as a DNS Verification Test
C:\Documents and Settings\jsmith>nslookup orders.etronixinc.com
Server: ns1.etronicinc.com
Address: 192.168.1.200
Name: Orders.etronixinc.com
Address: 192.168.1.10
Figure 2.5 Telnet Can Be Used to Test TCP-Based Ports for Connectivity
C:\Documents and Settings\jsmith>telnet 192.168.1.10 80
Connecting To 192.168.1.10...
Could not open connection to the host, on port 80: Connect failed
This test proved that the IP communication found in layer 3 of the TCP/IP stack is not working, because our pings failed. In order for layer 3 to work, layers 2 and 1 need to be working also. Thus, the next test will be on layer 2.
Step 4. Prove that the switch can see the MAC address of the server. This will tell us that layer 2 is functioning. Traffic cannot make it to the server if the switch cannot find the server's MAC address. E-tronix happens to use managed Cisco switches that give the support technicians the ability to log in to them and do troubleshooting. We start by locating the port to which the server is connected. It shows us that the server is connected on Fast Ethernet port 0/9 at a speed of 100 and a duplex setting of full. That doesn't fully tell us that the connection is working, so we need to go one step further by seeing if the switch has seen a MAC address from the server on Fast Ethernet port 0/9. In this case, it has not, as there was no response to the second command. See Figure 2.7 for what a non-working MAC lookup looks like and Figure 2.8 for a working MAC on the port.
No MAC address was seen by the switch on the port, so layer 2 connectivity is not working correctly.
Figure 2.6 Ping Will Respond Even if the Application Is Down
C:\Documents and Settings\jsmith>ping 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Figure 2.7 Data Cannot Get to Its Destination if the MAC Is Not Visible on the Network
Switch#Sho int status | include orders
Fa0/9 orders webserver connected 7 A-Full A-100 100BaseTX/FX
Switch#Sho mac-address-table int fa0/9
no mac displayed
Figure 2.8 Sample of How a Working Connection Would Show Up on a Switch
Switch#Sho mac-address-table int fa0/2
Non-static Address Table:
Destination Address  Address type  VLAN  Destination Port
-------------------  ------------  ----  ----------------
00e0.8105.2682       Dynamic       7     FastEthernet0/2
In Step 4, we proved that layer 2 is not working because the switch is not able to see the MAC address of the server. We have only layer 1 left to check, and that deals with the physical connectivity. This leaves only a few possibilities: the server's network card, the patch panels, the cable, or the switch port. Unfortunately, checking each of these will take time.
Step 5. We arrive at work and walk into the server room where the web server is located. While looking at the network card in the server, we see that it does not have a link, which is odd because the switch showed a link. We remember seeing an issue just like this. The problem was due to a cable issue where the receive (rx) strand was damaged. Because it's now 2 a.m., the last thing we feel like doing is changing out the cable. It occurs to you that the physical layer problem may be as simple as a loose cable. You go to the server, patch panel, and switch and reseat the cable ends. You find that at the patch panel there was a loose Ethernet connection and that reseating it solved the problem.
Validation and summary: Two steps are needed to validate that the server is online and functioning. We need to prove that the server has network connectivity and that the web service is running. False indications might occur if you test the web service only at the application level. You might think that the server is down if you cannot connect to the service, but in reality, it might only be the web service that's not started. Thus, by using ping, you test the lower and mid layers of the stack, while by using telnet to test the service, you check the mid and upper layers. The following tests were performed to validate that the server was back online. The second line of each command was added to include DNS in the test.
Ping 192.168.1.10
Ping orders.etronixinc.com
telnet 192.168.1.10 80
telnet orders.etronixinc.com 80
The ping showed us replies back from the destination, and the telnet showed HTTP information. Thus, the test of the web server passed. Let's review what steps occurred and where they fall in the protocol stack. Table 2.3 shows the mapping of steps to the TCP/IP stack and the OSI model.
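Steps 1 through 3, together with the telnet-message hint from the Note, can be scripted. The following is an added example written for this chapter, not code from the book: it assumes a TCP connect as the probe for layers 1 through 4 (so it needs no raw-socket privileges the way ping does) and turns "connection refused" versus "timed out" into the same diagnosis the Note describes. The host names are the scenario's own; the loopback demo at the end is constructed for a self-test.

```python
import errno
import socket

# Added example, not from the book: automates Steps 1-3 of the scenario
# (DNS lookup, then a TCP connect to the service port) and maps the way
# the connect fails onto the layer most likely at fault.


def resolve_name(name):
    """Step 1 (DNS). Return the IPv4 address for name, or None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, socket.herror):
        return None


def classify_connect_error(exc):
    """Translate a failed connect() into a short status.

    'refused' means the host answered with a TCP RST: layers 1-3 are fine and
    the service is simply not listening.  'timeout' means nothing came back at
    all: a firewall dropping the packets, or a problem at layers 1-3.
    """
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"
    return "error"


def check_tcp(ip, port, timeout=3.0):
    """Step 2 (service check). Return 'open', or the classified failure."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return "open"
    except OSError as exc:
        return classify_connect_error(exc)
    finally:
        sock.close()


VERDICTS = {
    "open": "layers 1-4 OK: service reachable, look at the web content (layers 5-7)",
    "refused": "network OK (host answered with RST): the web service is down",
    "timeout": "no answer: firewall or a layer 1-3 problem; continue with ping and the switch MAC table",
    "unreachable": "no route to host: layer 3 / layer 2 problem",
    "error": "connect failed for another reason",
}


def troubleshoot(name, port=80, timeout=3.0):
    """Walk down the stack and stop at the first layer that fails."""
    ip = resolve_name(name)
    if ip is None:
        return {"ip": None, "tcp": None, "verdict": "DNS failed: name does not resolve"}
    status = check_tcp(ip, port, timeout)
    return {"ip": ip, "tcp": status, "verdict": VERDICTS[status]}


def loopback_demo():
    """Constructed self-test: one listening port and one closed port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                       # nothing listens here any more
    try:
        return {
            "open": check_tcp("127.0.0.1", open_port),
            "closed": check_tcp("127.0.0.1", closed_port),
            "walk": troubleshoot("localhost", closed_port),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    # The scenario's host name; substitute your own server and port.
    print(troubleshoot("orders.etronixinc.com", 80))
    print(loopback_demo())
```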
There's one last test worth mentioning, and it works well in situations where there is a host firewall that's blocking ICMP packets. This particular test works only with hosts found in the same network. The test will tell you if a device is online even if a host firewall is blocking ICMP. This test uses a combination of ping and checking the arp table on the tester's computer. For the purpose of this test, we have two IP addresses: the first IP (192.168.1.10) is on a server with a local firewall turned on, and the other IP (192.168.1.9) is not associated with any connected device. Essentially, 192.168.1.9 is used to simulate a device that has a network connectivity problem. Open three DOS windows by clicking START | RUN and typing cmd. In one window, ping 192.168.1.9; in the second window, ping 192.168.1.10; and in the third window, type "arp -a". Let the ping attempts fail twice before running arp -a in the last window. You'll need to perform the arp -a before the pings end. Output for the pings is shown in Figures 2.9 and 2.10, respectively.
Table 2.3 Troubleshooting Steps and How They Map Back to the OSI Model
Layer # | OSI Model Description | TCP/IP Stack | Troubleshooting Steps
7 | Application | Application | Test connectivity using telnet to the TCP service.
6 | Presentation | Application | Is the data being presented correctly to the server?
5 | Session | Application | Use a sniffer to see if sessions start, stay connected, and end properly.
4 | Transport | Transport | Use a sniffer to inspect the TCP three-way handshake.
3 | Network | Internet | Is the IP address of the network device pingable by the router, firewall, or others? Use traceroute to see if you can reach the destination device.
2 | Data Link | Network Interface | Does the switch see the MAC address of the connected device? Use "arp -a" to see if the computer sees any other MAC addresses.
1 | Physical | Network Interface | Check cables, network cards, and lights.
Notice in the output that there is a valid entry for the server and an invalid entry for the non-existent device. These commands were run from John's laptop within the same network. As I mentioned, this test works only with hosts in the same network. If you had a scenario where the hosts were on different networks, you could do a similar test, but you would need to do the ping and arp test from the router or firewall that had an interface in the same zone as the end devices, as shown in Figure 2.11.
Q: So why does this work if ping is failing?
A: The reason this works is because John's laptop does an arp broadcast asking who has the IP prior to pinging it. The server is able to respond back, but the non-existent device cannot. Therefore, John's laptop fills in the non-existent entry with all 0's. The firewall on the server is filtering layer 3 but not layer 2.
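The ping-then-arp test can be read mechanically from the arp -a output. The following is an added example, not code from the book: it parses the Windows arp -a layout shown in Figure 2.11 (the sample below is constructed to mirror that figure) and applies the layer-2 rule from the answer above to each entry.

```python
import re

# Constructed sample modeled on Figure 2.11 (not a real capture).
SAMPLE_ARP = """\
Interface: 192.168.1.200 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-02-b3-9d-d9-1a     dynamic
  192.168.1.9           00-00-00-00-00-00     invalid
  192.168.1.10          00-0c-29-00-6a-fc     dynamic
"""

# One arp -a entry: IPv4 address, MAC in Windows dash notation, entry type.
ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+"
    r"(\w+)\s*$"
)
NO_REPLY_MAC = "00-00-00-00-00-00"   # what Windows stores when nobody answered the ARP request


def parse_arp(text):
    """Return {ip: (mac, type)} for every entry in Windows arp -a output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries[ip] = (mac.lower(), kind.lower())
    return entries


def layer2_verdict(entries, ip):
    """Apply the rule from the Q&A: ping sends an ARP request before the ICMP
    echo, so the cache entry shows whether the host answered at layer 2 even
    when a host firewall drops ICMP at layer 3."""
    if ip not in entries:
        return "no entry: ping the address first so that an ARP request is sent"
    mac, kind = entries[ip]
    if kind == "invalid" or mac == NO_REPLY_MAC:
        return "no ARP reply: host is not on the wire (layer 1/2 problem or no such device)"
    return "ARP reply received from %s: host is online at layer 2 even though ping fails" % mac


def classify_all(text):
    """Verdict for every IP present in the arp -a output."""
    entries = parse_arp(text)
    return {ip: layer2_verdict(entries, ip) for ip in entries}


if __name__ == "__main__":
    for ip, verdict in classify_all(SAMPLE_ARP).items():
        print(ip, "->", verdict)
```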
Figure 2.9 Sample Ping to a Non-Existent Device
C:\Documents and Settings\jsmith>ping 192.168.1.9
Pinging 192.168.1.9 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.9:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Figure 2.10 Ping Command Run Against the Server with the Firewall Activated
C:\Documents and Settings\jsmith>ping 192.168.1.10
Pinging 192.168.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.1.10:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Figure 2.11 arp Command Used to Show the Difference Between an Invalid and Valid arp Response
C:\Documents and Settings\jsmith>arp -a
Interface: 192.168.1.200 --- 0x3
Internet Address    Physical Address    Type
192.168.1.1         00-02-b3-9d-d9-1a   dynamic
192.168.1.9         00-00-00-00-00-00   invalid
192.168.1.10        00-0c-29-00-6a-fc   dynamic
Applying the OSI Model to Forensics
The following pages contain a real scenario captured from an infected Windows XP computer that was running IIS with web services enabled. The scenario has been slightly changed to fit into story form. I will run through the scenario and then tell you how it applies to the TCP/IP stack, which will be mapped back to the OSI model.
Ring, Ring…..
Bill: Hello, this is Bill from Security.
Helpdesk: Hi Bill. This is Nancy from the Helpdesk. I need your assistance in figuring out a problem that many users are having. Shortly after 9 a.m., the helpdesk started receiving calls from several users who were complaining of slow responses from the web server. Around the same time, we started receiving alert notices from the intrusion detection system of possible virus activity from the same server. Prior to calling you, we worked with an administrator from the server team to confirm that the server's antivirus and Microsoft patches were up to date. Can you go check out the web server and see what's going on? If you find a virus, please gather a sample of the executable so that we can send it off to the antivirus vendor. This will allow them to create a new definition to detect and correct this strain of virus.
Bill: No problem Nancy, I’ll gather my tool kit and go over there right now.
Bill walks over to the server room and heads back to where the server is located. He starts to log in and notices that even the login process is really slow. He has two suspicions: the first is that there is a connectivity problem with the domain controller that provides the authentication, and the second is that some process is using up all the processing power on the server. The server eventually logs him in, so he disregards his first thought. He starts by opening a command prompt window on the web server and types "netstat -ano". The results he sees are kind of disturbing. The output of netstat normally is contained within a few screens, but now it is showing 20+ screens' worth of information. Figure 2.12 shows what he saw. Based on this output he was able to make the following determinations:
■ TCP 6667 is used for IRC.
■ The web server was scanning for other web servers on TCP 80. This is typical behavior of a virus trying to spread.
■ There was an unknown process connecting to another server on TCP 65520.
■ Each of the sessions using TCP ports 80, 6667, and 65520 had an associated PID (Process ID). This allowed him to relate the network traffic with a service running on the web server.
Note
The following Web sites can be used to find out the uses of different TCP and UDP ports. The first Web site shows ports for normal services; the second shows ports for malicious services.
■ http://www.iana.org/assignments/port-numbers
■ http://www.neohapsis.com/neolabs/neo-ports/
Figure 2.12 Output of the netstat –ano Command Done on the Web Server
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:7 0.0.0.0:0 LISTENING 1648
TCP 0.0.0.0:9 0.0.0.0:0 LISTENING 1648
TCP 0.0.0.0:13 0.0.0.0:0 LISTENING 1648
TCP 0.0.0.0:17 0.0.0.0:0 LISTENING 1648
TCP 0.0.0.0:19 0.0.0.0:0 LISTENING 1648
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 1572
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 784
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 1572
TCP 0.0.0.0:1027 0.0.0.0:0 LISTENING 832
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING 1400
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING 1572
TCP 0.0.0.0:1033 0.0.0.0:0 LISTENING 1764
TCP 0.0.0.0:1043 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:1129 0.0.0.0:0 LISTENING 552
TCP 0.0.0.0:1130 0.0.0.0:0 LISTENING 2120
TCP 0.0.0.0:1131 0.0.0.0:0 LISTENING 1196
TCP 0.0.0.0:1801 0.0.0.0:0 LISTENING 1764
TCP 0.0.0.0:2103 0.0.0.0:0 LISTENING 1764
TCP 0.0.0.0:2105 0.0.0.0:0 LISTENING 1764
TCP 0.0.0.0:2107 0.0.0.0:0 LISTENING 1764
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING 1048
TCP 68.60.175.83:1129 63.138.101.136:6667 ESTABLISHED 552
TCP 68.60.175.83:1130 210.202.247.102:65520 ESTABLISHED 1148
TCP 68.60.175.83:2201 68.60.3.150:80 SYN_SENT 2120
TCP 68.60.175.83:2202 68.60.179.215:80 SYN_SENT 2120
TCP 68.60.175.83:2203 68.60.197.53:80 SYN_SENT 2120
TCP 68.60.175.83:2204 68.60.235.215:80 SYN_SENT 2120
TCP 68.60.175.83:2205 68.60.110.73:80 SYN_SENT 2120
TCP 68.60.175.83:2206 68.60.254.143:80 SYN_SENT 2120
edited... the above syn scan for tcp 80 occurs for many pages
UDP 0.0.0.0:7 *:* 1648
UDP 0.0.0.0:9 *:* 1648
UDP 0.0.0.0:13 *:* 1648
UDP 0.0.0.0:17 *:* 1648
UDP 0.0.0.0:19 *:* 1648
UDP 0.0.0.0:500 *:* 616
UDP 0.0.0.0:1030 *:* 1016
UDP 0.0.0.0:1032 *:* 1764
UDP 0.0.0.0:1034 *:* 1016
UDP 0.0.0.0:3456 *:* 1572
UDP 0.0.0.0:3527 *:* 1764
UDP 68.60.175.83:123 *:* 832
UDP 68.60.175.83:1900 *:* 1048
UDP 127.0.0.1:123 *:* 832
UDP 127.0.0.1:1900 *:* 1048
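Bill's determinations from the netstat -ano output can be automated. The following is an added example, not code from the book: a parser for the Windows netstat -ano layout plus a triage pass that flags the three patterns called out above (an IRC session on TCP 6667, a session to an unusual high port, and a SYN fan-out from one PID to many hosts on one port). The sample is a constructed excerpt modeled on Figure 2.12, and the scan threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed excerpt modeled on Figure 2.12 (trimmed; not the full capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
  TCP    68.60.175.83:1129      63.138.101.136:6667    ESTABLISHED     552
  TCP    68.60.175.83:1130      210.202.247.102:65520  ESTABLISHED     1148
  TCP    68.60.175.83:2201      68.60.3.150:80         SYN_SENT        2120
  TCP    68.60.175.83:2202      68.60.179.215:80       SYN_SENT        2120
  TCP    68.60.175.83:2203      68.60.197.53:80        SYN_SENT        2120
  TCP    68.60.175.83:2204      68.60.235.215:80       SYN_SENT        2120
  TCP    68.60.175.83:2205      68.60.110.73:80        SYN_SENT        2120
  TCP    68.60.175.83:2206      68.60.254.143:80       SYN_SENT        2120
  UDP    0.0.0.0:500            *:*                                    616
  UDP    68.60.175.83:123       *:*                                    832
"""

# Proto, local addr:port, foreign addr:port, optional state (UDP rows have none), PID.
ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# Ports the chapter singles out; IRC on 6667 is the classic bot control channel.
NOTABLE_PORTS = {6667: "IRC", 3389: "RDP"}
# Foreign ports in the dynamic range are odd for a deliberate server-to-server session.
DYNAMIC_PORT_START = 49152


def parse_netstat(text):
    """Return one dict per connection row of netstat -ano output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue                      # header lines and blanks
        proto, laddr, lport, faddr, fport, state, pid = m.groups()
        rows.append({
            "proto": proto,
            "laddr": laddr, "lport": None if lport == "*" else int(lport),
            "faddr": faddr, "fport": None if fport == "*" else int(fport),
            "state": state, "pid": int(pid),
        })
    return rows


def triage(rows, scan_threshold=5):
    """Reproduce the findings Bill made by hand, keyed by PID.

    scan_threshold (an assumption) is how many distinct foreign hosts one PID
    must have in SYN_SENT to the same port before the fan-out is called a scan.
    """
    findings = defaultdict(list)
    syn_targets = defaultdict(set)        # (pid, foreign port) -> hosts tried
    for r in rows:
        if r["state"] == "SYN_SENT":
            syn_targets[(r["pid"], r["fport"])].add(r["faddr"])
        elif r["state"] == "ESTABLISHED":
            if r["fport"] in NOTABLE_PORTS:
                findings[r["pid"]].append(
                    "%s session to %s:%d" % (NOTABLE_PORTS[r["fport"]], r["faddr"], r["fport"]))
            elif r["fport"] is not None and r["fport"] >= DYNAMIC_PORT_START:
                findings[r["pid"]].append(
                    "session to unusual high port %s:%d" % (r["faddr"], r["fport"]))
    for (pid, port), hosts in syn_targets.items():
        if len(hosts) >= scan_threshold:
            findings[pid].append(
                "SYN fan-out to %d hosts on TCP %d: looks like a scan" % (len(hosts), port))
    return dict(findings)


if __name__ == "__main__":
    # The flagged PIDs are the ones to look up next in Process Explorer.
    for pid, reasons in sorted(triage(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(pid, "->", "; ".join(reasons))
```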
Bill is running through the situation in his head and determines that he needs to relate network traffic back to files and services running on the web server. He decides on the following tools and procedure to observe network traffic, memory, and hard drive content:
1. Wireshark™ sniffer to capture the network traffic.
2. Netstat for relating network traffic to Process IDs (PIDs).
3. Process Explorer to relate PIDs to service names and executables. This also shows if there are any sub-processes being spawned under a root service.
4. Windows search tool with advanced options set to search system folders, hidden files and folders, and subfolders.
5. Winhex to inspect what's running in memory.
Figure 2.13 shows a sample sniffer capture that was taken on the web server. This capture allows us to verify that the traffic we saw in the output of the netstat command is really occurring on the network. We need to run the sniffer because netstat takes only a one-second snapshot of network traffic. That will not provide you with enough data to determine all the connections that may have occurred. The sniffer allows us to continue capturing all traffic until we decide to stop it. We want to know we've captured enough information to tell us what we're dealing with. So far, we're able to determine that the IRC session on TCP 6667 is not an encrypted session, because the contents shown on line 141 are readable in the hex decode window. The content in this case happens to be the nickname used on the IRC channel. We also see that the web server at 68.60.175.83 is looking for other web servers running on port 80 to exploit. The [SYN] packet is the first packet used in a TCP three-way handshake. If we saw a [SYN,ACK] response back, we would know that the remote IP had the web service running on it. If it was not running a web service, we would most likely see a reset [RST] back. Once the infected server has identified another destination IP running a web service, it would then do a banner check to identify the version of the web service. If it matched the vulnerable version for which this virus was looking, it would then be exploited and the process would be repeated from the newly infected computer. The last suspicious packet we see on this screen is evidence that another computer is trying to see if TCP 3389 is open on the web server. This port is used for the remote desktop service, which allows someone to log in to the server and take control. This is bad news because, from the appearance of this capture, it doesn't look like we have an Internet firewall that's blocking any traffic.
We can move on to analyzing processes with Process Explorer (Figure 2.14) because we already have a sample of netstat output. We're going to use the PID column in the netstat capture to relate to the PID column in Process Explorer. This lets us identify the process using that PID. There were three suspicious PIDs, with values of 552, 1148, and 2120, shown in Figure 2.12 in the netstat capture that we want to look at. By analyzing the screen shot in Figure 2.14, we're able to cross-reference PID 552 to process winlogin.exe, 1148 to maxd641.exe, and 2120 to qwlgkyd.exe. Any root process or sub-process of a suspicious PID should be considered untrustworthy and be investigated. It's obvious that the last few lines in this screen shot have something going on, but what about 552? Winlogon.exe is a valid Microsoft service and should not be trying to use IRC as shown in the netstat capture. This service must have been replaced with a trojaned process. In a normal investigation, you would look into each of the suspicious processes, but for the purpose of this demonstration, we are going to follow only a portion of it.
Figure 2.13 Sample Sniffer Capture Using Wireshark™ to Show Evidence of Network Traffic
At this point, we have a pretty good idea of the files we need to look for based on the processes we saw in Process Explorer. The Windows search tool works decently if you have it set to search in system folders and also look for hidden files. If for some reason your search does not find the files you're looking for, try using a tool that finds alternate data streams. We configured the search tool and let it loose looking for maxd641.exe. It found the file in c:\windows\system32 with a modified date of 1/24/2007 11:03 PM. Oddly enough, there are several other files with the exact same time and date that also showed up in the Process Explorer window. Based on seeing the similar times between the files, we decide also to search for other files that were modified around the same time. This turns up another handful of files. One of those files was explorer.exe, which had not been identified as an issue, as shown in Figure 2.15. Now it's a suspect that needs to be checked.
Figure 2.14 Process Explorer Gives You the Ability to See a Malicious Sub-Process Running Under a Parent Process
The system32 folder was sorted by date and time in order to see all the files modified around 11:03 p.m. All the files with the common date and timestamps, along with the ones identified in Process Explorer, are zipped to be shipped to the antivirus vendor. For curiosity's sake, we'll look in memory for Explorer to see if anything odd is happening, as shown in Figure 2.16. Sometimes it's helpful to dump the contents of memory to gain further insight into the problem. As suspected, Explorer has been tampered with. Based on what is seen in Figure 2.16, Explorer was probably injected with a keylogger to watch for people logging into any of the banks listed. The keylogger would record any information typed while on the bank's Web site.
Figure 2.15 Visual Observation of Files Should Not Be Overlooked as It Might Uncover More Evidence
There's much more we could look into, but we're going to stop here and review how this applies to the OSI model and TCP/IP stack, as shown in Table 2.4. There were some steps performed that don't fit into the comparison chart. They were shown only to demonstrate the full process. Keep in mind that the TCP/IP stack and OSI model deal only with how to get the data to the application. Once we get past the protocol stack, we're dealing with the actual applications, memory, and disk space.
Figure 2.16 Winhex Is Showing the Section of Memory Utilized by the Explorer Process
You might be wondering how this story can relate to you. Ask yourself these questions:
1. Has your computer ever run slowly, and you couldn't figure out why?
2. Do I trust that my antivirus checker will catch all viruses?
3. Am I sure there is nothing malicious on my computer right now?
4. Do you know who your computer is talking to and what it is sharing with others?
If any of these questions make you feel uneasy, use the steps in this story to find out what is occurring on your computer. Antivirus checkers will not find everything out there. Be proactive and check for yourself what is occurring. A good practice I tell my friends is to take a couple of baseline screen shots of how their computers are running from a clean build when they are not exposed to the Internet. Those screen shots should consist of Task Manager (Applications, Processes, and Performance tabs), netstat -ano, and Process Explorer. The baseline should also include a sniffer capture of the network traffic to see what normal traffic from that computer looks like. Then, when a situation arises, compare the current status with the baseline results to see what is different.
Table 2.4 Investigation Steps Mapped Back to OSI Model
Layer | OSI | TCP/IP | Investigation Steps
7 | Application | Application | Identify what protocols are being used for communication.
6 | Presentation | Application |
5 | Session | Application |
4 | Transport | Transport | 3-way handshake for connection to TCP services on remote devices.
3 | Network | Internet | Look at netstat and sniffer output for virus propagation.
2 | Data Link | Network Interface | Look at arp table on infected server for large list of contacted devices.
1 | Physical | Network Interface |
Summary
If you're in the IT field, it is essential to know the OSI model. It provides you with guidelines about what to look for at each layer. Many people consider the model as information that was only intended for a test, but fail to realize that it can be applied to real-world scenarios. It's impossible for an administrator to troubleshoot if he or she does not understand the fundamentals of the network stack. The data doesn't just magically get from one computer to another. There is a process that occurs between both sides that allows them to talk. That process is determined by the protocol stack. Understand the protocol stack and you'll be able to grasp the concept of network connectivity.
Solutions Fast Track
50,000 Foot View of the OSI Model
■ The OSI model is not a protocol. It is only a reference model.
■ The higher you go in the stack, the closer you are to the application. Conversely, as you travel down the stack, you're getting closer to the layers that deal with specific network functionality.
■ The application layer is handed the data with instructions of what to do with it.
■ The presentation layer converts the format and syntax of the data. It also encrypts and compresses it.
■ The session layer manages conversations between applications.
■ The transport layer builds sessions between end devices and ensures that data is received.
■ The network layer provides a path between end devices.
■ The data link layer converts packets from the network layer into frames.
■ The physical layer converts bits to voltage, frequency, or light before sending these bits across the media.
Using the OSI Model to Troubleshoot
■ Understand what hardware and protocols work at each layer of the model. This will help you determine if you have a network issue or an application issue.
■ Have a set of tools that make it possible for you to test each of the layers.
■ When troubleshooting, start at the top of the stack and work down until you come across the problem. Sometimes you can cheat and start in the middle if you have an idea of what might be occurring.
■ Verify that the information being supplied to you is accurate. Test the scenario yourself and see if you get the same results as listed in the problem call.
Discovering Diverse Content Through
Random Scribd Documents
Elment. Ott hagyott engem a ház ajtajában és rohant le a
hegyoldalon. Kínos ijedtséggel néztem utána. Vajjon van-e ennek a
beteg öregasszonynak valakije a szobában, aki ápolja?
Nem tudtam elmenni. Hallgatóztam. A szoba egyre árasztotta a
jajszót. Mondom, mintha ez a sirás élt volna, úgy röpködött
makacsul, sötéten körülöttem. A jajgatás tompult és erősbödött;
egyszerre olyan kétségbeesett sikoltozásra vált, hogy éreztem, mint
sápadok el a rémülettől; azután tompa nyögésre vált ismét. Nem
tudtam elmenni. A rettenetes jajszó a maga ismeretlen félelmével,
nem értett gyötrelmével odatáncolt az ajtóhoz. De hogy tud valaki
ennyit jajgatni! Kínlódtam és mégsem birtam elmenni. Nincs benn
senki a szobában, az bizonyos. Becstelenség volna elhagyni egy
haldoklót.
De nem mertem mozdulni sem. Féltem. Féltem, határozottan
féltem. Olyan érthetetlen, idegen és különös volt ez a borzalmas
jajgatás, hogy a hideg futott végig a hátamon és remegni kezdett a
térdem.
Egy idegen, nagy erő sejtelme áradt ki a bezárt ajtó mögül. Mi
van ott? Mit lát az a haldokló asszony? Mitől reszket? A félelem
hidege remegve rázott. Nem birtam tovább. Valamit tennem kell, de
itt állni az ajtóban lehetetlen.
Szívesen elmentem volna már, de szégyenkeztem a gyávaságom
miatt. A félelemtől dobogó szívvel, kiszáradt torokkal, elhatározottan,
gyorsan, remegve kinyitottam az ajtót.
A parasztosan gyér világítású szoba fenekén ott volt az ágy. Az
ágyban a haldokló. Ráncos arcán láz tüzelt és két öreg, bágyadt
szeme kitágulva csillogott.
Már nem volt tiszta eszméleten. És talán félelme, reszketése,
vágyakozása, deliriuma csalta meg, de mikor hirtelen beléptem,
jajgatása elhallgatott, kínzott arca elsimult, két öreg száraz karját
felém tárta és a kimondhatatlan megenyhülés hangján dadogta:
– Tisztelendő úr…
A félelmem már eltünt, de a szívem most egy nagyot dobbant. Ez
a haldokló öreg asszony papnak néz. Mit tegyek?
Átvillant az elmémen: nem szabad csalással vállalnom ezt a
szerepet. Villámgyorsan azt válaszoltam magamnak, hogy egy
gyötrődő lelket szabadítok meg vele. Erre új kétség válaszolt, de
mielőtt még dönthettem volna, ott álltam az ágy mellett és két forró,
ráncos kéz ragadta meg a kezemet és egy lázas ajak dadogta:
– Gyónom a mindenható istennek és neked, lelki atyám…
… Hiába volt a kétségem, a habozásom. A haldokló öreg asszony
ajaka megnyilt és forró zuhogással áradt ki belőle a vallomás.
Huszonöt év minden igazi és képzelt vétke. Hogy katholikus
vallását nem tartotta elegendő tiszteletben. Hogy annyi sok esztendő
óta nem gyónt. Nem hallgatott misét. Hogy egyszer csalt. Hogy
egyszer Istent káromolta. Hogy egyszer rossz volt a szegényhez.
Hogy régen bűnös gondolatai voltak és hogy egyszer, egyszer – az
ura nem volt itthon – megfeledkezett hitvesi eskűjéről… Huszonöt év
minden bűne jól emlékezetben tartva, sorrendben, sötéten és
ijesztően, nevetségesen és siralmasan vonult fel előttem. Feltárult
egy keserves munkával teli élet, amelyet méreggel itat meg az, hogy
hordozója nem gyónhatott soha, amelynek végét a pokol félelme
tette kínossá és ijedelmessé és amely most ime mégis bocsánatot
kap és a megtisztulás reményét.
Kábultan, riadtan, megzavarva ültem az ágy mellett. Nem, nem
szabad ennek az öreg asszonynak azt mondanom, hogy nem vagyok
pap, hogy a gyónása nem ér semmit, hogy elkárhozik.
Összeszedtem minden erőmet és nyugalmamat. Nem tudtam,
milyen a gyónás szertartása, és féltem tőle, hogy hibát követek el.
De mikor az asszony lázas forró vallomása elhallgatott, mély
szánalommal és megindultsággal beszélni kezdtem.
Beszéltem az Ur végtelen jóságáról, a bocsánatról, amelyet a
bűnbánó bizonyosan megkap, a lélek halhatatlanságáról, az
üdvözülésről, amely arra vár, aki meggyónta a bűneit és tiszta
lélekkel lépi át a túlvilág küszöbét és végül – úgy, amint leirásokból,
hallomásból, hírből tudtam – én, a zsidó, a hitetlen, az atheista,
elmormogtam a feloldozás latin szavait:
– Ego te absolvo… in nomine… Amen.
A haldokló asszony öreg kezei görcsösen szorították a kezemet.
Az arca egészen elsimult. Szemében a láz halványodni kezdett,
cserepes, szegény ajka körül egy végtelenül boldog, enyhe mosoly
jelent meg.
A kezemet csak durván tudtam volna kiszabadítani, és ezt nem
akartam. És én az én tépett, érzékeny, reszkető idegeimmel ott
állottam a haldokló asszony ágya mellett és néztem a haldoklását.
Még egy óráig tartott. A feje nyugtalanul forgott, de mikor a szeme
felém fordult, az ajka körül mindig megjelent a megkönnyebülés
mosolya. Néha szóltam hozzá, akkor még jobban mosolygott. És
mire az egész véget ért, öreg, elkínzott, ráncos arca derült,
megnyugodott és tiszta volt.
Akkor eljöttem. Azóta más ember vagyok. Hinni nem tudok, mert
hinni nehéz; de nem tudok tagadni sem.
Ibolya and Ágnes.
The winter garden was full. Gypsy music played and the girls walked up and down with rustling skirts, sat down at one table or another, drank, smoked. Young men surrounded Ibolya, and the girl was imitating some Negro dance to the rhythm of the music. Then she threw herself wearily onto a chair.
– For the love of God, someone shouted from the company, give her something to drink, or she'll die on the spot.
– Sherry, whispered Ibolya in a fading voice.
The waiter brought the drink. Then another glass. Then a third. The girl was in a mad good humour. She whistled and her feet kept wanting to dance.
A waiter came and whispered in her ear:
– A gentleman is asking for you.
Ibolya crossed the winter garden and sat down at the stranger's table.
– Hello, she said to him in a friendly way.
– Hello, answered the other, and wanted to pour for her.
– Have some crayfish brought first, said Ibolya.
Then they talked. In the course of the conversation Ibolya proved an exceedingly clever and cultivated woman, and after a quarter of an hour the stranger asked her:
– Your name is Konc Ibolya, isn't it?
– Yes, said Ibolya.
– You are nineteen years old.
– Yes, said Ibolya, astonished.
– You were born in Borsod-Zsadány?
– Yes.
– Three years ago you were orphaned, and two years ago you came here to the Francia Mulató.
– Yes. I appeared in a ballet.
– Your father was called Konc Boldizsár.
– Yes.
– Your mother's name is Wirt Mária.
– Yes.
Ibolya began to be afraid.
– Perhaps you are a detective, she said with aversion.
The other laughed.
– No. I'm not a detective. I'm a lawyer. Konc Gáspár's lawyer.
The girl looked at him questioningly.
– I am Konc Gáspár's lawyer. Do you know who Konc Gáspár is? A relative of yours. Your father's cousin.
The girl shrugged.
– Ibolya, said the lawyer, I see that you are a clever girl. So listen to what I have to say and think the matter over well. Two years ago Konc Gáspár's only daughter died. She would have been about as old as you are now. Now he has no one. Neither he nor his wife. You are their only relative. He would adopt you as his daughter. He would take you in. He has been having you searched for these three weeks. Today I went to your lodgings and was told I would find you here. I came here. Now consider the matter: you can live as if you were his daughter. You will be rich. Besides the brewery, your uncle has four houses. There is only one condition: the Francia Mulató, the dancing, the revelry must come to an end. You must be a young lady. Your aunt doesn't even know you were here. Think it over well: you need not make any great sacrifice; this life is perhaps amusing, but its end is not. And in return you will be the heiress to four million.
Ibolya was silent. She looked before her, thinking.
– Do they keep a carriage? she asked then.
– Two, even, said the lawyer, smiling.
– Then all right, said Ibolya.
The lawyer added, warningly:
– Ibolya. Keep the bargain.
The girl nodded her head gravely.
– Then, my gracious young lady, let us go. I will escort you home now, and tomorrow morning I will take you to Konc Gáspár.
They set off. The girl raised her head seriously, resolutely, and walked across the winter garden with a cold face. She looked neither right nor left and did not turn back.
The next morning the lawyer came for her with a carriage and took her to the Konc house. The old man stroked her hair; the old woman burst into tears when she saw her.
– How she resembles Ágnes, she said in a trembling voice.
– Family resemblance, said Konc. She takes after her grandmother, my mother.
Tears glistened in his eyes too. Ibolya's entry into the family was a very beautiful, very noble and very touching thing.
– We shall call you Ágnes, they told her, and Ibolya, moved, nodded her head.
She was led into her room, a soft, silky, velvety, fragrant girl's room. They had to walk the length of the apartment, and nine large rooms followed one after another. At noon a footman served the meal, and in the afternoon they set out by carriage to buy various things.
By then various changes had already taken place in Ibolya. She had to comb her hair smooth, with only a small ribbon tied in it; her hat was of a less daring shape, and Ibolya, in the soft carriage whose two horses trotted smoothly and majestically along the street, was like, and felt like, the cherished, guarded, pampered, velvety young ladies. Ibolya became Ágnes, and life was beautiful.
Later some less pleasant details followed. Thus: she had to study, whereas before Ibolya had mastered only the arts of sewing and embroidery. But even this went easily enough. She coped with the piano too, and after a month or two she was beginning to chatter in French and English. She got as many sweet cakes as she wanted – she lived and died for sweets – and the servants were humble toward her: this reconciled her to everything. She soon became a cultivated young lady, and her adoptive parents took great delight in her.
One day old Konc stroked her cheek and said to her:
– Ágnes, my little girl, tomorrow we are taking you to a party.
Ágnes was glad. She loved to dance, and she got a wonderfully beautiful white dress for the occasion. The party was given by the clerks of the brewery. Old Konc took her there first because he was certain that here no one would dare to make her feel her past. Nor did anyone. Ágnes had a splendid time.
Soon she went to the theatre, and before a year had barely passed, she went to balls too.
– Well, a marriageable girl… God, yes, such a girl has to be taken to balls, sighed the old woman, and she was happy to be taking her daughter to a ball.
Ágnes was enrolled among the fine, quiet, distinguished young ladies. She too took her place – with smooth hair and in a white dress – in the gentle flock of doves, among the innocent white lambs who wait to see who will ask them to dance and to marry. No one ever made her feel that she was different from the other girls. People are forgetful, and a million is a great lord.
Ágnes herself did not feel different. The young ladies – whose world had formerly been such a closed world to her, and of whom she could not think otherwise than with admiration or rage – she found to be just like herself. What had passed, she forgot. Everything that belonged to the past faded, grew dim, fell asleep. New joys occupied her; she read books, and she used to fall asleep with her girlish soul's dream rising out of the novels: a coldly smiling, fearless man who gently draws her to himself… When she woke, it seemed to her that life had never been other than it was now. She always drove out shopping with Mama in a two-horse carriage, rummaged among the silks, and a footman brought her a glass of water.
The balls, picnics, thés dansants, the most varied dancing occasions were very amusing, and the day had to come when Ágnes, blushing, answered an important question.
– Speak to Mama, she said then, lowering her eyes.
This, however, was superfluous. The young and ambitious lawyer had wisely attended to this beforehand, and having learned everything about the past, which he knew anyway, and having been referred to the girl, he thought to himself:
– I'll give up the office and take over the brewery.
He was not quite what Ágnes's girlish heart had pictured as its hero, but he was a handsome boy, and so they decided that the engagement would take place at the end of carnival. Until then let Ágnes enjoy herself.
Ágnes enjoyed herself. She was at every ball and danced to her heart's content. At the end of carnival they went to a great ball, a gala ball, a grand affair. Ten countesses were lady patronesses, and an archduchess appeared too.
Around eleven o'clock one of the stewards introduced to Ágnes a young man whose name she did not catch and who took her to dance. Ágnes leaned on his arm silently and delicately. They were silent. Then the young man whispered, in a voice tired from the dancing:
– Ibolya.
Ágnes looked at him in surprise. She recognised him. Dobó… Dobó Bandi. She was embarrassed. She did not know what to say.
– Ibolya, whispered the boy, you are adorable. You know that I love you.
Ágnes wanted to be indignant. But she could not. The boy pressed her to himself and flew with her. He dances well. Impudent. But charming.
– Ibolya, I adore you.
– You mustn't talk like that.
– I know, Ibolya, I know. For the last time now. You're getting married. I adore you, Ibolya.
Ágnes's face burned. Old memories smouldered up in her.
– Bandi.
– At your command, my heart, my queen, my Ibolya.
– I'm tired.
– Come, my Ibolya, my love, come, goddess.
He took her arm, crossed the hall with her, the buffet. Here booths had been set up; he seated the girl in a velvet armchair.
They looked at each other. The girl was confused.
– You know, Ibolya, that I always adored you, said the boy.
The girl leaned her head back with a sigh.
– I'm thirsty.
The boy knocked and the waiter brought champagne.
– No, said the girl, not champagne.
– Yes. Oh yes. Just this once. For the last time. You'll never drink champagne with me again, Ibolya.
The girl considered. This boy is very impudent and very bold. But very charming. The dearest memory from the past. And now she is drinking champagne with him for the last time. And besides, she is thirsty.
She reached for the glass and drank it all down. The fire of the drink ran through her. But she was still thirsty. She drank another glass. She felt that it had gone to her head, but a teasing, rowdy high spirits took hold of her. Pour more, she said to the boy, and he poured. The girl felt unspeakably thirsty. As if she had been thirsting for a year and a half. And the champagne is so good, cold, fiery, sweet, tangy. It was as if she were in the Párisi Mulató, and she put her feet up on the other chair. The drink ran out and a new bottle had to be sent for. They clinked glasses and drank. The girl whistled and the boy leaned toward her. The buffet began to fill up, and the women who glanced in hurried on in alarm past the booth.
Then the girl, dimly, barely dawning, with a misty shapelessness, felt that someone was waiting for her. Mama. Papa. Her fiancé. They are waiting for her somewhere. She stood up.
– I'm going, she said resolutely.
– Stay a little longer, begged the boy.
– No, said the girl energetically, they're waiting for me.
She rose and, with a grave sense of duty, started for the ballroom. The boy accompanied her. In the ballroom the music was playing. They were playing some galop. Something familiar. But how familiar. Oh, why, this is the Negro song. And as the archduchess, the ten countesses, the mamas and the girls looked over, Ibolya in the middle of the ballroom leaned her head back, arched her waist, and slender, graceful, seductive, with hellish high spirits, danced the Negro dance. All around a hiss rose up, a familiar, elderly shriek reached her, and among ten stewards who rushed toward her, Ibolya stood with staring, dilated eyes, alone.
Before the stewards could even speak, she already understood everything. In an instant she sobered and understood it all. She had not drunk champagne for a long time; it had made her tipsy. She saw that her companion, the coward, had dropped away from her, and she felt deep contempt for the whole hissing company. In an instant she measured what she would lose. She could keep it, perhaps she could keep it, if she wept and humbled herself. But why? Does she need it?
She still felt the hot strength of the champagne in her blood, and she felt her past year and a half to be absurd, stupid, lost. Had she enjoyed herself? Had she had any pleasure? She had cackled like these other girls. Does she need this? She is Ibolya, not Ágnes.
The stewards still could not speak. Ibolya raised her hand and waved them off.
– You can all burst, she said with perfect calm.
She turned on her heel. She went out. She took her cloak. She was in the street. She stopped for a minute, then with resolute steps set off toward the winter garden.
The Child.
– I have embezzled, said the man.
The woman's face turned deathly pale.
– I have four or five more days. I am going to flee.
The woman said nothing. The man said irritably:
– What are you staring at? Yes, I gambled, I had a mistress. Well!
The woman said softly:
– Perhaps something could be done… Father…
– It can't. It's more than a hundred thousand. I'll gather what I can. I'm leaving tonight. To Hamburg… to America…
– I'm going with you.
Joy shone out on the man's face.
– Oh you dear, you sweet thing. Would you really come? After all, it was always only you I truly loved.
He calmed down at once. He sat down. He made plans.
– I'll take money with me. Over there they appreciate a man who is worth something. If one is clever and has money too, one gets on there. How good it will be not to care about anyone, about anything. To live, the two of us…
– The three of us.
The man stared at her.
– What about the little one? said the woman.
– Oh, surely you don't think we'll take it too! A four-month-old child on such a long journey! We'll leave it with Mama.
– Then I'm not going, said the woman coldly.
The man pleaded:
– But my darling, my dear, my heart.
– No.
The man finally agreed. In the evening they packed some clothes, not much, so as not to arouse suspicion, and went to the railway station. The woman with the little one on her arm. It was autumn, fog; the child coughed.
They did not go into the waiting hall; they lurked outside and slipped furtively into the carriage. The compartment was dirty, damp from the fog, smelling of tobacco; the leather cushions were almost sticky. People came and went, sat down in the compartment, but the child cried, and little by little they were left alone.
The woman busied herself with the child, the man stared out into the darkness and trembled whenever footsteps were heard. The train, rumbling, bored its way into the foggy night.
It was late autumn; the carriages were not yet heated. And the night grew ever colder. As the train raced in among the mountains, frost-flowers settled on the windows. Through every crack a numbing cold hissed in, and the fleeing pair shivered. The child coughed.
Dawn came. On both sides the pines were already covered with snow. Numb-bodied, sleepless and pale, they looked at each other.
– The little one has a fever, said the woman.
The man knitted his brows.
– We ought to find a doctor, the woman stammered.
– Nonsense. There's nothing wrong with that child. Nurse it.
A flush burned on the little one's face. Its poor thin lips were cracked. It did not suck…
– I am going to find a doctor, sobbed the woman.
The man turned brutal. He seized the woman's wrist.
– You stay here. You stay here, or… Do you want to betray me? Do you want them to get on our track?
– But it's ill, I can see it's ill.
– Then why did you bring it along? I didn't want to. You wanted to.
The woman sat. With tearful eyes she stared at her child. With choking, long breaths she swallowed her sobs.
A station came. They had to get out. They ate. Only the man; the woman watched the child.
Then back into the train, on with the long journey. The child fell asleep.
– It's sleeping, said the woman.
– There, you see.
She held it in her arms gently, with trembling care. The train rushed furiously onward, clattering, rattling. The man wearily closed his eyes.
A dreadful scream. The man jumps up. The woman screams frantically:
– Dead! It's dead!
The man stares, numb. He looks at the child: dead. Outside there is movement, and the terrified thought flashes through his brain: this could betray them; no one must find this out.
With his hand he stops the woman's mouth:
– Be quiet, be quiet!
The woman groans, sobbing. The man grinds his teeth.
– Be quiet, be quiet!
Movement arises in the corridor. The man goes out.
– Nothing has happened, he says, a poor, sick, hysterical woman…
He comes in. The woman sobs, choking.
– You will be quiet! he snaps at her. Are you mad? Why did you bring that brat along?
The woman groans in torment. Numbly she clutches the child to herself.
The man commands:
– No one must find out that it has died. It would have to be buried, there would be an inquiry, police, passport – in the end they would arrest us. You must carry it just as before.
The woman looks at him, half mad. She sobs quietly and rigidly clutches the child to herself. Noon. Passengers come and go. The man commands in a low voice:
– Cover its face and tend to it as if it were alive.
The woman's eyes have already dried, and a confused light flickers in them. She obeys. She speaks to the little one, coos to it, then unbuttons her dress at the breast and turns away.
The man watches her suspiciously…
The train keeps rushing, racing, rumbling… Dusk falls. The lamps are lit. Night comes, black and endless… Will there never be a dawn?!
At last! Hamburg!
– We can't get off with the child, says the man. We have to hide it.
The woman is silent.
– In the trunk.
The woman can only protest with a movement of her hand.
– We must! says the man.
He opens the trunk, rearranges things in it. The train's rush slows; it will stop in a moment. The passengers crowd into the corridor. The man reaches for the child. The woman clings to it convulsively.
– You! says the man, and raises his fist. The woman falls back half dead, her hands drop like lead. The train stops. The man seizes the child, the lock snaps once, the porters rush in, and one is already carrying the trunk.
The woman stretches out her hand after it. The man takes the outstretched hand and drags the woman along with him.
They get into a cab.
– The trunk… whispers the woman.
– It's in a good place, says the man.
The cab runs with them toward the sea. They get into a boat. They board a ship. They go into their cabin.
– The trunk… whispers the woman.
– They're bringing it right away.
They bring it. The woman drops to the floor beside it.
– The key!
– No. Someone might open the door and notice.
– Only for a minute… Let me see.
– No. Tonight.
He goes out. He looks at the ship, its layout, where there is a deserted part, how high the railing is. The woman lies inside on the floor and embraces the trunk.
The ship sets out. Loud shouting, clanging, creaking. The man stands on deck and looks at the shore. He goes into the cabin.
– Come to lunch.
– The key, whimpers the woman.
– No, says the man, and goes to lunch alone.
The hours pass. The woman lies on the floor and embraces the trunk. The man paces the deck.
Evening. The saloon slowly empties, the passengers go to bed, the deck is dark.
Nine o'clock.
Ten…
Eleven…
The man goes down to the woman.
– Get up. We are going to bury it.
The woman stares at him uncomprehendingly.
– Into the sea, says the man. I have picked out where we can drop it in unnoticed.
He opens the trunk. Shirts, clothes crumpled in a heap, and the child.
The woman sobs again. She presses the body to herself.
– Let's hurry, says the man.
The woman does not move.
– Well then, you stay here. I'll do it myself…
– No, no! begs the woman.
She gets up. Swaying, she stumbles up the stairs. They are on deck. Total darkness. The man holds her hand. She drags herself after him, convulsively clutching the child.
They reached the railing. The man whispers:
– Here we are.
The clatter of the steam engine is heard, and the rushing of the water as the propeller cuts it. The woman falls to her knees.
– No, no… she stammers in mad terror.
The man flies into a rage.
– Do you want them to catch us?
He reaches for the child. The woman's arms close around the little one as if they were iron clamps.
With brutal force the man tears the woman's arms apart, seizes the child, leans over the railing and drops it into the sea. A splash. The woman collapses full length on the deck, and the man sighs with relief.
Intoxication.
They were walking slowly down a mountain road. Behind them was the gaudy summer resort; before them, still a good way off, the Bárczy villa.
– I thought, said the girl, you wouldn't come at all.
– Coming was easy, said Olt. But staying here will be hard.
– Why?
– I loathe these summer resorts. The hotel is unpleasant, loud, noisy, pushy and demanding in a parvenu way.
The girl reflected. There were a number of empty rooms in the villa, but she could not invite the man there.
– You know what, she said then with brightening eyes, do you have great requirements? Are you very demanding?
– Oh, laughed Olt, not at all.
– Our gardener has a little house not far from here. Last year, when there was such a rush to the Tátra, he let one of his rooms. You could take it. You won't get any great splendour, but comfort, yes.
– Right. Excellent. Splendid.
They set off toward the house. They turned off beside the villa, climbed the hill, and there they were. The little white house stood on the hillside; behind it the rock rose upward, in front of it the slope ran gently down.
– Magnificent, said Olt, what sparkling sunshine I shall paint from here.
– Mistress Julcsa! called the girl.
A tall, stately, strong peasant woman came out of the house. The bargain was struck. Olt got a spacious, bright room with a floor of packed earth.
– I'll have my things brought over this afternoon, he said.
He escorted the girl, then parted from her. In the afternoon he moved into his new lodgings.
– Oh, he said to himself, I am four hundred paces from her.
In both their eyes this was the greatest value of the lodging. They wanted to be near each other, so that they could see each other at any moment, hear each other's voice. This was a beginning love, a fierily, strongly, hotly budding passion. The beginning had been the girl's. The painter was a lazy dreamer, an idle contemplator, a philosopher without energy. The girl had begun to occupy herself with him; she forced interest into his soul, commanded thoughts of her into his mind, smuggled the soft glance of her brown eyes into his soul. In the spring she told him ten times that he must come to the Tátra, and this sweet, hard will mastered the painter's laziness. He loved the girl, but had he not heard in such a commanding way that he must come, his comfort, his laziness, his love of idleness would have kept him away the whole summer, or carried him off somewhere else.
Now it was good that he had come. The girl was near, he did not have to exert himself for her, and her voice, her glance, her whole fresh, fine and radiant presence he awaited thirstily from day to day and hour to hour, and drank in thirstily with his beauty-seeking eyes. They were together almost all day. The painter was often sitting beside his stretched canvas when the girl appeared. She watched his work, waited, then they set off together to roam. Often she just called across for him; and Olt sometimes spent the whole day over at the Bárczy villa. And there was no need for ceremony, no need to change clothes, no need to exchange his soft shirt for a stiff suit of armour. The lazy, hot summer was full of sweet, quiet sensations for him. Like the drizzling soft summer rain, joys fell upon his heart. The idle, effortless, lazy life was beautiful. And the girl was beautiful. Her brown eyes and her delicate slenderness, her voice and her hand were equally beautiful, dear and desired.
She filled his soul entirely, and no other passion could now even approach it. His falling asleep and his waking belonged to the girl too. He thought of her when he fell asleep and thought of her when he woke. He gazed at the low beamed ceiling with eyes still drunk with sleep and said her name:
– Ilona… Ilona…
On the intoxicated bridge between sleep and waking too, his heart was full of her. Fiery passions rose in his blood, and in the passion-rousing drunkenness of sleep he thought of her with a hot longing such as his soft daydreaming never felt at any other time.
Outside it was already a bright, sunny summer morning. The door opened and the woman came in, the gardener's wife. She brought water, on tiptoe, so as not to wake the man.
Olt looked at her with half-open eyes. The woman noticed that he was awake, and swayed her stately, full, swelling figure affectedly. She did not go out at once; she moved about the room, busied herself coquettishly.
Olt's soul, his mind, his blood were full of amorous longing. He was drunk with sleep; he had not yet fully opened his eyes. He looked at the woman's swelling, full figure and in a sleepy daze, on the intoxicated bridge between sleep and waking, said to her:
– Mistress Julcsa.
The woman stepped up to him, smiling. Olt took her hand. The woman let him. Olt embraced her.
… He fell asleep with the thought of the girl, woke with the thought of the girl. For the red, full-figured peasant woman he had not a single thought. The girl's delicate, tender beauty shone with dazzling splendour in his soul. But in the pandering intoxication of drunken waking he always embraced the woman. He thought of the girl. This thought perfumed his dreams, this thought made his waking intoxicated. But there was the woman.
He did not feel that he was committing a betrayal. Every thought and every minute of his belonged to the girl. When the intoxicated embrace of waking came, even then he thought of the girl. His mornings lived in his soul in the form of unconsciousness, intoxication, dream.
One day he woke late. He looked at his watch. Past nine. That was when the woman came in to him.
Outside a warm girl's voice rang out:
– Olt, Olt…
Olt felt the greyness of lead spread over his face. All his blood rushed to his heart, and the frozen terror almost hurt in every limb.
The girl stayed outside. He only heard her voice.
– Olt, come to the lake. What laziness: still asleep.
She did not come in. She went away. Olt could breathe again. But through his heart shivered the thought: what if she had come in. As she had come in at other times, to look at one or another of his pictures. How would she have looked at him? What would he have said to her? How would he have made her understand, with her innocent girlhood, that his only sin is that he becomes intoxicated when he thinks of her.
He dressed in a rush and hurried after her. Outside, in the clear summer morning, he felt that he was guilty after all. Guilty: in his weakness. Guilty: because he has no strength to resist his intoxication.
Until now he had loved the soft, philosophical laziness of his soul; now he thought of it with hatred. With such a soul one can dream away a life, but one cannot take on a duty.
His heart filled with hot tenderness for the girl. He loves her now. He will love her even when she is his wife. But his past, intoxicated mornings made him understand that even then someone need only will it strongly and he will break the faith that he honestly wanted, with all his heart, to keep. He had grown too accustomed to having his desires fulfilled, he had cast off too many restraints in his wise, great laziness, to dare to place the great restraint of an eternal obligation on his passions. The wonderful girl would become an unhappy, weeping, neglected wife. He loved the girl, wanted her happy, and was now certain that with him and through him she could not be.
He looked honestly into his soul and did not find even his love strong enough for the prohibition.
And he loved the girl honestly. And he knew himself to be honest. And he wanted to be honest. He did not go after the girl to the lake. He turned back. He packed. He left.
I.
The Vienna express stood on the first track. I arrived in time. I got in. I put away my handbag and hoped that I would be alone and could sleep through the night. Outside a whistle sounded. The train is leaving. Then – at the last second – a porter burst into the compartment and tossed an elegant handbag up onto the rack. I looked out of the window. The porter jumped out of the carriage and bowed obsequiously to a gentleman who was coming slowly along the platform. He wore a long checked coat; its turned-up collar hid his face. The porter pointed to the carriage, the train had already started, and the gentleman in the long coat stepped up onto the footboard.
There is room for two of us, I thought, and set about claiming one side of the compartment for myself. Behind me the door opened. I straightened up, turned around. We stood face to face. The stranger – in the warm carriage – had already taken off his coat; his hat was in his hand. Startled, alarmed, pale, I stared at him. My breath stopped, my thoughts stopped, and dizziness came over me. Who is this? Who am I? Where am I? Was it I who just now pulled out the couch so as to lie comfortably on it? Or am I the one who has just stepped through the door of a compartment and stands face to face with a pale and trembling man?
Is the man in the long coat not I? Is this not my straight, sharp-cut nose? Is this not my blond hair parted on the left? Is this not my eye, not my mouth, not my lean, muscular figure? The one who stepped into the railway carriage behind me, is he not my shadow, not some deception of my senses, not some phantom: supernatural or fever-born?… But the one standing opposite me moved. He was pale too, his lips twitched with agitation, but he was stronger than I. He moved. He sat down.
I sat down too, exhausted. The train was already racing at full speed. We were in the night, in the rumbling, and we looked at each other, shivering. In that minute I believed in miracles, in every supernatural power. In witches, in accursed souls that wander the world in the shape of black dogs. My soul trembled before the thought: what is going to happen now.
The other moved. He shifted a little nervously, on his forehead the furrow of a firm resolution drew downward, and he spoke:
– Sir, he said in English, forgive the boldness of addressing you without an introduction… I am Lord Torcy Henry.
His hoarse voice too was like mine. But the daze was over. I no longer believed in miracles and superstitions. The whole thing is a rare, amazing, sensational resemblance. This man had come neither from the other world, nor was he my shadow, but a stiff Englishman who after a great inner struggle had decided to introduce himself.
– And I, I answered him, am dr. Vas János, and I find it natural that we exchange a few words. It would have been odd to stare at each other in silence all night.
At that he smiled. I found his smile pleasant and familiar. The next second I realised that this was my smile.
But now we talked rapidly. I struggled a little with the English, but the lord warmed up completely to the conversation and chattered quickly, cheerfully, pleasantly. Wonderful, he kept repeating, wonderful, this resemblance. Even our clothes are the same.
– That is not wonderful, I answered him. Before I set out – I mean to travel for six months – I told my tailor to make me an English-style travelling suit. He put a London fashion paper in front of me, and from that I chose the cut and the cloth.
– But your collar too, your tie too.
– That only means that you have put humanity into uniform.
He laughed again.
– In Vienna, he said, my mother and my fiancée are waiting for me. We are leaving for Italy. But I wanted to see Budapest first. They expect me in the morning. They will mistake you for me.
– A mother and a fiancée: they will not be mistaken.
– They may be, the lord replied heatedly. Your nose, eyes, mouth, forehead, hair are all mine. Even your figure. How old are you?
– Twenty-seven.
– So am I.
He looked at me thoughtfully and shook his head, brooding.
– Sir, they say that I resemble in every feature my grandfather, Broke Tamás, the victor of Gibraltar. Is your family not of English origin? Or did they not live at some time in England?
– No, I answered. My father and my grandfather and my great-grandfather were farming peasants who never went beyond the borders of their county. My mother is a poor woman who has never stirred from her village on the bank of the Tisza. For perhaps five hundred years I am the first of our stock to leave this country.
He shook his head in comical despair. Incomprehensible, incomprehensible.
We talked a while longer, then he took leave of me. He had taken a sleeping compartment, he said, and was beginning to feel sleepy. We shook hands. He went. I lay down too. But I could not sleep. My astonishment had long since vanished. Its place was now entirely taken by a strange, great dejection. All the enthusiasm with which I had ever thought of Englishmen, of England, of English life, English taste and English pride now turned into envy. Why he and why not I? Why is he a lord, why a great gentleman, why does he travel the world like a lordly conqueror, why does his fiancée wait for him in Vienna, and why not for me? I am he, feature for feature, and he is I, to the core? Why then am I the son of a poor country, who toiled with bitter effort for his law degree, who scraped together the money for the journey and begged for the first-class free pass, whom a life full of dirty struggle awaits, and why is he a king of life?
With a bitter soul I tried to sleep. First I tossed about for another hour, but then – the rumble of the train reached my ear in monotonous clacks and jolts – the noise grew ever fainter and sleep drew near me. Out of the silence a hellish crash suddenly thundered. A further boom followed, then the noise of hissing, roaring, grinding cracks broke in on me. The carriage jerked. A further jerk almost split it at its joints. Yet another shock came, and from my dazed lying position I flew against the wall, my head struck the iron rack, and I lost consciousness.
… The sharp air of the early spring morning brought me back to consciousness. I was lying on a stretcher. Around me was lively bustle. I tried to prop myself on my elbow. A gentleman in a white apron hurried over to me:
– Just keep calm. Nothing will be wrong.
– What happened? I asked him.
– The Vienna express collided with a goods train. In a week you will have forgotten the whole thing. You got a big blow on the head; we bandaged it after a fashion; nothing will be wrong. But over there they need us badly.
He hurried away. I looked around. There was a shapeless great bandage on my head, and every movement caused pain. The doctor was already at the next stretcher, where an operation was being performed. I could not watch that. I told some railwayman: take me further off. They carried me a good way off, into the mild morning sun. I felt a little better. I gave my man money and had him tell me what had happened. An ordinary railway catastrophe: a wrongly set switch; noticed at the last minute; the locomotive, the sleeping car, the first two carriages completely smashed; twenty dead; a mass of wounded; the Vienna relief train has been here for an hour, and whoever is alive can travel on in an hour.
I asked for a cigarette. I gazed into the morning sunlight and asked with tired wonder: how did I escape. I was still too weak to be glad of it, and the only feeling that tied me to the world was the joy that my cigarette was good.
Even when the Vienna train set out, I was still dazed, tired and battered. Every particle of me ached, hurt, burned. They put me into the carriage and I leaned my head back half unconscious. The carriage was full of survivors, an alarmed, tired, harried flock. The train, a rolling hospital.
I had not a single complete and definite thought. Ideas, splinters of thought flitted through my mind: rags of intentions and fragments of resolutions. The train raced freely across the sunlit landscape. Vienna is coming soon.
The train stopped. A muffled murmur greeted it. On the platform stood an enormous crowd: these are all looking for someone.
Dizzy, I stepped out: I had to grasp the railing of the step. I stood dazed. Then out of the confused noise a scream breaks out, a slender figure pushes through the crowd, two girlish arms wind
Download Full Next Generation SSH2 Implementation Securing Data in Motion 1st Edition Max Caceres PDF All Chapters

Next Generation SSH2 Implementation: Securing Data in Motion, 1st Edition, Max Caceres
Author(s): Max Caceres, Aaron E. Earle, Devin Ganger, Wipul Jayawickrama, Jan Kanclirz Jr., Dale Liu, Tim Robichaux, Eric S. Seagren, Brad Smith, Christopher Stokes
ISBN(s): 9781597492836, 1597492833
Edition: 1st
File Details: PDF, 7.16 MB
Year: 2008
Language: English
Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Elsevier, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

Unique Passcode 75285725

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

Next Generation SSH2 Implementation: Securing Data in Motion
Copyright © 2009 by Elsevier, Inc. All rights reserved.

Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN 13: 978-1-59749-283-6

Publisher: Laura Colantoni
Acquisitions Editor: Andrew Williams
Developmental Editor: Matthew Cater
Technical Editors: Dale Liu, Max Caceres, Justin Peltier
Project Manager: Andre Cuello
Page Layout and Art: SPI
Copy Editor: Jill Batistick, Judith H. Eby and Michelle Huegel
Indexer: SPI
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Senior Sales Manager, Corporate Sales, at Syngress Publishing; email m.pedersen@elsevier.com.

Library of Congress Cataloging-in-Publication Data
Liu, Dale.
Next generation SSH2 implementation: securing data in motion / Dale Liu.
p. cm.
Includes index.
ISBN 978-1-59749-283-6
1. UNIX Shells. 2. Computer security. 3. Data encryption (Computer science) 4. Computer networks--Security measures. I. Title.
QA76.9.A25L59 2008
005.8--dc22
2008040375
Lead Author and Technical Editor

Dale Liu (MCSE Security, CISSP, MCT, IAM/IEM, CCNA) has been working in the computer and networking field for over 20 years. Dale’s experience ranges from programming to networking to information security and project management. He currently teaches networking, routing and security classes, while working in the field performing security audits and infrastructure design for medium to large companies. He currently resides in Houston TX with two cats. He enjoys cooking and beer brewing with his girlfriend and live-in editor Amy.

Dale wrote Chapter 1, “Introduction,” Chapter 4, “SSH Features,” Chapter 6, “SSH Client Basics,” and Chapter 11, “SSH Command Line and Advanced Client Use.” Dale also technically edited Chapters 1, 2, 3, 5, 6, 7, 8, 9, 12 and 13.

Contributing Authors

Max Caceres is director of research and development for Matasano Security, an independent security firm specializing in providing software and services to help organizations and vendors improve their security postures. Max has over 14 years of product development and security research experience, and is one of the security industry’s leading experts on penetration testing. Before joining Matasano, Max led the team responsible for creating the first automated penetration testing product CORE IMPACT and co-invented several now patented technologies including system call proxying and exploit automation. Max lives in New York City and enjoys spending time with his wife Gabriela and jumping out of airplanes.

Max wrote Chapter 10, “Mac SSH,” and technically edited Chapter 11, “SSH Command Line and Advanced Client Use.”

Dario V. Forte, CISM, CFE, is Adj. Faculty at the University of Milano at Crema, and Founder of the IRItaly Project at DFlabs. Dario, a former police detective and founder of DFLabs, has worked in information security since 1992. He has been involved in numerous international conferences on information warfare, including the RSA Conference, Digital Forensic Research Workshops, the Computer Security Institute, the U.S. Department of Defense Cybercrime Conference, and the U.S. Department of Homeland Security (New York Electronic Crimes Task Force). He was also the keynote speaker at the Black Hat conference in Las Vegas. Dario also provides security consulting. Dario graduated in Organizational Sciences at the University of Torino, with a PGd in Computer Security from Strayer University and an MBA from the University of Liverpool.

Cristiano Maruti, Thomas Orlandi, and Michele Zambelli are security consultants at DFlabs, Italy, and are in the development team of the PTK, the advanced open source forensic interface. Graduated in Computer Science at the University of Milano, Cristiano, Thomas and Michele have written several publications and have contributed to many research projects worldwide. Their research interests are (but not limited to) Digital Forensics, Information Security, Log Analysis, and Information Security Risk Management.

Dario wrote Chapter 7, “The SSH Server Basics,” along with Cristiano Maruti, Thomas Orlandi, and Michele Zambelli, of The IRItaly Project at DFlabs.

Devin L. Ganger is a Messaging Architect for 3Sharp, Microsoft Exchange MVP, Battlestar Galactica fan, Call of Duty 4 addict, writer, speaker, blogger, husband, father, and geek. He is a lover, not a fighter, despite venturing into karate for health and fitness. His current plan of record is to retire from IT “real soon now”, become a dilettante and science fiction novelist and settle down to the challenging second career of ruling a small country with an iron fist.

Devin wrote Chapter 8, “SSH on Windows.”

Wipul Jayawickrama is the Managing Director of Infoshield, a company bringing together the skills, knowledge and expertise in information security to serve clients across Australia, Fiji, Sri Lanka, and Papua New Guinea. Wipul is a Certified Information Systems Security Professional (CISSP) with over 16 years of experience in the IT industry. During this period, he has held diverse roles in both technical and management capacities. As a consultant he has worked with government, financial and corporate clients from a wide range of industry sub sectors. His specializations include SCADA systems vulnerability assessment and audits and risk management. His recent engagements include the establishment of the Sri Lankan National Computer Emergency Response Team and several Lead Security consultant roles in Critical Infrastructure Computer Network Vulnerability Assessments.

Wipul is currently reading a Master’s Degree in Information Security and Intelligence, and holds several Industry certifications in information security. He has presented at many national and international conferences and information security interest group conventions. He is also a SANS GIAC Certified Systems and Network auditor (GSNA) and was recently accredited as an International Information Systems Security Professional Certification Scheme Practitioner (ISSPCS) status. He has been published in the Lecture Notes in Computer Science Series and is also the coauthor of a forthcoming book to be published by British Standards Institute on Integrated Management Systems for Information Security and IT Service Management.

Wipul wrote Chapter 3, “An Introduction to Cryptography.”

Jan Kanclirz Jr. (CCIE #12136-Security, CCSP, CCNP, CCIP, CCNA, CCDA, INFOSEC Professional, Cisco WLAN Support/Design Specialist) is currently a Senior Network Information Security Architect at MSN Communications. Jan specializes in multi vendor designs and post-sale implementations for several technologies such as VPNs, IPS/IDS, LAN/WAN, firewalls, content networking, wireless and VoIP. Beyond network designs and engineering, Jan’s background includes extensive experience with open source applications and Linux. Jan has contributed to several Syngress book titles on topics such as: Wireless, VoIP, Security, Operating Systems and other technologies. When Jan isn’t working or writing books he enjoys working on his security portal and exploring outside adventures in Colorado.

Jan wrote Chapter 13, “SSH Port Forwarding.”

Justin A. Peltier is a Senior Security Consultant with extensive experience in firewall and security technologies. Mr. Peltier currently holds ten certifications in an array of technology and security products and is the author or co-author of several security books, including “Information Security Fundamentals” and “How To Manage a Network Vulnerability Assessment” and is currently working on “Security Testing: Practices, Guidelines and Examinations”. Mr. Peltier has been involved in implementing, supporting and developing security solutions and has taught courses on many facets of IT security including Vulnerability Assessment and CISSP preparation. He has also directed the security practice development and trained at the corporate level with companies like Suntel Services and Netigy. Justin has taught classes for a variety of training institutes and companies all across the United States, Europe and Asia.

Justin technically edited Chapter 4, “SSH Features,” and Chapter 10, “Mac SSH.”

Tim Robichaux is a consultant with over 10 years of experience in Linux and Microsoft Windows integration. Currently working as a Unified Communications Consultant, he continues to provide technical expertise in the field of system integration and administration. He has his MCSE and CCNA and is a former United States Marine. Tim currently lives in the Seattle area with his wife Julie, and three cats.

Tim wrote Chapter 9, “Linux SSH.”

Eric S. Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, CNE-4, MCP+I, MCSE-NT) has twelve years of experience in the computer industry, with eight years spent in the financial services industry working for a fortune 100 company. Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company. While working in the financial services industry, his position and responsibilities advanced steadily. His duties have included server administration, disaster recovery responsibilities, business continuity coordinator, Y2K remediation, network vulnerability assessment, and risk management responsibilities. He has spent the last few years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks.

Eric has worked on several books as a contributing author or technical editor. These include: Netcat Power Tools (Syngress), How to Cheat at Configuring Open Source Security Tools (Syngress), Secure Your Network for Free (Syngress), Designing and Building Enterprise DMZ’s (Syngress), Firewall Fundamentals (Cisco Press), Configuring Checkpoint NGX (Syngress), Hacking Exposed: Cisco Networks (McGraw-Hill), Hardening Network Security (McGraw-Hill), and Hardening Network Infrastructure (McGraw-Hill). He has also received a CTM from Toastmasters of America.

Eric wrote Chapter 12, “SSH Server Advanced Use.”

Brad Smith, RN, ASCIE, MCNPS, CISSP, NSA-IAM, Director and Principal Owner of Computer Institute of the Rockies, began working with computer technology in 1972. His Computer Institute of the Rockies was named the 2005 Microsoft Small Business Partner of the Year. Brad was the first Registered Nurse (RN) / Microsoft Certified Professional (MCP), and is currently the only RN / Certified Information Security Systems Professional (CISSP) in the country. Brad maintains a private practice as an informatics nurse, specializing in information security. From years of nursing practice and with a degree in Clinical Psychology, Brad has an indelible ability to use and understand persuasion techniques and the practice of influence. Brad is a frequent presenter, trainer and lecturer on Neuro-Linguistic Programming, informatics and security topics at a variety of national conferences, including Computer Security Institute, DEFCON, HIMSS and INFOSEC.

Brad wrote Chapter 5, “SSH Shortcomings.”

Christopher Stokes currently works as a network engineer with the Hewlett-Packard Corporation. As an engineer, he has been involved in building many large scale DMZs and security zones. His IT and security experience spans over 14 years with many high profile companies and engineering firms. He has extensive knowledge in the areas of OS hardening, sniffer analysis, firewall technology and vulnerability assessment. In his spare time, he performs research into Internet threats such as viruses, spyware, botnets, application exploits and attack techniques. He has presented the results of his research to many local and federal law enforcement agencies. His interest in security has been driven by the addiction to understand the latest techniques used by hackers. Chris currently holds the following certifications: CCNA, CEH, CNX, NCA, CST, NANS, A+ and Network+.

Christopher wrote Chapter 2, “OSI Model and Then Some.”
Acknowledgments

I would like to dedicate this book first to the Staff, Publisher and Editors at Syngress:
■ Laura Colantoni, Publisher
■ Matt Cater, Developmental Editor
■ Gary Byrne, Developmental Editor
■ And to all of the other contributing authors, editors and copy editors, without these people this project could not have succeeded!

To Tommy and the entire staff of the Bull and the Bear Tavern and Eatery, in Houston Texas! Especially Table #1 where a lot of the book was created and edited, you really have a great place to work!

And finally and most importantly to Amy Mitamura, my Muse, Inspiration, Support and in house Editor, your continued support and understanding were vital for this process to come to completion!

I thank you all!

—Dale Liu
Chapter 1
Introduction

Solutions in this chapter:
■ Why Is There a Need to Use SSH?
■ What SSH Does and Does Not Do
■ Comparison Between SSH and SSHv2
■ What Are SCP and SFTP?
■ SSH and the C-I-A Triad

˛ Summary
˛ Solutions Fast Track
˛ Frequently Asked Questions
Introduction

The purpose of this book is to explore the needs and functions of Secure Shell (SSH). We will endeavor to explain the history of the networks we use today and how they developed and expanded to a point where tighter security became increasingly more important. We will look at how the OSI (Open Systems Interconnect) model and SSH relate to each other and also how to use the OSI model for troubleshooting network connectivity. Then we will look at the role of cryptography and the various methods of encryption from which we can draw. Once we understand the cryptography, we will then look at the actual SSH standards and how this protocol can aid in the secure transmission of controls and commands across the network. Then the various SSH platforms will be discussed and documented. The later chapters will round out the book with topics on port forwarding. So let us embark on our journey with a brief history and introduction to SSH; all aboard!

Why Is There a Need To Use SSH?

In the beginning there were mainframe computers. These large computers allowed programmers to input large mathematical formulas that would take hours or days to solve by hand. These computers could take the same formula and data and solve it in seconds or minutes. As these computers became more flexible and could handle not only mathematical data but also text and numerical information, people began to use them to manage more and more business and research data. Computers became more than just a tool for college and government organizations, as they started to be able to manage business data. As they became smaller and more powerful, tools to input and store data came into being and costs became more reasonable. More customers were in the business world. These computers stored massive amounts of data and people could access these machines in a controlled environment. The topology of the network was called the Centralized Data Model; in this model all the data was stored on one central computer and access was through “dumb” terminals. The terminals themselves had no computer processing power or storage. This protected the data from loss, damage, theft, and spying. In this model encryption was not necessary as the data was never vulnerable to the outside world. People could see only what the administrators allowed through the “green screen,” or dumb terminal.

As computers became more powerful and a need to share data across diverse and distant locations became more prevalent, wide area connections were established. At first these connections were made over analog phone lines using modem (Modulator/Demodulator) technology. There were two types of modems, synchronous and asynchronous. Synchronous modems used a special timing bit in the stream to keep the communications channel operating smoothly. In asynchronous modems, instead of a constant timing bit, the technology used a start and stop bit for each part of the transmission, ensuring each piece of data was received consistently. These analog connections were point to point and it was not easy for people to “listen in” on these connections.

As communications technology progressed and a shared, or interconnected, network of networks developed and more and more “private” data was being transmitted over these open links, encrypted transmission became necessary. In addition to wide area transmission, personal computers also brought about internal or Local Area Networks (LANs). These internal networks allowed computers to transmit and receive data from other computers and servers within
  • 17. Introduction • Chapter 1 3 the building.The data traffic of these devices became subject to eavesdropping by other individuals inside the network.The eavesdropping, also known as packet capturing, allowed internal people to view data they might not otherwise had the privilege of viewing.These two scenarios increased the need for data encryption. For each type of remote connection, there are options on how to secure it. In this book we will focus on remote login/control from a client to a server. In the early days, we had two options. The first was remote login, or RLOGIN (TCP port 513); it allowed us to open a session on a UNIX server and issue commands.The second option was telnet (TCP port 23); both of these protocols use a clear text channel to send and receive information.Any user with a packet capture program like Wireshark™ will be able to see the entire session, including usernames and passwords.As networks became more vulnerable to these types of attacks and data leakage, we needed to protect the sessions. For this connectivity issue, SSH is the answer. SSH employs strong industry recognized encryption methods to protect your data from exposure. It makes no difference if you are using SSH across your local area network or the Internet from Are You Owned? Data Loss, an Inside Job Survey after survey shows that data loss and data exposure are most likely done by people inside the organization. Check out some of the statistics: 61% of respondents think data leakage is an insider’s job. 23% believe ■ ■ those leaks are malicious. McAfee and Datamonitor’s Data Loss Survey, 2007 (requires registration) 85% of organizations surveyed reported that they have had a data breach ■ ■ event. Scott and Scott LLP and Ponemon Institute LLC, May 15th, 2007 One third of companies surveyed said a major security breach could put ■ ■ them out of business. 
McAfee and Datamonitor’s Data Loss Survey, 2007 (requires registration) More than 90% of the breaches were in digital form. ■ ■ 2006 Annual Study: The Cost of Data Breach. Ponemon Institute, LLC, 2007 These statistics can be found at: http://www.absolute.com/resources/ computer-theft-statistics-details.asp
  • 18. 4 Chapter 1 • Introduction a remote location; your data will be secured in these encrypted channels.This software replaces telnet and rlogin as your connectivity method and offers protection to your data. Continued use of rlogin and telnet could be considered a violation of your organization’s security police and in some cases a violation of law; Sarbanes Oxley, for example, mandates that all communications containing financial data must be encrypted. If you are using telnet to create a remote session to a UNIX computer that contains your financial application, you are not in compliance with Sarbanes Oxley. What SSH Does and Does Not Do Is SSH a complete encryption solution for all your network needs? No! SSH is a method of connecting to a remote system and creating a console session for the issuing and executing of commands in an encrypted channel. It is not a remote access method for connecting to a LAN over a wide area connection; it is not a protocol that will encrypt your e-mail over the Internet. It provides for the ability to do the functions of rlogin and telnet with the added protection of encryption. If you were to connect to a remote network (LAN) from a remote location, you would need Virtual Private Network (VPN) technology; to protect your e-mail with encryption, you would need PKI (Public Key Infrastructure), also known as digital signatures. Each type of data and connectivity will have its own type of encryption and protection. If you do not employ some method of protection, you will increase the risk to data exposure and loss. It is important to know the limitations of any type of security solution. SSH’s major purpose is to establish encrypted shell sessions between your client machine and a server of some sort (that server could be an actual Linux, UNIX or Windows server, or it could be a router, firewall or switch). 
Notes from the Underground… Types of Attacks Throughout this book you will be introduced to a number of data attacks; these include man-in-the-middle, replay, packet capture, spoofing, and data manipulation. Each of these attacks can be stopped by adding encryption. This protects your data from view and manipulation, but only if the encryption is strong and implemented properly!
It also gives you the ability to securely copy files from machine to machine. It does not, however, protect data sent outside the encrypted channel. You can use some aspects of SSH to create encrypted tunnels between your e-mail server and a spam filtering system. Once you get past the spam filtering system, you are back to clear text data!

Comparison Between SSH and SSHv2

The major differences between the original SSH and the second version are the added encryption and security features. According to the US Computer Emergency Response Team (US-CERT), there are, at the time of this writing, at least 50 known vulnerabilities with SSH in their database. Over time any protection standard will be weakened by attacks. It was not long ago that the 3DES block encryption standard was unbreakable; now it cannot be used on federal and military networks because it has been breached.

SSH Version 1 was developed by Tatu Ylönen in 1995, which was the year the Internet was first opened to the general public. It was a response to attacks that he detected against his data sessions. Ylönen was a researcher at the Helsinki University of Technology; he gathered a group of researchers to come up with a protocol that would replace the unsecure methods, such as telnet and rlogin, of connecting to shell sessions and stop the exposure of usernames and passwords in clear text. In July of 1995 he released his first version, now known as SSH-1, and by December 1995 the user base of SSH-1 had grown to over 20,000. In 1996 a revised SSH was released by Ylönen; this was called SSH-2 and had increased security by adding stronger hashing algorithms created by Whitfield Diffie and Martin Hellman. These algorithms not only strengthened the protocol, but also, by incorporating industry recognized technologies, made the protocol more compatible across divergent technologies.
In 2006 the SSH-2 protocol became a proposed industry standard by being submitted as an RFC (Request For Comment) to the Internet Engineering Task Force (IETF). See Chapter 4 for references to the RFCs documenting SSH-2 (SSHv2). The volunteers at the OpenBSD Foundation, a Canadian not-for-profit corporation that does not fall under US encryption laws, took the open standards and created OpenSSH, which was derived from code originally released as OSSH. This has become one of the most popular releases of SSH in use today due to its open source license. Figure 1.1 shows the current website of the OpenSSH foundation.

Note

The URL for the US Computer Emergency Response Team is http://www.kb.cert.org. You can search for SSH vulnerabilities there.
Encryption Standards

If you are talking VPN, SSH, digital signatures, and PGP (Pretty Good Privacy), you are talking about encryption and hashing algorithms. In this book we will talk primarily about the algorithms that pertain to SSH. However, most of the technologies and algorithms we discuss will be similar, if not the same as, those used in other secure protocols. Some of the protocols we will discuss in future chapters are as follows:

■ 3DES (Triple Data Encryption Standard)
■ ARCFOUR (Alleged RC4)
■ Twofish symmetric
■ Serpent
■ Blowfish
■ AES, the Advanced Encryption Standard

Figure 1.1 OpenSSH Homepage
These protocols are industry standard protocols that are currently included in the SSH protocol and in other associated commands such as SCP and SFTP. As other protocols are accepted by the industry at large, they will be added to the SSH standards. See Chapter 4 for more information on these protocols.

What Are SCP and SFTP?

SCP (Secure Copy) is a command defined by the IETF in cooperation with SFTP (Secure File Transport Protocol). SFTP has in the past been confused with Simple File Transport Protocol, as both have been referenced by the SFTP acronym. These two utilities allow us to move files and data from one machine to another in an encrypted manner. SCP allows files from one directory on the source machine to be copied to a directory on the remote machine in a scripted, or batch file, structure. See the chapter on command line and advanced SSH for the options and functions of this command. An IETF RFC (Request for Comment) describes these protocols. Both SCP and SFTP operate on TCP port 22, like SSH itself. However, SFTP is not just FTP (File Transport Protocol) over SSH; it is a totally new program developed from the ground up. Table 1.1 compares FTP, SCP and SFTP.

Note

For more historical information on cryptography, check out this URL from Wikipedia: http://en.wikipedia.org/wiki/Cryptography

Note

The command line manual pages for SFTP and SCP (OpenSSH standard) can be located at these locations: http://www.openbsd.org/cgi-bin/man.cgi?query=sftp&sektion=1 and http://www.openbsd.org/cgi-bin/man.cgi?query=scp&sektion=1
SSH and the C-I-A Triad

The C-I-A triad (Figure 1.2) is a balance between confidentiality, integrity, and availability. If any of these is compromised, the data we are trying to protect can be affected in a negative and costly way. Let's take a look at each of these three parts, how they affect the data, and how we protect them.

Figure 1.2 C-I-A (Confidentiality, Integrity and Availability)

Table 1.1 Comparison of FTP, SCP, and SFTP

FTP (File Transport Protocol) | SCP (Secure Copy) | SFTP (Secure File Transfer Protocol)
Utilizes ports 20 and 21 TCP | Utilizes port 22 TCP (SSH) | Utilizes port 22 TCP (SSH)
Clear text interactive file transfer | Encrypted point-to-point file transfer | Encrypted interactive file transfer
High speed/low security | Medium speed/high security | Low speed/high security
64 bit file space (large files over 4GB) | 64 bit file space (large files over 4GB) | 32 bit file space (files less than 4GB)
Not easily used in batch files | Easily used in batch files | Not easily used in batch files
No hashing | Diffie-Hellman hashing | Diffie-Hellman hashing
No industry encryption support | DES, RC4 or AES, 3DES, ARCFOUR (and other industry recommended standards) | DES, RC4 or AES, 3DES, ARCFOUR (and other industry recommended standards)
Supports anonymous access | Requires key pair (PKI) | Requires key pair (PKI)
Not supported in OpenSSH | OpenSSH support | OpenSSH support
Confidentiality is keeping the data secret from people who have no "need to know." The data is the property of your company, and only those people in the organization that have to use, update, modify, or analyze the data should be allowed to have access to it. However, there are people out there both inside and outside the company that want to know your information. These people could be disgruntled internal employees, competitors, teenagers with too much time on their hands, or just people who stumble onto the information due to inadequate protection processes and controls. To protect the confidentiality of your data, you incorporate different layers of protection. You put the people and the data behind a firewall so that only people inside the firewall can see the resource. You apply ACLs (Access Control Lists) that give individuals only the rights they need to see the data; some might need read only access, some might need write only (order entry takers), and some might need read and write access. You employ complex passwords so that people who are not authorized cannot easily gain access, and lastly, and most importantly, you apply encryption.

Encryption keeps people who have no other access to the network than a simple connection from eavesdropping on the line and capturing the data. This protection uses complex algorithms to mask the data on the sending side and the same algorithm on the receiving side. There are two categories of encryption. In symmetric key encryption, the key used to encrypt the data is the same one used to decrypt the data. In asymmetric key encryption, a key pair is generated; one key is public and one key is private. If the public key is used to encrypt the data, then only the private key can decrypt the data.
If, on the other hand, the private key is used, then only the public key can decrypt the file. To ensure true protection, a sender would first encrypt the document with his or her private key and the receiver's public key; this would ensure total data protection, as the two keys required to open the document would be the receiver's private key (that only he or she would have) and the sender's public key (that many may have). It is the fact that both keys (one held by many and one held by one) are required that makes this the best security option. SSH (Secure Shell) uses the dual-key PKI solution for building the encrypted tunnel. This facilitates the secure sending of sensitive data over an unsecure LAN or WAN topology.

Integrity of data is another critical part of the C-I-A triad. If you cannot rely on the correctness of your data, what value can you place in the data? If you cannot ensure that the transactions between you and your system are accurate, this will lead to questions that could jeopardize the reputation of your organization. Once reputation is lost, most people will find other places to do their business. To ensure the integrity of data, you have to make sure that people cannot capture and modify the data stream. The common attacks used against these records are called man-in-the-middle attacks. In such an attack, the hacker hijacks the data stream. Recording the data stream, the hacker will modify something in the data and then allow it to continue on its journey. This attack can work against a server (modifying data before it gets to the server) or against a client (modifying return data coming from the server before it reaches the client). Each part of this triad will utilize many layers of protection.
Integrity can be protected by validating the data, checking that nothing in the stream has been compromised, and having routines that normalize the data as it is incorporated into the system. These steps will help protect the integrity; however, encryption will keep most attackers at bay. As you will see in future chapters, there are some weaknesses in SSH that can expose your data to a man-in-the-middle attack. It is safer to have this layer of protection than not!

Availability, the ability to see the data when and as needed, rounds out this balanced triangle. If you are prevented from accessing the data, no matter how accurate and secure it is, it is useless to the organization. Protecting availability means stopping denial-of-service (DoS) attacks. Connections to the server should be used only by authenticated users to access appropriate data. If these connections are used by attackers to keep people from using them for legitimate business, then availability is compromised. By using PKI encryption methodologies and two-factor authentication, you can prevent some of these issues. Again, as we discussed in each section, multiple layers of protection are needed. SSH, while a strong protocol, is not the answer to all of these issues alone. It is a viable part of your solution; however, it is only a part.
Summary

In this chapter we investigated the history of data transmissions and how we went from the centralized data topology to a distributed topology. We went from private connections to sending private data over public access links via the Internet. We have seen the times change from when our data was saved internally to a point where data theft is more often than not an inside job. We now have to worry about every aspect of our internal LAN networks just as much as we had to worry about our WAN connections. SSH is an answer to this question: Why don't I use rlogin, rsh, rcp, FTP, and telnet? Because if you use them you are exposing your sensitive data to prying eyes. Through the growth of the Internet and the technologies that have been developed around it, data is more vulnerable today than at any point in the past. Laws and legislation have been passed, and more are proposed, that require certain types of traffic (legal, financial, and health) to be securely encrypted whenever they cross unsecure networks. SSH, and its suite of utilities, will replace rlogin, rsh, rcp, and ftp and can create tunnels that protect unsecure data like e-mail and web traffic inside our infrastructure.

You saw the C-I-A triad – Confidentiality, Integrity, and Availability – and how SSH can protect these aspects. We have seen that SSH is not a total answer to your security solution. Layers of defense must be in place, overlapping in some areas to provide a strong security profile. In addition, SSH is not a replacement for VPN or firewalls, as these technologies have functions that apply in other areas of security.

Solutions Fast Track

Why Is There a Need To Use SSH?

✓ Data is no longer centralized in a secure environment.
✓ Communications channels are not point-to-point or private.
✓ Data travels over unsecure public communications channels.

What SSH Does and Does Not Do

✓ SSH encrypts data between a secure client and secure server, thereby replacing rlogin and telnet.
✓ SSH encrypts file transfers using SCP or SFTP in place of rcp or ftp.
✓ SSH does not replace VPN connectivity.

Comparison Between SSH and SSHv2

✓ Hackers have found vulnerabilities in the original SSH that have been addressed in SSHv2.
✓ SSHv2 added stronger encryption technologies, including 3DES and AES.
✓ SSHv2, from the OpenSSH foundation, has become the industry leading version due to its open source and open license. Other versions are commercially available and expensive.

What Are SCP and SFTP?

✓ SCP: Secure Copy lets you send files from a client machine to a remote server, replacing rcp and allowing command line (or scriptable) options for moving files without establishing a session.
✓ SFTP: Secure File Transfer Protocol lets you establish a secure session to move files and execute commands within that session that cannot be eavesdropped on by packet capture tools.
✓ These protocols help ensure data integrity and confidentiality.

SSH and the C-I-A Triad

✓ Confidentiality: Keeping the data from people who should not see it.
✓ Integrity: Ensuring the data is correct.
✓ Availability: Ensuring that people who need to access it can when they need to.
✓ Ensuring the C-I-A triad is balanced will keep your company from losing the most important asset you have: your reputation.
Frequently Asked Questions

Q: Why shouldn't we use Telnet, Rlogin, RCP and FTP?
A: These protocols send sensitive information in clear text, which is vulnerable to packet capture.

Q: What is the best alternative to these protocols?
A: SSH replaces Telnet and Rlogin, SCP replaces RCP, and SFTP replaces FTP.

Q: Can firewalls block my traffic?
A: Yes. TCP port 22 must be open for these protocols to work.

Q: What are the major differences between SSHv1 and SSHv2?
A: SSHv1 has major vulnerabilities that have been addressed by SSHv2.

Q: Where can I find a good open source version of SSH?
A: OpenSSH is the most popular open source version and is available at http://www.openssh.org.

Q: Can I run an SSH client on Windows?
A: Yes, the best GUI/command line client for Windows is PuTTY.

Q: Can I protect other protocols using SSH?
A: Yes, with port forwarding in SSH, you can create tunnels for SMTP (email), POP3 (email), and HTTP (Web) traffic. Remember that only the traffic in the tunnel is encrypted. After it leaves the other server for the Internet, it will be clear text again.
Chapter 2
OSI Model and Then Some

Solutions in this chapter:

■ 50,000 Foot View of the OSI Model
■ Using the OSI Model to Troubleshoot
■ Applying the OSI Model to Forensics

✓ Summary
✓ Solutions Fast Track
✓ Frequently Asked Questions
Introduction

As the title states, this is the OSI model chapter. If you've been in the technical field and read any technical books, you've probably noticed this topic is in many of them. Let me stop you now before you skip over this chapter. This chapter will be different from the typical certification/technical books that are out there. I'll be honest; I personally hate reading the OSI model chapters in the books I have read. It's the first chapter that I want to skip over, so I'm designing this chapter to show you there is an interesting side to the model. I've created this chapter so that it can be applied in the real world. Keep in mind that in order to get to the troubleshooting and forensics section, you still need to understand the basic functionality of the OSI model, so bear with me and I'll show you a side of the OSI model you've never seen before. The OSI portion of this chapter is short in comparison to the other topics. The majority of the chapter is on how to apply the OSI model to real-world scenarios.

50,000 Foot View of the OSI Model

The Open System Interconnection (OSI) model was created by the International Standards Organization (ISO) in the late 1970s and early 1980s. This model consists of seven layers that separate the tasks, services, and protocols into various layers of the stack. The word stack is used to define the layers that are set upon each other. The higher you go in the stack, the closer you are to the application. The opposite is also true; as you travel down the stack, you're getting closer to the layers that deal with specific network functionality. The layers are usually stated from the top down due to how applications communicate: application, presentation, session, transport, network, data link, and physical. OSI is nothing more than a reference model to help guide the development of new protocols and applications. You will not find it running on the network like TCP/IP or IPX/SPX.
Originally it was developed as a protocol stack with the intention that it would become widely used. It was designed to be vendor neutral and cross-compatible between operating systems. OSI never did take off as a protocol but in time became a model used to help describe what should occur at each layer. The model allows programmers to focus on how their program will talk to the network portion of the stack. This saves the programmer work, and it keeps the industry from having a whole bunch of proprietary network protocols that are based strictly on a certain application. As long as vendors base their applications on the OSI model, existing protocol stacks can be used and software integration will be possible with other vendors.

The OSI model is broken down into more layers than other protocol stacks such as TCP/IP or IPX/SPX, which allows for a better definition of what should happen at each level. Each of the protocol stacks has some similarities in each of the layers. Some protocol stacks have layers that are combined differently than others, but overall they can be mapped back to the OSI model. For instance, the upper three layers of the OSI model are equally comparable to the single application layer in the TCP/IP stack. (The words protocol stack and protocol suite will be used interchangeably throughout the chapter. Both refer to the alignment of protocols in a vertical manner.)

There will be many references to the TCP/IP protocol stack in comparison to the OSI model so that real world examples of how it's used today can be shown. The TCP/IP protocol suite serves the purpose of allowing one networked system to talk to another. Each layer in the stack receives help from the layer below it and provides help to the layer above it. The Internet layer would receive the segment from the transport layer and then place a header onto it to include the source and destination IP address along with source and destination port numbers. Once the header is combined with the existing segment, it sends the combined information off as a packet to the Network Interface Layer, which then adds another header to create a frame. The process of encapsulation is repeated throughout most of the transition from layer 7 to layer 1, as shown in Table 2.1. When the remote side receives the frame, the reverse process is done in order to strip away the layers until only the data is left.

Note

Each layer in the stack has many protocols that operate at each of the levels. TCP/IP would use different protocols at various levels of the stack than the IPX/SPX protocol would. Don't be confused when you see that each level has many protocols that can operate there. Not all of them operate at the same time, nor do they belong to the same protocol stack. It really depends on what protocol stack is being used at the time.

Before we get too far, let's define exactly what a protocol is. A protocol is nothing more than a set of rules and guidelines. The word protocol, as applied to networking, defines how data should be structured so that it can be sent across the network. When you add the protocols from each of the layers together, you end up with a protocol stack. This section of the chapter will give you ideas of what processes occur at each layer of the stack. Once the foundation is covered (Table 2.2), there will be two scenarios on how to apply the OSI model.

Table 2.1 This Example Shows the Mapping of Layers Between the OSI Model and the TCP/IP Protocol Stack
The word encapsulation is a term we need to discuss before walking through the layers of the OSI model. Encapsulation provides the ability to package extra information with the original data in order to tell the network where to send it. For instance, you cannot place data from the application layer onto the network and expect it to get to the destination. You have to tell the operating system to send the data to the computer that contains an IP address of X and a MAC address of Y. Encapsulation (Figure 2.1) allows you to add this additional information in order to guide the data. The computer sending the data will take the data and encapsulate it at each of the layers as it travels down the stack. When the destination host receives the information, it will do the reverse process by stripping away each of the encapsulated layers until only the data is left. Each of the layers in the stack knows only how to strip away the encapsulated header and footer that relates to the same layer in the sending host's protocol stack. An example would be that the network layer on the sending host side encapsulates the information while only the network layer on the receiving host can reverse the process of that same layer.

Figure 2.1 Encapsulation Process at Each Layer of the Protocol Stack

Table 2.2 Flow of Data Through the Protocol Stack from Host A to Host B

LAYER | HOST A | HOST B
7 | Application | Application
6 | Presentation | Presentation
5 | Session | Session
4 | Transport | Transport
3 | Network | Network
2 | Data Link | Data Link
1 | Physical | Physical

Application Layer (7)

Communication between two networked devices starts at the application layer. This layer is sometimes confused by people who think that the "application layer" refers to the applications with which the user interfaces. This is actually not true. The application layer refers to the protocols that operate at this layer. Thus, if a program needs to send data across the network to another computer, it will pass the data down to the application layer with instructions on what to do with it. A web browser, for instance, does not operate at the application layer but the Hypertext Transfer Protocol (HTTP) does. The web browser uses the HTTP protocol in order to communicate. An API (application program interface) (Figure 2.2) is found between the Web browser and the HTTP protocol. The API is responsible for talking to the application layer protocols.

The following is a small list of protocols that operate at the application layer. The easiest way to think of this is to picture what you type into the URL string for your web browser. For instance, if you want to go to Google, you would type "http://www.google.com," which would use the HTTP protocol to access the web server at Google. Whatever URL you choose, it's going to start with HTTP, FTP, or something of that nature. These references are telling the web browser with which protocol to communicate.

■ HTTP: Hypertext Transfer Protocol
■ SMTP: Simple Mail Transfer Protocol
■ POP3: Post Office Protocol version 3
■ IMAP: Internet Message Access Protocol
■ FTP: File Transfer Protocol
■ TFTP: Trivial File Transfer Protocol

Figure 2.2 How the User Interfaces with the Protocol Stack

Presentation Layer (6)

The presentation layer receives the data from the application layer and translates it into a format and syntax that's readable by other computers. In order for the other systems to recognize this data, it's converted into a generic format that is not application specific. This layer doesn't care what the actual data is. It's merely a translation stage for data formats. Thus, as the application passes the data down the stack, it's translated from what the application understands to a generic format. The system that ends up receiving this data does the reverse process by translating the generic data format into a format understood by that computer. Various operating systems and applications may expect the data to be presented a certain way. The presentation layer provides the ability to translate the data to suit the application's needs. Some of the format types found in this layer are as follows: ASCII, EBCDIC, JPEG, MPEG, TIFF, Binary, and so on. This layer is also able to provide encryption and compression if the application layer asks it to do so.

Session Layer (5)

The session layer is responsible for managing the conversations between the local and remote applications from start to end. This includes starting the session, making sure it stays established, and then closing the connection when finished. There can be one or more sessions occurring at the same time between two network-connected hosts. The session layer is the layer responsible for keeping track of each of these sessions so that there is no confusion between the various conversations that may be occurring at the same time. A web server may have thousands of sessions occurring due to people browsing its Web site. It's up to this layer to manage every one of those sessions. This layer may be better understood if we describe the communication modes that can occur here:

1. Simplex: Communication flows in one direction
2. Half-duplex: Communication in both directions, but only one side can speak at a time
3. Full-duplex: Communication in both directions, and both sides can speak at the same time

Transport Layer (4)

The transport layer takes the data from the session layer and splits it up into smaller pieces of information that are the right size for network transmission.
Before sending the data out, this layer makes a checklist of how to ensure that the other side has received all the data and that it is not damaged in any way. It does this by performing a handshaking process prior to sending the data. That handshaking process determines the amount of data to be sent, how to judge if some of the data was lost in the transmission, and how to verify the data was not corrupted. The process that's performed in this layer is often confused with the session layer. The difference between them is that the transport layer is building sessions between the end devices whereas the session layer is building sessions between the applications. There are three protocols that work at this layer: TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and SPX (Sequenced Packet Exchange).

TCP is a connection-oriented protocol, which means it will set up a reliable connection between hosts before sending any data. There are actually three phases used by TCP: connection setup, data transfer, and connection tear-down. In the connection setup phase, transmission parameters are negotiated between the end points. TCP uses the SYN, SYN/ACK, and ACK flags to let both sides participate in the negotiation of how much data should be sent at a time, along with flow control and how to detect errors while recovering from them. Once the agreement is made between the hosts, the data can be sent. If one of the hosts detects a problem with the received traffic, it will request the segment to be retransmitted. This ensures that the data is error free and completely received by the destination. TCP uses acknowledgements (ACK) in order to tell the sending computer that it has received the expected amount of data and that the integrity of it is good. Any data not acknowledged is re-sent to the destination as it is assumed lost. Finally, when the conversation is done, the transport layer closes the conversation between hosts by sending an ACK/FIN (acknowledged finish) packet. The opposite end responds back with an ACK (acknowledgement) that it received the ACK/FIN. Once both sides agree to end the session through the use of acknowledgements, the conversation can close.

A connectionless protocol such as UDP doesn't have the three-phase approach like TCP. It just sends the data as soon as it's ready and assumes the end point receives it all. UDP expects the application to put the data back together instead of the protocol used in this layer.

Network Layer (3)

It is the network layer's responsibility to discover the layout of the network. This layer determines if communication will stay on the same network or will be routed. The network layer does not guarantee that data will get to the destination. It relies on the transport layer for that functionality. The network layer is able to determine if the source and destination hosts are on the same network by inspecting the IP address and subnet mask set on each.
If the hosts happen to be on different networks, then routing is needed for them to communicate, and this layer can perform that function. Thus, to generalize this statement, the network layer allows one logical address to communicate with another logical address, whether they are on the same or different networks. The term logical address refers to an IP address that you would assign to a computer or network connection device. Each host on the network must have a unique IP address. A few of the more commonly known protocols that operate at this layer are IP (Internet Protocol), ICMP (Internet Control Message Protocol), and IPX (Internetwork Packet Exchange). Protocols in this layer work in conjunction with protocols in the transport layer. For instance, TCP at the transport layer works with IP at the network layer, thereby creating TCP/IP.

Figure 2.3 is an example of communication between two network hosts on different networks. The point of this diagram is to show how the data will travel in order to get from one host to another. On HOST A, the data is encapsulated as it's passed down the protocol stack. At the physical layer, it's converted into voltage, frequency, or light so that it can be sent across the network. It may need to pass through several networks before arriving at a router that contains an interface in the same network as the destination host. Notice that not all network devices will use the entire protocol stack to communicate. A router operates at the network layer and is able to guide the traffic to the correct location based on the IP addresses. It doesn't care about the application itself; it cares only about getting the packet to the end host. Once the data gets to the router that has an interface located in the same network as the destination host, it then will resolve the IP address to the MAC address and forward it to the switch. From there the switch directs the traffic based on MAC address to the correct network port where the device is connected. HOST B receives the information and performs the opposite procedure of HOST A. It strips each of the encapsulated layers off as it goes up the stack until it has only the data left.
Data Link Layer (2)

The data link layer takes the packet from the network layer and breaks it into frames. The header in this layer provides the source and destination MAC addresses. It is the data link layer that will convert the data into binary digits such as 1 and 0 and then prepare them for the physical layer. This layer has to be aware of what type of network interface card (NIC) is being used in order to prepare the packet in a certain way. A frame prepared for Ethernet format would not be understood by a network set up with Token Ring. Thus, this layer takes the network interface into consideration before converting the packet. Cyclic Redundancy Check (CRC) is another feature found in the data link layer that provides the ability to detect if a received frame was damaged. This checking feature is normally done by the LAN switch or WAN frame relay switch.

Layer 2 devices that operate at this level are switches and bridges. They work by guiding the traffic to a destination based on the MAC address. The MAC address is a unique series of numbers and letters used to identify a certain network card. They are sometimes referred to as the physical address because this address is hard coded into the network card. A switch can direct traffic to the correct computer only if it’s aware of what port the computer’s network card is attached to. This is done by the computer presenting the MAC address from its network card to the switch when it first comes online.

There are a variety of protocols that work at this layer. Some are used by hosts and others by network devices such as switches. STP (Spanning Tree Protocol) and RSTP (Rapid Spanning Tree Protocol) are examples of protocols used by switches in this layer. They provide the ability to make sure there is only one layer 2 path to get to a destination. PPP (Point-to-Point Protocol) and L2TP (Layer 2 Tunneling Protocol) are used by hosts.
PPP provides the ability for a host to make a connection with a remote side using a modem. L2TP allows a host to connect to a remote side using a secure connection.

Physical Layer (1)

The last layer in the protocol stack is the physical layer, which converts the binary information presented from the data link into electrical signaling. This layer also takes into consideration the network interface card for the reason that it needs to know what kind of signaling to send through the media. An example would be the difference between a network card using a fiber interface and one using an unshielded twisted pair (UTP) interface. Each presents the information differently to the media. Network cards with fiber interfaces require the binary information to be converted to light patterns, whereas UTP cabling uses voltage and frequency variations to communicate. The physical layer also provides features to determine the speed (i.e., 10, 100, or 1000 MBs) at which to transmit the data, along with what to do in case line noise or cross-talk occurs.

Figure 2.3 Routers Are Network Devices that Do Not Use the Entire Protocol Stack

Using the OSI Model to Troubleshoot

For the purpose of this section, the TCP/IP protocol stack will be the primary focus as it is what the Internet is based on. It then will be compared to the OSI model to give you an idea of where sections of this chapter fit. The following few paragraphs are based on an actual problem, but applied to a fictional company. The method used to troubleshoot this scenario can be used to fix many connectivity problems. It is based on testing devices and services that operate at each layer of the TCP/IP stack.

Scenario: E-tronix Inc. is a company that uses its Web site to sell electronics over the Internet. Recently the internal Web site that is used to fulfill the orders is not accessible by the company’s staff. The goal of this section will be to troubleshoot why the Web site cannot be accessed. A chart will follow at the end of the story that shows the troubleshooting steps and how they relate to the various levels of the OSI model versus the TCP/IP protocol stack.
Your name is John Smith, and you work as an IT professional for E-tronix. Your responsibility is to provide technical support and troubleshooting whenever the business needs it. The date is currently June 17, 2008, and it’s the early morning. You’ve just fallen asleep when your cell phone rings. The phone has caught you off guard and startled you. The first thing that goes through your mind is to make the phone pay for disturbing your rest, but instead you decide to look at the phone number that’s on the display. You’re quite familiar with the number displayed as it’s the E-tronix support desk. The following conversation occurs on the phone call:

Ring…

John: Hello, this is John.

Helpdesk: Hi John, this is Brian from the help desk. We currently are not able to access the internal Web site in order to satisfy the orders placed from the Internet. Please look into the situation right away.

John: Alright Brian, I’ll look into it.

Helpdesk: Thanks John, bye.

You yank the covers off in the bed and hobble down the hallway to the home office where your laptop is located. For times like these, you’ve purposely left the laptop running and remotely connected into the company’s network. The first step you perform is testing access to the Web site by opening the web browser and typing the URL into the address bar. As expected, nothing occurs. The browser indicates that the page cannot be displayed. Just to cover all areas, you decide to start from square one and walk through everything that needs to occur in order for you to access the Web site. The following is a walkthrough of the commands you performed in order to review the problem.
Step 1. Make sure DNS resolves the Web site name properly. You’re looking for the name orders.etronixinc.com to resolve to an IP address. Figure 2.4 is the output of the nslookup command that you ran from the command prompt on your laptop. DNS seems to be working properly as it responded with the IP address related to orders. You decide to move on to checking the network connectivity.

Figure 2.4 Nslookup Is Used as a DNS Verification Test

    C:\Documents and Settings\jsmith>nslookup orders.etronixinc.com
    Server:  ns1.etronicinc.com
    Address:  192.168.1.200

    Name:    Orders.etronixinc.com
    Address:  192.168.1.10

Step 2. Check to see if the HTTP service is running on the server by telneting to the server on port 80, as shown in Figure 2.5. This test allows you to verify if the problem is related to the service or the actual web content. The connection to the HTTP service on TCP port 80 failed. This tells us one of two things: either the web service is down or the server has a network connectivity problem. Next we need to test if the server will respond to pings, which will prove if there is network connectivity.

Figure 2.5 Telnet Can Be Used to Test TCP-Based Ports for Connectivity

    C:\Documents and Settings\jsmith>telnet 192.168.1.10 80
    Connecting To 192.168.1.10...Could not open connection to the host, on port 80: Connect failed

Step 3. Make sure that the server responds to basic network-testing commands like ping. The ping command is able to test connectivity by sending a series of ICMP echo packets to the destination host. If the destination host receives them, it will respond back with an ICMP echo-reply. The results of the ping test will tell you if packets were received or lost, as shown in Figure 2.6.

Note
In testing scenarios like these, you need to be aware if there is a firewall that may be blocking traffic. The firewall has configurations that either allow or deny traffic based on source address, destination address, and port. Pay attention to the response messages from the telnet command. They give you hints as to whether the problem is firewall or service-related. Messages will vary between Linux and Windows operating systems. A couple of examples are shown below:

    telnet: Unable to connect to remote host: Connection timed out
    telnet: Unable to connect to remote host: Connection refused
Figure 2.6 Ping Will Respond Even if the Application Is Down

    C:\Documents and Settings\jsmith>ping 192.168.1.10

    Pinging 192.168.1.10 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.1.10:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

This test proved that the IP communication found in layer 3 of the TCP/IP stack is not working because our pings failed. In order for layer 3 to work, layers 2 and 1 need to be working also. Thus, the next test will be on layer 2.

Step 4. Prove that the switch can see the MAC address of the server. This will tell us that layer 2 is functioning. Traffic cannot make it to the server if the switch cannot find the server’s MAC address. E-tronix happens to use managed Cisco switches that give the support technicians the ability to log in to them and do troubleshooting. We start by locating the port to which the server is connected. It shows us that the server is connected on Fast Ethernet port 0/9 using a speed of 100 and a duplex setting of full. That doesn’t fully tell us that the connection is working, so we need to go one step further by seeing if the switch has seen a MAC from the server on Fast Ethernet port 0/9. In this case, it has not, as there was no response to the second command. See Figure 2.7 for what a non-working MAC reply looks like and Figure 2.8 for a working MAC on the port. No MAC address was seen by the switch on the port, so layer 2 connectivity is not working correctly.

Figure 2.7 Data Cannot Get to Its Destination if the MAC Is Not Visible on the Network Switch

    Switch#Sho int status | include orders
    Fa0/9    orders webserver    connected    7    A-Full  A-100  100BaseTX/FX
    Switch#Sho mac-address-table int fa0/9
    (no MAC displayed)

Figure 2.8 Sample of How a Working Connection Would Show Up on a Switch

    Switch#Sho mac-address-table int fa0/2
    Non-static Address Table:
    Destination Address  Address Type  VLAN  Destination Port
    -------------------  ------------  ----  --------------------
    00e0.8105.2682       Dynamic       7     FastEthernet0/2
In Step 4, we proved that layer 2 is not working because the switch is not able to see the MAC address of the server. We have only layer 1 left to check, and that deals with the physical connectivity. This leaves only a few possibilities: the server’s network card, the patch panels, the cable, or the switch port. Unfortunately, checking each of these will take time.

Step 5. We arrive at work and walk into the server room where the web server is located. While looking at the network card in the server, we see that it does not have a link, which is odd because the switch showed a link. We remember seeing an issue just like this. The problem was due to a cable issue where the receive (rx) strand was damaged. Because it’s now 2 a.m., the last thing we feel like doing is changing out the cable. It occurs to you that the physical layer problem may be as simple as a loose cable. You go to the server, patch panel, and switch and reseat the cable ends. You find that at the patch panel there was a loose Ethernet connection and that reseating it solved the problem.

Validation and summary: Two steps are needed to validate that the server is online and functioning. We need to prove that the server has network connectivity and that the web service is running. False indications might occur if you test the web service only at the application level. You might think that the server is down if you cannot connect to the service, but in reality, it might only be the web service that’s not started. Thus, by using ping, you test the lower and mid layers of the stack; while using telnet to test the service, you check the mid and upper layers. The following tests were performed to validate that the server was back online. The second line of each command was added to include DNS in the test.

    ping 192.168.1.10
    ping orders.etronixinc.com

    telnet 192.168.1.10 80
    telnet orders.etronixinc.com 80

The ping showed us replies back from the destination, and the telnet showed HTTP information. Thus, the test of the web server passed. Let’s review what steps occurred and where they fall in the protocol stack. Table 2.3 shows the mapping of steps to the TCP/IP stack and the OSI model.
Table 2.3 Troubleshooting Steps and How They Map Back to the OSI Model

    Layer #  OSI Model Description  TCP/IP Stack       Troubleshooting Steps
    7        Application            Application        Test connectivity using telnet to the TCP service.
    6        Presentation           Application        Is the data being presented correctly to the server?
    5        Session                Application        Use a sniffer to see if sessions start, stay connected, and end properly.
    4        Transport              Transport          Use a sniffer to inspect the TCP 3-way handshake.
    3        Network                Internet           Is the IP address of the network device pingable by the router, firewall, or others? Use traceroute to see if you can reach the destination device.
    2        Data Link              Network Interface  Does the switch see the MAC address of the connected device? Use “arp –a” to see if the computer sees any other MAC addresses.
    1        Physical               Network Interface  Check cables, network cards, and lights.

There’s one last test worth mentioning, and it works well in situations where there is a host firewall that’s blocking ICMP packets. This particular test works only with hosts found in the same network. The test will tell you if a device is online even if a host firewall is blocking ICMP. This test uses a combination of ping and checking the ARP table on the tester’s computer. For the purpose of this test, we have two IP addresses: one IP (192.168.1.10) is on a server with a local firewall turned on and the other IP (192.168.1.9) is not associated with any connected device. Essentially 192.168.1.9 is used to simulate a device that has a network connectivity problem. Open three DOS windows by clicking START | RUN and typing cmd. In one window, ping 192.168.1.9; in the second window, ping 192.168.1.10; and in the third window, type “arp –a”. Let the ping attempts fail twice before running arp –a in the last window. You’ll need to perform the arp –a before the pings end. Output for the pings is shown in Figures 2.9 and 2.10 respectively.
Notice in the output that there is a valid entry for the server and an invalid entry for the non-existent device. These commands were run from John’s laptop within the same network. As I mentioned, this test works only with hosts in the same network. If you had a scenario where the hosts were on different networks, you could do a similar test but you would need to do the ping and arp test from the router or firewall that had an interface in the same zone as the end devices, as shown in Figure 2.11.

Q: So why does this work if ping is failing?

A: The reason this is working is because John’s laptop does an ARP broadcast asking who has the IP prior to pinging it. The server is able to respond back but the non-existent device cannot. Therefore, John’s laptop fills in the non-existent entry with all 0’s. The firewall on the server is filtering layer 3 but not layer 2.

Figure 2.9 Sample Ping to a Non-Existent Device

    C:\Documents and Settings\jsmith>ping 192.168.1.9

    Pinging 192.168.1.9 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.1.9:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Figure 2.10 Ping Command Run Against the Server with the Firewall Activated

    C:\Documents and Settings\jsmith>ping 192.168.1.10

    Pinging 192.168.1.10 with 32 bytes of data:

    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.1.10:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Figure 2.11 arp Command Used to Show the Difference Between an Invalid and Valid arp Response

    C:\Documents and Settings\jsmith>arp -a

    Interface: 192.168.1.200 --- 0x3
      Internet Address      Physical Address      Type
      192.168.1.1           00-02-b3-9d-d9-1a     dynamic
      192.168.1.9           00-00-00-00-00-00     invalid
      192.168.1.10          00-0c-29-00-6a-fc     dynamic
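The ping-then-arp test described above, as an added Python example (not code from the book): it parses Windows “arp -a” output in the format of Figure 2.11 and classifies each pinged host as answering at layer 2 (ICMP possibly filtered) or as absent. The sample table is constructed from the figure's values; run_live_test assumes a Windows host with ping and arp on the path.

```python
"""Classify hosts from Windows 'arp -a' output after pinging them.

Added example, not the book's code. A populated ARP entry means the host
answered the ARP broadcast at layer 2 even if its firewall drops ICMP; an
all-zero/invalid entry means nothing answered the broadcast at all.
"""
import re
import subprocess
from typing import Dict, Tuple

# Constructed sample modelled on Figure 2.11 (not a copied capture).
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.200 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1           00-02-b3-9d-d9-1a     dynamic
  192.168.1.9           00-00-00-00-00-00     invalid
  192.168.1.10          00-0c-29-00-6a-fc     dynamic
"""

# One entry row: dotted-quad IP, dash-separated MAC, entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)
NULL_MAC = "00-00-00-00-00-00"


def parse_arp_table(text: str) -> Dict[str, Tuple[str, str]]:
    """Return {ip: (mac, type)} for every entry row in 'arp -a' output."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            table[ip] = (mac.lower(), kind.lower())
    return table


def classify_host(ip: str, table: Dict[str, Tuple[str, str]]) -> str:
    """Interpret the ARP entry of a host that was just pinged."""
    entry = table.get(ip)
    if entry is None:
        return "no-arp-entry"        # ping never ran, or the cache entry expired
    mac, kind = entry
    if mac == NULL_MAC or kind == "invalid":
        return "no-device"           # nothing answered the ARP broadcast
    return "layer2-reachable"        # host answered ARP; ICMP may be filtered


def run_live_test(ips, ping_count: int = 2) -> Dict[str, str]:
    """Ping each IP, then read the ARP cache before the entries age out (Windows)."""
    for ip in ips:
        subprocess.run(["ping", "-n", str(ping_count), ip], capture_output=True)
    out = subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout
    table = parse_arp_table(out)
    return {ip: classify_host(ip, table) for ip in ips}


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for ip in ("192.168.1.9", "192.168.1.10", "192.168.1.11"):
        print(ip, classify_host(ip, table))
```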
Applying the OSI Model to Forensics

The following pages contain a real scenario captured from an infected Windows XP computer that was running IIS with web services enabled. The scenario has been slightly changed to fit into story form. I will run through the scenario and then tell you how it applies to the TCP/IP stack, which will be mapped back to the OSI model.

Ring, Ring…

Bill: Hello, this is Bill from Security.

Helpdesk: Hi Bill. This is Nancy from the Helpdesk. I need your assistance in figuring out a problem that many users are having. Just shortly after 9 a.m., the helpdesk started receiving calls from several users, who were complaining of slow responses back from the web server. Around the same time, we started receiving alert notices from the intrusion detection system of possible virus activity from the same server. Prior to calling you, we worked with an administrator from the server team to confirm that the server’s antivirus and Microsoft patches were up to date. Can you go check out the web server and see what’s going on? If you find a virus, please gather a sample of the executable so that we can send it off to the antivirus vendor. This will allow them to create a new definition to detect and correct this strain of virus.

Bill: No problem Nancy, I’ll gather my tool kit and go over there right now.

Bill walks over to the server room and heads back to where the server is located. He starts to log in and notices that even the login process is really slow. He has two suspicions: the first is that there is a connectivity problem with the domain controller that provides the authentication and the second is that some process is using up all the processing power on the server. The server eventually logs him in, so he disregards his first thought. He starts by opening a command prompt window on the web server and types “netstat –ano”. The results he sees are kind of disturbing. The output of netstat normally is contained within a few screens, but now it is showing 20+ screens worth of information. Figure 2.12 shows what he saw. Based on this output he was able to make the following determinations:

■ TCP 6667 is used for IRC.
■ The web server was scanning for other web servers on TCP 80. This is typical behavior of a virus trying to spread.
■ There was an unknown process connecting to another server on TCP 65520.
■ Each of the sessions using TCP ports 80, 6667, and 65520 had an associated PID (Process ID). This allowed him to relate the network traffic with a service running on the web server.
Note
The following Web sites can be used to find out the uses of different TCP and UDP ports. The first Web site shows ports for normal services; the second shows ports for malicious services.

■ http://www.iana.org/assignments/port-numbers
■ http://www.neohapsis.com/neolabs/neo-ports/

Figure 2.12 Output of the netstat –ano Command Done on the Web Server

    Active Connections

      Proto  Local Address          Foreign Address        State           PID
      TCP    0.0.0.0:7              0.0.0.0:0              LISTENING       1648
      TCP    0.0.0.0:9              0.0.0.0:0              LISTENING       1648
      TCP    0.0.0.0:13             0.0.0.0:0              LISTENING       1648
      TCP    0.0.0.0:17             0.0.0.0:0              LISTENING       1648
      TCP    0.0.0.0:19             0.0.0.0:0              LISTENING       1648
      TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1572
      TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       784
      TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1572
      TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       832
      TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       1400
      TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       1572
      TCP    0.0.0.0:1033           0.0.0.0:0              LISTENING       1764
      TCP    0.0.0.0:1043           0.0.0.0:0              LISTENING       4
      TCP    0.0.0.0:1129           0.0.0.0:0              LISTENING       552
      TCP    0.0.0.0:1130           0.0.0.0:0              LISTENING       2120
      TCP    0.0.0.0:1131           0.0.0.0:0              LISTENING       1196
      TCP    0.0.0.0:1801           0.0.0.0:0              LISTENING       1764
      TCP    0.0.0.0:2103           0.0.0.0:0              LISTENING       1764
      TCP    0.0.0.0:2105           0.0.0.0:0              LISTENING       1764
      TCP    0.0.0.0:2107           0.0.0.0:0              LISTENING       1764
      TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING       1048
      TCP    68.60.175.83:1129      63.138.101.136.6667    ESTABLISHED     552
      TCP    68.60.175.83:1130      210.202.247.102:65520  ESTABLISHED     1148
      TCP    68.60.175.83:2201      68.60.3.150:80         SYN_SENT        2120
      TCP    68.60.175.83:2202      68.60.179.215:80       SYN_SENT        2120
      TCP    68.60.175.83:2203      68.60.197.53:80        SYN_SENT        2120
      TCP    68.60.175.83:2204      68.60.235.215:80       SYN_SENT        2120
      TCP    68.60.175.83:2205      68.60.110.73:80        SYN_SENT        2120
      TCP    68.60.175.83:2206      68.60.254.143:80       SYN_SENT        2120
      edited... the above SYN scan for TCP 80 occurs for many pages
      UDP    0.0.0.0:7              *:*                                    1648
      UDP    0.0.0.0:9              *:*                                    1648
      UDP    0.0.0.0:13             *:*                                    1648
      UDP    0.0.0.0:17             *:*                                    1648
      UDP    0.0.0.0:19             *:*                                    1648
      UDP    0.0.0.0:500            *:*                                    616
      UDP    0.0.0.0:1030           *:*                                    1016
      UDP    0.0.0.0:1032           *:*                                    1764
      UDP    0.0.0.0:1034           *:*                                    1016
      UDP    0.0.0.0:3456           *:*                                    1572
      UDP    0.0.0.0:3527           *:*                                    1764
      UDP    68.60.175.83:123       *:*                                    832
      UDP    68.60.175.83:1900      *:*                                    1048
      UDP    127.0.0.1:123          *:*                                    832
      UDP    127.0.0.1:1900         *:*                                    1048
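The determinations Bill draws from Figure 2.12, as an added Python example (not the book's code): it parses a Windows “netstat -ano” listing, groups connections by PID, and flags the same three indicators (an established IRC session on TCP 6667, one PID with many half-open connections to port 80, and an established session to a port in the unregistered dynamic range). The listing inside is a constructed excerpt in the figure's format; the threshold of five SYN targets is an assumption.

```python
"""Triage a 'netstat -ano' listing the way the chapter does by hand.

Added example, not the book's code. Flags, per PID: established IRC
sessions, a burst of SYN_SENT to one port across many hosts (scanning),
and established sessions to the IANA dynamic range (49152-65535), where
no registered service lives.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed excerpt modelled on Figure 2.12 (not the full capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1572
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       1572
  TCP    68.60.175.83:1129      63.138.101.136:6667    ESTABLISHED     552
  TCP    68.60.175.83:1130      210.202.247.102:65520  ESTABLISHED     1148
  TCP    68.60.175.83:2201      68.60.3.150:80         SYN_SENT        2120
  TCP    68.60.175.83:2202      68.60.179.215:80       SYN_SENT        2120
  TCP    68.60.175.83:2203      68.60.197.53:80        SYN_SENT        2120
  TCP    68.60.175.83:2204      68.60.235.215:80       SYN_SENT        2120
  TCP    68.60.175.83:2205      68.60.110.73:80        SYN_SENT        2120
  TCP    68.60.175.83:2206      68.60.254.143:80       SYN_SENT        2120
  UDP    68.60.175.83:123       *:*                                    832
"""

# Proto, local, foreign, optional state (UDP rows have none), PID.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

IRC_PORTS = {6667}
DYNAMIC_PORT_START = 49152   # IANA dynamic/private ports: no registered service
SCAN_THRESHOLD = 5           # assumed: distinct SYN_SENT targets on one port per PID


@dataclass
class Conn:
    proto: str
    local: str
    remote_ip: str
    remote_port: Optional[int]
    state: str
    pid: int


def _split_port(addr: str) -> Tuple[str, Optional[int]]:
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Conn]:
    """Parse every TCP/UDP row of 'netstat -ano' output into Conn records."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rhost, rport = _split_port(remote)
        conns.append(Conn(proto, local, rhost, rport, state or "", int(pid)))
    return conns


def triage(conns: List[Conn]) -> Dict[int, List[str]]:
    """Return {pid: [findings]} for PIDs whose traffic matches the chapter's indicators."""
    findings = defaultdict(list)
    syn_targets = defaultdict(lambda: defaultdict(set))   # pid -> port -> {hosts}
    for c in conns:
        if c.proto != "TCP" or c.state == "LISTENING" or c.remote_port is None:
            continue
        if c.state == "ESTABLISHED" and c.remote_port in IRC_PORTS:
            findings[c.pid].append(f"IRC session to {c.remote_ip}:{c.remote_port}")
        elif c.state == "ESTABLISHED" and c.remote_port >= DYNAMIC_PORT_START:
            findings[c.pid].append(
                f"established session to unregistered port {c.remote_ip}:{c.remote_port}")
        elif c.state == "SYN_SENT":
            syn_targets[c.pid][c.remote_port].add(c.remote_ip)
    for pid, ports in syn_targets.items():
        for port, hosts in ports.items():
            if len(hosts) >= SCAN_THRESHOLD:
                findings[pid].append(
                    f"{len(hosts)} half-open connections to port {port}: possible scanning")
    return dict(findings)


if __name__ == "__main__":
    for pid, notes in sorted(triage(parse_netstat(SAMPLE_NETSTAT)).items()):
        print(pid, "->", "; ".join(notes))
```

The PIDs it reports (552, 1148, 2120) are the ones the text then resolves with Process Explorer.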
Bill is running through the situation in his head and determines that he needs to relate network traffic back to files and services running on the web server. He decides on the following tools and procedure to observe network traffic, memory, and hard drive content:

1. Wireshark™ sniffer to capture the network traffic.
2. Netstat for relating network traffic to Process IDs (PIDs).
3. Process Explorer to relate PIDs to service names and executables. This also shows if there are any sub-processes being spawned under a root service.
4. Windows search tool with advanced options set to search system folders, hidden files and folders, and to search subfolders.
5. Winhex to inspect what’s running in memory.

Figure 2.13 shows a sample sniffer capture that was taken on the web server. This capture allows us to verify that the traffic we saw occurring within the output of the netstat command is really occurring on the network. We need to run the sniffer because netstat takes only a one-second snapshot of network traffic. That will not provide you with enough data to determine all the connections that may have occurred. The sniffer allows us to continue capturing all traffic until we decide to stop it. We want to know we’ve captured enough information to tell us what we’re dealing with.

So far, we’re able to determine that the IRC session on TCP 6667 is not an encrypted session because the contents shown on line 141 are readable in the hex decode window. The content in this case happens to be the nickname used on the IRC channel. We also see that the web server at 68.60.175.83 is looking for other web servers running on port 80 to exploit. The [SYN] packet is the first packet used in a TCP three-way handshake. If we saw a [SYN, ACK] response back, we would know that the remote IP had the web service running on it. If it was not running a web service, we would most likely see a reset [RST] back. Once the infected server has identified another destination IP running a web service, it would then do a banner check to identify the version of the web service. If it matched the vulnerable version for which this virus was looking, it would then be exploited and then the process would be repeated from the newly infected computer. The last suspicious packet we see on this screen is evidence that another computer is trying to see if TCP 3389 is open on the web server. This port is used for the remote desktop service, which allows someone to log in to the server and take control. This is bad news because from the appearance of this capture, it doesn’t look like we have an Internet firewall that’s blocking any traffic.
We can move on to analyzing processes with Process Explorer (Figure 2.14) because we have a sample of netstat taken already. We’re going to use the PID column in the netstat capture to relate to the PID column in Process Explorer. We will be able to identify the process using that PID. There were three suspicious PIDs with values of 552, 1148, and 2120, shown in Figure 2.12 in the netstat capture, that we want to look at. By analyzing the screen shot in Figure 2.14 we’re able to cross PID 552 to process winlogon.exe, 1148 to maxd641.exe, and 2120 to qwlgkyd.exe. Any root process or sub-process of a suspicious PID should be considered untrustworthy and be investigated. It’s obvious that the last few lines in this screen shot have something going on, but what about 552? Winlogon.exe is a valid Microsoft service and should not be trying to use IRC as shown in the netstat capture. This service must have been replaced with a trojaned process. In a normal investigation, you would look into each of the suspicious processes, but for the purpose of this demonstration, we are going to follow only a portion of it.

Figure 2.13 Sample Sniffer Capture Using Wireshark™ to Show Evidence of Network Traffic
At this point, we have a pretty good idea of the files we need to look for based on the processes we saw in Process Explorer. The Windows search tool works decently if you have it set to search in system folders and also look for hidden files. If for some reason your search does not find the files you’re looking for, try using a tool that finds alternate data streams. We configured the search tool and let it loose looking for maxd641.exe. It found the file in c:\windows\system32 with a modified date of 1/24/2007 11:03 PM. Oddly enough, there are several other files with the same exact time and date that also showed up in the Process Explorer window. Based on seeing the similar times between the files, we decide also to search for other files that were modified around the same time. This turns up another handful of files. One of those files was explorer.exe, which was not identified as being an issue, as shown in Figure 2.15. Now it’s a suspect that needs to be checked.

Figure 2.14 Process Explorer Gives You the Ability to See a Malicious Sub-Process Running Under a Parent Process
The system32 folder was sorted by date and time in order to see all the files modified around 11:03 p.m. All the files with the common date and timestamps, along with the ones identified in Process Explorer, are zipped to be shipped to the antivirus vendor. For curiosity’s sake, we’ll look in memory for Explorer to see if anything odd is happening, as shown in Figure 2.16. Sometimes it’s helpful to dump the contents of memory to gain further insight on the problem. As suspected, Explorer has been tampered with. Based on what is seen in Figure 2.16, Explorer was probably injected with a keylogger to watch for people logging into any of the banks listed. The keylogger would record any information typed while on the bank’s Web site.

Figure 2.15 Visual Observation of Files Should Not Be Overlooked as It Might Uncover More Evidence

There’s much more we could look into, but we’re going to stop here and review how this applies to the OSI model and TCP/IP stack, as shown in Table 2.4. There were some steps performed that don’t fit into the comparison chart. They were shown only to demonstrate the full process. Keep in mind that the TCP/IP stack and OSI model deal only with how to get the data to the application. Once we get past the protocol stack, we’re dealing with the actual applications, memory, and disk space.

Figure 2.16 Winhex Is Showing the Section of Memory Utilized by the Explorer Process
You might be wondering how this story can relate to you. Ask yourself these questions:

1. Has your computer ever run slowly, and you couldn’t figure out why?
2. Do I trust that my antivirus checker will catch all viruses?
3. Am I sure there is nothing malicious on my computer right now?
4. Do you know who your computer is talking to and what it is sharing with others?

If any of these questions make you feel uneasy, use the steps in this story to find what is occurring on your computer. Antivirus checkers will not find everything out there. Be proactive and check for yourself what is occurring. A good practice I tell my friends is to take a couple of baseline screen shots of how their computers are running from a clean build when they are not exposed to the Internet. Those screen shots should consist of Task Manager (Applications, Processes, and Performance tabs), netstat –ano, and Process Explorer. Also the baseline should include a sniffer capture of the network traffic to see what normal traffic from that computer looks like. Then when a situation arises, compare the current status with the baseline results to see what is different.

Table 2.4 Investigation Steps Mapped Back to OSI Model

    Layer  OSI           TCP/IP             Investigation Steps
    7      Application   Application        Identify what protocols are being used for communication
    6      Presentation  Application
    5      Session       Application
    4      Transport     Transport          3-way handshake for connection to TCP services on remote devices
    3      Network       Internet           Look at netstat and sniffer output for virus propagation
    2      Data Link     Network Interface  Look at arp table on infected server for large list of contacted devices
    1      Physical      Network Interface
Summary

If you’re in the IT field it is essential to know the OSI model. It provides you with guidelines about what to look for at each layer. Many people consider the model as information that was only intended for a test, but fail to realize that it can be applied to real-world scenarios. It’s impossible for an administrator to troubleshoot if he or she does not understand the fundamentals of the network stack. The data doesn’t just magically get from one computer to another. There is a process that occurs between both sides that allows them to talk. That process is determined by the protocol stack. Understand the protocol stack and you’ll be able to grasp the concept of network connectivity.

Solutions Fast Track

50,000 Foot View of the OSI Model

■ The OSI model is not a protocol. It is only a reference model.
■ The higher you go in the stack, the closer you are to the application. Conversely, as you travel down the stack, you’re getting closer to the layers that deal with specific network functionality.
■ The application layer is handed the data with instructions of what to do with it.
■ The presentation layer converts the format and syntax of the data. It also encrypts and compresses it.
■ The session layer manages conversations between applications.
■ The transport layer builds sessions between end devices and ensures that data is received.
■ The network layer provides a path between end devices.
■ The data link layer converts packets from the network layer into frames.
■ The physical layer converts bits to voltage, frequency, or light before sending these bits across the media.

Using the OSI Model to Troubleshoot

■ Understand what hardware and protocols work at each layer of the model. This will help you determine if you have a network issue or an application issue.
■ Have a set of tools that make it possible for you to test each of the layers.
■ When troubleshooting, start at the top of the stack and work down until you come across the problem. Sometimes you can cheat and start in the middle if you have an idea of what might be occurring.
■ Verify that the information being supplied to you is accurate. Test the scenario yourself and see if you get the same results as listed in the problem call.
  • 81. – A bécsi gyorsvonat összeütközött egy tehervonattal. Ön egy hét mulva elfelejti az egészet. A fejére kapott egy nagy ütést, bekötöttük úgy ahogy; nem lesz semmi baj. De amott nagy szükség van ránk. Elsietett. Körülnéztem. A fejemen formátlan nagy kötés volt és minden mozdulat fájdalmat okozott. Az orvos már ott volt a szomszéd ágynál, ahol operációt végeztek. Ezt nem tudtam nézni. Valami vasuti embernek szóltam: vigyenek odébb. Elvittek jó messzire, a langyos reggeli napra. Jobban éreztem magamat egy kicsit. Pénzt adtam az emberemnek és elmondattam: mi történt. Közönséges vasuti katasztrófa: hibás váltóállítás; az utolsó percben vették észre; a lokomotiv, a hálókocsi, az első két kocsi teljesen összetörött; husz halott; egy tömeg sebesült; egy óra óta itt van a bécsi segélyvonat és aki él, egy óra mulva utazhatik tovább. Cigarettát kértem. Néztem bele a reggeli napsugárba és fáradt bámulattal kérdeztem: hogyan menekültem én meg. Gyengébb voltam még, semhogy örülni tudtam volna neki és az egyetlen érzés, amely a világhoz füzött, az az öröm volt, hogy a cigarettám jó. Még amikor a bécsi vonat indult, akkor is kábult voltam, fáradt és összezuzott. Minden porczikám sajgott, fájt, égett. Betettek a kocsiba és félig eszméletlenül hajtottam hátra a fejemet. A kocsiban csupa menekült volt, egy riadt, fáradt, agyonhajszolt nyáj. Robogó kórház a vonat. Nem volt egyetlen teljes és határozott gondolatom sem. Ötletek, gondolat-szilánkok röpködtek az elmémben: szándékok rongyai és elhatározások törmelékei. A vonat szabadon vágtatott át a napfényes tájon. Mindjárt jön Bécs. A vonat megállott. Fojtott moraj fogadta. A perronon óriási tömeg állott: ezek mind keresnek valakit. Szédülve léptem ki: bele kellett kapaszkodnom a feljáró korlátjába. Kábultan állottam. A zavaros zajból ekkor egy sikoltás válik ki, a tömegen egy karcsu alak töri át magát, két leánykar fonja