[TriLUG] Port Knocking Alternatives?

Brian Henning brian at strutmasters.com
Fri Feb 4 10:28:42 EST 2005


I'd like to add my "ME TOO" to this topic, as I am examining a similar 
situation myself.  My idea already was to have an SSL-encrypted web page 
where a user could enter credentials and have an SSH port opened to him 
via tcpwrappers.  I was imagining a back-end perl script that would 
append and remove entries from /etc/hosts.allow as needed.

I too welcome further comments.

Cheers,
~Brian

Rick DeNatale wrote:
> I've been thinking about ways to keep ports like ssh closed to the
> internet until I need them.
> 
> Port knocking seems to be a popular technique but I'm not sure that
> that's what I want.  For one thing it won't work if the incoming
> client is behind a firewall which blocks outgoing traffic on one or
> more of the knock ports.
> 
> So I was thinking of something like a cgi on my webserver which I
> could talk to via ssl. This could accept a passphrase and alter the
> firewall rules to open up another port for the client's ip address,
> perhaps for some time period, or whatever policy I wanted to apply.
> 
> Is anyone aware of anything which does this or something similar?
> 
> Another nice thing to support might be, under client request, instead
> of opening up port 22 for sshd, redirect port 443 to 22 for that
> client in order to let ssh tunnel through a firewall which allows
> outgoing https but not ssh.
> 
> I've also thought of setting up a "fake" sshd, which would make
> intruders "think" that they had gotten in, only to get a "MOTD" which
> said something like:
> 
> Thank you for participating in the NSA's cyber-hacker registration program.
> We have noted your information and entered it into our target database.
> Retaliation will be performed at a random time, under the authority of
> the US Patriot Act.
> Have a great day!
> 
> and then they would be disconnected.
> 
> I think that this could be done with iptables and a small bit of programming.
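The back end both posts sketch (a credential check behind an SSL page, then a tcpwrappers entry for the caller's address, with Rick's time limit) is small enough to write out. What follows is an added example, not code from either poster; the tag name "webknock", the 600-second default and the user table are assumptions for illustration, and the demo writes to a scratch file rather than the real /etc/hosts.allow. It also makes two points the thread does not spell out: the client address must be parsed, not pasted into the file, or a hostile REMOTE_ADDR-like value can smuggle a second field into the rule, and the script should only ever remove lines it wrote itself.

```python
"""Time-limited hosts.allow entries for one client IP, driven by a web form.
Added example for the thread above, not the posters' own code.  TAG, the
default TTL and the user table are assumptions."""
import hashlib
import hmac
import ipaddress
import os
import re
import tempfile
import time

TAG = "webknock"   # marks lines this script owns; other lines are never touched
LINE_RE = re.compile(r"^sshd:\s*(\S+)\s*#\s*" + TAG + r"\s+expires=(\d+)\s*$")


def make_user(password, salt=None):
    """Return (salt, pbkdf2 digest) for storing a web-form password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_credentials(user, password, users):
    """users: {name: (salt, digest)}.  Always hashes (dummy salt for unknown
    names) and compares in constant time, so timing leaks neither fact."""
    salt, expected = users.get(user, (b"\0" * 16, b"\0" * 32))
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return user in users and hmac.compare_digest(got, expected)


def _atomic_write(path, text):
    """Write via a temp file and rename so sshd never reads a half-written file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)


def grant(path, client_ip, ttl=600, now=None):
    """Append 'sshd: <ip> # webknock expires=<unix ts>' and return the expiry.
    The address is parsed, so '203.0.113.5 ALL' or a hostname raises ValueError
    instead of becoming part of the rule."""
    ip = ipaddress.ip_address(client_ip)
    host = f"[{ip}]" if ip.version == 6 else str(ip)   # tcpwrappers IPv6 form
    expires = int(now if now is not None else time.time()) + ttl
    with open(path, "a") as f:
        f.write(f"sshd: {host} # {TAG} expires={expires}\n")
    return expires


def expire(path, now=None):
    """Remove only our own entries whose expiry has passed.  Returns the
    addresses removed.  Run from cron or at the end of each web request."""
    now = int(now if now is not None else time.time())
    with open(path) as f:
        lines = f.readlines()
    keep, removed = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if m and int(m.group(2)) <= now:
            removed.append(m.group(1))
        else:
            keep.append(line)
    if removed:
        _atomic_write(path, "".join(keep))
    return removed


def demo():
    """End-to-end run against a constructed scratch file; returns what it saw."""
    path = os.path.join(tempfile.mkdtemp(), "hosts.allow")
    _atomic_write(path, "sshd: 10.0.0.0/8\n")        # pre-existing admin rule
    salt, digest = make_user("correct horse", salt=b"\x01" * 16)
    users = {"brian": (salt, digest)}
    out = {
        "login_ok": check_credentials("brian", "correct horse", users),
        "login_bad": check_credentials("brian", "wrong", users),
        "login_unknown": check_credentials("mallory", "correct horse", users),
        "expires": grant(path, "203.0.113.5", ttl=60, now=1000),
    }
    try:
        grant(path, "203.0.113.5 ALL", now=1000)     # field-smuggling attempt
        out["injected"] = True
    except ValueError:
        out["injected"] = False
    out["early"] = expire(path, now=1059)             # not yet expired
    out["late"] = expire(path, now=1060)              # expired, removed
    with open(path) as f:
        out["final"] = f.read()                       # admin rule untouched
    return out


if __name__ == "__main__":
    print(demo())
```

Two caveats before using this as written. hosts.allow only matters if sshd is linked against libwrap; OpenSSH dropped tcp_wrappers support in 6.7, so on a current system the same grant/expire logic belongs in the packet filter instead, for example an ipset with a per-entry timeout (`ipset create sshknock hash:ip timeout 600` and a matching iptables rule) or an nftables set with `timeout`, which also gives you the expiry for free. And the grant is per source address, so a caller behind NAT opens the port for everyone sharing that address for the lifetime of the entry; keep the TTL short.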


