[TriLUG] Port Knocking Alternatives?
Brian Henning
brian at strutmasters.com
Fri Feb 4 10:28:42 EST 2005
I'd like to add my "ME TOO" to this topic, as I am examining a similar
situation myself. My idea already was to have an SSL-encrypted web page
where a user could enter credentials and have an SSH port opened to him
via tcpwrappers. I was imagining a back-end perl script that would
append and remove entries from /etc/hosts.allow as needed.
I too welcome further comments.
Cheers,
~Brian
Rick DeNatale wrote:
> I've been thinking about ways to keep ports like ssh closed to the
> internet until I need them.
>
> Port knocking seems to be a popular technique but I'm not sure that
> that's what I want. For one thing it won't work if the incoming
> client is behind a firewall which blocks outgoing traffic on one or
> more of the knock ports.
>
> So I was thinking of something like a cgi on my webserver which I
> could talk to via ssl. This could accept a passphrase and alter the
> firewall rules to open up another port for the client's ip address,
> perhaps for some time period, or whatever policy I wanted to apply.
>
> Is anyone aware of anything which does this or something similar?
>
> Another nice thing to support might be, under client request, instead
> of opening up port 22 for sshd, redirect port 443 to 22 for that
> client in order to let ssh tunnel through a firewall which allows
> outgoing https but not ssh.
>
> I've also thought of setting up a "fake" sshd, which would make
> intruders "think" that they had gotten in, only to get a "MOTD" which
> said something like:
>
> Thank you for participating in the NSA's cyber-hacker registration program.
> We have noted your information and entered it into our target database.
> Retaliation will be performed at a random time, under the authority of
> the US Patriot Act.
> Have a great day!
>
> and then they would be disconnected.
>
> I think that this could be done with iptables and a small bit of programming.
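The mechanism both messages sketch (an authenticated web request that adds a tcpwrappers entry for the caller's address and removes it again after some time) as an added example in Python rather than the Perl Brian mentions; this is illustration code, not something either poster wrote. It assumes the web front end passes the connecting client's address (for example the CGI REMOTE_ADDR value, never a string the user typed) and that a cron job calls the expiry step; the file path and the 600-second lifetime are constructed defaults.

```python
"""Time-limited tcpwrappers entries for /etc/hosts.allow (added example)."""
import ipaddress
import os
import re
import time

TAG = "knock-alt"  # marker so the script only ever touches lines it created
_ENTRY = re.compile(rf"^(\S+):\s+(\S+)\s+# {TAG} expires=(\d+)$")


def _entry(service, addr, expires):
    return f"{service}: {addr} # {TAG} expires={int(expires)}"


def _owned(line, service, addr):
    m = _ENTRY.match(line)
    return bool(m) and m.group(1) == service and m.group(2) == addr


def parse_entries(text):
    """Yield (service, ip, expires) for every line this tool owns."""
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def grant_text(text, client_ip, service="sshd", ttl=600, now=None):
    """Return new hosts.allow contents with an allow entry for client_ip.

    client_ip goes through ipaddress so only a literal address reaches the
    file: an unvalidated value such as "ALL" or "1.2.3.4 ALL" would otherwise
    become a much wider rule than intended.  Re-granting replaces the old
    entry instead of stacking duplicates.
    """
    addr = str(ipaddress.ip_address(client_ip))  # ValueError on anything else
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", service):
        raise ValueError("bad service name")
    now = time.time() if now is None else now
    kept = [l for l in text.splitlines() if not _owned(l, service, addr)]
    kept.append(_entry(service, addr, now + ttl))
    return "\n".join(kept) + "\n"


def expire_text(text, now=None):
    """Drop owned entries whose expiry has passed. Returns (new_text, removed)."""
    now = time.time() if now is None else now
    kept, removed = [], 0
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m and int(m.group(3)) <= now:
            removed += 1
            continue
        kept.append(line)
    return ("\n".join(kept) + "\n" if kept else ""), removed


def active_entries(text, now=None):
    """List (service, ip) pairs whose entry has not expired yet."""
    now = time.time() if now is None else now
    return [(s, ip) for s, ip, exp in parse_entries(text) if exp > now]


def rewrite_file(path, transform):
    """Apply transform(text) -> text to path via a temp file and atomic rename,
    so tcpd never reads a half-written hosts.allow."""
    try:
        with open(path) as f:
            text = f.read()
    except FileNotFoundError:
        text = ""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(transform(text))
    os.chmod(tmp, 0o644)
    os.replace(tmp, path)


if __name__ == "__main__":
    # Constructed walk-through on an in-memory file; no real hosts.allow touched.
    t0 = 1_000_000
    text = "sshd: 10.0.0.0/8\n"                      # an admin's permanent rule
    text = grant_text(text, "198.51.100.7", now=t0)   # web app grants a client
    print(active_entries(text, now=t0))               # [('sshd', '198.51.100.7')]
    text, n = expire_text(text, now=t0 + 601)         # cron run after 10 minutes
    print(n, repr(text))                              # 1 'sshd: 10.0.0.0/8\n'
```

In production the web handler would call `rewrite_file("/etc/hosts.allow", lambda t: grant_text(t, remote_addr))` and cron would call `rewrite_file(path, lambda t: expire_text(t)[0])`. Two caveats worth keeping in mind: tcpwrappers only protects services linked against libwrap or started through tcpd, so pairing it with an iptables rule (Rick's variant) covers the rest, and the grant should be logged with the account that requested it so an unexpected entry is traceable.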