SSHD and SSH Call-out via Port Knocking

guyverdh_at_mchsi.com
Date: 09/06/05

  • Next message: Miro Dietiker, MD Systems: "AW: Logging Traffic by user @ OpenSSH 3.8.1" 
    Date: 6 Sep 2005 03:11:42 -0000
To: secureshell@securityfocus.com
    ('binary' encoding is not supported, stored as-is) I finally took the time to flesh out an idea that I'd had for some time. The idea was pretty simple, a semi-secure way of having the SSH server allow remote connectivity, without having an SSHD listener always on.

    It took a couple of hours to write, test, re-write, re-test, etc both versions.

    Both versions use a series of scripts to write numerals into a temporary file via knocks on specific ports. This file is then read when one of two ports are knocked after having 12 digits written to the file.

    One port, reads the temporary file, builds the IP address, then creates an iptables entry that allows the specified IP address to connect via SSH for approximately 30 seconds. It then closes the SSHD daemon, and drops the iptables entry.

    The second port, reads the temporary file, builds the IP address, then causes SSH to connect to the specified IP address with a backchannel defined. This allows the remote client to ssh into the server via this backchannel.

    Would there be any interest in seeing the sample shell scripts that I have written for Redhat Enterprise and SuSE Enterprise Linux?

    Is this even something anyone would like to do?

  • Next message: Miro Dietiker, MD Systems: "AW: Logging Traffic by user @ OpenSSH 3.8.1"

    Relevant Pages

    • Re: sshd brute force attempts?
      ... I think you misunderstood what I meant by public service, or maybe it wasn't clear: By a public service I mean a service available for anyone, even anonymously: You're not going to register the world to let people send mail to your server, require authentication to send mail from your server). ... If this is stored on a usb-stick the user carries with him, or only on systems that require local authentication first, then I think you're better off than password based ssh. ... Cracklib is in ports and easy to build -- FreeBSD could use a) an option in make.conf to prevent passwd from getting built on a buildworld and b) the patched passwd/yppasswd tree in ports. ... I don't assume that level of savvy. ...
      (freebsd-questions)
    • Re: Prot Forwarding
      ... Al's SSH method would be the best. ... configure the remote control programs to use different ports on each ... that let you configure the ports in use. ... > Personally I use a Secure Shell tunnel to access multiple XP Pro ...
      (microsoft.public.windowsxp.network_web)
    • Re: hacked?
      ... So I ssh'd in and did a netstat and saw what looked like an unwanted SSH connection... ... On the local host type nmap -sV localhost -p 1-65535 to see what ports respond and which apps/services. ...
      (comp.os.linux.misc)
    • Re: [SLE] Security, ssh/vpn into a network
      ... "My server is running several services, ... outside are http and ssh. ... Again, ports 5900 is not open to the outside, neither is any of the ... not being forwarded on the firewall but through the ssh tunnel. ...
      (SuSE)
    • Re: IPTABLES: Per erfolgreichem SSH Login Ports =?iso-8859-15?Q?=F6ffnen?=
      ... Also sollen weitere Ports z.B. nur mit dem korrekten Keyfile ... Entkopple doch den Teil, der iptables aufruft, von dem teil, der ... wenn sich jemand per ssh einloggt. ... kommandos absetzt und keinen User-input entgegen nimmt. ...
      (de.comp.security.firewall)