Re: SSHD and SSH Call-out via Port Knocking
From: Johan De Meersman (jdm_at_operamail.com)
Date: Wed, 07 Sep 2005 17:11:40 +0200
To: email@example.com
>The 12 digits, are the numbers that make up your 4 octets of your IP address.
>I'm going very low tech on this.
>As you tcp-ping (or telnet as I used in my demo), the appropriate ports, the
>shell scripts configured to run via xinet.d config files, write numbers, 1 per
>line into a temporary file.
Ah, one specific octet per command port, so you need to knock them in the
>Once you've written all 12 digits (including leading zeros), then hit one of
>the 2 command ports.
>One command port reads the temp file, creates the IP address to use, then
>opens a reverse tunnel to the IP address noted in the temp file. This
>requires the use of a public key (already configured in the client system as an
>authorized key). The plus side to this, is that there are NO SSH daemons
>running on the box ever.
Still don't see the point to this one.
>The 2nd command port reads the temp file, modifies the iptables, spawns a
>temporary sshd on an off port. Waits 30 seconds, then removes the iptables
>entry, and kills the sshd process. The plus side to this, is that there are
>NO ssh daemons running normally, nothing to see, nothing to probe.
I see. Combining this with the first one, you could spawn an sshd that
is bound to the loopback interface, thus never exposing an sshd, even
for 30 seconds.
Actually, you could probably keep one running that's bound to loopback,
as it's never exposed, and use just the first command port to lay a tunnel.
Interesting concept, certainly.
>Since it's all low tech, there's no packet vulnerabilities, no way for an
>attacker to gain a foothold into the system.
Well... in the end, the only difference with regular port knocking is
that your sshd is only spawned after you knock the right sequence of
ports - something that could probably be set up with fewer scripts as
well. The callback is an interesting twist, but in my opinion not all
that interesting except for accessing otherwise insecure services that
you don't want to shove through ssl for some reason.
Or am I missing something here?
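As an added illustration (POSIX sh written for this page, not the poster's xinetd scripts), here is the one piece of the scheme that deserves care whichever way it is run: rebuilding the address from the 12-digit temp file and refusing anything that is not exactly twelve single digits forming four octets in 0..255, so a partial or garbage knock is never handed to ssh or iptables. The file path and the tunnel ports in the trailing comment are assumptions.

```sh
#!/bin/sh
# Added example: parse the per-line digits written by the knock ports.
# KNOCK_FILE is an assumed path; keep it somewhere only the knock
# scripts can write, not world-writable /tmp, or a local user can
# choose the address the command port connects to.
KNOCK_FILE="${KNOCK_FILE:-/var/run/knock/digits}"

# build_ip FILE: print "a.b.c.d" and return 0, or print nothing and
# return 1 if the file is not exactly 12 lines of one digit each
# forming four octets in 0..255.
build_ip() {
    digits=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [0-9]) digits="$digits$line" ;;
            *) return 1 ;;          # one digit per line, nothing else
        esac
    done < "$1"
    [ "${#digits}" -eq 12 ] || return 1
    ip=""
    while [ -n "$digits" ]; do
        chunk=${digits%"${digits#???}"}      # first three digits
        digits=${digits#???}                  # drop them from the front
        # Strip leading zeros before anything numeric sees the value:
        # "010" must mean 10, and several tools read a leading 0 as octal.
        octet=$(printf '%s' "$chunk" | sed 's/^0*//')
        [ -n "$octet" ] || octet=0
        [ "$octet" -le 255 ] || return 1
        ip="${ip}${ip:+.}${octet}"
    done
    printf '%s\n' "$ip"
}

# Command-port entry point (assumed ports and user; not run automatically):
#   ip=$(build_ip "$KNOCK_FILE") && rm -f "$KNOCK_FILE" \
#     && ssh -N -R 2222:127.0.0.1:22 "knock@$ip"
# The -R target is a loopback-bound sshd, as suggested in the reply above,
# so nothing listens on an outside interface even while the tunnel is up.
```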