Re: SSHD and SSH Call-out via Port Knocking
guyverdh_at_mchsi.com
Date: 09/07/05
- Previous message: Johan De Meersman: "Re: SSHD and SSH Call-out via Port Knocking"
- Maybe in reply to: guyverdh_at_mchsi.com: "SSHD and SSH Call-out via Port Knocking"
- Next in thread: Johan De Meersman: "Re: SSHD and SSH Call-out via Port Knocking"
- Reply: Johan De Meersman: "Re: SSHD and SSH Call-out via Port Knocking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Johan De Meersman <jdm@operamail.com> Date: Wed, 07 Sep 2005 14:21:31 +0000
The 12 digits, are the numbers that make up your 4 octets of your IP address.
I'm going very low tech on this.
As you tcp-ping (or telnet as I used in my demo), the appropriate ports, the
shell scripts configured to run via xinet.d config files, write numbers, 1 per
line into a temporary file.
Once you've written all 12 digits (including leading zeros), then hit one of
the 2 command ports.
One command port reads the temp file, creates the IP address to use, then
opens a reverse tunnel to the IP address noted in the temp file. This
requires the use a public key (already configured in the client system as an
authorized key). The plus side to this, is that there are NO SSH daemons
running on the box ever.
The 2nd command port reads the temp file, modifies the iptables, spawns a
temporary sshd on an off port. Waits 30 seconds, then removes the iptables
entry, and kills the sshd process. The plus side to this, is that there are
NO ssh daemons running normally, nothing to see, nothing to probe.
Since it's all low tech, there's no packet vulnerabilities, no way for an
attacker to gain a foot hold into the system.
The shell scripts don't even talk to the ports, or the tcp stack. They just
write a number, appending to a temporary file.
One is a nice simple call back routine (like the old secure BBS days), while
the other allows a 30 second window to a specific IP address.
> guyverdh@mchsi.com wrote:
>
> >Both versions use a series of scripts to write numerals into a temporary file
> via knocks on specific ports. This file is then read when one of two ports are
> knocked after having 12 digits written to the file.
> >
> >
> expand on this, please - what are those 12 digits, where do you get them
> from, ... ?
>
> >One port, reads the temporary file, builds the IP address, then creates an
> iptables entry that allows the specified IP address to connect via SSH for
> approximately 30 seconds. It then closes the SSHD daemon, and drops the
> iptables entry.
> >
> >
> Standard port knocking, well documented. What's the use of the tempfile ?
>
> >The second port, reads the temporary file, builds the IP address, then causes
> SSH to connect to the specified IP address with a backchannel defined. This
> allows the remote client to ssh into the server via this backchannel.
> >
> >
> If I understand this correctly, you're going to tunnel an SSH connection
> over another SSH connection ? Why ?
>
>
> --
> You will gain money by a fattening action.
> --
>
> Public GPG key at blackhole.pca.dfn.de
>
> GCS/IT d- s:+ a- C(+++)$ UL++++$ P+++(++++)$ L++(+++)$ !E- W+(+++)$
> N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv--
> b++(++++) DI++(++++) D++ G e++>+++++ h(+) r y+**
>
attached mail follows:
To: guyverdh@mchsi.com Date: Wed, 7 Sep 2005 09:06:12 +0000
- application/pgp-signature attachment: OpenPGP digital signature
- Previous message: Johan De Meersman: "Re: SSHD and SSH Call-out via Port Knocking"
- Maybe in reply to: guyverdh_at_mchsi.com: "SSHD and SSH Call-out via Port Knocking"
- Next in thread: Johan De Meersman: "Re: SSHD and SSH Call-out via Port Knocking"
- Reply: Johan De Meersman: "Re: SSHD and SSH Call-out via Port Knocking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
