Re: Re: SSHD and SSH Call-out via Port Knocking

guyverdh_at_mchsi.com
Date: 09/08/05

    Date: 8 Sep 2005 15:45:56 -0000
    To: secureshell@securityfocus.com

    >Ah, one specific octet per command port, so
    >you need to knock them in the right order.

    Actually, it's one numeric per port, so 12 knocks to build the address.

    >Still don't see the point to this one.

    The reason behind having the server call out, rather than allowing you to call in, is that it leaves the server with NO listeners on the externally facing network interface. If there are essentially no listeners, then there's nothing for hackers to attack.
    Also, since the callout is using a public-key authentication method, you have to have the server's public key already loaded in your authorized_keys file.

    >I see. Combining this with the first one, you
    >could spawn an sshd that is bound to the
    >loopback interface, thus never exposing an
    >sshd, even for 30 seconds.

    I hadn't actually thought of it that way, but it could be used that way.
    They really were intended to be 2 different methods of access.

    >Or am I missing something here ?

    You're close, very close. What I was attempting to do, that wasn't done with normal port knocking implementations, was to transfer data, not via TCP payload or traditional transport mechanisms, but via the actual knock sequence.
    Think of it like morse code, only with 65Kx2 (tcp/udp) different code components instead of just long and short.

    By building information via knock sequences (and using more than one port for each numeric), you could possibly extend this so that it contains not only the IP address, but a numeric ID that represents a user who is going to connect from the stated IP address, as well as a PIN number to use for that connection.

    Again, all of this without any form of payload that could be sniffed. It's just hits to certain ports.
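
The encoding described in this post, as an added example that is not code from the original post or its author: an IPv4 address is turned into 12 digits (three zero-padded digits per octet), each digit is one knock to a port, and optional user-ID and PIN fields follow after a separator knock. The server side reconstructs the fields purely from the order in which ports were hit, here parsed out of constructed iptables-style LOG lines rather than captured traffic. The digit-to-port map (ports 40000 to 40009, separator 40010), the log format, and the sample addresses are assumptions for illustration; nothing in the post fixes them.

```python
"""Data carried by a port-knock sequence: encoder, decoder, log reader.

Added example; not from the original post. The port map, log format and
addresses below are assumptions chosen for illustration.
"""
import re

BASE_PORT = 40000
DIGIT_PORTS = {str(d): BASE_PORT + d for d in range(10)}   # digit -> port (assumed map)
PORT_DIGITS = {p: d for d, p in DIGIT_PORTS.items()}       # port -> digit
SEP_PORT = BASE_PORT + 10                                  # knock that separates fields


def ip_to_digits(ip):
    """'10.1.2.3' -> '010001002003': three zero-padded digits per octet, 12 in all."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return "".join(f"{int(o):03d}" for o in octets)


def encode_knocks(ip, user_id=None, pin=None):
    """Ordered list of ports the client knocks: 12 address knocks, then
    optional [SEP, user_id digits], then optional [SEP, pin digits]."""
    if pin is not None and user_id is None:
        raise ValueError("fields are positional: a PIN requires a user ID")
    fields = [ip_to_digits(ip)]
    for extra in (user_id, pin):
        if extra is None:
            continue
        extra = str(extra)
        if not extra.isdigit():
            raise ValueError(f"extra fields must be numeric, got {extra!r}")
        fields.append(extra)
    ports = []
    for i, field in enumerate(fields):
        if i:
            ports.append(SEP_PORT)
        ports.extend(DIGIT_PORTS[c] for c in field)
    return ports


def decode_knocks(ports):
    """Rebuild (ip, user_id, pin) from the knock order; None for absent fields.
    Raises ValueError on any port outside the alphabet or a malformed address."""
    fields = [[]]
    for p in ports:
        if p == SEP_PORT:
            fields.append([])
        elif p in PORT_DIGITS:
            fields[-1].append(PORT_DIGITS[p])
        else:
            raise ValueError(f"port {p} is outside the knock alphabet")
    digits = "".join(fields[0])
    if len(digits) != 12:
        raise ValueError(f"expected 12 address digits, got {len(digits)}")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    extras = ["".join(f) for f in fields[1:]] + [None, None]
    return ".".join(str(o) for o in octets), extras[0], extras[1]


def is_valid_knock(ports):
    """True if the sequence decodes cleanly; a knock daemon drops anything else."""
    try:
        decode_knocks(ports)
        return True
    except ValueError:
        return False


# What the daemon actually sees: firewall log lines, one per SYN to a knock port.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+).*?DPT=(?P<dpt>\d+)")


def ports_from_log(lines, src):
    """Destination ports hit by one source address, in log order."""
    return [int(m.group("dpt")) for m in map(LOG_RE.search, lines)
            if m and m.group("src") == src]


# Constructed sample (assumed iptables LOG format, not captured traffic): a client
# at 198.51.100.7 knocks the sequence for 203.0.113.42; another host probes port 22.
SAMPLE_LOG = [
    f"kernel: KNOCK IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP SPT=51000 DPT={p}"
    for p in encode_knocks("203.0.113.42")
] + ["kernel: KNOCK IN=eth0 SRC=192.0.2.99 DST=192.0.2.1 PROTO=TCP SPT=40404 DPT=22"]

if __name__ == "__main__":
    knocks = ports_from_log(SAMPLE_LOG, "198.51.100.7")
    print(len(knocks), "knocks ->", decode_knocks(knocks))
    print("full sequence with ID and PIN:", encode_knocks("10.0.0.1", 7, "1234"))
```

The "more than one port for each numeric" variant from the post is just a many-to-one PORT_DIGITS map; the decoder above needs no change for it. The knock order is itself the data, so anyone who can see the SYNs to the knock ports reads the same digits the daemon does; what the scheme removes is a listening socket, not the visibility of the sequence on the wire.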

