LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 02-08-2004, 09:44 PM   #1
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
port open but make it look closed.... Possible?


I have a slack9.1 router running iptables as a firewall. I have it forwarding port 22 (ssh) to my linux machine. I want that port to be open so I can get to it remotely. I was wondering if there was something I could do with my iptables definitions to make it look like port 22 is closed when you scan the computer with something like nmap, but when I go to start a remote ssh session it will accept my connection.

I know I can do things such as specify IP address that I could connect from, but I was wondering if I could make it appear closed for all IPs.

Thanks.
 
Old 02-08-2004, 09:51 PM   #2
crabboy
Moderator
 
Registered: Feb 2001
Location: Atlanta, GA
Distribution: Slackware
Posts: 1,823

Rep: Reputation: 120
Not possible.
 
Old 02-08-2004, 09:54 PM   #3
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Original Poster
Rep: Reputation: 45
D'oh!! That's what I thought. Thanks anyways.
 
Old 02-08-2004, 09:55 PM   #4
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
No.

Read this post for the explanation. Specifically read the first and last paragraphs.

Edit: Oh, I suppose someone is going to say you could do it with port knocking, but personally I think port knocking is pretty dumb. Due to the complexity, I tend to think that an implementation of port knocking would actually introduce new vulnerabilities and all it's really doing is obscuring stuff that's already there.

Last edited by chort; 02-08-2004 at 09:56 PM.
 
Old 02-08-2004, 10:31 PM   #5
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Original Poster
Rep: Reputation: 45
Thanks for that. I was 99.9999% sure I couldn't do it, I just wanted to have it verified.
 
Old 02-11-2004, 07:21 PM   #6
Skunk_Face
Member
 
Registered: Jan 2004
Posts: 54

Rep: Reputation: 15
just a thought here....u could prolly set ssh.conf or sshd.conf to listen on a specific network interface...then in iptables ..limit ssh to a certain IP only and to be super paranoid u could prolly specify a MAC address too to limit access to a specific box
 
Old 02-11-2004, 08:15 PM   #7
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Original Poster
Rep: Reputation: 45
I already do that. I have ssh running internally only. It doesn't listen on the external interface (the one to the internet). I've done that with any other services I have running. This is my home computer, so if I were to set anything to listen externally then I would set the destination IP to be something like my work's IP address.
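The point the thread settles on, modelled as an added example (not from the thread; addresses are constructed): whichever source address the rules let in sees the port as open, and only other sources can be made to see it as closed (REJECT with a TCP reset) or filtered (DROP).

```python
"""What a SYN scan sees under a source-restricted rule set (added example,
constructed data). Actions mirror iptables: ACCEPT hands the SYN to a
listening service, which answers SYN-ACK; DROP sends nothing back;
REJECT --reject-with tcp-reset answers with an RST. nmap reports those
replies as "open", "filtered" and "closed" respectively."""
from ipaddress import ip_address, ip_network

# Constructed rule set; first match wins, as in an iptables chain. The
# equivalent rules (INPUT or FORWARD chain, depending on where sshd sits):
#   iptables -A INPUT -p tcp --dport 22 -s 203.0.113.7 -j ACCEPT
#   iptables -A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset
TRUSTED_ONLY = [
    ("203.0.113.7/32", 22, "ACCEPT"),           # the one trusted address
    ("0.0.0.0/0", 22, "REJECT_TCP_RESET"),      # everyone else gets an RST
]
# What the original question asks for: accept the OP's ssh from anywhere.
OPEN_TO_ALL = [("0.0.0.0/0", 22, "ACCEPT")]

def first_match(rules, src, dport, default="DROP"):
    """Action of the first rule matching source address and port."""
    for net, port, action in rules:
        if port == dport and ip_address(src) in ip_network(net):
            return action
    return default

def reply_to_syn(action):
    """Reply the host sends to an unsolicited SYN under each action
    (ACCEPT assumes a service is actually listening on the port)."""
    return {"ACCEPT": "SYN-ACK", "REJECT_TCP_RESET": "RST", "DROP": None}[action]

def nmap_state(reply):
    """nmap's port-state reading of the reply to a SYN probe."""
    return {"SYN-ACK": "open", "RST": "closed", None: "filtered"}[reply]

def scan_result(rules, src, dport):
    """Port state a scanner at `src` would report for `dport`."""
    return nmap_state(reply_to_syn(first_match(rules, src, dport)))

if __name__ == "__main__":
    for src in ("203.0.113.7", "198.51.100.9"):
        print(src, "TRUSTED_ONLY:", scan_result(TRUSTED_ONLY, src, 22),
              "OPEN_TO_ALL:", scan_result(OPEN_TO_ALL, src, 22))
```

Under OPEN_TO_ALL every source sees "open", which is why the answer to the original question is no; under TRUSTED_ONLY the port reads "closed" to everyone except the trusted address.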
 
Old 02-12-2004, 12:08 AM   #8
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Quote:
Originally posted by Skunk_Face
just a thought here....u could prolly set ssh.conf or sshd.conf to listen on a specific network interface...then in iptables ..limit ssh to a certain IP only and to be super paranoid u could prolly specify a MAC address too to limit access to a specific box
Good idea, but the MAC address will only work for machines connected to the same switch. The link layer address for each frame changes at every hop.
 
Old 02-12-2004, 02:09 AM   #9
Skunk_Face
Member
 
Registered: Jan 2004
Posts: 54

Rep: Reputation: 15
I knew I should have kept my opinion to myself....what Chort just explained is wayyy beyond me ..I don't even know what a link layer address is!!!
 
Old 02-12-2004, 02:32 AM   #10
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Handy chart:
Quote:
OSI Layers (commonly referred to as network layers, although OSI is pretty much extinct!)
1-Physical, that is the actual hardware itself, cables, NIC ports, switch ports, etc
2-Data link, the communication between the physical devices, how the electrons are actually moved across the physical media
3-Network, IP, IPX, ICMP, etc...
4-Transport, TCP, UDP, etc
5-Session, probably best described as connection states
6-Presentation, formatting (usually used for image formats)
7-Application, the actual network application protocol being used, HTTP, SMTP, etc
There is also a chart of TCP/IP layers, which is similar to OSI, but more compact. Also, TCP/IP is the de facto standard and has almost universally displaced OSI as a protocol standard, although the OSI model remains as the description of networking.

Quote:
TCP/IP Layers
1-Network access (OSI 1&2)
2-Internet (OSI 3)
3-Host-to-Host (OSI 4)
4-Application (OSI 5-7)
MAC addresses are considered "data link", which is OSI layer 2, or TCP/IP layer 1. A MAC address is used to mark the sender and recipient of a frame across the wire (physical media) so it only works between media that is physically attached. Each network device re-encapsulates the frame by modifying the data link addresses. The recipient address is moved to sender, and the new recipient is the MAC address of the next device that will receive the frame.

This is sort of like DNS for network devices, since physical media is not aware of IPs. Physical media examines the IP and translates that to a MAC address based on what's in its cache, or else it sends out an ARP request on the local media asking what physical address is assigned the IP address in question.

Thus, MAC addresses are always the address of whatever device is directly connected to you. If you get an IP datagram from someone, it goes out their NIC, through their switch, through their router (and a bunch of other routers), through your router, through your switch, to you. Switches act like routers for data frames, so a switch does not change the address on a frame, it just tells the frame where to go. Thus when you receive an IP datagram to your NIC (from the Internet) the MAC address will always be that of your router. Now if the IP datagram is from another machine plugged into your switch, then yes, the MAC address will be that of the NIC in the machine that sent you the IP datagram.

Last edited by chort; 02-12-2004 at 02:35 AM.
 
Old 02-13-2004, 01:58 AM   #11
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
another option you could try is to have the router opened on an obscure port number that would be rarely scanned then have the iptables redirect from that port to 23. I have done similar when I have multiple services running on the same network. e.g. two HTTP servers... from public, one is accessed on 80 (default), the other is open on 8080 and is forwarded to port 80 on the local PC.

Still not 'secure' but just an idea

Chris
 
Old 02-13-2004, 08:24 AM   #12
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Original Poster
Rep: Reputation: 45
Many people refer to this as security through obscurity. It is generally not regarded as secure, as you pointed out. Just a note: If I were to write a port scanner that scanned "interesting ports", port 8080 would be one of them. Many people run webservers off that port as well.
 
Old 02-13-2004, 09:39 AM   #13
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The newer nmap versions make hiding services on alternative ports ineffective. The newer versions do service fingerprinting, so even if you ran it on say port 80, nmap would still return the proper service name rather than just saying "port 80 == web server". FWIW, I think port-knocking is the only way to make it "look" closed, but as chort pointed out, there are issues with doing that as well.
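What the service fingerprinting described above keys on, as an added example that is not from the thread: an SSH server announces itself in its first line no matter which port it listens on, so relocating it to 8080 changes nothing a version probe sees. The parser follows the identification-string format of RFC 4253 section 4.2; the banner bytes are constructed.

```python
"""Parse the SSH identification string a server sends on connect
(added example, constructed sample). RFC 4253 section 4.2 format:
    SSH-protoversion-softwareversion SP comments CR LF
Lines before it that do not start with "SSH-" are allowed and must be
ignored by clients, so a fingerprinter skips them the same way."""
import re

# Constructed sample of a server's first bytes; the leading line is the
# kind of pre-banner text RFC 4253 lets a server send before the real one.
SAMPLE_BANNER = (b"Welcome, this is not an ssh server\r\n"
                 b"SSH-2.0-OpenSSH_3.7.1p2 Debian\r\n")

# softwareversion is permissive here (some vendors put '-' in it);
# comments are everything after the first space.
_ID_RE = re.compile(
    r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^ \r\n]+)(?: (?P<comments>[^\r\n]*))?$"
)

def parse_ssh_identification(data: bytes):
    """Return (protoversion, softwareversion, comments) from the first
    identification line, or None if no well-formed line is present."""
    for raw in data.split(b"\n"):
        line = raw.rstrip(b"\r").decode("ascii", errors="replace")
        if not line.startswith("SSH-"):
            continue                     # pre-banner text, ignored
        m = _ID_RE.match(line)
        if m is None:
            return None                  # malformed identification line
        return m.group("proto"), m.group("software"), m.group("comments") or ""
    return None

def looks_like_ssh(data: bytes) -> bool:
    """True when the bytes identify an SSH server, whatever port they came from."""
    return parse_ssh_identification(data) is not None

if __name__ == "__main__":
    print(parse_ssh_identification(SAMPLE_BANNER))
```

The same check applied to, say, an HTTP status line returns None, which is all a fingerprinter needs to tell the two apart regardless of port number.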
 
Old 02-15-2004, 08:29 PM   #14
chrisfirestar
Member
 
Registered: Sep 2003
Location: Adelaide, Australia
Distribution: Fedora/RH
Posts: 231

Rep: Reputation: 30
I was only using 8080 as an example.. in my example 8080 IS a webserver :P perhaps a higher less common port number would be advisable.. but still only half a solution...

Thanks
Chris
 
Old 02-15-2004, 10:14 PM   #15
frieza
Senior Member
 
Registered: Feb 2002
Location: harvard, il
Distribution: Ubuntu 11.4,DD-WRT micro plus ssh,lfs-6.6,Fedora 15,Fedora 16
Posts: 3,104

Rep: Reputation: 369
hmmm. I just thought of an idea, don't shoot me if this is a stupid one, but perhaps a custom 'service' (a daemon of course) hidden on an obscure port to act as a 'gate opener'... so when a predefined key sequence is sent (preferably encrypted) it opens the requested port, then when another signal is sent... it closes the port, that way only those with the proper software at the other end can send the requests to open/close the ports, of course that would leave the port vulnerable while it is open still, unless of course you can manage to make the program open and close the port on a per-packet basis somehow... I'm not a programmer so I wouldn't be able to do this myself, but just my
 