Can an ssh server NOT identify itself?
Hi all,
Can a port be front-ended with a security measure that doesn't announce itself, but waits for certain keystrokes before continuing? I want to open a port for an ssh server, on a random number like 5833, but when someone connects to it, it will not respond at all, acting like it's broken or dead. They will have to hit some keys in a certain order before it prompts for a password. I'd like to keep it simple, no certs, etc. Can the ssh server be configured to do this, or is there a front-end app that can be configured to do this? Thanks |
I don't know about what you're describing, but you may be interested in playing around with port knocking (e.g. doorman).
On the other hand, this is a rather ho-hum security mechanism (both what you're describing and port knocking). It's no substitute for hardening sshd properly. |
Thanks
Hmm, the doorman isn't really a good solution either. Listens to all packets on an interface... I wonder how much cpu that eats up. I found the one for my debian etch server: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki You're right though, might be better to just harden ssh. I move around a lot, don't always have my laptop. Maybe I should buy a usb mem stick, put it on my key chain, and store some cert keys on it. |
You might want to consider SPA: single packet authorization. It may be more efficient on CPU usage, as it can be set up to only listen on a single port (e.g. 22). It is more secure than port knocking (see the white papers on the web site), and more time-efficient. There is a Windows UI client for it as well; I use it to initiate PuTTY ssh sessions, it works fine and all my ports on my server are stealthed.
http://www.cipherdyne.com/fwknop/ |
Hmmm, close, but not quite what I was looking for. Thanks though, it was close.
From that site...
I was looking for something that doesn't require installation of *anything* on the "client", so when I'm sitting at a random pc, I can still get through my firewall, after sending keystrokes to a port. |
I must apologize, I should have been more specific from the beginning:
Server: Debian Etch 4.0r2 Firewall: Shorewall 3.2.6 I think I found what I'm looking for (still reading it). It's a shorewall implementation of port knocking: http://www.shorewall.net/PortKnocking.html Which was created, based on this interesting article: http://www.soloport.com/iptables.html At first read through, it looks like what I'm looking for... will let you all know. |
Actually, I wouldn't give up on the SPA concept just yet. You can use symmetric keys, which is what I have set up. In the conf file you specify the symmetric key to use, and then you can log in from any arbitrary PC, just as you desire, with that same key using the client. Nothing to install. I think that the author was saying that if you want to use GnuPG, then you need to install keys, but that is not a prerequisite to use SPA.
Cheers |
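The symmetric-key SPA idea from the two posts above, as an added illustration (not fwknop's wire format and not code from this thread): the client builds one authenticated packet carrying its source address, the requested port, a timestamp and a nonce; the server checks the HMAC with the shared key, rejects stale timestamps and replays, and only then returns the (address, port) pair that would be opened in the firewall. The key, addresses, window and timestamps are constructed sample values. Real SPA implementations also encrypt the payload; this shows only the authentication and anti-replay side.

```python
"""Added illustration of single packet authorization with a shared symmetric key.

Not fwknop's wire format: it shows only the property the posts rely on, that one
authenticated packet can carry an access request and that the server can reject
forged, stale and replayed packets.  Key, addresses and times are constructed.
"""
import base64
import hashlib
import hmac
import json
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def build_spa(key, src_ip, port, now, nonce=None):
    """Client side: serialise the request and append an HMAC over it."""
    body = json.dumps(
        {"src": src_ip, "port": port, "ts": now,
         "nonce": (nonce or os.urandom(8)).hex()},
        sort_keys=True,  # deterministic bytes, so the tag covers a fixed encoding
    ).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


class SpaVerifier:
    """Server side: validate a packet and return (src_ip, port) to open, or None."""

    def __init__(self, key, window=30):
        self.key = key
        self.window = window   # seconds of clock skew tolerated
        self.seen = set()      # nonces already honoured (replay cache)

    def verify(self, packet, now):
        try:
            raw = base64.b64decode(packet, validate=True)
        except ValueError:         # binascii.Error is a ValueError
            return None
        if len(raw) <= TAG_LEN:
            return None
        body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None            # wrong key or tampered body: checked first
        msg = json.loads(body)
        if abs(now - msg["ts"]) > self.window:
            return None            # stale: outside the accepted time window
        if msg["nonce"] in self.seen:
            return None            # replay: this nonce was already honoured
        self.seen.add(msg["nonce"])
        return msg["src"], msg["port"]


def corrupt(packet, index=3):
    """Constructed helper: flip one bit of the decoded packet (tampering demo)."""
    raw = bytearray(base64.b64decode(packet))
    raw[index] ^= 1
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    key = b"constructed-shared-secret"     # constructed; use a random key in practice
    server = SpaVerifier(key)
    pkt = build_spa(key, "203.0.113.5", 22, now=1000, nonce=b"\x01" * 8)
    print("fresh packet :", server.verify(pkt, now=1005))   # ('203.0.113.5', 22)
    print("replayed     :", server.verify(pkt, now=1006))   # None
    print("tampered     :", server.verify(corrupt(pkt), now=1005))  # None
```

On a valid result the daemon would insert a short-lived ACCEPT rule for that source and port, which is exactly what the post describes fwknop doing; the replay cache and the time window are what a plain knock sequence cannot offer, since anyone who observes the knocks can repeat them.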
I guess I should have mentioned: I have been using an alternate solution to your problem for over a year now, doing port knocking using just iptables rules. It's just more work to get in than the SPA solution, which is why I didn't suggest the iptables rules. The rules are set up so that you hit specified ports in a particular order, and if you do, then your IP address is allowed access to your SSH server. One very simple way to activate the rules is to just simply use a browser with the port number at the end of the address, for example, http://your.ipaddress:10001 would hit your port 10001. So you hit one, then the next, etc. in this manner until you open the door. As I said, this is more work and less elegant/optimal than the SPA solution, but here goes:
This rule set is set up to require you to hit port 10001, then 20002, then 30003, then 40004, then 50005, and then you are admitted to access ports 22 and 80.

iptables -N INADDON
iptables -N SSHCLEAR
iptables -N SSHK1
iptables -N SSHK2
iptables -N SSHK3
iptables -N SSHK4
iptables -I INPUT 21 -p tcp -m tcp -j INADDON
iptables -A INADDON -p tcp -m tcp --dport 10001 -m recent --set --name SSH1 --rsource
iptables -A INADDON -p tcp -m tcp --dport 20002 -m recent --rcheck --name SSH1 --rsource -j SSHK1
iptables -A INADDON -p tcp -m tcp --dport 30003 -m recent --rcheck --name SSH2 --rsource -j SSHK2
iptables -A INADDON -p tcp -m tcp --dport 40004 -m recent --rcheck --name SSH3 --rsource -j SSHK3
iptables -A INADDON -p tcp -m tcp --dport 50005 -m recent --rcheck --seconds 300 --name SSH4 --rsource -j SSHK4
iptables -A INADDON -p tcp -m multiport --dports 10002,10000,20003,20001,30004,30002,40005,40003,50006,50004 -j SSHCLEAR
iptables -A INADDON -p tcp -m tcp --dport 22 -m recent --rcheck --name SSH5 --rsource -j ACCEPT
iptables -A INADDON -p tcp -m tcp --dport 80 -m recent --rcheck --name SSH5 --rsource -j ACCEPT
iptables -A SSHCLEAR -m recent --remove --name SSH1 --rsource
iptables -A SSHCLEAR -m recent --remove --name SSH2 --rsource
iptables -A SSHCLEAR -m recent --remove --name SSH3 --rsource
iptables -A SSHCLEAR -m recent --remove --name SSH4 --rsource
iptables -A SSHCLEAR -p tcp -j LOG --log-prefix "kicked out of knock"
iptables -A SSHK1 -m recent --remove --name SSH1 --rsource
iptables -A SSHK1 -p tcp -j LOG --log-prefix "port 20002 knocked"
iptables -A SSHK1 -m recent --set --name SSH2 --rsource
iptables -A SSHK2 -m recent --remove --name SSH2 --rsource
iptables -A SSHK2 -p tcp -j LOG --log-prefix "port 30003 knocked"
iptables -A SSHK2 -m recent --set --name SSH3 --rsource
iptables -A SSHK3 -m recent --remove --name SSH3 --rsource
iptables -A SSHK3 -p tcp -j LOG --log-prefix "port 40004 knocked"
iptables -A SSHK3 -m recent --set --name SSH4 --rsource
iptables -A SSHK4 -m recent --remove --name SSH4 --rsource
iptables -A SSHK4 -p tcp -j LOG --log-prefix "port 50005 knocked"
iptables -A SSHK4 -m recent --set --name SSH5 --rsource

Note that where I have the chain INPUT and the command -I INPUT 21, you would replace 21 with whatever is the appropriate number to insert the rule. You can check the rule numbers by running the command:

sudo iptables -L -n -v --line-numbers

Once you find the correct number in your INPUT chain to insert that rule, the rest of the commands can be unchanged. The above rules check that ports adjacent to the right ports must not be hit between hits, or it is an invalid knock sequence. When you get near the end of the knock, you have only 300 seconds to complete the sequence. As I mentioned, this worked just fine for me, but it is a lot more hassle than the simple SPA setup, where once you install the daemon, the server runs and listens for the valid SPA, and it adds the right iptables rule just long enough for the session of interest. |
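To see how the posted rule set behaves without loading it into a firewall, here is an added simulation (my own code, not from the thread) of the iptables `recent` lists it uses. Each list SSH1..SSH5 is a map from source address to the time it was last `--set`; `packet()` walks the INADDON chain in the order of the posted rules and returns the verdict that chain produces for one packet. Addresses, timestamps and the sample traffic are constructed; the rest of INPUT is assumed to drop unsolicited traffic to ports 22 and 80.

```python
"""Added simulation of the iptables 'recent'-module knock rules posted above.

Each 'recent' list (SSH1..SSH5) is modelled as a dict mapping a source address
to the time it was last --set.  packet() evaluates the INADDON chain in the
same order as the posted rules and returns 'ACCEPT' or 'RETURN' (fall through
to the rest of INPUT, assumed to drop unsolicited traffic to 22/80).
"""
from dataclasses import dataclass, field

# Knock sequence and trap ports exactly as in the posted rule set.
KNOCK_PORTS = [10001, 20002, 30003, 40004, 50005]
TRAP_PORTS = {10002, 10000, 20003, 20001, 30004, 30002, 40005, 40003, 50006, 50004}
PROTECTED_PORTS = {22, 80}
FINAL_WINDOW = 300  # '--seconds 300' on the last knock only


@dataclass
class KnockState:
    lists: dict = field(default_factory=lambda: {f"SSH{i}": {} for i in range(1, 6)})
    log: list = field(default_factory=list)  # stands in for the LOG targets

    def _set(self, name, src, now):
        self.lists[name][src] = now        # 'recent --set': create or refresh entry

    def _remove(self, name, src):
        self.lists[name].pop(src, None)    # 'recent --remove'

    def _rcheck(self, name, src, now, seconds=None):
        # 'recent --rcheck [--seconds N]': entry exists, and is recent enough if N given
        last = self.lists[name].get(src)
        if last is None:
            return False
        return seconds is None or now - last <= seconds

    def packet(self, src, dport, now):
        """Evaluate one inbound TCP packet (src, dport, time) against INADDON."""
        if dport == KNOCK_PORTS[0]:
            self._set("SSH1", src, now)    # first knock: --set, no jump
        for stage, port in enumerate(KNOCK_PORTS[1:], start=1):
            prev, nxt = f"SSH{stage}", f"SSH{stage + 1}"
            secs = FINAL_WINDOW if port == KNOCK_PORTS[-1] else None
            if dport == port and self._rcheck(prev, src, now, secs):
                # SSHKn chain: remove the old marker, log, set the next marker
                self._remove(prev, src)
                self.log.append(f"port {port} knocked")
                self._set(nxt, src, now)
        if dport in TRAP_PORTS:
            # SSHCLEAR chain: hitting an adjacent port resets the whole sequence
            for stage in range(1, 5):
                self._remove(f"SSH{stage}", src)
            self.log.append("kicked out of knock")
        if dport in PROTECTED_PORTS and self._rcheck("SSH5", src, now):
            return "ACCEPT"
        return "RETURN"


def run_scenario(events):
    """Run constructed (src, dport, time) events against a fresh state.

    Returns (verdicts, log) so a scenario can be checked end to end."""
    state = KnockState()
    verdicts = [state.packet(src, dport, now) for src, dport, now in events]
    return verdicts, state.log


def full_knock(src, start=0):
    """Constructed helper: the five knocks in order, one second apart."""
    return [(src, port, start + i) for i, port in enumerate(KNOCK_PORTS)]


if __name__ == "__main__":
    me = "203.0.113.5"   # constructed address
    ok, log = run_scenario(full_knock(me) + [(me, 22, 10)])
    print("correct sequence  :", ok[-1], log)
    trap, log = run_scenario([(me, 10001, 0), (me, 10002, 1)]
                             + full_knock(me, 2)[1:] + [(me, 22, 10)])
    print("adjacent port hit :", trap[-1], log)
    late, _ = run_scenario(full_knock(me)[:4] + [(me, 50005, 400), (me, 22, 401)])
    print("last knock too late:", late[-1])
```

Two things the simulation makes visible that are worth knowing before deploying the rules: only the final knock is time-limited, so the first four markers persist until a trap port clears them, and nothing in the posted rules ever removes SSH5, so an admitted address stays admitted until its entry is evicted from the list or the lists are flushed. A knock sequence sent in the clear can also be observed and repeated by anyone on the path, which is the weakness the SPA approach in the earlier posts addresses.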
Thanks Jeff, I think I will try the 5-port knock, close enough to what I was looking for. |