LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 02-12-2008, 02:53 PM   #1
drokmed
Member
 
Can a ssh server NOT identify itself?


Hi all,

Can a port be front-ended with a security measure that doesn't announce itself, but waits for certain keystrokes, before continuing?

I want to open a port for ssh server, on a random number like 5833, but when someone connects to it, it will not respond at all, acting like it's broken or dead. They will have to hit some keys in a certain order, before it prompts for a password. I'd like to keep it simple, no certs, etc.

Can ssh server be configured to do this, or is there a front-end app that can be configured to do this?

Thanks
 
Old 02-12-2008, 03:12 PM   #2
anomie
Senior Member
 
I don't know about what you're describing, but you may be interested in playing around with port knocking (e.g. doorman).

On the other hand, this is a rather ho-hum security mechanism (both what you're describing and port knocking). It's no substitute for hardening sshd properly.
 
Old 02-12-2008, 04:04 PM   #3
drokmed
Member
 
Thanks

Hmm, the doorman isn't really a good solution either. Listens to all packets on an interface... I wonder how much CPU that eats up.

I found the one for my debian etch server:
http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki

You're right though, might be better to just harden ssh. I move around a lot, don't always have my laptop. Maybe I should buy a USB mem stick, put it on my key chain, and store some cert keys on it.
 
Old 02-12-2008, 04:08 PM   #4
anomie
Senior Member
 
Quote:
Originally Posted by drokmed
I move around a lot, don't always have my laptop. Maybe I should buy a USB mem stick, put it on my key chain, and store some cert keys on it.
That's not a bad idea. Pubkey authentication with a strong passphrase might be just the thing for your situation.
 
Old 02-12-2008, 06:59 PM   #5
unixfool
Member
 
Quote:
Originally Posted by drokmed (post #3, quoted in full)
The port knock concept has been around since at least 2004. It's a good concept but I don't think it will keep the port from responding to things such as nmap or telnet. I haven't tested this yet, though. I know that you can't keep SSH itself from providing a banner if you telnet to port 22, but you may be able to keep the server from responding to an unauthorized client by blocking unauthorized IPs. Blocking prevents an SSH server from providing a banner, I believe.
 
Old 02-14-2008, 12:14 AM   #6
jeff_k
Member
 
You might want to consider SPA: single packet authorization. It may be more efficient on CPU usage, as it can be set up to only listen on a single port (e.g. 22). It is more secure than port knocking (see the white papers on the web site), and more time-efficient. There is a Windows UI client for it as well; I use it to initiate PuTTY ssh sessions, it works fine and all my ports on my server are stealthed.
http://www.cipherdyne.com/fwknop/
 
Old 02-14-2008, 08:24 AM   #7
drokmed
Member
 
Hmmm, close, but not quite what I was looking for. Thanks though, it was close.

From that site...

Quote:
If you want to use GnuPG to encrypt communications from the fwknop client to the fwknopd server, you will need to first create the necessary GnuPG keys on both the client and server.
If I have to install keys on each client, as well as the server, I might as well harden ssh, and use its keys for more security.

I was looking for something that doesn't require installation of *anything* on the "client", so when I'm sitting at a random pc, I can still get through my firewall, after sending keystrokes to a port.
 
Old 02-14-2008, 08:49 AM   #8
drokmed
Member
 
I must apologize, I should have been more specific from the beginning:

Server: Debian Etch 4.0r2
Firewall: Shorewall 3.2.6

I think I found what I'm looking for (still reading it). It's a shorewall implementation of port knocking:

http://www.shorewall.net/PortKnocking.html

Which was created, based on this interesting article:

http://www.soloport.com/iptables.html

At first read through, it looks like what I'm looking for... will let you all know.
 
Old 02-14-2008, 11:34 PM   #9
jeff_k
Member
 
Actually, I wouldn't give up on the SPA concept just yet. You can use symmetric keys, which is what I have set up. In the conf file you specify the symmetric key to use, and then you can log in from any arbitrary PC, just as you desire, with that same key using the client. Nothing to install. I think that the author was saying that if you want to use GnuPG, then you need to install keys, but that is not a prerequisite to use SPA.
Cheers
 
Old 02-15-2008, 12:13 AM   #10
jeff_k
Member
 
I guess I should have mentioned: I have been using an alternate solution to your problem for over a year now, doing port knocking using just iptables rules. It's just more work to get in than the SPA solution, which is why I didn't suggest the iptables rules. The rules are set up so that you hit specified ports in a particular order, and if you do, then your IP address is allowed access to your SSH server. One very simple way to activate the rules is to just simply use a browser with the port number at the end of the address, for example, http://your.ipaddress:10001 would hit your port 10001. So you hit one, then the next, etc. in this manner until you open the door. As I said, this is more work and less elegant/optimal than the SPA solution, but here goes:
This rule set is set up to require you to hit port 10001, then 20002, then 30003, then 40004, then 50005, and then you are admitted to access ports 22 and 80.

# Helper chains: INADDON is the front door, SSHCLEAR wipes a bad sequence,
# SSHK1..SSHK4 each advance a knocker one stage
iptables -N INADDON
iptables -N SSHCLEAR
iptables -N SSHK1
iptables -N SSHK2
iptables -N SSHK3
iptables -N SSHK4
# Hook INADDON into INPUT (position 21 is specific to this ruleset, see below)
iptables -I INPUT 21 -p tcp -m tcp -j INADDON
# Stage 1: a hit on 10001 records the source address in list SSH1
iptables -A INADDON -p tcp -m tcp --dport 10001 -m recent --set --name SSH1 --rsource
# Stages 2-5: each port only counts if the previous list already holds the source;
# the last stage must be hit within 300 seconds of the fourth
iptables -A INADDON -p tcp -m tcp --dport 20002 -m recent --rcheck --name SSH1 --rsource -j SSHK1
iptables -A INADDON -p tcp -m tcp --dport 30003 -m recent --rcheck --name SSH2 --rsource -j SSHK2
iptables -A INADDON -p tcp -m tcp --dport 40004 -m recent --rcheck --name SSH3 --rsource -j SSHK3
iptables -A INADDON -p tcp -m tcp --dport 50005 -m recent --rcheck --seconds 300 --name SSH4 --rsource -j SSHK4
# A hit on a port adjacent to any knock port wipes the partial sequence
iptables -A INADDON -p tcp -m multiport --dports 10002,10000,20003,20001,30004,30002,40005,40003,50006,50004 -j SSHCLEAR
# Sources that completed the sequence (present in SSH5) may reach 22 and 80
iptables -A INADDON -p tcp -m tcp --dport 22 -m recent --rcheck --name SSH5 --rsource -j ACCEPT
iptables -A INADDON -p tcp -m tcp --dport 80 -m recent --rcheck --name SSH5 --rsource -j ACCEPT
# SSHCLEAR: forget every partial stage for this source and log it
iptables -A SSHCLEAR -m recent --remove --name SSH1 --rsource
iptables -A SSHCLEAR -m recent --remove --name SSH2 --rsource
iptables -A SSHCLEAR -m recent --remove --name SSH3 --rsource
iptables -A SSHCLEAR -m recent --remove --name SSH4 --rsource
iptables -A SSHCLEAR -p tcp -j LOG --log-prefix "kicked out of knock"
# SSHK1..SSHK4: move the source from list SSHn to SSHn+1 and log the step
iptables -A SSHK1 -m recent --remove --name SSH1 --rsource
iptables -A SSHK1 -p tcp -j LOG --log-prefix "port 20002 knocked"
iptables -A SSHK1 -m recent --set --name SSH2 --rsource
iptables -A SSHK2 -m recent --remove --name SSH2 --rsource
iptables -A SSHK2 -p tcp -j LOG --log-prefix "port 30003 knocked"
iptables -A SSHK2 -m recent --set --name SSH3 --rsource
iptables -A SSHK3 -m recent --remove --name SSH3 --rsource
iptables -A SSHK3 -p tcp -j LOG --log-prefix "port 40004 knocked"
iptables -A SSHK3 -m recent --set --name SSH4 --rsource
iptables -A SSHK4 -m recent --remove --name SSH4 --rsource
iptables -A SSHK4 -p tcp -j LOG --log-prefix "port 50005 knocked"
iptables -A SSHK4 -m recent --set --name SSH5 --rsource

Note that where I have the chain INPUT and the command -I INPUT 21, you would replace 21 with whatever is the appropriate number to insert the rule. You can check the rule numbers by running the command:
sudo iptables -L -n -v --line-numbers
Once you find the correct number in your INPUT chain to insert that rule, the rest of the commands can be unchanged. The above rules check that ports adjacent to the right ports must not be hit between hits, or it is an invalid knock sequence. When you get near the end of the knock, you have only 300 seconds to complete the sequence.
As I mentioned, this worked just fine for me, but it is a lot more hassle than the simple SPA setup, where once you install the daemon, the server runs and listens for the valid SPA, and it adds the right iptables rule just long enough for the session of interest.
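The five-port sequence jeff_k describes, as an added offline model that is not part of his post and not netfilter code. It is Python rather than iptables so it can be run without root or a kernel; it assumes the documented semantics of the recent module's --set, --rcheck (with optional --seconds) and --remove keyed by source address (--rsource), and it assumes that any packet INADDON does not ACCEPT is dropped by the rest of the INPUT chain, which the post leaves to the reader's own firewall policy. The recent list's entry limit is not modelled. Replaying constructed packets through the same stage transitions lets you confirm the properties the rule set relies on: order matters, an adjacent port wipes progress, the fifth knock must land within 300 seconds of the fourth, and only the knocking source address is admitted.

```python
"""Offline model of the iptables 'recent'-module knock sequence from post #10.

Added example for this thread: not the poster's rules and not netfilter code.
It replays constructed TCP packets through the stage transitions that the
INADDON / SSHK1..4 / SSHCLEAR chains implement.
"""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = [10001, 20002, 30003, 40004, 50005]   # must be hit in this order
# The multiport rule: hitting a port adjacent to a knock port wipes progress.
CLEAR_PORTS = {10002, 10000, 20003, 20001, 30004, 30002, 40005, 40003, 50006, 50004}
PROTECTED_PORTS = {22, 80}          # admitted once the source is in list SSH5
FINAL_WINDOW_SECONDS = 300          # '--rcheck --seconds 300' on the SSH4 check only


@dataclass
class Event:
    src: str      # source IP: the key every list uses (--rsource)
    dport: int    # TCP destination port
    t: float      # arrival time in seconds


@dataclass
class KnockState:
    """One 'recent' list per stage: list name -> {src_ip: time of last --set}."""
    lists: dict = field(default_factory=lambda: {f"SSH{i}": {} for i in range(1, 6)})
    log: list = field(default_factory=list)     # stands in for the LOG targets

    def _set(self, name, src, t):
        self.lists[name][src] = t                # --set adds or refreshes the entry

    def _remove(self, name, src):
        self.lists[name].pop(src, None)          # --remove is a no-op if absent

    def _rcheck(self, name, src, t, seconds=None):
        last = self.lists[name].get(src)
        if last is None:
            return False
        return seconds is None or t - last <= seconds   # --rcheck [--seconds N]

    def process(self, ev):
        """Return 'ACCEPT' or 'DROP' for one packet, walking INADDON top to bottom.

        Assumption (not stated in the post): whatever INADDON does not ACCEPT is
        dropped by the rest of the INPUT chain.
        """
        src, port, t = ev.src, ev.dport, ev.t
        for stage, kport in enumerate(KNOCK_SEQUENCE, start=1):
            if port != kport:
                continue
            if stage == 1:
                self._set("SSH1", src, t)        # first knock only starts tracking
            else:
                window = FINAL_WINDOW_SECONDS if stage == len(KNOCK_SEQUENCE) else None
                if self._rcheck(f"SSH{stage - 1}", src, t, window):   # SSHK{n} chain
                    self._remove(f"SSH{stage - 1}", src)
                    self.log.append(f"port {port} knocked from {src}")
                    self._set(f"SSH{stage}", src, t)
            return "DROP"                        # knock packets are never accepted
        if port in CLEAR_PORTS:                  # SSHCLEAR chain
            for name in ("SSH1", "SSH2", "SSH3", "SSH4"):
                self._remove(name, src)
            self.log.append(f"kicked out of knock: {src}")
            return "DROP"
        if port in PROTECTED_PORTS and self._rcheck("SSH5", src, t):
            return "ACCEPT"                      # the posted rules never expire SSH5
        return "DROP"


def replay(events):
    """Run Events through a fresh KnockState; return (per-packet verdicts, state)."""
    state = KnockState()
    return [state.process(ev) for ev in events], state


if __name__ == "__main__":
    me, other = "203.0.113.7", "198.51.100.9"      # constructed documentation addresses
    knocks = [Event(me, p, 10 * i) for i, p in enumerate(KNOCK_SEQUENCE)]
    verdicts, state = replay(knocks + [Event(me, 22, 60), Event(other, 22, 61)])
    print(verdicts[-2:], state.log)
```

One thing the model makes easy to see is that the posted rules never take a source out of SSH5, so an address that completed the sequence stays admitted to 22 and 80 until its entry leaves the recent list; putting a --seconds limit on the two --rcheck SSH5 rules, or adding a rule that removes the entry, would bound that.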
 
Old 02-15-2008, 07:34 AM   #11
drokmed
Member
 
Thanks Jeff, I think I will try the 5 port knock, close enough to what I was looking for.
 
  

