[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Port Knocking on openBSD?
On Thu, Feb 05, 2004 at 05:58:09PM -0500, Rick Wash wrote:
> OpenBSD has a much better and more secure solution to this problem. Its
> called AuthPF.
authpf is fine. I use it.
But if you don't want to expose any tcp-ports at all, that includes port 22 as
well. And if you are on the move and cannot guarantee that ah/esp et al is even
transported then one alternative is to hide.
I personally don't like the "port-knocking" way of doing it and the
implementation itself so I wrote a simple script myself that
1. use Net::Pcap and listen for ICMP echo req.
2. if a valid combination of uid + one time password
flies by in the PAYLOAD of the ICMP, then insert ip in
a special pf-table (so she will get access to tcp/22).
3. check regulary for table-entries that has had no valid connection
for a couple of minutes and remove them from the table.
Pretty trivial and effective and a good complement to authpf, actually.
If any is interested I can wrap it up in a package.
I trust OpenSSH as I trust my ASSA Twin-lock on my house, but only those who
walk upfront my yard will be able to test their lock-picking abilities to it.
If it's possible to hide my tcp/22-port from occasional portscan-kiddies,
that would be a way of lowering the risk even more.