
Re: Port Knocking on openBSD?



On Thu, Feb 05, 2004 at 05:58:09PM -0500, Rick Wash wrote:
> 
> OpenBSD has a much better and more secure solution to this problem.  It's 
> called AuthPF.

authpf is fine. I use it.

But if you don't want to expose any tcp ports at all, that includes port 22 as
well. And if you are on the move and cannot guarantee that ah/esp et al are even
transported, then one alternative is to hide.

I personally don't like the "port-knocking" way of doing it and the
implementation itself, so I wrote a simple script myself that

    1. uses Net::Pcap and listens for ICMP echo requests.
    2. if a valid combination of uid + one-time password
       flies by in the PAYLOAD of the ICMP, inserts the IP in 
       a special pf table (so she will get access to tcp/22).
    3. checks regularly for table entries that have had no valid connection
       for a couple of minutes and removes them from the table.

Pretty trivial and effective, and a good complement to authpf, actually. 
If anyone is interested, I can wrap it up in a package.

I trust OpenSSH as I trust my ASSA Twin-lock on my house, but only those who
walk up to my yard will be able to test their lock-picking abilities on it. 

If it's possible to hide my tcp/22-port from occasional portscan-kiddies,
that would be a way of lowering the risk even more.

-- 
    magnus, http://x42.com
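Added illustration of the three steps magnus describes, not his script (his is Perl on Net::Pcap and is not on the page) and not anything from the OpenBSD project. It assumes a payload format of `uid:otp`, uses HOTP (RFC 4226) as the one-time password scheme with a small look-ahead window and replay protection, names the pf table `knockers` (a `<knockers>` table would have to exist in pf.conf), and collects the `pfctl -t ... -T add/delete` commands in a list instead of running them. Packets are constructed inline so it runs offline; a real daemon would feed it frames from a pcap handle. Expiry is simplified to "no valid knock for N seconds" rather than checking live tcp/22 state.

```python
import hashlib
import hmac
import socket
import struct

TABLE = "knockers"  # assumed pf table name; must exist as <knockers> in pf.conf


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_icmp_echo(frame: bytes):
    """Return (src_ip, payload) for an IPv4 ICMP echo request, else None.
    Checksums are not validated here; a live capture would want that too."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 1:  # IP protocol 1 = ICMP
        return None
    src = socket.inet_ntoa(frame[12:16])
    icmp = frame[ihl:]
    if len(icmp) < 8 or icmp[0] != 8:  # ICMP type 8 = echo request
        return None
    return src, icmp[8:]  # payload follows the 8-byte ICMP header


class Knocker:
    def __init__(self, users, window: int = 5):
        self.users = users        # uid -> {"secret": bytes, "counter": int}
        self.window = window      # how many counters ahead we tolerate
        self.table = {}           # ip -> time of last valid knock
        self.commands = []        # pfctl commands a real daemon would execute

    def handle(self, frame: bytes, now: float) -> bool:
        parsed = parse_icmp_echo(frame)
        if parsed is None:
            return False
        src, payload = parsed
        try:
            uid, otp = payload.decode("ascii").rstrip("\0").split(":", 1)
        except (UnicodeDecodeError, ValueError):
            return False
        user = self.users.get(uid)
        if user is None:
            return False
        for c in range(user["counter"], user["counter"] + self.window):
            if hmac.compare_digest(hotp(user["secret"], c), otp):
                user["counter"] = c + 1  # advance past it: a sniffed code cannot be replayed
                if src not in self.table:
                    self.commands.append(f"pfctl -t {TABLE} -T add {src}")
                self.table[src] = now
                return True
        return False

    def expire(self, now: float, idle: float = 120.0):
        """Drop entries with no valid knock for `idle` seconds; return the removed IPs."""
        stale = [ip for ip, t in self.table.items() if now - t > idle]
        for ip in stale:
            del self.table[ip]
            self.commands.append(f"pfctl -t {TABLE} -T delete {ip}")
        return stale


def build_echo_request(src_ip: str, payload: bytes) -> bytes:
    """Constructed test packet: minimal IPv4 header + ICMP echo request, checksums left zero."""
    ip_hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0, 64, 1, 0,
                         socket.inet_aton(src_ip), socket.inet_aton("192.0.2.1"))
    icmp_hdr = struct.pack(">BBHHH", 8, 0, 0, 0x1234, 1)
    return ip_hdr + icmp_hdr + payload


SECRET = b"12345678901234567890"  # the RFC 4226 test-vector secret, not a real key


def demo():
    k = Knocker({"magnus": {"secret": SECRET, "counter": 0}})
    good = build_echo_request("198.51.100.7", b"magnus:" + hotp(SECRET, 0).encode())
    bad = build_echo_request("198.51.100.7", b"magnus:000000")
    first = k.handle(good, now=1000)    # valid knock: IP added to the table
    replay = k.handle(good, now=1001)   # same code sniffed and resent: rejected
    wrong = k.handle(bad, now=1002)     # wrong OTP: rejected
    expired = k.expire(now=1200)        # 200 s idle > 120 s: removed again
    return first, replay, wrong, expired, k.commands


if __name__ == "__main__":
    print(demo())
```

The only state the listener has to protect is the per-user counter and the table; a sniffed knock buys an attacker nothing once the counter has moved past it, which is the property plain port-knock sequences lack.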