[plug] firewalling ssh

Bernd Felsche bernie at innovative.iinet.net.au
Tue Jan 9 09:42:16 WST 2007


Adrian Woodley <Adrian at Diskworld.com.au> writes:
>Bernd Felsche wrote:
>> Tim Bowden <tim.bowden at westnet.com.au> writes:

>> You should also look at "port knocking".

>> This means that you don't run the sshd (at the usual port) but with
>> a deft sequence of hitting a pre-defined sequence of ports within a
>> short period of time, you then set the sshd to listen to the IP
>> address from which you're knocking... for a minute.

>> Connection by pre-shared key is also possible which frustrates
>> dictionary attacks for trying to get access. Change the key
>> irregularly.

>I'm personally not a huge fan of Port Knocking - it smacks of "security 
>through obscurity".

It's a shared secret; just like a password. You can explain exactly
*how* it works so it's not obscurity that's the protection; it's the
port numbers and the sequence in which they're knocked.

Of course somebody could listen to the IP traffic to the protected
machine, and try to work out what is the real knock sequence and
attempt a replay attack.  And that is exactly like password
sniffing. There are ways of frustrating such sniffing through noise
insertion and deliberate setting of "poison ports" in the sequence
which when once knocked, invalidate the knocking sequence for a long
(in computer terms) time.

>Using ssh keys is a much more convenient and secure method of protecting 
>both your password and your ssh server (it's the current basis for access 
>at my work).  If you're frequently on strange/different machines then 
>keeping your private key and a known_hosts file on a thumb-drive is a 
>convenient way of authenticating both yourself and your server (avoid 
>Man-in-the-Middle attacks).

Having an sshd listen all the time to the world opens the system to
a DoS attack.... a dictionary attack can generate hundreds of
megabytes of sshd log entries in a day. The firewall's memory may
also be exhausted if the sshd tries to handle too many connections
at once.

Port-knocking reduces the vulnerability to such attacks and others.
It's not used for authentication per se; it's used to gain access to
authentication.

>Alternatively there's Ajaxterm 
>(http://antony.lesuisse.org/qweb/trac/wiki/AjaxTerm) as run on 
>https://ssh.diskworld.com.au :P
>(I'll wake up tomorrow to find Bernard has 'sploited my box through this 
>little gateway - he's a dodgy character that one; heard he was spoofing 
>MAC addresses yesterday!).
-- 
/"\ Bernd Felsche - Innovative Reckoning, Perth, Western Australia
\ /  ASCII ribbon campaign | "If we let things terrify us,
 X   against HTML mail     |  life will not be worth living."
/ \  and postings          | Lucius Annaeus Seneca, c. 4BC - 65AD.
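The knock mechanism Bernd describes above (a secret port sequence that must be completed within a short window, "poison" ports that invalidate a source for a long time, and sshd becoming reachable from the knocking address for about a minute) can be modelled as a small per-source state machine. The following is an added example written for this page; it is not code from the thread, from knockd or from any other knock daemon. The port numbers, the timings, the addresses and the event log are all constructed for illustration. Ports that are neither in the sequence nor poison are treated as noise and ignored, which is the design choice that lets a client insert decoy knocks; sequence ports hit out of order restart the attempt.

```python
"""Port-knock gate simulation (added example, not from the original thread).

Models what a knock daemon does in front of sshd: per-source progress
through a secret port sequence, a short window to complete it, "poison"
ports that lock a source out for a long time, and a one-minute opening of
the sshd port for the source that knocked correctly.  Port numbers,
timings and the event log below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple


@dataclass(frozen=True)
class KnockPolicy:
    sequence: Tuple[int, ...]        # secret ports, in the order they must be hit
    poison_ports: FrozenSet[int]     # touching one of these locks the source out
    window: float = 10.0             # seconds allowed to complete the sequence
    lockout: float = 3600.0          # seconds a poisoned source stays locked out
    open_for: float = 60.0           # seconds sshd stays reachable after a good knock


@dataclass
class SourceState:
    progress: int = 0         # sequence ports hit so far, in order
    started: float = 0.0      # time of the first knock of the current attempt
    locked_until: float = 0.0
    open_until: float = 0.0


class KnockGate:
    def __init__(self, policy: KnockPolicy) -> None:
        self.policy = policy
        self.sources: Dict[str, SourceState] = {}

    def knock(self, src: str, port: int, now: float) -> str:
        """Process one SYN from src to port at time now; return what happened."""
        p = self.policy
        st = self.sources.setdefault(src, SourceState())
        if now < st.locked_until:
            return "locked"
        if port in p.poison_ports:
            st.progress = 0
            st.locked_until = now + p.lockout
            return "poisoned"
        if port not in p.sequence:
            return "ignored"          # noise: neither a sequence nor a poison port
        if st.progress and now - st.started > p.window:
            st.progress = 0           # too slow: the current attempt expires
        if port != p.sequence[st.progress]:
            # out of order: restart, counting this knock only if it is the first port
            st.progress = 1 if port == p.sequence[0] else 0
            st.started = now
            return "reset"
        if st.progress == 0:
            st.started = now
        st.progress += 1
        if st.progress == len(p.sequence):
            st.progress = 0
            st.open_until = now + p.open_for
            return "open"
        return "partial"

    def ssh_allowed(self, src: str, now: float) -> bool:
        """What the firewall rule in front of sshd would consult for this source."""
        st = self.sources.get(src)
        return st is not None and now < st.open_until


# Constructed event log: (time in seconds, source address, destination port)
EVENTS = [
    (0.0, "203.0.113.7", 7000),    # legitimate client starts the sequence
    (0.5, "203.0.113.7", 5555),    # decoy knock, ignored by the gate
    (1.0, "203.0.113.7", 8000),
    (1.5, "203.0.113.7", 9000),    # sequence complete: sshd opens for 60 s
    (2.0, "198.51.100.9", 7000),   # scanner walks ports upward...
    (2.1, "198.51.100.9", 7500),   # ...and trips the poison port placed in the gap
    (2.2, "198.51.100.9", 8000),
    (2.3, "198.51.100.9", 9000),   # right ports, but the source is now locked out
    (40.0, "192.0.2.33", 7000),    # too slow: exceeds the 10 s window
    (55.0, "192.0.2.33", 8000),
    (56.0, "192.0.2.33", 9000),
]


def run(events=EVENTS) -> Dict[str, bool]:
    """Replay the event log and report which sources may reach sshd at the end."""
    policy = KnockPolicy(sequence=(7000, 8000, 9000),
                         poison_ports=frozenset({7500, 8500}))
    gate = KnockGate(policy)
    for t, src, port in events:
        gate.knock(src, port, t)
    last = max(t for t, _, _ in events)
    return {src: gate.ssh_allowed(src, last) for src in gate.sources}


if __name__ == "__main__":
    for src, allowed in run().items():
        print(f"{src:15} sshd reachable: {allowed}")
```

Note what the poison ports buy: they sit between the real sequence ports, so a linear scan or a guess at "the ports that were hit, in order" trips one and locks the scanner out for an hour, while an exact replay of a sniffed sequence is not stopped by them. That is the same limitation a sniffed password has, which is why the knock only gates access to the real authentication rather than replacing it.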