
Re: idea for improving security



On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> Hi,
>   I'm not sure whether this idea has been considered or implemented 
>   anywhere, but I have been thinking about it, and believe it would provide a 
> fairly high level of security for systems which only run a few public 
> services.  The gist of it is this:
> incorporate functionality into inetd/xinetd/rinetd which listens for a 
> predefined sequence of connection attempts on certain ports.  Upon noticing 
> the correct sequence (as specified somewhere in the config file), it opens 
> up certain ports (i.e. SSH) for a specified amount of time or for the next 
> connection attempt only.  The parameters which could be set in the config 
> file would be:
> 1) the "trigger" sequence (an ordered list of port numbers)

what happens if another port is being connected during your
transmission of the 'trigger-connects'?

> 2) the port(s) to make available upon receiving this trigger sequence
> 3) whether the ports to be made available are available for a) the next n 
> connections only, 

what if someone else tries to connect exactly this one time?

> and/or b) the next n minutes

what happens if you need more(tm) time?

> 3) how long to disable watching for the sequence after an invalid sequence 
> has been detected.

how do you define an invalid sequence? how would you determine whether
someone else tries to trigger your port or is simply scanning you?


I'd rather work with some other mechanism like granting access to/from
one single IP/Port. You might for example realize this with two
encrypted Emails where the server-generated Mail includes some random
Data (for extra security) and the Client-generated Mail includes the
Client's IP...
The attacker would have to spoof the client-IP and would have to have
access to the client's ssh-keys _and_ pgp/gnupg-keys...
I guess you'd have to be quite paranoid to see this as unsafe...


> makes a connection to 4385, this would invalidate the sequence) -- if these 
> trigger-sequence ports are all connected to in order (and the 
> disable-sequence-listen timeout has elapsed), then port 22 becomes open to 
> connect to.

You'll have to rely on many people not trying to connect to your magic
ports while you don't want them to...

> 
> Unless the hacker is on the same subnet that you (or your gateway) are on, 
> it would seem a very difficult task for him/her to determine what the magic 
> port-connection sequence is, and with appropriately chosen 
> disable-sequence-listen timeouts, brute force techniques would seem pretty 
> impractical.

Yes, Brute-Force cracks will be fairly inefficient, but a simple DNS will
keep you off that machine as well.

Another solution might be even better... some spare hardware granted
you might want to take a dial-in solution.



just my few cents.
Horst.
(no security expert at all. so read and think twice before you agree to my
opinion.)

-- 
Have you noticed the way people's intelligence capabilities decline
sharply the minute they start waving guns around?
                -- Dr. Who
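
A toy model of the trigger-sequence daemon as Mark sketches it, replayed against the interruption Horst asks about; this is an added example, not code from the thread or from inetd/xinetd, and the trigger ports, timeouts and traffic traces are constructed:

```python
# Constructed parameters standing in for the proposed config-file entries.
TRIGGER = (1111, 2222, 3333)   # 1) ordered trigger sequence (constructed ports)
PROTECTED = 22                 # 2) port made available after the trigger
OPEN_SECONDS = 60.0            # 3b) available for the next n minutes
LOCKOUT_SECONDS = 600.0        # stop watching after an invalid sequence


class KnockWatcher:
    """Single global watcher, as the proposal sketches it: no per-source
    state, so any host's connection attempt advances or breaks the sequence."""

    def __init__(self):
        self.progress = 0          # how many trigger ports matched so far
        self.locked_until = 0.0    # time until which knocks are ignored
        self.open_until = 0.0      # time until which PROTECTED accepts

    def connect(self, t, port):
        """Return what the daemon does with a connection at time t on port."""
        if port == PROTECTED:
            return "accept" if t < self.open_until else "reject"
        if t < self.locked_until:
            return "ignored"       # in lockout, the sequence is not watched
        if port == TRIGGER[self.progress]:
            self.progress += 1
            if self.progress < len(TRIGGER):
                return "knock"
            self.progress = 0
            self.open_until = t + OPEN_SECONDS
            return "opened"
        # Any other port invalidates the sequence (the mail's "connection
        # to 4385" case) and disables watching for LOCKOUT_SECONDS.
        self.progress = 0
        self.locked_until = t + LOCKOUT_SECONDS
        return "invalid"


def replay(events):
    """Feed (time, source, port) tuples; return [(source, port, outcome)]."""
    w = KnockWatcher()
    return [(src, port, w.connect(t, port)) for t, src, port in events]


# Constructed traffic: a clean knock, then the same knock interrupted by a
# third party hitting an unrelated port, which locks the legitimate user out.
CLEAN = [(0, "admin", 1111), (1, "admin", 2222), (2, "admin", 3333), (3, "admin", 22)]
INTERRUPTED = [(0, "admin", 1111), (1, "admin", 2222), (1.5, "scanner", 4385),
               (2, "admin", 3333), (3, "admin", 22)]

if __name__ == "__main__":
    for name, trace in (("clean", CLEAN), ("interrupted", INTERRUPTED)):
        print(name, replay(trace))
```

The second trace shows why the global design needs nobody else to touch the watched ports: one unrelated connection turns the legitimate user's knock into a lockout.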


