
Re: idea for improving security



Hi

On Tue, May 06, 2003 at 11:26:35PM +0200, Horst Pflugstaedt wrote:
> On Tue, May 06, 2003 at 01:07:24PM -0500, Mark Edgington wrote:
> > 2) the port(s) to make available upon receiving this trigger sequence
> > 3) whether the ports to be made available are available for a) the next n 
> > connections only, 
> what if someone else tries to connect exactly this one time?
You can always differentiate between different source IPs.

> > and/or b) the next n minutes
> what happens if you need more(tm) time?
You configure it with greater timeout values?

> > 3) how long to disable watching for the sequence after an invalid sequence 
> > has been detected.
> how do you define an invalid sequence? how would you determine whether
> someone else tries to trigger your port or is simply scanning you?
If you have a combination and 80% of that combination were guessed
correctly (by say, 5 different ip packets, it would be quite a strange
coincidence), you could define an invalid sequence.

> I'd rather work with some other mechanism like granting access to/from
> one single IP/Port. you might for example realize this with two
> encrypted Emails where the server-generated Mail includes some random
> Data (for extra security) and the Client-generated Mail includes the
> Clients IP...
Who said you need listening ports for that? Just use libpcap, open up a
raw socket and catch the packets before they are processed. So you
don't need any listening service but still can evaluate the packets.

> > makes a connection to 4385, this would invalidate the sequence) -- if these 
> > trigger-sequence ports are all connected to in order (and the 
> > disable-sequence-listen timeout has elapsed), then port 22 becomes open to 
> > connect to.
> You'll have to rely on many people not trying to connect to your magic
> ports while you don't want them to...
Who said ports? Specially crafted IP packets are absolutely sufficient :)

I think the main goal of this question was not that end users can connect
to the services, but only administrators. If you have 100 machines on the
net placed at customers it might be pretty handy, if you don't have to
worry about ssh auto rooters after the new 0day exploit, because they
don't try the magic-ip-packet-sequence. This adds another layer of security
against dumb attacks, not against directed attacks.


MfG/Regards, Alexander

-- 
Alexander Reelsen   http://tretmine.org
ref@tretmine.org
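Added example, not code from this thread or from anyone in it: a Python sketch of the per-source-IP state Alexander describes, fed (src_ip, dst_port, timestamp) tuples as a libpcap sniffer would hand them over, with the grant timeout, the "disable watching after an invalid sequence" lockout and the 80% guess rule. The knock ports, durations, threshold and the addresses in the trace are assumed values.

```python
from collections import defaultdict

# Constructed policy values (assumptions for this example, not from the thread)
KNOCK_SEQUENCE = (7000, 8000, 9000, 10000, 11000)  # hypothetical trigger ports, in order
PROTECTED_PORT = 22      # stays filtered until a source has knocked
OPEN_SECONDS = 600       # grant lasts "the next n minutes" for that source only
LOCKOUT_SECONDS = 1800   # stop watching a source after an invalid sequence
INVALID_FRACTION = 0.8   # mostly-correct-then-wrong counts as a guessing attempt

class KnockMonitor:
    """Per-source-IP knock state, fed with packets as a sniffer hands them
    over: (src_ip, dst_port, now). No listening socket is needed."""

    def __init__(self):
        self.progress = defaultdict(int)  # src_ip -> next expected index
        self.open_until = {}              # src_ip -> time the grant expires
        self.lockout_until = {}           # src_ip -> time watching resumes

    def observe(self, src_ip, dst_port, now):
        if now < self.lockout_until.get(src_ip, 0):
            return  # watching disabled for this source; even correct knocks are ignored
        idx = self.progress[src_ip]
        if dst_port == KNOCK_SEQUENCE[idx]:
            idx += 1
            if idx == len(KNOCK_SEQUENCE):  # full sequence seen in order
                self.open_until[src_ip] = now + OPEN_SECONDS
                idx = 0
            self.progress[src_ip] = idx
        elif idx > 0:
            # Out-of-order port (e.g. 4385 in the thread) invalidates progress;
            # if most of the combination was already right, treat it as guessing
            # rather than a plain scan and disable watching this source for a while.
            self.progress[src_ip] = 0
            if idx / len(KNOCK_SEQUENCE) >= INVALID_FRACTION:
                self.lockout_until[src_ip] = now + LOCKOUT_SECONDS
        # a stray packet while idx == 0 is ordinary scan noise and is ignored

    def allowed(self, src_ip, dst_port, now):
        # Filter decision for an inbound packet: only the protected port is gated
        if dst_port != PROTECTED_PORT:
            return True
        return now < self.open_until.get(src_ip, 0)

def demo():
    """Constructed trace: an admin knocks correctly, a scanner gets 4 of 5 then misses."""
    m = KnockMonitor()
    for t, port in enumerate(KNOCK_SEQUENCE):
        m.observe("192.0.2.10", port, t)
    for t, port in enumerate(KNOCK_SEQUENCE[:4] + (4385,)):
        m.observe("198.51.100.7", port, t)
    return m.allowed("192.0.2.10", 22, 5), m.allowed("198.51.100.7", 22, 5)
```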
