
Re: idea for improving security



On Tuesday 06 May 2003 06:29 pm, Alain Tesio wrote:
> On Tue, 06 May 2003 13:07:24 -0500
>
> Mark Edgington <edgimar@iit.edu> wrote:
> > it doesn't matter if others are
> > connecting to port 80, etc. while he is doing these connections, as long
> > as no-one else is trying to connect to any of the ports in the
> > trigger-sequence list -- this is the only thing which will invalidate the
> > sequence-recognition
>
> Hi, it seems you don't mention that the connection attempts can be memorized
> associated to the originating IP, and then the wanted port made available
> only for this IP.

I agree.  In fact, you could argue that this method is no more secure than 
just moving ssh to a different port. I have done that on boxes before: if 
sshd is listening on port 4321 or whatever you don't need to worry about the 
"hackers".  If someone has the ability to notice you connecting to specific 
ports, they can also watch what sequence you use.  


> It looks a bit complex to me, only useful for a private use of a port which
> is not publically available, which means only for ssh as other protocols
> can pass through a ssh tunnel.
>
> This authentication system won't be vulnerable to ssh exploits, but
> you're basically using port numbers as characters of an unencrypted
> password.
>
> A simplification of your idea with no loss of feature without using ssh may
> be to have incoming packets of an unique port appear as dropped from the
> outside and still processed (how ??) by a daemon waiting for a password in
> the packet body. Passwords can be OTP.

One problem with this is reinventing the wheel.  It sounds a lot like a VPN 
solution if you take it to this level. 

> (a bit dirty) is it possible to use snort with a special rule to detect
> such a traffic, eventually with another process reading snort log files ?

This is still pretty complex, if the end result is just to allow access to port 
22. 

SSH is pretty secure; there have been very few problems with ssh that allow 
someone without an account to gain access to the system it's on.  If you take 
all other precautions, your risk is pretty low.  If your data is so valuable 
that you still can't afford the risk, then you need to take measures further 
by having that box on a private network where only specific hosts can log 
in, and set up a secondary host just to authenticate in.



-- 
Jay Kline
http://www.slushpupie.com
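The two knock-recognition schemes discussed in this thread, side by side, as an added example that is not code from any of the participants. The first tracker keeps one shared state machine, as in Mark's original description (connections to ports outside the sequence are ignored, but any host hitting a knock port disturbs the sequence); the second keys the state by source IP, as Alain suggests, and opens the protected port only for the address that completed the sequence. The knock sequence, the IP addresses and the iptables-style LOG lines are all constructed for illustration, and the generated iptables rule is an assumed shape for what a knock daemon would add; the third host in the sample log replays the observed sequence to show Jay's point that the ports are just an unencrypted password.

```python
"""Port-knock recogniser: shared state vs. per-source-IP state.

Added example, not code from the thread. KNOCK_SEQUENCE, the addresses and
SAMPLE_LOG are constructed for illustration.
"""
import re

KNOCK_SEQUENCE = (7000, 8000, 9000)   # hypothetical secret knock sequence
PROTECTED_PORT = 22                   # the port the knocks are meant to open

# Constructed sample of netfilter LOG lines for inbound SYNs (SRC= and DPT=
# are the fields the kernel's LOG target really emits).
#   203.0.113.5  - the legitimate knocker
#   198.51.100.7 - an unrelated host (one SYN to 443, one scan of port 7000)
#   192.0.2.200  - an observer replaying the sequence it watched
SAMPLE_LOG = """\
May  6 18:29:01 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000 SYN
May  6 18:29:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443 SYN
May  6 18:29:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=8000 SYN
May  6 18:29:04 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=7000 SYN
May  6 18:29:05 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=9000 SYN
May  6 18:29:20 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=7000 SYN
May  6 18:29:21 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=8000 SYN
May  6 18:29:22 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.200 DST=192.0.2.10 PROTO=TCP SPT=33003 DPT=9000 SYN
"""

LOG_RE = re.compile(r"^\w{3}\s+\d+\s+(\d\d):(\d\d):(\d\d) .*?SRC=(\S+) .*?DPT=(\d+)")


def parse_log(text):
    """Yield (seconds_of_day, src_ip, dst_port) for every LOG line that matches."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        h, mi, s, src, dpt = m.groups()
        yield int(h) * 3600 + int(mi) * 60 + int(s), src, int(dpt)


def _advance(idx, port, sequence):
    """Index after seeing `port`: right port advances, first port restarts, anything else resets."""
    if port == sequence[idx]:
        return idx + 1
    return 1 if port == sequence[0] else 0


class GlobalKnockTracker:
    """One shared state machine: every host's SYN to a knock port advances or resets it.
    Ports outside the sequence are ignored, so ordinary traffic to 80/443 does not matter,
    but any other host touching a knock port invalidates a sequence in progress."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=10):
        self.sequence, self.window = tuple(sequence), window
        self.idx, self.last_ts = 0, None
        self.opened_for = set()   # IPs the protected port was opened for

    def observe(self, ts, src, port):
        if port not in self.sequence:
            return False
        if self.last_ts is not None and ts - self.last_ts > self.window:
            self.idx = 0          # too slow between knocks: start over
        self.idx = _advance(self.idx, port, self.sequence)
        self.last_ts = ts
        if self.idx == len(self.sequence):
            self.idx = 0
            self.opened_for.add(src)
            return True
        return False


class PerSourceKnockTracker:
    """State keyed by source IP: other hosts cannot disturb a knocker, and the port
    is opened only for the address that completed the sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=10):
        self.sequence, self.window = tuple(sequence), window
        self.state = {}           # src_ip -> (idx, last_ts)
        self.opened_for = set()

    def observe(self, ts, src, port):
        if port not in self.sequence:
            return False
        idx, last_ts = self.state.get(src, (0, None))
        if last_ts is not None and ts - last_ts > self.window:
            idx = 0
        idx = _advance(idx, port, self.sequence)
        if idx == len(self.sequence):
            self.state.pop(src, None)
            self.opened_for.add(src)
            return True
        self.state[src] = (idx, ts)
        return False


def run(tracker, log=SAMPLE_LOG):
    """Feed a log through a tracker and return the set of IPs it would open the port for."""
    for ts, src, port in parse_log(log):
        tracker.observe(ts, src, port)
    return set(tracker.opened_for)


def firewall_rule(src):
    """Rule a knock daemon would insert for a successful knocker (assumed shape, hypothetical)."""
    return f"iptables -I INPUT -s {src} -p tcp --dport {PROTECTED_PORT} -j ACCEPT"


if __name__ == "__main__":
    # Shared state: the scan of 7000 at 18:29:04 broke the legitimate knocker's sequence,
    # yet the observer who replayed the same ports got in.
    print("global  :", run(GlobalKnockTracker()))
    # Per-source state: the legitimate knocker succeeds, but so does the replay.
    print("per-src :", run(PerSourceKnockTracker()))
    for ip in sorted(run(PerSourceKnockTracker())):
        print(firewall_rule(ip))
```

Running it shows the two points made in the thread at once: with shared state the legitimate knocker is locked out by an unrelated host's SYN to a knock port, while keying by source IP fixes that; in both cases the third host, which merely replayed the sequence it watched, is granted the same access, because the sequence itself is the whole secret.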


