
Re: SSH Cracking Attempts



On Wed, 29 Sep 2004 23:10:11 +0200, Jacob S <stormspotter@6Texans.net>
wrote:

> On Wed, 29 Sep 2004 21:55:59 +0200
> Matthijs <vanaalten@hotmail.com> wrote:
> 
> > It's not really what you're asking, but:
> > In the dutch computer magazine C't, I read an article a few months ago
> > about protecting your computer using a port knocking system. If I
> > remember correctly, you can close a port (your SSH port, for example)
> > and only open it when a pre-defined pattern of access attempts on a
> > pre-defined port (unused for applications) is applied. The SSH port
> > can then be set to open in your firewall, perhaps only for the
> > IP-address that performed the knocking sequence.
> 
> hmm... You're right, it's not what I'm looking for, but it still sounds
> like a good concept. I'd be interested in learning more about that, if
> not for this use with ssh, I have a couple other applications it could
> work with on servers.

Short note in advance: I've only read the article, I use neither this
portknocking stuff nor the iptables firewall (well, at least not that
I'm really aware of). So I can't be held responsible for mistakes in
the article that I've copied below...

OK, here's some info from the article (Dutch C't September 2004, page
112-114):

Port knocking project by Martin Krzywinski:
http://www.portknocking.org

Portknocking uses a predefined range of 255 ports to receive TCP
connection attempts ('knocks'). These ports do not need to be open for
incoming connections; the messages written by iptables to the system
log are enough to activate the portknocking software.

The portknocking package consists of two scripts, one for the client
and the other for the server. According to the article, C, Python
and Perl versions of the scripts exist, but the focus of the article is
on the Perl version.

The firewall needs to guard a port range that is used for the
portknocking system and write connection attempts to a log file. A
command like:
iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 55000:55255 -j LOG
should do this.

The installation of the portknocking software itself is not well
described. I did notice that there is a Debian package 'knockd', which
I think might be the same portknocking daemon described in the
article.

Configuration is done in the file knockdaemon.conf. The most important
part is the part that defines the knocking sequence. The default is an
8-part sequence where the first 4 values specify the IP-address of the
knocker, followed by a variable which could for instance indicate the
port to be opened, followed by some other random number. After this
sequence, the knocker should also send a checksum for verification.
There is a lot more possible including date-functions. With all the
possibilities, it should be possible to prevent a replay attack
(someone listening to the knocking sequence and replaying it to open a
port for themselves).

Also, it is possible to specify a closing sequence so you can close a
port after you're done with it.

The <template> directive specifies the action to perform for a correct
knocking sequence. Normally that would be a command to open a port in
the firewall, but other, non-firewall-related commands are also
possible.

Most important in the configuration is to specify the correct
portrange to scan in the logfile for knocking sequences. Look for the
attribute 'portspan'. The portknocking package is password protected,
but it may be wise to change the default password 'password'.

After configuration, the daemon can be started and will check every
500ms if something has been knocking on some ports.

The portknocking client is also written in Perl. The file
'knockclient.conf' needs to be modified before first use. The IP
address of the server with the knock daemon should be specified
(variable 'remote'). The knocking sequence should of course be
specified and be identical to the specification in the daemon's
configuration file. 

Variable 'client' should specify the IP address of the client (which
will be knocked to the server); variable 'port' specifies the port
that must be opened.

Executing the knocking client should then send a series of knocks to
the server's IP address. These will be written by iptables to a log
file. The portknocking daemon will read this log file and, if the
knocking sequence is correct, execute the required action like opening
the SSH port.

Of course this system is only an additional security layer and is not
a substitute for keeping your system up-to-date. Nevertheless, it is
recommended by cryptography expert Bruce Schneier:
http://www.schneier.com/crypto-gram-0403.html

Well, that's about it, really. Hope this stuff is helpful for you or
anyone else reading this thread!

-- 
Matthijs
vanaalten@hotmail.com
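As an added illustration (not code from the article, from knockd, or from anyone in this thread), here is a small Python model of the server side described above: it parses netfilter LOG lines, takes the destination port's offset within the guarded 55000:55255 span as the knock value, groups knocks per source address, and validates an assumed 8-knock layout (four IP octets, two port bytes, a nonce, a checksum). It rejects sequences whose embedded address does not match the sender and sequences whose nonce was already used, which covers the replay case mentioned in the post. The kernel log format, the sequence layout and the sample log lines are all assumptions or constructed data.

```python
import re
from collections import defaultdict

# Port span guarded by the LOG rule in the post (55000:55255); a knock's value is DPT - KNOCK_BASE.
KNOCK_BASE, KNOCK_SPAN = 55000, 256
# Assumed 8-knock layout: 4 IP octets, 2 port bytes, 1 nonce, 1 checksum (sum of the others mod 256).
SEQUENCE_LEN = 8
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

def encode_sequence(client_ip, port, nonce):
    """Knock values a client would send for client_ip/port with the given nonce (assumed layout)."""
    data = [int(o) for o in client_ip.split(".")] + [port >> 8, port & 0xFF, nonce]
    return data + [sum(data) % KNOCK_SPAN]

def validate_sequence(src, seq, seen_nonces):
    """Return (ip, port) if seq is a well-formed, fresh knock sent by src, else None."""
    data, check = seq[:-1], seq[-1]
    ip = ".".join(str(o) for o in data[:4])
    if sum(data) % KNOCK_SPAN != check or ip != src:
        return None  # corrupted sequence, or one replayed from a different address
    if (ip, data[6]) in seen_nonces:
        return None  # same nonce seen before from this address: replay
    seen_nonces.add((ip, data[6]))
    return ip, (data[4] << 8) | data[5]

def scan_log(lines):
    """Collect knocks per source from iptables LOG lines; return the valid (ip, port) requests."""
    buffers, seen_nonces, results = defaultdict(list), set(), []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or not KNOCK_BASE <= int(m.group("dpt")) < KNOCK_BASE + KNOCK_SPAN:
            continue  # not a knock: non-TCP traffic, or a port outside the guarded span
        buf = buffers[m.group("src")]
        buf.append(int(m.group("dpt")) - KNOCK_BASE)
        if len(buf) == SEQUENCE_LEN:
            hit = validate_sequence(m.group("src"), buf, seen_nonces)
            buf.clear()
            if hit:
                results.append(hit)
    return results

def log_line(src, dpt):
    """Constructed netfilter LOG line in the kernel log format (sample data, not a real capture)."""
    return (f"Sep 29 23:10:11 gw kernel: IN=eth0 OUT= SRC={src} DST=10.0.0.1 LEN=60 "
            f"TTL=64 PROTO=TCP SPT=40123 DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0")

# Constructed sample: 192.168.1.5 asks for port 22 with nonce 77; an unrelated probe of port 22 is mixed in.
SAMPLE_LOG = [log_line("192.168.1.5", KNOCK_BASE + k) for k in encode_sequence("192.168.1.5", 22, 77)]
SAMPLE_LOG.insert(3, log_line("10.9.8.7", 22))
```

Feeding SAMPLE_LOG twice to scan_log in one call yields a single request, since the second copy reuses the nonce; the same lines with the SRC rewritten to another address yield nothing, since the embedded address no longer matches the sender.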
