[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: [Solved]: Re: stopping ssh attacks



On Sat, Jun 18, 2005 at 11:15:25AM +0200, Vincent Lefevre wrote:
> On 2005-06-16 11:51:01 -0500, Thomas Stivers wrote:
> > I ended up going with port knocking and just installed knockd. Too
> > cool, i always thought it was harder to set up than it is. I even
> > have it playing nice with shorewall. Thanks for the suggestions.
> 
> The problem with port knocking is that it doesn't allow to connect
> from everywhere since some providers filter some ports. And you also
> need a client that would know about port knocking, right? Is there
> some package that would do the following, for instance: let port 22
> closed, but after a connection attempt, it is temporarily opened
> after 5 seconds for this address (with a timeout of 1 minute). After
> a successful connection, the address is whitelisted.
> 
> This would not be difficult to implement, but I haven't had the time
> yet... So, if there's something that already exists and does exactly
> what I want, I'd be very interested.

Successful TCP connection != Successful SSH connection

This would be quite difficult to implement correctly and would require
very tight coupling between your firewalling application and the daemons
that make us of this.

Iptables works at layer 2/3, SSH is much higher level.  I can make a
succesful TCP connection to any box out there that is listening on a TCP
port.  That is why I like the doorman approach.  You send a specially
crafted packet on the port to which you want to connect.  Any other
packet is ignored until after the special packet is received.  There is
no need to knock on different ports or to worry about ISP filtering.  It
also works at the same layer as iptables.

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr

Attachment: pgptIC_RTCbyf.pgp
Description: PGP signature


Reply to: