
Re: [Solved]: Re: stopping ssh attacks



On Sat, Jun 18, 2005 at 11:15:25AM +0200, Vincent Lefevre wrote:
> On 2005-06-16 11:51:01 -0500, Thomas Stivers wrote:
> > I ended up going with port knocking and just installed knockd. Too
> > cool, i always thought it was harder to set up than it is. I even
> > have it playing nice with shorewall. Thanks for the suggestions.
> 
> The problem with port knocking is that it doesn't allow connecting
> from everywhere since some providers filter some ports. And you also
> need a client that would know about port knocking, right? Is there
> some package that would do the following, for instance: leave port 22
> closed, but after a connection attempt, it is temporarily opened
> after 5 seconds for this address (with a timeout of 1 minute). After
> a successful connection, the address is whitelisted.
> 
> This would not be difficult to implement, but I haven't had the time
> yet... So, if there's something that already exists and does exactly
> what I want, I'd be very interested.

Successful TCP connection != Successful SSH connection

This would be quite difficult to implement correctly and would require
very tight coupling between your firewalling application and the daemons
that make use of this.

Iptables works at layer 2/3, SSH is much higher level.  I can make a
successful TCP connection to any box out there that is listening on a TCP
port.  That is why I like the doorman approach.  You send a specially
crafted packet on the port to which you want to connect.  Any other
packet is ignored until after the special packet is received.  There is
no need to knock on different ports or to worry about ISP filtering.  It
also works at the same layer as iptables.

-Roberto
-- 
Roberto C. Sanchez
http://familiasanchez.net/~sanchezr
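Roberto's point above (a completed TCP handshake says nothing about whether SSH authentication succeeded) shapes the whitelisting step in Vincent's proposal. The following is an added example, not code from the thread: it scans sshd log lines and whitelists an address only when sshd itself reports an accepted authentication, never on the connection alone. The log lines, their format and the function names are constructed assumptions.

```python
import re

# Constructed sshd log excerpt (assumption: classic syslog-style sshd lines).
# Three clients complete a TCP connection; only one authenticates.
SAMPLE_LOG = """\
Jun 18 11:20:01 host sshd[1201]: Connection from 203.0.113.7 port 51012
Jun 18 11:20:01 host sshd[1201]: Did not receive identification string from 203.0.113.7
Jun 18 11:20:05 host sshd[1202]: Connection from 198.51.100.9 port 40022
Jun 18 11:20:06 host sshd[1202]: Failed password for invalid user admin from 198.51.100.9 port 40022 ssh2
Jun 18 11:20:09 host sshd[1203]: Connection from 192.0.2.5 port 33001
Jun 18 11:20:10 host sshd[1203]: Accepted publickey for alice from 192.0.2.5 port 33001 ssh2
"""

# A "Connection from" line only proves the TCP handshake completed.
CONNECT_RE = re.compile(r"sshd\[\d+\]: Connection from (\S+) port \d+")
# An "Accepted <method> for <user> from <addr>" line proves SSH authentication.
ACCEPT_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:publickey|password|keyboard-interactive)\S* "
    r"for (\S+) from (\S+) port \d+"
)


def classify(log_text):
    """Split addresses into those that merely connected and those that authenticated."""
    connected, authenticated = set(), {}
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connected.add(m.group(1))
            continue
        m = ACCEPT_RE.search(line)
        if m:
            authenticated[m.group(2)] = m.group(1)  # addr -> user
    return connected, authenticated


def whitelist_candidates(log_text):
    """Addresses that may be whitelisted: only those with an accepted SSH login."""
    _, authenticated = classify(log_text)
    return sorted(authenticated)


def tcp_only(log_text):
    """Addresses that completed TCP but never authenticated (never whitelist these)."""
    connected, authenticated = classify(log_text)
    return sorted(connected - set(authenticated))
```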
