
Re: web alternative to knockd for a "secure" sshd server?



On Fri, Apr 20, 2007 at 12:47:20PM +0300, Nick Demou wrote:
> The only service that listens to the internet on my pcs is sshd (on
> port 80 or 443 [1]). Since neither me nor sshd is perfect I would like
> to get rid of as much attackers as possible. My idea was to use port
> knocking. So I tested knockd and it seems nice[2] except one minor
> thing[3] and a major problem: if I am visiting some firewalled network
> that only allows connections to port 80,443 (and if you are lucky 110)
> there are hardly any ports to knock :(

OT - but a lot of firewalls/proxies allow through 563 - nntps. It is part of
the RFC, so by default 80, 443 & 563 are allowed through/proxied.


> 
> Any other idea of simple measures that will keep as many attackers
> away from the one and only service that is listening to the Internet?
> 
> I was thinking about some super-simple web server that as soon as it
> takes a request like GET /let_me_in at port 80 adds a rule to allow
> incoming connections to port 443 (where sshd will be listening). I
> could modify some simple python web server but this will have to wait
> for free time to visit me and will certainly be worse from a security
> point of view than some tested daemon in C.
> 
> Nick
> ______________
> [1] Some times I visit places with firewalls that only allow outgoing
> connections to port 80,443 so I prefer to set sshd to listen to those
> ports. However I suppose that crackers are not idiots, they must have
> noticed that a lot of admins set sshd on those ports, so they will be
> routinely scanning ports 22,80,443 (even likely 1022,10022 also) for
> ssh servers.
> 
> [2] easy to setup and configure, easy to use even without specialized client
> 
> [3] It doesn't automatically remove iptables rules after you close the
> connection. So over time "allow" rules accumulate.
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org 
> with a subject of "unsubscribe". Trouble? Contact 
> listmaster@lists.debian.org
> 
> 

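The web-triggered "GET /let_me_in" gate Nick describes, sketched as an added example (not code from the thread or from knockd), with two changes a defender would want: the knock path carries a time-limited HMAC token instead of a static string that anyone who saw it could replay, and every opened rule carries a lease so that it is removed again, which is the accumulation problem from footnote [3]. Everything specific here is an assumption: the `/knock/<token>` path, the 30-second token window, the 300-second lease, and the iptables command shape; the commands are returned as argument lists rather than executed so the logic can be tested without touching the firewall.

```python
"""Hardened variant of the "GET /let_me_in" idea: a tiny HTTP gate that
opens the sshd port for the requesting IP only when a time-limited HMAC
token is presented, and forgets the rule again after a fixed lease.
Added example, not from the mailing-list thread."""
import hashlib
import hmac
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_STEP = 30       # seconds per token window (assumption)
LEASE_SECONDS = 300   # how long the port stays open for one IP (assumption)
SSH_PORT = 443        # sshd listens here, as in the original post


def make_token(secret: bytes, now: float, step: int = TOKEN_STEP) -> str:
    """HMAC-SHA256 over the current time window, truncated to 16 hex chars.
    Unlike a static path, this token is useless outside its window."""
    window = int(now // step).to_bytes(8, "big")
    return hmac.new(secret, window, hashlib.sha256).hexdigest()[:16]


def token_valid(secret: bytes, presented: str, now: float, step: int = TOKEN_STEP) -> bool:
    """Accept the current and the previous window (clock skew), constant-time compare."""
    return any(hmac.compare_digest(make_token(secret, t, step), presented)
               for t in (now, now - step))


def allow_cmd(ip: str) -> list[str]:
    # Constructed iptables invocation: open SSH_PORT for this source only.
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp",
            "--dport", str(SSH_PORT), "-j", "ACCEPT"]


def delete_cmd(ip: str) -> list[str]:
    # Exact inverse of allow_cmd, so the rule is removed when the lease ends.
    return ["iptables", "-D", "INPUT", "-s", ip, "-p", "tcp",
            "--dport", str(SSH_PORT), "-j", "ACCEPT"]


class Gate:
    """Tracks which IPs currently hold a lease so rules never accumulate."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.leases: dict[str, float] = {}   # ip -> expiry timestamp

    def knock(self, path: str, ip: str, now: float):
        """Returns (http_status, iptables_command_or_None) for one request."""
        prefix = "/knock/"   # hypothetical path
        if not path.startswith(prefix) or not token_valid(self.secret, path[len(prefix):], now):
            return 404, None                      # indistinguishable from a miss to a scanner
        if ip in self.leases:
            self.leases[ip] = now + LEASE_SECONDS   # refresh; do not insert a duplicate rule
            return 204, None
        self.leases[ip] = now + LEASE_SECONDS
        return 204, allow_cmd(ip)

    def expire(self, now: float) -> list[list[str]]:
        """Commands removing rules whose lease has run out."""
        gone = [ip for ip, exp in self.leases.items() if exp <= now]
        for ip in gone:
            del self.leases[ip]
        return [delete_cmd(ip) for ip in gone]


def serve(gate: Gate, run, port: int = 80) -> None:
    """Bind the gate to a real HTTP server; `run` executes a command list."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            now = time.time()
            for cmd in gate.expire(now):          # sweep stale leases on every request
                run(cmd)
            status, cmd = gate.knock(self.path, self.client_address[0], now)
            if cmd:
                run(cmd)
            self.send_response(status)
            self.end_headers()

        def log_message(self, *args):             # keep tokens out of the access log
            pass

    HTTPServer(("0.0.0.0", port), Handler).serve_forever()


if __name__ == "__main__":
    import subprocess
    # Constructed secret; in practice read it from a root-only file.
    serve(Gate(b"change-me"), lambda cmd: subprocess.run(cmd, check=True))
```

Two operational notes. The lease only closes the door for new connections: a session already established keeps working only if the chain has the usual `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule ahead of the per-IP rules, and it is cut off otherwise, so pick the lease and the rule order together. And because the sweep runs on incoming requests, a host that receives no further requests keeps its last rule until the next one arrives; a periodic timer calling `gate.expire` fixes that.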