[clug] mc-root anyone?

Kim Holburn kim at holburn.net
Fri Jun 19 08:19:25 GMT 2009


On 2009/Jun/19, at 9:33 AM, Michael Cohen wrote:

> On Fri, Jun 19, 2009 at 1:21 PM, Daniel Pittman<daniel at rimspace.net>  
> wrote:
>> You would do just as well using another, more standard, protocol to  
>> exchange a
>> password with the client before opening your firewall; "port  
>> knocking" is
>> absolutely no more secure than anything else, and is less widely  
>> used, so less
>> widely tested.
>
> What is a secure protocol to use to control firewall rules?

I've used ipt_recent and there are probably userland targets or you  
can use scripts.

> UPnP or
> something? Note I am not using it as a form of security by itself,
> just as a way of hiding the ssh port so it's not visible to the general
> internet - once the port is opened you still need to auth via ssh
> public key.  I use some common ports which are normally allowed by
> outbound firewalls like port 80 or 443. I suppose you can extend the
> idea to write a cgi script which opens up the port so you can auth to
> your web server (if it's on the fw) and pop the ssh port open - has the
> same effect.
>
> knockd is very well tested, and very small indeed (lines of code) -
> considering how simple the whole program is (I looked at the code) it's
> pretty unlikely to have bugs. All it does is look at the traffic using
> raw sockets (i.e. it doesn't listen to any connections itself) and
> count up the sequence. I suggest it is fairly well used (don't have
> actual usage figures though).

But all that action happens in the clear and is interruptible and  
duplicable by a listener, i.e. an MITM attack.

>> Something like authpf (ssh based, non-Linux) or an HTTPS secured page
>> exchanging username and password would be a better choice.
>
> Again, looking at the lines of code in ssh or openssl, it's quite
> significant and the protocols are fairly complex.

And it's been thought through and tested for security by experts.

> It's far more secure
> to have a simple knockd in front of any of the complex protocols as the
> hacker needs to get past first base even to launch any kind of ssh or
> ssl attacks.

It might make you feel more secure.

Take out passwords and use RSA keys, it's built-in to ssh.  It can't  
be attacked like passwords and it's "very" secure, to quite large  
values of "very".

It's also easy to break a well constructed security system by adding  
stuff the original authors never thought you would and it's happened  
with ssh several times.  The startup protocols are critical to setting  
up ssh securely.  Be careful.

> It's basically a multilayered approach with the first
> layer moderately secure but really simple - then the hacker needs to
> attack SSH - that's the next layer and is much tougher.
>
>> You could use the ProxyCommand stuff to tunnel for you, using  
>> something like:
>>
>>    ProxyCommand ~/bin/ssh-proxy %h %p
>>
>>    ~/bin/ssh-proxy:
>>    #!/bin/sh
>>    # $1 is the host and $2 the port, as substituted for %h %p above
>>    /usr/bin/knock # or whatever sends your knock sequence to "$1"
>>    # exec so nc replaces this shell and ssh talks straight to the socket
>>    exec /usr/bin/nc "$1" "$2"
>
> Thanks to you and to earlier posters for explaining this idea. I
> wanted to avoid writing a shell script so I used this in the end:
>
> ProxyCommand bash -c "knock .....; nc %h %p"
>
> Works great, thanks.
>
>> You lose the direct IP to ssh key binding check, thanks to the  
>> proxy command,
>> but you gain the ability to do more complicated things to establish  
>> the
>> connection.
>
> Yeah I had not thought of that side effect - thanks for bringing it
> up.  It might not be a big problem because I think the hostname to key
> mapping will still be the same. It's like connecting to a host behind a
> dynamic IP.
>
> Thanks,
> Michael.
> --
> linux mailing list
> linux at lists.samba.org
> https://lists.samba.org/mailman/listinfo/linux

-- 
Kim Holburn
IT Network & Security Consultant
Ph: +39 06 855 4294  M: +39 3494957443
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request
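The two points argued above (knockd just watches raw-socket traffic and counts the sequence per source; anyone who can see that traffic can repeat it) can be shown with a small model. The following is an added example for this thread and is not knockd's code: it keeps per-source progress through a secret port sequence, resets on a wrong port or a knock that arrives after the timeout, and reports when the last knock lands. The sequence (7000, 8000, 9000), the 5 second timeout, and all IP addresses and timestamps in the trace are assumptions made up for the demo.

```python
"""Knock-sequence detection, and why a passive listener can replay it.

Added example for this thread; it is not knockd's code.  It models what a
knock daemon does with the raw-socket traffic it sees: keep per-source state
for how far a client has got through the secret port sequence, reset on a
wrong port or a too-slow knock, and "open" when the last knock lands.  The
sequence, timeout and IP addresses below are assumptions made up for the demo.
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # assumed secret sequence (knockd: 'sequence')
SEQ_TIMEOUT = 5.0                    # assumed max seconds between knocks (knockd: 'seq_timeout')


class KnockDetector:
    """Tracks knock progress per source IP, like a knock daemon's per-host state."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self._progress = {}  # src_ip -> (index of next expected knock, time of last knock)

    def observe(self, ts, src_ip, dst_port):
        """Feed one observed SYN (timestamp, source IP, destination port).

        Returns True exactly when src_ip completes the sequence, i.e. when a
        real daemon would now run its 'open' command (typically an iptables
        rule admitting src_ip to the SSH port)."""
        idx, last = self._progress.get(src_ip, (0, None))
        if last is not None and ts - last > self.timeout:
            idx = 0                                   # stale: start the sequence over
        idx = idx + 1 if dst_port == self.sequence[idx] else 0   # wrong port resets
        if idx == len(self.sequence):
            self._progress.pop(src_ip, None)
            return True
        self._progress[src_ip] = (idx, ts)
        return False


def run_trace(packets, detector=None):
    """Run a packet list through a detector; return the source IPs that opened."""
    det = detector or KnockDetector()
    return [src for ts, src, port in packets if det.observe(ts, src, port)]


def replay_as(attacker_ip, captured, start_ts):
    """What an on-path listener does: resend the captured knocks from its own IP.

    Nothing in a knock is bound to the sender, so the same ports in the same
    order from a different address are indistinguishable from the owner."""
    base = captured[0][0]
    return [(start_ts + (ts - base), attacker_ip, port) for ts, _src, port in captured]


# Constructed trace (not real traffic): (timestamp, src_ip, dst_port)
SAMPLE_TRACE = [
    (0.0, "198.51.100.7", 7000),   # legitimate client, correct sequence
    (1.0, "198.51.100.7", 8000),
    (2.0, "198.51.100.7", 9000),
    (3.0, "203.0.113.9", 7000),    # scanner: right first port, then a wrong one
    (3.5, "203.0.113.9", 22),
    (4.0, "203.0.113.9", 8000),
    (4.5, "203.0.113.9", 9000),
    (10.0, "198.51.100.8", 7000),  # too slow: second knock arrives after SEQ_TIMEOUT
    (20.0, "198.51.100.8", 8000),
    (21.0, "198.51.100.8", 9000),
]


def demo():
    """Return (who opened on the clean trace, who opened once a listener replays)."""
    honest = run_trace(SAMPLE_TRACE)
    captured = [p for p in SAMPLE_TRACE if p[1] == "198.51.100.7"]
    with_replay = run_trace(SAMPLE_TRACE + replay_as("192.0.2.66", captured, 30.0))
    return honest, with_replay


if __name__ == "__main__":
    honest, with_replay = demo()
    print("opened for:", honest)            # ['198.51.100.7']
    print("after replay:", with_replay)     # ['198.51.100.7', '192.0.2.66']
```

The scanner and the slow client never open anything, which is the filtering knockd gives you; the replayed knocks from 192.0.2.66 open it just like the owner's did, which is the "duplicable by a listener" problem. Whatever the knock opens still has to stand on its own, which is why the SSH key authentication behind it is the part doing the real work.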