[clug] mc-root anyone?

Daniel Pittman daniel at rimspace.net
Fri Jun 19 13:08:37 GMT 2009


Michael Cohen <scudette at gmail.com> writes:
> On Fri, Jun 19, 2009 at 1:21 PM, Daniel Pittman<daniel at rimspace.net> wrote:
>
>> You would do just as well using another, more standard, protocol to
>> exchange a password with the client before opening your firewall; "port
>> knocking" is absolutely no more secure than anything else, and is less
>> widely used, so less widely tested.
>
> What is a secure protocol to use to control firewall rules?

SSH, or HTTP over SSL.  (Anything widely used over SSL, actually, but HTTP is
the most common example.  XMPP might do, actually.  IM a password and IP
address to your firewall-bot, with appropriate authentication. ;)

[...]

> Note I am not using it as a form of security by itself, just as a way of
> hiding the ssh port so it's not visible to the general internet - once the
> port is opened you still need to auth via ssh public key.

*nod*  In that regard, it does help.  It is just that the knock "protocol"
itself provides (at best) the same security as a password over HTTPS, and
probably worse.

> I use some common ports which are normally allowed by outbound firewalls
> like port 80 or 443. I suppose you can extend the idea to write a cgi script
> which opens up the port so you can auth to your web server (if it's on the
> fw) and pop the ssh port open - has the same effect.

*nod*  Except, unlike...

> knockd is very well tested, and very small indeed (lines of code) -
> considering how simple the whole program is (I looked at the code) it's
> pretty unlikely to have bugs.

...knockd, HTTP over SSL with OpenSSL is ... well.  I can't quote you a
figure, but I would lay good money that there has been a lot more auditing and
care put into the OpenSSL case than knockd. ;)

> All it does is look at the traffic using raw sockets (i.e. it doesn't listen
> to any connections itself) and count up the sequence.

Aside from the objection that listening to traffic on a raw socket *is*
listening to a connection, that is true.

> I suggest it is fairly well used (don't have actual usage figures though).

*nod*  Which is why I am not saying "don't use it", as I would for (as an
example) vtun or n2n as a VPN client: they have a protocol so broken that any
current claim to security is a joke.

Instead, I say that in my opinion you are better off with a more tested and
audited protocol. :)

>> Something like authpf (ssh based, non-Linux) or an HTTPS secured page
>> exchanging username and password would be a better choice.
>
> Again, looking at the lines of code in ssh or openssl, it's quite significant and
> the protocols are fairly complex.

Yes, they are.  They are also well tested and carefully designed to resist
external attacks, and proved in the field every day.

> It's far more secure to have a simple knockd in front of any of the complex
> protocols as the hacker needs to get past first base even to launch any kind
> of ssh or ssl attacks.

Perhaps.  That really depends on the threat model.  However...

> It's basically a multilayered approach with the first layer moderately secure
> but really simple - then the hacker needs to attack SSH - that's the next
> layer and is much tougher.

...this is absolutely true, and knockd does that.  In truth, given the
relative importance of most of our networks at home (e.g. not important to
anyone but us, really) improvements beyond what knockd provides are probably
gilding the lily. ;)

>> You could use the ProxyCommand stuff to tunnel for you, using something like:

[...]

> Thanks to you and to earlier posters for explaining this idea. I wanted to
> avoid writing a shell script so I used this in the end:
>
> ProxyCommand bash -c "knock .....; nc %h %p"

Heh.  Well, an inline shell script is just as good. ;)

>> You lose the direct IP to ssh key binding check, thanks to the proxy
>> command, but you gain the ability to do more complicated things to
>> establish the connection.
>
> Yeah, I had not thought of that side effect - thanks for bringing it up.  It
> might not be a big problem because I think the hostname to key mapping will
> still be the same. It's like connecting to a host behind a dynamic IP.

I use a proxy connection for most of the machines I log into for reasons too
annoying to go into.  I have no real concern about the IP changing without
being detected, since the hostname to key binding is sufficient for my needs.

Regards,
        Daniel
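The ProxyCommand approach discussed in the thread (knock, then hand the socket to nc), written out as a small helper script. This is an added example, not code posted by either participant and not part of knockd or OpenSSH: the script name knock-proxy.sh, the knock ports 7000 8000 9000, the use of `nc -z` as the knock client and the KNOCK_DRY_RUN variable are all assumptions made for the example.

```sh
#!/bin/sh
# knock-proxy.sh (added example, not code from the thread): an ssh ProxyCommand
# helper that sends the knock sequence and then hands the connection to nc.
# Assumed ssh_config usage, with %h/%p substituted by ssh:
#
#   Host gw
#       ProxyCommand /usr/local/bin/knock-proxy.sh %h %p 7000 8000 9000
#
# The knock ports 7000 8000 9000 and the use of "nc -z" as the knock client are
# assumptions; use whatever sequence knockd on the gateway is configured for.
# KNOCK_DRY_RUN=1 prints the commands instead of touching the network.

# knock_host HOST PORT...: one connection attempt per port, in order. knockd
# reads the SYNs off a raw socket, so a refused or timed-out connect still
# counts; attempts are sequential, which keeps the sequence ordered.
knock_host() {
    k_host=$1; shift
    for k_port in "$@"; do
        if [ -n "$KNOCK_DRY_RUN" ]; then
            echo "nc -z -w 1 $k_host $k_port"
        else
            nc -z -w 1 "$k_host" "$k_port" 2>/dev/null || true
        fi
    done
}

# proxy_connect HOST SSHPORT KNOCKPORT...: knock, then exec nc so that ssh's
# stdin/stdout are relayed to the now-open ssh port.
proxy_connect() {
    target=$1; ssh_port=$2; shift 2
    knock_host "$target" "$@"
    if [ -n "$KNOCK_DRY_RUN" ]; then
        echo "nc $target $ssh_port"
    else
        exec nc "$target" "$ssh_port"
    fi
}

# Act only when run as a script with host, port and at least one knock port;
# sourcing the file just defines the functions.
if [ $# -ge 3 ]; then
    proxy_connect "$@"
fi
```

Nothing here changes the ssh authentication step: the public-key check still happens once the knock has opened the port, and, as noted above, ssh's known_hosts binding is by hostname, so the only thing lost through the proxy is the check that the IP address behind that hostname has not changed.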

