Contributed by sean on from the notional security through obscurity dept.
bsdal writes as follows:

In order to remove all those logs of people probing SSH, I keep PF configured to prevent access. A script looks for people accessing a specific page on the web service on the same machine. This script monitors the web logs, and when the specific page is accessed, it adds the source address to the table of addresses allowed to access port 22.
Conceptually similar to port knocking, but possibly more simple, I call this page knocking.
After trying to access the SSH service from behind a rather restrictive firewall, I thought that page knocking would allow for multiplexing a port. Those addresses not in the privileged table get an SSL web server when accessing port 443, while those in the table get access to an SSH service when accessing port 443, via PF redirects. A quick page knock adds your address to the table, and another page knock removes the address from the table. Keeping states means that once the SSH session is established, the address may be removed from the table while maintaining the SSH session and having all others coming from the same address given the regular service on port 443.

How would you approach this problem or improve on this solution?
For those interested, a more thorough explanation is available at http://www.otterhole.ca/knock/.
What kinds of problems do you use OpenBSD to solve?
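
An added example, not bsdal's script or code from the original post: a log parser that turns knock-page hits into `pfctl` table add and delete commands. The knock paths, the table name `ssh_allowed`, the combined log format and the requirement of a 200 response are all assumptions made for illustration.

```python
import ipaddress
import re

# Hypothetical knock pages and PF table name; none of these come from the post.
OPEN_PATH = "/knock-open-EXAMPLE"
CLOSE_PATH = "/knock-close-EXAMPLE"
TABLE = "ssh_allowed"

# Combined Log Format: client ident user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def knock_action(line):
    """Return ("add" | "delete", ip) for a valid knock line, else None."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "GET" or m["status"] != "200":
        return None  # assumption: only a successful GET counts as a knock
    # Compare the request path exactly, so the knock string showing up in a
    # query string, Referer or User-Agent is never treated as a knock.
    path = m["target"].split("?", 1)[0]
    action = {OPEN_PATH: "add", CLOSE_PATH: "delete"}.get(path)
    if action is None:
        return None
    try:
        ip = str(ipaddress.ip_address(m["client"]))  # reject hostnames/garbage
    except ValueError:
        return None
    return action, ip

def pfctl_argv(action, ip, table=TABLE):
    """Build the pfctl command as an argv list, so no shell parses the address."""
    return ["pfctl", "-t", table, "-T", action, ip]

# Constructed sample log lines using documentation address ranges.
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /knock-open-EXAMPLE HTTP/1.1" 200 12 "-" "curl"',
    '198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "https://example.org/knock-open-EXAMPLE" "x"',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /knock-open-EXAMPLE HTTP/1.1" 404 0 "-" "x"',
    '203.0.113.7 - - [01/Jan/2024:10:05:00 +0000] "GET /knock-close-EXAMPLE HTTP/1.1" 200 12 "-" "curl"',
]

def commands_for(lines):
    return [pfctl_argv(*a) for a in map(knock_action, lines) if a]

if __name__ == "__main__":
    for argv in commands_for(SAMPLE):
        print(" ".join(argv))  # a real watcher would run argv with root privileges
```

Only the first and last sample lines produce commands; the line carrying the knock path in its Referer and the 404 line are ignored.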