On Fri, 20 Apr 2007, Nick Demou wrote:

The only service that listens to the internet on my pcs is sshd (on
port 80 or 443 [1]). Since neither I nor sshd is perfect I would like
to get rid of as many attackers as possible. My idea was to use port
knocking. So I tested knockd and it seems nice[2] except one minor
thing[3] and a major problem: if I am visiting some firewalled network
that only allows connections to port 80,443 (and if you are lucky 110)
there are hardly any ports to knock :(

Any other idea of simple measures that will keep as many attackers
away from the one and only service that is listening to the Internet?

I was thinking about some super-simple web server that as soon as it
takes a request like GET /let_me_in at port 80 adds a rule to allow
incoming connections to port 443 (where sshd will be listening). I
could modify some simple python web server but this will have to wait
for free time to visit me and will certainly be worse from a security
point of view than some tested daemon in C.

Nick
______________
[1] Sometimes I visit places with firewalls that only allow outgoing
connections to port 80,443 so I prefer to set sshd to listen to those
ports. However I suppose that crackers are not idiots, they must have
noticed that a lot of admins set sshd on those ports, so they will be
routinely scanning ports 22,80,443 (even likely 1022,10022 also) for
ssh servers.

[2] easy to set up and configure, easy to use even without specialized client

[3] It doesn't automatically remove iptables rules after you close the
connection. So over time "allow" rules accumulate.


I'm not sure if this fits what you are looking for or not:
http://www.cipherdyne.org/fwknop/

This does single packet authentication, you send a specially crafted packet to the server, through a client app though, and it opens up the firewall for you for a specified amount of time and closes it back up after you are done.

-+-
8 out of 10 Owners who Expressed a Preference said Their Cats Preferred Techno.
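Both messages above describe the same shape of mechanism: an authenticated request on a port that travels through restrictive firewalls (Nick's "GET /let_me_in" on port 80, or fwknop's single packet) that opens the firewall for the caller's address for a limited time and closes it again. The sketch below is an added example, not Nick's server and not fwknop's protocol or code. It shows the two things a home-grown version most often gets wrong: the knock must be authenticated and replay-resistant (an HMAC over a timestamp, a nonce and the source address, checked with a constant-time compare), and the "allow" rule must carry an expiry so rules do not accumulate as in Nick's footnote [3]. The token format, the `/let_me_in/<token>` path, the shared-secret setup and the timeouts are assumptions made here; the firewall side is passed in as a callable so the validation logic can be exercised without root and the real iptables command is only built as an argv list.

```python
"""Authenticated HTTP "knock" that opens sshd's port for one source address,
with replay protection and automatic rule expiry.

Added illustrative example: not Nick's server and not fwknop's SPA protocol.
Token format, /let_me_in/<token> path and shared-secret setup are assumptions.
"""
import hashlib
import hmac
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, List, Optional

KNOCK_WINDOW_SECONDS = 30   # accept knocks whose timestamp is within +/- this skew
OPEN_DURATION_SECONDS = 60  # an accepted knock keeps the port open this long
SSH_PORT = 443              # the port sshd listens on in the original post


def iptables_argv(action: str, client_ip: str, port: int = SSH_PORT) -> List[str]:
    """iptables command that adds (-I) or deletes (-D) a per-source ACCEPT rule
    for the ssh port. Returned as argv, never as a shell string."""
    flag = {"add": "-I", "delete": "-D"}[action]
    return ["iptables", flag, "INPUT", "-s", client_ip, "-p", "tcp",
            "--dport", str(port), "-j", "ACCEPT"]


def make_knock(key: bytes, client_ip: str, now: float,
               nonce: Optional[bytes] = None) -> str:
    """Client side: token = '<unix ts>.<nonce hex>.<hmac-sha256 hex>'. The MAC
    covers timestamp, nonce and the address the client will knock from, so a
    token captured on the wire cannot be reused from another host."""
    nonce = nonce if nonce is not None else secrets.token_bytes(8)
    ts = str(int(now))
    mac = hmac.new(key, f"{ts}.{nonce.hex()}.{client_ip}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{ts}.{nonce.hex()}.{mac}"


def parse_knock_path(path: str) -> Optional[str]:
    """Extract the token from /let_me_in/<token>; any other path is rejected."""
    prefix = "/let_me_in/"
    if not path.startswith(prefix):
        return None
    token = path[len(prefix):]
    return token if token and "/" not in token else None


class KnockServer:
    """Validates knocks and tracks the firewall rules it has opened."""

    def __init__(self, key: bytes, firewall: Callable[[str, str], None]):
        self.key = key
        self.firewall = firewall                    # firewall(action, ip)
        self.seen_nonces: Dict[str, float] = {}     # nonce hex -> forget after
        self.open_rules: Dict[str, float] = {}      # source ip -> close after

    def handle(self, client_ip: str, token: str, now: float) -> bool:
        parts = token.split(".")
        if len(parts) != 3 or not parts[0].isdigit():
            return False
        ts, nonce_hex, mac = parts
        if abs(now - int(ts)) > KNOCK_WINDOW_SECONDS:
            return False                            # stale or far-future knock
        expected = hmac.new(self.key, f"{ts}.{nonce_hex}.{client_ip}".encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False                            # wrong key or wrong source
        self.expire(now)
        if nonce_hex in self.seen_nonces:
            return False                            # replay inside the window
        self.seen_nonces[nonce_hex] = now + 2 * KNOCK_WINDOW_SECONDS
        if client_ip not in self.open_rules:
            self.firewall("add", client_ip)
        self.open_rules[client_ip] = now + OPEN_DURATION_SECONDS
        return True

    def expire(self, now: float) -> None:
        """Close rules whose lease has ended, so 'allow' rules never pile up.
        Called on every knock and from the main loop's timer."""
        for ip, until in list(self.open_rules.items()):
            if until <= now:
                self.firewall("delete", ip)
                del self.open_rules[ip]
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items() if t > now}


def make_handler(server: KnockServer):
    class KnockHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            token = parse_knock_path(self.path)
            if token is not None:
                server.handle(self.client_address[0], token, time.time())
            self.send_response(404)                 # same reply either way
            self.end_headers()

        def log_message(self, *args):               # keep tokens out of logs
            pass
    return KnockHandler


if __name__ == "__main__":
    import subprocess
    srv = KnockServer(b"REPLACE-WITH-A-REAL-SHARED-SECRET",
                      lambda a, ip: subprocess.run(iptables_argv(a, ip), check=True))
    httpd = HTTPServer(("0.0.0.0", 80), make_handler(srv))
    httpd.timeout = 5                               # wake regularly to expire rules
    while True:
        httpd.handle_request()
        srv.expire(time.time())
```

The server answers 404 whether or not the knock was accepted, so a scanner that hits `/let_me_in/...` learns nothing from the response. Because the MAC is bound to the source address, the client has to know the public address it will arrive from (what the server sees after NAT); that is the same trade-off fwknop's client makes when it tells the server which address to open. The nonce memory only needs to cover the clock-skew window, since anything older is already rejected by the timestamp check.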

