On Wed, Jan 4, 2023 at 5:45 PM Tim Woodall <debianu...@woodall.me.uk> wrote:
>
> On Wed, 4 Jan 2023, Jeffrey Walton wrote:
>
> > On Wed, Jan 4, 2023 at 2:20 PM Tim Woodall <debianu...@woodall.me.uk> wrote:
> >> ...
> >>
> >> I've also thought about TOTP dns requests as a type of port knocking: a
> >> dns request to <TOTP>.knock.example.com would open the ssh port for a
> >> minute. A small local webpage to do the TOTP port knock in javascript
> >> should work anywhere. Something else that has been on my todo list for
> >> years.
> >
> > That is kind of clever. Do you know of any papers that discuss it?
>
> I don't know of any papers that discuss it and I certainly didn't write
> one.
>
> This is what I imagined:
>
> <totp>.knock.example.com
>
> bind (because that's what I use) configured to forward knock.example.com
> to an internal address.
>
> A small program listens and responds to all queries with 127.0.0.1 (I just
> found my C++ program to do this, written in 2018 - I'd probably use
> Python now). Because this program is only hit from a trusted server,
> it's unlikely to suffer exploitable issues. Malformed packets, for
> example, will not make it past the bind instance.
>
> The program also checks the TOTP and, if it matches the expected value
> (possibly with a threshold), updates an ipset with a catch-all address.
>
> iptables rule something like
> iptables -t filter -A INPUT -m set --match-set sshok src -m state --state NEW -j ACCEPT
> (you probably don't want to open everything)
>
> and some sort of cron job to delete the catch-all address.
>
> You could, of course, also do the same by hitting a webserver that
> checks the URL for the TOTP, but DNS is more reliable - you can usually
> get DNS packets through even where ISPs block running servers, and that
> can trigger constructing a tunnel to a server that can listen for
> incoming connections. Also, DNS better hides where you're connecting
> from.
>
> Finally, dns port knocking will work with anything that connects to a
> dns name, as the name lookup must happen before the connection, although
> in that case the returned address needs to be the target address, not
> 127.0.0.1
I was talking to Peter Gutmann about SSH hardening. He shared a recent RFC pro SSH preauth: https://datatracker.ietf.org/doc/draft-gutmann-ssh-preauth/ . The preauth scheme does not hide the service like your TOTP scheme. However, it looks like both schemes achieve the same thing - they both avoid the costly key exchange. Avoiding the key exchange is a big win since those public key operations are so costly.

Jeff
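The knock responder Tim sketches above, written out as an added example. This is not his 2018 C++ program nor anything from the thread; it assumes a knock zone of knock.example.com, TOTP per RFC 6238 (HMAC-SHA1, 6 digits, 30 s step) with a +/-1 step "threshold", and it stands in for the ipset update with an `on_open` callback so it runs offline. Two details the message leaves implicit are made explicit: the parser rejects anything that is not a single plain question (the layer bind would normally shield), and an accepted counter is never accepted twice, so a captured knock cannot be replayed inside the window.

```python
"""DNS-label TOTP port-knock responder (added example, not the thread's own code).

Assumed, not from the original message: zone knock.example.com, RFC 6238 TOTP
(HMAC-SHA1, 6 digits, 30 s step, +/-1 step window) and an on_open callback in
place of the real `ipset add sshok ...` step.
"""
import hashlib
import hmac
import socket
import struct
import time

STEP = 30
DIGITS = 6
ZONE = ("knock", "example", "com")   # assumed knock zone
LOOPBACK = b"\x7f\x00\x00\x01"       # 127.0.0.1, the answer every query gets


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 TOTP: HOTP over the number of 30 s steps since the Unix epoch."""
    return hotp(secret, int(at) // STEP)


def knock_name(secret: bytes, at: float, zone=ZONE) -> str:
    """Client side: the name to look up, <totp>.knock.example.com."""
    return totp(secret, at) + "." + ".".join(zone)


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Client side: a plain A/IN query in wire format."""
    q = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    for label in name.split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    return q + b"\x00" + struct.pack(">HH", 1, 1)


def parse_query(packet: bytes):
    """Return (txid, labels, question_section); ValueError on anything unusual."""
    if len(packet) < 12:
        raise ValueError("short header")
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(packet):
            raise ValueError("compression pointer or bad label length")
        labels.append(packet[pos:pos + n].decode("ascii"))  # UnicodeError is a ValueError
        pos += n
    if pos + 4 > len(packet):
        raise ValueError("missing QTYPE/QCLASS")
    return txid, labels, packet[12:pos + 4]


def build_response(txid: int, question: bytes, rdata: bytes, ttl: int = 0) -> bytes:
    """Echo the question and add one A record whose name points back at the qname."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, NOERROR
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


class KnockResponder:
    def __init__(self, secret, zone=ZONE, open_seconds=60, window=1, on_open=None):
        self.secret, self.zone = secret, tuple(zone)
        self.open_seconds, self.window = open_seconds, window
        self.on_open = on_open        # production hook: run the ipset add here
        self.last_counter = -1        # replay guard: a counter is accepted at most once
        self.open_until = 0.0         # stand-in for the ipset entry's lifetime

    def _check_code(self, code: str, now: float) -> bool:
        if len(code) != DIGITS or not code.isdigit():
            return False
        base = int(now) // STEP
        for c in range(base - self.window, base + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False

    def handle(self, packet: bytes, now=None):
        """Answer any well-formed query with 127.0.0.1; open the port only on a good knock."""
        now = time.time() if now is None else now
        txid, labels, question = parse_query(packet)
        opened = False
        in_zone = len(labels) == len(self.zone) + 1 and \
            tuple(l.lower() for l in labels[1:]) == self.zone
        if in_zone and self._check_code(labels[0], now):
            self.open_until = now + self.open_seconds
            opened = True
            if self.on_open:
                self.on_open(self.open_seconds)
        return build_response(txid, question, LOOPBACK), opened

    def is_open(self, now=None) -> bool:
        return (time.time() if now is None else now) < self.open_until


def serve(responder: KnockResponder, addr=("127.0.0.1", 5353)):
    """UDP loop for the internal address bind forwards the zone to (assumed port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(addr)
        while True:
            data, peer = s.recvfrom(512)
            try:
                reply, _ = responder.handle(data)
            except ValueError:
                continue              # drop malformed packets silently
            s.sendto(reply, peer)


if __name__ == "__main__":
    seed = b"12345678901234567890"    # RFC 6238 test seed, not a real secret
    r = KnockResponder(seed, on_open=lambda ttl: print(f"would run: ipset add ... timeout {ttl}"))
    _, ok = r.handle(build_query(knock_name(seed, time.time())))
    print("knock accepted:", ok)
```

Two points worth noting on the design: the replay guard matters because the knock travels in cleartext through any resolver on the path, so whoever sees it holds a valid code for up to three steps; and `open_seconds` models the lifetime Tim delegates to a cron job, which in practice can also be done with an ipset entry timeout.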