The 12 digits, are the numbers that make up your 4 octets of your IP address.
I'm going very low tech on this.
As you tcp-ping (or telnet as I used in my demo), the appropriate ports, the
shell scripts configured to run via xinet.d config files, write numbers, 1 per
line into a temporary file.
Once you've written all 12 digits (including leading zeros), then hit one of
the 2 command ports.
One command port reads the temp file, creates the IP address to use, then
opens a reverse tunnel to the IP address noted in the temp file. This
requires the use a public key (already configured in the client system as an
authorized key). The plus side to this, is that there are NO SSH daemons
running on the box ever.
The 2nd command port reads the temp file, modifies the iptables, spawns a
temporary sshd on an off port. Waits 30 seconds, then removes the iptables
entry, and kills the sshd process. The plus side to this, is that there are
NO ssh daemons running normally, nothing to see, nothing to probe.
Since it's all low tech, there's no packet vulnerabilities, no way for an
attacker to gain a foot hold into the system.
The shell scripts don't even talk to the ports, or the tcp stack. They just
write a number, appending to a temporary file.
One is a nice simple call back routine (like the old secure BBS days), while
the other allows a 30 second window to a specific IP address.
guyverdh@mchsi.com wrote:
Both versions use a series of scripts to write numerals into a temporary
file
via knocks on specific ports. This file is then read when one of two ports
are
knocked after having 12 digits written to the file.
expand on this, please - what are those 12 digits, where do you get them
from, ... ?
One port, reads the temporary file, builds the IP address, then creates an
iptables entry that allows the specified IP address to connect via SSH for
approximately 30 seconds. It then closes the SSHD daemon, and drops the
iptables entry.
Standard port knocking, well documented. What's the use of the tempfile ?
The second port, reads the temporary file, builds the IP address, then
causes
SSH to connect to the specified IP address with a backchannel defined. This
allows the remote client to ssh into the server via this backchannel.
If I understand this correctly, you're going to tunnel an SSH connection
over another SSH connection ? Why ?
--
You will gain money by a fattening action.
--
Public GPG key at blackhole.pca.dfn.de
GCS/IT d- s:+ a- C(+++)$ UL++++$ P+++(++++)$ L++(+++)$ !E- W+(+++)$
N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv--
b++(++++) DI++(++++) D++ G e++>+++++ h(+) r y+**
--- Begin Message ---
|
Subject: |
Re: SSHD and SSH Call-out via Port Knocking |
|
Date: |
Wed, 7 Sep 2005 09:06:12 +0000 |
signature.asc
Description: OpenPGP digital signature
--- End Message ---
