Re: pf port knocking
My heartfelt thanks for all the assistance there. ffs, you speak like some sort of lord who cannot be bothered assisting the peasants. I get an inkling you emanate from such lofty heights.

Now, I admit I am not on the main bsd list (even if I was, I don't have time to even skim the headers from all the postings it gets) but I have been on the pf list for about 6 months and thought this was a relevant topic for discussion.

Now, I don't think port knocking is the latest fad (how it would add to liability is beyond me). Rather, I think it a relevant security implementation for my situation. From the sounds, we will be getting a large number of external contractors, many of whom will be travelling, so this seemed a good fit. Surely you would agree that if a service appears closed, that provides increased security. Additionally, it seems pretty straightforward to implement (even to me who hasn't programmed in about 2 years); so a time vs reward analysis stacks up.

I don't see the problem; a simple addition to give additional security. Simply changing the ssh port isn't good enough. Source IP filtering won't cut the mustard as I don't know which IPs people will get when they are using global roaming dial-up services. So, where does that leave me? Either just leave it as is, add a VPN (that I would still like to appear closed) or implement some system to hide the port. Now, leaving it as is will probably be absolutely fine provided the service is kept up to date. Installing a VPN is planned. Adding this extra layer of port security seems prudent and cost effective.

So, yeah, whatever, it seems I will go it alone.

Cheers
Andrew

--- jared r r spiegel [EMAIL PROTECTED] wrote:
> On Fri, Dec 17, 2004 at 06:05:39PM -0500, Roy Morris wrote:
> > If you want to knock off most of the port pounding twits, stop allowing ssh from 'any', filter instead by source.
> > If you can't do that, because you MUST have access from your remote laptop, then maybe try using a ssh rule that says use OS type = my remote OS.
>
> that would probably work for most intents and purposes, but i know the pf.conf(5) specifically cautions against using OS fingerprints for security enforcement. it suggests they're for policy implementation at best.
>
> rather than allowing for your laptop like that, i'd probably go the route of starting a second sshd listening on whatever port ( where reserved is likely better than not ) for the purposes of authpf(8) to allow a hole into tcp:22.
>
> jared
>
> --
> [ openbsd 3.6 GENERIC ( nov 4 ) // i386 ]
Re: pf port knocking
I'm wondering, wouldn't port knocking be fairly simple to attack, with a systematic knock on random ports? I'm just a newbie, but that seems like a real concern to me...

On Sunday 19 December 2004 3:29 am, you wrote:
> [snipped: Andrew's message, quoted in full at the top of this page]

--
Glenn Gaetz
Re: pf port knocking
On Sun, Dec 19, 2004 at 10:29:49PM +1100, A wrote:
> My heartfelt thanks for all the assistance there. ffs, you speak like some sort of lord who cannot be bothered assisting the peasants. I get an inkling you emanate from such lofty heights.
>
> Now, I admit I am not on the main bsd list (even if I was, I don't have time to even skim the headers from all the postings it gets) but I have been on the pf list for about 6 months and thought this was a relevant topic for discussion.

skim headers? ffs:

http://marc.theaimsgroup.com/?l=openbsd-pf&w=2&r=1&s=port+knocking&q=b
http://marc.theaimsgroup.com/?l=openbsd-misc&w=2&r=1&s=port+knocking&q=b

jared

--
[ openbsd 3.6 GENERIC ( nov 4 ) // i386 ]
Re: pf port knocking
> For those unfamiliar with the technique, it is like knocking a certain pattern/code on a door to open it.

anyone unfamiliar with the technique hasn't read the archives whatsoever and thus is not going to garner favour from anyone here at all.

> Has anyone heard of anyone working on a portknocking daemon for OBSD/pf? There are a couple of basic setups over at www.portknocking.org but thought I would check here before attempting a port.

i would venture to guess, probably not. portknocking topic shows up in pf@ or misc@ once every three months it seems, and someone comes in all full of stars and hope, but the blinding majority of code-contributing members, as well as at least the regular majority of list members don't really seem to want anything to do with it... some people seem to think it's cool and hip and stealthy while others think it is cumbersome, increases liability, and is essentially energy better spent elsewhere.

> they have at portknocking.org and see what I can do for pf. I would imagine I will have to setup anchors in pf which I haven't done yet but am sure I will get my head around it. Any pointers would be appreciated! :)

anchors are cake. spend some time with authpf(8) and you can get to know anchors very quickly.

instead of motioning to start a discussion about something that will probably want to make people jump down your throat, perhaps just use LogLevel QUIET or FATAL for sshd? if you think that sshd is a loose end that needs to be tied up, why not just do something far simpler and clearer like setup isakmpd or whatever vpn setup you need and only let sshd listen on the internal iface or otherwise filter the rest out? far less crappy voodoo to break or setup wrong.

> I will also need to write a windows util to do the knocking for the contractors - can Perl run on a Windows machine or will I have to dust off my C compiler? :)

i think there are perl interpreters for windows.

jared

--
[ openbsd 3.6 GENERIC ( nov 4 ) // i386 ]
RE: pf port knocking
change your ssh port to like 30222 or something ..

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of A
Sent: December 17, 2004 12:12 AM
To: [EMAIL PROTECTED]
Subject: pf port knocking

Hey all

I am getting tired of seeing the following popping up every day (with various IPs) on my log server.

* ROOT FAILURES
jasper ssh2(pw) @221.143.156.58(3)
* User Failures
admin ssh2(pw) jasper(2)
andrew ssh2(pw) jasper(1)
angel ssh2(pw) jasper(1)
barbara ssh2(pw) jasper(1)
ben ssh2(pw) jasper(1)
betty ssh2(pw) jasper(1)
billy ssh2(pw) jasper(1)
black ssh2(pw) jasper(1)
blue ssh2(pw) jasper(1)
brandon ssh2(pw) jasper(1)
brian ssh2(pw) jasper(1)
buddy ssh2(pw) jasper(1)
carmen ssh2(pw) jasper(1)
charlie ssh2(pw) jasper(1)
daniel ssh2(pw) jasper(1)
david ssh2(pw) jasper(1)
dog ssh2(pw) jasper(1)
emily ssh2(pw) jasper(1)
eric ssh2(pw) jasper(1)
god ssh2(pw) jasper(1)
green ssh2(pw) jasper(1)
guest ssh2(pw) jasper(1)
henry ssh2(pw) jasper(1)
jane ssh2(pw) jasper(1)
jason ssh2(pw) jasper(1)
jeremy ssh2(pw) jasper(1)
joe ssh2(pw) jasper(1)
johnny ssh2(pw) jasper(1)
jordan ssh2(pw) jasper(1)
justin ssh2(pw) jasper(1)
larisa ssh2(pw) jasper(1)
lion ssh2(pw) jasper(1)
lp ssh2(pw) jasper(1)
lucy ssh2(pw) jasper(1)
magic ssh2(pw) jasper(1)
mail ssh2(pw) jasper(1)
maria ssh2(pw) jasper(1)
market ssh2(pw) jasper(1)
matthew ssh2(pw) jasper(1)
max ssh2(pw) jasper(1)
michael ssh2(pw) jasper(1)
nathan ssh2(pw) jasper(1)
nicholas ssh2(pw) jasper(1)
nicole ssh2(pw) jasper(1)
operator ssh2(pw) jasper(1)
pub ssh2(pw) jasper(1)
red ssh2(pw) jasper(1)
robin ssh2(pw) jasper(1)
rose ssh2(pw) jasper(1)
shell ssh2(pw) jasper(1)
stephen ssh2(pw) jasper(1)
steven ssh2(pw) jasper(1)
system ssh2(pw) jasper(1)
test ssh2(pw) jasper(2)
tom ssh2(pw) jasper(1)
user ssh2(pw) jasper(1)
vampire ssh2(pw) jasper(1)
william ssh2(pw) jasper(1)
yellow ssh2(pw) jasper(1)

Just script kiddies most probably.

Plus, we use public/private keys on jasper so it's not like people are going to get in that way. However, having the port wide open does give the possibility that a bug in the SSH daemon (if one pops up) could open the door for a hacker to get in. Further, jasper is the only machine that is externally accessible via SSH (the only other open ports are domain, web and mail on other servers). I need to leave SSH open as a number of people work remotely and tunnel through it to some of the services on the internal network. Additionally, we are about to setup a system to run a VPN between our office and some contractors. I would like that box's IP to appear offline/completely closed (until required) as well.

To sum up, apart from web, mail and domain (to specific servers), I would much prefer that every port appear closed. To achieve this, I would like to implement port knocking on the gateway firewall (runs OBSD 3.4 and pf).

For those unfamiliar with the technique, it is like knocking a certain pattern/code on a door to open it. Here, you fire connections at a server on designated ports to instruct the firewall to open a port. So, if the firewall detects a connection on ports 14289, 32883, 1234 and 3428 (in that order), port 22 is opened for the relevant IP address.

Has anyone heard of anyone working on a portknocking daemon for OBSD/pf? There are a couple of basic setups over at www.portknocking.org but thought I would check here before attempting a port. If no work has begun, I think I will take the perl prototype script they have at portknocking.org and see what I can do for pf. I would imagine I will have to setup anchors in pf which I haven't done yet but am sure I will get my head around it. Any pointers would be appreciated! :)

I will also need to write a windows util to do the knocking for the contractors - can Perl run on a Windows machine or will I have to dust off my C compiler? :)

Andrew
Re: pf port knocking
On Friday 17 December 2004 15:45, Roy Morris wrote:
> change your ssh port to like 30222 or something ..

That's dumb. Choose a port < 1024.
Re: pf port knocking
On Friday 17 December 2004 06:11, A wrote:
> Further, jasper is the only machine that is externally accessible via SSH (the only other open ports are domain, web and mail on other servers). I need to leave SSH open as a number of people work remotely and tunnel through it to some of the services on the internal network.

Try to reduce the access with options like OS-fingerprinting, src-IP, src-port.
Re: pf port knocking
Ed White [EMAIL PROTECTED] wrote:
| On Friday 17 December 2004 15:45, Roy Morris wrote:
| | change your ssh port to like 30222 or something ..
|
| That's dumb.

why?

| Choose a port < 1024.

why?
Re: pf port knocking
On Fri, 2004-12-17 at 15:51, Peter GILMAN wrote:
> Ed White [EMAIL PROTECTED] wrote:
> | On Friday 17 December 2004 15:45, Roy Morris wrote:
> | | change your ssh port to like 30222 or something ..
> |
> | That's dumb.
>
> why?
>
> | Choose a port < 1024.
>
> why?

not trying to speak for ed, but IMHO...it's dumb because any yahoo with a local account on a machine can create a listening socket on a port >= 1024. running a daemon on a port < 1024 requires privilege (thus the name)...sshd deserves the VIP treatment.

if it doesn't conflict with an ssl httpd...443 is an awfully remote-side-firewall-friendly choice for an alternate sshd port...

-j

--
I hope I didn't brain my damage.
--The Simpsons
RE: pf port knocking
> not trying to speak for ed, but IMHO...it's dumb because any yahoo with a local account on a machine can create a listening socket on a port >= 1024.

Anyone can create a socket above 1024 anyway, regardless .. this has nothing to do with ssh. If you are running a server, full of users with shell access, you must have a completely different security model. If this is a gateway then ... I don't want to beat this to death, so let me say this is my opinion.

If you want to knock off most of the port pounding twits, stop allowing ssh from 'any', filter instead by source. If you can't do that, because you MUST have access from your remote laptop, then maybe try using a ssh rule that says use OS type = my remote OS.

Cheers
Rm