On 11/17/2016 02:19 PM, Jo wrote:
> Good day everyone!
Howdy!
> 
> I'm trying to secure an ssh hidden service with fwknop; the idea is to
> send the fwknop packet to the .onion address and also to ssh to the
> .onion address.

Ooh, cool concept.
> 
> But I've encountered two problems.
> 
> First of all I'm unable to set the default iptables rules to filter the
> incoming traffic.
> 
> The hidden service is configured as:
> 
>   HiddenServicePort 22 127.0.0.1:22
> 
> The only open port is TCP 80 where the fwknopd server is listening.
> 
> I've tried using these two rules (in addition to the default INPUT policy):
> 
>   iptables -A INPUT -s 127.0.0.1 -p tcp --sport 22 -j DROP
>   iptables -A INPUT -d 127.0.0.1 -p tcp --dport 22 -j DROP
I'd probably set a rule to allow ssh connections from the local network, and 
then drop everything else by default, rather than trying to match only the tor 
traffic. So something like...
iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j DROP
> 
> But I'm still able to ssh into the server :S
> 
> 
> The second problem is using fwknop to send a packet to an .onion. If I
> torify fwknop pointing to the IP address everything works flawlessly but
> if I torify it pointing to the .onion, the fwknopd logs show that tor is
> cutting the packet in several pieces, so the server takes it as several
> packets instead of one.
I had to think about this for a bit, but I believe I understand why this is 
happening.  When you are sending a packet over tor to the IP address, the last 
tor node removes the last layer of tor encryption, and the SPA packet is sent 
in the clear from that tor node to your server.
When you use a .onion address, the server *is* the last tor node.  Fwknop can't 
inspect the packet because it still has a layer of tor encryption around the 
packet.  (And potentially it also splits it into multiple packets.)  The 
encryption is removed by the tor daemon running on that machine.  It
might actually work to tell fwknop to watch the loopback interface.

An alternate solution might be the concept of a tor middlebox, as that seems to 
be a way to make tor work more like a virtual network interface, which should 
work as expected with fwknop.

This is a hairier problem than I first thought it would be.  Be sure to let us 
know if you get it working.  In a few months I *might* be able to put some 
effort into this problem, if you don't get it sorted by then.

--Jonathan Bennett

> 
> If you could help me I'll be glad :)
> 
> Cheers
> 
> 
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Fwknop-discuss mailing list
> Fwknop-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> 
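A check for the first problem above, added here as an example and not code from either poster: iptables stops at the first matching rule, so a DROP for port 22 only helps if no earlier ACCEPT already admits the connection, and because the tor daemon's HiddenServicePort 22 127.0.0.1:22 connects to 127.0.0.1:22 over the loopback interface, a common "-i lo -j ACCEPT" rule is one candidate. The script reads an "iptables -S INPUT" listing (a constructed sample is embedded; the exact listing layout is assumed) and prints the rules that could still admit a new tcp/22 connection.

```shell
#!/bin/sh
# Added example, not from the thread: audit an "iptables -S INPUT" listing for
# rules that admit a NEW TCP connection to port 22 before any DROP. iptables
# stops at the first matching rule, so an early ACCEPT makes a later DROP for
# port 22 irrelevant. Tor's HiddenServicePort 22 127.0.0.1:22 connects to
# 127.0.0.1:22 over loopback, so an "-i lo -j ACCEPT" rule is one to look for.

# Constructed sample shaped like "iptables -S INPUT" output (assumed layout).
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j DROP'

# Returns 0 if the rule's match part can apply to a packet to tcp/22: it
# either names port 22 or carries no port/protocol qualifier at all.
covers_ssh() {
  case "$1" in
    *"-p udp"*|*"-p icmp"*) return 1 ;;    # other protocols never match tcp
    *"--dport 22 "*) return 0 ;;
    *"--dport "*|*"--sport "*) return 1 ;; # restricted to some other port
    *) return 0 ;;                         # interface/state/source-only match
  esac
}

# Reads "iptables -S INPUT" lines on stdin and prints, in evaluation order,
# every ACCEPT rule that can admit a new tcp/22 connection, stopping at the
# first DROP/REJECT covering tcp/22 (the chain policy is reported if nothing
# drops). Jumps to user chains, such as the one fwknopd maintains, are not
# followed. Returns 1 if anything was printed, 0 otherwise.
audit_ssh_input() {
  found=0 policy=DROP
  while IFS= read -r rule; do
    case "$rule" in
      "-P INPUT "*) policy=${rule##* }; continue ;;                       # default policy
      *"--state RELATED,ESTABLISHED"*|*"--state ESTABLISHED"*) continue ;; # existing flows only
    esac
    covers_ssh "$rule" || continue
    case "$rule" in
      *"-j DROP"*|*"-j REJECT"*) return "$found" ;; # tcp/22 never gets past here
      *"-j ACCEPT"*) echo "$rule"; found=1 ;;
    esac
  done
  [ "$policy" = ACCEPT ] && { echo "-P INPUT ACCEPT"; found=1; }
  return "$found"
}

printf '%s\n' "$SAMPLE_RULES" | audit_ssh_input || echo "^ these rules can admit a new tcp/22 connection"
```

On a live host, pipe the real listing in with "iptables -S INPUT | audit_ssh_input" (after sourcing the functions) to see which rule is letting the hidden-service connection through.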

