On Thu, Nov 17, 2016 at 8:21 PM, Jonathan Bennett <jbscienc...@gmail.com>
wrote:

> On 11/17/2016 02:19 PM, Jo wrote:
> > Good day everyone!
> Howdy!
> >
> > I'm trying to secure a ssh hidden service with fwknop, the idea is to
> > send the fwknop packet to the .onion address and also to ssh to the
> > .onion address.
>
> Ooh, cool concept.
> >
> > But I've encountered two problems.
> >
> > First of all I'm unable to set the default iptables rules to filter the
> > incomming traffic.
> >
> > The hidden service is configured as:
> >
> >   HiddenServicePort 22 127.0.0.1:22
> >
> > The only open port is TCP 80 where the fwknopd server is listening.
> >
> > I've tried using this two rules (in addition to the default INPUT
> policy):
> >
> >   iptables -A INPUT -s 127.0.0.1 -p tcp --sport 22 -j DROP
> >   iptables -A INPUT -d 127.0.0.1 -p tcp --dport 22 -j DROP
> I'd probably set a rule to allow ssh connections from the local network,
> and then drop everything else by default, rather than trying to match only
> the tor traffic. so something like...
> iptables -A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -m state --state NEW -p tcp --dport 22 -j DROP
> >
> > But I'm still able to ssh into the server :S
> >
> >
> > The second problem is using fwknop to send a packet to an .onion. If I
> > torify fwknop pointing to the IP address everything works flawlessly but
> > If I torify it pointing to the .onion, the fwknopd logs show that tor is
> > cutting the packet in several pieces, so the server takes it as several
> > packets instead of one.
> I had to think about this for a bit, but I believe I understand why this
> is happening.  When you are sending a packet over tor to the IP address,
> the last tor node removes the last layer of tor encryption, and the SPA
> packet is sent in the clear from that tor node to your server.
> When you use a .onion address, the server *is* the last tor node.  Fwknop
> can't inspect the packet because it still has a layer of tor encryption
> around the packet.  (And potentially also splits it into multiple
> packets).  The encryption is removed by the tor daemon running on that
> machine.  It
> might actually work to tell fwknop to watch the loopback interface.
>
> An alternate solution might be the concept of a tor middlebox, as that
> seems to be a way to make tor work more like a virtual network interface,
> which should work as expected with fwknop.
>

Jo,

Following up on Jonathan's note, the Tor encryption issue is likely the
problem. Are you using GPG for SPA packet encryption before sending over
Tor? Because you indicated that the SPA packets are getting split up, it
might also be useful to try symmetric encryption for the SPA packet as well
since they are on average on the order of about 200 bytes instead of about
1000 bytes for GPG. But, the "outer" Tor encryption will need to be
stripped off first through normal Tor operations for SPA to work at all.

Thanks,

--Mike
>
> This is a hairier problem than I first thought it would be.  Be sure to
> let us know if you get it working.  In a few months I *might* be able to
> put some effort into this problem, if you don't get it sorted by then.
>
> --Jonathan Bennett
>
> >
> > If you could help me I'll be glad :)
> >
> > Cheers
> >
> >
> >
> > ------------------------------------------------------------------------------
> > _______________________________________________
> > Fwknop-discuss mailing list
> > Fwknop-discuss@lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
> >


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
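As an added example (not code from the thread or the fwknop project), a small first-match simulation of an iptables INPUT chain, useful for checking which rule decides a hidden-service SSH connection that the local Tor daemon hands to sshd over loopback. Because the thread does not show Jo's full chain, the example assumes a blanket `-i lo -j ACCEPT` rule sits ahead of the two DROP rules, which would explain why SSH still connects; the packet and rule lists are constructed, and only a subset of iptables matchers is modelled.

```python
import ipaddress

# iptables options we model, mapped to the packet field each one tests.
FIELD = {"-i": "in", "-s": "src", "-d": "dst", "-p": "proto",
         "--sport": "sport", "--dport": "dport", "--state": "state"}

def parse_rule(line):
    """Parse one `iptables -S` style rule; unmodelled options are skipped."""
    toks, rule, i = line.split(), {}, 0
    while i < len(toks):
        t = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        arg = nxt if nxt is not None and not nxt.startswith("-") else None
        if t == "!":
            raise ValueError("negated matches are not modelled: " + line)
        if t in ("-s", "-d"):
            rule[t] = ipaddress.ip_network(arg, strict=False)
        elif t in ("--state", "--ctstate"):
            rule["--state"] = set(arg.split(","))
        elif t in ("-A", "-j") or t in FIELD:
            rule[t] = arg
        i += 2 if arg is not None else 1
    return rule

def rule_matches(rule, pkt):
    """Every matcher present on the rule must hold for the packet."""
    for opt, want in rule.items():
        if opt in ("-A", "-j"):
            continue
        have = pkt[FIELD[opt]]
        if opt in ("-s", "-d"):
            if ipaddress.ip_address(have) not in want:
                return False
        elif opt == "--state":
            if have not in want:
                return False
        elif str(have) != want:
            return False
    return True

def first_verdict(rules, pkt, policy="DROP"):
    """Return (index, target) of the first matching rule, else (None, policy)."""
    for idx, line in enumerate(rules):
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            return idx, rule["-j"]
    return None, policy

# Constructed packet: the Tor daemon delivering a hidden-service SSH connection.
ONION_SSH = {"in": "lo", "src": "127.0.0.1", "dst": "127.0.0.1", "proto": "tcp",
             "sport": 44123, "dport": 22, "state": "NEW"}
# Assumption: a blanket loopback ACCEPT precedes Jo's two DROP rules.
JO_RULES = ["-A INPUT -i lo -j ACCEPT",
            "-A INPUT -s 127.0.0.1/32 -p tcp --sport 22 -j DROP",
            "-A INPUT -d 127.0.0.1/32 -p tcp --dport 22 -j DROP"]
# Jonathan's rules, with the loopback ACCEPT placed after the SSH rules.
REORDERED = ["-A INPUT -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT",
             "-A INPUT -m state --state ESTABLISHED -p tcp --dport 22 -j ACCEPT",
             "-A INPUT -m state --state NEW -p tcp --dport 22 -j DROP",
             "-A INPUT -i lo -j ACCEPT"]
```

Run `first_verdict(JO_RULES, ONION_SSH)` and `first_verdict(REORDERED, ONION_SSH)` to see the loopback ACCEPT win in the first ordering and the NEW-SSH DROP win in the second.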