Marcus Mülbüsch wrote:
Hello all,

it occurred to me that with a combination of some pass rules and adding the address via overload to a sort of "whitelist" table you can implement a simple portknocking; using nothing but pf.

The rules would look like this:

# knock 1: open to everyone; the second connection from a source fills <knock1>
pass in on $ext_if inet proto tcp from any to any port $knock1 synproxy state (max-src-conn 1, overload <knock1>)

# knock 2: only sources that completed knock 1
pass in on $ext_if inet proto tcp from <knock1> to any port $knock2 synproxy state (max-src-conn 1, overload <knock2>)

# knock 3: only sources that completed knock 2
pass in on $ext_if inet proto tcp from <knock2> to any port $knock3 synproxy state (max-src-conn 1, overload <knock3>)

# ssh: only sources that completed all three knocks
pass in on $ext_if inet proto tcp from <knock3> to any port ssh

No port knocking daemon is needed, and with an appropriate blocking rule the ssh port is closed to all.

This works; all you have to do is to try to connect to each port $knock<n> in order twice (since the max-src-conn is set to 1).

I have two questions:

1) Is there any problem with that setup? I don't see any, but then again, it seems so simple and I didn't find any howtos on the web. Either nobody else has thought of it before, or there is something wrong with my reasoning. If so, I'm happy if you tell me :-)

2) I would like to knock on each port only once. However, setting "max-src-conn 0" does not change anything. I would expect that the first connect to fill the appropriate table, but it doesn't. Is there something I do not understand, or must the <number> that is allowed be greater than or equal to one?

Thanks for any pointers,

Marcus
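For reference, here is a complete pf.conf implementing the three-knock scheme from the post above. This is an added example, not Marcus's actual ruleset: the interface name and the three knock ports are placeholders, and the table declarations, the blocking rule and the cron expiry lines are additions. Two things a practitioner should know before deploying it. First, entries added by overload stay in the table until something removes them, so without the expire commands the "whitelist" is permanent and anyone who watches one successful knock sequence (or shares a NAT address with the legitimate client) gets in too. Second, pf skips the max-src-conn check entirely when the limit is 0 (it only tests the limit when it is non-zero), which is why "max-src-conn 0" never fills the table; the smallest working value is 1, hence two connections per knock.

```pf
# Added example (not from the original post): complete pf.conf for the
# three-knock scheme. Interface and port numbers are placeholders; pick
# high, otherwise unused ports of your own.
ext_if = "em0"
knock1 = "1234"
knock2 = "2345"
knock3 = "3456"

# Tables filled by the overload clauses; "persist" keeps them around
# even while they are empty.
table <knock1> persist
table <knock2> persist
table <knock3> persist

# The "appropriate blocking rule": close ssh to everyone. pf uses
# last-match, so the pass rule at the end overrides this for sources
# listed in <knock3>. (A real ruleset has its own default policy as well.)
block in log on $ext_if proto tcp from any to any port ssh

# Knock 1: open to any host. synproxy completes the three-way handshake
# on the firewall itself before pf counts the connection, so nothing
# needs to listen on the port. The second concurrent connection from the
# same source exceeds max-src-conn 1 and adds that source to <knock1>.
pass in on $ext_if inet proto tcp from any to any port $knock1 \
    synproxy state (max-src-conn 1, overload <knock1>)

# Knocks 2 and 3: only sources that completed the previous knock.
pass in on $ext_if inet proto tcp from <knock1> to any port $knock2 \
    synproxy state (max-src-conn 1, overload <knock2>)
pass in on $ext_if inet proto tcp from <knock2> to any port $knock3 \
    synproxy state (max-src-conn 1, overload <knock3>)

# Only sources that completed all three knocks reach sshd.
pass in on $ext_if inet proto tcp from <knock3> to any port ssh keep state

# overload never removes entries by itself. Expire them from cron so the
# half-finished knock tables and the final whitelist do not grow forever
# (entries older than N seconds are deleted):
#   * * * * *  pfctl -t knock1 -T expire 60
#   * * * * *  pfctl -t knock2 -T expire 60
#   * * * * *  pfctl -t knock3 -T expire 300
```

To knock, open two connections in quick succession to each port in order (for example "nc -z host 1234; nc -z host 1234", then the same for 2345 and 3456) and then ssh in; the two connections must overlap in pf's state table, which they do as long as they are a few seconds apart. Check the ruleset with "pfctl -nf /etc/pf.conf" before loading it, and watch the tables fill with "pfctl -t knock1 -T show".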


I think this is an excessively complicated answer to what "usually"
is a pretty simple problem with simple bots.

From my pf.conf:
   block in log quick on $ext_if proto tcp from any to any port 22

Unless you are subject to an advanced or deliberate attack on your server personally, that will solve all problems.

Aren't there 65k different ports?
Isn't there a setting to change the ssh port number?

--
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
  -- Robert Heinlein
