Otterhole :: pageknock
 


Introduction

This utility dynamically adds a source address to the set of addresses approved to access the SSH port on my home computer. It uses a technique similar to "port knocking" that I will call "page knocking": a client fetches http:<site>/access.html, and the source address of that HTTP request is added to an approved list. (Of course, 'access.html' is not the page name used on my production computer.) The client can then connect to my SSH port.

While my web server is intentionally always available to the Internet, I also like to be able to SSH into my computer. I consider SSH access the higher security risk because, unlike the web server, sshd is not chrooted. Since the web server is reachable anyway, every additional listening service only increases the number of targets available to an attacker. Finally, it may be policy in some places not to expose administrative interfaces directly to the Internet. While this last point could be called 'security by obscurity', it is still effective against untargeted attacks (worms, scanners, etc.) directed at the SSH port at my site; anyone who learns the page name can open the port for their own address, so it is a filter against noise, not a substitute for strong SSH authentication.


History

Jun 19, 2007

  • Added basic syslog functionality
May 26, 2007
  • Added the ability to remove an address, and not just add.
  • Added another example, which shows how to multiplex (mux) a port in order to allow multiple services to be provided by the same address and port, at the same time, with the ability to dynamically choose which server you want access to.
Apr 16, 2007
  • Initial release

Example

  1. The pageknock program is run at boot up.
  2. pf is configured similar to the following table and rule:
     table <sshknock> persist
     pass in log quick on $ext_if inet proto tcp from <sshknock> to ($ext_if) port 22 flags S/SA synproxy state
    
  3. Apache is running and logging to /var/www/logs/access_log, and a page http:<site>/access.html exists. (The page exists in this example, but it does not need to: Apache logs the request either way, with a 404 status if the page is missing, as long as pageknock looks for the right log entry in the right log file.)
  4. The pageknock program reads the Apache log, adds the source address of the request to the <sshknock> table, and the client can now access the SSH port.

Example 2:

Here is how to multiplex (mux) a port so that several services can be offered on the same address and port at the same time, with the client dynamically choosing which server it reaches:

While using the earlier version of pageknock from one particular location, things failed. The proxy there used for SSH has a different source address than the proxy used for HTTP/HTTPS, so the address entered into the <sshknock> table was unrelated to the one that actually reached SSH, and the method did not work correctly.

I fixed the 'problem' two ways: one by entering a static rule into pf to allow that particular address to access SSH. The second is much more interesting.

The pf rules now check whether the source address of a 443/TCP connection is in the <sshknock> table; if so, the connection is redirected to port 22, and if not, it goes to the regular HTTPS service (if there is one). My motivation was merely to have page knocking work even from these odd-ball locations, but the result is a particularly effective means of bypassing the intent of some firewall rules, which I certainly would not condone.

A neat aspect of this is that once the address is removed from the table, regular port 443 service is restored for the client address, while existing SSH-over-443 sessions continue because pf keeps their entries in the state table. Enough fluff, here is the example:

  1. The pageknock program is run at boot up.
  2. pf is configured similar to the following table and rule (this is the rdr syntax of pf before OpenBSD 4.7; later releases express the same redirection with rdr-to on a pass rule; 'rdr pass' both redirects and passes the connection, so no separate pass rule is needed for the redirected traffic):
     table <sshknock> persist
     rdr pass on $ext_if inet proto tcp from <sshknock> to ($ext_if) port 443 -> 127.0.0.1 port 22
    
  3. Apache is running and logging to /var/www/logs/access_log, and a page http:<site>/access.html exists. (The page exists in this example, but it does not need to: Apache logs the request either way, with a 404 status if the page is missing, as long as pageknock looks for the right log entry in the right log file.)
  4. The pageknock program reads the Apache log, adds the source address to the <sshknock> table, and the client can now reach SSH via 443/TCP. Note that:
    • everyone else connecting to 443/TCP gets whatever is normally on that port: the HTTPS server, or a connection failure if nothing is listening there.
  5. The client may then choose to remove their source address from the <sshknock> table (a second page knock, manually running the command 'pfctl -t sshknock -T delete ADDRESS', or having cron clear the table regularly with 'pfctl -t sshknock -T flush').
    • once the source address is removed from the <sshknock> table, existing SSH-over-443 sessions continue to operate correctly because their states are held in memory, while new connections from the same address get whatever service is found by default on 443/TCP.
    • this is particularly desirable if you are a single individual who needs access to an SSH port at a site, while others behind the same address (proxy) want access to the regular HTTPS service at the same site.
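As an added example (not the page's own pageknock.pl), here is a small sh script that does the job of steps 3 and 4 in both examples and the removal in step 5: it follows access_log, trusts only the peer address that Apache writes as the first field, matches the request path exactly, and calls pfctl to add or delete the address from the <sshknock> table, logging each change via logger(1). The "un-knock" page name /remove.html, the PFCTL/SYSLOG overrides and the 'watch' entry point are assumptions made for this example, not taken from the page.

```shell
#!/bin/sh
# Page-knock log watcher: an added example in the spirit of pageknock.pl,
# not the page's own code. Assumptions not taken from the page: the knock
# page is /access.html, the "un-knock" page is /remove.html, the pf table
# is <sshknock>, and PFCTL/SYSLOG can be overridden (PFCTL=echo SYSLOG=no)
# to exercise the parser on a box without pf.

PFCTL="${PFCTL:-pfctl}"          # set PFCTL=echo to dry-run
SYSLOG="${SYSLOG:-yes}"          # set SYSLOG=no to skip logger(1)
TABLE="${TABLE:-sshknock}"
KNOCK_PATH="/access.html"        # GET here adds the peer address
UNKNOCK_PATH="/remove.html"      # GET here deletes it again (assumed name)

pk_log() {
    [ "$SYSLOG" = yes ] || return 0
    logger -t pageknock -- "$*" 2>/dev/null || :
}

# Accept only a strict IPv4 dotted quad. Apache writes the TCP peer address
# as the first field of access_log, but a hostname (HostnameLookups On) or
# anything odd must never reach pfctl's command line.
pk_valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac   # keep [ -le ] in range
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Handle one common/combined-format line such as
#   192.0.2.7 - - [19/Jun/2007:10:11:12 -0400] "GET /access.html HTTP/1.1" 200 37
# Only the first field (the peer address, filled in by Apache) is trusted;
# the request line is client-controlled and is matched exactly, so
# /access.html?x=1 or /access.html/ do not count as a knock.
pageknock_line() {
    line=$1
    addr=${line%% *}
    pk_valid_ipv4 "$addr" || return 1
    req=${line#*\"}; req=${req%%\"*}        # text between the first two quotes
    method=${req%% *}
    rest=${req#* }; path=${rest%% *}
    [ "$method" = GET ] || return 1
    case $path in
        "$KNOCK_PATH")
            "$PFCTL" -t "$TABLE" -T add "$addr" && pk_log "added $addr to <$TABLE>" ;;
        "$UNKNOCK_PATH")
            "$PFCTL" -t "$TABLE" -T delete "$addr" && pk_log "deleted $addr from <$TABLE>" ;;
        *) return 1 ;;
    esac
}

# Follow the live log (start from rc.local or similar at boot).
pageknock_watch() {
    tail -f "${1:-/var/www/logs/access_log}" | while IFS= read -r line; do
        pageknock_line "$line" || :
    done
}

# "sh pageknock.sh watch [logfile]" starts the watcher; with no arguments the
# file only defines the functions, so it can be sourced or tested.
if [ "${1:-}" = watch ]; then
    pageknock_watch "${2:-}"
fi
```

Start it with 'sh pageknock.sh watch /var/www/logs/access_log' (for the "run at boot up" step, from rc.local on OpenBSD). Setting PFCTL=echo prints the pfctl commands instead of running them, which is how to check the parser on a machine without pf. It handles IPv4 only, matching the inet-only rules above; a line whose first field is a hostname or a malformed address is ignored rather than passed to pfctl, and nothing in the client-controlled request line or User-Agent can reach the command line because only the first field is used.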

Explanation

I think I explained it already.


Source

The source is short and quick, with lots of room for improvement, but it works: pageknock.pl
pageknock.02 (old version without syslogging or modules)

If anyone likes this, improves it, wants an updated version with my improvements, or has questions, please send a note to openbsd . at . otterhole.ca


Copyright Otterhole 2008. Last updated: 2008/08/29 23:14