Otterhole :: pageknock
Introduction

This utility dynamically adds a source address to the list approved to access the SSH port on my home computer. It uses a property similar to "port knocking" that I will call "page knocking". For this example, a client accesses http:<site>/access.html and this causes the source address of the HTTP page request to be added to an approved list. (Of course, the page 'access.html' is not the same as the page on my production computer.) This client can then access my SSH port.

While my web server is intentionally always available to the Internet, I also like to be able to SSH into my computer. I consider the SSH access a higher security risk because SSH is not chrooted. Since the web server is accessible anyway, having more accessible interfaces just increases the targets available for attack. Finally, it may be policy in some places not to expose administrative interfaces directly to the Internet. While this last point could be called 'security by obscurity', it is still effective at managing any untargeted (worm, etc.) attack directed at the SSH port at my site.

History

Jun 19, 2007
Example
Example 2: Here is how to multiplex (mux) a port in order to allow multiple services to be provided by the same address and port, at the same time, with the ability to dynamically choose which server you want access to.

While using the earlier version of pageknock from one particular location, things failed. The proxy for SSH has a different source address than the proxy for HTTP/HTTPS, so the address entered into the <sshknock> table was unrelated to the one actually used to reach SSH, and this method did not work correctly. I fixed the 'problem' two ways. One was to enter a static rule into pf to allow this particular address to access SSH. The second is much more interesting: the pf rules now check whether the source address of a 443/TCP connection is in the <sshknock> table; if so, the connection is redirected to port 22, and if not, the connection is sent to the regular HTTPS service (if there is one).

My motivation for this was merely to have page knocking work, even from these oddball locations; however, the result is a particularly effective means to bypass the intent of some firewall rules, which I certainly would not condone.
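The following is an added example and is not the page's pageknock.pl. It shows, in one shell script, the two pieces the Introduction and Example 2 describe: a CGI knock handler that adds the requesting address to the <sshknock> table, and the pf.conf rules that (a) allow SSH only from that table and (b) hand a knocked address's 443/TCP connection to sshd while everyone else still reaches HTTPS. The table name <sshknock> comes from the page; the interface name em0, the use of doas(1) to let the web server user run pfctl, the one-hour expiry, the OpenBSD 4.7+ `rdr-to` rule syntax and the dry-run environment variable are all assumptions for this example. The handler trusts only REMOTE_ADDR, which the web server fills in from the TCP peer; a client-supplied header such as X-Forwarded-For is ignored, and the address is validated before it is ever passed to pfctl.

```shell
#!/bin/sh
# Added example: page-knock CGI handler plus the matching pf.conf fragment.
# Assumptions: table <sshknock>, external interface em0, doas configured so
# the web server user may run pfctl, sshd listening on 127.0.0.1:22.

# Accept only a dotted-quad IPv4 address (four octets, 0-255, no leading
# zeros) so that nothing attacker-shaped can reach the pfctl command line.
# Subshell body keeps the IFS change and positional parameters local.
valid_ipv4() (
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $addr
    [ $# -eq 4 ] || return 1
    for o; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
        case $o in 0) ;; 0*) return 1 ;; esac
    done
)

# The exact pfctl invocation a knock from ADDR would produce, or failure if
# ADDR is not a clean IPv4 address. Kept separate so it can be tested
# without pf present.
knock_cmd() {
    valid_ipv4 "$1" || return 1
    printf 'pfctl -t sshknock -T add %s\n' "$1"
}

# The pf.conf fragment this handler relies on. Rule order: pf keeps the last
# matching rule, and "quick" stops evaluation, so the mux rule wins for
# knocked addresses wherever it sits relative to the generic 443 rule.
pf_rules() {
    cat <<'EOF'
ext_if = "em0"            # assumption: external interface
table <sshknock> persist

# Web server is always reachable; it is the knock channel.
pass in on $ext_if proto tcp to ($ext_if) port { 80 443 }

# Direct SSH only from addresses that have fetched the knock page.
pass in on $ext_if proto tcp from <sshknock> to ($ext_if) port 22

# Port mux (Example 2): a knocked address connecting to 443 is handed to
# sshd; everyone else still gets the regular HTTPS service.
pass in quick on $ext_if proto tcp from <sshknock> to ($ext_if) port 443 \
    rdr-to 127.0.0.1 port 22

# Knocks should not live forever; from cron, e.g. hourly (assumed policy):
#   pfctl -t sshknock -T expire 3600
EOF
}

# CGI entry point. REMOTE_ADDR is set by the web server from the TCP peer;
# note this is the proxy's address if the client sits behind one, which is
# exactly why the page's author saw the knock fail through split proxies.
# Set PAGEKNOCK_DRYRUN=1 to print the command instead of running it.
handle_knock() {
    if cmd=$(knock_cmd "${REMOTE_ADDR:-}"); then
        if [ "${PAGEKNOCK_DRYRUN:-0}" = 1 ]; then
            printf 'Content-Type: text/plain\r\n\r\n%s\r\n' "$cmd"
        else
            # $cmd is split on purpose; its only variable part was validated.
            doas $cmd >/dev/null 2>&1 || { printf 'Status: 500\r\n\r\n'; return 1; }
            printf 'Content-Type: text/plain\r\n\r\nknock accepted\r\n'
        fi
    else
        printf 'Status: 400\r\n\r\n'
        return 1
    fi
}

# Act as a handler only when a web server invoked us (CGI/1.1 sets this).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_knock
fi
```

Run `sh pageknock.sh` with `GATEWAY_INTERFACE=CGI/1.1 REMOTE_ADDR=203.0.113.7 PAGEKNOCK_DRYRUN=1` set to see the command it would issue, and `pf_rules` can be redirected into a file and loaded with `pfctl -nf` to syntax-check the rules before use. Keep the knock page itself on a path that is not guessable; the pf table does not care who fetched it.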
A neat aspect of this is that once removed from the
I think I explained it already.
The source is short and quick, with lots of room for improvement, but it works.
pageknock.pl
If anyone likes this, improves it, wants an updated version with my improvements, or has questions, please send a note to openbsd . at . otterhole.ca
Copyright Otterhole 2008. Last updated: 2008/08/29 23:14.