Daniel | reply to EGeezer
Re: Is Portknocking "Real" Security?

said by EGeezer: Based on what I've read here, it appears that portknocking can be a useful part of an SSH implementation. While there were several general non-technical analogies presented, none seemed to address the methods a hacker might use to discover and obtain the port knocking sequence in a public network. I was hoping to see an answer to the scenario I referenced in my earlier post, but that appears not to be forthcoming. Perhaps there is no practical way. One question, though - how would one build an IP table for the IP authorization if the clients are road warriors using DHCP? Seems that option would not be useful in that case.

Actually it does work for that. That's the whole point of the project -- to have it work for roaming, dynamic-source clients.

-- dmiessler.com -- grep understanding knowledge
EGeezer
Re: IP access rules and DHCP clients

I'm sure I'm missing something - If the road warrior has a dynamically assigned IP, how would I build an access rule based on the client's IP? It could be anything depending on where and when the user connects.

-- 03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...
Daniel

That's the point of it: the user sends a cryptographic "knock" to the firewall that only it could have sent, at which point the firewall opens just the SSH port for just that one client (and just for a moment).

-- dmiessler.com -- grep understanding knowledge
EGeezer
I was trying to figure out Ghost's reply (»Re: Is Portknocking "Real" Security?)
... I was thinking more along the lines of a port being accessible by everyone whenever a single user entered the correct port sequence for access. Obviously I forgot that iptables can allow access to ports on a per-IP-address basis after a port knocking sequence. Hence, my previous questions do not apply. So it's possible to have thousands of users access a service remotely, but no indication to others that a remote service is listening on a certain port.

Based on that, I'm thinking that one would need a fixed client IP address to implement IP based rules. If the client is DHCP assigned, this IP rules layer wouldn't be in the picture. Hope that clarifies my curiosity.

-- 03:14:07 UTC Tuesday, Jan. 19, 2038 - a date that will live in infamy...
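The mechanism Daniel describes, and the DHCP question EGeezer raises, as an added example that is not code from this thread or from any port-knocking project: the firewall never needs a pre-built list of client IPs, because the per-client SSH rule is keyed on whichever source address the authenticated knock arrives from. The shared key, client name, addresses and timing constants are constructed for the demo; the iptables command is only returned as a string, not executed.

```python
import hashlib
import hmac
import os

KEY = b"constructed-shared-secret"   # constructed demo key, not from the thread
WINDOW = 30        # seconds a knock's timestamp may differ from server time
OPEN_FOR = 15      # seconds the per-client SSH rule stays open


def make_knock(key: bytes, client_id: str, now: float, nonce: bytes = b"") -> bytes:
    """Client side: authenticate client_id|timestamp|nonce with HMAC-SHA256."""
    nonce = nonce or os.urandom(8)
    body = f"{client_id}|{int(now)}|{nonce.hex()}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class KnockDaemon:
    """Server side: verify a knock, then open SSH only for the observed source IP."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()   # nonces already accepted, so a captured knock cannot be replayed

    def handle(self, src_ip: str, packet: bytes, now: float):
        try:
            client_id, ts, nonce, tag = packet.decode().split("|")
        except (ValueError, UnicodeDecodeError):
            return None                          # malformed knock, ignored silently
        body = f"{client_id}|{ts}|{nonce}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                          # forged or corrupted knock
        if abs(now - int(ts)) > WINDOW or nonce in self.seen:
            return None                          # stale or replayed knock
        self.seen.add(nonce)
        # The rule uses the address the knock *arrived from*, so a roaming client
        # on a fresh DHCP lease is admitted without any pre-built IP list.
        return {
            "src_ip": src_ip, "port": 22, "expires": now + OPEN_FOR,
            "rule": f"iptables -I INPUT -s {src_ip} -p tcp --dport 22 -j ACCEPT",
        }


if __name__ == "__main__":
    daemon = KnockDaemon(KEY)
    knock = make_knock(KEY, "alice", 1_700_000_000)
    print(daemon.handle("203.0.113.7", knock, 1_700_000_002))   # accepted: rule for that IP
    print(daemon.handle("203.0.113.7", knock, 1_700_000_003))   # None: replay rejected
```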