Gentoo Archives: gentoo-security

From: Andrew Gaffney <agaffney@×××××××××××.com>
To: "Paweł Goleń" <pawel.golen@××××××××××××××.pl>
Cc: gentoo-security@l.g.o
Subject: Re: [gentoo-security] new ssh worm?
Date: Tue, 27 Jul 2004 20:21:42
Message-Id: 4106B7CC.2050800@skylineaero.com
In Reply to: Re: [gentoo-security] new ssh worm? by "Paweł Goleń"
Paweł Goleń wrote:
> Gary Nichols wrote:
>
>> Another part of good strategy would be to use SSH on a different port
>> - most of the tools/scripts in use now do a quick scan on known
>> services and then move on if nothing is found. If someone is
>> directly targeting your box, this won't help much of course. :-)
>> Sometimes it's good to maintain a low profile on management services.
>
>
> Well, I use "port-knocking" for ssh:
>
> -A INPUT -i ppp0 -m recent --set --name IN_KNOCK_SSH -m icmp -p icmp
> --icmp-type echo-request -j DROP
>
> Drop echo-request, but update (create) IN_KNOCK_SSH table. When I receive
> a connection attempt another rule checks IN_KNOCK_SSH, and then
> optionally opens port 22. Of course you can change the first rule (for
> example icmp packet must be xxx in size).
>
> -A INPUT -i ppp0 -m recent --rcheck --hitcount 4 --seconds 30 --name
> IN_KNOCK_SSH -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
>
> No port is visible during normal portscans. Of course this method is
> not perfect.

How exactly does this work? You have to send some packet to a certain port
(knocking on the door) and then it will allow you to connect to TCP port 22
within 30 seconds?

--
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548


--
gentoo-security@g.o mailing list

Replies

Re: [gentoo-security] new ssh worm? by Kurt Lieber <klieber@g.o>