Paweł Goleń wrote:
> Gary Nichols wrote:
>
>> Another part of a good strategy would be to use SSH on a different port
>> - most of the tools/scripts in use now do a quick scan on known
>> services and then move on if nothing is found. If someone is
>> directly targeting your box, this won't help much of course. :-)
>> Sometimes it's good to maintain a low profile on management services.
>
>
> Well, I use "port-knocking" for ssh:
>
> -A INPUT -i ppp0 -m recent --set --name IN_KNOCK_SSH -m icmp -p icmp
> --icmp-type echo-request -j DROP
>
> Drop echo-request, but update (create) IN_KNOCK_SSH table. When I receive
> a connection attempt another rule checks IN_KNOCK_SSH, and then
> optionally opens port 22. Of course you can change the first rule (for
> example the icmp packet must be xxx in size).
>
> -A INPUT -i ppp0 -m recent --rcheck --hitcount 4 --seconds 30 --name
> IN_KNOCK_SSH -m state --state NEW -p tcp -m tcp --dport 22 -j ACCEPT
>
> No port is visible during normal portscans. Of course this method is
> not perfect.

How exactly does this work? You have to send some packet to a certain port
(knocking on the door) and then it will allow you to connect to TCP port 22
within 30 seconds?

--
Andrew Gaffney
Network Administrator
Skyline Aeronautics, LLC.
636-357-1548


--
gentoo-security@g.o mailing list
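As an added illustration of what the two iptables rules quoted above actually do (this is editor-supplied example code, not something posted in the thread), the following Python models the `recent` match: `--set` appends a timestamp for the source address, and `--rcheck --hitcount 4 --seconds 30` matches only when at least four of that address's timestamps lie within the 30 seconds before the packet being checked. The packet trace and the addresses in it are constructed for the simulation, and the chain's default DROP for unknocked port-22 attempts is an assumption, since the thread does not show the rest of the ruleset.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# iptables' recent module keeps at most ip_pkt_list_tot timestamps per address
# (kernel default 20); the oldest are discarded as new ones arrive.
PKT_LIST_TOT = 20


@dataclass
class Packet:
    """Minimal view of an inbound packet on ppp0 (constructed for the simulation)."""
    t: float           # seconds since the start of the trace
    src: str           # source IPv4 address
    proto: str         # "icmp" (an echo-request) or "tcp"
    dport: int = 0     # TCP destination port, ignored for icmp
    new: bool = True   # conntrack state NEW (a fresh SYN)


class RecentTable:
    """Model of one 'recent' list, e.g. /proc/net/xt_recent/IN_KNOCK_SSH."""

    def __init__(self, name, pkt_list_tot=PKT_LIST_TOT):
        self.name = name
        self.hits = defaultdict(lambda: deque(maxlen=pkt_list_tot))

    def set(self, src, t):
        """--set: add the address (or append another hit timestamp); always matches."""
        self.hits[src].append(t)
        return True

    def rcheck(self, src, t, hitcount, seconds):
        """--rcheck --hitcount N --seconds S: match only if the address is listed
        and at least N of its hits fall within the last S seconds. Unlike
        --update, this does not modify the list."""
        if src not in self.hits:
            return False
        in_window = [h for h in self.hits[src] if 0 <= t - h <= seconds]
        return len(in_window) >= hitcount


def filter_packet(table, pkt):
    """Apply the two quoted rules in order. Anything they do not ACCEPT is
    DROPped here: the default policy is an assumption of this model."""
    # Rule 1: record and drop every echo-request (the "knock").
    if pkt.proto == "icmp":
        table.set(pkt.src, pkt.t)
        return "DROP"
    # Rule 2: a NEW connection to tcp/22 is accepted only after >= 4 knocks
    # from the same source within the previous 30 seconds.
    if pkt.proto == "tcp" and pkt.new and pkt.dport == 22:
        if table.rcheck(pkt.src, pkt.t, hitcount=4, seconds=30):
            return "ACCEPT"
    return "DROP"


def run_trace(packets):
    """Return one (t, src, description, verdict) tuple per packet, in time order."""
    table = RecentTable("IN_KNOCK_SSH")
    out = []
    for p in sorted(packets, key=lambda p: p.t):
        what = "icmp echo-request" if p.proto == "icmp" else f"tcp/{p.dport} SYN"
        out.append((p.t, p.src, what, filter_packet(table, p)))
    return out


# Constructed trace: three hosts; none of these addresses is real.
KNOCK_TRACE = [
    # 10.0.0.5 knocks four times, then connects 2 s after the last knock.
    Packet(0, "10.0.0.5", "icmp"), Packet(1, "10.0.0.5", "icmp"),
    Packet(2, "10.0.0.5", "icmp"), Packet(3, "10.0.0.5", "icmp"),
    Packet(5, "10.0.0.5", "tcp", 22),
    # 10.0.0.9 tries port 22 without knocking at all.
    Packet(6, "10.0.0.9", "tcp", 22),
    # 10.0.0.7 knocks only three times.
    Packet(7, "10.0.0.7", "icmp"), Packet(8, "10.0.0.7", "icmp"),
    Packet(9, "10.0.0.7", "icmp"), Packet(10, "10.0.0.7", "tcp", 22),
    # 10.0.0.5 again, 31 s after its last knock: the window has closed.
    Packet(34, "10.0.0.5", "tcp", 22),
]


def verdicts(packets=KNOCK_TRACE):
    """Just the verdict column, convenient for checking."""
    return [v for (_, _, _, v) in run_trace(packets)]


if __name__ == "__main__":
    for t, src, what, verdict in run_trace(KNOCK_TRACE):
        print(f"t={t:>4}s {src:<10} {what:<18} -> {verdict}")
```

Running the trace shows that the knock is not a packet to "a certain port" but four ICMP echo requests from the same source, and that the 30 seconds are counted backwards from the SYN: only knocks that are still inside that window count, so a SYN arriving 31 seconds after the last knock is dropped. On a live system the list can be inspected in `/proc/net/xt_recent/IN_KNOCK_SSH` (older kernels used `/proc/net/ipt_recent/`). Because the only secret here is the hit count, varying the first rule as suggested in the thread (for example requiring a specific ICMP payload size) is what makes the knock harder to satisfy accidentally.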