Re: sshd / ftpd break-in attempts



On Sat, 01 Aug 2009, in the Usenet newsgroup comp.os.linux.misc, in article
<871vnvuxec.fsf@xxxxxxxxxxxxxxxxxx>, John Hasler wrote:

Moe Trin wrote:

]Briefly, you _attempt_ to connect to some _other_ port that doesn't
]have an actual service running there - an example might be port 123
](NTP). Your firewall system sees the connection attempt, and opens a
]hole to the actual SSH server location (which could be "hiding" on
]an obscure port like 22/tcp) FOR THAT ADDRESS ONLY for a short time
]- say one minute. You then connect, and when the firewall rule
]expires, the existing "ESTABLISHED" rule allows the conversation
]to continue.

> Some people scream "Security Through Obscurity" because they are
> too st00pid to realize that opening the hole through the firewall
> temporarily in no way replaces what-ever existing authentication
> scheme you have - whether username/password or certificate, or
> what-ever.
>
> It isn't just obscurity anyway. You don't just knock once. You
> knock in a pattern on multiple ports. The pattern is a password.

Sorry John - re-read what I originally wrote. A single SYN to a
port is used to unlock the server port, and then the normal SSH
sequence of establishing a connection continues.

The reason for this simplification is the real world situation where
the place you are trying to connect FROM has a bunch of firewall
rules that block outbound attempts to ports/protocols that the
local admin deems risky or unneeded. One common example of this
is the savvy ISP who is blocking outbound to 25/tcp (except from the
designated ISP mail servers) to avoid getting his address block
listed on one of the many DNSBL because of eighty jillion zombies
on his network. Without revealing state secrets (or violating an
NDA), I can assure you that this mode of blocking is extremely common
in security sensitive sites. You might try an nmap scan of a tolerant
host from (example) a wifi hotspot.

Years ago, we used a knock sequence technique to gain access to the
telnet server (a hint of how long ago) at work. That procedure went
out of service when we discovered several of the sites we used this
technique from had put in explicit blocks.

The pattern knocking technique still works, but the number of usable
ports has declined drastically. You have to look at the port list
(http://www.iana.org/assignments/port-numbers) and ask yourself
"is that paranoid admin going to be blocking this too?". That's
why tcptraceroute and hping are part of our standard installs.

Old guy
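The single-SYN knock described in the post, as an added example that is not part of the original thread and not Moe Trin's own rule set: a Linux iptables ruleset using the `recent` match, plus the client-side knock. The knock port (123/tcp), the real sshd port (22/tcp), the 60-second window, the list name `knock` and the environment variable names are my assumptions; the post gives only the first two as examples.

```shell
#!/bin/sh
# Added example, not code from the original post: a single-SYN knock on a
# Linux iptables firewall.  One SYN to the knock port records the source
# address in an xt_recent list; for WINDOW seconds afterwards a SYN from
# that same address to the real SSH port is accepted.  Port numbers, window
# and list name below are my assumptions, not values given in the post.
set -eu

KNOCK_PORT="${KNOCK_PORT:-123}"   # decoy port with no service behind it
SSH_PORT="${SSH_PORT:-22}"        # where sshd really listens
WINDOW="${WINDOW:-60}"            # seconds the hole stays open after the knock
LIST="${LIST:-knock}"             # name of the xt_recent address list

# Print the INPUT-chain rules, one iptables command per line, in the order
# they must be appended.  Rule 1 is what keeps an already-open SSH session
# alive after the window closes (the "ESTABLISHED" rule in the post).  The
# knock SYN itself is dropped after being recorded, so the knock port looks
# filtered, like everything else, to a scanner.
knock_rules() {
    cat <<EOF
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --syn --dport ${KNOCK_PORT} -m recent --name ${LIST} --set -j DROP
iptables -A INPUT -p tcp --syn --dport ${SSH_PORT} -m recent --name ${LIST} --rcheck --seconds ${WINDOW} -j ACCEPT
iptables -A INPUT -p tcp --syn --dport ${SSH_PORT} -j DROP
EOF
}

# Client side: send the single knock SYN (the firewall drops it, so the
# connect attempt just times out), then open the real SSH connection.
knock_and_ssh() {
    host="$1"
    timeout 2 bash -c "exec 3<>/dev/tcp/${host}/${KNOCK_PORT}" 2>/dev/null || true
    ssh -p "${SSH_PORT}" "${host}"
}

if [ "${APPLY:-0}" = 1 ]; then
    knock_rules | while read -r cmd; do $cmd; done   # load rules; run as root
else
    knock_rules                                       # dry run: print only
fi
```

`--rcheck` checks the timestamp recorded by the knock without refreshing it, so the hole closes exactly WINDOW seconds after the knock regardless of how many SSH connections are opened in between; `--update` would extend it on every hit. Two caveats a practitioner should keep in mind: the `recent` list is keyed on source address, so every host behind the same NAT as the knocker shares the hole for that window, and, as the post says, the knock does nothing to sshd's own authentication, which still has to hold on its own. Which knock port is usable is decided by the outbound filtering at the client end, not by the server.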


