Monday, November 7, 2011

ssh - Knockin' on Heaven's Door

Using both: port knocking technology and trusted networks for secure ssh access:

The key feature of this method is using ssh daemon listening on 2 diff ports:
--sshd_config--

# What ports, IPs and protocols we listen for
Port 22
Port 3054

and iptables.

1. "Normal" ssh port (22) will be available only from trusted subnets
2.  "New"ssh port (3054) will be available on demand (well known port knocking technology )

How-to:

1. Create new chain:

iptables -N SSH

2.  add it as action to our 2 ssh ports and 1 knocking port

iptables -A INPUT -p tcp -m tcp --dport 22 --syn  -j SSH
iptables -A INPUT -p tcp -m tcp --dport 3054 --syn  -j SSH
iptables -A INPUT -p tcp -m tcp --dport 3055 --syn  -j SSH

3. add rules to our SSH chain
--- add rule for trusted subnet:
iptables -A SSH  -s 184.144.0.0/13 -p tcp -m tcp --dport 22 -j ACCEPT -m comment --comment "Trusted subnet"

---add rule for knock port using recent iptables module:  add packet source to "recent" :
iptables -A SSH -p tcp -m tcp --dport 3055 --syn -m recent --set     --name ssh --rsource -j REJECT --reject-with tcp-reset

--- allow to connect to "new" ssh port within 30 second interval from the IP used to knock
iptables -A SSH -p tcp -m tcp --dport 3054 --syn -m recent --rcheck --seconds 30 --name ssh --rsource -j ACCEPT

That's it. To knock knock simple use: telnet "IP" 3055 and after that you have 30 second to connect.



It will allow you to use ssh and ssh-based tools as usual from trusted location, always be able to connect to server from any location around the world and reduce amount of alerts getting form your HIDS.

PS. Not forget about turning on SSH public key based authentication  and switching PasswordAuthentication to "no".


inspired by  http://execbit.ru/2011/05/18/portknoking/


2 comments:

  1. никогда не задумывался, а ведь простое и изящное решение, зачёт!

    ReplyDelete
  2. :-)) На самом деле я перестраховался в этом решении,использовав 2-й порт ssh для дополнительной подстраховки от случайного открытия порта чужым порт сканером. Все можно сделать еще проще, открывая по стуку не дополнительный порт, а обычный порт 22

    ReplyDelete