Hans Witvliet wrote:
> hi,
>
> On Mon, 2008-11-24 at 18:53 -0600, David C. Rankin wrote:
> <snip>
>
> Except for running ssh on another port (already mentioned) you could do a "reversed port knocking" at your own door (it's not my idea, but a friend reminded me of it). There are many versions of it, but this scheme I like most:
>
> 1) normally, all traffic on port 22 is plainly dropped
> 2) if you perform a ping on some high unprivileged port, the rule-set is reloaded and port 22 gets opened
> 3) after a successful ssh login, change the ruleset so that on port 22 only established tcp connections are allowed, no new connections
> 4) after a predefined time (just short, to allow you to log in) you go back to stage 1
>
> From what I remember, it was just two slightly modified copies of your firewall ruleset, two "at" commands and a dozen perl lines for listening on a dedicated ip port.
>
> hw
The main problem with the blacklisting approach is that it can be used to effectively create a DoS attack on legitimate users by getting them blacklisted from a service they need to use (IP addresses can be spoofed). As someone pointed out some time ago on this list, there can also be some issues about how the addresses are tracked in the logs. The principal advantage of the approach is the relatively low administrative overhead, as it is largely automated.

Whitelisting, by establishing that a machine (or user) has a legitimate right to connect, either via negotiation from another port (as above) or some form of RADIUS-style service authentication on the external domain boundary/firewall, is an alternative approach. This has the disadvantages of a larger administrative overhead, as the administrator has to explicitly set up user access (however, on a DS-based authentication mechanism this may be less of an issue), a possible further barrier to the user community of a further level of authentication (though this level of authentication can be certificate based), and precludes by definition open access (though you could have a DMZ for this). As this is usually performed on a dedicated machine, servers should not normally be affected by such script kiddy attacks. The attack is blocked at the door, not in the room.

-- 
==============================================================================
I have always wished that my computer would be as easy to use as my telephone. My wish has come true. I no longer know how to use my telephone.
Bjarne Stroustrup
==============================================================================
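The four-stage "reversed port knocking" scheme quoted above, written out as a small sh state machine. This is an added example, not code from the thread or from either poster. It assumes iptables with the conntrack match, the at(1) daemon, and a netcat that accepts `-lu <port>` (flag spelling differs between netcat flavours); the chain name SSHKNOCK, the knock port 40123 and the one-minute window are hypothetical values chosen for the example. With DRY_RUN=1 (the default) every stage only prints the iptables commands it would run, so the logic can be read and tested on any machine.

```shell
#!/bin/sh
# Added example: "reversed port knocking" for sshd as a four-stage state machine.
# Assumptions (not from the original post): iptables + conntrack, at(1), and a
# netcat accepting "-lu PORT".  SSHKNOCK / 40123 / 1 minute are hypothetical.
SSH_PORT=${SSH_PORT:-22}
KNOCK_PORT=${KNOCK_PORT:-40123}      # high unprivileged UDP port to "ping"
OPEN_WINDOW=${OPEN_WINDOW:-1}        # minutes the door stays open (at(1) granularity)
CHAIN=${CHAIN:-SSHKNOCK}
DRY_RUN=${DRY_RUN:-1}                # 1 = print the commands instead of running them

# Either execute a command or echo it, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One-time setup: keep already established sessions alive at INPUT level so
# that falling back to stage 1 never cuts off the session you just opened,
# then send every packet for the ssh port through our own chain.
setup_chain() {
    run iptables -N "$CHAIN" 2>/dev/null || true
    run iptables -I INPUT 1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -I INPUT 2 -p tcp --dport "$SSH_PORT" -j "$CHAIN"
}

# Stage 1: every packet to the ssh port is plainly dropped.
stage_closed() {
    run iptables -F "$CHAIN"
    run iptables -A "$CHAIN" -j DROP
}

# Stage 2: the knock arrived; accept new connections for a short window.
stage_open() {
    run iptables -F "$CHAIN"
    run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run iptables -A "$CHAIN" -m conntrack --ctstate NEW -j ACCEPT
}

# Stage 3: a login succeeded; keep existing sessions, refuse new ones.
stage_established_only() {
    run iptables -F "$CHAIN"
    run iptables -A "$CHAIN" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    run iptables -A "$CHAIN" -j DROP
}

# Stage 4: queue the return to stage 1 with at(1) once the window has passed.
schedule_closed() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo '$0 closed' | at now + $OPEN_WINDOW minutes"
    else
        echo "$0 closed" | at "now + $OPEN_WINDOW minutes"
    fi
}

# The "dozen perl lines" replaced by netcat: block until one UDP datagram hits
# the knock port, open the door, and schedule the close.
knock_listener() {
    while :; do
        nc -lu "$KNOCK_PORT" </dev/null | head -c 1 >/dev/null
        stage_open
        schedule_closed
    done
}

case "${1:-}" in
    setup)       setup_chain ;;
    closed)      stage_closed ;;
    open)        stage_open; schedule_closed ;;
    established) stage_established_only ;;   # call this from a login hook
    listen)      knock_listener ;;
esac
```

Run `setup` once, `listen` as a daemon, and `established` from whatever hook fires after a successful login (a PAM session exec or the admin user's shell profile, both assumptions here). Two points a practitioner should keep in mind: the global ESTABLISHED rule in setup_chain is what makes stage 1 safe to return to while you are logged in, and a bare UDP datagram is not a secret, so the short window, not the knock itself, is the only thing limiting who can get a connection attempt through to sshd.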