[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

pf port knocking



Hey all
I am getting tired of seeing the following popping up every day (with
various IPs) on my log server.
* ROOT FAILURES 
jasper ssh2(pw) @221.143.156.58(3) 
* User Failures 
admin ssh2(pw) jasper(2) 
andrew ssh2(pw) jasper(1) 
angel ssh2(pw) jasper(1) 
barbara ssh2(pw) jasper(1) 
ben ssh2(pw) jasper(1) 
betty ssh2(pw) jasper(1) 
billy ssh2(pw) jasper(1) 
black ssh2(pw) jasper(1) 
blue ssh2(pw) jasper(1) 
brandon ssh2(pw) jasper(1) 
brian ssh2(pw) jasper(1) 
buddy ssh2(pw) jasper(1) 
carmen ssh2(pw) jasper(1) 
charlie ssh2(pw) jasper(1) 
daniel ssh2(pw) jasper(1) 
david ssh2(pw) jasper(1) 
dog ssh2(pw) jasper(1) 
emily ssh2(pw) jasper(1) 
eric ssh2(pw) jasper(1) 
god ssh2(pw) jasper(1) 
green ssh2(pw) jasper(1) 
guest ssh2(pw) jasper(1) 
henry ssh2(pw) jasper(1) 
jane ssh2(pw) jasper(1) 
jason ssh2(pw) jasper(1) 
jeremy ssh2(pw) jasper(1) 
joe ssh2(pw) jasper(1) 
johnny ssh2(pw) jasper(1) 
jordan ssh2(pw) jasper(1) 
justin ssh2(pw) jasper(1) 
larisa ssh2(pw) jasper(1) 
lion ssh2(pw) jasper(1) 
lp ssh2(pw) jasper(1) 
lucy ssh2(pw) jasper(1) 
magic ssh2(pw) jasper(1) 
mail ssh2(pw) jasper(1) 
maria ssh2(pw) jasper(1) 
market ssh2(pw) jasper(1) 
matthew ssh2(pw) jasper(1) 
max ssh2(pw) jasper(1) 
michael ssh2(pw) jasper(1) 
nathan ssh2(pw) jasper(1) 
nicholas ssh2(pw) jasper(1) 
nicole ssh2(pw) jasper(1) 
operator ssh2(pw) jasper(1) 
pub ssh2(pw) jasper(1) 
red ssh2(pw) jasper(1) 
robin ssh2(pw) jasper(1) 
rose ssh2(pw) jasper(1) 
shell ssh2(pw) jasper(1) 
stephen ssh2(pw) jasper(1) 
steven ssh2(pw) jasper(1) 
system ssh2(pw) jasper(1) 
test ssh2(pw) jasper(2) 
tom ssh2(pw) jasper(1) 
user ssh2(pw) jasper(1) 
vampire ssh2(pw) jasper(1) 
william ssh2(pw) jasper(1) 
yellow ssh2(pw) jasper(1) 
Just script kiddies most probably. Plus, we use public/private keys on
"jasper" so it's not like people are going to get in that way. However,
having the port wide open does give the possibility that a bug in the
SSH daemon (if one pops up) could open the door for a hacker to get in.
Further, "jasper" is the only machine that is externally accessible via
SSH (the only other open ports are domain, web and mail on other
servers). I need to leave SSH open as a number of people work remotely
and tunnel through it to some of the services on the internal network. 
Additionally, we are about to setup a system to run a VPN between our
office and some contractors. I would like that box's IP to appear
offline/completely closed (until required) as well.
To sum up, apart from web, mail and domain (to specific servers), I
would much prefer that every port appear closed. To achieve this, I
would like to implement port knocking on the gateway firewall (runs
OBSD 3.4 and pf). For those unfamiliar with the technique, it is like
knocking a certain pattern/code on a door to open it. Here, you fire
connections at a server on designated ports to instruct the firewall to
open a port. So, if the firewall detects a connection on ports 14289,
32883, 1234 and 3428 (in that order), port 22 is opened for the
relevant IP address.
Has anyone heard of anyone working on a portknocking daemon for
OBSD/pf? There are a couple of basic setups over at
www.portknocking.org but thought I would check here before attempting a
port. 
If no work has begun, I think I will take the perl prototype script
they have at portknocking.org and see what I can do for pf. I would
imagine I will have to setup anchors in pf which I haven't done yet but
am sure I will get my head around it. Any pointers would be
appreciated! :)
I will also need to write a windows util to do the knocking for the
contractors - can Perl run on a Windows machine or will I have to dust
off my C compiler? :)
Andrew
Find local movie times and trailers on Yahoo! Movies.
http://au.movies.yahoo.com