portknocking question

on 07.10.2006 19:26:23 by Noah Garrett Wallach

Hi there,

I have really specific needs and am wondering if somebody has written a
port knocker out there already that fits the criteria of what I am
looking for.

Portknocker capabilities:

1) User needs to telnet to specific port and/or log into a website.
2) Learns the IP address that the user is coming from in step 1.
3) Opens the ssh port specifically to the IP address grabbed in step 1
but also keeps the ssh port open to statically defined IPs in
/etc/rc.firewall .
4) As soon as the user disconnects from the ssh port the IP address in
step 1 no longer can access the ssh port unless they log back in like
the procedure in step 1.

I reviewed two programs doorman and knock (found in FreeBSD
/usr/ports/security)

Doorman Review:
I am unable to figure out how to configure the ability to capture the
IP address of where the UDP packet was sent from. Therefore this program
does not completely match what I am looking for, or I do not
understand how to configure it.

Knock Review:
This is nice but still requires closing the port as a step when done.
It would be nice to automatically close the ssh port when the user
disconnects from the ssh port. Also I am not clear but I don't think
there is a way to grab the source IP address, right?

Anybody know of other programs I could check out?

Cheers,

Noah

Re: portknocking question

on 08.10.2006 04:33:50 by ibuprofin

On Sat Oct 7 2006, in the Usenet newsgroup comp.os.linux.networking in article
<1160242129.034214.149420@b28g2000cwb.googlegroups.com>, AND IN the Usenet
newsgroup comp.security.firewalls in article
<1160241983.357893.136210@b28g2000cwb.googlegroups.com>, Noah Garrett Wallach
wrote:

[Please don't post the same article to multiple newsgroups. If you must,
put up to five newsgroup names, comma separated as I've done here, and set
the Followup-To: header - which I haven't done here because I've no idea
where you are reading]

>I have really specific needs and wondering if somebody has written a
>port knocker out there already that fits the criteria of what I am
>looking for.

Well, let's stop for a moment and ask what _Operating_System_ you are using?
You posted to a Linux newsgroup, but your headers say Mac OSX, and you
mention FreeBSD below. That really does make a difference.

>1) User needs to telnet to specific port and/or log into a website.
>2) Learns the IP address that the user is coming from in step 1.
>3) Opens the ssh port specifically to the IP address grabbed in step 1
>but also keeps the ssh port open to statically defined IPs in
>/etc/rc.firewall .

The normal technique is to attempt to telnet to an otherwise closed port,
and let your firewall react by opening a different port for perhaps one
minute to that address from where you attempted the telnet. If you don't mind
being accused of "Security By Obscurity", this _could_be_ something like

Telnet remote.host 25096
Connection Refused
SSH remote.host 9629
Login:

In this example, you can also put traps at ports 9625 and 9635 that _close_
the firewall access to 9629. This catches port scanners. OBVIOUSLY, USE
RANDOM NUMBERS FOR THOSE PORTS. I happen to have chosen those by looking
at the size of a file in my home directory that was 2509629 bytes.

>4) As soon as the user disconnects from the ssh port the IP address in
>step 1 no longer can access the ssh port unless they log back in like
>the procedure in step 1.

Normal routine is to open the SSH port for NEW connections for a minute. The
firewall rule that allows _established_ connections handles the connection
after the one minute.
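The scheme described in the two paragraphs above (a knock on a closed port arms the source address, NEW connections to the ssh port are accepted from it for one minute, trap ports on either side revoke that, and an established-connections rule keeps the session alive after the window), as an added example that is not part of the original thread: a small Python model of the per-packet decision such a firewall makes. Port numbers are the ones from the reply; the static-allow address, the flows and the timestamps are constructed for the example.

```python
# Added example, not from the thread: a model of the knock-and-open firewall
# policy with a one-minute window, trap ports and an ESTABLISHED rule.
from dataclasses import dataclass, field

KNOCK_PORT = 25096           # otherwise-closed port; connecting here arms access
SSH_PORT = 9629              # port opened for the knocking address
TRAP_PORTS = {9625, 9635}    # touching these revokes access (catches scanners)
WINDOW = 60                  # seconds during which a NEW ssh connection is accepted
STATIC_ALLOW = {"192.0.2.10"}  # constructed stand-in for the /etc/rc.firewall IPs


@dataclass
class Firewall:
    armed: dict = field(default_factory=dict)      # src ip -> time of last knock
    established: set = field(default_factory=set)  # (src ip, src port) flows

    def packet(self, src, sport, dport, syn, now):
        """Return 'ACCEPT' or 'DROP' for one inbound TCP packet at time `now`."""
        flow = (src, sport)
        # Rule 1: packets of an already-established flow are always allowed;
        # this is what keeps the session up after the one-minute window closes.
        if not syn and flow in self.established:
            return "ACCEPT"
        # Rule 2: a knock on the closed port arms the source for WINDOW seconds.
        # The knock itself is still refused, exactly as in the reply's transcript.
        if dport == KNOCK_PORT:
            self.armed[src] = now
            return "DROP"
        # Rule 3: hitting a trap port disarms the source immediately, so a
        # sequential scan that passes 9625 or 9635 never gets the ssh port.
        if dport in TRAP_PORTS:
            self.armed.pop(src, None)
            return "DROP"
        # Rule 4: a NEW ssh connection is accepted only from a static IP or from
        # a source whose knock is still inside the window.
        if dport == SSH_PORT and syn:
            recent = src in self.armed and now - self.armed[src] <= WINDOW
            if src in STATIC_ALLOW or recent:
                self.established.add(flow)
                return "ACCEPT"
        return "DROP"

    def close(self, src, sport):
        """Connection teardown: forget the flow (the conntrack entry expires)."""
        self.established.discard((src, sport))
```

Once the window has passed, a disconnected user has to knock again before a new ssh connection is accepted, which is the behaviour asked for in point 4.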

>I reviewed two programs doorman and knock (found in FreeBSD
>/usr/ports/security)

You should also be able to do it directly with your firewall rules, but it's
highly dependent on which operating system you are using.

>Anybody know of other programs I could check out?

You are posting from a search engine. Did you think to try searching there
for the terms "port+knocking" and the name of your O/S ?

Web Results 1 - 10 of about 592,000 for port+knocking Linux. (0.15
seconds)

Web Results 1 - 10 of about 267,000 for port+knocking OSX. (0.21
seconds)

Web Results 1 - 10 of about 148,000 for port+knocking FreeBSD. (0.15
seconds)

Web Results 1 - 10 of about 79,000 for port+knocking OpenBSD. (0.15
seconds)

Web Results 1 - 10 of about 66,200 for port+knocking NetBSD. (0.25
seconds)

Notice - it varies by O/S. Who would have thought?

Old guy