Mailing List Archive

Protect SSH
Someone may have my root password using a keylogger, so even after
changing the password from another place I would like to make my ssh
connection REALLY secure. I have already thought about changing the port from
22 to something like 8080, but I would like to do something like a
"trigger" so that if I connect to some port then sshd is started... any
ideas???

--
Luis Diaz - A project obsessive! :oP
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
On Thu, 31 Mar 2005, Luis Diaz wrote:

> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???

Port knocking.

http://www.portknocking.org/


--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
The concept of watching a port or ports for connections or combination
of connections has been implemented in Port Knocking. You can read all
about it here:
http://www.portknocking.org

Brian

On Thu, 2005-03-31 at 11:42, dan wrote:

> You could write a script to listen for mail messages so that
> start@example.com will start up the sshd and stop@example.com will
> stop the sshd. Or even something along the lines of ssh@example.com
> "Subject start" and ... you get the idea.
>
> later,
> dan
>
>
>
> On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> > Someone may have my root password using a keylogger, so even after
> > changing the password from another place I would like to make my ssh
> > connection REALLY secure. I have already thought about changing the port from
> > 22 to something like 8080, but I would like to do something like a
> > "trigger" so that if I connect to some port then sshd is started... any
> > ideas???
> >
> > --
> > Luis Diaz - A project obsessive! :oP
> > --
> > gentoo-security@gentoo.org mailing list
> >
> >
> --
> gentoo-security@gentoo.org mailing list
>
>
Re: Protect SSH
You could write a script to listen for mail messages so that
start@example.com will start up the sshd and stop@example.com will
stop the sshd. Or even something along the lines of ssh@example.com
"Subject start" and ... you get the idea.

later,
dan



On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???
>
> --
> Luis Diaz - A project obsessive! :oP
> --
> gentoo-security@gentoo.org mailing list
>
>
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
Luis Diaz wrote:

>Someone may have my root password using a keylogger, so even after
>changing the password from another place I would like to make my ssh
>connection REALLY secure. I have already thought about changing the port from
>22 to something like 8080, but I would like to do something like a
>"trigger" so that if I connect to some port then sshd is started... any
>ideas???
>
>
>
See http://www.portknocking.org
That is exactly what you are looking for.
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
Try something like port knocking. Do a google search on the term and you
will find several articles.

On Thu, 2005-03-31 at 13:32 -0300, Luis Diaz wrote:
> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???
>

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
Check out port knocking, for that extra layer :-)
http://gentoo-wiki.com/HOWTO_Port_Knocking


Luis Diaz wrote:

>Someone may have my root password using a keylogger, so even after
>changing the password from another place I would like to make my ssh
>connection REALLY secure. I have already thought about changing the port from
>22 to something like 8080, but I would like to do something like a
>"trigger" so that if I connect to some port then sshd is started... any
>ideas???
>
>
>

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
On Thu, 31 Mar 2005 13:32:12 -0300, Luis Diaz <diazluis@gmail.com> wrote:
> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???

Google for "port knocking"...it basically allows you to specify a set
sequence of ports that you need to hit in a certain order before ssh
will accept connections.
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
On Thu, 2005-03-31 at 13:32 -0300, Luis Diaz wrote:
> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???

www.portknocking.org

HTH

--
trepo

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
On Thursday 31 March 2005 11:32 am, Luis Diaz wrote:
> I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???

`emerge knock`
-mike
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
On Thursday, 31 March 2005 18:32, Luis Diaz wrote:
> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???

At one time I had a .procmailrc and some scripts running for triggering specific
actions on receipt of a mail with a distinct subject line. The actions were
encoded inside the mail in a sort of modified shell script.

In the end I used the mechanism a few times, mostly to be glad to have such an
"intelligent" moloch, and left it down in the dark of some harddisk ;-)

Kind regards - Eckard

--
gentoo-security@gentoo.org mailing list
Re: SPAM:: Protect SSH
Sounds like you want to implement "Port Knocking"...
http://www.portknocking.org/
http://www.linuxjournal.com/article/6811

Luis Diaz wrote:
> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???
>
--
gentoo-security@gentoo.org mailing list
RE: Protect SSH
Moving sshd to another port is helpful but I would also disable
interactive login (passwd) and rely on certificates secured with
passphrases. As far as port knocking, this is relatively well
documented with numerous solutions. Hell someone's even created a site
dedicated to it. http://www.portknocking.org/

http://cryptknock.sourceforge.net/

-jeff

-----Original Message-----
From: Luis Diaz [mailto:diazluis@gmail.com]
Sent: Thursday, March 31, 2005 11:32 AM
To: gentoo-security@robin.gentoo.org
Subject: [gentoo-security] Protect SSH

Someone may have my root password using a keylogger, so even after
changing the password from another place I would like to make my ssh
connection REALLY secure. I have already thought about changing the port from
22 to something like 8080, but I would like to do something like a
"trigger" so that if I connect to some port then sshd is started... any
ideas???

--
Luis Diaz - A project obsessive! :oP
--
gentoo-security@gentoo.org mailing list


--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
On Thursday 31 March 2005 18:32, Luis Diaz wrote:

> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???

This technique is called "port knocking" (dynamic opening of filtered ports
based on tcp port-knocking sequences).

Just have a look at http://portknocking.org/view/implementations
Maybe this is what you're looking for...

cu,
Helmut

--
Helmut Wuensch, Dompfaffstr. 140, 91056 Erlangen
PGP/GPG public key available at http://www.helmut-wuensch.de
fingerprint: 20B7 519F 8912 4606 F516 FF2D 417E EF82 5C9E 235A
Re: Protect SSH
On 31.03.2005, at 18:32, Luis Diaz wrote:
> Someone may have my root password using a keylogger,
I'm not familiar with those things. But, if someone is able to install a
keylogger on your machine he may have installed rootkits too.

> I have already thought about changing the port from 22 to something like 8080
imho, that's "security through obscurity" and a waste of time.

Disabling password and root logins and therefore using public-key
authentication should be one of the easiest ideas.
--
Daniel Martin

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
On Thursday 31 March 2005 18:32 CET Luis Diaz wrote:
> [...] I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???

http://www.portknocking.org/

Cheers,
Malte
--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
"Port knocking" is bad, very, very bad (as long as it's implemented on the
same box that's running sshd, that is). There is no extra layer. "Port
knocking" at first looks like an additional layer of protection before
one gets to SSH, but that's only when everything works right. When
things go wrong, i.e. if the (root)exploit is in the "port knocking"
daemon itself, well then ... game over, owned. The bad guys are in - on
just one layer; an entryway into your system that didn't even exist
previously. (Note that the "port knocking" usually adjusts filter rules,
that's typically a root level task.)

I'd think about bastion hosts and tcpwrapping ... my 2 cents.

--
Andreas Waschbuesch, GAUniversity KG MA FNZ FK01
eMail: awaschb@gwdg.de
Re: Protect SSH
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel Martin wrote:

>
> Disabling password and root-logins and therefor using a public-key
> authentication should be one of the easiest ideas.

In most cases this is probably true. But what if you use OTP to log in
to your server from a non-trustworthy box? Will you then use sudo and
have all your efforts gone in case of a keylogger on the potentially
affected machine? So I prefer disabling passwords and using skey, leaving
root login enabled. I have hundreds of ssh attempts per day and, just
in case my paranoia is not satisfied enough, a trigger in the database
logs (PostgreSQL) would send me an sms if someone succeeded from an
unauthorized IP.

My 0.2 ¤

- --
Christophe Garault
Take your marks:
Gen too three: Emerge!


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCTDolJ5Nh3YMYAQsRAuMpAJwLu49zzQKUcmYwXi1NYiJvvWbYdwCfWneZ
pPLXF/i7vmCzEjbY6DvZnS4=
=EeTy
-----END PGP SIGNATURE-----


--
gentoo-security@gentoo.org mailing list
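The advice from jeff, Daniel Martin and Christophe above comes down to a few sshd_config keywords. As an added example that is not part of the thread, the following Python script audits an sshd_config text against that advice, showing a weak configuration (password login straight to root) beside a hardened one. The two configurations are constructed samples, the assumed defaults for absent keywords are those of the OpenSSH releases current in 2005, and Match blocks are not handled. Christophe's skey setup would deliberately keep ChallengeResponseAuthentication on, so treat that row as policy-dependent.

```python
import re

# Constructed sample (not from the thread): what the thread warns about,
# a password login straight to root.
WEAK_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Hardened counterpart: key-based logins only, no direct root login.
HARDENED_CONFIG = """\
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
"""

# keyword -> (value we require, value sshd assumes when the line is absent).
# Assumed defaults are those of the OpenSSH 3.x/4.x releases of 2005.
# ChallengeResponseAuthentication is included because PAM can still ask for
# a password via keyboard-interactive when only PasswordAuthentication is off.
REQUIRED = {
    "protocol": ("2", "2,1"),
    "permitrootlogin": ("no", "yes"),
    "passwordauthentication": ("no", "yes"),
    "challengeresponseauthentication": ("no", "yes"),
    "pubkeyauthentication": ("yes", "yes"),
}


def parse_sshd_config(text):
    """Return {keyword: value} for a plain sshd_config (no Match blocks).
    Keywords are case-insensitive and, as in sshd itself, the FIRST
    occurrence of a keyword wins; later duplicates are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def audit_sshd_config(text):
    """Return [(keyword, effective value, required value)] for each
    required setting the configuration does not meet."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (wanted, default) in REQUIRED.items():
        actual = settings.get(key, default)
        if actual.lower() != wanted:
            findings.append((key, actual, wanted))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or 'no findings'}")
```

Run it as `python3 audit_sshd.py`, or feed it a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`. The first-occurrence rule matters in practice: a hardening line appended at the end of a file that already sets `PasswordAuthentication yes` near the top changes nothing, and the audit reports it that way.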
Re: Protect SSH
On Thursday, 2005-03-31 at 13.32, Luis Diaz wrote:
> Someone may have my root password using a keylogger, so even after
> changing the password from another place I would like to make my ssh
> connection REALLY secure. I have already thought about changing the port from
> 22 to something like 8080, but I would like to do something like a
> "trigger" so that if I connect to some port then sshd is started... any
> ideas???
>

Use a smartcard / USB token. If it is in your pocket, nobody can use your
account. You can get one for about 30 euros.

--
Regards:
Jo-Hans

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
Why are you not using key pairs and disallowing root access to ssh?

/Uwe

Luis Diaz wrote:

>Someone may have my root password using a keylogger, so even after
>changing the password from another place I would like to make my ssh
>connection REALLY secure. I have already thought about changing the port from
>22 to something like 8080, but I would like to do something like a
>"trigger" so that if I connect to some port then sshd is started... any
>ideas???
>
>
>
Re: Protect SSH
On Thursday 31 March 2005 19:49, Andreas Waschbuesch wrote:

> one gets to SSH, but that's only when everything works right. When
> things go wrong, i.e. if the (root)exploit is in the "port knocking"
> daemon itself, well then ... game over, owned.

True, but why do we have to use a portknock daemon with root privileges?

One could just set up a (for example iptables) firewall with some LOG-target
rules, and a non-root perl script parses these log entries.
If there is a specific signature in the logfile, the script could start an
ssh service on a high port, so there will not be much need for
root privileges....

btw, never tested it. Only a kind of thought experiment :)

> I'd think about bastion hosts and tcpwrapping ... my 2 cents.

Very recommended, of course!


cu,
Helmut

--
Helmut Wuensch, Dompfaffstr. 140, 91056 Erlangen
PGP/GPG public key available at http://www.helmut-wuensch.de
fingerprint: 20B7 519F 8912 4606 F516 FF2D 417E EF82 5C9E 235A
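The mechanism described above (a knock sequence of ports hit in a fixed order, detected by an unprivileged script reading iptables LOG lines) can be shown in a few dozen lines. The following Python script is an added example, not code from the thread or from any port-knocking project: it parses constructed syslog lines as a rule like `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "KNOCK: "` would produce (kernel timestamp fields are omitted from the samples), tracks each source's progress through an assumed sequence 7000, 8000, 9000, and resets a source on a wrong port or when the sequence takes longer than an assumed 10-second window. It only decides; as the next reply in the thread points out, acting on the decision (inserting the ACCEPT rule it formats, or starting sshd) still needs root, so that step belongs in a separate privileged helper.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of iptables LOG output (documentation-range addresses,
# not real systems). Three sources: one knocks correctly, one is too slow
# and out of order, one is correct but exceeds the window on the last knock.
SAMPLE_LOG = """\
Mar 31 18:40:01 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=7000 SYN
Mar 31 18:40:02 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=8000 SYN
Mar 31 18:40:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=7000 SYN
Mar 31 18:40:03 gw kernel: KNOCK: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=9000 SYN
Mar 31 18:40:30 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=9000 SYN
Mar 31 18:41:00 gw kernel: KNOCK: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=8000 SYN
Mar 31 18:45:00 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=7000 SYN
Mar 31 18:45:01 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=33001 DPT=8000 SYN
Mar 31 18:45:40 gw kernel: KNOCK: IN=eth0 OUT= SRC=192.0.2.77 DST=192.0.2.10 PROTO=TCP SPT=33002 DPT=9000 SYN
"""

KNOCK_SEQUENCE = [7000, 8000, 9000]   # assumed example sequence
KNOCK_WINDOW = timedelta(seconds=10)  # whole sequence must arrive within this
SSH_PORT = 22                         # port the ACCEPT rule would open

LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: KNOCK: .*?"
    r"SRC=(?P<src>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)


def parse_knocks(text, year=2005):
    """Yield (timestamp, source_ip, destination_port) for each KNOCK line.
    syslog timestamps carry no year, so one is supplied."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not one of our LOG-target lines
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["src"], int(m["dpt"])


def find_completed_knocks(text, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
    """Return [(source_ip, completion_time)] for every source that sent the
    whole sequence, in order, within the window. A wrong port or an
    expired window resets that source's progress."""
    progress = {}      # src -> (next index into sequence, time of first knock)
    completed = []
    for ts, src, port in parse_knocks(text):
        idx, started = progress.get(src, (0, ts))
        if idx > 0 and ts - started > window:
            idx, started = 0, ts          # too slow: start over
        if port == sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
        else:
            # wrong port: restart, and count this knock if it is the first one
            idx, started = (1, ts) if port == sequence[0] else (0, ts)
        if idx == len(sequence):
            completed.append((src, ts))
            idx = 0
        progress[src] = (idx, started)
    return completed


def accept_rule(src, port=SSH_PORT):
    """Format the firewall change a privileged helper would apply for one
    source; this script never runs it itself."""
    return f"iptables -I INPUT -p tcp -s {src} --dport {port} -j ACCEPT"


if __name__ == "__main__":
    for src, when in find_completed_knocks(SAMPLE_LOG):
        print(f"{when}: {src} completed the sequence -> {accept_rule(src)}")
```

Running it prints one line, for 203.0.113.7; the other two sources never qualify. Note that with this scheme the log parser runs unprivileged, but the LOG rules are still root-level firewall state, and the sshd that is eventually reached is still the real authentication boundary.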
Re: Protect SSH
On Thu, 2005-03-31 at 20:35 +0200, Helmut Wuensch wrote:
> One could just set up a (for example iptables) firewall with some LOG-target
> rules, and a non-root perl script parses these log entries.
> If there is a specific signature in the logfile, the script could start an
> ssh service on a high port, so there will not be much need for
> root privileges....

In that scheme, you have to be root to start sshd. Somewhere you will
have to gain privileges. Even if you can get around that, it still
smacks of security through obscurity.

--
gentoo-security@gentoo.org mailing list
Re: Protect SSH
Another question under same topic.

Is it possible to automatically add hosts that try to log in as root to
hosts.deny? If so, how? And also how would I get that to happen for
everyone who fails to log in after a certain number of tries?

Thanks.


--
gentoo-security@gentoo.org mailing list
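The question above has no answer in the thread; as an added example that is not from any poster, the following Python script shows the log-driven half of it: it reads constructed sshd auth log lines, marks a source for denial as soon as it fails a root login or reaches an assumed threshold of three failures, and merges the resulting `sshd: address` entries into hosts.deny text without duplicating existing ones. It assumes sshd is built with tcp_wrappers (libwrap) support, which is what makes hosts.deny apply to it at all, and it deliberately does not write the file: run it from cron or a log tail as root, review the output, and keep your own addresses in hosts.allow first so a typo in a password cannot lock you out.

```python
import re
from collections import Counter

# Constructed sample of sshd auth log lines (documentation-range addresses).
SAMPLE_AUTH_LOG = """\
Mar 31 18:50:01 gw sshd[2201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar 31 18:50:05 gw sshd[2203]: Failed password for invalid user admin from 198.51.100.9 port 40010 ssh2
Mar 31 18:50:09 gw sshd[2205]: Accepted publickey for luis from 192.0.2.77 port 33010 ssh2
Mar 31 18:50:12 gw sshd[2207]: Failed password for luis from 198.51.100.9 port 40011 ssh2
Mar 31 18:50:15 gw sshd[2209]: Failed password for luis from 198.51.100.9 port 40012 ssh2
Mar 31 18:50:20 gw sshd[2211]: Accepted password for luis from 198.51.100.9 port 40013 ssh2
"""

# Matches "Failed password for root from A.B.C.D port N" and the
# "invalid user" variant sshd logs for unknown account names.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def offending_sources(log_text, threshold=3):
    """Return the sorted list of source addresses that either failed a
    login as root or accumulated `threshold` or more failed logins."""
    failures = Counter()
    deny = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue                      # successful logins, other daemons
        src = m["src"]
        if m["user"] == "root":
            deny.add(src)                 # one failed root attempt is enough
        failures[src] += 1
        if failures[src] >= threshold:
            deny.add(src)
    return sorted(deny)


def hosts_deny_lines(sources, daemon="sshd"):
    """Format tcp_wrappers entries: 'daemon: client' per line."""
    return [f"{daemon}: {src}" for src in sources]


def merge_hosts_deny(existing_text, new_lines):
    """Return hosts.deny contents with new entries appended, skipping any
    entry already present so repeated runs do not grow the file."""
    kept = existing_text.splitlines()
    present = {ln.strip() for ln in kept}
    for ln in new_lines:
        if ln not in present:
            kept.append(ln)
            present.add(ln)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    current = "sshd: 203.0.113.7\n"       # constructed existing hosts.deny
    new = hosts_deny_lines(offending_sources(SAMPLE_AUTH_LOG))
    print(merge_hosts_deny(current, new), end="")
```

On the sample, 203.0.113.7 is denied for the root attempt and 198.51.100.9 for three failures, even though its fourth attempt succeeded; whether a later success should clear the counter is a policy choice the script leaves to you. Entries added this way stay until removed, so pair the script with a periodic expiry if the addresses are dynamic.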
