Date: Wed, 5 Oct 2005 00:20:31 +0400
From: boger
To: Tobias Sager
Subject: Re: [gentoo-security] Port knocking
Message-ID: <1177286025.20051005002031@ttk.ru>
In-Reply-To: <4342DBEF.7050907@gmx.ch>
References: <43404CB8.3@lunatic.net.nz> <20051002211923.GA3186@maxiez.national-net.com> <43412B8F.5040207@cs.utk.edu> <20051003141852.4cugwa2ic0ckkk0c@www.rnl.ist.utl.pt> <43416522.4010407@lenderlab.com> <366975610.20051004202554@ttk.ru> <4342B8DE.1010206@lenderlab.com> <4342DBEF.7050907@gmx.ch>
List-Id: Gentoo Linux mail
Reply-to: gentoo-security@lists.gentoo.org

Hello Tobias,

TS> That's a possibility I once saw on slashdot:
TS>
TS> iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
TS> iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
TS> iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name PART1 \
TS>   -m recent --rcheck --seconds 30 --name PART2 \
TS>   -m recent --rcheck --seconds 30 --name PART3 -j ACCEPT

It's the best :) I'll add some protection from plain port scans.

iptables -A INPUT -p tcp --dport 999 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 1001 -m recent --remove --name PART1
...

TS> There are numerous knock, knock implementations listed at:
TS> http://www.portknocking.org/view/implementations/implementations

I found this page not long ago; temprules looks the most promising. I'm currently experimenting with it.

TS> IMHO, the problem with "normal" port knocking tools is the dependency on
TS> client software. I would prefer a solution which can be used without
TS> (too much) hassle (eg. using telnet and then putty or such).
TS> This evidently is not possible when using more sophisticated port
TS> knocking with timing or specially crafted / encrypted packages, unless
TS> you have a really good feel for timing.. ;-)

Same for me ;) or even a web browser: http://somehost:123

--
Best regards,
boger mailto:boger@ttk.ru

--
gentoo-security@gentoo.org mailing list
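As an added illustration (not code from the thread), this Python models the `recent`-match rules quoted above plus the 999/1001 anti-scan rules, so the knock logic can be checked without root or a kernel: the correct knock opens port 22, a linear port scan trips the anti-scan rules, and a knock older than 30 seconds is refused. It assumes a `--remove` rule whose address is absent is a no-op and that `--rcheck --seconds N` compares against the last `--set` timestamp; because the three lists are independent, it also shows that the knocks are accepted in any order.

```python
# Model of the iptables "recent" match rules from the thread.  Assumptions:
# a --remove for an address not on the list is a no-op, and --rcheck --seconds N
# matches only if the address was last --set on that list within N seconds.
WINDOW = 30  # --seconds 30 on the final --rcheck rule

# Chain order as quoted: --remove rules before --set rules.
# Ports 999 and 1001 are boger's extra anti-scan rules from the reply.
RULES = [
    (999,  "remove", "PART1"),
    (1001, "remove", "PART1"),
    (1000, "remove", "PART1"),
    (2000, "remove", "PART2"),
    (3000, "remove", "PART3"),
    (1000, "set",    "PART1"),
    (2000, "set",    "PART2"),
    (3000, "set",    "PART3"),
]
KNOCK_LISTS = ("PART1", "PART2", "PART3")


def ssh_accepted(packets):
    """packets: constructed list of (seconds, dport) from one source address.
    Returns True if any packet to port 22 in the sequence would be ACCEPTed."""
    last_seen = {}  # recent list name -> timestamp of the last --set
    accepted = False
    for ts, dport in packets:
        if dport == 22:
            # -m recent --rcheck --seconds 30 --name PARTn, stacked for all three
            if all(n in last_seen and ts - last_seen[n] <= WINDOW for n in KNOCK_LISTS):
                accepted = True
            continue
        for rule_port, action, name in RULES:
            if rule_port != dport:
                continue
            if action == "remove":
                last_seen.pop(name, None)
            else:  # "set": add or refresh the source on the list
                last_seen[name] = ts
    return accepted


if __name__ == "__main__":
    # Correct knock sequence: prints True
    print(ssh_accepted([(0, 1000), (1, 2000), (2, 3000), (3, 22)]))
    # Sequential scan 999,1000,1001,...: port 1001 clears PART1, prints False
    print(ssh_accepted([(0, 999), (1, 1000), (2, 1001), (3, 2000), (4, 3000), (5, 22)]))
```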