
The sysadmin always knocks twice

I finally got started reading the security issue of ;login: on the plane to and from Arkansas, and ran across an article about a splendid little bit of paranoia.

The theory runs like this: most packet-filtering firewalls log rejected attempts. So why not do something with that log data?

  1. Close the ssh port in the firewall.
  2. Install a utility, fwknop, which monitors logging of rejected connections at the firewall.
  3. Have that utility briefly open the ssh port (long enough for a connection to be established—maybe thirty seconds) for a specific IP address, only in response to a specific combination of failed connection attempts (or “knocks”) at various closed ports, using different protocols.

So, for example, if this utility sees the firewall rejecting packets at 668/tcp, 345/udp, icmp, 228/udp and 973/tcp, in that order, from a particular external IP, it opens 22/tcp to that IP address for thirty seconds. A connection is established, and the port is closed again (the already-established connection stays up).
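The mechanism described above, as an added example (not fwknop's own code, and not from the original post): a small log monitor that reads iptables-style REJECT lines, tracks each source address's progress through the knock sequence from the post (668/tcp, 345/udp, icmp, 228/udp, 973/tcp, in that order), and emits an "open 22/tcp for thirty seconds" action only when the full sequence completes in order. The log line format, the epoch timestamp prefix, the sample addresses and the ten-second knock window are all constructed assumptions for the example.

```python
# Port-knock monitor over firewall reject logs. Added illustration, not fwknop code.
# Assumed log format (constructed): "<epoch-seconds> kernel: REJECT IN=... SRC=... PROTO=... DPT=..."

# Knock sequence from the post: (protocol, destination port); ICMP carries no port.
KNOCK_SEQUENCE = [("tcp", 668), ("udp", 345), ("icmp", None), ("udp", 228), ("tcp", 973)]
KNOCK_WINDOW = 10.0   # seconds from first to last knock (assumed value)
OPEN_SECONDS = 30     # how long 22/tcp stays open, per the post
SSH_PORT = 22


def parse_reject_line(line):
    """Return (timestamp, src, proto, dport) from a reject line, or None if unparseable."""
    try:
        ts_str, rest = line.split(" ", 1)
        ts = float(ts_str)
    except ValueError:
        return None
    # iptables logs are key=value tokens; tokens without '=' (e.g. 'kernel:') are skipped.
    fields = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    dport = int(fields["DPT"]) if fields.get("DPT") else None
    return ts, fields["SRC"], fields["PROTO"].lower(), dport


class KnockMonitor:
    """Tracks per-source progress through KNOCK_SEQUENCE and reports completed knocks."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW, open_seconds=OPEN_SECONDS):
        self.sequence = sequence
        self.window = window
        self.open_seconds = open_seconds
        self.progress = {}  # src -> (index of next expected knock, time of first knock)

    def feed(self, line):
        """Consume one log line; return ('open', src, port, seconds) on a full sequence, else None."""
        parsed = parse_reject_line(line)
        if parsed is None:
            return None
        ts, src, proto, dport = parsed
        idx, started = self.progress.get(src, (0, ts))
        # A partial sequence that has gone stale is discarded before this knock is judged.
        if idx > 0 and ts - started > self.window:
            idx, started = 0, ts
        if (proto, dport) == self.sequence[idx]:
            if idx == 0:
                started = ts
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                return ("open", src, SSH_PORT, self.open_seconds)
            self.progress[src] = (idx, started)
        elif (proto, dport) == self.sequence[0]:
            # Wrong knock, but it is a valid first step: start a fresh attempt from it.
            self.progress[src] = (1, ts)
        else:
            # Any other rejected packet (scanner noise, wrong order) resets this source.
            self.progress.pop(src, None)
        return None


def run_monitor(lines):
    """Feed every line to a fresh monitor; return the list of open actions produced."""
    monitor = KnockMonitor()
    return [action for action in (monitor.feed(line) for line in lines) if action is not None]


# Constructed sample log: one correct knock, one scanner probe, one wrong-order attempt,
# and one correct-order attempt whose final knock arrives after the window expired.
SAMPLE_LOG = [
    "1700000000.0 kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=668",
    "1700000000.4 kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=40002 DPT=345",
    "1700000000.8 kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0",
    "1700000001.2 kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=UDP SPT=40003 DPT=228",
    "1700000001.6 kernel: REJECT IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=973",
    "1700000002.0 kernel: REJECT IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=50000 DPT=22",
    "1700000003.0 kernel: REJECT IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=50001 DPT=668",
    "1700000003.5 kernel: REJECT IN=eth0 SRC=192.0.2.9 DST=198.51.100.2 PROTO=TCP SPT=50002 DPT=973",
    "1700000010.0 kernel: REJECT IN=eth0 SRC=192.0.2.50 DST=198.51.100.2 PROTO=TCP SPT=50003 DPT=668",
    "1700000010.5 kernel: REJECT IN=eth0 SRC=192.0.2.50 DST=198.51.100.2 PROTO=UDP SPT=50004 DPT=345",
    "1700000011.0 kernel: REJECT IN=eth0 SRC=192.0.2.50 DST=198.51.100.2 PROTO=ICMP TYPE=8 CODE=0",
    "1700000011.5 kernel: REJECT IN=eth0 SRC=192.0.2.50 DST=198.51.100.2 PROTO=UDP SPT=50005 DPT=228",
    "1700000025.0 kernel: REJECT IN=eth0 SRC=192.0.2.50 DST=198.51.100.2 PROTO=TCP SPT=50006 DPT=973",
]

if __name__ == "__main__":
    for action in run_monitor(SAMPLE_LOG):
        print(action)  # only 203.0.113.7 earns an open: ('open', '203.0.113.7', 22, 30)
```

Run as-is, only the first source produces an open action; the scanner, the out-of-order attempt and the timed-out attempt do not. In a real deployment the action would be an `iptables` insert followed by a scheduled delete thirty seconds later. One point worth keeping in mind when evaluating the scheme: the knock sequence itself travels in cleartext, so this is an extra gate in front of sshd that hides it from scanners, not a substitute for sshd's own authentication.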

It’s like having a secret knock. In fact, it is having a secret knock. And the rest of the time, sshd is off-limits for all the brute-force scanners we’ve been seeing lately.

I admit I find this so cool, I’d install it. Except that it would undoubtedly be exasperating to my (small) user pool, which is already essentially humoring me in my insistence on only using SFTP and SSH for any connection requiring authentication.

I had a whole bunch of good headlines for this, too. “Knock, knock, knocking on the server’s door?”

Now Playing: Don’t Get Your Back Up from You Were Here by Sarah Harmer
