[sslh] Port Knocking for SSLH

Jason Cooper sslh at lakedaemon.net
Mon Sep 16 17:06:31 CEST 2013


Hi Kai,

On Mon, Sep 16, 2013 at 11:36:07AM +0200, Kai wrote:
> Hello all,
> 
> I guess it is not implemented, but I have the following question about a
> feature that might be interesting to implement:
> 
> There is something called Port Knocking where I can for example
> access the SSH port after I knocked on another port before.
> 
> My question is now whether and how it would be possible to implement
> this in SSLH.

I'm against this.  Port knocking [1] is, by its nature, a function of
the firewall.  No process has any business performing this function,
especially because changing the firewall necessarily requires root
privileges, and you do have sslh configured to drop privileges, right?
;-)

> For example, if I call something like a specific secret URL, then
> I am able to be forwarded to the SSH port for the next 10 seconds.
> 
> I know that SSLH is not able to terminate SSL and must forward it to
> - for example - Apache. But on Apache, I could for example run a CGI
> script that notifies SSLH in some way and tells it "please open SSHd
> forwarding for 10 minutes".

I would suggest your CGI script, at a minimum, simply write to a
specified file, e.g. /tmp/portknock/open, with permissions set
appropriately.

A separate process, with permission to change the firewall, polls for
the existence of the file, notes current time when it sees it, opens
the port, and sets a timer for itself to go close the port (and delete
the file).

I don't think any changes to sslh are necessary to accomplish this.

thx,

Jason.

[1] http://en.wikipedia.org/wiki/Port_knocking
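The file-drop scheme sketched in the message above, written out as an added example for this page; it is not sslh code and not something posted in the thread. The CGI half only creates the file; the privileged half polls for it, inserts an iptables ACCEPT rule for sshd, and removes the rule and the file when the window expires. Everything concrete here is an assumption, not from the thread: iptables as the firewall, www-data as the CGI user, /tmp/portknock/open as the file, a 10-minute window, and the PORTKNOCK_RUN guard that starts the polling loop. The owner and symlink checks are an addition a practitioner would want because the file sits in a world-writable tree.

```shell
#!/bin/sh
# Added example: privileged "port opener" for the file-drop scheme in the message.
# Not sslh code. Assumed (not from the thread): iptables as the firewall, the CGI
# runs as www-data, the knock file is /tmp/portknock/open, the window is 10 minutes.
# Run as root with PORTKNOCK_RUN=1 to start the polling loop.
set -u

KNOCK_DIR="${KNOCK_DIR:-/tmp/portknock}"   # directory the CGI script writes into
KNOCK_FILE="$KNOCK_DIR/open"               # file whose presence means "open the port"
CGI_USER="${CGI_USER:-www-data}"           # the only user whose file counts as a knock
SSH_PORT="${SSH_PORT:-22}"
OPEN_SECONDS="${OPEN_SECONDS:-600}"        # length of the open window
FW="${FW:-iptables}"                       # firewall command; replaced by a stub in tests
POLL_SECONDS="${POLL_SECONDS:-1}"

open_until=0   # epoch second at which the port closes again; 0 means closed

now() { date +%s; }

# -I puts the ACCEPT rule ahead of whatever DROP/REJECT normally hides sshd.
fw_open()  { "$FW" -I INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT; }
fw_close() { "$FW" -D INPUT -p tcp --dport "$SSH_PORT" -j ACCEPT; }

# The CGI half of the scheme (runs as $CGI_USER and never touches the firewall):
# create the file and answer the HTTP request.
cgi_knock() {
    : > "$KNOCK_FILE"
    printf 'Content-Type: text/plain\r\n\r\nknock accepted\r\n'
}

# Trust the file only if it is a regular file, not a symlink, and owned by the
# CGI user: a symlink or a file planted by another local user must not open sshd.
knock_is_valid() {
    [ -f "$KNOCK_FILE" ] && [ ! -L "$KNOCK_FILE" ] || return 1
    find "$KNOCK_DIR" -name "$(basename "$KNOCK_FILE")" -type f -user "$CGI_USER" \
        | grep -q .
}

# One poll step, driven by the caller's notion of "now" so it can be exercised
# without sleeping. Open, time and close all happen here; the file is deleted
# on close, as the message describes, so a knock during the window does not
# extend it.
poll_once() {
    t="$1"
    if [ "$open_until" -eq 0 ] && knock_is_valid; then
        fw_open
        open_until=$((t + OPEN_SECONDS))
    fi
    if [ "$open_until" -ne 0 ] && [ "$t" -ge "$open_until" ]; then
        fw_close
        rm -f "$KNOCK_FILE"
        open_until=0
    fi
}

# Daemon loop, guarded so the functions above can be sourced or tested.
if [ "${PORTKNOCK_RUN:-0}" = 1 ]; then
    while :; do
        poll_once "$(now)"
        sleep "$POLL_SECONDS"
    done
fi
```

The "permissions set appropriately" part is what makes this safe: create the directory yourself (for example `mkdir -m 0770 /tmp/portknock && chown root:www-data /tmp/portknock`) rather than letting the CGI drop a file straight into /tmp, so that only the web server's group can create the knock file and no other local user can plant one or a symlink. Note that the rule above opens sshd to every source address for the whole window; if the CGI also records `REMOTE_ADDR` in the file, the opener can add `-s <address>` to the rule and limit the window to the host that knocked.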
