[sslh] Port Knocking for SSLH
Yves Rutschle
yves at naryves.com
Mon Sep 16 18:35:38 CEST 2013
On Mon, Sep 16, 2013 at 11:06:31AM -0400, Jason Cooper wrote:
> I'm against this. Port knocking [1] is, by its nature, a function of
> the firewall. No process has any business performing this function,
> especially because changing the firewall necessarily requires root
> privileges, and you do have sslh configured to drop privileges, right?
I think what Kai suggests is a wee bit different:
* sslh listens on 443 and only directs to httpd
* user goes somewhere to https://example.org/open_ssh.cgi
* open_ssh.cgi tells sslh
* sslh starts checking if incoming connections are ssh, and if they are, forwards to sshd
* 10 minutes later, sslh stops forwarding to ssh
That would make it almost impossible for an observer
(someone who'd telnet regularly on 443) to ever notice both
services are available on 443. That actually sounds like a
good idea.
> I would suggest your CGI script, at a minimum, simply write to a
> specified file, e.g. /tmp/portknock/open with permissions set
> appropriately.
But then I suppose it might also be implemented with firewalling
*after* sslh, blocking and opening connections from sslh to
port 22.
Y.
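The routing rule sketched above (everything on 443 goes to httpd, except SSH during the ten-minute window the CGI opens by touching /tmp/portknock/open), written out as a small added example; this is not code from sslh or from either poster, and the function names, the window length and the knock-file path are assumptions taken from the discussion:

```python
import os

# Assumed from the thread: a 10-minute window opened by the CGI script,
# signalled by the mtime of a file it writes (path from Jason's reply).
OPEN_WINDOW = 600
KNOCK_FILE = "/tmp/portknock/open"


def is_ssh_banner(first_bytes: bytes) -> bool:
    """An SSH client speaks first and sends 'SSH-<version>-...' (RFC 4253);
    a TLS client instead sends a ClientHello record starting with 0x16."""
    return first_bytes.startswith(b"SSH-")


def ssh_window_open(knock_mtime, now, window=OPEN_WINDOW) -> bool:
    """True while the knock file was touched less than `window` seconds ago.
    A missing file, or an mtime in the future (clock skew), counts as closed,
    so the conservative answer is always 'httpd only'."""
    if knock_mtime is None:
        return False
    age = now - knock_mtime
    return 0 <= age < window


def route(first_bytes: bytes, knock_mtime, now, window=OPEN_WINDOW) -> str:
    """Decide where a new connection on 443 goes.

    Outside the window every connection, SSH banners included, is handed to
    httpd, so a regular probe of port 443 only ever sees the HTTPS service."""
    if ssh_window_open(knock_mtime, now, window) and is_ssh_banner(first_bytes):
        return "sshd"
    return "httpd"


def knock_mtime_from_file(path: str = KNOCK_FILE):
    """Read the knock timestamp the CGI left behind; None if it never knocked."""
    try:
        return os.stat(path).st_mtime
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # Constructed sample inputs: an OpenSSH banner and a TLS ClientHello prefix.
    ssh_hello = b"SSH-2.0-OpenSSH_6.2\r\n"
    tls_hello = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"
    print(route(ssh_hello, 1000.0, 1300.0))  # knocked 5 min ago  -> sshd
    print(route(ssh_hello, 1000.0, 1700.0))  # knocked 11+ min ago -> httpd
    print(route(tls_hello, 1000.0, 1300.0))  # TLS is always httpd
```

The same check run against the real file is `route(first_bytes, knock_mtime_from_file(), time.time())`; the CGI only needs to touch the file, and sslh's reading side never needs to alter the firewall or hold root.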