[sslh] Port Knocking for SSLH

Kai kai2 at blicke.de
Mon Sep 16 18:58:25 CEST 2013


Hello Jason and rest,

Port knocking was just an example for what is currently available. And a 
CGI script that does port knocking instead of SSLH would indeed be an 
example of an implementation that does not need any change in SSLH. Also 
maybe my HTTPS example is not a good one because it creates quite a huge 
amount of dependencies that all need to be configured and secured at 
different levels.

So maybe it is better to start with a more lightweight approach.

On 16.09.2013 17:06, Jason Cooper wrote:
>> I know that SSLH is not able to terminate SSL and must forward it to
>> - for example - Apache. But on Apache, I could for example run a CGI
>> script that notifies in any way SSLH and tell "please open SSHd
>> forwarding for 10 minutes".
> I would suggest your CGI script, at a minimum, simply write to a
> specified file, eg /tmp/portknock/open with permissions set
> appropriately.
>
> A separate process, with permission to change the firewall, polls for
> the existence of the file, notes current time when it sees it, opens
> the port, and sets a timer for itself to go close the port (and delete
> the file).

Two other examples would be:

I) that SSLH decides to forward an SSH request to the SSHd port set in 
my SSLH configuration only if the request comes the third time (something 
like gray listing we currently know from mail servers)

II) or a certain "secret action" subsequent to the SSH request that 
allows SSLH to determine whether the source IP is allowed to access 
to be forwarded to the SSH port. One example that can be externally 
sniffed - yes, I know - is to send a HTTP request to 
http://myserver:sshlport/mySecretURL and then SSLH knows that the next 
subsequent SSH request from that IP can be forwarded to the SSHd port. 
Of course using HTTPS would avoid that it is possible to sniff the 
request but of course then SSLH cannot read the request any more and 
handling the request must be delegated to the web server that gets 
all HTTPS requests SSLH receives.

Ignoring the HTTPS + firewall examples for now and sticking with either 
a gray listing algorithm (which would already be enough in my example) 
or the secret HTTP GET string, there is still something to take care of 
to ensure that it is not possible to DDoS SSLH:

1. Of course it should be optional to configure.

2. The table to look up whether an IP address is allowed to be forwarded 
to SSH must have a fixed or configurable size in order to not blow up 
and finally crash / slow down the SSLH process. For example if the table 
only has a size of 10 IPs by default but requests are made by 20 IPs, 
the first 10 IPs are simply overwritten.

3. A timeout value is needed to allow only SSH connections if the last X 
times knocking or sending of the secret URL was not longer than Y 
seconds ago.

4. Of course implementing the HTTP secret URL would require the GET 
request to be parsed.

5. I don't see the HTTP use case as too critical because sniffing is only 
possible for parties actively participating as man in the middle, which 
will still reduce the number of possible "port scanners" a lot and 
script kids are not one of them any more. On the other hand, sniffing 
the HTTP requests will only show how to get through SSLH to open a SSH 
connection but then still, a valid SSH authentication is needed.

So even in case of HTTP knocking / multiple retries, it is still a 
lightweight implementation and will not drop the overall security of SSLH.

Best regards,
Kai
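Kai's examples I and II and items 2, 3 and 4 above describe a bounded
admission table with a timeout and a check for the secret GET string. The
block below is an added example written for this archive page; it is not
sslh code and not code from anyone in the thread. TABLE_SIZE, KNOCKS_NEEDED,
KNOCK_WINDOW, the function names and the sample addresses are assumed values
chosen for illustration. It goes slightly beyond the mail in one respect:
expired slots are reused before any live slot is overwritten, so a flood of
new addresses evicts the oldest entries first.

```c
/* Added example, not sslh code: a fixed-size "gray list" knock table
 * (examples I, items 2 and 3) plus a secret-URL request check
 * (example II, item 4). All constants below are assumed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TABLE_SIZE    10  /* item 2: fixed size, so a flood cannot grow memory */
#define KNOCKS_NEEDED 3   /* example I: forward only on the third attempt */
#define KNOCK_WINDOW  60  /* item 3: attempts older than this many seconds are forgotten */

struct knock_entry {
    uint32_t ip;      /* IPv4 address as a 32-bit number; 0 marks an empty slot */
    time_t   last;    /* time of the most recent attempt from this address */
    unsigned count;   /* attempts seen inside the current window */
};

struct knock_table {
    struct knock_entry slots[TABLE_SIZE];
    size_t next_victim;   /* round-robin overwrite position when every slot is live */
};

/* Pack a dotted-quad address into the table's integer form. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Return the slot holding ip. If there is none, reuse an empty or expired
 * slot, or, when the table is full of live entries, overwrite one (item 2). */
static struct knock_entry *find_slot(struct knock_table *t, uint32_t ip, time_t now) {
    struct knock_entry *reusable = NULL;
    for (size_t i = 0; i < TABLE_SIZE; i++) {
        struct knock_entry *e = &t->slots[i];
        if (e->ip == ip)
            return e;
        if (reusable == NULL && (e->ip == 0 || now - e->last > KNOCK_WINDOW))
            reusable = e;
    }
    if (reusable == NULL) {
        reusable = &t->slots[t->next_victim];
        t->next_victim = (t->next_victim + 1) % TABLE_SIZE;
    }
    reusable->ip = ip;
    reusable->count = 0;
    reusable->last = now;
    return reusable;
}

/* Record one attempt from ip at time now and report whether the
 * connection should be forwarded to the SSHd port. */
bool knock_allows_ssh(struct knock_table *t, uint32_t ip, time_t now) {
    struct knock_entry *e = find_slot(t, ip, now);
    if (now - e->last > KNOCK_WINDOW)
        e->count = 0;           /* item 3: window elapsed, start counting again */
    e->last = now;
    e->count++;
    return e->count >= KNOCKS_NEEDED;
}

/* Example II / item 4: does this raw HTTP request carry the secret URL?
 * Only the request line is parsed; method and path must match exactly. */
bool is_secret_url_knock(const char *request, const char *secret_path) {
    char method[8], path[256];
    if (sscanf(request, "%7s %255s", method, path) != 2)
        return false;
    return strcmp(method, "GET") == 0 && strcmp(path, secret_path) == 0;
}

int main(void) {
    struct knock_table table = {0};
    uint32_t client = ip4(192, 0, 2, 10);   /* constructed sample address */
    for (time_t t = 100; t < 103; t++)
        printf("attempt at t=%ld: forward=%d\n", (long)t,
               knock_allows_ssh(&table, client, t));
    printf("secret URL seen: %d\n",
           is_secret_url_knock("GET /mySecretURL HTTP/1.1\r\n", "/mySecretURL"));
    return 0;
}
```

The table never allocates, so the worst a flood of addresses can do is evict
other entries, which only costs a legitimate client its partial count. The
URL check deliberately looks at the request line only, which is all the
secret-string idea needs.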
