[sslh] Port Knocking for SSLH
Kai
kai2 at blicke.de
Mon Sep 16 18:58:25 CEST 2013
Hello Jason and rest,
Port knocking was just an example of what is currently available. And a
CGI script that does port knocking instead of SSLH would indeed be an
example of an implementation that does not need any change in SSLH. Also,
maybe my HTTPS example is not a good one because it creates quite a large
number of dependencies that all need to be configured and secured at
different levels.
So maybe it is better to start with a more lightweight approach.
On 16.09.2013 17:06, Jason Cooper wrote:
>> I know that SSLH is not able to terminate SSL and must forward it to
>> - for example - Apache. But on Apache, I could for example run a CGI
>> script that notifies SSLH in any way and tells it "please open SSHd
>> forwarding for 10 minutes".
> I would suggest your CGI script, at a minimum, simply write to a
> specified file, eg /tmp/portknock/open with permissions set
> appropriately.
>
> A separate process, with permission to change the firewall, polls for
> the existence of the file, notes current time when it sees it, opens
> the port, and sets a timer for itself to go close the port (and delete
> the file).
Two other examples would be:
I) that SSLH decides to forward an SSH request to the SSHd port set in
my SSLH configuration only if the request comes for the third time
(something like the grey listing we currently know from mail servers)
II) or a certain "secret action" subsequent to the SSH request that
allows SSLH to determine whether the source IP is allowed to be
forwarded to the SSH port. One example that can be externally
sniffed - yes, I know - is to send an HTTP request to
http://myserver:sshlport/mySecretURL, and then SSLH knows that the next
SSH request from that IP can be forwarded to the SSHd port.
Of course using HTTPS would make it impossible to sniff the request,
but of course then SSLH can not read the request any more, and handling
the request must be delegated to the web server that gets all the HTTPS
requests SSLH receives.
Ignoring the HTTPS + firewall examples for now and sticking with either
a grey listing algorithm (which would already be enough in my example)
or the secret HTTP GET string, there is still something to take care of
to ensure that it is not possible to DDoS SSLH:
1. Of course it should be optional to configure.
2. The table to look up whether an IP address is allowed to be forwarded
to SSH must have a fixed or configurable size in order not to blow up
and finally crash / slow down the SSLH process. For example, if the table
only has a size of 10 IPs by default but requests are made by 20 IPs,
the first 10 IPs are simply overwritten.
3. A timeout value is needed to allow SSH connections only if the last X
knocks or transmissions of the secret URL were not longer than Y
seconds ago.
4. Of course implementing the HTTP secret URL would require the GET
request to be parsed.
5. I don't see the HTTP use case as too critical, because sniffing is only
allowed for parties actively participating as man in the middle, which
will still reduce the number of possible "port scanners" a lot, and
script kiddies are not one of them any more. On the other hand, sniffing
the HTTP requests will only show how to get through SSLH to open an SSH
connection, but then a valid SSH authentication is still needed.
So even in the case of HTTP knocking / multiple retries, it is still a
lightweight implementation and will not drop the overall security of SSLH.
Best regards,
Kai
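The mechanism sketched in the message above (grey listing on the third SSH attempt, a secret-URL knock, a bounded IP table, and a timeout) as an added example in Python. This is not sslh code and not code from Kai or Jason; it is a stand-alone prototype of the policy only. Assumptions: a connection whose first bytes start with "SSH-" is treated as an SSH client (sslh's real protocol probes are more involved), "/mySecretURL" stands in for a configured secret path, the sample client bytes and addresses are constructed for the demo, and the clock is injectable so the timeout can be shown without sleeping.

```python
# Added example: prototype of the knock table from the post (not sslh's code).
from collections import OrderedDict
import time

SECRET_PATH = "/mySecretURL"   # assumption: stands in for a configured knock URL


class KnockTable:
    """Bounded, expiring table of source IPs (points 2 and 3 of the post).

    Entry: ip -> (hits, last_seen).  An IP may reach sshd once it has
    `required_hits` hits within `window` seconds.  When the table is full the
    oldest entry is overwritten, so it cannot grow without bound.
    """

    def __init__(self, max_entries=10, window=60.0, required_hits=3,
                 clock=time.monotonic):
        self.max_entries = max_entries
        self.window = window
        self.required_hits = required_hits
        self.clock = clock
        self._entries = OrderedDict()

    def _expire(self, now):
        # Drop entries whose last knock is older than the window (point 3).
        for ip in list(self._entries):
            if now - self._entries[ip][1] > self.window:
                del self._entries[ip]

    def _store(self, ip, hits, now):
        if ip in self._entries:
            self._entries.move_to_end(ip)
        elif len(self._entries) >= self.max_entries:
            self._entries.popitem(last=False)   # overwrite the oldest (point 2)
        self._entries[ip] = (hits, now)

    def allowed(self, ip):
        now = self.clock()
        self._expire(now)
        entry = self._entries.get(ip)
        return entry is not None and entry[0] >= self.required_hits

    def greylist_hit(self, ip):
        """Example I: count SSH attempts; the required_hits-th one gets through."""
        now = self.clock()
        self._expire(now)
        hits = self._entries.get(ip, (0, now))[0] + 1
        self._store(ip, hits, now)
        return hits >= self.required_hits

    def knock(self, ip):
        """Example II: the secret URL was seen; authorise this IP's next SSH try."""
        now = self.clock()
        self._expire(now)
        self._store(ip, self.required_hits, now)


def parse_request_line(data):
    """Minimal parse of an HTTP request line (point 4); returns the path or None."""
    try:
        line = data.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "GET" or not parts[2].startswith("HTTP/"):
        return None
    return parts[1]


def route(table, ip, first_bytes, secret_path=SECRET_PATH):
    """Return 'ssh', 'http' or 'drop' for a new connection's first bytes."""
    if first_bytes.startswith(b"SSH-"):          # assumption: crude SSH probe
        if table.allowed(ip) or table.greylist_hit(ip):
            return "ssh"
        return "drop"
    if parse_request_line(first_bytes) == secret_path:
        table.knock(ip)
    return "http"          # everything else still goes to the web server


class FakeClock:
    """Constructed clock so the demo is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk through grey listing, the secret URL, the timeout and table overflow."""
    clock = FakeClock()
    table = KnockTable(max_entries=3, window=30.0, required_hits=3, clock=clock)
    ssh = b"SSH-2.0-OpenSSH_6.2\r\n"                               # constructed
    knock = b"GET /mySecretURL HTTP/1.1\r\nHost: myserver\r\n\r\n"  # constructed
    plain = b"GET /index.html HTTP/1.1\r\nHost: myserver\r\n\r\n"   # constructed
    steps = [
        ("10.0.0.1", ssh), ("10.0.0.1", ssh), ("10.0.0.1", ssh),  # 3rd try passes
        ("10.0.0.2", knock), ("10.0.0.2", ssh),                   # knock, then ssh
        ("10.0.0.3", plain), ("10.0.0.3", ssh),                   # no knock: drop
    ]
    out = [route(table, ip, data) for ip, data in steps]
    clock.advance(31)                                             # past the window
    out.append(route(table, "10.0.0.1", ssh))                     # expired: drop
    out.append(route(table, "10.0.0.2", knock))                   # knock again
    for ip in ("10.0.0.3", "10.0.0.4", "10.0.0.5"):               # fill the table
        out.append(route(table, ip, ssh))
    out.append(route(table, "10.0.0.2", ssh))                     # knock overwritten
    return out
```

Calling `demo()` returns the routing decision for each constructed connection in order. The last step is the caveat behind point 2: with a small fixed table, unrelated addresses can push a legitimate knock out of the table before the client's SSH connection arrives, so the size should be tuned against the expected number of sources rather than set as small as possible.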