[sslh] Port Knocking for SSLH

ondra+sslh at mistotebe.net
Mon Sep 16 21:17:35 CEST 2013


On Mon, Sep 16, 2013 at 06:35:38PM +0200, Yves Rutschle wrote:
> I think what Kai suggest is a wee bit different: 
> 
> That would make it almost impossible for an observer
> (someone who'd telnet regularly on 443) to ever notice both
> services are available on 443. That actually sounds like a
> good idea.
> 
> > I would suggest your CGI script, at a minimum, simply write to a
> > specified file, eg /tmp/portknock/open with permissions set
> > appropriately.
> 
> But then I suppose it might also be implemented with firewalling
> *after* sslh, blocking and opening connections from sslh to
> port 22.

If I understand the transparent forwarding well, could the following not
be used here? Something like this:

0. client knocks; the knock is recognized by knockd and the client is
   whitelisted (or not)
1. client connects to sslh, the probe forwards it to the guarded port
   using transparent
2. iff the port is whitelisted, the connection succeeds
3. ???
4. profit!

But I have never really used knockd and I only know of the transparent
forwarding because of the sslh ML.

Ondra
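The setup sketched in steps 0 to 2 above, as an added example that is not code from the original post nor from the sslh or knockd projects. It assumes an external interface named eth0, a guarded port of 22, a knock sequence of 7000,8000,9000 and a filter chain I have called KNOCK_OPEN; the mangle and policy-routing lines are the ones sslh's README gives for --transparent (reproduced from memory, so check the README for your version). With no argument the script prints the rules and a knockd.conf; run as root with "apply" it installs them.

```shell
#!/bin/sh
# Added example (not sslh's or knockd's own code): the knockd + sslh
# --transparent + iptables setup sketched in the post. Assumed values:
# external interface eth0, guarded port 22, knock sequence 7000,8000,9000,
# and the chain name KNOCK_OPEN. Run with "apply" as root to install the
# rules; with no argument it only prints them and the knockd.conf.
set -eu

IFACE=${IFACE:-eth0}
GUARDED_PORT=${GUARDED_PORT:-22}

# Policy-routing rules sslh's README gives for --transparent: replies
# from the guarded port are marked and routed back through sslh instead
# of straight to the client. sshd must then listen on the external
# address, not 127.0.0.1, and sslh must run as root (or with CAP_NET_RAW)
# with "--ssh <external-ip>:22".
sslh_transparent_rules() {
  cat <<EOF
iptables -t mangle -N SSLH
iptables -t mangle -A OUTPUT -p tcp -o $IFACE --sport $GUARDED_PORT -j SSLH
iptables -t mangle -A SSLH -j MARK --set-mark 0x1
iptables -t mangle -A SSLH -j ACCEPT
ip rule add fwmark 0x1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
EOF
}

# Step 2 of the post: because sslh forwards with the client's real source
# address, a plain INPUT filter on the guarded port sees that address and
# can admit only knocked-in clients. Everything else gets a TCP reset so
# sslh's connect() fails immediately instead of hanging on a DROP.
guard_rules() {
  cat <<EOF
iptables -N KNOCK_OPEN
iptables -A INPUT -p tcp --dport $GUARDED_PORT -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --dport $GUARDED_PORT -j KNOCK_OPEN
iptables -A INPUT -p tcp --dport $GUARDED_PORT -j REJECT --reject-with tcp-reset
EOF
}

# Step 0: what knockd runs when it recognises the open/close sequence.
# %IP% is knockd's placeholder for the knocking client's address.
open_rule()  { printf 'iptables -I KNOCK_OPEN -s %s -p tcp --dport %s -j ACCEPT\n' "$1" "$GUARDED_PORT"; }
close_rule() { printf 'iptables -D KNOCK_OPEN -s %s -p tcp --dport %s -j ACCEPT\n' "$1" "$GUARDED_PORT"; }

knockd_conf() {
  cat <<EOF
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence    = 7000,8000,9000
    seq_timeout = 5
    tcpflags    = syn
    command     = $(open_rule %IP%)

[closeSSH]
    sequence    = 9000,8000,7000
    seq_timeout = 5
    tcpflags    = syn
    command     = $(close_rule %IP%)
EOF
}

case "${1:-print}" in
  apply)
    { sslh_transparent_rules; guard_rules; } | sh -e
    knockd_conf > /etc/knockd.conf
    ;;
  print)
    sslh_transparent_rules; guard_rules
    echo; echo "# /etc/knockd.conf"; knockd_conf
    ;;
esac
```

Two things worth knowing before relying on this. The guarded port is only hidden at the application layer: sslh completes the TCP handshake on 443 before it probes, so a non-whitelisted client still sees the connection accepted and then closed, and only the SSH banner never appears. And the REJECT with tcp-reset matters: with DROP, sslh's connect to port 22 would sit in the kernel retry timer and the client's 443 connection would hang for as long, which is a much more noticeable signal than a quick close.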


