
Re: Limiting ssh access: by MAC Address?



On Wed, 4 Jan 2023, Jeffrey Walton wrote:

> On Wed, Jan 4, 2023 at 2:20 PM Tim Woodall <debianuser@woodall.me.uk> wrote:
> ...
>
>> I've also thought about TOTP dns requests as a type of port knocking: a
>> dns request to <TOTP>.knock.example.com would open the ssh port for a
>> minute. Small local webpage to do the TOTP port knock in javascript
>> should work anywhere. Something else that has been on my todo list for
>> years.
>
> That is kind of clever. Do you know of any papers that discuss it?


I don't know of any papers that discuss it and I certainly didn't write
one.


This is what I imagined:

<totp>.knock.example.com

bind (because that's what I use) configured to forward knock.example.com
to an internal address.

Small program listens and responds to all queries with 127.0.0.1 (just
found my c++ program to do this written in 2018 - I'd probably use
python now). Because this program is only hit from a trusted server,
it's unlikely to suffer exploitable issues. Malformed packets, for
example, will not make it past the bind instance.

The program also checks the TOTP and, if it matches the expected value
(possibly with a threshold), updates an ipset with a catchall address.

iptables rule something like
iptables -t filter -A INPUT -m set --match-set sshok src -m state --state NEW -j ACCEPT
(you probably don't want to open everything)

and some sort of cron job to delete the catchall address

You could, of course, also do the same by hitting a webserver that
checks the URL for the totp but DNS is more reliable - you can usually
get DNS packets through even where ISPs block running servers and that
can trigger constructing a tunnel to a server that can listen to
incoming connections. Also DNS better hides where you're connecting
from.

Finally, dns port knocking will work with anything that connects to a
dns name, as the name lookup must happen before the connection, although
in that case the returned address needs to be the target address, not
127.0.0.1.


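The responder sketched in the message above, written out as an added Python example. It is not Tim Woodall's 2018 program (which is not on the page) and not part of the thread; the zone name, shared secret, listen address, ipset name and the use of an ipset `timeout` in place of the cron job are assumptions made for the example. bind is expected to carry a `type forward; forward only;` zone for knock.example.com whose forwarder is the listen address below, so only the trusted resolver ever reaches this process. Each query gets an A record for 127.0.0.1 with TTL 0; when the first label of a name under the knock zone is a valid TOTP (current 30-second step, plus or minus one step as the "threshold"), the accept hook adds catch-all entries to the `sshok` set with a 60-second timeout, which is what the iptables rule quoted in the message matches on.

```python
import hashlib
import hmac
import socket
import struct
import subprocess
import time

# Assumptions for the example: zone, shared secret, listen address, set name.
KNOCK_ZONE = ("knock", "example", "com")
TOTP_SECRET = b"example-shared-secret"      # constructed; use a real random secret
STEP_SECONDS, DIGITS, WINDOW = 30, 6, 1     # RFC 6238 defaults; WINDOW = +/- steps accepted
LISTEN = ("127.0.0.2", 5353)                # internal address bind forwards the zone to
IPSET_NAME, OPEN_SECONDS = "sshok", 60


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP = RFC 4226 HOTP (HMAC-SHA1, dynamic truncation) over the time step."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_valid(code: str, secret: bytes, now: float, window: int = WINDOW) -> bool:
    """Accept the current step and `window` steps either side; compare in constant time."""
    if len(code) != DIGITS or not code.isdigit():
        return False
    counter = int(now // STEP_SECONDS)
    return any(hmac.compare_digest(code, totp(secret, counter + d))
               for d in range(-window, window + 1))


def parse_question(packet: bytes):
    """Parse a one-question DNS query; return (id, rd, labels, qtype, qclass, question) or None."""
    if len(packet) < 12:
        return None
    qid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:          # a response, or not exactly one question
        return None
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            return None
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(packet):   # no compression pointers, no overrun
            return None
        labels.append(packet[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(packet):
        return None
    qtype, qclass = struct.unpack(">HH", packet[pos:pos + 4])
    return qid, bool(flags & 0x0100), labels, qtype, qclass, packet[12:pos + 4]


def build_response(qid: int, rd: bool, question: bytes, ip: str = "127.0.0.1") -> bytes:
    """Authoritative answer with one A record, TTL 0 so the forwarder does not cache the knock."""
    flags = 0x8400 | (0x0180 if rd else 0)      # QR, AA; echo RD and set RA
    header = struct.pack(">HHHHHH", qid, flags, 1, 1, 0, 0)
    answer = struct.pack(">HHHIH", 0xC00C, 1, 1, 0, 4) + socket.inet_aton(ip)
    return header + question + answer


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a plain recursive A query for `name` (used to construct sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)


def open_ssh(set_name: str = IPSET_NAME, seconds: int = OPEN_SECONDS) -> None:
    """Catch-all entries with an ipset timeout (set created as `ipset create sshok hash:net timeout 60`).
    hash:net cannot store 0.0.0.0/0, so two /1 entries cover everything."""
    for net in ("0.0.0.0/1", "128.0.0.0/1"):
        subprocess.run(["ipset", "-exist", "add", set_name, net, "timeout", str(seconds)], check=False)


def handle_query(packet: bytes, secret: bytes = TOTP_SECRET, now=None, on_accept=None):
    """Answer every query with 127.0.0.1; run on_accept when <code>.knock.example.com carries a valid TOTP."""
    parsed = parse_question(packet)
    if parsed is None:
        return None, False                      # malformed: drop, nothing to answer
    qid, rd, labels, _qtype, qclass, question = parsed
    accepted = False
    if qclass == 1 and len(labels) == len(KNOCK_ZONE) + 1 and tuple(labels[1:]) == KNOCK_ZONE:
        accepted = totp_valid(labels[0], secret, time.time() if now is None else now)
        if accepted and on_accept is not None:
            on_accept()
    return build_response(qid, rd, question), accepted


def serve(listen=LISTEN):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(listen)
    while True:
        packet, peer = sock.recvfrom(512)
        response, _ = handle_query(packet, on_accept=open_ssh)
        if response is not None:
            sock.sendto(response, peer)


if __name__ == "__main__":
    serve()
```

Two things worth keeping in mind with this shape. The query travels in cleartext through whichever resolvers sit between the client and the forwarder, so anyone who can see it can replay the same name until the accepted window expires; the window is therefore also the replay window, and an accepting entry should be as short as the ssh handshake needs. The `timeout` on the ipset entry removes it for you, which replaces the cron job in the message, but it only works if the set was created with timeout support.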