
Re: Limiting ssh access: by MAC Address?



On Wed, Jan 4, 2023 at 5:45 PM Tim Woodall <debianuser@woodall.me.uk> wrote:
>
> On Wed, 4 Jan 2023, Jeffrey Walton wrote:
>
> > On Wed, Jan 4, 2023 at 2:20 PM Tim Woodall <debianuser@woodall.me.uk> wrote:
> >> ...
> >>
> >> I've also thought about TOTP dns requests as a type of port knocking: a
> >> dns request to <TOTP>.knock.example.com would open the ssh port for a
> >> minute. A small local webpage to do the TOTP port knock in javascript
> >> should work anywhere. Something else that has been on my todo list for
> >> years.
> >
> > That is kind of clever. Do you know of any papers that discuss it?
>
> I don't know of any papers that discuss it and I certainly didn't write
> one.
>
> This is what I imagined:
>
> <totp>.knock.example.com
>
> bind (because that's what I use) configured to forward knock.example.com
> to an internal address.
>
> Small program listens and responds to all queries with 127.0.0.1 (just
> found my c++ program to do this written in 2018 - I'd probably use
> python now). Because this program is only hit from a trusted server,
> it's unlikely to suffer exploitable issues. Malformed packets, for
> example, will not make it past the bind instance.
>
> The program also checks the TOTP and if it matches the expected value (possibly with
> a threshold) then updates an ipset with a catchall address.
>
> iptables rule something like
> iptables -t filter -A INPUT -m set --match-set sshok src -m state --state NEW -j ACCEPT
> (you probably don't want to open everything)
>
> and some sort of cron job to delete the catchall address
>
> You could, of course, also do the same by hitting a webserver that
> checks the URL for the totp but DNS is more reliable - you can usually
> get DNS packets through even where ISPs block running servers and that
> can trigger constructing a tunnel to a server that can listen to
> incoming connections. Also DNS better hides where you're connecting
> from.
>
> Finally, dns port knocking will work with anything that connects to a
> dns name as the name lookup must happen before the connection, although
> in that case the returned address needs to be the target address, not
> 127.0.0.1.

I was talking to Peter Gutmann about SSH hardening. He shared a recent
RFC pro SSH preauth:
https://datatracker.ietf.org/doc/draft-gutmann-ssh-preauth/ .

The preauth scheme does not hide the service like your TOTP scheme.
However, it looks like both schemes achieve the same thing - they both
avoid the costly key exchange. Avoiding the key exchange is a big win
since those public key operations are so costly.

Jeff

