Date: Sun, 2 Sep 2001 12:01:53 -0400
From: Hank Leininger <freebsd-security@progressive-comp.com>
To: freebsd-security@FreeBSD.ORG
Subject: Re: Possible New Security Tool For FreeBSD, Need Your Help.
Message-ID: <200109021601.MAA30005@mailer.progressive-comp.com>
On 2001-08-31, "Not Going to Tell You" <luckywolf19@hotmail.com> wrote:

> I could close all the ports on my box except those needed to provide a
> service (i.e. port 80), however, how can I remote manage it? So then I
> would have to open a sshd port also. But this leads to a potential
> security problem when scanned by a hacker. So, what if I had a program
> that sent a type of "Key" to the box and the box recognized that the
> key sequence order was from me, then opened the sshd port. After I was
> finished with the sshd session, I would run another program to close
> the port behind me?

If you were to do this, "listen for a few packets that look like <this> in <that> order" would be a bad way to do it--completely open to sniffing, replay attacks, race conditions, etc.

Perhaps you could generate a gpg-signed "open" request, where the signed payload included the incoming IP to allow, and a timestamp (encrypting this all with the server's public key would be a good idea, but not essential). Then whack this data into IP and TCP options fields of some set of packets you throw at the box. The server would listen for the right sequence of packets, reconstruct the payload stuffed in the options, check the signature, and open a temporary hole which would allow a single 3WHS (not just a single inbound SYN, which could be spoofed to DoS you) to complete before closing the hole again.

But really, it hardly seems worth the bother. A whole lot of complexity (==places for your implementation to be buggy and open new security holes) and resource-consumption (==DoS opportunity) for little gain other than security through obscurity.

Now, if there were a CGI that was POSTed to with this signed/encrypted request... or the box also received mail, and one mailbox was watched for a properly signed/encrypted email...

-- 
Hank Leininger <hlein@progressive-comp.com>
We could build a large, wooden badger...
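The signed "open" request sketched in the reply above, as an added example that is not from the thread: the client signs (allowed IP || timestamp), and the server verifies the signature, enforces a freshness window and refuses an identical payload a second time, which is the replay problem raised against plain packet sequences. Ed25519 from the Go standard library stands in for gpg; the 12-byte wire layout and the Verifier type are constructed for this example, and carrying the bytes in IP/TCP options and opening the firewall hole are left out.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"net"
	"time"
)

// Constructed wire format: 4-byte IPv4 to allow | 8-byte big-endian unix time | 64-byte ed25519 signature.
const msgLen, payloadLen = 12, 12 + ed25519.SignatureSize
// buildOpenRequest is the client side: sign (ip || timestamp) with the client's private key.
func buildOpenRequest(priv ed25519.PrivateKey, ip net.IP, ts time.Time) ([]byte, error) {
	ip4 := ip.To4()
	if ip4 == nil {
		return nil, errors.New("IPv4 address required")
	}
	msg := make([]byte, msgLen)
	copy(msg, ip4)
	binary.BigEndian.PutUint64(msg[4:], uint64(ts.Unix()))
	return append(msg, ed25519.Sign(priv, msg)...), nil
}

// Verifier is the server side: the trusted client key, a freshness window, and a replay cache of accepted messages.
type Verifier struct {
	Pub    ed25519.PublicKey
	Window time.Duration
	Seen   map[string]bool // keyed by raw message; entries older than Window can be pruned (omitted here)
}

// CheckOpenRequest returns the IP to allow only if the signature verifies, the timestamp is within Window of now, and this exact message has not been accepted before.
func (v *Verifier) CheckOpenRequest(payload []byte, now time.Time) (net.IP, error) {
	if len(payload) != payloadLen {
		return nil, errors.New("bad length")
	}
	msg, sig := payload[:msgLen], payload[msgLen:]
	if !ed25519.Verify(v.Pub, msg, sig) {
		return nil, errors.New("bad signature")
	}
	ts := time.Unix(int64(binary.BigEndian.Uint64(msg[4:])), 0)
	if d := now.Sub(ts); d < -v.Window || d > v.Window {
		return nil, errors.New("stale request") // outside the freshness window: refuse
	}
	if v.Seen[string(msg)] {
		return nil, errors.New("replayed request") // same signed request seen again inside the window
	}
	v.Seen[string(msg)] = true
	return net.IP(msg[:4]), nil
}
```

The signature covers the IP, so a sniffer cannot redirect a captured request to its own address, and the window plus cache bound what a straight replay can do.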