comp.os.linux.networking: Re: Connecting to an SSH server from the external world

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=160&group=comp.os.linux.networking#160

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 12:12:33 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s8voeh$6sg$1@news1.tnib.de>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it> <s8u0mn$4ma$1@dont-email.me>

William Unruh <unruh@invalid.ca> wrote:
>On 2021-05-29, Giovanni <lsodgf0@home.net.it> wrote:
>> On 05/29/2021 06:44 PM, Marc Haber wrote:
>>
>>>> To overcome this problem I installed openvpn both in the server and
>>>> on several clients. Each user has his own certificate and as long
>>>> You start the private connection You will be able to connect via
>>>> ssh from anywhere.
>>
>>> This is actually no better than having the ssh server accessible
>>> from the Outside. Just the keys are longer
>>
>> The OP said that he wants access only from authorized IP addresses but
>> he gets locked out if he uses foreign IP. That was exactly my problem
>> when trying to access my network when I was traveling.
>>
>> Well maybe a VPN isn't more secure than SSH, but while I see lots of
>> failed attempts on the ssh port, there are very few on the VPN port.
>> And when I connect the VPN I use SSH to login.
>
>The easiest way to get rid of the vast majority of ssh attacks is to
>simply put it on a different port. And set up your ssh_config to connect
>to that host on that port.
>Host donaldduck*
> Port 11823

Now read this Usenet Article: "I have moved my ssh server to Port
11823 to get rid of the net's background noise. Now I ABSOLUTELY NEED
to connect to this ssh server from a network that doesn't allow
outgoing connections to my port 11823. How can I access port 11823
when I can only access port 22 from the place I am?"

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=161&group=comp.os.linux.networking#161

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 12:13:42 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s8vogm$6st$1@news1.tnib.de>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8ur1m$msu$5@tncsrv09.home.tnetconsulting.net>

Grant Taylor <gtaylor@tnetconsulting.net> wrote:
>On 5/29/21 10:44 AM, Marc Haber wrote:
>> This is actually no better than having the ssh server accessible from
>> the Outside. Just the keys are longer
>
>I disagree.
>
>The biggest difference I see is the scope and complexity of the
>different systems.
>
>OpenSSH is a LOT of lines of code and is quite complex. Conversely,
>WireGuard is many fewer lines of code and purportedly quite a bit
>simpler. From a security standpoint, this is a HUGE difference.

We need to agree to disagree then. WireGuard might be easier, but it
runs in the Kernel. Way more dangerous.

>There is also some security benefit on having the VPN and the SSH server
>on different devices.

Yes, again, we seem not to be talking professional IT here.

--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=162&group=comp.os.linux.networking#162

From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 12:51:59 +0200
Organization: Guest of ProXad - France
Message-ID: <60b36e50$0$21617$426a74cc@news.free.fr>
References: <s8rnfh$qp2$1@gioia.aioe.org> <slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud> <s8v14o$c2g$1@server.snarked.org>

Le 30/05/2021 à 05:34, D. Stussy a écrit :
> One doesn't need to run a program to do port knocking if one has a
> stateful firewall.  For Linux and similar unices, iptables with a recent
> list (using a timeout) can be configured to work.

This only allows basic port knocking which is vulnerable to replay and
brute force attacks.
And it still requires a program on the client side to send the packets.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=163&group=comp.os.linux.networking#163

From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 13:02:49 +0200
Organization: Guest of ProXad - France
Message-ID: <60b370d9$0$21599$426a74cc@news.free.fr>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it> <s8u0mn$4ma$1@dont-email.me> <20210529172613@news.eternal-september.org> <s8v6aj$ch8$1@dont-email.me>

Le 30/05/2021 à 07:03, Johann Beretta a écrit :
> On 5/29/21 2:28 PM, Roger Blake wrote:
>>
>>  and use the firewall to limit the number
>> of connection attempts permitted per minute.
>
> That could easily lead to you being denied access.  A bad actor would
> only have to keep attempting to connect, rapidly.

Indeed. This can be mitigated by limiting the rate of connections per
source IP address, but this is still vulnerable to "blind" (one way)
spoofing attacks if you count only the TCP SYN packets. To protect
against this you must count TCP connections with complete handshake (SYN
- SYN/ACK - ACK). This is still vulnerable to an attacker able to do
two-way spoofing (i.e. receive the packets you send to the spoofed
address) but then I guess you have bigger concerns.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=164&group=comp.os.linux.networking#164

From: inva...@invalid.invalid (Richard Kettlewell)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 14:42:08 +0100
Organization: terraraq NNTP server
Message-ID: <87h7ikwd73.fsf@LkoBDZeT.terraraq.uk>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rqq6$gq$1@dont-email.me> <s8tjko$1fld$1@gioia.aioe.org>

John Smith <12345@whatismyemailaddress.xyz> writes:
> On Fri, 28 May 2021 22:28:22 +0000, William Unruh wrote:
>> On 2021-05-28, John Smith <12345@whatismyemailaddress.xyz> wrote:
>>> I have the following problem:
>>>
>>> I would like to be able to connect from my laptop to my SSH
>>> server in my internal network, no matter where the laptop may be.
>>> However, my SSH server accepts connections from specific IP addresses -
>>> those to do with work - and rejects all others.
>>
>> Lets see, that ssh server (Is it really yours-- ie do you own it-- or is
>> it your company's) has security on it to only accept connections from
>> the company network and you want instead to connect from anywhere, which
>> means that anyone can connect from anywhere.
>> Remove the condition that ssh can only connect from work IP
>> addresses. Or would this be against company policy?
>
> The server is my own - I can modify it as I wish.

So remove the restriction that you find inconvenient. You are currently
locking your own door and then asking how to open it.

> What I am asking is whether things could be arranged so that
> specific clients - as in running on specific hardware - could connect
> from anywhere, whereas any other clients cannot, unless they come from
> specific IP addresses. I guess that one could use the client's MAC
> address, but I don't know how.

SSH authenticates by key or password. Keys seem like a good fit for you
here.

--
https://www.greenend.org.uk/rjk/

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=165&group=comp.os.linux.networking#165

From: pk...@pk.invalid (pk)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 16:31:18 +0200
Organization: Neodome
Message-ID: <s907jm$2ent$1@neodome.net>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8rqq6$gq$1@dont-email.me> <s8tjko$1fld$1@gioia.aioe.org>

On Sat, 29 May 2021 14:38:16 +0000 (UTC), John Smith
<12345@whatismyemailaddress.xyz> wrote:

> On Fri, 28 May 2021 22:28:22 +0000, William Unruh wrote:
>
> > On 2021-05-28, John Smith <12345@whatismyemailaddress.xyz> wrote:
> >> I have the following problem:
> >>
> >> I would like to be able to connect from my laptop to my SSH
> >> server in my internal network, no matter where the laptop may be.
> >> However, my SSH server accepts connections from specific IP addresses -
> >> those to do with work - and rejects all others.
> >
> > Lets see, that ssh server (Is it really yours-- ie do you own it-- or is
> > it your company's) has security on it to only accept connections from
> > the company network and you want instead to connect from anywhere, which
> > means that anyone can connect from anywhere.
> > Remove the condition that ssh can only connect from work IP
> > addresses. Or would this be against company policy?
>
> The server is my own - I can modify it as I wish.
>
> What I am asking is whether things could be arranged so that
> specific clients - as in running on specific hardware - could connect
> from anywhere, whereas any other clients cannot, unless they come from
> specific IP addresses.

If you can accept the connecting username as identifier (admittedly a weak
security model difficult to enforce and easy to bypass; you can make it
slightly better if you use pubkey authentication only and users are not
allowed to copy other users' keys), then you can use openssh server's
"Match" directives in sshd_config to filter based on that and/or source IP
address and deny or permit access accordingly.

Eg (adapt as needed):

PasswordAuthentication no
PubkeyAuthentication no

# allow users bob and alice only from host 1.2.3.4
Match User alice,bob Address 1.2.3.4
    # or whatever methods you want to permit for them
    PasswordAuthentication yes
    PubkeyAuthentication yes

# allow user charlie from anywhere
Match User charlie Address *
    PasswordAuthentication yes
    PubkeyAuthentication yes

Or directly use the AllowUsers option:

AllowUsers bob@1.2.3.4 alice@1.2.3.4 charlie@*

(Going by memory here, the syntax for all the above might not be 100%
correct, but those options do definitely exist.)

As mentioned, this is a very low-security solution, but depending on your
specific environment and use case it might be enough for your needs.
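As an added example (not pk's code or OpenSSH's), the following evaluator applies the top-level keywords, the "Match User ... Address ..." blocks and an AllowUsers line of an sshd_config snippet to a (user, source address) pair the way sshd resolves them, so a policy like the one above can be sanity-checked before it is deployed. The two config texts are constructed from the post; the model only handles glob patterns (no CIDR in Address, no Group or Host criteria).

```python
"""Evaluate sshd_config Match/AllowUsers policy for a given user and source address.
Added example; the config snippets below are constructed from pk's post."""
from fnmatch import fnmatchcase

SAMPLE_MATCH_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication no

# allow users bob and alice only from host 1.2.3.4
Match User alice,bob Address 1.2.3.4
    PasswordAuthentication yes
    PubkeyAuthentication yes

# allow user charlie from anywhere, key only
Match User charlie Address *
    PubkeyAuthentication yes
"""

SAMPLE_ALLOWUSERS_CONFIG = "AllowUsers bob@1.2.3.4 alice@1.2.3.4 charlie@*"


def match_pattern_list(patterns, value):
    """sshd pattern list: comma-separated globs; a matching '!' entry rejects outright."""
    matched = False
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        if fnmatchcase(value, pat.lstrip("!")):
            if negate:
                return False
            matched = True
    return matched


def parse_sshd_config(text):
    """Return (global_lines, match_blocks); each block is (criteria, lines)."""
    global_lines, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        keyword, args = keyword.lower(), args.strip()
        if keyword == "match":
            tokens = args.split()
            criteria = dict(zip((t.lower() for t in tokens[0::2]), tokens[1::2]))
            current = (criteria, [])
            blocks.append(current)
        elif current is None:
            global_lines.append((keyword, args))
        else:
            current[1].append((keyword, args))
    return global_lines, blocks


def block_matches(criteria, user, addr):
    values = {"user": user, "address": addr}
    for crit, pat in criteria.items():
        if crit not in values:
            raise ValueError(f"unsupported Match criterion {crit!r} in this model")
        if not match_pattern_list(pat, values[crit]):
            return False
    return True


def effective_options(text, user, addr):
    """Options sshd would apply to this connection (keywords lowercased).
    Global section: first value wins. Satisfied Match blocks: the first
    instance of a keyword wins, and Match values override global ones."""
    global_lines, blocks = parse_sshd_config(text)
    options = {}
    for keyword, value in global_lines:
        options.setdefault(keyword, value)
    overrides = {}
    for criteria, lines in blocks:
        if block_matches(criteria, user, addr):
            for keyword, value in lines:
                overrides.setdefault(keyword, value)
    options.update(overrides)
    return options


def login_permitted(text, user, addr):
    """True if AllowUsers (when present) admits user[@addr] and at least one of
    password / public-key authentication is still enabled for this connection."""
    options = effective_options(text, user, addr)
    if "allowusers" in options:
        admitted = False
        for entry in options["allowusers"].split():
            upat, _, hpat = entry.partition("@")
            if fnmatchcase(user, upat) and (not hpat or fnmatchcase(addr, hpat)):
                admitted = True
        if not admitted:
            return False
    # sshd defaults both methods to "yes" when the keyword is absent
    return any(options.get(k, "yes") == "yes"
               for k in ("passwordauthentication", "pubkeyauthentication"))


if __name__ == "__main__":
    for user, addr in [("alice", "1.2.3.4"), ("alice", "9.9.9.9"), ("charlie", "9.9.9.9")]:
        print(user, addr, login_permitted(SAMPLE_MATCH_CONFIG, user, addr))
```

On a real host the authoritative check is sshd's own test mode, `sshd -T -C user=alice,addr=9.9.9.9`, which prints the effective options for that connection; the model above is only for reasoning about the snippet offline.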

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=166&group=comp.os.linux.networking#166

From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 14:43:53 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <s908b9$8nr$1@dont-email.me>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it> <s8u0mn$4ma$1@dont-email.me> <s8uqkv$msu$2@tncsrv09.home.tnetconsulting.net>

On 2021-05-30, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> On 5/29/21 12:21 PM, William Unruh wrote:
>> The easiest way to get rid of the vast majority of ssh attacks is to
>> simply put it on a different port.
>
> The operative phrase is "the vast majority". There will still be plenty
> of attacks even on non-standard port.
>
> Obscurity, by itself, is not security.

Nothing "by itself" is security. Obscurity is however one of many
invaluable layers of security. I went from 100 (or more) attacks per day to maybe one per
month by altering the port. The fewer the number of attacks the smaller
the chance that one will breach the real defences.
>
> Obscurity can be one of many layers of a security solution.
>
>> And set up your ssh_config to connect to that host on that port.
>
> I absolutely endorse the /client/ ssh configuration files, either
> individual (~/.ssh/config) or system wide (/etc/ssh/ssh_config).

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=167&group=comp.os.linux.networking#167

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Date: Sun, 30 May 2021 19:35:47 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s90idj$lqo$1@news1.tnib.de>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it> <s8u0mn$4ma$1@dont-email.me> <20210529172613@news.eternal-september.org> <s8v6aj$ch8$1@dont-email.me> <60b370d9$0$21599$426a74cc@news.free.fr>

Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
>Le 30/05/2021 à 07:03, Johann Beretta a écrit :
>> On 5/29/21 2:28 PM, Roger Blake wrote:
>>>
>>>  and use the firewall to limit the number
>>> of connection attempts permitted per minute.
>>
>> That could easily lead to you being denied access.  A bad actor would
>> only have to keep attempting to connect, rapidly.
>
>Indeed. This can be mitigated by limiting the rate of connections per
>source IP address, but this is still vulnerable to "blind" (one way)
>spoofing attacks if you count only the TCP SYN packets. To protect
>against this you must count TCP connections with complete handshake (SYN
>- SYN/ACK - ACK). This is still vulnerable to an attacker able to do
>two-way spoofing (i.e. receive the packets you send to the spoofed
>address) but then I guess you have bigger concerns.

jftr, I am running a couple of servers with no access list, but a TCP
SYN Rate Limit on Port 22 (I think it's like 10 SYN packets per
minute) with acceptable results and no complaints from the users.

My other machines have an access list making port 22 only available
from my own IPv6 address range.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
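Pascal Hambourg's point (count completed handshakes, not bare SYNs, when rate-limiting per source) and Marc Haber's per-port SYN limit of roughly 10 per minute are both illustrated by the following added simulation, which is not code from either poster and not an iptables or nftables rule set: it models only the decision logic such rules implement. The packet traces, the addresses and the 10-per-60-seconds limit are constructed for the demonstration.

```python
"""Per-source connection rate limiting: counting SYNs versus counting completed
three-way handshakes. Added example with constructed traffic."""
from collections import defaultdict, deque

LEGIT = "203.0.113.7"     # constructed: address of the real user
HEAVY = "198.51.100.9"    # constructed: a client that genuinely opens many sessions


class SlidingWindowLimiter:
    """Per-key event counter over a trailing window
    (the role 'recent --seconds N --hitcount M' plays in an iptables rule)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def within_limit(self, key, now):
        return len(self._prune(key, now)) < self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)


def run_policy(packets, count_on, limit=10, window=60):
    """Apply the limiter to a packet trace and return the SYNs it drops.

    packets: (time, src_ip, kind). kind "SYN" is the first handshake packet,
    which anyone can forge with any source address; kind "HANDSHAKE" is the
    client's final ACK, which only the true owner of src_ip can send because
    it must have received the server's SYN/ACK. count_on selects which kind
    is counted. A SYN is dropped when src_ip already has `limit` counted
    events inside the window.
    """
    lim = SlidingWindowLimiter(limit, window)
    dropped = []
    for t, src, kind in packets:
        if kind == "SYN" and not lim.within_limit(src, t):
            dropped.append((t, src))
            continue
        if kind == count_on:
            lim.record(src, t)
    return dropped


def build_spoof_trace():
    """Constructed trace: one real session from LEGIT, then 50 SYNs forged with
    LEGIT's address that never complete (blind, one-way spoofing), then LEGIT
    connecting again at t=5.0."""
    trace = [(0.0, LEGIT, "SYN"), (0.1, LEGIT, "HANDSHAKE")]
    trace += [(1.0 + i * 0.01, LEGIT, "SYN") for i in range(50)]
    trace += [(5.0, LEGIT, "SYN"), (5.1, LEGIT, "HANDSHAKE")]
    return trace


def build_heavy_trace(sessions=12):
    """Constructed trace: a genuine client completing `sessions` handshakes,
    one every two seconds."""
    trace = []
    for k in range(sessions):
        trace += [(2.0 * k, HEAVY, "SYN"), (2.0 * k + 0.1, HEAVY, "HANDSHAKE")]
    return trace


def legit_locked_out(count_on):
    """True if LEGIT's genuine second connection attempt at t=5.0 was dropped."""
    return (5.0, LEGIT) in run_policy(build_spoof_trace(), count_on)


if __name__ == "__main__":
    print("SYN counting locks out the real user:", legit_locked_out("SYN"))
    print("handshake counting locks out the real user:", legit_locked_out("HANDSHAKE"))
    print("heavy client SYNs dropped:", run_policy(build_heavy_trace(), "HANDSHAKE"))
```

With the SYN-counting policy the forged packets exhaust LEGIT's budget and its real attempt at t=5.0 is dropped; with handshake counting the forged SYNs are never counted, LEGIT gets in, and a client that really does complete twelve sessions in a minute still has its eleventh and twelfth SYNs dropped. As Pascal notes, an attacker who can also receive the SYN/ACK sent to the spoofed address defeats the second policy too.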

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=168&group=comp.os.linux.networking#168

From: mh+usene...@zugschl.us (Marc Haber)
Newsgroups: comp.os.linux.networking
Date: Mon, 31 May 2021 10:22:36 +0200
Organization: private site, see http://www.zugschlus.de/ for details
Message-ID: <s926cc$4l2$1@news1.tnib.de>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it> <s8u0mn$4ma$1@dont-email.me> <s8uqkv$msu$2@tncsrv09.home.tnetconsulting.net> <s908b9$8nr$1@dont-email.me>

William Unruh <unruh@invalid.ca> wrote:
>I went from 100 (or more) attacks per day to maybe one per
>month by altering the port. The fewer the number of attacks the smaller
>the chance that one will breach the real defences.

On a machine with password logins disabled (or reasonably secure
passwords), an occasional ssh connect (yes, five digit numbers of
attempts per day do still count as occasional) is only called an
"attack" by people who want to impress.

It's actually just Internet Background Noise.

Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=169&group=comp.os.linux.networking#169

From: unr...@invalid.ca (William Unruh)
Newsgroups: comp.os.linux.networking
Date: Mon, 31 May 2021 17:29:47 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <s936eb$t0v$1@dont-email.me>
References: <s8rnfh$qp2$1@gioia.aioe.org> <s8svu8$96r$1@milena.home.net.it> <s8tr1m$h6i$1@news1.tnib.de> <s8tsps$mmb$1@milena.home.net.it> <s8u0mn$4ma$1@dont-email.me> <s8uqkv$msu$2@tncsrv09.home.tnetconsulting.net> <s908b9$8nr$1@dont-email.me> <s926cc$4l2$1@news1.tnib.de>

On 2021-05-31, Marc Haber <mh+usenetspam1118@zugschl.us> wrote:
> William Unruh <unruh@invalid.ca> wrote:
>>I went from 100 (or more) attacks per day to maybe one per
>>month by altering the port. The fewer the number of attacks the smaller
>>the chance that one will breach the real defences.
>
> On a machine with password logins disabled (or reasonably secure
> passwords), an occasional ssh connect (yes, five digit numbers of
> attempts per day do still count as occasional) is only called an
> "attack" by people who want to impress.

A reduction by a factor of over 1000 is what the point was.
Note that the latest tactic is to attack from a bunch of different
taken-over machines, to get around the blacklisting of attacks from a single
IP.
(And attack is a technical term, having to do with intent, not number. A
single attempt is an attack if the intent is to break into the machine.)
>
> It's actually just Internet Background Noise.
>
> Greetings
> Marc

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=171&group=comp.os.linux.networking#171

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Date: Mon, 31 May 2021 22:45:36 -0600
Organization: TNet Consulting
Message-ID: <s94e6b$1os$3@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org> <slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud> <s8v14o$c2g$1@server.snarked.org>

On 5/29/21 9:34 PM, D. Stussy wrote:
> One doesn't need to run a program to do port knocking if one has a
> stateful firewall.  For Linux and similar unices, iptables with a recent
> list (using a timeout) can be configured to work.

Salute! to someone else that knows about IPTable's recent match
extension and finds creative uses for it. :-D

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=172&group=comp.os.linux.networking#172

From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: comp.os.linux.networking
Date: Mon, 31 May 2021 22:48:20 -0600
Organization: TNet Consulting
Message-ID: <s94ebe$1os$4@tncsrv09.home.tnetconsulting.net>
References: <s8rnfh$qp2$1@gioia.aioe.org> <slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud> <s8v14o$c2g$1@server.snarked.org> <60b36e50$0$21617$426a74cc@news.free.fr>

On 5/30/21 4:51 AM, Pascal Hambourg wrote:
> This only allows basic port knocking which is vulnerable to replay and
> brute force attacks.

Yes in a basic sense.

No in that it's possible, albeit complicated, to code things such
that different knocks are needed from different IPs.

Technically, it can be replayed for the same IP. But it can't be
replayed for different IPs.

There's also the fact that the IPTables rule set could be periodically
changed thus thwarting replay for even the same IP.

> And it still requires a program on the client side to send the packets.

Depending on what protocol and port is used, it may be possible to use a
web browser or telnet or ping.

Does using Bash's built in ability to send TCP & UDP packets count as a
program in the manner you are describing?

}:-)

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=174&group=comp.os.linux.networking#174

Newsgroups: comp.os.linux.networking
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Tue, 1 Jun 2021 18:42:59 +0200
Organization: Guest of ProXad - France
Message-ID: <60b66393$0$32499$426a74cc@news.free.fr>
 by: Pascal Hambourg - Tue, 1 Jun 2021 16:42 UTC

On 01/06/2021 at 06:48, Grant Taylor wrote:
> On 5/30/21 4:51 AM, Pascal Hambourg wrote:
>> This only allows basic port knocking which is vulnerable to replay and
>> brute force attacks.
>
> Yes in a basic sense.
>
> No in that it's possible, albeit complicated, to code things such
> that different knocks are needed from different IPs.

How do you do this with iptables for any IP address ?
I am not asking for the complete solution, only the basic principle.

>> And it still requires a program on the client side to send the packets.
>
> Depending on what protocol and port is used, it may be possible to use a
> web browser or telnet or ping.
>
> Does using Bash's built in ability to send TCP & UDP packets count as a
> program in the manner you are describing?

No more than the other programs you mentioned. It may be used by a port
knocking client script, but none is a port knocking program by itself.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=175&group=comp.os.linux.networking#175

Newsgroups: comp.os.linux.networking
From: gtay...@tnetconsulting.net (Grant Taylor)
Date: Tue, 1 Jun 2021 14:46:41 -0600
Organization: TNet Consulting
Message-ID: <s966gd$gnc$1@tncsrv09.home.tnetconsulting.net>
 by: Grant Taylor - Tue, 1 Jun 2021 20:46 UTC

On 6/1/21 10:42 AM, Pascal Hambourg wrote:
> How do you do this with iptables for any IP address ?
> I am not asking for the complete solution, only the basic principle.

In short, you add additional rule sets for different source IPs.

You obviously don't want to explode the multiple rules for each set by
the number of IPs that are out there.

But, I could see how someone might duplicate the multiple rules for
different networks / ASNs.

Note: I'm speaking to a technical possibility, not the practicality of
doing something.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=176&group=comp.os.linux.networking#176

Newsgroups: comp.os.linux.networking
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Thu, 3 Jun 2021 12:50:37 +0200
Organization: Guest of ProXad - France
Message-ID: <60b8b3fd$0$32507$426a74cc@news.free.fr>
 by: Pascal Hambourg - Thu, 3 Jun 2021 10:50 UTC

On 01/06/2021 at 22:46, Grant Taylor wrote:
> On 6/1/21 10:42 AM, Pascal Hambourg wrote:
>> How do you do this with iptables for any IP address ?
>> I am not asking for the complete solution, only the basic principle.
>
> In short, you add additional rule sets for different source IPs.
>
> You obviously don't want to explode the multiple rules for each set by
> the number of IPs that are out there.
>
> But, I could see how someone might duplicate the multiple rules for
> different networks / ASNs.

IIUC it is not applicable to connect from any random IP address, only
from specific IP addresses or networks known in advance.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=177&group=comp.os.linux.networking#177

Newsgroups: comp.os.linux.networking
From: gtay...@tnetconsulting.net (Grant Taylor)
Date: Thu, 3 Jun 2021 22:53:07 -0600
Organization: TNet Consulting
Message-ID: <s9cboj$13j$1@tncsrv09.home.tnetconsulting.net>
 by: Grant Taylor - Fri, 4 Jun 2021 04:53 UTC

On 6/3/21 4:50 AM, Pascal Hambourg wrote:
> IIUC it is not applicable to connect from any random IP address, only
> from specific IP addresses or networks known in advance.

It depends on how the knock is configured.

If it's a static knock on port A, then not on port Blue, and finally
knock on port triangle, then someone could do that A -> blue -> triangle
from any IP. Conversely if the source IP was part of the knock, as in
data for identifying the sequence, a simple replay wouldn't work.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=178&group=comp.os.linux.networking#178

Newsgroups: comp.os.linux.networking
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sat, 5 Jun 2021 19:25:03 +0200
Organization: Guest of ProXad - France
Message-ID: <60bbb36f$0$27424$426a74cc@news.free.fr>
 by: Pascal Hambourg - Sat, 5 Jun 2021 17:25 UTC

On 04/06/2021 at 06:53, Grant Taylor wrote:
> On 6/3/21 4:50 AM, Pascal Hambourg wrote:
>> IIUC it is not applicable to connect from any random IP address, only
>> from specific IP addresses or networks known in advance.
>
> It depends on how the knock is configured.
>
> If it's a static knock on port A, then not on port Blue, and finally
> knock on port triangle, then someone could do that A -> blue -> triangle
> from any IP.  Conversely if the source IP was part of the knock, as in
> data for identifying the sequence, a simple replay wouldn't work.

How do you configure iptables to do this for all IP addresses ?

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=179&group=comp.os.linux.networking#179

Newsgroups: comp.os.linux.networking
From: gtay...@tnetconsulting.net (Grant Taylor)
Date: Sat, 5 Jun 2021 16:38:27 -0600
Organization: TNet Consulting
Message-ID: <s9gui7$773$1@tncsrv09.home.tnetconsulting.net>
 by: Grant Taylor - Sat, 5 Jun 2021 22:38 UTC

On 6/5/21 11:25 AM, Pascal Hambourg wrote:
> How do you configure iptables to do this for all IP addresses ?

It depends on how you're doing port knocking.

But in essence, you configure whatever you're using to use a different
sequence based on the different source IP (or network). E.g.

1/8 = A -> blue -> triangle
2/8 = green -> square -> B
3/8 = oval -> C -> orange
...

Pick how granular you want things to be.

You can encode this purely as iptables rules with the recent match
extension. It will just take a fair number of rules and some thought to
make it work.

I've never used port knocking software, so I have no idea how to go
about configuring it.

The other catch is that the client will need to know the public IP
address that the world sees it connecting from so that it can pick the
proper sequence.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=180&group=comp.os.linux.networking#180

Newsgroups: comp.os.linux.networking
From: dwhodg...@nomail.afraid.org (David W. Hodgins)
Date: Sat, 05 Jun 2021 18:58:15 -0400
Organization: A noiseless patient Spider
Message-ID: <op.04jd3dyaa3w0dxdave@hodgins.homeip.net>
 by: David W. Hodgins - Sat, 5 Jun 2021 22:58 UTC

On Sat, 05 Jun 2021 18:38:27 -0400, Grant Taylor <gtaylor@tnetconsulting.net> wrote:
> I've never used port knocking software, so I have no idea how to go
> about configuring it.

See https://www.zeroflux.org/projects/knock/ for one implementation.

On Mageia 8 ...
# urpmq -i knock
Name : knock
Version : 0.7
Release : 3.mga8
Group : Networking/Other
Size : 90001 Architecture: x86_64
Source RPM : knock-0.7-3.mga8.src.rpm
URL : http://www.zeroflux.org/knock/
Summary : Open connection through firewall on specified signal
Description :
knock is a server/client set that implements the idea known as port-
knocking. Port-knocking is a method of accessing a backdoor to your
firewall through a special sequence of port hits. This can be useful
for opening up temporary holes in a restrictive firewall for SSH
access or similar.

Regards, Dave Hodgins

--
Change dwhodgins@nomail.afraid.org to davidwhodgins@teksavvy.com for
email replies.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=181&group=comp.os.linux.networking#181

Newsgroups: comp.os.linux.networking
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sat, 12 Jun 2021 11:16:13 +0200
Organization: Guest of ProXad - France
Message-ID: <60c47b5d$0$3709$426a34cc@news.free.fr>
 by: Pascal Hambourg - Sat, 12 Jun 2021 09:16 UTC

On 06/06/2021 at 00:38, Grant Taylor wrote:
> On 6/5/21 11:25 AM, Pascal Hambourg wrote:
>> How do you configure iptables to do this for all IP addresses ?
>
> It depends on how you're doing port knocking.
>
> But in essence, you configure whatever you're using to use a different
> sequence based on the different source IP (or network).  E.g.
>
> 1/8 = A -> blue -> triangle
> 2/8 = green -> square -> B
> 3/8 = oval -> C -> orange
> ...
>
> Pick how granular you want things to be.

Granularity is one single address.

> You can encode this purely as iptables rules with the recent match
> extension.  It will just take a fair number of rules and some thought to
> make it work.

I doubt this scales well with billions of addresses.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=182&group=comp.os.linux.networking#182

Newsgroups: comp.os.linux.networking
From: gtay...@tnetconsulting.net (Grant Taylor)
Date: Sat, 12 Jun 2021 11:12:31 -0600
Organization: TNet Consulting
Message-ID: <sa2pu8$1ve$1@tncsrv09.home.tnetconsulting.net>
 by: Grant Taylor - Sat, 12 Jun 2021 17:12 UTC

On 6/12/21 3:16 AM, Pascal Hambourg wrote:
> Granularity is one single address.

Okay.

The next (snarky) question is how many of those fine granular single
addresses do you want to support. Supporting a few networks of that and
lumping the rest could be done.

> I doubt this scales well with billions of addresses.

Agreed.

But I hope we can agree that scalability is different than technical
possibility. As is whether something should be done or not.

If I wanted to do this to */32 on the Internet, I would not try to
implement this in /just/ IPTables+Recent. I would be far more likely to
do this in IPTables+Recent+<something in user space>. Where the
something in user space is likely NFQUEUE or quite similar. Keep the
bulk of the filtering in IPTables+Recent and only punt to user space for
things that don't qualify with the known good connections (dynamic)
kernel space.

--
Grant. . . .
unix || die

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=183&group=comp.os.linux.networking#183

Newsgroups: comp.os.linux.networking
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Sun, 13 Jun 2021 13:55:22 +0200
Organization: Guest of ProXad - France
Message-ID: <60c5f22b$0$27428$426a34cc@news.free.fr>
 by: Pascal Hambourg - Sun, 13 Jun 2021 11:55 UTC

On 12/06/2021 at 19:12, Grant Taylor wrote:
> On 6/12/21 3:16 AM, Pascal Hambourg wrote:
>> Granularity is one single address.
>
> Okay.
>
> The next (snarky) question is how many of those fine granular single
> addresses do you want to support.  Supporting a few networks of that and
> lumping the rest could be done.

Supporting a few networks only has been out of the scope from the
beginning of this thread. The OP wrote "no matter where the laptop may
be", which means from ANY assigned public unicast address.

>> I doubt this scales well with billions of addresses.
>
> Agreed.
>
> But I hope we can agree that scalability is different than technical
> possibility.  As is whether something should be done or not.

Scalability makes it technically possible - or not. Even the simplest
port knocking algorithm (one packet) requires at least two iptables
rules per address, so it accounts for about 8 billion rules. Even if
iptables can handle so many rules, storing them requires more memory
than most systems have.

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=184&group=comp.os.linux.networking#184

Newsgroups: comp.os.linux.networking
From: gtay...@tnetconsulting.net (Grant Taylor)
Date: Sun, 13 Jun 2021 10:40:59 -0600
Organization: TNet Consulting
Message-ID: <sa5cf6$bo6$1@tncsrv09.home.tnetconsulting.net>
 by: Grant Taylor - Sun, 13 Jun 2021 16:40 UTC

On 6/13/21 5:55 AM, Pascal Hambourg wrote:
> Supporting a few networks only has been out of the scope from the
> beginning of this thread. The OP wrote "no matter where the laptop may
> be", which means from ANY assigned public unicast address.

My experience is that just about every time someone says "no matter
where", they actually mean "no matter where I'm likely to use it from".
The latter is almost guaranteed to be a significantly smaller number.

> Scalability makes it technically possible - or not.

I'm not entirely sure what you're trying to say.

But something can easily be technically possible without being scalable.
There are companies that hand build cars at the rate of a single digit
per year. That is more than technically possible. But it's decidedly
not scalable.

> Even the simplest port knocking algorithm (one packet) requires at
> least two iptables rules per address,

Why does it require /two/ iptables rules /per/ address?

I can easily see /one/ iptables rule /per/ address with a small number
of additional rules that are shared across addresses.

1) If the source IP is in the recent list then allow it. (Shared)
2) If the source IP is A.B.C.D then jump to OpenDoor. (Per IP)
3) If the source IP is W.X.Y.Z then jump to OpenDoor. (Per IP)
4) OpenDoor: Add source IP to the recent list and allow.

That's very crude with one rule per address and two rules shared with
other IPs.

> so it accounts for about 8 billion rules.

I seriously question that number.

> Even if iptables can handle so many rules, storing them requires more
> memory than most systems have.

"most systems" doesn't rule out all systems. There may very well be
some systems that can handle it.

I agree that such a method is not practical. But it's still technically
possible.

--
Grant. . . .
unix || die
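
The per-network sequences Grant outlines in his 5 Jun post (1/8 = A -> blue -> triangle, and so on) and the shared-rule sketch in this post (one "already in the recent list" check, a per-IP jump, one OpenDoor chain), as an added example that is not code from any poster: a POSIX sh generator that prints the iptables rules built on the recent match, so the rule count per network can be compared against the thread's arithmetic. The networks, ports, chain names and recent-list names are constructed values; nothing is applied unless the output is piped to sh as root on a test host.

```shell
#!/bin/sh
# Added example, not from the thread: emit an iptables port-knocking ruleset
# using the recent match. One knock sequence per source network (constructed
# documentation ranges), plus the shared rules that do not grow with the
# number of networks. Only prints commands; apply with:  ./this.sh | sh

SSH_PORT=22          # the protected service
OPEN_SECONDS=30      # window to start SSH after a completed knock
STEP_SECONDS=10      # maximum gap between two knocks of one sequence

# Shared rules: independent of how many networks are configured.
gen_shared_rules() {
    echo "iptables -N KNOCK"
    echo "iptables -N OPENDOOR"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # Grant's rule 1: a source already in the 'opened' list gets straight in.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --name opened --rcheck --seconds $OPEN_SECONDS -j ACCEPT"
    # Every other new TCP connection is run through the per-network knock rules.
    echo "iptables -A INPUT -p tcp -m conntrack --ctstate NEW -j KNOCK"
    # 'Lump the rest': no completed knock, no SSH.
    echo "iptables -A INPUT -p tcp --dport $SSH_PORT -j DROP"
    # Grant's rule 4 (OPENDOOR): remember the source; the knock packet itself
    # is dropped, only the SSH connection that follows is accepted.
    echo "iptables -A OPENDOOR -m recent --name opened --set -j DROP"
}

# gen_knock_rules LABEL NET P1 P2 P3: the sequence P1 -> P2 -> P3 opens the
# door only for sources inside NET. LABEL names the recent lists and must be
# a valid file name (the lists appear under /proc/net/xt_recent/).
gen_knock_rules() {
    label=$1; net=$2; p1=$3; p2=$4; p3=$5
    s1="${label}_s1"; s2="${label}_s2"
    # Stage 3 first, so a correct final knock is matched before the reset rules.
    echo "iptables -A KNOCK -s $net -p tcp --dport $p3 -m recent --name $s2 --rcheck --seconds $STEP_SECONDS -j OPENDOOR"
    # Stage 2: only counts if stage 1 was hit within STEP_SECONDS.
    echo "iptables -A KNOCK -s $net -p tcp --dport $p2 -m recent --name $s1 --rcheck --seconds $STEP_SECONDS -m recent --name $s2 --set -j DROP"
    # Stage 1: first port of the sequence.
    echo "iptables -A KNOCK -s $net -p tcp --dport $p1 -m recent --name $s1 --set -j DROP"
    # Any other new connection from this network resets its progress.
    echo "iptables -A KNOCK -s $net -m recent --name $s1 --remove"
    echo "iptables -A KNOCK -s $net -m recent --name $s2 --remove"
}

# Rules emitted per configured network (the figure to set against the
# "two rules per address" estimate in the thread).
rules_per_network() {
    gen_knock_rules x 192.0.2.0/24 1 2 3 | wc -l | tr -d ' '
}

# Constructed sample configuration: a different sequence per source network.
gen_ruleset() {
    gen_shared_rules
    gen_knock_rules net_a 192.0.2.0/24    7000 8000 9000
    gen_knock_rules net_b 198.51.100.0/24 8000 7000 9000
    gen_knock_rules net_c 203.0.113.0/24  9000 8000 7000
}

gen_ruleset
```

Note that the per-network cost here is five rules plus the recent-list entries, while the shared part stays at seven rules however many networks are added.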

Re: Connecting to an SSH server from the external world

https://www.novabbs.com/computers/article-flat.php?id=185&group=comp.os.linux.networking#185

Newsgroups: comp.os.linux.networking
From: unr...@invalid.ca (William Unruh)
Date: Sun, 13 Jun 2021 17:55:41 -0000 (UTC)
Organization: A noiseless patient Spider
Message-ID: <sa5gqs$rfr$1@dont-email.me>
 by: William Unruh - Sun, 13 Jun 2021 17:55 UTC

On 2021-06-13, Pascal Hambourg <pascal@plouf.fr.eu.org> wrote:
> On 12/06/2021 at 19:12, Grant Taylor wrote:
>> On 6/12/21 3:16 AM, Pascal Hambourg wrote:
>>> Granularity is one single address.
>>
>> Okay.
>>
>> The next (snarky) question is how many of those fine granular single
>> addresses do you want to support.  Supporting a few networks of that and
>> lumping the rest could be done.
>
> Supporting a few networks only has been out of the scope from the
> beginning of this thread. The OP wrote "no matter where the laptop may
> be", which means from ANY assigned public unicast address.

Except that each of those does not need individual attention. You can
just lump them together. Of course that opens you up to ssh attacks so
you need something else (eg port knocking) to get in while still
preventing ssh attacks. Of course one of the easiest, not safe from a
determined attacker but very effective against script kiddies, is just
to use a non-standard port.

>
>>> I doubt this scales well with billions of addresses.
>>
>> Agreed.
>>
>> But I hope we can agree that scalability is different than technical
>> possibility.  As is whether something should be done or not.
>
> Scalability makes it technically possible - or not. Even the simplest
> port knocking algorithm (one packet) requires at least two iptables
> rules per address, so it accounts for about 8 billion rules. Even if
Why? You can have one rule for a range of addresses.

> iptables can handle so many rules, storing them requires more memory
> than most systems have.

Re: Connecting to an SSH server from the external world

<60c767ae$0$6183$426a74cc@news.free.fr>

https://www.novabbs.com/computers/article-flat.php?id=186&group=comp.os.linux.networking#186

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!proxad.net!feeder1-2.proxad.net!212.27.60.64.MISMATCH!cleanfeed3-b.proxad.net!nnrp1-2.free.fr!not-for-mail
Subject: Re: Connecting to an SSH server from the external world
Newsgroups: comp.os.linux.networking
References: <s8rnfh$qp2$1@gioia.aioe.org>
<slrnsb3ql0.9a0.h_hucke+spam.news@romulus.aeon.icebear.cloud>
<s8v14o$c2g$1@server.snarked.org> <60b36e50$0$21617$426a74cc@news.free.fr>
<s94ebe$1os$4@tncsrv09.home.tnetconsulting.net>
<60b66393$0$32499$426a74cc@news.free.fr>
<s966gd$gnc$1@tncsrv09.home.tnetconsulting.net>
<60b8b3fd$0$32507$426a74cc@news.free.fr>
<s9cboj$13j$1@tncsrv09.home.tnetconsulting.net>
<60bbb36f$0$27424$426a74cc@news.free.fr>
<s9gui7$773$1@tncsrv09.home.tnetconsulting.net>
<60c47b5d$0$3709$426a34cc@news.free.fr>
<sa2pu8$1ve$1@tncsrv09.home.tnetconsulting.net>
<60c5f22b$0$27428$426a34cc@news.free.fr>
<sa5cf6$bo6$1@tncsrv09.home.tnetconsulting.net>
From: pas...@plouf.fr.eu.org (Pascal Hambourg)
Date: Mon, 14 Jun 2021 16:29:01 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:78.0) Gecko/20100101
Thunderbird/78.11.0
MIME-Version: 1.0
In-Reply-To: <sa5cf6$bo6$1@tncsrv09.home.tnetconsulting.net>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Lines: 46
Message-ID: <60c767ae$0$6183$426a74cc@news.free.fr>
Organization: Guest of ProXad - France
NNTP-Posting-Date: 14 Jun 2021 16:29:02 CEST
NNTP-Posting-Host: 213.41.155.166
X-Trace: 1623680942 news-2.free.fr 6183 213.41.155.166:38222
X-Complaints-To: abuse@proxad.net
 by: Pascal Hambourg - Mon, 14 Jun 2021 14:29 UTC

Le 13/06/2021 à 18:40, Grant Taylor a écrit :
> On 6/13/21 5:55 AM, Pascal Hambourg wrote:
>
>> Even the simplest port knocking algorithm (one packet) requires at
>> least two iptables rules per address,
>
> Why does it require /two/ iptables rules /per/ address?
>
> I can easily see /one/ iptables rule /per/ address with a small number
> of additional rules that are shared across addresses.

You are right. I have always used the recent match in pairs and did not
think that one rule could be shared.

>> so it accounts for about 8 billion rules.
>
> I seriously question that number.

You are right again, only 4 billion rules (one per address). A bit less
if you remove the reserved ranges (multicast, private...) but that's
still the order of magnitude.

>> Even if iptables can handle so many rules, storing them requires more
>> memory than most systems have.
>
> "most systems" doesn't rule out all systems.  There may very well be
> some systems that can handle it.
>
> I agree that such a method is not practical.  But it's still technically
> possible.

In an attempt to gather real figures, I did some tests on Debian 10
amd64, with 8 GiB memory. iptables-nft-restore (nftables compatibility
flavour) failed after adding ~300k rules, iptables-legacy-restore
(original flavour) failed after adding ~1.3M rules. The used memory was
much lower than the available memory and I got the same results after
limiting the usable memory to 2 GiB, so these limits do not seem
memory-related. So it seems that iptables cannot handle more than 1.3M
rules, which is very far from 4G.

I also estimated by comparison of the output of free that each rule
consumes ~500 bytes (iptables-legacy) to ~670 bytes (iptables-nft), much
more than I expected. So even if iptables could handle 4G rules, they
would consume at least 2 TB of memory.

HTH
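The two points argued above (William Unruh's "lump them together" and use port knocking, and Grant Taylor's observation that the `recent` match lets the knocking rules be shared across all source addresses) can be modelled in a few lines. The following is an added example, not code posted by anyone in this thread. It simulates the kernel-side state that `-m recent --set` / `--rcheck` keep (a table keyed by source address, populated only by addresses that actually knock), collapses a static allow-list into CIDR blocks so the rule count depends on the number of blocks rather than the number of addresses, and renders the equivalent iptables rules. The knock port (1234) and the 30-second window are assumed values, not taken from the thread.

```python
"""Model of single-packet port knocking with iptables' `recent` match.

Added example (not from the thread). Shows that the knocking rules are
shared: state lives in a per-source table that grows only with sources
that knock, so no per-address rule is needed.
"""
import ipaddress
from dataclasses import dataclass, field

KNOCK_PORT = 1234    # assumed: TCP port a client must hit before port 22
SSH_PORT = 22
KNOCK_WINDOW = 30    # assumed: seconds a knock stays valid (--seconds)


@dataclass
class KnockPolicy:
    # source address -> time of last knock; this is what `--set` records.
    # (The real xt_recent list is bounded by its ip_list_tot parameter,
    # default 100 entries, so it cannot grow to "4G" anyway.)
    knocked: dict = field(default_factory=dict)
    # static allow-list after collapsing into CIDR blocks (one rule each)
    allow_blocks: list = field(default_factory=list)

    def allow_addresses(self, addrs):
        """Lump individual addresses into the fewest CIDR blocks."""
        nets = [ipaddress.ip_network(a) for a in addrs]
        self.allow_blocks = list(ipaddress.collapse_addresses(nets))
        return self.allow_blocks

    def packet(self, src, dport, now):
        """Return the verdict the rule set would give a SYN from src."""
        src_ip = ipaddress.ip_address(src)
        # Shared rule 1: a hit on the knock port records the source, then
        # the knock packet itself is dropped.
        if dport == KNOCK_PORT:
            self.knocked[src_ip] = now
            return "DROP"
        if dport == SSH_PORT:
            # One rule per collapsed allow-list block.
            if any(src_ip in block for block in self.allow_blocks):
                return "ACCEPT"
            # Shared rule 2: `--rcheck --seconds KNOCK_WINDOW`.
            last = self.knocked.get(src_ip)
            if last is not None and now - last <= KNOCK_WINDOW:
                return "ACCEPT"
            return "DROP"    # default policy for unknocked sources
        return "DROP"

    def rule_count(self):
        """Rules needed: set, rcheck, final drop, plus one per block."""
        return 3 + len(self.allow_blocks)

    def render_iptables(self):
        """Equivalent INPUT-chain rules in iptables-restore syntax."""
        lines = [f"-A INPUT -p tcp --dport {KNOCK_PORT} "
                 f"-m recent --name KNOCK --set -j DROP"]
        for block in self.allow_blocks:
            lines.append(f"-A INPUT -p tcp --dport {SSH_PORT} "
                         f"-s {block} -j ACCEPT")
        lines.append(f"-A INPUT -p tcp --dport {SSH_PORT} -m recent "
                     f"--name KNOCK --rcheck --seconds {KNOCK_WINDOW} "
                     f"-j ACCEPT")
        lines.append(f"-A INPUT -p tcp --dport {SSH_PORT} -j DROP")
        return lines


if __name__ == "__main__":
    # Constructed sample: a whole /24 plus one stray host (documentation
    # ranges), followed by a knock-then-connect sequence from elsewhere.
    policy = KnockPolicy()
    policy.allow_addresses([f"203.0.113.{i}" for i in range(256)]
                           + ["198.51.100.7"])
    print(f"{policy.rule_count()} rules for {257} allowed addresses")
    for line in policy.render_iptables():
        print(line)
    print(policy.packet("192.0.2.10", SSH_PORT, 100))    # DROP
    print(policy.packet("192.0.2.10", KNOCK_PORT, 100))  # DROP (knock)
    print(policy.packet("192.0.2.10", SSH_PORT, 110))    # ACCEPT
    print(policy.packet("192.0.2.10", SSH_PORT, 200))    # DROP (expired)
```

Note that the number of state entries after the run equals the number of sources that knocked, not the size of the address space; that is the property that makes the shared-rule design scale where a rule-per-address design, as the measurements above show, does not.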
