View previous topic :: View next topic |
Author |
Message |
jannis Guru
Joined: 05 Dec 2004 Posts: 340 Location: Germany / Bavaria / Aschaffenburg
|
Posted: Tue Nov 06, 2012 11:55 am Post subject: [CLOSED] Hiding open ports (ssh) via virtual interface (and |
|
|
Hi there,
yesterday I had some funny idea: I'm running a dedicated hosted server with a static, public IPv4-address and use ssh to administer it. If you don't want port 22 to be seen as "open" from the outside there are some possibilities:
- Move sshd to another port
- Use port-knocking so that the port will be opened only for a short while (or one connection) when a specific connect-sequence has reached the server
And my idea now is:
- create a virtual network interface on the server (ip tuntap add mode tun)
- set any non-public (not routed on the internet) IPv4-address on that interface (ip addr add 192.168.123.1/24 dev tun0)
- activate that interface (ifconfig tun0 up)
- config sshd to only bind to that IP-address of the virtual interface and restart/reload sshd
- On the machines you want to connect to the server, add a new route (route add -net 192.168.123.0/24 gw <PUBLIC IP or DOMAIN/HOSTNAME>)
Then you can connect to the server using the virtual IP-address (ssh user@192.168.123.1) and the port won't be seen while port scanning
Initially I expected to configure as masquerading NAT from the physical interface of the server (eth0) to the virtual one (tun0) but that doesn't seem to be necessary.
Now a question to all network/firewalling/security-pros out there: Do I open up any security-hole that way? How do you like the idea?
Last edited by jannis on Tue Nov 06, 2012 5:04 pm; edited 1 time in total |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Tue Nov 06, 2012 2:20 pm Post subject: |
|
|
You don't necessarily have root on all machines you want to connect from, and routers will not necessarily know how to route packets properly to a private net unless you happen to be on the same net - and thus don't need to route?
You might well just firewall everything off and use VPN to connect.
I just leave sshd open and let the storm pass. Just hoping people all have good passwords... _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
py-ro Veteran
Joined: 24 Sep 2002 Posts: 1734 Location: Velbert
|
Posted: Tue Nov 06, 2012 2:28 pm Post subject: |
|
|
Most routers will ignore your provided route and just discard your packages. |
|
Back to top |
|
|
jannis Guru
Joined: 05 Dec 2004 Posts: 340 Location: Germany / Bavaria / Aschaffenburg
|
Posted: Tue Nov 06, 2012 5:03 pm Post subject: |
|
|
Okay, you are both correct, I didn't really think about the routers in between my client machine and the server. Thanks for your clarification |
|
Back to top |
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Tue Nov 06, 2012 8:52 pm Post subject: |
|
|
VPN should be what you want. It basically does exactly that, transfers from your machine to the server in a tunnel without worrying about the network. The server has its own private address space associated with the VPN, on which the server only listens to ssh on. So if the attacker has no VPN access=no ssh access either. Plus it's an encrypted tunnel, to boot!
Again I just let ssh do what it does. But I also have VPN that I can use, and it uses a certificate system that I can revoke access to if I lose a key. _________________ Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Back to top |
|
|
|