Jochen Bern
2023-Jun-11 08:30 UTC
Minimize sshd log clutter/spam from unauthenticated connections
On 10.06.23 11:19, Carsten Andrich wrote:
> For the time being, I've deployed a quasi-knocking KISS solution that
> sends an unencrypted secret via a single UDP packet. Server side is
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> realized entirely with nftables

... frankly, for that reason, I like fwknop (in my case, straight from OS
repos) better ... I'd still have to see fwknopd exit unexpectedly, which is
where a host-firewall-only mechanism on the server side would have an
advantage ...

http://www.cipherdyne.org/fwknop/

> ~# cd /etc/fwknop
> fwknop# diff access.conf.orig access.conf | sed -e '/> .*KEY/s/\t.*/\t.../'
> 204,206c204,211
> < SOURCE ANY
> < KEY_BASE64 __CHANGEME__
> < HMAC_KEY_BASE64 __CHANGEME__
> ---
>> SOURCE ANY
>> KEY_BASE64 ...
>> HMAC_KEY_BASE64 ...
>> REQUIRE_SOURCE_ADDRESS Y
>> # fwknopd fiddles with iptables, we need to have nftables modified.
>> CMD_CYCLE_OPEN /usr/local/sbin/fwknop2nftables $IP $PORT
>> CMD_CYCLE_CLOSE NONE
>> CMD_CYCLE_TIMER 30s
> fwknop# diff fwknopd.conf.orig fwknopd.conf
> 40a41
>> PCAP_INTF enp0s25
> fwknop# cat /usr/local/sbin/fwknop2nftables
> #!/bin/sh
>
> # Syntax: $0 SRC_IP PORT
>
> NFT="/usr/sbin/nft"
> SET="fwkn"
> # Note that we are ignoring everything from the accepted fwknop
> # requests except the src IP and tgt port to be allowed ...
>
> PREP=`$NFT list chain inet firewalld filter_IN_public_allow | grep -c "@${SET}_$2"`
>
> if [ $PREP -eq 0 ]; then
>   $NFT add set inet firewalld "${SET}_$2" '{ type ipv4_addr ; timeout 30s ; size 32 ; }'
>   $NFT add rule inet firewalld filter_IN_public_allow ip saddr "@${SET}_$2" tcp dport "$2" accept
> fi
>
> $NFT add element inet firewalld "${SET}_$2" { $1 }
> ~$ tail -8 .fwknoprc | sed -e '/^[SKH]/s/\t.*/\t.../' -e '/^\[/s/[a-z][a-z]*/.../g'
> [...]
> ACCESS tcp/22
> SPA_SERVER ...
> #ALLOW_IP TBD
> KEY_BASE64 ...
> HMAC_KEY_BASE64 ...
> USE_HMAC Y
> RESOLVE_IP_HTTPS N

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
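Review bot: in the access.conf hunk, `CMD_CYCLE_OPEN /usr/local/sbin/fwknop2nftables $IP $PORT` hands the port to a helper whose "rule already exists" test is `grep -c "@${SET}_$2"`, a substring match: once a set for tcp/22 exists, a later cycle for tcp/2 counts that line as a hit, skips creating `fwkn_2` and its accept rule, and the following `add element` then fails against a set that does not exist. Anchoring the match (for example `grep -cE "@${SET}_$2([^0-9]|$)"`) or asking nft for the set directly avoids this. Also, with `SOURCE ANY` in the same hunk and the set declared `type ipv4_addr`, an IPv6 address in `$IP` would make `add element` fail rather than open the port; either restrict the source or keep a second set of type `ipv6_addr`.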
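As an added example (not the helper from the post and not fwknop's own code), here is a stricter version of the CMD_CYCLE_OPEN idea above: it validates the address and port that fwknopd hands over before nft sees them, keeps IPv4 and IPv6 sources in separate sets, matches the existing accept rule by its full set name, and produces the nft statements as text first so they can be reviewed with NFT=echo. It keeps the table, chain and set prefix from the post and relies on nft's documented behaviour that `add set` succeeds when the set already exists (`create set` is the variant that errors); the function names (valid_port, ip_family, nft_script, rule_present, open_port), the validation rules and the per-family sets are this example's own assumptions, and the IPv6 handling goes beyond what the posted script does.

```shell
#!/bin/sh
# Added example (not the helper from the post): a stricter take on a fwknopd
# CMD_CYCLE_OPEN helper that opens one tcp port for one source address via an
# nftables set with a timeout.  Compared with the posted script it
#   - validates the IP and port that fwknopd hands over before nft sees them,
#   - keeps IPv4 and IPv6 sources in separate sets (ipv4_addr / ipv6_addr),
#   - checks for the existing accept rule with an anchored match, so the set
#     for tcp/2 is not mistaken for the one for tcp/22,
#   - builds the nft statements as text first (NFT=echo gives a dry run).
# Table, chain and set prefix are the ones from the post; the rest is assumed.

NFT="${NFT:-/usr/sbin/nft}"
TABLE="inet firewalld"          # expanded unquoted below: two words for nft
CHAIN="filter_IN_public_allow"
SET_PREFIX="fwkn"
TIMEOUT="30s"
SET_SIZE="32"

# valid_port PORT: succeeds only for an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ip_family ADDR: prints "v4" for a strict dotted quad, "v6" for something
# that is syntactically an IPv6 address (hex digits and colons only), and
# fails for anything else, including whitespace or shell metacharacters.
ip_family() {
    case "$1" in
        *:*)
            case "$1" in *[!0-9a-fA-F:]*|*:::*) return 1 ;; esac
            echo v6; return 0 ;;
        .*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    # four non-empty digit fields, each at most 255 (checked in a subshell
    # so the IFS change and "set --" do not leak out)
    ( IFS=.; set -- $1
      [ $# -eq 4 ] || exit 1
      for octet in "$@"; do [ "$octet" -le 255 ] || exit 1; done ) || return 1
    echo v4
}

# set_name FAMILY PORT: one set per address family and port
set_name() { echo "${SET_PREFIX}_$1_$2"; }

# nft_script SRC PORT: prints the nft statements that make sure the set for
# PORT exists and add SRC to it.  On invalid input nothing is printed and 1 is
# returned, so a bad argument never reaches nft.  "add set" is a no-op when
# the set already exists ("create set" is the variant that errors).
nft_script() {
    valid_port "$2" || { echo "invalid port: $2" >&2; return 1; }
    fam=$(ip_family "$1") || { echo "invalid address: $1" >&2; return 1; }
    name=$(set_name "$fam" "$2")
    if [ "$fam" = v4 ]; then type=ipv4_addr; else type=ipv6_addr; fi
    printf 'add set %s %s { type %s; timeout %s; size %s; }\n' \
        "$TABLE" "$name" "$type" "$TIMEOUT" "$SET_SIZE"
    printf 'add element %s %s { %s }\n' "$TABLE" "$name" "$1"
}

# rule_present FAMILY PORT: succeeds if the chain already references the
# set; the pattern is anchored so @fwkn_v4_2 does not match @fwkn_v4_22.
rule_present() {
    name=$(set_name "$1" "$2")
    $NFT list chain $TABLE "$CHAIN" 2>/dev/null | grep -Eq "@${name}([^0-9A-Za-z_]|$)"
}

# open_port SRC PORT: what CMD_CYCLE_OPEN calls.  Runs the generated
# statements one by one, then adds the accept rule only if it is missing.
open_port() {
    script=$(nft_script "$1" "$2") || return 1
    fam=$(ip_family "$1")
    printf '%s\n' "$script" | while IFS= read -r stmt; do $NFT $stmt; done
    if ! rule_present "$fam" "$2"; then
        name=$(set_name "$fam" "$2")
        if [ "$fam" = v4 ]; then saddr="ip saddr"; else saddr="ip6 saddr"; fi
        $NFT add rule $TABLE "$CHAIN" $saddr "@$name" tcp dport "$2" accept
    fi
}

# Same calling convention as the posted helper when installed under that
# name: fwknop2nftables SRC_IP PORT.  Sourcing the file only defines functions.
case "$0" in
    */fwknop2nftables|fwknop2nftables) open_port "$1" "$2" ;;
esac
```

Installed as /usr/local/sbin/fwknop2nftables it drops into the same CMD_CYCLE_OPEN line as the posted helper, and `NFT=echo /usr/local/sbin/fwknop2nftables 192.0.2.10 22` shows the statements without touching the ruleset. fwknopd has already authenticated the SPA packet by the time the helper runs, so the validation is not about trusting the source; it keeps the helper's nft invocation down to exactly an address and a port, whatever the rest of the request contained.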