Displaying 14 results from an estimated 14 matches for "fwknop".
2007 Feb 19
0
Quick demo guide for SPA ( re: the port knocking thread )
...*nix, but I have used CentOS 4.4 installed on a
VM (vmware workstation build 36983)
SELinux Disabled
Firewall enabled, no services allowed.
"Minimal" installation performed.
IP=10.1.1.8
===================
Setup the server
Optional : Update the server;
#yum -y update
#reboot
Install fwknop
#cd /tmp
#wget http://www.cipherdyne.org/fwknop/download/fwknop-1.0.1-1.i386.rpm
#rpm -i fwknop-1.0.1-1.i386.rpm
Backup fwknop's access.conf file and make our own.
#mv /etc/fwknop/access.conf /etc/fwknop/access.conf.orig
#access=/etc/fwknop/access.conf
#echo "SOURCE: ANY;">>$a...
2024 Jul 04
4
Request for a Lockdown option
Jochen Bern <Jochen.Bern at binect.de> writes:
> (And since you mention "port knocking", I'd like to repeat how fond I
> am of upgrading that original concept to a single-packet
> crypto-armored implementation like fwknop.)
I am reluctantly considering to use some kind of port knocking mechanism
on some machines, however I really don't want to carry around shared
symmetric keys or setup yet another public/private key infrastructure
for that purpose. I already have a working infrastructure for SSH
authenticatio...
2010 Aug 29
1
Ignorant question on pam_shield
I've seen pam_shield recommended several times
for protecting against malicious login attempts;
but I'm not quite clear if this requires one
to be already running some pam-based software?
Also, I'm running shorewall,
and would prefer a shorewall based protection,
but the advice I read on googling for this
seemed excessively complicated.
--
Timothy Murphy
e-mail: gayleard /at/
2023 Jun 11
0
Minimize sshd log clutter/spam from unauthenticated connections
...10.06.23 11:19, Carsten Andrich wrote:
> For the time being, I've deployed a quasi-knocking KISS solution that
> sends an unencrypted secret via a single UDP packet. Server side is
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> realized entirely with nftables
... frankly, for that reason, I like fwknop (in my case, straight from
OS repos) better ... I'd still have to see fwknopd exit unexpectedly,
which is where a host-firewall-only mechanism on the server side would
have an advantage ...
http://www.cipherdyne.org/fwknop/
> ~# cd /etc/fwknop
> fwknop# diff access.conf.orig access....
2024 Jul 04
1
Request for a Lockdown option
...x - after all, the backdoor of
CVE-2024-3094 allowed the attacker to bypass *some* of the normal crypto
routines, too.
(And since you mention "port knocking", I'd like to repeat how fond I am
of upgrading that original concept to a single-packet crypto-armored
implementation like fwknop.)
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
2024 Jul 04
1
Request for a Lockdown option
...rote in
<87jzi1fg24.fsf at kaka.sjd.se>:
|Jochen Bern <Jochen.Bern at binect.de> writes:
|> (And since you mention "port knocking", I'd like to repeat how fond I
|> am of upgrading that original concept to a single-packet
|> crypto-armored implementation like fwknop.)
|
|I am reluctantly considering to use some kind of port knocking mechanism
|on some machines, however I really don't want to carry around shared
|symmetric keys or setup yet another public/private key infrastructure
|for that purpose. I already have a working infrastructure for SSH
|a...
2017 Nov 27
1
Failed attempts
And if you're really security conscious consider using port knocking (knock server - amazingly easy to set up). Or use fwknop, a little more difficult to set up but not much. Finally, for the hard core who really like pain - write the iptables rules yourself.
----- Original Message -----
From: "Pete Biggs" <pete at biggs.org.uk>
To: "centos" <centos at centos.org>
Sent: Monday, November...
2024 Jul 07
1
Request for a Lockdown option
...n
| <87jzi1fg24.fsf at kaka.sjd.se>:
||Jochen Bern <Jochen.Bern at binect.de> writes:
||> (And since you mention "port knocking", I'd like to repeat how fond I
||> am of upgrading that original concept to a single-packet
||> crypto-armored implementation like fwknop.)
||
||I am reluctantly considering to use some kind of port knocking mechanism
||on some machines, however I really don't want to carry around shared
||symmetric keys or setup yet another public/private key infrastructure
||for that purpose. I already have a working infrastructure for SS...
2008 Dec 23
6
Security advice, please
My LAN is behind a Netgear router, which does NAT. On the CentOS server I
have fail2ban running. This morning my router reported 3 different IPs
attempting to send UDP packets to port 38950. Since each address is only seen
4-5 times, I presume that fail2ban took over after that.
GRC reports that ports are stealthed (port 143 was open, but is now closed),
but then:
Unsolicited Packets:
2024 Jul 03
1
Request for a Lockdown option
Dear Christian,
>How is this different to configuring /etc/securetty and tunnelling
>Telnet over SSH Port Forwarding which I don't recommend BTW?
In case your SSH is remotely attackable for instance
- because your LDAP is configured wrongly,
- you run into some problem like CVE-2008-0166
- some users' private keys are lost
And you want to lock down the sshd and investigate and
2013 Sep 24
1
Port Knocking?
I haven't been keeping up with the internals, I'm afraid. Does OpenSSH have support for Port Knocking?
I might be interested in looking into that, as a way of reacquainting myself with the current code base.
---
Scott Neugroschl | XYPRO Technology Corporation
4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |
2009 Jul 08
4
Feature request: "SetupCommand" invoked before connecting
Hi,
(I'm not subscribed to the list, so please CC me on reply.)
I'd like to request adding a feature to OpenSSH:
Task:
~~~~~
It is sometimes quite useful to invoke a program prior to connecting to
an ssh server. The most common use case will probably be port knocking.
That is, a small program sends certain packets to a server and the server
reacts to this by unlocking the ssh port, which
2024 Jul 14
2
Request for a Lockdown option
...<87jzi1fg24.fsf at kaka.sjd.se>:
|||Jochen Bern <Jochen.Bern at binect.de> writes:
|||> (And since you mention "port knocking", I'd like to repeat how fond I
|||> am of upgrading that original concept to a single-packet
|||> crypto-armored implementation like fwknop.)
|||
|||I am reluctantly considering to use some kind of port knocking mechanism
|||on some machines, however I really don't want to carry around shared
...
|||Does anyone know of any implementation that allows me to configure a
|||PGP/SSH/FIDO/TPM/whatever public key on the server side,...
2017 Nov 27
8
Failed attempts
Hi All,
I happened to log in to one of my servers today and saw 96000 failed login
attempts. Shown below is the address it's coming from. I added it to my
firewall to drop.
Failed password for root from 123.183.209.135 port 14299 ssh2
FYI - others might be seeing it also.
Jerry