SN1030: IP Filtering Alternative


excel (Member), Oct 7, 2020
In SN1030, Steve suggested IP Filtering (blocking all incoming traffic except for whitelisted IPs) as an excellent way to lock down external exposure. This sounds great, but I'm not sure how this would work if the incoming traffic is from a provider that does not provide static IPs. For example, if I want to be able to ssh into a network from another location with rotating IP addresses, the filter would need constant updating.

As an alternative, would using a sequence of port accesses be a robust way to filter access? For example, by default no incoming traffic would be passed through. But if a sequence of attempted port accesses matched "key", then access would be opened for a specified period of time.

Example: "key" port sequence: 22222, 55555, 33333. If an incoming IP address attempted ssh on these ports in this order within 10 seconds, then connections from that IP would be passed through for 10 minutes. Requests to 22222 and 55555 would be logged but not accepted. Otherwise no access. The 10 seconds/10 minutes windows would be specified with the key.

I am not sure how easy this would be to implement on a router or Linux server, but it seems like it would be as robust as IP filtering and it does not require preset fixed IP whitelists.

If others agree, what would be the simplest way to implement this - ideally on a gateway or gateway adjacent router? And not just for ssh, but for various types of traffic.
 
Thanks much! I have heard that term but did not know what it referred to. Seems like it is viewed as being less secure than other approaches and not widely used.
 
viewed as being less secure
But less secure than what? If you're always in deny by default, and if there is SSH security when you open up with a port knock, then you're only worried that some middle person could memorize your port knock sequence to get it to open up, but they still would need to then attack your SSH key. (Don't use passwords for SSH, use keys only, and then disable passwords in the server.)

And also, your port knock sequence could incorporate the source IP, which would make it useless to an attacker who couldn't spoof your source IP. (And there are also port-knocking schemes with password challenges like a TOTP.)
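A worked example of the scheme from the opening post (sequence 22222, 55555, 33333 within 10 seconds, then 10 minutes of access) and of the reply's suggestion that the sequence should depend on the source IP. This is added example code, not code from GRC, from any poster, or from knockd or any router firmware. It assumes a firewall hook that calls handle() for each inbound packet and that the knock sequence is fixed at the time of the first knock; the HMAC-based derivation of a per-source, per-time-step sequence is this example's own construction, not a standard, and the packet trace is constructed for the demonstration.

```python
"""Port-knock filter for a deny-by-default gateway.
Added example (not GRC's, knockd's or any router's code). The firewall hook that actually
accepts or drops packets is assumed to call handle(); the traffic below is a constructed trace."""
import hashlib
import hmac

KNOCK_WINDOW = 10                 # seconds allowed to finish the whole sequence
OPEN_DURATION = 600               # seconds the source stays passed through
STATIC_SEQUENCE = (22222, 55555, 33333)   # the "key" from the post


def static_sequence(src_ip, t):
    """Same knock for every source: the scheme as first proposed."""
    return STATIC_SEQUENCE


def derived_sequence(secret, src_ip, t, step=30, count=3, lo=20000, hi=60000):
    """Knock bound to the source IP and a 30 s time step, so a sequence seen in transit is
    useless from another address or after the step rolls over. The construction (HMAC-SHA256 of
    ip|counter sliced into 16-bit values mapped onto [lo, hi)) is this example's own, not a standard."""
    mac = hmac.new(secret, f"{src_ip}|{int(t // step)}".encode(), hashlib.sha256).digest()
    return tuple(lo + int.from_bytes(mac[2 * i:2 * i + 2], "big") % (hi - lo)
                 for i in range(count))


class KnockFilter:
    def __init__(self, sequence_for, service_port=22,
                 knock_window=KNOCK_WINDOW, open_duration=OPEN_DURATION):
        self.sequence_for = sequence_for   # callable(src_ip, t) -> tuple of knock ports
        self.service_port = service_port
        self.knock_window = knock_window
        self.open_duration = open_duration
        self.progress = {}   # src_ip -> [expected sequence, knocks matched, time of first knock]
        self.allowed = {}    # src_ip -> expiry time
        self.log = []        # every knock and reset; the logging matters as much as the filter

    def is_allowed(self, src_ip, t):
        expiry = self.allowed.get(src_ip)
        return expiry is not None and t < expiry

    def knock(self, src_ip, port, t):
        """One packet to a non-service port. Returns True when it completes the sequence."""
        state = self.progress.get(src_ip)
        if state is not None and t - state[2] > self.knock_window:
            state = None                                  # too slow: the attempt expires
        if state is None:
            state = [self.sequence_for(src_ip, t), 0, t]  # sequence fixed at the first knock
        seq, matched, started = state
        if port != seq[matched]:
            self.log.append(f"t={t:.0f} {src_ip} port {port}: reset")
            fresh = self.sequence_for(src_ip, t)          # a wrong port may itself start a new attempt
            if port == fresh[0]:
                self.progress[src_ip] = [fresh, 1, t]
            else:
                self.progress.pop(src_ip, None)
            return False
        matched += 1
        self.log.append(f"t={t:.0f} {src_ip} port {port}: knock {matched}/{len(seq)}")
        if matched == len(seq):
            self.allowed[src_ip] = t + self.open_duration
            self.progress.pop(src_ip, None)
            return True
        self.progress[src_ip] = [seq, matched, started]
        return False

    def handle(self, src_ip, dst_port, t):
        """Firewall decision for one inbound packet: 'accept' or 'drop'."""
        if dst_port == self.service_port:
            return "accept" if self.is_allowed(src_ip, t) else "drop"
        self.knock(src_ip, dst_port, t)
        return "drop"                                     # knock ports are never answered


# Constructed trace: (seconds, source IP, destination port).
TRACE = [
    (0.0, "198.51.100.7", 22),      # nothing open yet -> drop
    (1.0, "198.51.100.7", 22222),   # knock 1/3
    (3.0, "198.51.100.7", 55555),   # knock 2/3
    (5.0, "198.51.100.7", 33333),   # knock 3/3 -> source allowed for 600 s
    (6.0, "198.51.100.7", 22),      # accept
    (7.0, "203.0.113.9", 22),       # other source, no knock -> drop
    (8.0, "203.0.113.9", 22222),    # knock 1/3
    (9.0, "203.0.113.9", 33333),    # wrong order -> reset
    (700.0, "198.51.100.7", 22),    # window expired -> drop
]


def replay(events, sequence_for=static_sequence):
    """Run a trace through a fresh filter; returns the decisions and the filter for inspection."""
    f = KnockFilter(sequence_for)
    return [f.handle(ip, port, t) for (t, ip, port) in events], f
```

Two points the code makes concrete. A knock that arrives out of order or too late resets the attempt, so a port scan has to hit the exact ports in the exact order inside the window, and every knock and reset is logged. With the static sequence, anyone who observes the three knocks can replay them; with the derived sequence the same three ports from another address (or in a later time step) open nothing, which is the point of tying the knock to the source IP. On a Linux gateway the same state machine is normally expressed with nftables sets that carry timeouts, or with knockd; single-packet-authorization tools such as fwknop replace the multi-packet sequence with one authenticated UDP packet. In every variant the service behind the knock still needs its own authentication (keys only for SSH, as the reply says), because the knock only decides who gets to talk to it.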
 
Port knocking is not a common feature on routers. Another solution is to use a small VPN company and then make note of all their servers in one city. This should allow a small number of IPs access to your open port. IVPN, for example, has a presence in a number of cities where they have from 1 to 5 servers. Not a perfect scheme, but fairly easy to do with a router that supports incoming firewall rules.

I used to leave a port open for remote access and trust me, the Russians will find it even if the port number is between 2,000 and 65,000. I know this because my router can not only limit incoming IPs, it can also log every successful attempt to connect into the open port. The activity logging is just as important as limiting the source IP address.
 
Port knocking has a flaw. You might be able to get it working on your router; however, the ISP's modem would need to have those ports open. So you open a bunch of extra ports, or use their DMZ. Not like those modems' firewalls are any good to begin with.
 
however, the ISP's modem would need to have those ports open
No. At least not in the traditional sense of open. You use UDP, and there doesn't need to be an invitation or a listener for the packets to arrive. You normally implement port knocking in the firewall. Now if you're saying you're double NATed or something, then that could be a problem.