Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cryptographically Hiding TCP Ports

Posted by CmdrTaco on from the can't-see-the-ones-for-the-zeros dept.

JohnGrahamCumming writes "The shimmer project implements a cryptographically-based system for hiding important (e.g. SSH) open ports in plain sight. By automatically forwarding from a range of ports all but one of which are honeypots and by changing the ports every minute only a user knowing a shared secret can determine the location of the real SSH server."

10 of 206 comments (clear)

  1. Re:Neat in theorey, imho. by JohnGrahamCumming · · Score: 3, Informative

    Clock drift is an issue, hence the fact that three overlapping minutes are kept active at once.

  2. Re:Neat in theorey, imho. by egomaniac · · Score: 3, Informative

    I saw that, but I agree with GP that this won't fly in practice. Even with NTP servers it's too easy to have your systems end up out of clock sync, so now you're blacklisted and don't know why or how to fix it.

    --
    ZFS: because love is never having to say fsck
  3. Re:"Obscurity" tag is misleading by Loibisch · · Score: 2, Informative

    [...] and any mistake automatically blacklists you. Sounds ridiculously impractical IMHO. Yup, anything that would potentially that easily deny me access to my own machine won't get installed.
    It's all fun and games till you've locked yourself out from an only remotely accessible server...
  4. Re:Isn't this port knocking by AndyST · · Score: 2, Informative

    And you send UDP packets, so there's no indication from the server that the machine is even powered up unless you are successful. Except for the missing dst host unreachable from the last hop before the target. "Stealth"/DROP instead of "Closed"/REJECT add nothing to security. Same with not replying to pings. People listen to Steve Gibson way to often.
  5. Re:Obscurity? by bugs2squash · · Score: 2, Informative

    This will probably stop "john" trying to log in from Istanbul as he seems to try 100s of times each day, and I like the C3PO acronym - cute. So far, port knocking has also stopped 'john' and his friends.

    It seems too easy to get locked out as one slip blacklists you.

    I was shocked to read that even with NTP, some servers' clocks drift so far - I thought it could keep them +/- a fraction of a second worst case (ah, when reality bites)

    --
    Nullius in verba
  6. Re:Obscurity? by jmodule · · Score: 2, Informative

    matt4077: "Passwords are security by obscurity, too."

    No, no, no! A password is a *key* and has nothing to do with obscurity. The quote you refer to is using obscurity to mean enhancing an algorithm by "keeping its process a secret." That is not the case here.

    See Security through obsecurity is no security and Security through obscurity

    --
    The jModule
  7. not as good as port knocking by vrmlguy · · Score: 2, Informative

    There are 16 ports being listened to, so an attacker has a 1-in-16 chance of finding the correct port. Knocking, using 16 ports and just three knocks, gives an attacker a 1-in-4096 chance of getting through. If you changed the knock pattern every minute, then I could see something like this being useful, but as presented it seems less secure.

    --
    Nothing for 6-digit uids?
  8. Re:Neat in theorey, imho. by spun · · Score: 2, Informative

    If your ntp-enabled systems are drifting 15 seconds out of whack with each other, you have bigger problems than additional SSH security. Yes, it's called Linux on VMWare. There are workarounds, but they involve recompiling the kernel, setting boot options, and VMWare tools settings. Without the workarounds, even with ntp enabled, clocks can skew on the order of seconds every minute. I've seen systems get a minute out of whack in under ten minutes. With some settings, ntp actually makes it worse, as ntp and VMware perform dueling clock-skews.
    --
    - None can love freedom heartily, but good men; the rest love not freedom, but license. -- John Milton
  9. Re:Newbie Question about SSH Security ... by KillerBob · · Score: 4, Informative

    The only truly secure method is to make it terminal access only and accessible only by passcard or some other physical means. (IOW, to turn SSH off) Not exactly feasible for something you want to access remotely.

    Passkeys can be relatively secure, or they can be relatively insecure. It depends on the level of security you're implementing in them. Another really easy way to secure it is to make it more trouble than it's worth to break into it. I have my SSH on the standard port of 22 on my server, and am not worried about security at all. I subscribe to the mailing list and it's kept up to date every time a new release comes out. More importantly, my SSH server is configured to only allow one user ID to log in, and to only allow one password attempt before disconnecting. It also doesn't disconnect until after you've entered the password, and will give the same error message no matter what, so you've got no way of knowing why it is that you're not getting through. Finally, the user name in particular that's allowed to log in through SSH doesn't have an e-mail account or home directory, and isn't published anywhere.

    No, that isn't going to secure it entirely. It is, however, going to make breaking into it incredibly time consuming and generally not worth it unless you have a personal vendetta or other reason to go after me specifically. Security through obscurity. In this case, get away from Default Pass, and towards Default Reject security model.

    --
    If you believe everything you read, you'd better not read. - Japanese proverb
  10. Re:"Obscurity" tag is misleading by russotto · · Score: 2, Informative

    To someone without the key, frequency hopping "looks like" random noise.


    No, it doesn't. It looks pretty much like you'd expect -- spikes in power more-or-less uniformly (but discretely, not continuously) distributed over some part of the spectrum.

    Check this link for pictures:

    http://www.metageek.net/docs/sample-recordings/video-baby-monitor