iptables +block country

Nataraj incoming-ubuntu at rjl.com
Tue Aug 17 17:05:18 BST 2010


jordon at envygeeks.com wrote:
>> NoOp, you should consider port knocking for access you your machine.
>> I've not used it so I don't have further details. Basically until
>> you 'knock' on certain port, in a certain order the port you wish
>> to access remains closed. One of my other preferences is to use
>> SSH tunnels. I can then access anything on my home system from
>> the machine I'm on. This allows me to only open up SSH but still
>> have full access. Finally I moved the SSH access to another port
>> for better signal to noise ratio.
>>
>
> Port knocking is just security by obscurity in my book, and it can unless
> you were smart enough to monitor for scans a simple scan can possibly
> unlock that port unless you design the knock a specific way.
>
> Perhaps try: http://www.debian-administration.org/articles/518
>
> Personally, I prefer to use Limit to limit connections so they can't
> bruteforce (not that they can since) I also require a key to login and
> don't let people know their passwords and don't allow password based login
> (only key based as implied).  Fail2ban is also good for banning people, it
> will ban them from everything using multi-port but there are some quirks
> on Debian based distros (not any that made it worthless but mainly it can
> only poll reliably).
>
This was the message that I posted earlier.  fwknop started out as port 
knocking, however it is well beyond that now.  I would not consider it 
to be security through obscurity.  The authentication is through gpg 
keys and there is no listener.  In particular, if there is a bug in ssh 
or other daemon, which creates a vulnerability, that bug will not be 
exploitable by anyone who cannot authenticate with fwknop.

fwknop is in the ubuntu repository for Lucid and possibly other releases.
http://packages.ubuntu.com/lucid/fwknop-server
http://packages.ubuntu.com/lucid/admin/fwknop-client

I would look at http://www.cipherdyne.org/fwknop/

With fwknop, you completely block your services.  Then when you remotely 
authenticate to fwknopd, it adds iptables rules to open up the previously blocked
ports that you request access to, only from your IP address.  fwknopd uses 
promiscuous mode to sniff the network for udp authentication packets, so 
a remote attacker has no idea that it is running since there is no 
listener.  Remote users simply don't see the services that are blocked.  
The fwknop client uses gpg keys for authentication, so if you set your 
keyrings and timeouts up correctly, you won't have to keep typing a 
password to reauthenticate.  Newer versions, I believe, will support 
enabling keeping the ports open as long as you have an open connection.

This works well in cases where the users are willing to run the 
authentication client.  Obviously, it won't work for public resources 
or could be too inconvenient for inexperienced users that don't want to 
deal with an authentication client.  I have been running fwknop for 
several years and have found it to be quite solid and reliable.

Nataraj
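A small model of the gate the post above describes (services blocked by default, an authenticated packet sniffed off the wire, an iptables ACCEPT rule added only for the requesting source IP, and a timeout that removes it), written here as an added example; it is not fwknop's own code. It uses an HMAC over a constructed shared key as a stand-in for the GPG authentication the post mentions, and it returns the iptables commands as strings instead of executing them.

```python
import hmac, hashlib, json, ipaddress

# Constructed demo key; fwknop itself authenticates with GPG keys (see the post).
SHARED_KEY = b"constructed-demo-key"
MAX_SKEW = 30        # seconds before a packet's timestamp is considered stale
OPEN_SECONDS = 30    # how long the per-IP ACCEPT rule stays in place
# Assumed base policy, applied once at boot: everything blocked, as the post says.
BASE_POLICY = ["iptables -P INPUT DROP", "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"]

def build_packet(src_ip, port, ts, key=SHARED_KEY):
    """Client side: authenticated UDP payload = JSON body + HMAC-SHA256 tag."""
    body = json.dumps({"ip": src_ip, "port": port, "ts": ts}).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"|" + tag.encode()

class Gate:
    """Server side: no listening socket; handle_packet() is fed sniffed datagrams."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.seen = set()       # replay cache of tags already accepted
        self.open_rules = {}    # (ip, port) -> epoch second at which the rule expires

    def handle_packet(self, payload, now):
        """Return the iptables command to add, or None (bad packets are silently dropped)."""
        try:
            body, tag = payload.rsplit(b"|", 1)
            msg = json.loads(body)
            ip, port, ts = str(ipaddress.ip_address(msg["ip"])), int(msg["port"]), int(msg["ts"])
        except (ValueError, KeyError, TypeError):
            return None
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag.decode(errors="replace")):
            return None                      # wrong key: no response, nothing to probe
        if abs(now - ts) > MAX_SKEW or tag in self.seen:
            return None                      # stale or replayed capture
        self.seen.add(tag)
        self.open_rules[(ip, port)] = now + OPEN_SECONDS
        # Opened only for the authenticated source address, never for everyone.
        return f"iptables -I INPUT -s {ip} -p tcp --dport {port} -j ACCEPT"

    def expire(self, now):
        """Timeout cleanup: return the delete commands for rules whose time has run out."""
        gone = [k for k, exp in self.open_rules.items() if exp <= now]
        for k in gone:
            del self.open_rules[k]
        return [f"iptables -D INPUT -s {ip} -p tcp --dport {port} -j ACCEPT" for ip, port in gone]
```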
