Protecting SSH Servers with Single Packet Authorization
Suppose that the SPA packet from the first example above was sniffed off the wire en route by a crafty individual on the system labeled attacker in the network diagram in Figure 1. The SPA packet always can be placed back on the wire in an effort to gain the same access as the original packet—this is known as a replay attack. There are several ways to acquire the packet data and replay it. One of the most common is to use tcpdump to write a pcap file (in this case tcpdump -i eth0 -l -nn -s 0 -w SPA.pcap port 62201 would work) and then use tcpreplay (see tcpreplay.synfin.net/trac) to copy the SPA packet back onto the wire. Another method, after the packet has been captured, is to use the echo command along with netcat:
[attacker]$ echo "U2FsdGVkX1+BvzxXj5Zv6gvfCFXwJ+iJGKP \ qe2whdYzyigkerSp2WtvON/xTd8t6V6saxbg1v4zsK+YNt53BE8EI \ nxVCgpD7y/gEBIg8sd+AvU1ekQh9vwJJduseVx \ DxjmAHx3oNnClo2wckBqd8zA" |nc -u 188.8.131.52 62201
On the fwknopd server, the duplicate SPA packet is monitored, but because the MD5 sum matches that of the original SPA packet, no access is granted, and the following message is written to syslog on the spa_server system:
Feb 10 14:14:24 spa_server fwknopd: attempted \ message replay from: 184.108.40.206
Single Packet Authorization provides an additional layer of security for services such as SSHD, and this layer strikes at the first step that an attacker must accomplish when trying to compromise a system: reconnaissance. By using iptables in a default-drop stance and fwknop to sniff the wire for specially constructed (that is, encrypted and non-replayed) packets, it is difficult even to tell that a service is listening, let alone communicate with it. The end result is that it is significantly harder to exploit any vulnerabilities a protected service might have.
An excellent source of additional theoretical information about both port knocking and Single Packet Authorization can be found in Sebastien Jeanquier's Master's thesis at the Royal Holloway College, University of London. The thesis can be downloaded from web.mac.com/s.j, and it includes an excellent argument for why SPA is not “security through obscurity”.
The Rijndael cipher was selected in 2001 for the Advanced Encryption Standard (AES) as the successor to the aging Data Encryption Standard (DES). A good writeup can be found at en.wikipedia.org/wiki/Advanced_Encryption_Standard.
GnuPG is the GNU Privacy Guard, and is an open-source implementation of the OpenPGP standard. More information can be found at www.gnupg.org.
Michael Rash holds a Master's Degree in applied mathematics with a concentration in computer security from the University of Maryland. Michael is the founder of cipherdyne.org, a Web site dedicated to open-source security software for Linux systems, and he works as Security Architect on the Dragon Intrusion Detection System for Enterasys Networks. He is the author of the upcoming book Linux Firewalls: Attack Detection and Response, published by No Starch Press.
|Using Salt Stack and Vagrant for Drupal Development||May 20, 2013|
|Making Linux and Android Get Along (It's Not as Hard as It Sounds)||May 16, 2013|
|Drupal Is a Framework: Why Everyone Needs to Understand This||May 15, 2013|
|Home, My Backup Data Center||May 13, 2013|
|Non-Linux FOSS: Seashore||May 10, 2013|
|Trying to Tame the Tablet||May 08, 2013|
- Making Linux and Android Get Along (It's Not as Hard as It Sounds)
- Using Salt Stack and Vagrant for Drupal Development
- RSS Feeds
- New Products
- Validate an E-Mail Address with PHP, the Right Way
- Drupal Is a Framework: Why Everyone Needs to Understand This
- A Topic for Discussion - Open Source Feature-Richness?
- Home, My Backup Data Center
- New Products
- Tech Tip: Really Simple HTTP Server with Python
- Connecting Android device to desktop Linux via USB
22 min 15 sec ago
- Find new cell phone and tablet pc
1 hour 20 min ago
2 hours 49 min ago
- Automatically updating Guest Additions
3 hours 57 min ago
- I like your topic on android
4 hours 44 min ago
- Reply to comment | Linux Journal
5 hours 5 min ago
- This is the easiest tutorial
11 hours 19 min ago
- Ahh, the Koolaid.
16 hours 58 min ago
- git-annex assistant
22 hours 58 min ago
- direct cable connection
23 hours 20 min ago
Free Webinar: Linux Backup and Recovery
Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.
In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.