[clue] Port knocking.
David L. Anselmi
anselmi at anselmi.us
Sun Sep 2 12:54:00 MDT 2012
So I was reading about how to build port knocking with netfilter[1] (that is, a shell, dc, nc, and
iptables only) and found this:
"...then I can just add the following lines to my ~/.ssh/config:
Host blahblah
IdentityFile foobar
ProxyCommand /home/roland/bin/portknock.sh %h %p
...and SSH will automagically tunnel its network socket through the script, which will in turn
happily tunnel that through netcat after completing the secret handshake."
Dang Unix is cool. My hat's off to the OpenSSH and netcat guys.
And that reminds me of this, related to "everyone should learn programming"...
I have thought, ephemerally, that everyone should learn programming. Although I don't really mean
programming but more like:
"The general populace (and its political leadership) could probably benefit most of all from a basic
understanding of how computers, and the Internet, work. Being able to get around on the Internet is
becoming a basic life skill, and we should be worried about fixing that first and most of all,
before we start jumping all the way into code."[2]
"Getting around on the Internet" isn't as important to me as streamlining your activity. Stop
retyping things; stop cutting and pasting; stop making foo.doc, foo1.doc, foov2.doc, foo2Sep.doc...
Ah well. I suppose that I'm just trading being a programming snob for being an engineering snob.
But I'm still glad I can set up port knocking with such a small tool set.
Dave
1) http://roland.entierement.nu/blog/2008/08/19/netfilter-based-port-knocking.html
2) http://www.codinghorror.com/blog/2012/05/please-dont-learn-to-code.html
And look at
http://roland.entierement.nu/blog/2012/08/31/integrating-fwbuilder-with-fail2ban-and-port-knocking.html
to integrate this kind of flexibility with something simpler than maintaining iptables scripts.
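As an added example that is not part of Dave's message or of the blog posts he links: one small POSIX shell script covering both halves of the setup the quoted paragraph describes, the server-side netfilter rules and the client-side ProxyCommand that knocks and then hands the socket to netcat. The server side uses the iptables "recent" match, which is my assumption about the mechanism rather than necessarily what the linked post does (that post uses dc as well), and the knock ports, the protected port and the script name are constructed sample values.

```sh
#!/bin/sh
# Added example, not code from the original message or from the linked blog.
# Server side: generate iptables rules for an N-stage port-knock sequence
# using the "recent" match. Client side: the ProxyCommand script ssh runs.
# Assumptions: iptables with the recent and conntrack match modules; a nc
# that accepts -z (connect-only) and -w (timeout). Ports below are
# constructed sample values, not anything from the original post.

KNOCK_PORTS="7000 8000 9000"   # knock sequence, in order (constructed)
SSH_PORT=22                     # the service the knock unlocks
KNOCK_WINDOW=10                 # seconds allowed between stages

# Print (do not run) the iptables commands. Stage i is tracked in the
# recent list KNOCKi; stage i+1 only counts if KNOCKi saw the source within
# KNOCK_WINDOW seconds. Knock packets themselves are always dropped, so the
# knock ports look closed to a scanner.
gen_rules() {
    stage=0
    prev=""
    printf 'iptables -N KNOCKING\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --syn -j KNOCKING\n'
    for p in $KNOCK_PORTS; do
        stage=$((stage + 1))
        list="KNOCK$stage"
        if [ -z "$prev" ]; then
            printf 'iptables -A KNOCKING -p tcp --dport %s -m recent --name %s --set -j DROP\n' \
                "$p" "$list"
        else
            printf 'iptables -A KNOCKING -p tcp --dport %s -m recent --name %s --rcheck --seconds %s -m recent --name %s --set -j DROP\n' \
                "$p" "$prev" "$KNOCK_WINDOW" "$list"
        fi
        prev="$list"
    done
    # Full sequence seen recently: let this source open the real port.
    printf 'iptables -A KNOCKING -p tcp --dport %s -m recent --name %s --rcheck --seconds %s -j ACCEPT\n' \
        "$SSH_PORT" "$prev" "$KNOCK_WINDOW"
    # Any other new connection from a source mid-sequence resets its progress
    # (a rule with no -j just performs the --remove and falls through).
    i=1
    while [ "$i" -le "$stage" ]; do
        printf 'iptables -A KNOCKING -m recent --name KNOCK%s --remove\n' "$i"
        i=$((i + 1))
    done
    printf 'iptables -A KNOCKING -j DROP\n'
}

# Client side, for ~/.ssh/config:  ProxyCommand /path/to/portknock.sh knock %h %p
# Each nc -z attempt sends the SYN that serves as a knock; the server drops
# it, so nc reports failure and we ignore that. After the sequence, exec nc
# so ssh's socket is tunnelled through it, as the quoted post describes.
knock_and_connect() {
    host=$1
    port=$2
    for p in $KNOCK_PORTS; do
        nc -z -w 1 "$host" "$p" 2>/dev/null || true
    done
    exec nc "$host" "$port"
}

# Dispatch: "gen" prints the rule set, "knock HOST PORT" acts as ProxyCommand.
case "${1:-}" in
    gen)   gen_rules ;;
    knock) knock_and_connect "$2" "$3" ;;
esac
```

On the server, `sh portknock.sh gen` prints the rules so they can be reviewed before being applied with root privileges; the generated KNOCKING chain ends in DROP, so every new TCP connection that is not a correct knock or an unlocked ssh connection is refused, while existing connections are kept by the conntrack rule. On the client the `knock` mode is what goes on the ProxyCommand line. Two practical points: the knock only gates access to sshd, it does not replace key authentication, and since a plain sequential port scan touches ports in increasing order, a sequence whose ports are not monotonically increasing is a slightly better choice than the ascending sample used here.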