Benjamin Smith wrote:
On Friday 16 March 2007, MrKiwi wrote:
mitigate a situation
where you have no control over an intermediate firewall that
only passes port 80
Yes, that's EXACTLY what I'm trying to do... but I don't see how this exactly
relates to port knocking.
Port knocking seems to be that you log connection attempts to various ports
that are otherwise closed, EG:
iptables -A INPUT -p tcp -j LOG --log-prefix "knock: "
iptables -A INPUT -p tcp -j DROP
and then watch the log file for a specific, exact sequence of connections from
a common source IP. How would that help me here?
Yes - you're right, it would not be a simple drop-in
solution. In the other scenario I suggested (reducing your
visibility) port knocking would have been perfect.
You could still use a modified port knocking system I think
- just using a URL hit to do the triggering instead of a
port knock sequence. That way the port knock config takes
care of removing the iptables line after x seconds.
See Michael Rash's pdf
http://www.usenix.org/publications/login/2006-02/pdfs/rash.pdf
His implementation is rock solid, and easy to config. Also
anyone with some grep and script skills should be able to
hack the port-knock -> httpd-log-watcher part you need.
MrKiwi
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
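The "URL hit instead of a knock sequence" idea sketched in the thread, written out as an added example. This is not code from the thread, from the CentOS list, or from Michael Rash's project; it is a minimal POSIX sh watcher that follows the httpd access log, and when a client requests a secret path it inserts an iptables ACCEPT for that client's IP ahead of the blanket DROP and deletes it again after a timeout. The log path, the secret path /knock-7f3a9c1e, port 22, the 30 second timeout, the combined log format and the two sample log lines are all assumptions of this example, not anything the thread states.

```shell
#!/bin/sh
# Added example, not code from the thread or from Michael Rash's project:
# a "URL-hit knock" watcher. It follows the httpd access log, and when a
# client requests KNOCK_PATH it opens OPEN_PORT for that client IP with
# iptables and removes the rule OPEN_SECS later. Every value below is an
# assumption of this example.

LOG=${LOG:-/var/log/httpd/access_log}      # assumed combined-format access log
KNOCK_PATH=${KNOCK_PATH:-/knock-7f3a9c1e}   # hypothetical secret URL; pick your own
OPEN_PORT=${OPEN_PORT:-22}                  # port hidden behind the blanket DROP
OPEN_SECS=${OPEN_SECS:-30}                  # how long the hole stays open
IPTABLES=${IPTABLES:-iptables}              # set IPTABLES=echo for a dry run

# Reject anything that is not a dotted-quad IPv4 address before it is
# spliced into an iptables command line.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i + 0 > 255) exit 1 }'
}

# Print the client IP of one combined-format log line if it is a GET for
# KNOCK_PATH (any status: the path need not exist, a 404 is fine);
# print nothing and return non-zero otherwise.
knock_source() {
    ip=$(printf '%s\n' "$1" | awk -v path="$KNOCK_PATH" \
        '$6 == "\"GET" && $7 == path { print $1; exit }')
    [ -n "$ip" ] && valid_ipv4 "$ip" && printf '%s\n' "$ip"
}

# The rule that is inserted and later deleted, kept in one place so that
# the -I and the -D use an identical match.
rule_spec() {
    printf 'INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$1" "$OPEN_PORT"
}

# Insert the ACCEPT at the top of INPUT (ahead of the DROP) and schedule
# its removal in a background subshell.
open_for() {
    spec=$(rule_spec "$1")
    $IPTABLES -I $spec
    ( sleep "$OPEN_SECS"; $IPTABLES -D $spec ) &
}

# Constructed sample lines for a dry run; not real traffic.
SAMPLE_HIT='192.0.2.10 - - [16/Mar/2007:10:15:02 +1300] "GET /knock-7f3a9c1e HTTP/1.1" 404 209 "-" "curl/7.15.5"'
SAMPLE_MISS='198.51.100.7 - - [16/Mar/2007:10:15:09 +1300] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"'

# Run with --watch to follow the live log; without it only the definitions
# are loaded, e.g. for a dry run: IPTABLES=echo sh knock.sh; open_for 192.0.2.10
if [ "${1:-}" = "--watch" ]; then
    tail -n 0 -F "$LOG" | while IFS= read -r line; do
        ip=$(knock_source "$line") || continue
        open_for "$ip"
    done
fi
```

Two caveats a practitioner should keep in mind with this variant. The secret path crosses the wire in cleartext over port 80 unless the site is HTTPS, so anyone who can sniff the path between the client and the server can replay it just as they could replay a plain knock sequence; and the client IP is taken from the first log field, which is the proxy's address if httpd sits behind a reverse proxy, in which case the rule would open the port to the proxy rather than to the user.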