
Re: Author is dead-on

Posted by: Anonymous Coward on August 11, 2004 12:42 PM
Cool, then have the firewall pull all the information it can about the IP that the hacker is attacking from (who owns it via reverse DNS, admin contact info via whois, etc.) and e-mail the info to the admin -- while the attacker is still trying to get into the honeypot.

Better yet, have it ssh it over to another server on another network, and have that server send the e-mail, so that if the hacker is actually watching the packets, what goes by telling on him will be encrypted and not plain text.

One objection was that the thing could be replayed. Why not encode a timestamp into the knock? Heck, why not use UDP packets as the author suggested, and load those packets with hashed data that includes timestamps and other information that must match the server's time (a skewed clock on your client machine just might keep you out)? The packet still gets rejected, but the contents are read and logged, and if the contents aren't correct (e.g. wrong user or wrong timestamp) then this thing just doesn't open up.
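The server-side check the comment sketches, as an added example that is not part of the original comment or the article it replies to: a knock payload carrying a timestamp and username, authenticated with an HMAC over a pre-shared secret, rejected on a bad tag, unknown user, clock skew beyond a window, or reuse of an already-accepted knock. The packet layout, the secret, the 30-second window and the use of HMAC-SHA256 are assumptions made for this example.

```python
import hmac
import hashlib
import struct

# Constructed layout (assumption): 8-byte big-endian UNIX time,
# 16-byte NUL-padded username, 32-byte HMAC-SHA256 tag = 56 bytes.
SECRET = b"example-pre-shared-secret"   # assumption: shared by client and server
MAX_SKEW = 30                            # seconds of client/server clock drift tolerated

def build_knock(user: str, ts: int, secret: bytes = SECRET) -> bytes:
    """Client side: build one knock datagram for `user` at time `ts`."""
    body = struct.pack(">Q", ts) + user.encode().ljust(16, b"\0")[:16]
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return body + tag

class KnockVerifier:
    """Server side: the knock is logged and dropped either way; `verify`
    only decides whether the firewall should open."""

    def __init__(self, users, secret: bytes = SECRET, max_skew: int = MAX_SKEW):
        self.users = set(users)
        self.secret = secret
        self.max_skew = max_skew
        self.seen = set()   # (user, ts) pairs already accepted -> replay rejected

    def verify(self, pkt: bytes, now: int) -> str:
        if len(pkt) != 56:
            return "reject: bad length"
        body, tag = pkt[:24], pkt[24:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        # Constant-time compare so a watcher can't time-guess the tag.
        if not hmac.compare_digest(expected, tag):
            return "reject: bad tag"
        ts = struct.unpack(">Q", body[:8])[0]
        user = body[8:].rstrip(b"\0").decode(errors="replace")
        if user not in self.users:
            return "reject: unknown user"
        if abs(now - ts) > self.max_skew:
            return "reject: clock skew"
        # Forget accepted knocks that have aged out of the window; anything
        # that old is rejected by the skew check anyway, so the set stays small.
        self.seen = {s for s in self.seen if abs(now - s[1]) <= self.max_skew}
        if (user, ts) in self.seen:
            return "reject: replay"
        self.seen.add((user, ts))
        return "open"
```

A captured knock replayed inside the window is refused because the (user, timestamp) pair was already accepted; replayed after the window it fails the skew check instead.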


Return to A critique of port knocking