Minimize sshd log clutter/spam from unauthenticated connections

Jochen Bern Jochen.Bern at binect.de
Sun Jun 11 18:30:15 AEST 2023


On 10.06.23 11:19, Carsten Andrich wrote:
> For the time being, I've deployed a quasi-knocking KISS solution that 
> sends an unencrypted secret via a single UDP packet. Server side is 
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> realized entirely with nftables

... frankly, for that reason, I like fwknop (in my case, straight from 
OS repos) better ... I'd still have to see fwknopd exit unexpectedly, 
which is where a host-firewall-only mechanism on the server side would 
have an advantage ...

http://www.cipherdyne.org/fwknop/

> ~# cd /etc/fwknop

> fwknop# diff access.conf.orig access.conf | sed -e '/> .*KEY/s/\t.*/\t.../'
> 204,206c204,211
> < SOURCE              ANY
> < KEY_BASE64          __CHANGEME__
> < HMAC_KEY_BASE64     __CHANGEME__
> ---
>> SOURCE                        ANY
>> KEY_BASE64    ...
>> HMAC_KEY_BASE64       ...
>> REQUIRE_SOURCE_ADDRESS        Y
>> # fwknopd fiddles with iptables, we need to have nftables modified.
>> CMD_CYCLE_OPEN                /usr/local/sbin/fwknop2nftables $IP $PORT
>> CMD_CYCLE_CLOSE               NONE
>> CMD_CYCLE_TIMER               30s

> fwknop# diff fwknopd.conf.orig fwknopd.conf
> 40a41
>> PCAP_INTF     enp0s25

> fwknop# cat /usr/local/sbin/fwknop2nftables
> #!/bin/sh
> 
> # Syntax: $0 SRC_IP PORT
> 
> NFT="/usr/sbin/nft"
> SET="fwkn"
> # Note that we are ignoring everything from the accepted fwknop
> # requests except the src IP and tgt port to be allowed ...
> 
> PREP=`$NFT list chain inet firewalld filter_IN_public_allow | grep -c "@${SET}_$2"`
> 
> if [ $PREP -eq 0 ]; then
>         $NFT add set inet firewalld "${SET}_$2" '{ type ipv4_addr ; timeout 30s ; size 32 ; }'
>         $NFT add rule inet firewalld filter_IN_public_allow ip saddr "@${SET}_$2" tcp dport "$2" accept
> fi
> 
> $NFT add element inet firewalld "${SET}_$2" { $1 }

> ~$ tail -8 .fwknoprc | sed -e '/^[SKH]/s/\t.*/\t.../' -e '/^\[/s/[a-z][a-z]*/.../g'
> [...]
> ACCESS                  tcp/22
> SPA_SERVER      ...
> #ALLOW_IP               TBD
> KEY_BASE64      ...
> HMAC_KEY_BASE64 ...
> USE_HMAC                Y
> RESOLVE_IP_HTTPS        N

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
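As an added illustration (not the helper from the post above, and not part of fwknop or nftables), here is one way the CMD_CYCLE_OPEN glue could be hardened: the source address and port that fwknopd hands over as $IP and $PORT are validated before they are interpolated into nft syntax, and the set, the accept rule and the element are submitted as a single 'nft -f -' transaction rather than three separate nft invocations that can leave a half-built state if one fails. The table and chain names (inet firewalld, filter_IN_public_allow), the fwkn set prefix and the 30s element timeout are copied from the post; the file name, the /usr/sbin/nft path and the exact match used to detect an existing rule are assumptions. Like the original it only handles IPv4 sources.

```sh
#!/bin/sh
# fwknop2nftables.sh -- added illustration, not the helper from the post.
# A hypothetical CMD_CYCLE_OPEN helper: fwknopd runs it as
#     fwknop2nftables.sh $IP $PORT
# after accepting an SPA packet. Assumed names (taken from the post):
# table "inet firewalld", chain "filter_IN_public_allow", set prefix "fwkn",
# 30 s element timeout; nft at /usr/sbin/nft is an assumption.

NFT="${NFT:-/usr/sbin/nft}"
FAMILY="inet"
TABLE="firewalld"
CHAIN="filter_IN_public_allow"
SET_PREFIX="fwkn"
TIMEOUT="30s"

# Accept only a dotted-quad IPv4 address (four octets, each 0-255). The
# value is interpolated into an nft script, so anything else is refused
# outright; an IPv6 source is also rejected because the set is ipv4_addr.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _n=0
    _saved_ifs="$IFS"
    IFS=.
    for _octet in $1; do
        _n=$((_n + 1))
        if [ "$_octet" -gt 255 ]; then
            IFS="$_saved_ifs"
            return 1
        fi
    done
    IFS="$_saved_ifs"
    [ "$_n" -eq 4 ]
}

# TCP port 1-65535, digits only.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Strip leading zeros so "022" and "22" name the same set. Done with
# parameter expansion because $((...)) would read a leading 0 as octal.
normalise_port() {
    _lead=${1%%[!0]*}
    printf '%s\n' "${1#"$_lead"}"
}

# Emit the nft script for one SPA-authorised (source, port) pair. Applied
# via 'nft -f -' the statements form one atomic transaction. "add set" is
# idempotent; "add rule" is not, so the rule is emitted only when $3 is 1
# (the caller has already looked at the chain).
build_ruleset() {
    _ip="$1"
    _port="$2"
    _need_rule="$3"
    _set="${SET_PREFIX}_${_port}"
    printf 'add set %s %s %s { type ipv4_addr; flags timeout; timeout %s; size 32; }\n' \
        "$FAMILY" "$TABLE" "$_set" "$TIMEOUT"
    if [ "$_need_rule" -eq 1 ]; then
        printf 'add rule %s %s %s ip saddr @%s tcp dport %s accept\n' \
            "$FAMILY" "$TABLE" "$CHAIN" "$_set" "$_port"
    fi
    printf 'add element %s %s %s { %s }\n' "$FAMILY" "$TABLE" "$_set" "$_ip"
}

# True if the accept rule for this port already references the set
# (matching the full rule text avoids fwkn_22 matching fwkn_222).
rule_present() {
    "$NFT" list chain "$FAMILY" "$TABLE" "$CHAIN" 2>/dev/null |
        grep -q "ip saddr @${SET_PREFIX}_$1 tcp dport $1 accept"
}

main() {
    if [ "$#" -ne 2 ]; then
        echo "usage: $0 SRC_IP PORT" >&2
        return 2
    fi
    valid_ipv4 "$1" || { echo "refusing source address '$1'" >&2; return 1; }
    valid_port "$2" || { echo "refusing port '$2'" >&2; return 1; }
    _p=$(normalise_port "$2")
    if rule_present "$_p"; then _need=0; else _need=1; fi
    build_ruleset "$1" "$_p" "$_need" | "$NFT" -f -
}

# Only act when given arguments (fwknopd passes "$IP $PORT"); sourcing
# the file merely defines the functions without touching the ruleset.
[ "$#" -eq 0 ] || main "$@"
```

Point CMD_CYCLE_OPEN at it exactly as in the access.conf diff above (the script name followed by $IP $PORT). Run with no arguments it only defines the functions, which is what lets the validation and the generated nft script be checked without a live nftables ruleset.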