Ingress Restrictions to Middle from Edges on Port 2222 #70
Comments
While only allowing 2222 from an edge -> middle and 2222 from middle -> proxy01 prevents correlation of the fingerprint to internal infra, the same key fingerprint is still present across all edges that share the same proxy sshd key fingerprint. We need to figure out a way in which every edge has a different sshd host key fingerprint from proxy01. This may require each edge pointing to a different sshd server, and unique port. Port knocking may be a solution to this... but
The backflip role should be changed. The user should be able to specify how many backflips they would like by either port number or with a count of how many they would like (not necessarily both). For each port/count a new host keypair should be generated along with a unique sshd_config that listens on one of those ports. E.g. I want to have 3 edges, each listening on one of the following ports 1433, 3306, or 8080. I would specify that in my variables for the role. Ansible then would generate new host keypairs like Another option could be to use docker compose with something like https://github.com/linuxserver/docker-openssh-server. You then could specify how many ports you would like either by number of port or specify port numbers and docker compose could handle forwarding your ports into the docker container on port 22.
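The thread's point is that a scanner such as Censys can cluster hosts purely on the SHA256 fingerprint of the sshd host key, so the fix (one keypair per edge) is only verified once you run the same pivot against your own fleet. Below is an added example, not code from this issue or from the backflip role, that performs that audit: it takes `ssh-keyscan`-style lines (`host keytype base64blob`), computes the OpenSSH-style fingerprint exactly as `ssh-keygen -l` does (SHA256 of the raw key blob, base64 without padding), and reports any fingerprint that appears on more than one host. The hostnames and the key bytes are constructed placeholders; the ed25519 blobs are built in wire format from made-up 32-byte values so the script runs offline.

```python
import base64
import hashlib
from collections import defaultdict


def _ssh_string(b: bytes) -> bytes:
    """OpenSSH wire encoding of a string: 4-byte big-endian length prefix."""
    return len(b).to_bytes(4, "big") + b


def _ed25519_blob(pub: bytes) -> bytes:
    """Build an ssh-ed25519 public key blob (key type string + 32 key bytes)."""
    assert len(pub) == 32, "ed25519 public keys are 32 bytes"
    return _ssh_string(b"ssh-ed25519") + _ssh_string(pub)


# Constructed placeholder keys, NOT real host keys: two edges and proxy01 share
# one key (the problem described in the issue), a third edge has its own.
SHARED_KEY = _ed25519_blob(b"\x11" * 32)
UNIQUE_KEY = _ed25519_blob(b"\x22" * 32)


def _scan_line(host: str, blob: bytes) -> str:
    """Format one line the way `ssh-keyscan` prints it."""
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"


# Constructed sample input in ssh-keyscan output format; hostnames are made up.
# Non-default ports show up from ssh-keyscan as "[host]:port" and are kept as-is.
SAMPLE_SCAN = "\n".join([
    "# edge01.example:2222 SSH-2.0-OpenSSH_9.6",
    _scan_line("[edge01.example]:2222", SHARED_KEY),
    _scan_line("[edge02.example]:2222", SHARED_KEY),
    _scan_line("proxy01.internal", SHARED_KEY),
    _scan_line("[edge03.example]:2222", UNIQUE_KEY),
])


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(sha256(blob)) with '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> dict:
    """Map each scanned host to its host key fingerprint.

    Comment lines (ssh-keyscan banners) and blank or malformed lines are skipped.
    """
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, _keytype, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue  # not a key blob; ignore rather than abort the audit
        result[host] = fingerprint(blob)
    return result


def shared_fingerprints(host_fps: dict) -> dict:
    """Return {fingerprint: sorted hosts} for every fingerprint seen on more than one host.

    An empty result means every host presents a distinct sshd host key, which is
    the property the issue asks for.
    """
    by_fp = defaultdict(list)
    for host, fp in host_fps.items():
        by_fp[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    fps = parse_keyscan(SAMPLE_SCAN)
    for host, fp in fps.items():
        print(f"{host:28} {fp}")
    for fp, hosts in shared_fingerprints(fps).items():
        print(f"REUSED {fp} on {', '.join(hosts)}")
```

In practice the input would come from `ssh-keyscan -p 2222 <edge hosts>` plus a scan of proxy01 run from inside; any fingerprint listed by `shared_fingerprints` is one a third-party scanner could use to link those hosts, so the role's per-edge key generation is only done when that output is empty.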
Censys was able to tie together all edges and proxy01 with public key fingerprints.
Possible solution elements include: