
Ingress Restrictions to Middle from Edges on Port 2222 #70

Open
willk opened this issue Jan 5, 2024 · 2 comments · May be fixed by #113
willk commented Jan 5, 2024

Censys was able to tie together all edges and proxy01 with public key fingerprints.

Possible solution elements include:

  • Only allow incoming 2222 connections to proxy01 from middle (partial mitigation)
  • port knocking or other 2nd factor port hiding
tophertimzen commented May 8, 2024

While only allowing 2222 from an edge -> middle and 2222 from middle -> proxy01 prevents correlation of the fingerprint to internal infra, the same key fingerprint is still present across all edges that share the same proxy sshd key fingerprint.

We need to figure out a way in which every edge has a different sshd host key fingerprint from proxy01. This may require each edge pointing to a different sshd server and a unique port.

Port knocking may be a solution to this... but nc and other equivalent tools to port knock alert.

willk commented May 10, 2024

The backflip role should be changed. The user should be able to specify how many backflips they would like by either port number or with a count of how many they would like (not necessarily both). For each port/count a new host keypair should be generated along with a unique sshd_config that listens on one of those ports.

E.g. I want to have 3 edges, each listening on one of the following ports: 1433, 3306, or 8080. I would specify that in my variables for the role. Ansible then would generate new host keypairs like ssh_host_ed25519_key_1433, ssh_host_ed25519_key_1433.pub, ssh_host_rsa_key_1433, ssh_host_rsa_key_1433.pub, and an sshd_config file called sshd_1433. It would do that for each of the ports. Next, for each of the ports a different systemd unit file would be created, installed and run that uses the unique sshd_config.

Another option could be to use docker compose with something like https://github.com/linuxserver/docker-openssh-server. You then could specify how many ports you would like, either by number of ports or by specifying port numbers, and docker compose could handle forwarding your ports into the docker container on port 22.
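Whichever of the two approaches is used, the check worth running afterwards is that no two listeners still present the same host key. The script below is an added example and not part of this issue or the project's code: it computes OpenSSH-style SHA256 fingerprints from public-key lines (as found in `*.pub` files or `ssh-keyscan -p PORT host` output) and reports any fingerprint shared by more than one host:port. The listener names and key bytes are constructed samples, not real keys.

```python
from __future__ import annotations
import base64
import hashlib
from collections import defaultdict

def parse_pubkey_blob(line: str) -> bytes:
    """Return the raw key blob from an OpenSSH public-key line.

    Accepts '<type> <base64> [comment]' (*.pub files) and ssh-keyscan output
    ('<host> <type> <base64>'): the type field is located by checking that the
    decoded blob starts with the same algorithm name, length-prefixed.
    """
    parts = line.split()
    for i in range(len(parts) - 1):
        try:
            blob = base64.b64decode(parts[i + 1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        name_len = int.from_bytes(blob[:4], "big")
        if len(blob) >= 4 + name_len and blob[4:4 + name_len] == parts[i].encode():
            return blob
    raise ValueError(f"not an OpenSSH public key line: {line!r}")

def fingerprint_sha256(line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the blob."""
    digest = hashlib.sha256(parse_pubkey_blob(line)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def find_shared_fingerprints(listeners: dict[str, str]) -> dict[str, list[str]]:
    """Group listeners (host:port) by host-key fingerprint; keep groups of two or more."""
    by_fp: dict[str, list[str]] = defaultdict(list)
    for listener, key_line in listeners.items():
        by_fp[fingerprint_sha256(key_line)].append(listener)
    return {fp: sorted(ls) for fp, ls in by_fp.items() if len(ls) > 1}

# Constructed sample keys (not real infrastructure keys): an ed25519 blob is
# string("ssh-ed25519") || string(32-byte point); the 32 bytes here are arbitrary.
def _sample_ed25519_line(seed: int, host: str | None = None) -> str:
    point = hashlib.sha256(b"sample-%d" % seed).digest()
    blob = b"\x00\x00\x00\x0bssh-ed25519" + b"\x00\x00\x00\x20" + point
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return f"{host} {line}" if host else line

SAMPLE_LISTENERS = {
    "edge01:2222": _sample_ed25519_line(1, "edge01"),    # ssh-keyscan style line
    "edge02:2222": _sample_ed25519_line(1),              # same key as edge01
    "edge03:8080": _sample_ed25519_line(2),              # unique key
    "proxy01:2222": _sample_ed25519_line(1, "proxy01"),  # same key again
}

if __name__ == "__main__":
    for fp, ls in find_shared_fingerprints(SAMPLE_LISTENERS).items():
        print(f"{fp} is shared by: {', '.join(ls)}")
```

A hit in the output means those listeners are still correlatable by host key and should be regenerated with a distinct keypair.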

@devzspy devzspy added the opsec label Aug 14, 2024
@devzspy devzspy moved this to Backlog in Feature Release Aug 14, 2024
@devzspy devzspy self-assigned this Aug 14, 2024
@devzspy devzspy linked a pull request Aug 14, 2024 that will close this issue
@devzspy devzspy moved this from Backlog to In review in Feature Release Aug 14, 2024
@devzspy devzspy changed the title Backflip correlation via ssh public key Ingress Restrictions to Middle from Edges on Port 2222 Aug 14, 2024
@devzspy devzspy moved this from In review to In progress in Feature Release Aug 23, 2024