Hi list,

Here's a proof of concept of DNS based port knocking. The firewall opens up the SSHd port for 10 seconds after the nameserver answers a predefined DNS query. It uses pattern db and netfilter only.

http://vimeo.com/endreszabo/dns-portknocking

Endre
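The mechanism described above, as an added illustration that is not Endre's patterndb or scripts (those are not in the thread): constructed BIND-style query-log lines are matched against an assumed knock name, the querying client's address gets a 10-second window, and the netfilter commands are rendered as strings rather than executed. The knock name, the log-line format and the `simulate` driver are all assumptions made for this example.

```python
import re
from dataclasses import dataclass, field
KNOCK_NAME = "open-sesame.example.net"  # assumed; the thread does not name the knock query
OPEN_SECONDS = 10                       # the 10-second window from the original post
SSH_PORT = 22
# Matches BIND-style query-log lines such as (constructed sample):
#   client 192.0.2.10#53214: query: open-sesame.example.net IN A + (192.0.2.1)
QUERY_RE = re.compile(r"client (?P<ip>[0-9a-fA-F.:]+)#\d+.*?: query: (?P<name>\S+) IN (?P<type>\S+)")

@dataclass
class KnockTable:
    """Remembers which client IPs knocked and until when their SSH window stays open."""
    open_until: dict = field(default_factory=dict)

    def observe(self, line, now):
        """Feed one query-log line; return the client IP if the line is a valid knock."""
        m = QUERY_RE.search(line)
        if not m or m.group("name").rstrip(".").lower() != KNOCK_NAME.lower():
            return None
        ip = m.group("ip")
        self.open_until[ip] = now + OPEN_SECONDS  # a repeat knock extends the window
        return ip

    def allowed(self, ip, now):
        """True while the knock window for ip is still open."""
        return self.open_until.get(ip, 0) > now

    def expire(self, now):
        """Forget expired entries and return the IPs whose window just closed."""
        gone = [ip for ip, until in self.open_until.items() if until <= now]
        for ip in gone:
            del self.open_until[ip]
        return gone

def iptables_cmd(ip, action):
    """Render the netfilter command a wrapper script would run; nothing is executed here."""
    return f"iptables -{action} INPUT -s {ip} -p tcp --dport {SSH_PORT} -j ACCEPT"

def simulate(events):
    """events: (timestamp, log line) pairs in time order; returns the firewall commands."""
    table, active, cmds = KnockTable(), set(), []
    for now, line in events:
        for ip in table.expire(now):            # close windows that ran out before this line
            active.discard(ip)
            cmds.append(iptables_cmd(ip, "D"))
        ip = table.observe(line, now)
        if ip and ip not in active:              # open the port once per window
            active.add(ip)
            cmds.append(iptables_cmd(ip, "I"))
    return cmds
```

In a real deployment the patterndb match would do the line matching inside syslog-ng and a program() destination would run the rendered commands; a second knock inside the window only extends it, so no duplicate rule is inserted.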
Endre Szabo <syslog-ng@end.re> writes:

> Here's a proof of concept of DNS based port knocking. The firewall opens up the SSHd port for 10 seconds after the nameserver answers a predefined DNS query. It uses pattern db and netfilter only.

This is seriously wicked.

-- 
|8]
On 08/14/2012 10:58 PM, Gergely Nagy wrote:
> Endre Szabo <syslog-ng@end.re> writes:
>
>> Here's a proof of concept of DNS based port knocking. The firewall opens up the SSHd port for 10 seconds after the nameserver answers a predefined DNS query. It uses pattern db and netfilter only.
>>
>> http://vimeo.com/endreszabo/dns-portknocking
>
> This is seriously wicked.

Agreed. Would you care to write a bit more about it and/or share your patterndb/scripts?

thanks,
Peter
Wow, that's slick!

______________________________________________________________
Clayton Dukes
______________________________________________________________

On Wed, Aug 15, 2012 at 12:41 PM, Peter Gyongyosi <gyp@balabit.hu> wrote:
> On 08/14/2012 10:58 PM, Gergely Nagy wrote:
>> Endre Szabo <syslog-ng@end.re> writes:
>>
>>> Here's a proof of concept of DNS based port knocking. The firewall opens up the SSHd port for 10 seconds after the nameserver answers a predefined DNS query. It uses pattern db and netfilter only.
>>>
>>> http://vimeo.com/endreszabo/dns-portknocking
>>
>> This is seriously wicked.
>
> Agreed. Would you care to write a bit more about it and/or share your patterndb/scripts?
>
> thanks,
> Peter
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
It just came to my attention that syslog-ng-ctl shows statistics for ALL sources/destinations that have ever existed. This means that if I create a destination template that changes every second

    destination d_something {
        file("/var/log/syslog.log.$S_YEAR$S_MONTH$S_DAY-$S_HOUR$S_MIN$S_SEC");
    };

syslog-ng will track 86400 statistics every day. Over time this will consume memory and eventually require a restart.

Is it possible to create a --clear flag on the stats command that will dump the current stats and clear them? This would also drop the memory required to track sources/destinations that are no longer open.

Comments?

Evan.
Evan Rempel <erempel@uvic.ca> writes:

> It just came to my attention that syslog-ng-ctl shows statistics for ALL sources/destinations that have ever existed.

[...]

> Over time this will consume memory and eventually require a restart.
>
> Is it possible to create a --clear flag on the stats command that will dump the current stats and clear them? This would also drop the memory required to track sources/destinations that are no longer open.

Something along these lines was already proposed in BugZilla#186[1], and it is something we want to do, indeed. It should be possible to reset either all or only selected stats. Similarly, we could make it possible to completely remove said stat counter, not just reset it.

This is something I'd like to see in 3.4; it isn't too hard to do either, as far as I see, so there's hope!

[1]: https://bugzilla.balabit.com/show_bug.cgi?id=186

-- 
|8]