Port Knocking / Cisco / Debian Linux

TiziteLayinLow

Senior member
Aug 18, 2003
I have a Cisco router now for my network. I have several public services (HTTP/SMTP/POP3), and I am also running SSH/VPN-PPTP.

I would like to hide SSH and VPN behind a port knocking daemon. The method I was thinking about was to put the Debian box at the edge of my network. However, I would like my Cisco to still handle DHCP/NAT, and only add the Debian box for port knocking.

Can I put the Debian box at the end, get the WAN interface via DHCP, and have the LAN interface send down to the Cisco, say by setting a static IP on my internal network?

If there is an easier method, I'm open; if not, any ideas on whether this will work or not would be greatly appreciated.

I would also like the ability to install scripts on this machine to use remotely (fping and whatnot), as well as a packet sniffer, maybe dsniff to capture any clear-text passwords on the network.

-TiziteLayinLow
 

n0cmonkey

Elite Member
Jun 10, 2001
Use OpenSSH. It has adequate authentication, so you won't need crap like port knocking. :p

If this is DSL or cable or something like that, the Debian box can definitely be first and provide NAT or similar functions for the network. snort, tcpdump, fping, etc. should all work from there just fine.
 

TiziteLayinLow

Senior member
Aug 18, 2003
Well, I'm using the SSH daemon in my Cisco router; I realize that it uses RSA encryption. However, this is partly because there's someone in my logs who has been attempting to brute-force my SSH, and with Cisco IOS exploits out, I thought this would add another layer of security.

I was not able to find any way to accomplish port knocking on Cisco routers.

I like using the Cisco CLI because I'm used to it; that's why I wanted to still have the Cisco doing NAT and everything. But as I learn more and more about Linux and what it can provide as a router, I might switch over to that. I just hate to waste this Cisco router, which wasn't exactly cheap even for the SOHO model.

Thanks for your input,
TiziteLayinLow
 

nweaver

Diamond Member
Jan 21, 2001
Change your SSH port. There are some scripts floating around; I had a few thousand attempts on my RH9-based iptables firewall box. I changed to 22XX and have had 0 attempts in 9 months or so.

Also make sure you follow good security practices regarding passwords (length, complexity, etc.) and change it every few months. It's a pain, but it is good to do.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: TiziteLayinLow
Well, I'm using the SSH daemon in my Cisco router; I realize that it uses RSA encryption. However, this is partly because there's someone in my logs who has been attempting to brute-force my SSH, and with Cisco IOS exploits out, I thought this would add another layer of security.

I was not able to find any way to accomplish port knocking on Cisco routers.

I like using the Cisco CLI because I'm used to it; that's why I wanted to still have the Cisco doing NAT and everything. But as I learn more and more about Linux and what it can provide as a router, I might switch over to that. I just hate to waste this Cisco router, which wasn't exactly cheap even for the SOHO model.

Thanks for your input,
TiziteLayinLow

Forget passwords, use keys. Chances are keys won't be brute-forced anytime soon (barring catastrophic failure or quantum computing reaching the home), so it won't be a big deal. If you have to be leet, change the port.

Port knocking isn't really much security at all, just an annoyance. :p
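An added example, not from any poster in this thread: a small Python check for the two things discussed above, brute-force attempts showing up in the sshd log and whether successful logins still use passwords rather than keys. The log lines, host name, users and addresses are constructed for the example (documentation address ranges), and the threshold of 5 failures is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of OpenSSH auth.log lines (not from the thread);
# the host, users and addresses are made up for the example.
SAMPLE_LOG = """\
Aug 18 03:14:01 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Aug 18 03:14:03 gw sshd[4023]: Failed password for invalid user test from 203.0.113.7 port 51010 ssh2
Aug 18 03:14:05 gw sshd[4025]: Failed password for root from 203.0.113.7 port 51017 ssh2
Aug 18 03:14:06 gw sshd[4027]: Failed password for root from 203.0.113.7 port 51020 ssh2
Aug 18 03:14:08 gw sshd[4029]: Failed password for root from 203.0.113.7 port 51031 ssh2
Aug 18 09:02:11 gw sshd[4102]: Accepted publickey for tiz from 192.0.2.10 port 40022 ssh2
Aug 18 09:40:52 gw sshd[4140]: Failed password for tiz from 192.0.2.10 port 40100 ssh2
Aug 18 09:41:00 gw sshd[4141]: Accepted password for tiz from 192.0.2.10 port 40101 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (publickey|password) for (\S+) from (\S+) port \d+")

def analyse_auth_log(text, threshold=5):
    """Summarise sshd login activity: failed password attempts per source,
    sources at or above `threshold` failures (brute-force candidates), and
    successful logins grouped by authentication method."""
    failed = Counter()
    accepted = defaultdict(list)
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            accepted[method].append((user, src))
    return {
        "failed_by_source": dict(failed),
        "brute_force_sources": sorted(ip for ip, n in failed.items() if n >= threshold),
        "accepted": dict(accepted),
        # Any accepted password login means the daemon still allows passwords.
        "password_logins_seen": bool(accepted.get("password")),
    }

if __name__ == "__main__":
    report = analyse_auth_log(SAMPLE_LOG)
    for ip, n in sorted(report["failed_by_source"].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {n} failed password attempts")
    print("brute-force candidates:", report["brute_force_sources"])
    print("password logins still accepted:", report["password_logins_seen"])
```

Run against a real `/var/log/auth.log`, a non-empty `password_logins_seen` is the cue that `PasswordAuthentication no` has not yet been set, regardless of which port sshd listens on.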