Due to a new ongoing need for me to be able to connect to my home lab away from home, I’ve set up an SSH server to connect back in through. As I didn’t want people to be trying to brute force the login credentials all day long, I set up Single Packet Authorization (SPA), which I came across a few years ago in the very interesting book by Michael Rash called Attack Detection and Response with iptables, psad, and fwsnort. The idea is that the SSH service remains hidden to the world, and is only exposed to the internet as required.
By installing a fwknop (FireWall KNock OPerator) daemon alongside the SSH server, I could send a specially crafted encrypted UDP packet to my home IP address to allow access to the SSH server from any IP address I specify for a limited period of time.
There is a client tool to complement the fwknopd daemon which does the job of creating the SPA packet for me, and this has the handy option of determining the client machine’s IP address on the internet, and automatically including this info in the SPA packet. By simply running the fwknop command on the client, the SSH server will be made available to my client machine (and of cource any other machine sharing the IP address at the time). This then gives me 30 seconds to initiate the SSH connection using an SSH client. I set it all up and it worked a treat over my giffgaff 3G connection – to begin with.
There was trouble – the IP address being authorised was often not the same IP address that the SSH connection was subsequently coming in from, resulting in SSH connection failure. Why was this? Well, I think the following screenshot offers some clue:
These sites were visited within seconds of each other. As you can see, they each have a different view of what my public IP address is, so which – if any – will match the one used by my SSH connection?
My conclusion is that I cannot use fwknop to auto-detect my IP address, but by configuring the fwknop daemon to allow the source IP address from the IP header of the SPA packet, I have been able to make this work reliably. Multiple connections from my laptop to my home IP address seem to reliably use the same public IP address.
This isn’t perfect, though, as IP headers are spoofable, so potentially there is a risk of someone capturing the SPA packet and rewriting it with a different source IP address. It is important, therefore, to remember to continue to follow standard security best practice for configuring the SSH server so that SPA is not the only protection in place eg using keys rather than passwords, and two-step verification.
Steve's Home Lab 