This is a discussion on Re: Running stealth servers within the IPFilter forums, part of the System Security and Security Related category.
David Kirkby wrote:
> A friend is looking to remotely administer a UNIX box from anywhere in
> the world. Webmin attracts him, but I'm not over keen on the idea of
> having a program like that which runs as root open to the whole world.
> It must be quite attractive to hackers if they find webmin running.
>
> After thinking about it, I had this idea: how about making a stealth
> firewall with ipfilter that ignores all attempts to connect. The
> firewall logs denied packets to a log file. The log file is parsed by
> a program which will open the port used by webmin (say 54321) if and
> only if:
>
> a) Someone tries to connect to port 1000
> b) From the same IP next tries to connect to port 13233
> c) From the same IP next tries to connect to port 3244
>
> (or any other random combination of ports). Then and only then the
> firewall is opened to the port with webmin running (54321).
>
> So in order to access webmin, you would from your browser try:
>
> http://www.somsite.com:1000 // ignored
> http://www.somsite.com:13233 // ignored
> http://www.somsite.com:3244 // now causes port 54321 to be opened
>
> (telnet, https or similar at those ports would all work too).
>
> and finally, having detected the access to ports 1000, 13233, 3244 (in
> that order), with the firewall now opening port 54321, one would
> administer the site with:
>
> https://www.somsite.com:54321
>
> The probability of a hacker randomly scanning ports 1000, 13233, 3244
> (in that order), then trying to connect to port 54321 must be very
> small indeed.
>
> Thoughts?

Have you considered "port knocking", which is similar to what you're describing.
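The log-parsing program sketched in the quoted post, written out as an added example (this is not code from the thread or from the IPFilter project). It tracks, per source IP, how far a host has got through the knock sequence 1000, 13233, 3244, resets on any out-of-order port or on a gap longer than a window, and, once the sequence completes, produces an ipfilter pass rule for port 54321 restricted to the knocking host. Two details the post does not mention but that bite in practice are handled: a browser or telnet client retransmits its SYN several times when it gets no answer, so a repeat of the port just knocked must not count as a wrong knock, and a port sweeper that hits the ports out of order should keep resetting. The log lines are constructed for the example in a loose imitation of ipmon's block-line layout; the exact ipmon format, the `le0` interface name, the 30-second window and the IP addresses are assumptions, and loading the rule (for instance with `ipf -f` from a file the daemon writes) is left to the caller.

```python
import re

# Knock sequence from the post: blocked connection attempts to these ports, in this order.
KNOCK_SEQUENCE = (1000, 13233, 3244)
# Port the firewall should open once the sequence completes (webmin in the post).
SERVICE_PORT = 54321
# Maximum seconds between consecutive knocks (assumption: the post sets no limit).
KNOCK_WINDOW = 30.0

# Assumed ipmon-style block line, e.g.
#   04/12/2003 10:23:45.100000 le0 @0:3 b 203.0.113.7,40001 -> 198.51.100.2,1000 PR tcp len 20 60 -S IN
# Only the fields used here are matched; real ipmon output may differ in detail.
LOG_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d)\.(?P<usec>\d+) \S+ @\S+ b '
    r'(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) PR tcp'
)


def parse_block_line(line):
    """Return (seconds_since_midnight, src_ip, dst_port) for a blocked TCP line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    h, mi, s = (int(x) for x in m.group('time').split(':'))
    ts = h * 3600 + mi * 60 + s + int(m.group('usec')) / 1e6
    return ts, m.group('src'), int(m.group('dport'))


class KnockTracker:
    """Per-source-IP state machine over the knock sequence."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=KNOCK_WINDOW):
        self.sequence = tuple(sequence)
        self.window = window
        self.progress = {}  # src_ip -> (index of next expected knock, time of last knock)

    def feed(self, ts, src, dport):
        """Advance src's state with one blocked packet; True when the sequence just completed."""
        idx, last = self.progress.get(src, (0, None))
        if last is not None and ts - last > self.window:
            idx = 0  # too slow between knocks: start over
        if dport == self.sequence[idx]:
            idx += 1  # the expected next knock
        elif idx > 0 and dport == self.sequence[idx - 1]:
            pass  # SYN retransmit of the knock we already counted; ignore it
        elif dport == self.sequence[0]:
            idx = 1  # wrong port, but it is the first knock, so restart from it
        else:
            idx = 0  # any other port resets (a port sweeper keeps resetting itself)
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        self.progress[src] = (idx, ts)
        return False


def ipf_pass_rule(src, port=SERVICE_PORT, iface='le0'):
    """ipfilter rule text opening the service port to the knocking host only."""
    return (f"pass in quick on {iface} proto tcp from {src} "
            f"to any port = {port} flags S keep state")


def process_log(lines, tracker=None):
    """Run the tracker over log lines; return the pass rules that should be loaded."""
    tracker = tracker or KnockTracker()
    rules = []
    for line in lines:
        parsed = parse_block_line(line)
        if parsed is None:
            continue  # not a blocked TCP line (pass lines, UDP, ipmon chatter)
        ts, src, dport = parsed
        if tracker.feed(ts, src, dport):
            rules.append(ipf_pass_rule(src))
    return rules


# Constructed sample log: one host knocks correctly (with a SYN retransmit on the
# first knock), another host hits two of the ports out of order, and a UDP line is noise.
SAMPLE_LOG = [
    "04/12/2003 10:23:45.100000 le0 @0:3 b 203.0.113.7,40001 -> 198.51.100.2,1000 PR tcp len 20 60 -S IN",
    "04/12/2003 10:23:45.300000 le0 @0:3 b 203.0.113.7,40001 -> 198.51.100.2,1000 PR tcp len 20 60 -S IN",
    "04/12/2003 10:23:46.000000 le0 @0:3 b 192.0.2.9,51000 -> 198.51.100.2,13233 PR tcp len 20 60 -S IN",
    "04/12/2003 10:23:46.500000 le0 @0:3 b 192.0.2.9,51001 -> 198.51.100.2,53 PR udp len 20 48 IN",
    "04/12/2003 10:23:47.000000 le0 @0:3 b 203.0.113.7,40002 -> 198.51.100.2,13233 PR tcp len 20 60 -S IN",
    "04/12/2003 10:23:48.000000 le0 @0:3 b 203.0.113.7,40003 -> 198.51.100.2,3244 PR tcp len 20 60 -S IN",
    "04/12/2003 10:23:49.000000 le0 @0:3 b 192.0.2.9,51002 -> 198.51.100.2,3244 PR tcp len 20 60 -S IN",
]

if __name__ == "__main__":
    for rule in process_log(SAMPLE_LOG):
        print(rule)
```

Restricting the generated rule to the knocking source address, rather than opening 54321 to the world, keeps the window small; the daemon should also remove the rule again after a short time or once the webmin session ends. Note that the knocks travel as plain SYNs, so anyone who can sniff the path sees the sequence and can replay it; this scheme hides the service from scanners but is not authentication, and webmin's own login and TLS still do that job.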