Friday, July 1, 2016

Forcing SaltStack to "knock harder"

I really like the "knocking harder" technique I developed.  I haven't seen it mentioned in any other places, and it effectively gives the protected service a smart layer of obscurity with minimal effort and complexity.

I also like SaltStack as a remote configuration and management tool.  It connects over two ports, and I was looking for a way to use my technique on this service.  Salt uses ports 4505 and 4506, where 4506 is first to connect and has several short-lived connections as well as a long-lasting session, and 4505 has a single long-lasting session.

I wanted to protect the first connection by requiring multiple SYN packets (a loud knock), but then allow connections to both ports with no delay as long as there's continuous traffic and sessions between them.  To that end, I've come up with the following patch to ufw's after.rules file.