Hacker News new | ask | show | jobs
by gen220 2102 days ago
This made me think of a fun toy-idea.

Let the server and client share a secret. Use that secret to encrypt the UTC date (2020-09-21), and sample some decimals from the first few bits (adding 100 or so, to avoid low-ports).

You could use that mechanism to rotate ports every 24 hours. This way, the bots wouldn't be able to learn the ssh port for more than 24 hours, without the shared secret.

Sounds like fun, or an easy way to lock yourself out of a box by mistake, depending on your perspective. :)
4 comments
codys 2102 days ago
Along similar lines, Port knocking (https://en.wikipedia.org/wiki/Port_knocking) is something out-of-band used to allow access to a host (bypassing a firewall).

I think I'd sooner implement port knocking rather than port-hopping

link
gen220 2102 days ago
Ooh, yep. This is definitely a better first line of defense than port-hopping.

Maybe you'd knock to get a number, and hash the number to get the real port.

Defense in depth! :)

link
dontchooseanick 2102 days ago
I came here looking forward to upvote anyone mentionning port knocking.

This is THE way to go !

link
CobaltFire 2102 days ago
You've reinvented HAVE QUICK[0]

[0]https://en.wikipedia.org/wiki/HAVE_QUICK

link
gen220 2102 days ago
What is old is new! Seriously, it's cool to see something like this built, especially in the analog (EM spectrum).

I imagine the people who had to use these things locked themselves out all the time. :)

link
CobaltFire 2102 days ago
We still use it, and we still have sync issues.

So yes, it's a FANTASTIC way to lock yourself out!

link
zimpenfish 2102 days ago
Or use a TOTP with a long period (10 minutes?) and use that value mod, say, 10k with a base of something like 9000. Easy to calculate the port in your head, impossible to guess without knowing the TOTP secret (I think) and can be extended with other fun* rules like "But subtract 10* the first digit" or "Add the first and second digits multiplied".
link
gen220 2102 days ago
Ah, this is a great twist! Thank you for this great contribution to the "locked myself out" idea bank.
link
zimpenfish 2102 days ago
That's a fair point - e.g. Authy is currently broken on iOS 14 which means I'd be locked out if I was doing this and using Authy (although I have a VPN to one server which can then get to my others.)
link
SahAssar 2102 days ago
Seems like a more effective way would be to use port knocking?
link