On Tue, 06 May 2003 13:07:24 -0500 Mark Edgington <[EMAIL PROTECTED]> wrote:
> > it doesn't matter if others are connecting to port 80, etc. while he is
> > doing these connections, as long as no-one else is trying to connect to
> > any of the ports in the trigger-sequence list -- this is the only thing
> > which will invalidate the sequence-recognition

Hi,

It seems you don't mention that the connection attempts can be memorized associated to the originating IP, and then the wanted port made available only for this IP.

It looks a bit complex to me, only useful for a private use of a port which is not publicly available, which means only for ssh, as other protocols can pass through a ssh tunnel. This authentication system won't be vulnerable to ssh exploits, but you're basically using port numbers as characters of an unencrypted password.

A simplification of your idea with no loss of features, without using ssh, may be to have incoming packets on a unique port appear as dropped from the outside and still processed (how??) by a daemon waiting for a password in the packet body. Passwords can be OTP.

(A bit dirty) Is it possible to use snort with a special rule to detect such traffic, eventually with another process reading snort log files?

Alain
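As an added example (not code from this thread), here is the per-source-IP knock recogniser the reply suggests, run over constructed firewall log lines: state is kept per originating IP, so another host hitting a trigger port no longer invalidates a legitimate sequence, and a stale or out-of-order attempt only resets that one source. The log format, the trigger ports and the time window are assumptions made for this illustration.

```python
# Added example, not from the thread; log format, trigger ports and window are assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

KNOCK_SEQUENCE = (7000, 8000, 9000)   # trigger ports (assumed)
KNOCK_WINDOW = timedelta(seconds=10)  # whole sequence must arrive within this window (assumed)
LOG_RE = re.compile(r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dport=(?P<dport>\d+)$")  # constructed format

SAMPLE_LOG = [  # constructed sample input
    "2003-05-06T13:07:24 DROP src=10.0.0.5 dport=7000",
    "2003-05-06T13:07:25 DROP src=192.0.2.9 dport=8000",  # other host on a trigger port: must not break 10.0.0.5
    "2003-05-06T13:07:25 DROP src=10.0.0.5 dport=80",     # non-trigger port: ignored
    "2003-05-06T13:07:26 DROP src=10.0.0.5 dport=8000",
    "2003-05-06T13:07:27 DROP src=10.0.0.5 dport=9000",   # sequence complete for 10.0.0.5
    "2003-05-06T13:07:30 DROP src=192.0.2.9 dport=7000",
    "2003-05-06T13:07:31 DROP src=192.0.2.9 dport=9000",  # out of order: only 192.0.2.9's attempt is invalidated
    "2003-05-06T13:07:32 DROP src=192.0.2.9 dport=8000",
    "2003-05-06T13:08:00 DROP src=10.0.0.5 dport=7000",
    "2003-05-06T13:08:20 DROP src=10.0.0.5 dport=8000",   # 20 s after the first knock: window expired
    "2003-05-06T13:08:21 DROP src=10.0.0.5 dport=9000",
]

def recognise_knocks(log_lines):
    """Return [(src_ip, completion_time)] for every source that sent the full
    sequence, in order, within KNOCK_WINDOW. State is kept per source IP, so
    other hosts hitting trigger ports cannot invalidate a legitimate sequence."""
    state = defaultdict(lambda: (0, None))  # src -> (next expected index, time of first knock)
    completed = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, src, port = datetime.fromisoformat(m["ts"]), m["src"], int(m["dport"])
        if port not in KNOCK_SEQUENCE:
            continue  # traffic to other ports never affects the state machine
        idx, started = state[src]
        if started is not None and ts - started > KNOCK_WINDOW:
            idx, started = 0, None  # stale partial sequence: start over
        if port == KNOCK_SEQUENCE[idx]:
            idx, started = idx + 1, started or ts
            if idx == len(KNOCK_SEQUENCE):
                completed.append((src, ts))  # here the protected port would be opened for src only
                idx, started = 0, None
        else:
            # wrong trigger port from this source: invalidate its attempt (a first knock may start a new one)
            idx, started = (1, ts) if port == KNOCK_SEQUENCE[0] else (0, None)
        state[src] = (idx, started)
    return completed
```

Run against SAMPLE_LOG it reports a single completion, for 10.0.0.5 at 13:07:27; the second run by the same host is rejected because the window expired between its first and second knock.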