Jenna Magius is a user on octodon.social.
Jenna Magius @jennamagius

I'm SO mad about computers sending ICMP Unreachable messages about closed UDP ports.

DON'T JUST GIVE AWAY WHAT PORTS YOU ARE USING


StackOverflow posts like "How do I turn this off" with answers like "Stop wanting to turn it off" EAT 100% OF MY ENTIRE ASS

I just want to run a service that can't be tagged on Shodan without having CAP_NET_RAW T_T

Please

@jennamagius maybe add a firewall rule blocking outbound ICMP Unreachable?

@queerhackerwitch That's what the StackOverflow advice is, and that's pretty much the best answer. It doesn't really make it possible to run a hidden service without privileges though, 'cause you need privileges to make the firewall rule.

@queerhackerwitch The reason I want to operate without privileges is not because I can't get them; I'm developing some security-paranoid software, and rule 1 of security paranoia is "try not to have privileges. The more privileges you have, the worse it is when you get pwned."

@queerhackerwitch So I'm at the point of maybe having a suid knock helper program that runs in a different process.

@jennamagius In this case though it’s not the software that needs privileges, it’s the admin during setup

@queerhackerwitch That's true, but I'm disappointed to have written a program that can do 99.9% of its work with user privs, but isn't directly usable when you only have user privs.

@jennamagius That’s because those privileges have to keep the security of the rest of the system in mind. Those privileges aren’t normally available to users because they can be abused. This is why many services usually start as root and then drop their privileges after they’ve used them to set up what they need.

@queerhackerwitch I assure you I understand this, I'm not... new to computing. My argument is that "services should be visible to any unauthenticated anyone who looks for them, from anywhere" is an unreasonable default.

@jennamagius Sorry, I’m not making an assumption that you don’t understand, I’m just trying to get across another perspective on why others would consider this desired behavior. I spend most of my time working with network security so I’m forced to see both sides of the coin.

@queerhackerwitch Sure, I certainly understand that hidden services are more difficult to use than visible services, but I think running visible services should be an option for environments with enfranchised users and high security needs. I think the "visible services are more ergonomic" has translated excessively into "hidden services should not be possible" with respect to how our kernel infrastructure has developed.

@queerhackerwitch s/running visible services should be an option/running hidden services should be an option/

@queerhackerwitch It kinda seems to me like "We've got some great infrastructure in place for running discoverable, ergonomic services. It's called TCP. It runs great services you know and love, like HTTPS. People connect to HTTPS services on servers they don't know much about all the time." I don't feel like UDP needs to _be_ the same thing TCP is.

@queerhackerwitch The annoying thing about making a firewall rule is that interacting with the firewall is very different across different platforms. Plus, there's an information disclosure inherent in not sending the unreachable responses when you are an otherwise clearly existent system. The approach I'm going with is using raw sockets to receive portknocks without causing the kernel to consider additional UDP ports "open", so it _keeps_ sending unreachable responses.

@queerhackerwitch knockd exists, and it shells out to iptables, but shelling out to iptables is fragile and miserable and I hate it >.> We can do better.

@queerhackerwitch Also, literally the first time I set up knockd my knock ports showed up in nmap -sU and you could find the knock sequence by brute-forcing permutations on five ports, which is fairly pathetic. I suspect that happens to pretty much everyone the first time they set up knockd.

@jennamagius it makes sense to need root privileges to be able to hide a service though, even as a one time thing to set up a firewall rule

@queerhackerwitch Kinda. I mean, it's not "hidden" from the admins of the box: it shows up in netstat. It's just hidden from people on the far side of the network. I kinda resent the notion that people on the far side of a network "have a right" to know what services you are running by default.

@jennamagius It’s not that they “have a right” it’s just from a protocol practicality point of view. It’s often better for a server to respond “nothing’s on this port, go away” than to remain silent and have the other end keep retrying (because there’s an assumption that the network can be unreliable).

@queerhackerwitch The thing is, anyone who should be accessing remote-access services on my network should have a-priori out-of-band knowledge about what services should and should not exist. There's no user that's like "Maybe there is not supposed to be a service here or maybe this is connectivity problems" because they should know FOR A FACT, BEFORE THEY START what services are and are not supposed to exist.

@bob IMO there should be a sysctl flag for it, but I can't find one. You can drop them at firewall time, but there's no way to stop them from being generated in the first place.

@jennamagius I'm curious what your reasoning behind this is.

@espen When 17-010 dropped, worms started spamming every SMB service on the internet with EternalBlue. There's no reason somebody who doesn't have authorization to access my system should know if I am or am-not running remote access services: shodan.io/search?query=ssh

@espen I'll admit to you that I'm running a remote access service after you've proven that you're authorized to access that service. Otherwise, you're an attacker, and you don't need to know shit.

@jennamagius I get that. I'm not certain there are any "correct" answers here, that is why I am interested in your reasoning.

Like you, I assume "everyone" is an attacker, but I also assume that anyone interested in attacking me would be able to discover what services are available with little effort. Any effort I make to mask this is little more than theater and security through obscurity. So, given that, I prefer to say "access denied, keep moving" than not responding.

@espen Strong disagree. It is absolutely not security theatre, it is surface area minimization. MS17-010 said "access denied" and EternalBlue said "Boy, there sure is a LOT of surface area on the outside of your access denied" and then pwned the shit out of services that were "denying" "access"

@espen There's going to be an unauthenticated RCE in OpenSSH some day. The only way to reduce the chance that RCE will happen is by reducing the amount of codepaths an attacker can hit without creds. The minimum codepaths possible is "Does this UDP packet contain a specific static value? If not, we have reached the end of our codepaths."

@espen The even more minimal codepath is "You don't even know where to send the knock, so you don't even have the ability to trigger that static check at will. You can run 0.00 instructions of service code"
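The raw-socket knock listener and the "does this UDP packet contain a specific static value" check discussed in the posts above, as an added example that is not code from the thread: it parses raw IPv4/UDP frames and tracks a per-source knock sequence without ever binding the knock ports, so the kernel keeps answering them with ICMP port unreachable. The knock ports, token and addresses are made up, and frames are constructed inline because a live SOCK_RAW socket needs CAP_NET_RAW.

```python
import ipaddress
import struct

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical knock ports, nothing is bound to them
KNOCK_TOKEN = b"open-sesame"         # hypothetical static value each knock must carry

def parse_ipv4_udp(frame: bytes):
    """Return (src_ip, dst_port, payload) from a raw IPv4/UDP frame, or None if it is not one."""
    if len(frame) < 20:
        return None
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _ck, src, _dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 17 or ihl < 20 or len(frame) < ihl + 8:
        return None
    _sport, dst_port, udp_len, _ucks = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    if udp_len < 8 or len(frame) < ihl + udp_len:
        return None  # truncated datagram: end of the code path, no further parsing
    return str(ipaddress.IPv4Address(src)), dst_port, frame[ihl + 8:ihl + udp_len]

class KnockTracker:
    """Per-source knock state; observe() returns True once a full valid sequence arrives."""
    def __init__(self, sequence=KNOCK_SEQUENCE, token=KNOCK_TOKEN):
        self.sequence, self.token = sequence, token
        self.progress = {}  # src_ip -> index of the next expected knock

    def observe(self, frame: bytes) -> bool:
        parsed = parse_ipv4_udp(frame)
        if parsed is None:
            return False
        src, port, payload = parsed
        idx = self.progress.get(src, 0)
        if port == self.sequence[idx] and payload == self.token:
            idx += 1
        elif port == self.sequence[0] and payload == self.token:
            idx = 1   # out-of-order knock: restart from the first port
        else:
            idx = 0   # wrong port or wrong token resets this source
        if idx == len(self.sequence):
            self.progress.pop(src, None)
            return True
        self.progress[src] = idx
        return False

def build_udp_frame(src_ip: str, dst_port: int, payload: bytes) -> bytes:
    """Constructed test frame (checksums zeroed); live use would read from socket.SOCK_RAW instead."""
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address("10.0.0.1").packed)
    return ip + udp
```

Feeding it live traffic means calling recv() on socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_UDP), which on Linux delivers the IP header and is exactly the CAP_NET_RAW cost the thread is about.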

@jennamagius we ARE talking closed ports, right? Ports where no services are running?

My apologies if I misunderstood something.

@espen I'm talking about running services that appear to be closed ports unless you can authorize yourself enough to get the service to admit that it exists.

en.wikipedia.org/wiki/Port_kno

@jennamagius Right, a system protected behind 7 port knocks. But fine, I get that we're talking about something slightly different than I thought so I'll let this be. But thanks for taking the time to explain. :)