isontheline / pro.webssh.net

iOS / iPadOS / macOS SSH Client
https://apps.apple.com/us/app/id497714887
MIT License

Port knocking IPv4 only? #1208

Closed cistronix closed 1 month ago

cistronix commented 1 month ago

Bug description

When connecting to a host with both an A and an AAAA record (ipv4 and ipv6 address), port knocking seems to knock on the ipv4 address, while the ssh connection is made to the ipv6 address.

Steps to reproduce

  1. Set up port knocking for a host with both an A and AAAA record.
  2. Connect to the host.
  3. Port knocking is done on the ipv4 address
  4. SSH connection is made to the ipv6 address
  5. The connection to the ipv6 address is blocked by the host, since only the ipv4 address is opened.

github-actions[bot] commented 1 month ago

Thank you for your feedback! 🙏 Arnaud (@isontheline) will respond within a few hours. In the meantime, please feel free to add any additional information that may help us resolve or improve WebSSH.

isontheline commented 1 month ago

Hello @cistronix 👋

Good catch!

I'm planning this issue and hope to come back to you within 2 weeks.

cistronix commented 1 month ago

Great! I love WebSSH btw.

A few more observations I've made since:

isontheline commented 1 month ago

> Knocking on an ipv6-only host name seems not to work

Yes it's a known issue that I will try to resolve with this one

> My Mobile internet provider uses a form of Carrier-Grade NAT, and even on ipv4-only hosts, my knocks are routed from a different IP than the ssh connection. And thus, any of my observations may be caused by my internet provider, and not by WebSSH.

Strange as I try to mimic the port opening like SSH does. If you can connect multiple times to your SSH host, are you seeing multiple IP addresses?

cistronix commented 1 month ago

I set up another knocking sequence on port 22:tcp, so that knockd would see both the knocking and the ssh connection, and just echo the %IP%. It's obviously not useful that way, but for testing purposes I guess it works.

I see this in my log:

```
[2024-10-02 00:26] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:26] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:26] openSSH3: running command: echo xx.yy.75.165

[2024-10-02 00:26] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:26] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:26] openSSH3: running command: echo xx.yy.75.165

[2024-10-02 00:26] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:26] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:26] openSSH3: running command: echo xx.yy.75.165

[2024-10-02 00:27] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.75.165

[2024-10-02 00:27] xx.yy.67.81: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.67.81: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.67.81

[2024-10-02 00:27] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.75.165

[2024-10-02 00:27] xx.yy.67.81: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.67.81: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.67.81

[2024-10-02 00:27] xx.yy.67.81: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.67.81: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.67.81

[2024-10-02 00:27] xx.yy.67.81: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.67.81: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.67.81

[2024-10-02 00:27] xx.yy.67.81: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.67.81: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.67.81

[2024-10-02 00:27] xx.yy.67.81: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.67.81: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.67.81
```

The ip addresses are both in the expected range for my mobile ISP. I have no idea what that means, but maybe it's helpful for you. After that I tried just ssh without port knocking and it was another ip address again. I guess the ip address just changes too often. Anyways, for now I'll go back to using webSSH via wireguard without port knocking. It drains the battery of my phone, but works just fine for now.

I hope this information helps!
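The test described in the comment above can be checked mechanically. The following is an added example, not part of the original thread or of knockd: it parses log lines in the format quoted above and reports every point where consecutive successful opens came from a different source address. The sample log is constructed, and the function name `source_switches` is hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the comment above.
SAMPLE_LOG = """\
[2024-10-02 00:26] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:26] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:26] openSSH3: running command: echo xx.yy.75.165
[2024-10-02 00:26] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:26] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:26] openSSH3: running command: echo xx.yy.75.165
[2024-10-02 00:27] xx.yy.67.81: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.67.81: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.67.81
[2024-10-02 00:27] xx.yy.75.165: openSSH3: Stage 1
[2024-10-02 00:27] xx.yy.75.165: openSSH3: OPEN SESAME
[2024-10-02 00:27] openSSH3: running command: echo xx.yy.75.165
"""

# "[timestamp] source: door: OPEN SESAME" marks a completed sequence.
OPEN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] (?P<src>\S+): (?P<door>[^:]+): OPEN SESAME$"
)

def source_switches(log_text, door):
    """Return (opens per source address, list of (timestamp, previous, new) switches)."""
    opens = []
    for line in log_text.splitlines():
        m = OPEN_RE.match(line.strip())
        if m and m.group("door") == door:
            opens.append((m.group("ts"), m.group("src")))
    per_source = Counter(src for _, src in opens)
    # A switch is any pair of consecutive opens whose source address differs.
    switches = [
        (ts, prev, src)
        for (_, prev), (ts, src) in zip(opens, opens[1:])
        if prev != src
    ]
    return per_source, switches

if __name__ == "__main__":
    per_source, switches = source_switches(SAMPLE_LOG, "openSSH3")
    print(dict(per_source))
    for ts, prev, new in switches:
        print(f"{ts}: source changed {prev} -> {new}")
```

Any switch inside the window between the knock and the SSH connection means a firewall rule keyed on the knocking address will not match the connection that follows.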

isontheline commented 1 month ago

Another way to deal with IP switching from your ISP : open the SSH port for "all the world" just for 3-5 seconds and then close the SSH port again (without closing established connections). It's far from perfect but could help you to bypass wireguard if you have battery concerns.

cistronix commented 1 month ago

It sounds good enough, I'll take it. It's better than locking myself out of my system. BTW, I noticed the knockd service is not "seeing" the ipv6 packets if it is started right after boot as a service. And since it's no longer actively developed, it's probably not going to be fixed. Maybe you shouldn't put too much effort in fixing the bug in WebSSH, maybe it's a feature this way...

isontheline commented 1 month ago

Hello @cistronix 👋

WebSSH 27.8.1409 should now support Port Knocking over IPv6 : https://testflight.apple.com/join/QSrBK59z

Feel free to come back to me at any time if you need support

I wish you a nice day ☀️
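The mismatch reported in this issue (knocks sent to the A record, SSH opened to the AAAA record) goes away when the client resolves the host once and uses that single address for both steps. The sketch below is an added example in Python, not WebSSH's code; the function names, the knock ports and the documentation-range addresses used to exercise it are assumptions.

```python
import socket

def pin_target(host, port, resolver=socket.getaddrinfo):
    """Resolve the host once and return (family, sockaddr) of the first result."""
    family, _type, _proto, _canon, sockaddr = resolver(
        host, port, type=socket.SOCK_STREAM
    )[0]
    return family, sockaddr

def with_port(sockaddr, port):
    """Same address (and IPv6 flowinfo/scope id, if present), different port."""
    return (sockaddr[0], port) + tuple(sockaddr[2:])

def connection_plan(host, knock_ports, ssh_port, resolver=socket.getaddrinfo):
    """Ordered (family, sockaddr) steps: every knock, then SSH, on one pinned address."""
    family, sockaddr = pin_target(host, ssh_port, resolver)
    return [(family, with_port(sockaddr, p)) for p in list(knock_ports) + [ssh_port]]

def knock(family, sockaddr, timeout=1.0):
    """Send one TCP connection attempt; knock ports are closed, so the result is ignored."""
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect_ex(sockaddr)

def knock_then_connect(host, knock_ports, ssh_port=22, timeout=10.0):
    """Knock and connect using the same address family and address throughout."""
    plan = connection_plan(host, knock_ports, ssh_port)
    for family, sockaddr in plan[:-1]:
        knock(family, sockaddr)
    family, sockaddr = plan[-1]
    ssh = socket.socket(family, socket.SOCK_STREAM)
    ssh.settimeout(timeout)
    ssh.connect(sockaddr)
    return ssh
```

If the SSH connection has to fall back to a different address from the resolver's list, the knock sequence needs to be repeated against that address first.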