redteaminfra / redteam-infra


Ingress Restrictions to Middle from Edges on Port 2222 #70

Open willk opened 8 months ago

willk commented 8 months ago

Censys was able to tie together all edges and proxy01 with public key fingerprints.

Possible solution elements include:

tophertimzen commented 4 months ago

While only allowing 2222 from an edge -> middle and 2222 from middle -> proxy01 prevents correlation of the fingerprint to internal infra, the same key fingerprint is still present across all edges that share the same proxy sshd key fingerprint.

We need to figure out a way in which every edge has a different sshd host key fingerprint from proxy01. This may require each edge pointing to a different sshd server and a unique port.

Port knocking may be a solution to this... but nc and other equivalent tools to port knock alert.

willk commented 4 months ago

The backflip role should be changed. The user should be able to specify how many backflips they would like by either port number or with a count of how many they would like (not necessarily both). For each port/count a new host keypair should be generated along with a unique sshd_config that listens on one of those ports.

E.g. I want to have 3 edges, each listening on one of the following ports: 1433, 3306, or 8080. I would specify that in my variables for the role. Ansible then would generate new host keypairs like ssh_host_ed25519_key_1433, ssh_host_ed25519_key_1433.pub, ssh_host_rsa_key_1433, ssh_host_rsa_key_1433.pub, and an sshd_config file called sshd_1433. It would do that for each of the ports. Next, for each of the ports, a different systemd unit file would be created, installed and run that uses the unique sshd_config.

Another option could be to use docker compose with something like https://github.com/linuxserver/docker-openssh-server. You then could specify how many ports you would like, either by number of ports or by specifying port numbers, and docker compose could handle forwarding your ports into the docker container on port 22.
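The per-port sshd layout described in the comment above, written out as an added Ansible playbook (example code, not the redteam-infra role's own): one host key, one sshd_config and one systemd unit per port, so edges pointed at different ports never see the same host key fingerprint. The variable name `backflip_ports`, the host group `proxy01` and the use of the `community.crypto` collection are assumptions.

```yaml
# Added example, not part of the redteam-infra role. Assumes the
# community.crypto collection is installed and a host group "proxy01".
- name: One sshd listener per backflip port, each with its own host key
  hosts: proxy01
  become: true
  vars:
    backflip_ports: [1433, 3306, 8080]   # assumed variable name
  tasks:
    - name: Generate a distinct ed25519 host key for each port
      community.crypto.openssh_keypair:
        path: "/etc/ssh/ssh_host_ed25519_key_{{ item }}"
        type: ed25519
        mode: "0600"
      loop: "{{ backflip_ports }}"

    - name: Write an sshd_config per port that loads only that port's key
      ansible.builtin.copy:
        dest: "/etc/ssh/sshd_{{ item }}"
        mode: "0644"
        # Explicit HostKey stops sshd from also loading the default
        # /etc/ssh/ssh_host_* keys, which would reintroduce a shared fingerprint.
        content: |
          Port {{ item }}
          HostKey /etc/ssh/ssh_host_ed25519_key_{{ item }}
          PidFile /run/sshd_{{ item }}.pid
          PasswordAuthentication no
          PermitRootLogin no
        validate: "/usr/sbin/sshd -t -f %s"   # reject a broken config before install
      loop: "{{ backflip_ports }}"

    - name: Install a systemd unit per port pointing at its own config
      ansible.builtin.copy:
        dest: "/etc/systemd/system/sshd-{{ item }}.service"
        mode: "0644"
        content: |
          [Unit]
          Description=sshd listener on port {{ item }}
          After=network.target
          [Service]
          ExecStart=/usr/sbin/sshd -D -f /etc/ssh/sshd_{{ item }}
          Restart=on-failure
          [Install]
          WantedBy=multi-user.target
      loop: "{{ backflip_ports }}"

    - name: Enable and start every listener
      ansible.builtin.systemd:
        name: "sshd-{{ item }}"
        daemon_reload: true
        enabled: true
        state: started
      loop: "{{ backflip_ports }}"
```

After the run, `ssh-keyscan -p <port> proxy01 | ssh-keygen -lf -` for each port should print a different fingerprint; if two match, a shared HostKey line is still being loaded.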