Thanks to all of you especially Moe.
I didn't know something like port knocking existed, but I guess it's the same idea except for a few things I didn't find in other solutions.
After spending a few days studying the concept I have a few remarks:
Simple port knocking is not very secure because it uses the same sequence every time. Dynamic knocking is better but more complex.
The main reason I'm looking for a web solution is:
- It works on port 80 so even when the company firewall is very secure ... if you can surf the Internet => it works.
- I prefer dynamic tokens over static port numbers.
- A small client can be written very easily in any language.
So here are the rough steps of my idea:
- Client requests a normal URL, e.g. [link] (where the token is a 32 or more character encrypted (MD5 or other) combination of the received token (read on) and the IP address)
- The web server (php/apache) will decrypt the received token and check if the "old token" is in a "valid token file" (read on)
- When the token is found in the file it will be removed.
- The IP address of the request is compared with the IP address in the received token.
- If all is OK, a new token is generated, written in the "valid token file" and sent to the client as response. The client will store it for use the next login.
- The correct port is opened, where you still have to log in with a valid user/pw combo.
Does anyone know of an existing tool that will do similar things? If not ... I know I'm partly reinventing the wheel, but it has to work on port 80 (or another port that is seldom blocked) and I like the aspect of unique keys.
What do you think? Any suggestions/remarks?
Thanks in advance. You all get a copy when it is ready ;-) Jan