shimmer

Current Release

The current shimmer version is v0.1.0.

[Project Page] [Download]

About

shimmer is a pair of small programs (a client and a server) that provide an alternative to port knocking program such as tumbler and are used to hide a valuable port (such as a hidden web server or SSH) on a public IP address.

shimmer works by cryptographically changing a set of 16 ports (one of which forwards to the real service, and 15 others that lead to a trap to blacklist attackers). The 16 ports change every minute frustrating an attacker, but a legimitate user with access to a secret shared between the client and server can determine the real port, avoid blacklisting, and get a connection.

Since both client and server must be time synchronized to the nearest minute shimmer actual holds 48 ports open at a time (16 for the previous minute, 16 for the current minute and 16 for the next minute) to avoid problems due to small amounts of clock drift.



Figure 1: shimmerd operation

Figure 1 shows a simplifed (8 port rather than 16 port) shimmerd set up. First the standard firewall blocks all ports except the range 10000 to 10999 chosen to work with shimmerd. Connections on those ports are forwarded.

Then shimmerd has selected 8 ports (for the current minute in time) of which 7 cause automatic blacklisting of the incoming connections and associated IP addresses (the IP addresses are recorded and banned from connections for 15 minutes, with the 15 minutes sliding each time a connection is attempted).

One port forwards through to the real SSH server running on the machine.

Using shimmer

shimmerd is the daemon program that managers the collections of ports (known as mirages) on a server. shimmerd is configured using a simple text-based configuration file. Here's a simple configuration that hides an SSH server residing on port 22 (which should be firewalled off from the outside world) behind a collection of ports in the range 10000 to 109999.
[common]

log = /var/log/shimmer.log

[mirage-ssh]

secret = password
port = 22
range = 10000-10999
The log setting in the [common] section tells shimmerd where to write its log file. After [common] come an arbitrary number of mirages each with a unique name. Here, just one named ssh is defined in the section [mirage-ssh].

The port setting tells shimmerd to forward a connection to the right mirage port to the local port 22 (where SSH normally resides). The range setting gives the range of ports over which shimmerd will choose ports to hide behind.

Finally, the secret setting is a shared secret between the shimmerd server and any user connecting with the shimmer client program.

Starting shimmerd is as simple as

$ shimmerd --config=shimmer.conf &
The shimmer client does one thing only: it outputs the current legitimate port for a specific mirage, range and secret combination. This output can then be used to configure another program (such as an SSH client) with the port to connect to.

Here's shimmer being used to connect to a hidden SSH server:

ssh user@remote.host -p `./shimmer --open ssh:10000:10999 --secret password`
shimmer's --open gives the mirage name and range of ports configured. The secret can be passed on the command-line (with --secret) or entered interactively.

Cryptographically Constantly Changing Port Opening or C3PO

My original discussion of the underlying idea is here. Inside both shimmerd and shimmer is the same cryptographic choice of ports. The algorithm works as follows:
  1. Get the current Unix epoch time to the nearest minute: minute
  2. Get the name of the mirage being shimmered: name
  3. Get the shared secret: secret
  4. Calculate the SHA-256 hash of a combination of minute, name and secret to create a 256-bit Rijndael key that depends on time (changing every minute) and a shared secret: key.
  5. Use key to AES encrypt the numbers 0 through 15 to obtain 16 seeds for port numbers: seeds.
  6. Map each seed to a port number in the range specified for the mirage using a simple modulus operation to obtain a list of ports: ports.
  7. The first port generated (corresponding to the first seed from encrypting 0) is the port that will be forwarded, the other 15 are traps.

Alpha Software

This is alpha software. It's an open source rewrite of code I actually run on my own server, there could be bugs, so please report them and I'll get fixing.
Copyright (c) 2007-2008 John Graham-Cumming

Last modified: Tue Jan 8 09:45:43 CET 2008