Difference between revisions of "Talk:Port knocking"

For me the supplied script did not work.

Instead of

 nmap -P0 --host_timeout 201 -p $2 $1 &> /dev/null
 nmap -P0 --host_timeout 201 -p $3 $1 &> /dev/null

I use

 nmap -PN --host_timeout 201 --max-retries 0 -p $2 $1 &> /dev/null
 nmap -PN --host_timeout 201 --max-retries 0 -p $3 $1 &> /dev/null

The flag -P0 seems to have been renamed to -PN in a more recent nmap version.

But the important part is --max-retries. If it is not set to 0, nmap sends several TCP SYN packets to the target host. This then causes several knocks on port 1 and 2 instead of just one, thus knocking 'out of order'.

Please edit if you agree. I'm not an 'expert' by any means; these are just my thoughts after examining iptables logs.

I'll edit the page in a few days if there is no response. I just wanted to have feedback before I do.
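The single-SYN-per-port requirement described in the comment above can also be met without nmap. The following knock client is an added example written for this talk page; it is not the wiki's script nor the commenter's. It assumes a Linux client, where the kernel retransmits an unanswered SYN only after about 1 s, so a connect() that gives up after 0.3 s emits exactly one SYN per knock port and never retries (the host name and port numbers passed in are the caller's choice; nothing here is taken from a real deployment):

```python
"""Port-knock client that sends exactly one TCP SYN per port.

Added example for the Talk:Port knocking page, not the wiki's own script.
Assumption: Linux, whose first SYN retransmission fires after ~1 s. With a
connect() timeout well below that, the socket is closed while still in
SYN_SENT, so no second SYN (and no RST) is ever sent for a knock port.
"""
import socket
import time


def knock(host, ports, timeout=0.3, delay=0.2):
    """Send one SYN to each port in order; return a per-port outcome list.

    Outcomes: "filtered" (no reply, what a knock port behind DROP looks like),
    "closed" (RST: reachable but not listening), "open" (handshake completed),
    or "error:<errno>" for anything else (unreachable network, etc.).
    """
    results = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)  # shorter than the kernel's first SYN retry
            try:
                s.connect((host, port))
                results.append("open")
            except socket.timeout:
                results.append("filtered")
            except ConnectionRefusedError:
                results.append("closed")
            except OSError as exc:
                results.append(f"error:{exc.errno}")
        # Small gap so the knocks arrive in order even on a busy link.
        time.sleep(delay)
    return results


if __name__ == "__main__":
    import sys

    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} HOST PORT [PORT ...]")
    target, *knock_ports = sys.argv[1:]
    print(knock(target, [int(p) for p in knock_ports]))
```

After the sequence, `knock(host, [22])` returning `"open"` confirms the door opened; with the rules on this page the entry stays valid for 30 seconds, so the probe does not consume it.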
 
 
==Merge tag with iptables==
 
Hi, I would not merge this to iptables. Three reasons: (1) Iptables is a massive topic. Its basics are hard enough to cover on one page. (2) This here is pretty specialised and only few users will ever have contact with the concept of port knocking. It's likely out-of-bounds on the main page. (3) More adequate imo would be a merge to the stateful-firewall page (port knocking with iptables is great, but boils down to advanced state handling). But that is too large itself and has a small section regarding knockd (maybe that bit could be merged here?).
 
I think it would be enough to link the pages together a bit more. Thoughts? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 19:30, 11 August 2013 (UTC)
 
 
:I just don't like the current state, it seems it could use merging into some page with better context (you're absolutely right about [[Simple Stateful Firewall]]). But, if this page is rewritten to be more like a guide and not just presenting a (commented) config file, then it could be useful standalone page. (Perhaps I should have added a 'Poor writing' tag instead of 'Merge'.) -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 08:34, 12 August 2013 (UTC)
 
::I'd enjoy contributing to making the page more proper, but it'll take some time with leisure. I just re-read the [[Simple_stateful_firewall#Port_knocking]] and think one should move that here and link from stateful firewall. Although the explained knockd has (obviously) great history, I personally find it going too far for that page. Also I dislike introducing daemons on the [[Simple_stateful_firewall]] page and knockd is the only daemon explained there on top of iptables itself. Moving that para here would make it a section on the daemon (automatic way to setup) and a manual way (like on the wireless page). For the manual way the rules on the page could be split up a bit further in blocks moving the comments into verbose for starters.
 
::Additionally, as a light intro one could take up a (1) simple example of state-checking ssh bruteforce, leading over to (2) port knocking as a concept, to (3) introducing knockd (and maybe alternatives), then the (4) manual script in more verbose and (5) Resources. What do you think? --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 22:31, 13 August 2013 (UTC)
 
:::Sounds great! I'll see if I can help too. -- [[User:Lahwaacz|Lahwaacz]] ([[User talk:Lahwaacz|talk]]) 14:38, 16 August 2013 (UTC)
 
::::I've redone it roughly in the way proposed above. Below I copied the original rules for the time being (I find it easier than looking up the edit history), because I changed them slightly.
 
::::One thing I missed was that someone added a SSH bruteforce section to the stateful firewall article earlier this year. It is really much better in context there, so I'll skip that bit (1) of the proposal above. I moved the knockd here too; goes well with both I find. Comments/edits on the work-over are welcome! --[[User:Indigo|Indigo]] ([[User talk:Indigo|talk]]) 22:45, 21 August 2013 (UTC)
 
 
==== <s>Temp backup of original port knocking script before edit August 2013</s> ====
 
 
{{hc|/etc/iptables/iptables.rules|2=
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TRAFFIC - [0:0]
:SSH-INPUT - [0:0]
:SSH-INPUTTWO - [0:0]
-A INPUT -j TRAFFIC
-A FORWARD -j TRAFFIC

# Accepted connections by default
-A TRAFFIC -i lo -j ACCEPT
-A TRAFFIC -s 192.168.0.0/24 -j ACCEPT
-A TRAFFIC -p icmp --icmp-type any -j ACCEPT
-A TRAFFIC -m state --state ESTABLISHED,RELATED -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Port Knocking -- the correct port sequence is 8881 -> 7777 -> 9991; any other sequence will close the port 22

# If the ip is on the list SSH2, the port 22 is going to be open for 30 seconds,
# after that is closed again (but only for new connections, established ones are not closed)
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --seconds 30 --name SSH2 -j ACCEPT

# Now we delete the ip from the list SSH2 (if present)
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH2 --remove -j DROP

# This will call SSH-INPUTTWO if the ip is present on the list SSH1 and the port knocked is 9991
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 9991 -m recent --rcheck --name SSH1 -j SSH-INPUTTWO

# Now we delete the ip from the list SSH1 (if present)
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH1 --remove -j DROP

# This will call SSH-INPUT if the ip is present on the list SSH0 and the port knocked is 7777
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 7777 -m recent --rcheck --name SSH0 -j SSH-INPUT

# Now we delete the ip from the list SSH0 (if present)
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH0 --remove -j DROP

# This will add the ip to the list SSH0 if the port knocked is 8881
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 8881 -m recent --name SSH0 --set -j DROP

# SSH-INPUT add the ip to the list SSH1
-A SSH-INPUT -m recent --name SSH1 --set -j DROP

# SSH-INPUTTWO add the ip to the list SSH2
-A SSH-INPUTTWO -m recent --name SSH2 --set -j DROP

# Any other traffic is dropped
-A TRAFFIC -j DROP
COMMIT
# you can add nat rules, etc here
}}
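The rules above are easiest to reason about by replaying packets through a model of them. The following is an added example written for this talk page; it is not part of the wiki article and not code from iptables. It mimics the `recent` match's per-source lists (`--set`, `--rcheck` with and without `--seconds`, `--remove`) with plain dictionaries and walks the TRAFFIC chain in exactly the order of the rules above (the `lo`, LAN, ICMP and ESTABLISHED rules are left out because they do not touch the knock lists). The timestamps and source addresses are constructed. It also reproduces the failure described in the first comment on this page: a retransmitted SYN to the first knock port (8881) hits the `--name SSH0 --remove` rule and throws the host out of the sequence, which is why a knock client must send exactly one SYN per port.

```python
"""Model of the port-knocking iptables rules on this page.

Added example for Talk:Port knocking; not the wiki's or iptables' own code.
Times are integer seconds chosen for the scenarios (constructed data).
"""

WINDOW = 30  # --seconds 30 on the port-22 rcheck rule
KNOCK1, KNOCK2, KNOCK3, DOOR = 8881, 7777, 9991, 22


class Recent:
    """Minimal model of the 'recent' match: list name -> {source: last-seen time}."""

    def __init__(self):
        self.lists = {"SSH0": {}, "SSH1": {}, "SSH2": {}}

    def set(self, name, src, now):        # --set: add or refresh the entry
        self.lists[name][src] = now

    def rcheck(self, name, src, now, seconds=None):  # --rcheck [--seconds N]
        seen = self.lists[name].get(src)
        if seen is None:
            return False
        return seconds is None or now - seen <= seconds

    def remove(self, name, src):          # --remove: drop the entry if present
        self.lists[name].pop(src, None)


def traffic_chain(recent, src, dport, now):
    """Verdict of the TRAFFIC chain for one NEW TCP SYN, rule by rule."""
    if dport in (80, 443):
        return "ACCEPT"
    # Door: open only while the source is fresh in SSH2; rcheck does not remove it.
    if dport == DOOR and recent.rcheck("SSH2", src, now, WINDOW):
        return "ACCEPT"
    # Any other NEW packet from a source in SSH2 forgets it.
    if recent.rcheck("SSH2", src, now):
        recent.remove("SSH2", src)
        return "DROP"
    if dport == KNOCK3 and recent.rcheck("SSH1", src, now):
        recent.set("SSH2", src, now)       # -j SSH-INPUTTWO
        return "DROP"
    if recent.rcheck("SSH1", src, now):
        recent.remove("SSH1", src)
        return "DROP"
    if dport == KNOCK2 and recent.rcheck("SSH0", src, now):
        recent.set("SSH1", src, now)       # -j SSH-INPUT
        return "DROP"
    # A second SYN to 8881 lands here and erases the first knock.
    if recent.rcheck("SSH0", src, now):
        recent.remove("SSH0", src)
        return "DROP"
    if dport == KNOCK1:
        recent.set("SSH0", src, now)
        return "DROP"
    return "DROP"


def replay(packets, recent=None):
    """packets: iterable of (time, src, dport) NEW SYNs; returns the verdicts."""
    recent = Recent() if recent is None else recent
    return [traffic_chain(recent, src, dport, t) for t, src, dport in packets]


if __name__ == "__main__":
    A = "198.51.100.7"
    good = [(0, A, KNOCK1), (1, A, KNOCK2), (2, A, KNOCK3), (3, A, DOOR)]
    retry = [(0, A, KNOCK1), (1, A, KNOCK1), (2, A, KNOCK2), (3, A, KNOCK3), (4, A, DOOR)]
    late = [(0, A, KNOCK1), (1, A, KNOCK2), (2, A, KNOCK3), (40, A, DOOR)]
    for name, seq in (("correct sequence", good), ("duplicated first knock", retry),
                      ("door tried after 30 s", late)):
        print(f"{name:24s} -> {replay(seq)}")
```

Run it to see that the correct sequence ends in ACCEPT, the duplicated first knock never opens the door, and a port-22 SYN after the 30-second window is dropped and also clears the SSH2 entry. Per-source lists mean another host's knocks do not disturb the sequence of the first.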
 

Revision as of 13:39, 27 August 2013