Talk:Port knocking

From ArchWiki
Revision as of 22:47, 21 August 2013 by Indigo (talk | contribs) (closing old disc. hints are in the script)

Nmap parameters

For me the supplied script did not work. Instead of

nmap -P0 --host_timeout 201 -p $2 $1 &> /dev/null

nmap -P0 --host_timeout 201 -p $3 $1 &> /dev/null

I use

nmap -PN --host_timeout 201 --max-retries 0 -p $2 $1 &> /dev/null

nmap -PN --host_timeout 201 --max-retries 0 -p $3 $1 &> /dev/null

The flag P0 seems to have been renamed to PN in a more recent nmap version. But the important part is max-retries. If it is not set to 0 nmap sends several TCP SYN packets to the target host. This then causes several knocks on port 1 and 2 instead of just one - thus knocking 'out of order'.

Please edit if you agree - I'm not an 'expert' by any means, these are just my thoughts after examining iptables logs. I'll edit the page in a few days if there is no response - I just wanted to have feedback before I do.

Merge tag with iptables

Hi, I would not merge this to iptables. Three reasons: (1) Iptables is a massive topic. Its basics are hard enough to cover on one page. (2) This here is pretty specialised and only few users will ever have contact with the concept of port knocking. It's likely out-of-bounds on the main page. (3) More adequate imo would be a merge to the stateful-firewall page (port knocking with iptables is great, but boils down to advanced state handling). But that is too large itself and has a small section regarding knockd (maybe that bit could be merged here?). I think it would be enough to link the pages together a bit more. Thoughts? --Indigo (talk) 19:30, 11 August 2013 (UTC)

I just don't like the current state, it seems it could use merging into some page with better context (you're absolutely right about Simple Stateful Firewall). But, if this page is rewritten to be more like a guide and not just presenting a (commented) config file, then it could be useful standalone page. (Perhaps I should have added a 'Poor writing' tag instead of 'Merge'.) -- Lahwaacz (talk) 08:34, 12 August 2013 (UTC)
I'd enjoy contributing to making the page more proper, but it'll take some time with leisure. I just re-read the Simple_stateful_firewall#Port_knocking and think one should move that here and link from stateful firewall. Although the explained knockd has (obviously) great history, I personally find it going too far for that page. Also I dislike introducing daemons on the Simple_stateful_firewall page and knockd is the only daemon explained there on top of iptables itself. Moving that para here would make it a section on the daemon (automatic way to setup) and a manual way (like on the wireless page). For the manual way the rules on the page could be split up a bit further in blocks moving the comments into verbose for starters.
Additionally, as a light intro one could take up a (1) simple example of state-checking ssh bruteforce, leading over to (2) port knocking as a concept, to (3) introducing knockd (and maybe alternatives), then the (4) manual script in more verbose and (5) Resources. What do you think? --Indigo (talk) 22:31, 13 August 2013 (UTC)
Sounds great! I'll see if I can help too. -- Lahwaacz (talk) 14:38, 16 August 2013 (UTC)
I've redone it roughly in the way proposed above. Below I copied the original rules for the time being (I find it easier than looking up the edit history), because I changed them slightly.
One thing I missed was that someone added a SSH bruteforce section to the stateful firewall article earlier this year. It is really much better in context there, so I'll skip that bit (1) of the proposal above. I moved the knockd here too; goes well with both I find. Comments/edits on the work over welcome! --Indigo (talk) 22:45, 21 August 2013 (UTC)

Temp backup of original port knocking script before edit August 2013

# User-defined chains (iptables-restore syntax). TRAFFIC only sees packets if the
# INPUT chain jumps to it; SSH-INPUTTWO is jumped to below, so it has to be declared too.
:TRAFFIC - [0:0]
:SSH-INPUT - [0:0]
:SSH-INPUTTWO - [0:0]

# Accepted connections by default

-A TRAFFIC -p icmp --icmp-type any -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT

# Port Knocking -- the correct port sequence is 8881 -> 7777 -> 9991; any other new TCP packet
# from an ip that is part-way through the sequence resets it, and any other sequence leaves port 22 closed

# If the ip is on the list SSH2, the port 22 is going to be open for 30 seconds, 
# after that is closed again (but only for new connections, established ones are not closed)
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --seconds 30 --name SSH2 -j ACCEPT

# Any other new TCP packet from an ip on the list SSH2 removes it from the list and is dropped
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH2 --remove -j DROP

# This will call SSH-INPUTTWO if the ip is present on the list SSH1 and the port knocked is 9991
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 9991 -m recent --rcheck --name SSH1 -j SSH-INPUTTWO

# Any other new TCP packet from an ip on the list SSH1 removes it from the list and is dropped
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH1 --remove -j DROP

# This will call SSH-INPUT if the ip is present on the list SSH0 and the port knocked is 7777
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 7777 -m recent --rcheck --name SSH0 -j SSH-INPUT

# Any other new TCP packet from an ip on the list SSH0 removes it from the list and is dropped
# (this includes a repeated knock on 8881, which is why one SYN per knock matters)
-A TRAFFIC -m state --state NEW -m tcp -p tcp -m recent --name SSH0 --remove -j DROP

# This will add the ip to the list SSH0 if the port knocked is 8881
-A TRAFFIC -m state --state NEW -m tcp -p tcp --dport 8881 -m recent --name SSH0 --set -j DROP

# SSH-INPUT adds the ip to the list SSH1 (second knock accepted) and drops the knock packet
-A SSH-INPUT -m recent --name SSH1 --set -j DROP

# SSH-INPUTTWO adds the ip to the list SSH2 (sequence complete) and drops the knock packet
-A SSH-INPUTTWO -m recent --name SSH2 --set -j DROP

# Any other traffic is dropped
# you can add nat rules, etc here
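The following is an added example, not code from the wiki page or from either contributor: a small Python model of the backed-up TRAFFIC chain, so the rule order can be replayed without a firewall. It serves both the rule set above and the retry problem raised in the Nmap parameters thread: one SYN per knock opens port 22, while nmap's default retransmissions (every knock arriving twice) reset the sequence, as does a wrong order or a port 22 attempt more than 30 seconds after the last knock. The model is an assumption about the rules' behaviour: only NEW TCP SYNs are modelled, timestamps are caller-supplied, the recent module's per-list entry limit is ignored, and 198.51.100.7 is a constructed documentation address.

```python
"""Added example (not from the wiki page): a Python model of the 'recent'-based
knock rules backed up above, used to replay the nmap retry problem from the
'Nmap parameters' thread without touching a real firewall.

Assumptions (all constructed for this example):
  * only NEW TCP SYNs are modelled, one packet per call; ESTABLISHED traffic,
    ICMP and the recent module's per-list entry limit are ignored;
  * timestamps are caller-supplied integers (seconds);
  * 198.51.100.7 is a documentation address standing in for the client.
"""

KNOCK_SEQUENCE = (8881, 7777, 9991)  # sequence used by the backed-up rules
WEB_PORTS = (80, 443)                 # accepted before the knock rules
SSH_PORT = 22
OPEN_WINDOW = 30                      # --seconds 30 on the SSH2 --rcheck rule


class KnockFirewall:
    """Mirrors the TRAFFIC chain: rule order matters, first match wins."""

    def __init__(self):
        # each 'recent' list maps source IP -> time of the last --set
        self.lists = {"SSH0": {}, "SSH1": {}, "SSH2": {}}

    def _set(self, name, ip, now):
        self.lists[name][ip] = now

    def _rcheck(self, name, ip, now, seconds=None):
        seen = self.lists[name].get(ip)
        if seen is None:
            return False
        return seconds is None or now - seen <= seconds

    def _remove(self, name, ip):
        # --remove only matches (and removes) when the IP is on the list
        return self.lists[name].pop(ip, None) is not None

    def new_tcp(self, ip, dport, now):
        """Verdict ('ACCEPT' or 'DROP') for one NEW TCP SYN from ip to dport."""
        if dport in WEB_PORTS:
            return "ACCEPT"
        # port 22 is open for OPEN_WINDOW seconds after the last correct knock
        if dport == SSH_PORT and self._rcheck("SSH2", ip, now, OPEN_WINDOW):
            return "ACCEPT"
        # any other new connection from a listed IP drops it off the list
        if self._remove("SSH2", ip):
            return "DROP"
        # third knock: 9991 while on SSH1 -> SSH-INPUTTWO (--set SSH2, DROP)
        if dport == KNOCK_SEQUENCE[2] and self._rcheck("SSH1", ip, now):
            self._set("SSH2", ip, now)
            return "DROP"
        if self._remove("SSH1", ip):
            return "DROP"
        # second knock: 7777 while on SSH0 -> SSH-INPUT (--set SSH1, DROP)
        if dport == KNOCK_SEQUENCE[1] and self._rcheck("SSH0", ip, now):
            self._set("SSH1", ip, now)
            return "DROP"
        # a repeated 8881 SYN lands here and wipes SSH0 before the --set rule
        if self._remove("SSH0", ip):
            return "DROP"
        # first knock: 8881 -> --set SSH0, DROP
        if dport == KNOCK_SEQUENCE[0]:
            self._set("SSH0", ip, now)
            return "DROP"
        return "DROP"  # chain policy: everything else is dropped


def run_knocks(ports, delay_before_ssh=1, gap=1, ip="198.51.100.7"):
    """Send one SYN per port (gap seconds apart), then one SYN to port 22.

    Returns the verdict for the port 22 SYN.
    """
    fw = KnockFirewall()
    last = 0
    for i, port in enumerate(ports):
        last = i * gap
        fw.new_tcp(ip, port, last)
    return fw.new_tcp(ip, SSH_PORT, last + delay_before_ssh)


if __name__ == "__main__":
    # one SYN per knock, as with --max-retries 0
    print("single SYNs :", run_knocks([8881, 7777, 9991]))
    # nmap's default retransmission: every knock arrives twice
    doubled = [p for p in KNOCK_SEQUENCE for _ in range(2)]
    print("retried SYNs:", run_knocks(doubled))
    print("wrong order :", run_knocks([7777, 8881, 9991]))
    print("after 30 s  :", run_knocks([8881, 7777, 9991], delay_before_ssh=31))
```

Running it prints ACCEPT for the single-SYN sequence and DROP for the other three cases. The doubled case fails at the very first repeat: the second 8881 SYN reaches the SSH0 --remove rule before the 8881 --set rule, so the sequence is reset before 7777 is ever seen, which matches what the iptables logs in the thread above showed.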