On Wed, 29 Sep 2004 23:10:11 +0200, Jacob S <[EMAIL PROTECTED]> wrote:
> On Wed, 29 Sep 2004 21:55:59 +0200
> Matthijs <[EMAIL PROTECTED]> wrote:
>
> > It's not really what you're asking, but:
> > In the Dutch computer magazine C't, I read an article a few months ago
> > about protecting your computer using a port knocking system. If I
> > remember correctly, you can close a port (your SSH port, for example)
> > and only open it when a pre-defined pattern of access attempts on a
> > pre-defined port (unused for applications) is applied. The SSH port
> > can then be set to open in your firewall, perhaps only for the
> > IP-address that performed the knocking sequence.
>
> hmm... You're right, it's not what I'm looking for, but it still sounds
> like a good concept. I'd be interested in learning more about that, if
> not for this use with ssh, I have a couple other applications it could
> work with on servers.

Short note in advance: I've only read the article, I use neither this
portknocking stuff nor the iptables firewall (well, at least not that I'm
really aware of). So I can't be held responsible for mistakes in the
article that I've copied below...

OK, here's some info from the article (Dutch C't, September 2004, pages
112-114):

Port knocking project by Martin Krzywinski: http://www.portknocking.org

Portknocking uses a predefined range of 255 ports to receive TCP
connection attempts ('knocks'). These ports do not need to be open for
incoming connections; the messages written by iptables to the system log
are enough to activate the portknocking software. The portknocking
package consists of two scripts, one for the client and the other for
the server. According to the article, C, Python and Perl versions of the
scripts exist, but the focus of the article is on the Perl version.

The firewall needs to guard a port range that is used for the
portknocking system and write connection attempts to a log file. A
command like:

    iptables -I INPUT -p tcp -s 0/0 -d 0/0 --dport 55000:55255 -j LOG

should do this.
The installation of the portknocking software itself is not well
described. I did notice that there is a Debian package 'knockd', which I
think might be the same portknocking daemon described in the article.

Configuration is done in the file knockdaemon.conf. The most important
part is the part that defines the knocking sequence. The default is an
8-part sequence where the first 4 values specify the IP-address of the
knocker, followed by a variable which could for instance indicate the
port to be opened, followed by some other random number. After this
sequence, the knocker should also send a checksum for verification.
There is a lot more possible, including date-functions. With all the
possibilities, it should be possible to prevent a replay attack (someone
listening to the knocking sequence and replaying it to open a port for
themselves). Also, it is possible to specify a closing sequence so you
can close a port after you're done with it.

The <template> directive specifies the action to perform for a correct
knocking sequence. Normally that would be a command to open a port in
the firewall, but other, non-firewall-related commands are also
possible.

Most important in the configuration is to specify the correct port range
to scan in the logfile for knocking sequences. Look for the attribute
'portspan'.

The portknocking package is password protected, but it may be wise to
change the default password 'password'.

After configuration, the daemon can be started and will check every
500ms if something has been knocking on some ports.

The portknocking client is also written in Perl. The file
'knockclient.conf' needs to be modified before first use. The IP address
of the server with the knock daemon should be specified (variable
'remote'). The knocking sequence should of course be specified and be
identical to the specification in the daemon's configuration file.
Variable 'client' should specify the IP address of the client (which
will be knocked to the server); variable 'port' specifies the port that
must be opened.

Executing the knocking client should then send a series of knocks to the
server's IP address. These will be written by iptables to a log file.
The portknocking daemon will read this log file and, if the knocking
sequence is correct, execute the required action, like opening the SSH
port.

Of course this system is only an additional security layer and is not a
substitute for keeping your system up-to-date. Nevertheless, it is
recommended by cryptography expert Bruce Schneier:
http://www.schneier.com/crypto-gram-0403.html

Well, that's about it, really. Hope this stuff is helpful for you or
anyone else reading this thread!

--
Matthijs
[EMAIL PROTECTED]

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
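The mechanism Matthijs describes (iptables logs connection attempts on the 'portspan', a daemon parses the log per source address, and a valid sequence triggers an action) is small enough to model end to end. The following Python is an added illustration, not code from the portknocking project or from the C't article: it parses constructed iptables LOG lines, buffers knock values per source IP, and validates a sequence whose layout is an assumption chosen here (4 IP octets, 2 port bytes, 2 nonce bytes, then a checksum knock), since the post only says "8 values followed by a checksum". Each knock value is the destination port minus 55000, so the span matches the iptables rule quoted above. The check that the encoded address equals the logging source address is the defensive point: a sequence captured on the wire and replayed from another host is rejected. The date-based replay protection the post mentions is not modelled.

```python
import re
from collections import defaultdict

# Assumed port span, matching the iptables LOG rule quoted in the post.
PORTSPAN_LOW, PORTSPAN_HIGH = 55000, 55255

# Assumed knock layout (the post only says "8 values, then a checksum"):
#   4 knocks: octets of the knocker's own IP address
#   2 knocks: high and low byte of the port to open
#   2 knocks: random nonce bytes (filler here; no time binding is modelled)
#   1 knock : checksum = sum of the previous 8 values mod 256
SEQ_LEN = 9

# Field order of a kernel LOG line: SRC=... comes before PROTO=... and DPT=...
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*PROTO=TCP .*DPT=(?P<dpt>\d+)")


def parse_knock(line):
    """Return (src_ip, knock_value) for a LOG line inside the port span, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    dpt = int(m.group("dpt"))
    if not PORTSPAN_LOW <= dpt <= PORTSPAN_HIGH:
        return None
    return m.group("src"), dpt - PORTSPAN_LOW


def decode_sequence(src, values):
    """Validate one complete sequence sent by src; return the port to open or None."""
    if len(values) != SEQ_LEN:
        return None
    body, checksum = values[:-1], values[-1]
    if sum(body) % 256 != checksum:
        return None
    encoded_ip = ".".join(str(v) for v in body[:4])
    if encoded_ip != src:
        # The sequence names an address other than the one that sent it:
        # a replayed or relayed sequence, so it must not open anything.
        return None
    return body[4] * 256 + body[5]


def process_log(lines):
    """Run log lines through the daemon logic; return the (src, port) actions to take."""
    pending = defaultdict(list)
    actions = []
    for line in lines:
        knock = parse_knock(line)
        if knock is None:
            continue
        src, value = knock
        pending[src].append(value)
        if len(pending[src]) == SEQ_LEN:
            port = decode_sequence(src, pending.pop(src))
            if port is not None:
                actions.append((src, port))
    return actions


def encode_sequence(client_ip, port, nonce=(0x12, 0x34)):
    """Client side: knock values for client_ip/port under the assumed layout."""
    body = [int(o) for o in client_ip.split(".")] + [port >> 8, port & 0xFF] + list(nonce)
    return body + [sum(body) % 256]


def log_line(src, dpt):
    """Constructed iptables LOG line (sample data, not a real capture)."""
    return (f"Sep 29 23:10:11 gw kernel: IN=eth0 OUT= SRC={src} DST=198.51.100.5 "
            f"LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 "
            f"DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0")


if __name__ == "__main__":
    seq = encode_sequence("192.0.2.10", 22)
    genuine = [log_line("192.0.2.10", PORTSPAN_LOW + v) for v in seq]
    # The same knocks replayed from another host fail the address check.
    replayed = [log_line("203.0.113.7", PORTSPAN_LOW + v) for v in seq]
    print(process_log(genuine + replayed))   # only the genuine sequence opens port 22
```

In a real deployment the action would be an iptables rule inserted for the source address and port, and the daemon would tail the log continuously rather than reading a list; the parsing and validation logic stays the same.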