Hello!
I'm using the Port Knocking example found here:
http://www.shorewall.net/PortKnocking.html
It works perfectly. Also, I've switched the knocking to use UDP packets
(short reason: Windows blows), and that is working perfectly as well.
However, there is one thing I do not understand, and I'm hoping someone
will be able to help me. Here's the contents of /etc/shorewall/SSHKnock
after I've made my changes:
if [ -n "$LEVEL" ]; then
    # Log an ACCEPT for SSH from an address that is on the "SSH" recent list
    log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp \
        --dport 22 -m recent --rcheck --name SSH
    # Log a DROP for UDP traffic other than port 22 (carried over from the TCP version)
    log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p udp \
        --dport ! 22
fi
# SSH is accepted only from an address that knocked on 1600 within the last 60 s
run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck \
    --seconds 60 --name SSH -j ACCEPT
# Knock ports: 1599 and 1601 remove the address from the list, 1600 adds it
run_iptables -A $CHAIN -p udp --dport 1599 -m recent --name SSH --remove -j DROP
run_iptables -A $CHAIN -p udp --dport 1600 -m recent --name SSH --set -j DROP
run_iptables -A $CHAIN -p udp --dport 1601 -m recent --name SSH --remove -j DROP
You'll notice that the 3 knocking ports (2 that force-close and one that
opens) are now switched to UDP. The line that doesn't look correct
anymore is the second of the logging lines in the if statement. Before,
we wouldn't want to log a drop for the accepted TCP port. However, in
this case, it seems to me that having the "--dport ! 22" is no longer
needed. Would I just drop that?
Along with that, wouldn't it be better to have this rule logging only
packets specifically interesting to this rule? In other words, I
wouldn't want to turn on logging for this rule and have *every* UDP
packet logged when this rule is only interested in 3 UDP ports. Some
other rule might enable that logging, but not this one. What about
having something like this:
if [ -n "$LEVEL" ]; then
    log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp \
        --dport 22 -m recent --rcheck --name SSH
    # One DROP log line per knock port instead of "--dport ! 22"
    log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p udp \
        --dport 1599
    log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p udp \
        --dport 1600
    log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p udp \
        --dport 1601
fi
It adds 2 more logging lines, but it only affects the logging rules for
the 3 ports we're interested in, rather than the 65,000 or so that we're
not. Am I missing something?
Also, I have step-by-step instructions written up for enabling port
knocking (including loading the necessary module), as well as creating a
simple Windows batch file for handling UDP port knocking. It's not
terribly complex, nor all that different than the shorewall page linked
above. However, it is more step-by-step. Would there be any interest
in adding this to the Bering-uClibc documentation?
Tim Massey
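As an added illustration (not from Tim's post or from Shorewall), a small Python model of the ruleset above: it tracks the "SSH" recent list and records what each logging variant (the post's "--dport ! 22" line versus one line per knock port) would log for a constructed packet trace. The host addresses, the unrelated port 5353 and the timings are assumed values.

```python
# Models the iptables "-m recent" list behind the post's SSHKnock rules on a constructed trace.
from collections import namedtuple
from dataclasses import dataclass, field
KNOCK_CLOSE, KNOCK_OPEN, WINDOW = (1599, 1601), 1600, 60   # values from the post
Packet = namedtuple("Packet", "src proto dport t")   # proto "tcp"/"udp"; t = arrival time in s

@dataclass
class SSHKnock:
    narrow_log: bool                            # True = the author's proposed log rules
    recent: dict = field(default_factory=dict)  # the "SSH" list: src -> time of last --set
    log: list = field(default_factory=list)     # (disposition, dport) log records

    def _rcheck(self, p, seconds=None):
        # --rcheck matches if src is in the list; --seconds N also requires a recent --set
        t0 = self.recent.get(p.src)
        return t0 is not None and (seconds is None or p.t - t0 <= seconds)

    def _log(self, p):
        # the log_rule_limit lines come first in the chain, so they see every packet
        if p.proto == "tcp" and p.dport == 22 and self._rcheck(p):   # post's line has no --seconds
            self.log.append(("ACCEPT", p.dport))
        elif p.proto == "udp":
            wide, narrow = p.dport != 22, p.dport in KNOCK_CLOSE + (KNOCK_OPEN,)
            if (narrow if self.narrow_log else wide):
                self.log.append(("DROP", p.dport))

    def handle(self, p):
        self._log(p)
        if p.proto == "tcp" and p.dport == 22:
            return "ACCEPT" if self._rcheck(p, WINDOW) else "CONTINUE"
        if p.proto == "udp" and p.dport in KNOCK_CLOSE:
            self.recent.pop(p.src, None)            # --remove
            return "DROP"
        if p.proto == "udp" and p.dport == KNOCK_OPEN:
            self.recent[p.src] = p.t                # --set (refreshes the timestamp)
            return "DROP"
        return "CONTINUE"                           # not matched here; later rules decide

def run(narrow_log):
    # Constructed trace: open knock, SSH in the window, unrelated UDP, close knock, SSH again;
    # then a second host knocks and tries SSH 80 s later (outside the 60 s window).
    trace = [Packet("10.0.0.5", "udp", 1600, 0), Packet("10.0.0.5", "tcp", 22, 10),
             Packet("10.0.0.5", "udp", 5353, 11), Packet("10.0.0.5", "udp", 1599, 12),
             Packet("10.0.0.5", "tcp", 22, 13), Packet("10.0.0.9", "udp", 1600, 20),
             Packet("10.0.0.9", "tcp", 22, 100)]
    fw = SSHKnock(narrow_log)
    return [fw.handle(p) for p in trace], fw.log
```

The last packet shows a second mismatch worth fixing: the ACCEPT log line has no --seconds 60, so it logs an "ACCEPT" for an SSH attempt that the real rule, 80 s after the knock, no longer accepts. Adding --seconds 60 to that log_rule_limit line keeps the log in step with the rule.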
leaf-user mailing list: [email protected]
https://lists.sourceforge.net/lists/listinfo/leaf-user