port knocking with knockd

2013-01-16 Thread jugree
Hello.

I'm trying to enable port knocking with `knockd'.

I configured `/etc/knockd.conf':

(I changed the default ports.)

[options]
UseSyslog

[openSSH]
sequence= 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -A INPUT -I 6 -p tcp --dport 22 -j ACCEPT
tcpflags= syn
cmd_timeout = 25

[closeSSH]
sequence= 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
tcpflags= syn

Then `/etc/default/knockd':

START_KNOCKD=1

And started the daemon via `sudo /etc/init.d/knockd start'

BTW, I have the following line in `iptables':

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

I don't have physical access to the machine. So I decided to keep
the rule and close it from a client:

client$ knock ip 9000 8000 7000

Unfortunately, I can still connect to the SSH port.

Did I make a mistake somewhere?



-- 
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org 
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: 
http://lists.debian.org/38781.150.254.37.193.1358395695.squir...@lavabit.com



Re: port knocking with knockd

2013-01-16 Thread Andrew Alderwick

Hi there,

On Wed, Jan 16, 2013 at 11:08:15PM -0500, jug...@lavabit.com wrote:
[...]

[openSSH]
   sequence= 7000,8000,9000
   seq_timeout = 5
   command = /sbin/iptables -A INPUT -I 6 -p tcp --dport 22 -j ACCEPT
   tcpflags= syn
   cmd_timeout = 25

[...]

[closeSSH]
   sequence= 9000,8000,7000
   seq_timeout = 5
   command = /sbin/iptables -D INPUT -p tcp --dport 22 -j ACCEPT
   tcpflags= syn

[...]

BTW, I have the following line in `iptables':

-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

I don't have physical access to the machine. So I decided to keep
the rule and close it from a client:

client$ knock ip 9000 8000 7000

Unfortunately, I can still connect to the SSH port.

Did I make a mistake somewhere?


I've spotted that the rules aren't exactly identical, which is required 
by iptables to delete the rule you want. Lining them all up together:

-A INPUT -I 6 -p tcp --dport 22 -j ACCEPT
-D INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

The -A and -D at the beginning stand for Adding and Deleting a rule, so 
they do need to be different. However, the rest of the commands clearly 
aren't identical: while I think -m tcp is brought in automatically by 
-p tcp and can be ignored, you're certainly missing the -m state 
--state NEW portion in your config file. So let's try changing the 
commands in your config file to be:


[openSSH]
...
command = /sbin/iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

[closeSSH]
...
command = /sbin/iptables -D INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT

These commands match what you've already got in the firewall. If your 
firewall received that rule on system startup, then knockd's config will 
continue to be valid across reboots.


Finally, can I suggest that if you don't have physical access, perhaps 
it's worth testing your setup with something other than the SSH port? 
For example, if you aren't already running a webserver, install a tiny 
one and test all the above rules with port 80 instead. Even if the 
webserver just gives you a 404 error, you'd still know if the firewall 
rules were working properly.


With the configuration you've provided, you were extremely lucky that 
the deletion command didn't work; this is because -A INPUT -I 6 in 
your addition command is invalid syntax and causes iptables to refuse to 
do anything. You may have meant -I INPUT 6 and I have used -I INPUT 
to simplify things further.


Hope this helps,
Andy
--
Dr Andrew Alderwick


Archive: http://lists.debian.org/20130117070139.ga23...@alderwick.co.uk