Mailing List Archive: Gentoo: Security

Port knocking

Index | Next | Previous | View Threaded

moixa at gmx

Oct 4, 2005, 12:45 PM

Post #1 of 10 (1387 views)
Permalink

Port knocking

on 2005-10-04 19:16 Kirk Hoganson wrote the following:
> Yes, there are. I use one for my work servers that is iptables based.
> I don't have any links for you unfortunately but I have seen them. If
> you are really interested I can probably track down one I saw that used
> iptables and was a combination style. I also know of an open source
> "magic packet" style that I could probably find a link for if you were
> interested.

That's a possibility I once saw on slashdot:

iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 \
--name PART1 --name PART2 --name PART3 -j ACCEPT

I have not tested if this works, but it looks plausible to me.
Please note this security flaw (fixed in 2.6.14) about ipt_recent:
http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/

>From the same guy, a shorewall solution for SSH attack:
http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-ipt_recent/

There are numerous knock, knock implementations listed at:
http://www.portknocking.org/view/implementations/implementations

IMHO, the problem with "normal" port knocking tools is the dependency on
client software. I would prefer a solution which can be used without
(too much) hassle (eg. using telnet and then putty or such).
This evidently is not be possible when using more sophisticated port
knocking with timing or specially crafted / encrypted packages, unless
you have a really good feel for timing.. ;-)

Cheers
Tobias

--
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28

Attachments:

signature.asc (0.18 KB)

morganrallen at sbcglobal

Oct 4, 2005, 1:12 PM

Post #2 of 10 (1346 views)
Permalink

RE: port knocking [In reply to]

Here is a method I use to frustrate people trying to
nab my wifi connection using iptables (wireless router
-> linux router -> dsl -> net). The wireless router in
setup with a basic NAT for my desktops and wireless
but the wireless comes in on its own nic. with
prerouting set to drop, I have
[1:56] -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT

echo 204 > /proc/sys/net/ipv4/ip_default_ttl
on my laptop init

--
gentoo-security [at] gentoo mailing list

boger at ttk

Oct 4, 2005, 1:20 PM

Post #3 of 10 (1350 views)
Permalink

Re: Port knocking [In reply to]

Hello Tobias,

TS> That's a possibility I once saw on slashdot:

TS> iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
TS> iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
TS> iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 \
TS> --name PART1 --name PART2 --name PART3 -j ACCEPT

It's the best :)
I'll add some protection from plain port scan.
iptables -A INPUT -p tcp --dport 999 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 1001 -m recent --remove --name PART1
...

TS> There are numerous knock, knock implementations listed at:
TS> http://www.portknocking.org/view/implementations/implementations

I've found this page not long ago, most promising temprules. I'm currently experimenting with them.
TS> IMHO, the problem with "normal" port knocking tools is the dependency on
TS> client software. I would prefer a solution which can be used without
TS> (too much) hassle (eg. using telnet and then putty or such).
TS> This evidently is not be possible when using more sophisticated port
TS> knocking with timing or specially crafted / encrypted packages, unless
TS> you have a really good feel for timing.. ;-)
Same to me ;)
or even a web browser: http://somehost:123

--
Best regards,
boger mailto:boger [at] ttk

--
gentoo-security [at] gentoo mailing list

boger at ttk

Oct 4, 2005, 1:25 PM

Post #4 of 10 (1345 views)
Permalink

Re: RE: port knocking [In reply to]

Hello morgan,

Wednesday, October 5, 2005, 12:12:53 AM, you wrote:

ma> Here is a method I use to frustrate people trying to
ma> nab my wifi connection using iptables (wireless router
->> linux router -> dsl -> net). The wireless router in
ma> setup with a basic NAT for my desktops and wireless
ma> but the wireless comes in on its own nic. with
ma> prerouting set to drop, I have
ma> [1:56] -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT

echo 204 >> /proc/sys/net/ipv4/ip_default_ttl
ma> on my laptop init

Correct me if I wrong, but it works only from lan, because ttl decreases when routed.

Also it needs root or special user to change /proc/sys/...

--
Best regards,
boger mailto:boger [at] ttk

--
gentoo-security [at] gentoo mailing list

dan.gregory at mci

Oct 4, 2005, 1:31 PM

Post #5 of 10 (1345 views)
Permalink

Re: RE: port knocking [In reply to]

morgan allen wrote:

> -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
>
> echo 204 > /proc/sys/net/ipv4/ip_default_ttl

202 != 204?

Is this a typo?

Dan
--
gentoo-security [at] gentoo mailing list

morganrallen at sbcglobal

Oct 4, 2005, 1:45 PM

Post #6 of 10 (1349 views)
Permalink

RE: port knocking [In reply to]

Yes I have it setup to work only from lan side, but i
can work from the net side by tracerouting first, then
setting the ittl accordingly. And yes, unfortunatly it
does require special privleges.
--
gentoo-security [at] gentoo mailing list

morganrallen at sbcglobal

Oct 4, 2005, 1:51 PM

Post #7 of 10 (1349 views)
Permalink

RE: port knocking [In reply to]

nope, laptop -> wifi router -> iptable
--
gentoo-security [at] gentoo mailing list

wwong at Princeton

Oct 4, 2005, 2:57 PM

Post #8 of 10 (1358 views)
Permalink

Re: RE: port knocking [In reply to]

On Tue, Oct 04, 2005 at 04:31:38PM -0400, Dan Gregory wrote:
> > -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
> >
> > echo 204 > /proc/sys/net/ipv4/ip_default_ttl
>
> 202 != 204?
>
> Is this a typo?
>
Thought so first, but remember that each time a router touches it the
ttl gets decreased. So if the linux routing box it two hops away from
the laptop (which is likely if he has a separate wireless router
dedicated to such use) the difference of two would be the right
solution. :)

W
--
"What the hell, he thought, you're only young once, and
threw himself out of the window. That would at least keep
the element of surprise on his side."

- Ford outwitting a Vogon with a rocket launcher by going
into another certain death situation.
Sortir en Pantoufles: up 54 days, 58 min
--
gentoo-security [at] gentoo mailing list

boger at ttk

Oct 11, 2005, 11:00 AM

Post #9 of 10 (1343 views)
Permalink

port knocking [In reply to]

This is result of last week discussion about port knockers.
Its my second bash script (first is my firewall), so any feedback will be appreshiated ;)

usage: ./knocker.sh <config file name> del
Path to config file is constant in knocker.sh.
del - is optional, simply deletes target chain

script has no limits on knock sequences, and demands statefull filtering enabled
ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Attachments:

knocker.sh (2.13 KB)

test (77 B)

JeffG at kizan

Oct 20, 2005, 12:42 PM

Post #10 of 10 (1352 views)
Permalink

RE: port knocking [In reply to]

My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(192.168.33.0/24), an entry for your IP address is added to iptables.
When you log out, the entry is removed. I know it's ugl but it works
well. If the script is restarted any existing iptable entries will
obviously get orphaned. This only works because there si no dns
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#! /usr/bin/env python
import string,os,time
# Dictionary value explaination (key is IP) # I= insert into iptables,
user logged in # D= delete from iptables, user disconnected # L= don't
do anything, user is still logged in master={} while (1):
for i in master.keys():
master[i]="D" #First assume everybody left #
loggedIn=os.popen("who | grep 192.168.33 | sed 's/.*($.*$)/\1/g' |
sort -u") #
for i in loggedIn.readlines():
i=i.strip()
if master.has_key(i):
master[i]="L" #leave this IP in iptables (change "D" value)
else: master[i]="I" #insert this IP in iptables (new key) #
for i in master.keys():
if master[i] == 'L':
print 'ignoring IP: '+i
continue
elif master[i] == 'I':
print 'new IP: '+i
os.popen("/sbin/iptables -I FORWARD -p all -s "+i+" -j
ACCEPT")
else:
print 'removing IP: '+i
os.popen("/sbin/iptables -D FORWARD -p all -s "+i+" -j
ACCEPT")
time.sleep(3)

+++++++++++++++++++++++++++++++++++++++++++++
Second Script:
This script is a bit more complicated. An entry is added to iptables to
match icmp traffic to playboy.com and log it. Syslog-ng will filter The
trigger in this script is playboy.com and your mac address (grepped from
arp -a) is added to the iptables leaf wireless2net (I use shorewall).

#!/bin/env python
# filename: /usr/sbin/portknock.py
import os,time
print "Flush the iptables chain or create it if it doesn't exist"
a=os.popen('/sbin/iptables -F wless_portknock || /sbin/iptables -N
wless_portknock') print "Check to see if chain is included in
wireless2net chain"
if os.popen('/sbin/iptables -L wireless2net | grep
wless_portknock').readlines()==[]: os.popen('/sbin/iptables -I
wireless2net 2 -j wless_portknock')

print 'starting loop'
master={}
while (1):
for r in os.popen('grep "`/usr/bin/date +"%b %e"`"
/var/log/portknock | cut -d " " -f8 | cut -d "=" -f2 | sort
-u').readlines():
if len(r)==0:continue
r=r.strip()
i=os.popen('arp -an | grep '+r+'| cut -d " " -f4').readline()
i=i.strip()
if master.has_key(i):continue
else:
master[i]=''
print 'adding mac '+i+' which belongs to IP '+r
a3=os.popen("/sbin/iptables -I wless_portknock -p all -j
ACCEPT -m mac --mac-source "+i)
time.sleep(3)

-----------------------------------------------
The relevent entry in the shorewall rules file

ACCEPT:info:pnoc wireless net:216.163.137.3
icmp

-----------------------------------------------
The relevent parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); }; filter
f_portknock { match ("Shorewall:wireless2net:ACCEPT"); }; log {
source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets trunicated so syslog-ng never
sees it.

------------------------------------------------
At midnight cron runs the following reset script:

#!/bin/bash
echo > /var/log/portknock
kill `pgrep -f portknock.py`
python /usr/sbin/portknock.py&

------------------------------------------------
Like I said, it's complicated. Don't forget to touch /var/log/portknock

-Jeff

-----Original Message-----
From: boger [mailto:boger [at] ttk]
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security [at] lists
Subject: [gentoo-security] port knocking

This is result of last week discussion about port knockers.
Its my second bash script (first is my firewall), so any feedback will
be appreshiated ;)

usage: ./knocker.sh <config file name> del Path to config file is
constant in knocker.sh.
del - is optional, simply deletes target chain

script has no limits on knock sequences, and demands statefull filtering
enabled ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT

--
gentoo-security [at] gentoo mailing list

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads