Sunday, October 28, 2012

Port Knocking


I just implemented port knocking on one of my internet facing servers.  A decent article on it is here: http://www.linuxjournal.com/magazine/implement-port-knocking-security-knockd

The server setup was pretty dang simple.  Make sure your firewall has a few fallback rules in place before you implement this, of course.  In particular, hand enter one for the subnet of the workstation you're ssh'ing in from, and make sure you have an ESTABLISHED,RELATED rule.  My default rules look like this:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state NEW -m tcp -p tcp --source MYNET/MYNETMASK --dport 22 -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited


The only wrinkle I found was writing scripts for doing the knocking.  I used the package recommended in the article, 'knockd', and it comes with a client, 'knock'.  Unfortunately, I found the 'knock' utility knocked too fast.  Additionally, macports didn't appear to have a port of it for OSX.  What I did instead was use a script built on "nc -z" with some sleeps, which is both portable and works.

Here's a (sanitized) copy of my knock script.  No, these aren't the real ports I'm using :-)

#!/bin/sh
# Knock each port in order, one second apart, so knockd sees the sequence.
# -z only probes the port (no data), and -w 1 gives up after one second so a
# port that silently DROPs, rather than REJECTs, can't stall the sequence.
for p in 12345 23456 34567 45678 56789 ; do
    nc -v -z -w 1 myserver.domain.top $p
    sleep 1
done



Just remember to allow enough sequence time (the 'seq_timeout' parameter) in your /etc/knockd.conf for the above to finish.  With a 1 second sleep, try a seq_timeout of about 2-3 times the number of ports you're knocking.
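As an added example (not the blog's own script, and not anything shipped with knockd), here is a more general version of the same approach: a POSIX sh knock client that takes the host and port list as arguments, a helper that applies the seq_timeout rule of thumb above, and a helper that prints the matching knockd.conf stanza.  It assumes an nc that accepts -z and -w (the OpenBSD/macOS and GNU versions both do); the file name knock.sh, the variables KNOCK_NC and KNOCK_DELAY, and the functions knock, seq_timeout_for and knockd_stanza are names chosen for this example.  One caveat it bakes in: knockd's sample config opens the port with 'iptables -A', and with a chain like the one above that ends in a REJECT, that appends the ACCEPT after the REJECT where it is never reached, so the stanza uses -I to insert at the top of INPUT instead.

```shell
#!/bin/sh
# Added example, not the blog's own script: generic port-knock client plus
# helpers for sizing knockd's seq_timeout and emitting a knockd.conf stanza.
# The names knock, seq_timeout_for, knockd_stanza, KNOCK_NC and KNOCK_DELAY
# belong to this example. Assumes an nc that understands -z (probe only) and
# -w <seconds> (connect timeout), as the OpenBSD/macOS and GNU versions do.

# knock HOST PORT...  - send one TCP connect attempt per port, in order.
# KNOCK_DELAY (default 1 second) is the pause between knocks so knockd sees
# them in sequence; KNOCK_NC lets a test substitute another command for nc.
knock() {
    host=$1
    shift
    for p in "$@"; do
        # -w 1: give up after a second so a port that silently DROPs (rather
        # than REJECTs) cannot stall the whole sequence past seq_timeout.
        # A refused connection is the expected result, so ignore the status.
        "${KNOCK_NC:-nc}" -z -w 1 "$host" "$p" 2>/dev/null || true
        sleep "${KNOCK_DELAY:-1}"
    done
}

# seq_timeout_for NPORTS DELAY - the rule of thumb from the post: with DELAY
# seconds between knocks, allow about three times the sequence length (the
# upper end of the "2-3 times" range) so a slow link does not expire it.
seq_timeout_for() {
    echo $(( $1 * $2 * 3 ))
}

# knockd_stanza NAME TIMEOUT PORT... - print a knockd.conf section that opens
# ssh for the knocking IP. Uses 'iptables -I' so the ACCEPT is inserted at the
# top of INPUT: with a chain that ends in a REJECT, 'iptables -A' would append
# the ACCEPT after the REJECT, where it is never reached.
knockd_stanza() {
    name=$1
    timeout=$2
    shift 2
    seq=$(printf '%s,' "$@")
    seq=${seq%,}                       # drop the trailing comma
    cat <<EOF
[$name]
    sequence    = $seq
    seq_timeout = $timeout
    tcpflags    = syn
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# Usage: sh knock.sh myserver.domain.top 12345 23456 34567 45678 56789
# (the host name and ports are the post's placeholder values, not real ones)
if [ "$#" -ge 2 ]; then
    host=$1
    shift
    echo "seq_timeout for this sequence should be at least $(seq_timeout_for $# "${KNOCK_DELAY:-1}")" >&2
    knock "$host" "$@"
fi
```

Running it with a host and port list sends the knocks and prints the seq_timeout the sequence needs; `knockd_stanza openSSH 15 12345 23456 34567 45678 56789` prints the server-side section to paste into /etc/knockd.conf.  A matching close stanza would use the same ports in reverse and 'iptables -D' with the same ACCEPT rule.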

Luck!



Friday, October 26, 2012

My review of Square / SquareUp

So, some while ago, I downloaded a copy of the Square payment application for my android phone. For those unfamiliar with it, it's a small credit card payment app for your Apple or Android smart phone.  Home page is here: https://squareup.com/.   I should note that Intuit also has a competing product.

The basics of it are that you set up an account with Square, you link it to a bank account, and you accept payments via your phone.  They send you a little card reader plugin that is supposed to plug into your smart phone's microphone/headset jack, but you can also manually enter a credit card number, which is fortunate.

With the default account, they charge a small per transaction fee, I think 2.75%.  Less than traditional credit cards, but they limit how much per week you can process.

I generally like it - my only complaint is that I've never gotten the funky card reader to operate, and have always had to manually key in the credit card numbers.  I've tried this with 3 different card reader widgets (two from Square, and one I bought at Radio Shack), and on three different android devices: my HTC Evo 4G, my wife's HTC Evo Slide, and a hacked Nook Color tablet running CyanogenMod.   This is doubly a bummer, 'cause Square charges you an extra 1/4% on manually entered card numbers.

Nonetheless, give it a try.  It's a nifty tool.

-- Pat

Thursday, October 18, 2012

A short rant about Fedora:

Sorry Fedora, you've lost me. 

I've been a linux devotee since around '93 or so, my first install was the SLS linux distro from a stack 'o floppies downloaded painfully via modem.  I've been a professional sysadmin specializing mostly in linux (with some other unix flavors) for about a decade and a half now.

Ergo, I've gotten very familiar with lots of different linux setups.

Unfortunately, though, fedora is moving sharply away from what I considered to be one of the best features of linux and unix like os's overall: discoverability.

Don't know where something is configured?  A "grep -R" or "find . -type f | xargs grep" has a very high likelihood of finding it.  Once you get a hit, then you have some context you can use in a "man -k" or google search.  Voila, one more configuration issue solved.

Unfortunately, with the sharp turn toward opaque tools (journal, systemd, network-manager) fedora is breaking away from this, and sadly the rest of linux land appears to be following. 

I always rather despised having to use special tools to find errors in windows (event viewer), now I have to do the same in fedora (journalWhateverTheHeckItsNamed).  I hate not having the system config and startup in an obvious, known, transparent and readable location (what, /etc/rc.d/init.d/ is empty?!  Blargh, I hate having to find, and then try to read XML.)  Whups -- I need to do something slightly out of the 'standard' laptop network setup, like a static IP and a bridge for a VM setup, uh, where do I configure that again?  Oh, my system moved and needs to be renamed, uh, where is that at?

Sure change is good, yadda yadda.   Transparency, though, is better.

-- Pat

p.s. and da** solaris for doing the same, but earlier and worse.  Can't even edit /etc/nsswitch.conf on sol 11 anymore ...