I just implemented port knocking on one of my internet facing servers. A decent article on it is here: http://www.linuxjournal.com/magazine/implement-port-knocking-security-knockd
The server setup was pretty dang simple. Make sure your firewall has a few fallback rules before you implement this, of course. In particular, hand-enter one for the subnet of the workstation you're ssh'ing from, and make sure you have an ESTABLISHED,RELATED rule (otherwise your own session dies the moment the knock-opened hole closes). My default rules look like this:
# keep existing connections (including the ssh session you're on) alive
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# fallback: accept new ssh connections (port 22 assumed) from the admin workstation's subnet MYNET
iptables -A INPUT -p tcp -m state --state NEW --dport 22 -s MYNET -j ACCEPT
# everything else is rejected; anything knockd opens has to be inserted above this rule
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
The only wrinkle I found was writing scripts for doing the knocking. I had used the package recommended in the article, 'knockd', and it comes with a client, 'knock'. Unfortunately, I found the 'knock' utility knocked too fast. Additionally, MacPorts didn't appear to have a port of it for OS X. What I did instead was write a script around "nc -z" with some sleeps, which is both portable and works.
Here's a (sanitized) copy of my knock script. No, these aren't the real ports I'm using :-)
#!/bin/sh
# Knock each port in order. -z connects without sending data; -w 1 caps each
# attempt at one second so a dropped (rather than rejected) port can't stall the sequence.
for p in 12345 23456 34567 45678 56789 ; do
    nc -v -z -w 1 myserver.domain.top "$p"
    sleep 1
done
Just remember to put enough sequence time (parameter 'seq_timeout') in your /etc/knockd.conf for the above to finish. With a 1 second sleep, a seq_timeout of about 2-3 times the number of ports you're knocking (in seconds) works.
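For reference, here is what a matching /etc/knockd.conf could look like. This is an added example, not the author's config: it assumes the sanitized port sequence from the script above, sshd on port 22, iptables at /sbin/iptables, and eth0 as the interface knockd listens on.

```ini
# /etc/knockd.conf (example)
[options]
        UseSyslog
        interface = eth0

# 5 ports knocked 1 second apart: seq_timeout = 3 x 5 = 15 seconds of slack
[opencloseSSH]
        sequence      = 12345,23456,34567,45678,56789
        seq_timeout   = 15
        tcpflags      = syn
        # -I INPUT 1 puts the hole ABOVE the final REJECT rule; -A would land below it and never match
        start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
        # the hole stays open for 10 seconds, long enough to start the ssh session
        cmd_timeout   = 10
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

Two things worth checking after a restart of knockd: that the hole is opened only for the knocking address (%IP%), not for the world, and that it closes again on its own (cmd_timeout) so a forgotten session doesn't leave port 22 exposed. The ESTABLISHED,RELATED rule at the top of the INPUT chain is what keeps the already-open ssh connection alive once stop_command removes the ACCEPT.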
Luck!