Daryl Caudill
2008-Jun-18 15:24 UTC
Expanding SSHKnock shell script, a few questions please
Hi all,

Another Debian Etch fan here, running shorewall (shell) 3.2.6-2 (and yes, I'm going to upgrade when Lenny goes stable). I already have the SSHKnock working, as documented on the website: http://www.shorewall.net/PortKnocking.html Thanks, works great!

In addition to the knock to open 22, I want to also ADD a redirect, from 2222 to 22 on an internal box. So, when I knock on 1600 (example), I want the firewall to BOTH open 22 on the firewall, AND redirect 2222 to 22 on the internal box. I think I have it figured out, but since it's a live firewall, I don't want to start mucking with it (and no, I'm not really using port 1600 for the knock, I did change it!). I think this is what I need, did I get it right?

/etc/shorewall/SSHKnock

    # Logging rules (only when a log level is given on the rule)
    if [ -n "$LEVEL" ]; then
        log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
        log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22
    fi

    # A DNAT-'d 2222 packet reaches this chain with --dport 22 already
    # rewritten, so the same four rules serve both the firewall and the
    # forwarded host; the 'recent' list is shared by --name SSH.
    run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT
    run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
    run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
    run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP

(the above log_rule_limit for --dport ! 22 concerns me)

/etc/shorewall/rules

    #ACTION   SOURCE  DEST                PROTO  DEST                SOURCE   ORIGINAL
    #                                            PORT(S)             PORT(S)  DEST
    # Translate a.b.c.d:2222 to 192.168.1.5:22 but do not accept it yet (DNAT-)
    DNAT-     net     loc:192.168.1.5:22  tcp    2222                -        a.b.c.d
    SSHKnock  net     $FW                 tcp    22,1599,1600,1601
    # After DNAT the filter table sees port 22, not 2222
    SSHKnock  net     loc:192.168.1.5     tcp    22                  -        a.b.c.d

(and use my WAN IP for a.b.c.d)

In case you are wondering why I want to open two ports with one knock, instead of creating another knock setup, I want one knock to open both to simplify things, so I can ssh into both the firewall and my desktop from home via one knock.

btw Thanks Tom for all the awesome work you continue to do for us, I am very grateful!

Regards,
Daryl

-------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for just about anything Open Source.
http://sourceforge.net/services/buy/index.php
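The knock logic in the SSHKnock action above, replayed in Python as an added example (this is not code from the original post or from Shorewall). It imitates the iptables 'recent' match just far enough to show why the decoy ports and the 60-second window behave as they do, and goes one step beyond the post by replaying a sequential port scan. It assumes that the 'recent' list is shared by --name between the net->fw and net->loc copies of the action, that a DNAT-'d packet reaches the filter table with destination port 22, and that a packet matching no rule falls through to a DROP policy; the addresses and packet traces are constructed.

```python
"""Replay of the SSHKnock chain against constructed packet traces.

Added example, not Shorewall's code.  It models the iptables 'recent'
match: --set records a source, --remove forgets it, and --rcheck
--seconds N matches only while the entry is fresher than N seconds.
Ports and window are the ones in the post; addresses are made up.
"""

from dataclasses import dataclass, field

KNOCK_PORT = 1600              # --set: the real knock
DECOY_PORTS = (1599, 1601)     # --remove: hitting either forgets the knock
PROTECTED_PORT = 22
WINDOW = 60                    # from --rcheck --seconds 60
DNAT = {2222: PROTECTED_PORT}  # the DNAT- rule: a.b.c.d:2222 -> 192.168.1.5:22


@dataclass
class RecentList:
    """One named xt_recent list ('SSH' in the post).

    The list is keyed by --name, not by chain, so the net->fw and net->loc
    uses of the action share it: one knock opens both (assumption stated
    in the lead-in).
    """
    entries: dict = field(default_factory=dict)   # src -> time of last --set

    def set(self, src, now):
        self.entries[src] = now

    def remove(self, src):
        self.entries.pop(src, None)

    def rcheck(self, src, now, seconds):
        # --rcheck does not refresh the timestamp (that would be --update)
        return src in self.entries and now - self.entries[src] <= seconds


def sshknock(recent, src, dport, now):
    """Verdict of the SSHKnock chain for one TCP packet, rules in post order.

    A packet that matches nothing returns to the calling chain, where the
    net zone's policy applies.  The post does not show that policy; DROP is
    assumed, so "RETURN" is reported and treated as not accepted.
    """
    if dport == PROTECTED_PORT and recent.rcheck(src, now, WINDOW):
        return "ACCEPT"
    if dport == DECOY_PORTS[0]:
        recent.remove(src)
        return "DROP"
    if dport == KNOCK_PORT:
        recent.set(src, now)
        return "DROP"
    if dport == DECOY_PORTS[1]:
        recent.remove(src)
        return "DROP"
    return "RETURN"


def replay(trace):
    """Run (seconds, src, dport) packets through a fresh chain; return verdicts.

    dport is the port the client sent to.  DNAT- rewrites 2222 to 22 in
    PREROUTING, so the filter chain only ever sees 22 (assumption).
    """
    recent = RecentList()
    return [sshknock(recent, src, DNAT.get(dport, dport), t)
            for t, src, dport in trace]


# Constructed traces (not captured traffic): (seconds, source, dest port).
LEGIT = [(0, "198.51.100.7", 1600), (5, "198.51.100.7", 22)]
LATE = [(0, "198.51.100.7", 1600), (61, "198.51.100.7", 22)]
SCAN = [(0, "203.0.113.9", 1599), (1, "203.0.113.9", 1600),
        (2, "203.0.113.9", 1601), (3, "203.0.113.9", 22)]
BOTH = [(0, "198.51.100.7", 1600), (5, "198.51.100.7", 22),
        (6, "198.51.100.7", 2222)]

if __name__ == "__main__":
    for name, trace in [("legit", LEGIT), ("late", LATE),
                        ("sequential scan", SCAN), ("fw and forwarded", BOTH)]:
        print(f"{name:16s} {replay(trace)}")
```

The scan trace is the reason the two decoy ports exist: a scanner walking 1599, 1600, 1601 in order sets the entry on 1600 and then removes it again on 1601, so its later probe of 22 never matches --rcheck. The last trace shows the single shared list doing the work the post asks for: one knock, then both 22 on the firewall and 2222 (seen as 22 after DNAT) to the internal box are accepted within the same 60-second window.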
Roberto C. Sánchez
2008-Jun-18 22:01 UTC
Re: Expanding SSHKnock shell script, a few questions please
On Wed, Jun 18, 2008 at 08:24:11AM -0700, Daryl Caudill wrote:
> Hi all,
>
> Another Debian Etch fan here, running shorewall (shell) 3.2.6-2 (and yes, I'm going to upgrade when Lenny goes stable).
>
There is really no need to wait for Lenny. You can upgrade now:

http://people.connexer.com/~roberto/debian/

These are the same packages that are in Lenny/Sid.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Daryl Caudill
2008-Jun-18 23:01 UTC
Re: Expanding SSHKnock shell script, a few questions please
> There is really no need to wait for Lenny. You can upgrade now:
> http://people.connexer.com/~roberto/debian/
>
> These are the same packages that are in Lenny/Sid.

Hi Roberto,

No can do. My boss would never let me upgrade our live production firewall from a supported Etch package to your archive. Thanks though, I appreciate the suggestion.

The original question still stands... do I have it right? Did I miss anything?

Thanks,
Daryl
Roberto C. Sánchez
2008-Jun-18 23:40 UTC
Re: Expanding SSHKnock shell script, a few questions please
On Wed, Jun 18, 2008 at 03:58:18PM -0700, Daryl Caudill wrote:
> > There is really no need to wait for Lenny. You can upgrade now:
> > http://people.connexer.com/~roberto/debian/
> >
> > These are the same packages that are in Lenny/Sid.
>
> Hi Roberto,
>
> No can do. My boss would never let me upgrade our live production firewall from a supported Etch package to your archive. Thanks though, I appreciate the suggestion.
>
I'm not sure that you understand the support situation. The version currently in Etch is 3.2.6. It is *very* old and is no longer supported. Theoretically, because it is part of a stable release, the Debian Security Team would provide security support. However, no one is looking for security vulnerabilities (at least on the upstream side).

The packages available from my repo are *exactly* the same as those in Lenny/Sid, except that I have tweaked the version number so that the next stable release of Debian overtakes them. I am the maintainer of the packages in Debian. So, if you use the Debian packages, using my packages is no different.

Additionally, Tom Eastep, the author of Shorewall, uses the packages from my repository on his Ubuntu systems. I upload new packages to Sid and to my repo usually within 24 hours of a new upstream release.

You are more likely to get good support for 4.0.x than you are for 3.2.x around here.

I just wanted to make sure that you are aware of the situation. I personally gain nothing regardless of which packages you use. But there is no sense in you using unnecessarily ancient packages.

> The original question still stands... do I have it right? Did I miss anything?
>
To be honest, I don't use port knocking so I don't know.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Daryl Caudill
2008-Jun-19 00:10 UTC
Re: Expanding SSHKnock shell script, a few questions please
Whoooooooooooops!!!!

I went and annoyed our package maintainer DOH! Sorry about that!

Thanks for all of that info Roberto, I appreciate you bringing me up to speed.

Damn, I've been using version 3.x for so long, I haven't even looked at 4.x yet. Well, since Lenny is going stable in a few months anyways, I guess it's time to get off my butt and learn version 4.x

I noticed there are two versions: shell vs perl. I don't know perl, is it okay to stick with shell? Is the perl version superior, or the future of shorewall? Should I switch to perl? Will I miss out on features or ease by sticking with shell?

I'll check out version 4. Is 3 upgradeable to 4? I suspect I'll be rewriting my config files, and that's fine with me.

Thanks Roberto!

> I'm not sure that you understand the support situation. The version
> currently in Etch is 3.2.6. It is *very* old and is no longer
> supported. Theoretically, because it is part of a stable release, the
> Debian Security Team would provide security support. However, no one is
> looking for security vulnerabilities (at least on the upstream side).
>
> The packages available from my repo are *exactly* the same as those in
> Lenny/Sid, except that I have tweaked the version number so that the
> next stable release of Debian overtakes them. I am the maintainer of
> the packages in Debian. So, if you use the Debian packages, using my
> packages is no different.
>
> Additionally, Tom Eastep, the author of Shorewall, uses the packages
> from my repository on his Ubuntu systems. I upload new packages to
> Sid and to my repo usually within 24 hours of a new upstream release.
>
> You are more likely to get good support for 4.0.x than you are for 3.2.x
> around here.
>
> I just wanted to make sure that you are aware of the situation. I
> personally gain nothing regardless of which packages you use. But there
> is no sense in you using unnecessarily ancient packages.
>
> > The original question still stands... do I have it right? Did I miss anything?
> >
> To be honest, I don't use port knocking so I don't know.
Tom Eastep
2008-Jun-19 00:15 UTC
Re: Expanding SSHKnock shell script, a few questions please
Roberto C. Sánchez wrote:
> On Wed, Jun 18, 2008 at 03:58:18PM -0700, Daryl Caudill wrote:
>>
>> No can do. My boss would never let me upgrade our live production firewall from a supported Etch package to your archive. Thanks though, I appreciate the suggestion.
>>
>
> I'm not sure that you understand the support situation. The version
> currently in Etch is 3.2.6. It is *very* old and is no longer
> supported. Theoretically, because it is part of a stable release, the
> Debian Security Team would provide security support. However, no one is
> looking for security vulnerabilities (at least on the upstream side).
>
> The packages available from my repo are *exactly* the same as those in
> Lenny/Sid, except that I have tweaked the version number so that the
> next stable release of Debian overtakes them. I am the maintainer of
> the packages in Debian. So, if you use the Debian packages, using my
> packages is no different.
>
> Additionally, Tom Eastep, the author of Shorewall, uses the packages
> from my repository on his Ubuntu systems. I upload new packages to
> Sid and to my repo usually within 24 hours of a new upstream release.
>
> You are more likely to get good support for 4.0.x than you are for 3.2.x
> around here.

I must second Roberto's comments. When I saw Daryl's original post, I didn't respond for two reasons:

a) The age of the 3.2.6 release (I couldn't test it and don't remember clearly how it works).
b) The fact that Daryl is asking this question because "it's a live firewall, I don't want to start mucking with it".

Roberto has addressed the first issue. With respect to the second, the same boss who won't let you use unofficial (but really official) packages should provide you with a test firewall so you can thoroughly test your changes before you put them in production. That's especially important when you run an ancient version that those of us here at shorewall.net no longer maintain test systems for.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Daryl Caudill
2008-Jun-19 00:50 UTC
Re: Expanding SSHKnock shell script, a few questions please
--- On Wed, 6/18/08, Tom Eastep <teastep@shorewall.net> wrote:
> I must second Roberto's comments. When I saw Daryl's original post, I didn't
> respond for two reasons:
>
> a) The age of the 3.2.6 release (I couldn't test it and don't remember
> clearly how it works).
> b) The fact that Daryl is asking this question because "it's a live
> firewall, I don't want to start mucking with it".
>
> Roberto has addressed the first issue. With respect to the second, the same
> boss who won't let you use unofficial (but really official) packages should
> provide you with a test firewall so you can thoroughly test your changes
> before you put them in production. That's especially important when you run
> an ancient version that those of us here at shorewall.net no longer maintain
> test systems for.

Thank you both for all of the feedback, it's appreciated. I am now aware Roberto maintains the official Debian packages (didn't know that). I'm new to this mailing list, but that's no excuse. My apologies to you both.

As for the test firewall, I do run a nearly identical one on my home system. I didn't want to "muck" with it either, because I do host a server, but at this point, it's now obvious I need to get with the current program. I've been so happy with Etch, I didn't want to accept it really has become out of date. I'm going to upgrade it to Roberto's archive, then go from there...

Cheers!
Daryl
Tom Eastep
2008-Jun-19 00:58 UTC
Re: Expanding SSHKnock shell script, a few questions please
Daryl Caudill wrote:
>
> As for the test firewall, I do run a nearly identical one on my home system.
> I didn't want to "muck" with it either, because I do host a server, but at
> this point, it's now obvious I need to get with the current program.
> I've been so happy with Etch, I didn't want to accept it really has become
> out of date. I'm going to upgrade it to Roberto's archive, then go from there...

Then I encourage you to move to Shorewall-perl. It is the future of Shorewall and the future is now.

-Tom
-- 
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Roberto C. Sánchez
2008-Jun-19 03:59 UTC
Re: Expanding SSHKnock shell script, a few questions please
On Wed, Jun 18, 2008 at 05:10:03PM -0700, Daryl Caudill wrote:
> Whoooooooooooops!!!!
>
> I went and annoyed our package maintainer DOH! Sorry about that!
>
No worries. I'm not annoyed.

> Thanks for all of that info Roberto, I appreciate you bringing me up to speed.
>
> Damn, I've been using version 3.x for so long, I haven't even looked at 4.x yet. Well, since Lenny is going stable in a few months anyways, I guess it's time to get off my butt and learn version 4.x
>
> I noticed there are two versions: shell vs perl. I don't know perl, is it okay to stick with shell? Is the perl version superior, or the future of shorewall? Should I switch to perl? Will I miss out on features or ease by sticking with shell?
>
> I'll check out version 4. Is 3 upgradeable to 4? I suspect I'll be rewriting my config files, and that's fine with me.
>
While Tom's point in his other email is valid (that switching to -perl is the way to go), it may be a little easier to upgrade to the latest -shell first, especially on the live firewall. But your goal ought to be to get to -perl sometime in the near future.

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com