Hi,

I had been using shorewall and it's working fine; now I would like to implement Port Knocking to work with shorewall. I had read shorewall-users@lists.sourceforge.net but it only has one port to be knocked.

I would like to have a series of knock sequences for my firewall to open a port as well as creating DNAT to the internal PC in my DMZ. The internal PC will be in hibernate mode, which requires a Wake-On-LAN magic packet to be sent from the firewall.

1. Firewall receives correct sequence of knocks
2. Send Magic Packet to Internal PC (WOL)
3. Create DNAT from Inet to DMZ

Please advise.

Thank you
mynullvoid <mynullvoid@yahoo.com> wrote on 18/10/2005 23:38:51:

> I would like to have a series of knock-sequence for my firewall to
> open port as well as creating dnat to the internal pc in my dmz. [...]

I think you have already read the shorewall port knocking documentation at http://www.shorewall.net/PortKnocking.html. But keep in mind that what is offered there is a sample configuration. If you need something more complex, you are on your own here. Apart from that, when you fix it up, please enlighten us.
mynullvoid wrote:
> I would like to have a series of knock-sequence for my firewall to open
> port

Multiple port-knocking sequences don't increase security. Port knocking is designed to foil simple-minded port-scan/dictionary attacks against port 22. Any attacker that is really interested in getting into your SSH server (and is in a position to do so) won't be slowed down at all by what you propose.

Port-scan/dictionary attacks can be *completely* defeated by enforcing the use of RSA keys by SSH clients (configure your SSH server to require RSA keys and to disallow password login). And I have yet to see anyone claim that the bandwidth consumed by these attacks against a properly configured server is a significant problem. And if you can demonstrate that it is, I can propose some remedies.

Opening ports dynamically via DNAT can only be accomplished within the kernel -- and none of the Netfilter kernel developers is misguided enough to spend their time implementing what you propose.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
Yep, I mistakenly pasted it ;)

Anyway, I need guidance from anyone who has an idea about implementing at least port knocking in sequence instead of on one port.

Regards

Eduardo Ferreira <duda@icatu.com.br> wrote:
> I think you have already read the shorewall port knocking documentation at
> http://www.shorewall.net/PortKnocking.html. But keep in mind that what is
> offered there is a sample configuration. [...]
Agreed with your statements; but in my case it's not SSH, the port knock will allow HTTP (80), therefore I just need to know how to have at least a sequence of 4 knocks.

Thanks

Tom Eastep <teastep@shorewall.net> wrote:
> Multiple port-knocking sequences don't increase security. Port knocking is
> designed to foil simple-minded port-scan/dictionary attacks against port
> 22. [...]
Tom Eastep wrote:
> ...
> none of the Netfilter kernel developers is misguided
> enough to spend their time implementing what you propose.

Tom's firing on all cylinders today! :-)

Paul
Tom Eastep wrote:
> Multiple port-knocking sequences don't increase security. [...]
>
> Opening ports dynamically via DNAT can only be accomplished within the
> kernel -- and none of the Netfilter kernel developers is misguided
> enough to spend their time implementing what you propose.
>
> -Tom

Tom has a point, as always. mynullvoid: you should listen to him.

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
mynullvoid wrote:
> Agreed with your statements; but in my case it's not SSH, the port
> knock will allow HTTP (80), therefore I just need to know how to have at
> least a sequence of 4 knocks.

Port-knocking to gain WWW access? Please describe your high-level problem and we might be able to offer a solution -- but I'm guessing that port knocking isn't it...

-Tom
The scenario is: "A webserver with very P&C data which is only turned on when there is a request. To further guard this webserver, when user A sends the correct sequence of port knocks, the firewall will check if the webserver is on or off; if it's off, the firewall will send a magic packet to power on the webserver (located in the DMZ). Later, modify the iptables to allow the HTTP traffic to the internal webserver by doing NAT."

This is a part of what I want to do.

Thank you

Tom Eastep <teastep@shorewall.net> wrote:
> Port-knocking to gain WWW access? Please describe your high-level problem
> and we might be able to offer a solution -- but I'm guessing that port
> knocking isn't it...
mynullvoid wrote:
> The scenario is: "A webserver with very P&C data which is only turned on
> when there is a request. To further guard this webserver, when user A
> sends the correct sequence of port knocks, the firewall will check if the
> webserver is on or off; if it's off, the firewall will send a magic packet
> to power on the webserver (located in the DMZ). Later, modify the iptables
> to allow the HTTP traffic to the internal webserver by doing NAT."
>
> This is a part of what I want to do.

Then you need something other than Netfilter/Shorewall.

I'm unfamiliar with anything so Draconian. Possibly others on the list can point you to a solution.

-Tom
mynullvoid wrote:
> The scenario is: "A webserver with very P&C data which is only turned on
> when there is a request. To further guard this webserver, when user A sends
> the correct sequence of port knocks, the firewall will check if the
> webserver is on or off; if it's off, the firewall will send a magic packet
> to power on the webserver (located in the DMZ). Later, modify the iptables
> to allow the HTTP traffic to the internal webserver by doing NAT."
>
> This is a part of what I want to do.

Isn't HTTP digest auth and SSL sufficient..?? ..maybe with an additional VPN connection required?

Do you think the correct port knocking sequence is _so_ hard to guess for an (expert) attacker??

Why not, instead of thinking about that thing, spend the time creating an adequate security and usage policy for your webserver/network???

This post won the daily WTF award.

--
Cristian Rodriguez R.
perl -e '$_=pack(c5,0105,0107,0123,0132,(1<<3)+2);y[A-Z][N-ZA-M];print;'
Well, I wouldn't be doing this if my current infra were secure enough; I am not going to do this just to waste time. Back to my original question: has anyone done sequence port knocking with shorewall?

Cristian Rodriguez <judas_iscariote@shorewall.net> wrote:
> Isn't HTTP digest auth and SSL sufficient..?? ..maybe with an additional
> VPN connection required? [...]
>
> This post won the daily WTF award.
Cristian Rodriguez wrote:
> ...
> This post won the daily WTF award.

Indeed! :-)

Paul
Tom Eastep wrote:
> mynullvoid wrote:
>> The scenario is: "A webserver with very P&C data which is only turned on
>> when there is a request. To further guard this webserver, when user A
>> sends the correct sequence of port knocks, the firewall will check if the
>> webserver is on or off; if it's off, the firewall will send a magic packet
>> to power on the webserver (located in the DMZ). Later, modify the iptables
>> to allow the HTTP traffic to the internal webserver by doing NAT."
>>
>> This is a part of what I want to do.
>
> Then you need something other than Netfilter/Shorewall.
>
> I'm unfamiliar with anything so Draconian. Possibly others on the list
> can point you to a solution.

I've never done anything like this, but I would implement it this way:

- Your special super secret web server is called SECRET.
- Have a 2nd web server in your DMZ called SQUIRREL.
- SQUIRREL requires an SSL login with mutual certificate authentication (i.e. bidirectional verification) as well as user name & password. This is a much more effective security mechanism than port knocking.
- When the user correctly logs into SQUIRREL, provide them with a button to press which says "Wake up SECRET web server".
- SQUIRREL would send a WoL packet to SECRET and get it going, instruct the firewall to add NAT rules, then redirect the user's browser session to SECRET (once it is up & running).
- On logout, SECRET would shut down if there were no other user sessions present.

Good luck getting this to work.

Paul
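The Wake-on-LAN step of the SQUIRREL/SECRET design above, as an added example (it is not code from the thread or from the Shorewall project): building the magic packet, broadcasting it on the DMZ segment, and polling SECRET's web port so that the browser is only redirected once the host is really up. The MAC address, the DMZ broadcast address 192.0.2.255 and the SECRET address 192.0.2.10 are placeholders assumed for the example; the thread gives none of them.

```python
"""Wake-on-LAN helper for a SQUIRREL-wakes-SECRET flow.

Added example, not code from the Shorewall project or from the thread.
Assumed (not stated in the thread): SQUIRREL knows SECRET's MAC address and
the DMZ broadcast address, and SECRET answers on TCP 80 once booted.
"""
import re
import socket
import time
from typing import Optional

# A magic packet is 6 bytes of 0xFF followed by the target MAC repeated 16
# times: 102 bytes. It is usually sent as a UDP broadcast to port 9 (discard);
# the NIC only inspects the payload, so the port does not matter.
MAGIC_PREFIX = b"\xff" * 6
MAC_REPEATS = 16
MAGIC_LEN = 6 + 6 * MAC_REPEATS


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Return the 102-byte magic packet for this MAC."""
    return MAGIC_PREFIX + parse_mac(mac) * MAC_REPEATS


def mac_from_magic_packet(payload: bytes) -> Optional[str]:
    """Decode a captured UDP payload; returns the MAC, or None if it is not a
    well-formed magic packet (handy for checking with tcpdump what the
    firewall actually sent)."""
    if len(payload) != MAGIC_LEN or payload[:6] != MAGIC_PREFIX:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * MAC_REPEATS:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> int:
    """Broadcast the magic packet; returns the number of bytes sent.
    'broadcast' should be the DMZ segment's broadcast address (assumed)."""
    pkt = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return s.sendto(pkt, (broadcast, port))


def wait_for_tcp(host: str, port: int, timeout: float = 120.0, interval: float = 2.0) -> bool:
    """Poll until host:port accepts a TCP connection or timeout expires, so the
    redirect to SECRET only happens once its web server is listening."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with socket.create_connection((host, port), timeout=interval):
                return True
        except OSError:
            time.sleep(interval)
    return False


if __name__ == "__main__":
    SECRET_MAC = "00:11:22:33:44:55"  # placeholder MAC, assumed for the example
    send_magic_packet(SECRET_MAC, broadcast="192.0.2.255")  # assumed DMZ broadcast
    print("SECRET up:", wait_for_tcp("192.0.2.10", 80, timeout=60))  # assumed SECRET address
```

Run it on SQUIRREL (or on the firewall, which is the only host the thread places on the DMZ segment); the broadcast must be sent from an interface on SECRET's segment, since routers do not forward it. Note that the magic packet carries no authentication at all: anyone on that segment can wake the host, which is one more reason the real access control has to be the mutual-TLS login and not the wake-up itself.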
I suddenly have visions of "secret squirrel"...and his sidekick....something...something...mole...

-----Original Message-----
From: shorewall-users-admin@lists.sourceforge.net [mailto:shorewall-users-admin@lists.sourceforge.net] On Behalf Of Paul Gear
Sent: Tuesday, October 18, 2005 11:35 PM
To: shorewall-users@lists.sourceforge.net
Subject: [Shorewall-users] Re: Port Knocking with WOL

> - Your special super secret web server is called SECRET.
> - Have a 2nd web server in your DMZ called SQUIRREL. [...]
mynullvoid wrote:
> Well, I wouldn't be doing this if my current infra were secure enough; I am
> not going to do this just to waste time. Back to my original question: has
> anyone done sequence port knocking with shorewall?

I'm sorry -- just because someone wants to hang themselves doesn't require me to supply the rope. But if you study the example on the web site, you can probably understand how to hang yourself without my rope (hint: you need a separate 'recent' set for each knock in the sequence -- each successful knock adds the source IP address to the next set in the sequence).

-Tom
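The hint above, one 'recent' set per knock with each successful knock promoting the source address to the next set, written out as an added example (not Shorewall's own code and not anything posted in the thread). The first function emits raw iptables commands for an N-knock sequence, because the hint is about the Netfilter 'recent' match; Shorewall users would express the same rules in /etc/shorewall/rules. The second is a small userspace model of what those rules do to the recent lists, so the timing and reset behaviour can be traced without a firewall. The knock ports 7000/8000/9000, the timeouts, the DMZ address 192.0.2.10 and the existence of a static DNAT for port 80 to that host (in the nat table, outside this example) are assumptions; the thread states none of them.

```python
"""Multi-knock port knocking with one 'recent' set per knock.

Added example, not Shorewall's own code or anything posted in the thread.
Assumed (not in the thread): knock ports, timeouts, the DMZ web server
address, and a static DNAT of port 80 to that host in the nat table.
"""
from math import inf
from typing import Dict, List, Tuple


def knock_sequence_rules(knock_ports: List[int], dmz_host: str, open_port: int = 80,
                         step_seconds: int = 10, open_seconds: int = 30) -> List[str]:
    """Return iptables commands for the sequence knock_ports[0], knock_ports[1], ..."""
    if len(knock_ports) < 2:
        raise ValueError("a sequence needs at least two knocks")
    if len(set(knock_ports)) != len(knock_ports) or open_port in knock_ports:
        raise ValueError("knock ports must be distinct and differ from the opened port")
    sets = [f"KNOCK{i}" for i in range(1, len(knock_ports) + 1)]
    rules = [
        # Final stage: a SYN to the protected port from a source in the last set,
        # seen within open_seconds, is forwarded to the DMZ host. --rcheck does not
        # refresh the timestamp, so the window closes open_seconds after the last
        # knock; the usual ESTABLISHED,RELATED rule carries the rest of the flow.
        f"iptables -A FORWARD -d {dmz_host} -p tcp --dport {open_port} --syn "
        f"-m recent --name {sets[-1]} --rcheck --seconds {open_seconds} -j ACCEPT",
        # Stage 1: the first knock records the source in KNOCK1. The knock itself
        # is dropped, so the knocker gets no reply to learn from.
        f"iptables -A INPUT -p tcp --dport {knock_ports[0]} --syn "
        f"-m recent --name {sets[0]} --set -j DROP",
    ]
    # Stages 2..n: a knock on port i from a source already in set i-1 (within
    # step_seconds) promotes it to set i. Two -m recent matches in one rule: the
    # first checks the previous set, the second records in the next one.
    for i in range(1, len(knock_ports)):
        rules.append(
            f"iptables -A INPUT -p tcp --dport {knock_ports[i]} --syn "
            f"-m recent --name {sets[i - 1]} --rcheck --seconds {step_seconds} "
            f"-m recent --name {sets[i]} --set -j DROP")
    # Any other new TCP connection to the firewall clears the source from every
    # set, so a scanner sweeping through the knock ports in order is reset by the
    # ports in between. Append these after the normal ACCEPT rules for INPUT.
    for name in sets:
        rules.append(f"iptables -A INPUT -p tcp --syn -m recent --name {name} --remove")
    return rules


class RecentSets:
    """Userspace model of the effect of those rules on the kernel recent lists,
    to trace a knock sequence offline (only the semantics used above are modelled)."""

    def __init__(self, knock_ports: List[int], step_seconds: int = 10, open_seconds: int = 30):
        self.ports = list(knock_ports)
        self.step = step_seconds
        self.open = open_seconds
        self.seen: Dict[Tuple[int, str], float] = {}  # (stage index, src) -> time of --set

    def knock(self, src: str, port: int, now: float) -> None:
        """A SYN from src to the firewall's own port at time now."""
        idx = self.ports.index(port) if port in self.ports else None
        if idx == 0:
            self.seen[(0, src)] = now
        elif idx is not None and now - self.seen.get((idx - 1, src), -inf) <= self.step:
            self.seen[(idx, src)] = now
        else:  # wrong port, or right port out of order: the --remove rules wipe progress
            for i in range(len(self.ports)):
                self.seen.pop((i, src), None)

    def is_open(self, src: str, now: float) -> bool:
        """Would a SYN to the protected port from src be forwarded at time now?"""
        last = len(self.ports) - 1
        return now - self.seen.get((last, src), -inf) <= self.open


if __name__ == "__main__":
    for rule in knock_sequence_rules([7000, 8000, 9000], "192.0.2.10"):  # assumed values
        print(rule)
```

Two practical points the model makes visible: the reset rules are what stop a plain sequential port scan from completing the sequence by accident (7000, 7001, ... clears the entry made by 7000 before 8000 is reached), and the open window is measured from the last knock, not from the client's first HTTP request, so a browser that is slow to start will find the door closed again. Neither changes the point made earlier in the thread: the sequence is a shared secret sent in the clear, and anyone who can watch the knocker's traffic can replay it.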