-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hello, all!

I'm currently trying to implement sequential portknocking.

I've already read through the thread in the archives[0], the Shorewall
portknocking guide[1] (ipt_recent is enabled, etc.), and the Shorewall
actions guide[2] (though, admittedly, a good portion of it went over my
head). I can't seem to get sequential portknocking working - in other
words, I want to have portA knocked to open portB, which will open
portC, and when portC is knocked then 22/TCP will be opened. There are
also two "trap ports" which close off 22/TCP, one below 22/TCP and one
above the knocking ports, in an attempt to protect against portscanning.

I've created the empty action.SSHKnock file, and these are the
contents[3] of SSHKnock (scrubbed of the actual port numbers for
archival and security reasons). I am also only using two knock ports
instead of three until I can figure out the general chain processing:
use Shorewall::Chains;

# $port1, $port2, $trap1 and $trap2 stand in for the real (scrubbed) port numbers.
if ( $level ) {
    log_rule_limit( $level, $chainref, 'SSHKnock', 'ACCEPT', '', $tag, 'add',
                    '-p tcp --dport 22 -m recent --rcheck --name SSH ' );
    # negation goes before the option in current iptables ("! --dport"), not after it
    log_rule_limit( $level, $chainref, 'SSHKnock', 'DROP', '', $tag, 'add',
                    '-p tcp ! --dport 22 ' );
}

add_rule( $chainref, '-p tcp --dport $port1 -m recent --rcheck --seconds 3 --name SSH1 -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport $port2 -m recent --rcheck --seconds 3 --name SSH2 -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 15 --name SSH -j ACCEPT' );
# trap ports: forget the source so 22/TCP closes again
add_rule( $chainref, '-p tcp --dport $trap1 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport $trap2 -m recent --name SSH --remove -j DROP' );
# knock ports: record the source, then drop the knock itself
add_rule( $chainref, '-p tcp --dport $port1 -m recent --name SSH1 --set -j DROP' );
add_rule( $chainref, '-p tcp --dport $port2 -m recent --name SSH2 --set -j DROP' );

1;
[0] https://mail.shorewall.net/pipermail/shorewall-users/2004-August/013958.html
    and associated
[1] http://www.shorewall.net/PortKnocking.html
[2] http://www.shorewall.net/Actions.html
[3] My mail client may have mangled the contents; all the "add_rule"
    lines are on one line each.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk2mEqMACgkQ8u2Zh4MtlQpTogCfXRv2hQPuOyctypDho4ddpOyx
+0QAoJUGZaEx9vxML/uUVJC3lAcLSY1B
=tUUH
-----END PGP SIGNATURE-----
------------------------------------------------------------------------------
Benefiting from Server Virtualization: Beyond Initial Workload
Consolidation -- Increasing the use of server virtualization is a top
priority.Virtualization can reduce costs, simplify management, and improve
application availability and disaster protection. Learn more about boosting
the value of server virtualization. http://p.sf.net/sfu/vmware-sfdev2dev
Hi,

Unless you are doing this to learn Shorewall's internals, such an approach
doesn't sound to me like the best one. There are daemons available for Linux
which implement port-knocking with libpcap, completely bypassing iptables. I
believe this solution would be more convenient to deploy.

Robert Kawecki

----- Reply message -----
From: "brent timothy saner" <brent.saner@gmail.com>
To: <shorewall-users@lists.sourceforge.net>
Subject: [Shorewall-users] Extended Portknocking
Date: Wed, Apr 13, 2011 23:16
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
On Wed, Apr 13, 2011 at 11:16 PM, brent timothy saner <brent.saner@gmail.com> wrote:
> I've created the empty action.SSHKnock file, and these are the
> contents[3] of SSHKnock (scrubbed of the actual port numbers due to
> archival and security reasons). I also am only using two knock ports
> instead of three until I can figure out the general chain processing:

Maybe this will help you:

use Shorewall::Chains;

if ( $level ) {
    # log accepted SSH connections: match the list that actually grants access (KNOCK3)
    log_rule_limit( $level, $chainref, 'SSHKnock', 'ACCEPT', '', $tag, 'add',
                    '-p tcp --dport 22 -m recent --rcheck --name KNOCK3 ' );
    log_rule_limit( $level, $chainref, 'SSHKnock', 'DROP', '', $tag, 'add',
                    '-p tcp ! --dport 22 ' );
}

# Define a chain (with the name assigned by shorewall) containing the knock
my $name_knock_second = 'KNOCK2';
my $chainref_second   = new_manual_chain( $name_knock_second );
add_rule( $chainref_second, '-m recent --name KNOCK1 --remove' );
add_rule( $chainref_second, '-m recent --name KNOCK2 --set' );

# ... Here define as many knocks as you like
my $name_knock_third = 'KNOCK3';
my $chainref_third   = new_manual_chain( $name_knock_third );
add_rule( $chainref_third, '-m recent --name KNOCK2 --remove' );
add_rule( $chainref_third, '-m recent --name KNOCK3 --set' );

# Once again, the first knock
add_rule( $chainref, '-m recent --update --name KNOCK1' );

# Define actions for knock
add_rule( $chainref, '-p tcp --dport 1111 -m recent --set --name KNOCK1' );
add_rule( $chainref, "-p tcp --dport 3333 -m recent --rcheck --name KNOCK1 -j $chainref_second->{name}" );
add_rule( $chainref, "-p tcp --dport 2222 -m recent --rcheck --name KNOCK2 -j $chainref_third->{name}" );

# Who completes the sequence will have access to the port for 60 seconds
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK3 -j ACCEPT' );

1;

Regards,
Vlado
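To see what Vlado's action does once iptables evaluates it, here is an added example (my code, not Shorewall's and not from the esdebian article) that models the handful of `recent` operations the rules rely on (--set, --rcheck, --remove, --seconds) in plain Python, so the knock sequence can be traced offline without root or iptables. The knock ports 1111, 3333, 2222 and the 60-second window are the ones from the posted action; it goes beyond that action in one labelled way, an optional set of trap ports after brent's description that wipe a source's progress. The trap port numbers and client addresses are constructed sample values.

```python
"""Added example (not Shorewall or Vlado's code): a plain-Python model of the
sequential port-knock state machine that the SSHKnock action builds out of
iptables `recent` lists.  Only the `recent` operations the rules use are
modelled (--set, --rcheck, --remove, --seconds).  Ports other than the
posted knock sequence, and all addresses, are constructed sample values."""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (1111, 3333, 2222)   # Vlado's order: first, second, third knock
SSH_PORT = 22
OPEN_WINDOW = 60                      # --seconds 60 on the final --rcheck
# Constructed: brent's "trap port" idea (one below 22, one above the knocks).
# Vlado's action has no traps; this is an optional extension of the model.
TRAP_PORTS = (21, 4444)


@dataclass
class RecentLists:
    """Per-name {src: last_seen} tables, like /proc/net/xt_recent/<name>."""
    tables: dict = field(default_factory=dict)

    def set(self, name, src, now):          # --set: add or refresh the entry
        self.tables.setdefault(name, {})[src] = now

    def remove(self, name, src):            # --remove: forget the entry
        self.tables.get(name, {}).pop(src, None)

    def rcheck(self, name, src, now, seconds=None):
        """--rcheck [--seconds N]: present and, if N is given, seen within N s.
        Unlike --update, --rcheck does not refresh the timestamp."""
        last = self.tables.get(name, {}).get(src)
        if last is None:
            return False
        return seconds is None or now - last <= seconds


class KnockFirewall:
    """Evaluates one inbound TCP SYN the way the SSHKnock rules would."""

    def __init__(self, sequence=KNOCK_SEQUENCE, traps=()):
        self.sequence = sequence
        self.traps = traps
        self.names = [f"KNOCK{i + 1}" for i in range(len(sequence))]
        self.recent = RecentLists()

    def packet(self, src, dport, now):
        """Return 'ACCEPT' or 'DROP' for a SYN from src to dport at time now."""
        # trap port (constructed extension): wipe all progress for this source
        if dport in self.traps:
            for name in self.names:
                self.recent.remove(name, src)
            return "DROP"
        # first knock: '-m recent --set --name KNOCK1'
        if dport == self.sequence[0]:
            self.recent.set(self.names[0], src, now)
            return "DROP"
        # later knocks: '--rcheck --name KNOCK<i>' then jump to a chain that
        # removes the source from KNOCK<i> and sets it in KNOCK<i+1>
        for i in range(1, len(self.sequence)):
            if dport == self.sequence[i]:
                if self.recent.rcheck(self.names[i - 1], src, now):
                    self.recent.remove(self.names[i - 1], src)
                    self.recent.set(self.names[i], src, now)
                return "DROP"          # knocks get no reply; the policy drops them
        # '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name KNOCK3 -j ACCEPT'
        if dport == SSH_PORT and self.recent.rcheck(self.names[-1], src, now, OPEN_WINDOW):
            return "ACCEPT"
        return "DROP"


def trace(events, traps=()):
    """Run (src, dport, time) events through a fresh firewall; return the verdicts."""
    fw = KnockFirewall(traps=traps)
    return [fw.packet(src, dport, t) for src, dport, t in events]


if __name__ == "__main__":
    client = "198.51.100.7"           # constructed (TEST-NET-2)
    good = [(client, 1111, 0), (client, 3333, 1), (client, 2222, 2), (client, 22, 10)]
    print("correct order:", trace(good))
    print("too late:", trace(good[:-1] + [(client, 22, 70)]))
    ascending = [(client, 1111, 0), (client, 2222, 1), (client, 3333, 2), (client, 22, 3)]
    print("wrong order:", trace(ascending))
    print("trap hit:", trace(good[:-1] + [(client, 4444, 3), (client, 22, 4)], traps=TRAP_PORTS))
```

Two things the trace makes visible that the rules alone do not: because `--rcheck` never refreshes a timestamp, repeated SSH connections do not extend the 60-second window (a new knock sequence is needed), and because KNOCK1 has no `--seconds` and a mis-ordered knock simply fails its `--rcheck`, a stray knock is forgiven rather than resetting the source, which is exactly the gap brent's trap ports are meant to close. On a real host the same per-name tables can be read from /proc/net/xt_recent/<name> (older kernels: /proc/net/ipt_recent).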
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/14/11 03:00, Vlado Peshov wrote:
> On Wed, Apr 13, 2011 at 11:16 PM, brent timothy saner
> <brent.saner@gmail.com> wrote:
>
> Maybe this will help you:
>
> Regards,
> Vlado

Vlado-

I'll give this a shot; THANK YOU ahead of time whether it works or not;
I think this was just what I needed to get a swift start in the
direction I need to go. I think I just needed some template to put two
and two together. I'll let you know how it turns out. :)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk2mq+4ACgkQ8u2Zh4MtlQq4GgCZAaOsdMexGiw57jYiqGI9q3Ju
wAgAn0TxQhpuUf1Pyz3Yj403cMiB9/ob
=VPv3
-----END PGP SIGNATURE-----
On Thu, Apr 14, 2011 at 10:10 AM, brent timothy saner <brent.saner@gmail.com> wrote:
> I'll give this a shot; THANK YOU ahead of time whether it works or not;
> I think this was just what I needed to get a swift start in the
> direction I need to go. I think I just needed some template to put two
> and two together. I'll let you know how it turns out. :)

I am using this on debian lenny and squeeze (not with those ports of course :) ). Rules line is like this:

SSHKnock:info net $FW tcp 22,1111,3333,2222

Regards,
Vlado
On Thu, Apr 14, 2011 at 10:28 AM, Vlado Peshov <vlatkop@gmail.com> wrote:
> I am using this on debian lenny and squeeze (not with those ports of course :) ). Rules line is like this:
>
> SSHKnock:info net $FW tcp 22,1111,3333,2222

Here is also the article: http://www.esdebian.org/wiki/port-knocking
where I took the idea and the netfilter/iptables implementation for the code I pasted here. It is in Spanish, but I used google translate.
Normally I also used the main documentation site: http://www.shorewall.net/PortKnocking.html

Regards,
Vlado