public inbox for gentoo-security@lists.gentoo.org
From: "Jeff Gercken" <JeffG@kizan.com>
To: <gentoo-security@lists.gentoo.org>
Subject: RE: [gentoo-security] port knocking
Date: Thu, 20 Oct 2005 15:42:38 -0400
Message-ID: <EDF30175FE4D804B83444FB153172A507ED2D5@louexch.KiZAN.net>

My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(192.168.33.0/24), an entry for your IP address is added to iptables.
When you log out, the entry is removed.  I know it's ugly but it works
well.  If the script is restarted any existing iptables entries will
obviously get orphaned.  This only works because there is no dns
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#!/usr/bin/env python3
import os
import subprocess
import time

# Dictionary value explanation (key is IP)
#   I = insert into iptables, user logged in
#   D = delete from iptables, user disconnected
#   L = don't do anything, user is still logged in
master = {}

# Pull the "(host)" field out of every who(1) line for the wireless segment.
# Raw string on purpose: in a normal Python string "\1" is the byte 0x01,
# not sed's back-reference, and the pipeline silently produces garbage.
WHO_CMD = r"who | grep 192.168.33 | sed 's/.*(\(.*\))/\1/g' | sort -u"

while 1:
    for i in master.keys():
        master[i] = "D"  # First assume everybody left
    loggedIn = os.popen(WHO_CMD)
    for i in loggedIn.readlines():
        i = i.strip()
        if i in master:
            master[i] = "L"  # leave this IP in iptables (change "D" value)
        else:
            master[i] = "I"  # insert this IP in iptables (new key)
    # list() so the dictionary can be pruned while we walk it
    for i in list(master.keys()):
        if master[i] == 'L':
            print('ignoring IP: ' + i)
            continue
        elif master[i] == 'I':
            print('new IP: ' + i)
            # argv list: the address is handed to iptables, never to a shell
            subprocess.call(["/sbin/iptables", "-I", "FORWARD", "-p", "all",
                             "-s", i, "-j", "ACCEPT"])
        else:
            print('removing IP: ' + i)
            subprocess.call(["/sbin/iptables", "-D", "FORWARD", "-p", "all",
                             "-s", i, "-j", "ACCEPT"])
            del master[i]  # forget it, or it is "removed" again every 3 s
    time.sleep(3)

+++++++++++++++++++++++++++++++++++++++++++++
Second Script:
This script is a bit more complicated.  An entry is added to iptables to
match icmp traffic to playboy.com and log it.  Syslog-ng will filter The
trigger in this script is playboy.com and your mac address (grepped from
arp -a) is added to the iptables leaf wireless2net (I use shorewall).


#!/usr/bin/env python3
# filename: /usr/sbin/portknock.py
import os
import subprocess
import time

print("Flush the iptables chain or create it if it doesn't exist")
os.system('/sbin/iptables -F wless_portknock || /sbin/iptables -N wless_portknock')

print("Check to see if chain is included in wireless2net chain")
if os.popen('/sbin/iptables -L wireless2net | grep wless_portknock').readlines() == []:
    os.system('/sbin/iptables -I wireless2net 2 -j wless_portknock')

print('starting loop')
master = {}
# Today's Shorewall log lines -> 8th field (SRC=a.b.c.d) -> unique source IPs
LOG_CMD = ('grep "`/usr/bin/date +"%b %e"`" /var/log/portknock'
           ' | cut -d " " -f8 | cut -d "=" -f2 | sort -u')
while 1:
    for r in os.popen(LOG_CMD).readlines():
        r = r.strip()  # strip first, or an empty line never has len 0
        if len(r) == 0:
            continue
        # MAC for that IP from the ARP table (4th field of "arp -an").
        # Match "(ip)" so 192.168.33.1 does not also pick up 192.168.33.10.
        i = os.popen('arp -an | grep "(' + r + ')" | cut -d " " -f4').readline()
        i = i.strip()
        if not i or i in master:  # no ARP entry yet, or already added
            continue
        master[i] = ''
        print('adding mac ' + i + ' which belongs to IP ' + r)
        subprocess.call(["/sbin/iptables", "-I", "wless_portknock", "-p", "all",
                         "-j", "ACCEPT", "-m", "mac", "--mac-source", i])
    time.sleep(3)

-----------------------------------------------
The relevant entry in the shorewall rules file

ACCEPT:info:pnoc        wireless        net:216.163.137.3       icmp

-----------------------------------------------
The relevant parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); };
filter f_portknock { match("Shorewall:wireless2net:ACCEPT"); };
log { source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets truncated so syslog-ng never
sees it.

------------------------------------------------
At midnight cron runs the following reset script:

#!/bin/bash
echo > /var/log/portknock
kill `pgrep -f portknock.py`
python /usr/sbin/portknock.py&

------------------------------------------------
Like I said, it's complicated.  Don't forget to touch /var/log/portknock

-Jeff 
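The logic behind both of Jeff's scripts, as an added example that is not code from the post: the who/arp/iptables subprocess calls are replaced by pure functions over text so the bookkeeping can be run and tested offline. The who(1), netfilter LOG and arp -an line layouts used in the constructed samples are the standard ones (the Shorewall log line does put SRC= in the 8th space-separated field, which is what the second script's cut relies on); the chain and rule names are the ones from the post. Two checks the originals lack are built in: a resolved hostname in who output is refused rather than passed to iptables (the DNS hazard Jeff mentions), and the ARP lookup matches the address exactly, since a substring grep for 192.168.33.1 also matches 192.168.33.12 and would admit the wrong station's MAC.

```python
#!/usr/bin/env python3
"""Pure-function version of the two gateway scripts' logic (added example,
not code from the post).  Runs offline against the constructed samples."""
import ipaddress
import re

WIRELESS = ipaddress.ip_network("192.168.33.0/24")

# "(host)" at the end of a who(1) line
WHO_RE = re.compile(r"\(([^)]+)\)\s*$")
# SRC=a.b.c.d in a netfilter LOG line, found by name rather than field position
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")
# "? (a.b.c.d) at aa:bb:cc:dd:ee:ff [ether] on wlan0" from arp -an
ARP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{17})")


def wireless_sessions(who_output):
    """IPs in the wireless segment that currently hold a login session
    (the who | grep | sed | sort -u pipeline).  A resolved hostname is
    skipped instead of being handed to iptables."""
    ips = set()
    for line in who_output.splitlines():
        m = WHO_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # a name, not an address: refuse to act on it
        if ip in WIRELESS:
            ips.add(str(ip))
    return ips


def reconcile(allowed, sessions):
    """The first script's I/D/L bookkeeping as set arithmetic.
    Returns (insert, delete, leave) over the IPs already in the chain."""
    return (sorted(sessions - allowed), sorted(allowed - sessions),
            sorted(allowed & sessions))


def knock_sources(log_lines):
    """Unique SRC= addresses from Shorewall log lines (the second script's
    grep | cut -f8 | cut -d= -f2 | sort -u pipeline)."""
    found = set()
    for line in log_lines:
        m = SRC_RE.search(line)
        if m:
            found.add(m.group(1))
    return sorted(found)


def mac_for(ip, arp_output):
    """MAC for exactly this IP from arp -an output (no substring matching)."""
    for m in ARP_RE.finditer(arp_output):
        if m.group(1) == ip:
            return m.group(2).lower()
    return None


def iptables_argv(action, ip=None, mac=None):
    """argv for the rules the scripts install; a list, so nothing taken from
    who/arp/logs is ever parsed by a shell.  action is "-I" or "-D"."""
    if mac is not None:
        return ["/sbin/iptables", action, "wless_portknock", "-p", "all",
                "-j", "ACCEPT", "-m", "mac", "--mac-source", mac]
    return ["/sbin/iptables", action, "FORWARD", "-p", "all", "-s", ip,
            "-j", "ACCEPT"]


# Constructed samples: one wired login, two wireless logins, one resolved name.
SAMPLE_WHO = """\
jeff     pts/0        2005-10-20 15:30 (192.168.33.7)
jeff     pts/1        2005-10-20 15:31 (192.168.1.2)
ann      pts/2        2005-10-20 15:35 (192.168.33.12)
bob      pts/3        2005-10-20 15:36 (laptop.wireless)
"""
SAMPLE_LOG = [
    "Oct 20 15:42:38 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 "
    "SRC=192.168.33.7 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "Oct 20 15:43:01 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 "
    "SRC=192.168.33.12 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
    "Oct 20 15:43:05 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 "
    "SRC=192.168.33.7 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]
# .12 listed before .1, so a substring grep would return the wrong MAC first.
SAMPLE_ARP = """\
? (192.168.33.12) at 00:11:22:33:44:12 [ether] on wlan0
? (192.168.33.1) at 00:11:22:33:44:01 [ether] on wlan0
? (192.168.33.7) at 00:11:22:33:44:07 [ether] on wlan0
"""

if __name__ == "__main__":
    allowed = {"192.168.33.7", "192.168.33.50"}  # pretend these rules exist
    ins, dele, _ = reconcile(allowed, wireless_sessions(SAMPLE_WHO))
    for ip in ins:
        print(" ".join(iptables_argv("-I", ip=ip)))
    for ip in dele:
        print(" ".join(iptables_argv("-D", ip=ip)))
    for ip in knock_sources(SAMPLE_LOG):
        print(ip, "->", mac_for(ip, SAMPLE_ARP))
```

Run as a script it prints the insert/delete argv for the session-based chain and the IP-to-MAC mapping for the knock chain; the functions are what a real daemon would feed to subprocess.call. Note that a --mac-source rule only identifies the station by a value it announces itself, so the second script's allow-list is only as strong as the wireless segment's control over MAC addresses.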

-----Original Message-----
From: boger [mailto:boger@ttk.ru] 
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] port knocking

This is the result of last week's discussion about port knockers.
It's my second bash script (first is my firewall), so any feedback will
be appreciated ;)

usage: ./knocker.sh <config file name> del
Path to config file is constant in knocker.sh.
 del - is optional, simply deletes target chain

script has no limits on knock sequences, and demands stateful filtering
enabled:
ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

 

-- 
gentoo-security@gentoo.org mailing list



Thread overview:
2005-10-20 19:42 Jeff Gercken [this message]
2005-10-11 18:00 [gentoo-security] port knocking boger
2005-10-02 21:10 [gentoo-security] [OT?] automatically firewalling off IPs Jeremy Brake
2005-10-02 21:19 ` MaxieZ
2005-10-03 13:01   ` David vasil
2005-10-03 13:18     ` rpfc
2005-10-03 17:06       ` Kirk Hoganson
2005-10-04 16:25         ` boger
2005-10-04 17:16           ` Kirk Hoganson
2005-10-04 19:45             ` [gentoo-security] Port knocking Tobias Sager
2005-10-04 20:20               ` boger
