public inbox for gentoo-security@lists.gentoo.org
* [gentoo-security] Port knocking
  2005-10-04 17:16           ` Kirk Hoganson
@ 2005-10-04 19:45             ` Tobias Sager
  2005-10-04 20:20               ` boger
  0 siblings, 1 reply; 4+ messages in thread
From: Tobias Sager @ 2005-10-04 19:45 UTC (permalink / raw
  To: gentoo-security


on 2005-10-04 19:16 Kirk Hoganson wrote the following:
> Yes, there are.  I use one for my work servers that is iptables based. 
> I don't have any links for you unfortunately but I have seen them.  If 
> you are really interested I can probably track down one I saw that used 
> iptables and was a combination style.  I also know of an open source 
> "magic packet" style that I could probably find a link for if you were 
> interested.

That's a possibility I once saw on slashdot:

iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
# one -m recent per list: a single recent match takes only one --name
iptables -A INPUT -p tcp --dport 22 \
  -m recent --rcheck --seconds 30 --name PART1 \
  -m recent --rcheck --seconds 30 --name PART2 \
  -m recent --rcheck --seconds 30 --name PART3 -j ACCEPT

I have not tested if this works, but it looks plausible to me.
Please note this security flaw (fixed in 2.6.14) about ipt_recent:
http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/

From the same guy, a shorewall solution for SSH attacks:
http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-ipt_recent/


There are numerous knock, knock implementations listed at:
http://www.portknocking.org/view/implementations/implementations


IMHO, the problem with "normal" port knocking tools is the dependency on
client software. I would prefer a solution which can be used without
(too much) hassle (e.g. using telnet and then putty or such).
This evidently is not possible when using more sophisticated port
knocking with timing or specially crafted / encrypted packets, unless
you have a really good feel for timing.. ;-)

Cheers
Tobias

-- 
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28




* Re: [gentoo-security] Port knocking
  2005-10-04 19:45             ` [gentoo-security] Port knocking Tobias Sager
@ 2005-10-04 20:20               ` boger
  0 siblings, 0 replies; 4+ messages in thread
From: boger @ 2005-10-04 20:20 UTC (permalink / raw
  To: Tobias Sager

Hello Tobias,


TS> That's a possibility I once saw on slashdot:

TS> iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
TS> iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
TS> iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 \
TS>   --name PART1 --name PART2 --name PART3 -j ACCEPT

It's the best :)
I'll add some protection from plain port scans:
iptables -A INPUT -p tcp --dport 999 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 1001 -m recent --remove --name PART1
...

TS> There are numerous knock, knock implementations listed at:
TS> http://www.portknocking.org/view/implementations/implementations

I've found this page not long ago; the most promising is temprules. I'm currently experimenting with them.

TS> IMHO, the problem with "normal" port knocking tools is the dependency on
TS> client software. I would prefer a solution which can be used without
TS> (too much) hassle (eg. using telnet and then putty or such).
TS> This evidently is not be possible when using more sophisticated port
TS> knocking with timing or specially crafted / encrypted packages, unless
TS> you have a really good feel for timing.. ;-)
Same for me ;)
or even a web browser: http://somehost:123

-- 
Best regards,
 boger                            mailto:boger@ttk.ru

-- 
gentoo-security@gentoo.org mailing list
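As an added example (not code from Tobias's or boger's mails), the rule sets discussed in the two messages above replayed against a toy model of the xt_recent match: the slashdot rules as posted, the same rules with boger's neighbour-port guard, and a strictly ordered variant of my own construction. The source address, the traces, the extra ports and the assumption that the rest of INPUT drops SYNs to port 22 are mine; the model covers --set, --remove and --rcheck --seconds only.

```python
"""Replay of iptables 'recent'-based knock rules against a toy model of xt_recent.
Added example for the gentoo-security thread; not code from the thread itself."""

WINDOW = 30                 # --seconds used by the posted rules
KNOCKER = "198.51.100.7"    # constructed source address (RFC 5737 test range)


class RecentLists:
    """Toy model of xt_recent: one table per --name, source IP -> last hit time.
    Covers --set (add or refresh the timestamp), --remove and --rcheck --seconds N;
    --hitcount and the list-size limit are not modelled."""

    def __init__(self):
        self.tables = {}

    def set(self, name, ip, now):
        self.tables.setdefault(name, {})[ip] = now

    def remove(self, name, ip):
        self.tables.get(name, {}).pop(ip, None)

    def rcheck(self, name, ip, now, seconds):
        seen = self.tables.get(name, {}).get(ip)
        return seen is not None and now - seen <= seconds


# A rule is (dport, checks, action, target):
#   dport  - destination port it matches, None for any port
#   checks - [(list_name, seconds), ...]; every --rcheck must hold (one -m recent each)
#   action - ("set", name), ("remove", name) or None, applied when the rule matches
#   target - "ACCEPT", "DROP" or None (no -j: the packet continues down the chain)

def evaluate(rules, recent, ip, dport, now):
    """Walk the chain for one SYN from ip to dport at time now; return the verdict."""
    for rule_port, checks, action, target in rules:
        if rule_port is not None and rule_port != dport:
            continue
        if not all(recent.rcheck(name, ip, now, secs) for name, secs in checks):
            continue
        if action is not None:
            kind, name = action
            if kind == "set":
                recent.set(name, ip, now)
            else:
                recent.remove(name, ip)
        if target is not None:
            return target
    return "DROP"   # assumption: the rest of INPUT drops SYNs to the protected port


def replay(rules, trace, ip=KNOCKER):
    """Feed a trace of (seconds, dport) SYNs from one source; return the last verdict."""
    recent = RecentLists()
    verdict = "DROP"
    for now, dport in trace:
        verdict = evaluate(rules, recent, ip, dport, now)
    return verdict


# 1. The slashdot rules as Tobias posted them: the knocks may arrive in any order.
UNORDERED = [
    (1000, [], ("remove", "PART1"), None),
    (2000, [], ("remove", "PART2"), None),
    (3000, [], ("remove", "PART3"), None),
    (1000, [], ("set", "PART1"), None),
    (2000, [], ("set", "PART2"), None),
    (3000, [], ("set", "PART3"), None),
    (22, [("PART1", WINDOW), ("PART2", WINDOW), ("PART3", WINDOW)], None, "ACCEPT"),
]

# 2. Same, plus boger's guard: a SYN on a neighbour of the first knock port forgets PART1.
GUARDED = [
    (999, [], ("remove", "PART1"), None),
    (1001, [], ("remove", "PART1"), None),
] + UNORDERED

# 3. Strictly ordered variant (my construction, not from the mails): knock N only counts
#    after knock N-1, and any other SYN from the source wipes its progress.
ORDERED = [
    (2000, [("S1", WINDOW)], ("set", "S2"), "DROP"),
    (3000, [("S2", WINDOW)], ("set", "S3"), "DROP"),
    (22, [("S3", WINDOW)], None, "ACCEPT"),
    (1000, [], ("remove", "S2"), None),
    (1000, [], ("remove", "S3"), None),
    (1000, [], ("set", "S1"), "DROP"),
    (None, [], ("remove", "S1"), None),
    (None, [], ("remove", "S2"), None),
    (None, [], ("remove", "S3"), None),
]

# Constructed traces: (seconds, dport) from one source, each ending with the SSH attempt.
RIGHT_ORDER = [(0, 1000), (1, 2000), (2, 3000), (3, 22)]
WRONG_ORDER = [(0, 3000), (1, 1000), (2, 2000), (3, 22)]
TOO_LATE = [(0, 1000), (1, 2000), (2, 3000), (40, 22)]
# A fast sweep over the neighbourhoods of the knock ports, then port 22.
SWEEP = [(i * 0.01, p) for i, p in enumerate(
    list(range(995, 1006)) + list(range(1995, 2006)) + list(range(2995, 3006)) + [22])]

if __name__ == "__main__":
    for label, rules in (("unordered", UNORDERED), ("guarded", GUARDED), ("ordered", ORDERED)):
        print(label, [replay(rules, t) for t in (RIGHT_ORDER, WRONG_ORDER, TOO_LATE, SWEEP)])
```

The replay shows what the prose of the two mails only hints at: the posted rules accept the knocks in any order and are opened by a quick sweep across the knock ports, boger's neighbour-port trick stops the sweep but not the ordering problem, and enforcing order needs a per-stage check plus a catch-all that forgets progress on any stray SYN (which, on a real host, should be restricted to a port range so ordinary traffic does not reset a legitimate knocker).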




* [gentoo-security] port knocking
@ 2005-10-11 18:00 boger
  0 siblings, 0 replies; 4+ messages in thread
From: boger @ 2005-10-11 18:00 UTC (permalink / raw
  To: gentoo-security


This is the result of last week's discussion about port knockers.
It's my second bash script (the first is my firewall), so any feedback will be appreciated ;)

usage: ./knocker.sh <config file name> [del]
The path to the config file is a constant in knocker.sh.
 del - is optional, simply deletes the target chain

The script has no limit on the knock sequence length, and demands stateful filtering enabled:
ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

 

[-- Attachment #2: knocker.sh --]
[-- Type: APPLICATION/OCTET-STREAM, Size: 2182 bytes --]

#!/bin/bash
# knocker.sh: build an iptables chain that lets a source address reach
# TARGET_PORT only after it has sent a SYN to every port in PORTS within
# TIME seconds. Usage: ./knocker.sh <config file name> [del]
IPTABLES="/sbin/iptables"
CONFIG_DIR="/root/knock/"
CHAIN_NAME=$1
CONFIG_FILE="${CONFIG_DIR}$1"

if [[ -z $CHAIN_NAME ]]; then
	echo "usage: $0 <config file name> [del]"
	exit 1
fi

#overrideable in config file
IFACE='eth0'
CURRENT_PORT=1
ENDING_PORT=65534
TARGET_PORT=22
TIME=60

ABUSE_PERIOD=180
ABUSE_HITCOUNT=20

# file exists
if [[ ! -f ${CONFIG_FILE} ]]; then
	echo " $CONFIG_FILE does not exist"
	exit 1
fi

# syntax (the config is plain bash and gets sourced, so only root may write it)
if ! source "${CONFIG_FILE}"; then
	echo "$CONFIG_FILE failed a sanity check"
	exit 1
fi

if [[ -z $PORTS ]]; then
	echo "$CONFIG_FILE sets no PORTS"
	exit 1
fi

# Helper function, very useful for debugging
ipt(){
	if ! "$IPTABLES" "$@"; then
		echo "$IPTABLES $*"
		echo "abnormal termination"
		exit 1
	fi
	if [[ $DEBUG == "ON" ]]; then
		echo "$*"
	fi
}

# found in emerge.sh; used to put the knock ports in ascending order,
# which the range arithmetic below relies on
sort() {
	LC_ALL=C /bin/sort "$@"
}
PORTS=$(printf '%s\n' $PORTS | sort -n | tr '\n' ' ')

#first, delete (possibly) existing rules
$IPTABLES -D INPUT -i "$IFACE" -p tcp --syn -j "$CHAIN_NAME" 2>/dev/null
$IPTABLES -F "$CHAIN_NAME" 2>/dev/null
$IPTABLES -X "$CHAIN_NAME" 2>/dev/null

#check if not just delete
if [[ $2 == "del" ]]; then
  echo "$CHAIN_NAME deleted"
  exit 0
fi

#create new chain
ipt -N "$CHAIN_NAME"

#first, send all incoming SYNs on $IFACE to this chain
ipt -I INPUT 1 -i "$IFACE" -p tcp --syn -j "$CHAIN_NAME"

#########################################################
# fill chain                                            #
#########################################################
# Every SYN to a port that is not a knock port is counted in the ABUSE list
# (TARGET_PORT itself included), so a scan that sweeps the knock ports is
# seen as abuse. A SYN to a knock port records the knock in its own list.
for a in $PORTS; do
	NAME="$CHAIN_NAME$a"
	PORT=$((a - 1))
	# skip the empty range between two adjacent knock ports
	if (( PORT >= CURRENT_PORT )); then
		ipt -A "$CHAIN_NAME" -p tcp --syn --dport "$CURRENT_PORT:$PORT" -m recent --set --name ABUSE
	fi
	ipt -A "$CHAIN_NAME" -p tcp --syn --dport "$a" -m recent --set --name "$NAME"
	CURRENT_PORT=$((a + 1))
done
#check last range
if (( CURRENT_PORT <= ENDING_PORT )); then
	ipt -A "$CHAIN_NAME" -p tcp --syn --dport "$CURRENT_PORT:$ENDING_PORT" -m recent --set --name ABUSE
fi

# check for abusers: ABUSE_HITCOUNT hits within ABUSE_PERIOD seconds means no entry
# (--hitcount may not exceed the ipt_recent ip_pkt_list_tot parameter, 20 by default)
ipt -A "$CHAIN_NAME" -p tcp --dport "$TARGET_PORT" -m recent --rcheck --seconds "$ABUSE_PERIOD" --hitcount "$ABUSE_HITCOUNT" --name ABUSE -j RETURN

# check all names are present: a knock not seen within TIME seconds sends the
# SYN back to INPUT, where the rest of the firewall has to drop it
for a in $PORTS; do
	NAME="$CHAIN_NAME$a"
	ipt -A "$CHAIN_NAME" -p tcp --dport "$TARGET_PORT" -m recent ! --rcheck --seconds "$TIME" --name "$NAME" -j RETURN
done
# finally allow target port
ipt -A "$CHAIN_NAME" -p tcp --dport "$TARGET_PORT" -j ACCEPT



[-- Attachment #3: test --]
[-- Type: APPLICATION/OCTET-STREAM, Size: 77 bytes --]

#!/bin/bash
PORTS="1000 2000 3000"

TARGET_PORT="22"

TIME="240"

DEBUG="ON"


* RE: [gentoo-security] port knocking
@ 2005-10-20 19:42 Jeff Gercken
  0 siblings, 0 replies; 4+ messages in thread
From: Jeff Gercken @ 2005-10-20 19:42 UTC (permalink / raw
  To: gentoo-security

My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(192.168.33.0/24), an entry for your IP address is added to iptables.
When you log out, the entry is removed.  I know it's ugly but it works
well.  If the script is restarted any existing iptables entries will
obviously get orphaned.  This only works because there is no dns
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#! /usr/bin/env python
# Poll `who` every few seconds. Anyone logged in over ssh from the wireless
# segment gets a FORWARD ACCEPT rule for their source address; the rule is
# removed again when they log out.
import subprocess
import time

# Dictionary value explanation (key is IP):
#   I = insert into iptables, user logged in
#   D = delete from iptables, user disconnected
#   L = don't do anything, user is still logged in
master = {}

# Raw string: in an ordinary Python string "\1" is the byte 0x01, not sed's
# back-reference, and the address would never be extracted.
WHO_CMD = r"who | grep 192.168.33 | sed 's/.*(\(.*\))/\1/g' | sort -u"

def iptables(*args):
    # argv list, no shell: the address is never re-parsed by a shell
    subprocess.call(["/sbin/iptables"] + list(args))

while True:
    for i in master:
        master[i] = "D"  # First assume everybody left
    logged_in = subprocess.check_output(WHO_CMD, shell=True, universal_newlines=True)
    for i in logged_in.splitlines():
        i = i.strip()
        if not i:
            continue
        if i in master:
            master[i] = "L"  # leave this IP in iptables (change "D" value)
        else:
            master[i] = "I"  # insert this IP in iptables (new key)
    for i in list(master):  # iterate over a copy: the loop deletes keys
        if master[i] == "L":
            print("ignoring IP: " + i)
        elif master[i] == "I":
            print("new IP: " + i)
            iptables("-I", "FORWARD", "-p", "all", "-s", i, "-j", "ACCEPT")
        else:
            print("removing IP: " + i)
            iptables("-D", "FORWARD", "-p", "all", "-s", i, "-j", "ACCEPT")
            del master[i]  # forget the address, or it is never re-inserted on the next login
    time.sleep(3)

+++++++++++++++++++++++++++++++++++++++++++++
Second Script:
This script is a bit more complicated.  An entry is added to iptables to
match icmp traffic to playboy.com and log it.  Syslog-ng will filter it.
The trigger in this script is playboy.com, and your mac address (grepped
from arp -a) is added to the iptables leaf wireless2net (I use shorewall).


#!/usr/bin/env python
# filename: /usr/sbin/portknock.py
import subprocess
import time

def sh(cmd):
    # run a pipeline and return its output; only the last command's exit status counts
    return subprocess.check_output(cmd, shell=True, universal_newlines=True)

print("Flush the iptables chain or create it if it doesn't exist")
subprocess.call("/sbin/iptables -F wless_portknock || /sbin/iptables -N wless_portknock", shell=True)
print("Check to see if chain is included in wireless2net chain")
if "wless_portknock" not in sh("/sbin/iptables -L wireless2net 2>/dev/null || true"):
    subprocess.call(["/sbin/iptables", "-I", "wireless2net", "2", "-j", "wless_portknock"])

print("starting loop")
master = {}
while True:
    # today's lines only (syslog "Mon dd" prefix); take the SRC= field by name rather
    # than as field 8, so a MAC= field or the space-padded day of %e does not shift it
    today = sh('grep "$(/usr/bin/date +"%b %e")" /var/log/portknock'
               ' | grep -o "SRC=[^ ]*" | cut -d "=" -f2 | sort -u')
    for r in today.splitlines():
        r = r.strip()
        if len(r) == 0:
            continue
        # match the whole address in its parentheses: a plain grep for
        # 192.168.33.1 would also hit the line for 192.168.33.10
        i = sh("arp -an | grep -F '(" + r + ")' | cut -d ' ' -f4").strip()
        if not i or i == "<incomplete>":
            continue  # no resolved ARP entry yet; try again next round
        if i in master:
            continue
        master[i] = ""
        print("adding mac " + i + " which belongs to IP " + r)
        subprocess.call(["/sbin/iptables", "-I", "wless_portknock", "-p", "all",
                         "-j", "ACCEPT", "-m", "mac", "--mac-source", i])
    time.sleep(3)

-----------------------------------------------
The relevant entry in the shorewall rules file

ACCEPT:info:pnoc        wireless        net:216.163.137.3       icmp

-----------------------------------------------
The relevant parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); };
filter f_portknock { match ("Shorewall:wireless2net:ACCEPT"); };
log { source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets truncated so syslog-ng never
sees it.

------------------------------------------------
At midnight cron runs the following reset script:

#!/bin/bash
# Truncate the log without leaving a newline behind (the daemon would read
# that as an empty address), then restart the daemon.
: > /var/log/portknock
pkill -f portknock.py
python /usr/sbin/portknock.py &

------------------------------------------------
Like I said, it's complicated.  Don't forget to touch /var/log/portknock

-Jeff 

-----Original Message-----
From: boger [mailto:boger@ttk.ru] 
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] port knocking

This is the result of last week's discussion about port knockers.
It's my second bash script (the first is my firewall), so any feedback
will be appreciated ;)

usage: ./knocker.sh <config file name> [del]
The path to the config file is a constant in knocker.sh.
 del - is optional, simply deletes the target chain

The script has no limit on the knock sequence length, and demands stateful
filtering enabled:
ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

 

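The log-to-MAC step of Jeff's second script, rewritten as pure functions over constructed input so the matching rules can be checked offline. This is an added example, not Jeff's code: the log lines, the `arp -an` output, the addresses and MACs are constructed, and the chain name is the one from his mail. It pulls the SRC= field by name, matches the address inside its parentheses so 192.168.33.1 never picks up 192.168.33.10, and skips unresolved ARP entries instead of turning them into an empty rule.

```python
"""Shorewall log -> ARP table -> --mac-source allow list, as pure functions.
Added example for the gentoo-security thread; not code from the thread."""
import re

# Constructed sample of /var/log/portknock: netfilter lines carrying the Shorewall
# prefix the syslog-ng filter routes there (hosts, addresses and MACs are made up).
LOG_TEXT = """\
Oct 20 14:02:11 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 SRC=192.168.33.10 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Oct 20 14:05:43 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 SRC=192.168.33.1 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Oct 19 23:59:58 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 SRC=192.168.33.25 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Oct 20 14:06:02 gw kernel: Shorewall:wireless2net:ACCEPT:IN=wlan0 OUT=eth0 SRC=192.168.33.10 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

# Constructed `arp -an` output for the wireless segment; one entry is unresolved.
ARP_TEXT = """\
? (192.168.33.1) at 00:11:22:33:44:01 [ether] on wlan0
? (192.168.33.10) at 00:11:22:33:44:10 [ether] on wlan0
? (192.168.33.25) at <incomplete> on wlan0
"""

TRIGGER = "Shorewall:wireless2net:ACCEPT:"
SRC_RE = re.compile(r"\bSRC=(\S+)")
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def src_ips_for_day(log_text, day):
    """Source addresses logged on `day` (syslog "Mon dd" prefix, e.g. "Oct 20").
    The SRC= field is taken by name, not as field 8, so an extra MAC= field or the
    space-padded day produced by date +%e cannot shift it."""
    ips = set()
    for line in log_text.splitlines():
        if not line.startswith(day + " ") or TRIGGER not in line:
            continue
        m = SRC_RE.search(line)
        if m:
            ips.add(m.group(1))
    return ips


def mac_for_ip(arp_text, ip):
    """MAC for `ip` from arp -an output, or None without a resolved entry.
    The address is compared in its parentheses: a substring search for
    192.168.33.1 would also hit the line for 192.168.33.10."""
    needle = "(" + ip + ")"
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == needle:
            mac = fields[3].lower()
            return mac if MAC_RE.match(mac) else None   # "<incomplete>" -> None
    return None


def plan_mac_allows(log_text, arp_text, day, already_allowed):
    """(ip, mac) pairs that still need a --mac-source ACCEPT rule for `day`."""
    plan = []
    for ip in sorted(src_ips_for_day(log_text, day)):
        mac = mac_for_ip(arp_text, ip)
        if mac is None or mac in already_allowed:
            continue
        plan.append((ip, mac))
    return plan


def iptables_args(mac, chain="wless_portknock"):
    """argv for the insert, as a list so no shell quoting is involved."""
    return ["/sbin/iptables", "-I", chain, "-m", "mac", "--mac-source", mac, "-j", "ACCEPT"]


if __name__ == "__main__":
    for ip, mac in plan_mac_allows(LOG_TEXT, ARP_TEXT, "Oct 20", set()):
        print("adding mac %s which belongs to IP %s: %s" % (mac, ip, " ".join(iptables_args(mac))))
```

The day filter is what makes the midnight reset work: yesterday's trigger from 192.168.33.25 is ignored, and its ARP entry is unresolved anyway, so nothing is added for it. Keep in mind that the resulting rule keys on a MAC address, which anyone on the same wireless segment can copy, so this gates convenience rather than authenticating a host.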





Thread overview: 4+ messages
2005-10-20 19:42 [gentoo-security] port knocking Jeff Gercken
  -- strict thread matches above, loose matches on Subject: below --
2005-10-11 18:00 boger
2005-10-02 21:10 [gentoo-security] [OT?] automatically firewalling off IPs Jeremy Brake
2005-10-02 21:19 ` MaxieZ
2005-10-03 13:01   ` David vasil
2005-10-03 13:18     ` rpfc
2005-10-03 17:06       ` Kirk Hoganson
2005-10-04 16:25         ` boger
2005-10-04 17:16           ` Kirk Hoganson
2005-10-04 19:45             ` [gentoo-security] Port knocking Tobias Sager
2005-10-04 20:20               ` boger
