Hello Tobias,

TS> That's a possibility I once saw on slashdot:

TS> iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
TS> iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
TS> iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name PART1 \
TS>   -m recent --rcheck --seconds 30 --name PART2 \
TS>   -m recent --rcheck --seconds 30 --name PART3 -j ACCEPT

It's the best :)
I'll add some protection against plain port scans:

iptables -A INPUT -p tcp --dport 999 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 1001 -m recent --remove --name PART1
...

TS> There are numerous knock, knock implementations listed at:
TS> http://www.portknocking.org/view/implementations/implementations

I found this page not long ago; the most promising are temprules. I'm currently experimenting with them.

TS> IMHO, the problem with "normal" port knocking tools is the dependency on
TS> client software. I would prefer a solution which can be used without
TS> (too much) hassle (e.g. using telnet and then putty or such).
TS> This evidently is not possible when using more sophisticated port
TS> knocking with timing or specially crafted / encrypted packets, unless
TS> you have a really good feel for timing.. ;-)
Same for me ;)
or even a web browser: http://somehost:123

-- 
Best regards,
boger mailto:boger@×××.ru

-- 
gentoo-security@g.o mailing list
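Added as a worked example, not part of the original mail and not the slashdot rules or boger's own: a POSIX shell script that generates the same xt_recent knock sequence and extends it in two ways the thread only hints at. The decoy-port idea boger sketches for port 1000 is applied to every stage, and each stage is chained on the previous one so the knocks must arrive in order. It assumes iptables with the recent match, a DROP policy on INPUT with an earlier ESTABLISHED,RELATED accept rule, and the names IPT, WINDOW, SERVICE_PORT, knock_rules and knock, all chosen for this example.

```sh
#!/bin/sh
# Added example (not the rules quoted from slashdot, nor boger's own): a
# generator for an xt_recent port-knock sequence, so the ports, the time
# window and the decoy ports live in one place.
# Assumptions made here: iptables with the recent match is available; INPUT
# has a DROP policy and an earlier "-m state --state ESTABLISHED,RELATED
# -j ACCEPT" rule keeps accepted sessions alive; IPT, WINDOW, SERVICE_PORT,
# knock_rules and knock are names chosen for this example.
# Usage: "sh knock.sh apply" (as root) loads the rules; no argument prints them.

IPT="${IPT:-iptables}"               # set IPT=echo for a dry run
WINDOW="${WINDOW:-30}"               # seconds a completed knock stays valid
SERVICE_PORT="${SERVICE_PORT:-22}"   # port opened by a successful knock

# knock_rules PORT1 PORT2 ...
# Stage i puts the source address into list PARTi, but only when the source
# finished stage i-1 within WINDOW seconds, so the knocks must arrive in order.
# Each knock port gets two decoy neighbours (port-1 and port+1) whose only
# effect is to erase that stage: a plain sequential scan walking through the
# knock port hits the neighbour next and wipes its own progress. Knock ports
# should therefore lie at least two apart and not next to SERVICE_PORT.
knock_rules() {
    i=0
    prev=""
    for port in "$@"; do
        i=$((i + 1))
        name="PART$i"
        # Decoy neighbours: a SYN here removes the source from this stage.
        $IPT -A INPUT -p tcp --syn --dport "$((port - 1))" -m recent --remove --name "$name"
        $IPT -A INPUT -p tcp --syn --dport "$((port + 1))" -m recent --remove --name "$name"
        if [ -z "$prev" ]; then
            # First stage: any SYN to the port records the source.
            $IPT -A INPUT -p tcp --syn --dport "$port" -m recent --set --name "$name"
        else
            # Later stages: one -m recent instance per list. --rcheck tests
            # membership without refreshing the entry; --set records this stage.
            $IPT -A INPUT -p tcp --syn --dport "$port" \
                -m recent --rcheck --seconds "$WINDOW" --name "$prev" \
                -m recent --set --name "$name"
        fi
        prev="$name"
    done
    # Open the service only to sources that completed the last stage recently.
    # The rule has no side effect on the lists, so connecting does not extend
    # the window; after WINDOW seconds a fresh knock is needed for new sessions.
    $IPT -A INPUT -p tcp --syn --dport "$SERVICE_PORT" \
        -m recent --rcheck --seconds "$WINDOW" --name "$prev" -j ACCEPT
}

# knock HOST PORT1 PORT2 ...  (client side, no dedicated software)
# The server drops every knock SYN, so each nc attempt just waits out its
# 1 s timeout; telnet, or a browser opening http://HOST:PORT for each port in
# order, does the same job. nc -z/-w as in OpenBSD and GNU netcat is assumed.
knock() {
    host="$1"
    shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" 2>/dev/null
    done
    return 0
}

if [ "${1:-}" = "apply" ]; then
    knock_rules 1000 2000 3000
else
    IPT=echo
    knock_rules 1000 2000 3000       # dry run: print the rules that would be loaded
fi
```

The final check uses one -m recent instance per list: the recent match takes a single --name, so writing `--name PART1 --name PART2 --name PART3` on one match does not test three lists. With IPT=echo the script prints the rules instead of loading them, which is also how the generated sequence can be reviewed without root.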