My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(192.168.33.0/24), an entry for your IP address is added to iptables.
When you log out, the entry is removed. I know it's ugly but it works
well. If the script is restarted any existing iptables entries will
obviously get orphaned. This only works because there is no DNS
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#! /usr/bin/env python
import os, time

# Dictionary value explanation (key is IP)
#   I = insert into iptables, user logged in
#   D = delete from iptables, user disconnected
#   L = don't do anything, user is still logged in
master = {}
while 1:
    for i in master.keys():
        master[i] = "D"   # First assume everybody left
    # Source addresses of the current wireless logins, taken from the
    # "(host)" column of `who`. Raw string so that \( and \1 reach sed
    # intact; in a plain Python string "\1" is an octal escape (chr(1))
    # and the backreference is lost.
    loggedIn = os.popen(r"who | grep 192.168.33 | sed 's/.*(\(.*\))/\1/g' | sort -u")
    for i in loggedIn.readlines():
        i = i.strip()
        if master.has_key(i):
            master[i] = "L"   # leave this IP in iptables (change "D" value)
        else:
            master[i] = "I"   # insert this IP in iptables (new key)
    for i in master.keys():   # keys() is a list in Python 2, so deleting below is safe
        if master[i] == 'L':
            print 'ignoring IP: ' + i
            continue
        elif master[i] == 'I':
            print 'new IP: ' + i
            os.popen("/sbin/iptables -I FORWARD -p all -s " + i + " -j ACCEPT")
        else:
            print 'removing IP: ' + i
            os.popen("/sbin/iptables -D FORWARD -p all -s " + i + " -j ACCEPT")
            # Forget the address once its rule is gone; otherwise the delete is
            # retried every pass and a returning user is treated as still allowed.
            del master[i]
    time.sleep(3)

+++++++++++++++++++++++++++++++++++++++++++++
Second Script:
This script is a bit more complicated. An entry is added to iptables to
match icmp traffic to playboy.com and log it. Syslog-ng will filter
The trigger in this script is playboy.com and your MAC address (grepped from
arp -a) is added to the iptables leaf wireless2net (I use shorewall).

#!/bin/env python
# filename: /usr/sbin/portknock.py
import os, time

print "Flush the iptables chain or create it if it doesn't exist"
a = os.popen('/sbin/iptables -F wless_portknock || /sbin/iptables -N wless_portknock')
print "Check to see if chain is included in wireless2net chain"
if os.popen('/sbin/iptables -L wireless2net | grep wless_portknock').readlines() == []:
    os.popen('/sbin/iptables -I wireless2net 2 -j wless_portknock')

print 'starting loop'
master = {}
while 1:
    # Source addresses (SRC= field) logged today by the Shorewall rule
    for r in os.popen('grep "`/usr/bin/date +"%b %e"`" /var/log/portknock | cut -d " " -f8 | cut -d "=" -f2 | sort -u').readlines():
        r = r.strip()
        if len(r) == 0: continue
        # Look the MAC up in the arp cache. Match the address inside its
        # parentheses with -F so 192.168.33.1 cannot match 192.168.33.10
        # and the dots are not treated as wildcards.
        i = os.popen('arp -an | grep -F "(' + r + ')" | cut -d " " -f4').readline()
        i = i.strip()
        if len(i) == 0 or i == '<incomplete>': continue   # no usable arp entry
        if master.has_key(i): continue
        else:
            master[i] = ''
            print 'adding mac ' + i + ' which belongs to IP ' + r
            a3 = os.popen("/sbin/iptables -I wless_portknock -p all -j ACCEPT -m mac --mac-source " + i)
    time.sleep(3)

-----------------------------------------------
The relevant entry in the shorewall rules file

ACCEPT:info:pnoc    wireless    net:216.163.137.3    icmp

-----------------------------------------------
The relevant parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); };
filter f_portknock { match("Shorewall:wireless2net:ACCEPT"); };
log { source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets truncated so syslog-ng never
sees it.

------------------------------------------------
At midnight cron runs the following reset script:

#!/bin/bash
echo > /var/log/portknock
kill `pgrep -f portknock.py`
python /usr/sbin/portknock.py &

------------------------------------------------
Like I said, it's complicated. Don't forget to touch /var/log/portknock

-Jeff
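Added example, not part of Jeff's post: a Python 3 version of the first script's polling logic. It keeps the same idea (poll `who`, allow what is logged in, remove what is gone) but validates every source as an IPv4 address inside 192.168.33.0/24 before it is used, so a resolved hostname or anything else `who` prints can never become part of a command; it passes iptables an argument list instead of a shell string, drops an address from the state table once its rule is deleted so a returning user gets a fresh rule, and uses a dedicated chain that is flushed at start so a restart does not leave orphaned rules. The chain name wless_login is an assumption (it would have to be referenced from FORWARD for the wireless segment), the `who` output is constructed, and DRY_RUN prints the commands instead of running them.

```python
import ipaddress
import re
import subprocess

WIRELESS_NET = ipaddress.ip_network("192.168.33.0/24")
CHAIN = "wless_login"   # assumed dedicated chain, not the post's FORWARD rule
DRY_RUN = True          # set False on the gateway to actually call iptables

# `who` prints the remote end in parentheses at the end of each line.
WHO_RE = re.compile(r"\(([^()]*)\)\s*$")


def parse_who_sources(who_output, net=WIRELESS_NET):
    """Set of login sources that are literal IPv4 addresses inside net.

    A resolved hostname, a local tty without a remote end, or an address
    from another subnet is dropped, so only validated strings reach iptables.
    """
    sources = set()
    for line in who_output.splitlines():
        m = WHO_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue          # hostname or garbage: never used as an argument
        if addr.version == 4 and addr in net:
            sources.add(str(addr))
    return sources


def reconcile(allowed, logged_in):
    """Return (addresses to add, addresses to remove), both sorted."""
    return sorted(logged_in - allowed), sorted(allowed - logged_in)


def iptables_argv(action, addr, chain=CHAIN):
    """iptables command as an argument list: no shell, no quoting problems."""
    if action not in ("-A", "-D"):
        raise ValueError(action)
    return ["/sbin/iptables", action, chain, "-s", addr, "-j", "ACCEPT"]


def startup_argv(chain=CHAIN):
    """Run once at start: create the chain if missing, then flush it so
    rules left behind by a previous run do not linger."""
    return [["/sbin/iptables", "-N", chain], ["/sbin/iptables", "-F", chain]]


def run(argv):
    if DRY_RUN:
        print(" ".join(argv))
        return 0
    return subprocess.run(argv, check=False).returncode


def apply_changes(allowed, who_output):
    """One polling round; returns the new allowed set after issuing commands."""
    logged_in = parse_who_sources(who_output)
    to_add, to_remove = reconcile(allowed, logged_in)
    for addr in to_add:
        run(iptables_argv("-A", addr))
    for addr in to_remove:
        run(iptables_argv("-D", addr))
    return logged_in


# Constructed `who` output: one wireless login (twice), a resolved hostname,
# a local console login and an address from another subnet.
SAMPLE_WHO = """\
jeff     pts/0        Oct 11 14:00 (192.168.33.5)
jeff     pts/1        Oct 11 14:02 (laptop.example.net)
root     tty1         Oct 11 09:15
guest    pts/2        Oct 11 14:05 (10.0.0.7)
jeff     pts/3        Oct 11 14:06 (192.168.33.5)
"""

if __name__ == "__main__":
    for argv in startup_argv():
        run(argv)
    allowed = apply_changes(set(), SAMPLE_WHO)   # adds 192.168.33.5 only
    allowed = apply_changes(allowed, "")          # everybody left: removes it
```

In the real loop `who_output` comes from `subprocess.run(["who"], capture_output=True, text=True).stdout` every few seconds; only the parsing and the argument-list construction are the point here.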

-----Original Message-----
From: boger [mailto:boger@×××.ru]
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security@l.g.o
Subject: [gentoo-security] port knocking

This is the result of last week's discussion about port knockers.
It's my second bash script (first is my firewall), so any feedback will
be appreciated ;)

usage: ./knocker.sh <config file name> del
Path to config file is constant in knocker.sh.
del - is optional, simply deletes target chain

script has no limits on knock sequences, and demands stateful filtering
enabled
ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

--
gentoo-security@g.o mailing list
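Added example, not from either post: the log-and-arp half of Jeff's second script done with explicit parsing instead of cut/grep. It pulls SRC= out of the Shorewall log line by name (with `cut -d " " -f8` the field position can shift on days syslog writes as "Oct  1", since the padding space becomes an extra empty field), matches the IP in `arp -an` output exactly (a bare `grep 192.168.33.1` also matches 192.168.33.10 and treats the dots as wildcards), skips `<incomplete>` entries instead of producing a rule with a bad --mac-source, and only accepts addresses from the wireless segment. The chain name wless_portknock and the log tag are the ones in the post; the log and arp lines are constructed; commands are returned as argument lists rather than executed.

```python
import ipaddress
import re

WIRELESS_NET = ipaddress.ip_network("192.168.33.0/24")
CHAIN = "wless_portknock"        # chain name from the post
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
# netfilter log lines carry key=value pairs; take SRC= wherever it sits.
SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")
# `arp -an` line shape: ? (192.168.33.5) at 00:11:22:33:44:55 [ether] on eth1
ARP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9a-fA-F:]{17}|<incomplete>)")


def knock_sources(log_text, tag="Shorewall:wireless2net:ACCEPT", net=WIRELESS_NET):
    """Addresses that hit the logging rule, restricted to the wireless segment."""
    hits = set()
    for line in log_text.splitlines():
        if tag not in line:
            continue
        m = SRC_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue
        if addr in net:
            hits.add(str(addr))
    return hits


def parse_arp(arp_text):
    """Map IP -> lowercase MAC from `arp -an`, skipping incomplete entries."""
    table = {}
    for line in arp_text.splitlines():
        m = ARP_RE.search(line)
        if not m or m.group(2) == "<incomplete>":
            continue
        table[m.group(1)] = m.group(2).lower()
    return table


def allow_rules(knockers, arp_table, already, chain=CHAIN):
    """(iptables argv per newly seen MAC, updated set of MACs already allowed)."""
    cmds = []
    seen = set(already)
    for ip in sorted(knockers):
        mac = arp_table.get(ip)
        if mac is None or not MAC_RE.match(mac) or mac in seen:
            continue
        seen.add(mac)
        cmds.append(["/sbin/iptables", "-I", chain, "-m", "mac",
                     "--mac-source", mac, "-j", "ACCEPT"])
    return cmds, seen


# Constructed log lines: two knocks, one unrelated DROP on the same chain,
# one ACCEPT from a different chain. Note the double space in "Oct  1".
SAMPLE_LOG = """\
Oct  1 00:03:12 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.33.5 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8
Oct  1 00:03:13 gw kernel: Shorewall:wireless2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.33.7 DST=192.0.2.9 LEN=60 PROTO=TCP
Oct  1 00:04:40 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.33.12 DST=216.163.137.3 LEN=84 PROTO=ICMP TYPE=8
Oct  1 00:05:02 gw kernel: Shorewall:net2fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.4 DST=198.51.100.1 PROTO=TCP
"""
# Constructed arp cache: one complete entry for a knocker, one incomplete,
# one unrelated host.
SAMPLE_ARP = """\
? (192.168.33.5) at 00:11:22:33:44:55 [ether] on eth1
? (192.168.33.12) at <incomplete> on eth1
? (192.168.33.50) at AA:BB:CC:DD:EE:FF [ether] on eth1
"""

if __name__ == "__main__":
    cmds, seen = allow_rules(knock_sources(SAMPLE_LOG), parse_arp(SAMPLE_ARP), set())
    for argv in cmds:
        print(" ".join(argv))   # one rule, for 00:11:22:33:44:55
```

In a daemon the two parse steps run on each pass with fresh file and `arp -an` output, and `seen` carries over between passes exactly like the post's `master` dict; 192.168.33.12 gets its rule on a later pass once its arp entry is complete.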