Gentoo Archives: gentoo-security

From: Jeff Gercken <JeffG@×××××.com>
To: gentoo-security@l.g.o
Subject: RE: [gentoo-security] port knocking
Date: Thu, 20 Oct 2005 19:53:59
Message-Id: EDF30175FE4D804B83444FB153172A507ED2D5@louexch.KiZAN.net
My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(192.168.33.0/24), an entry for your IP address is added to iptables.
When you log out, the entry is removed. I know it's ugly but it works
well. If the script is restarted any existing iptables entries will
obviously get orphaned. This only works because there is no DNS
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#! /usr/bin/env python
import os, time

# Dictionary value explanation (key is IP):
#   I = insert into iptables, user logged in
#   D = delete from iptables, user disconnected
#   L = don't do anything, user is still logged in
master = {}
while 1:
    for i in master.keys():
        master[i] = "D"  # First assume everybody left
    # Raw string: in a normal string Python turns "\1" into a control character
    loggedIn = os.popen(r"who | grep 192.168.33 | sed 's/.*(\(.*\))/\1/g' | sort -u")
    for i in loggedIn.readlines():
        i = i.strip()
        if i in master:
            master[i] = "L"  # leave this IP in iptables (change "D" value)
        else:
            master[i] = "I"  # insert this IP in iptables (new key)
    for i in list(master.keys()):
        if master[i] == 'L':
            print('ignoring IP: ' + i)
            continue
        elif master[i] == 'I':
            print('new IP: ' + i)
            os.system("/sbin/iptables -I FORWARD -p all -s " + i + " -j ACCEPT")
        else:
            print('removing IP: ' + i)
            os.system("/sbin/iptables -D FORWARD -p all -s " + i + " -j ACCEPT")
            del master[i]  # forget the IP, so a later login inserts the rule again
    time.sleep(3)

+++++++++++++++++++++++++++++++++++++++++++++
Second Script:
This script is a bit more complicated. An entry is added to iptables to
match icmp traffic to playboy.com and log it. Syslog-ng will filter it. The
trigger in this script is playboy.com, and your MAC address (grepped from
arp -a) is added to the iptables leaf wireless2net (I use shorewall).


#!/usr/bin/env python
# filename: /usr/sbin/portknock.py
import os, time

print("Flush the iptables chain or create it if it doesn't exist")
os.system('/sbin/iptables -F wless_portknock || /sbin/iptables -N wless_portknock')
print("Check to see if chain is included in wireless2net chain")
if os.popen('/sbin/iptables -L wireless2net | grep wless_portknock').readlines() == []:
    os.system('/sbin/iptables -I wireless2net 2 -j wless_portknock')

print('starting loop')
master = {}
while 1:
    # Today's log lines only (syslog dates look like "Oct 20" or "Oct  3");
    # pull the SRC=<ip> token by name rather than by field position, which
    # shifts on single-digit days because of the padding space
    for r in os.popen('grep "`/usr/bin/date +"%b %e"`" /var/log/portknock | grep -o "SRC=[0-9.]*" | cut -d "=" -f2 | sort -u').readlines():
        r = r.strip()  # strip before the empty check, or "\n" slips through
        if len(r) == 0: continue
        # Match the bracketed IP exactly, so 192.168.33.1 does not also hit 192.168.33.10
        i = os.popen('arp -an | grep -F "(' + r + ')" | cut -d " " -f4').readline()
        i = i.strip()
        if not i or i in master: continue  # no ARP entry yet, or MAC already allowed
        master[i] = ''
        print('adding mac ' + i + ' which belongs to IP ' + r)
        os.system("/sbin/iptables -I wless_portknock -p all -j ACCEPT -m mac --mac-source " + i)
    time.sleep(3)

-----------------------------------------------
The relevant entry in the shorewall rules file

#ACTION            SOURCE      DEST                 PROTO
ACCEPT:info:pnoc   wireless    net:216.163.137.3    icmp

-----------------------------------------------
The relevant parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); };
filter f_portknock { match ("Shorewall:wireless2net:ACCEPT"); };
log { source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets truncated so syslog-ng never
sees it.

------------------------------------------------
At midnight cron runs the following reset script:

#!/bin/bash
# Empty the knock log and restart the daemon; it flushes wless_portknock on
# startup, so yesterday's MAC addresses lose access
echo > /var/log/portknock
kill `pgrep -f portknock.py`
python /usr/sbin/portknock.py &

------------------------------------------------
Like I said, it's complicated. Don't forget to touch /var/log/portknock.

-Jeff
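
The log-parsing step of the second script, as an added Python 3 example (not Jeff's code): netfilter LOG lines carry a MAC= field whose bytes 6 to 11 are the sender's hardware address, so the MAC can be read from the same line that recorded the knock instead of a separate arp lookup, and the date filter and prefix match replace the grep/cut pipeline. The log lines, hosts and addresses below are constructed; the Shorewall prefix is the one the syslog-ng filter above matches.

```python
import re
from datetime import date

# Constructed sample of /var/log/portknock: netfilter LOG lines written by the
# Shorewall rule (hosts, MACs and IPs are made up). Two knocks from .7 today,
# one from .12 yesterday, and one unrelated DROP line that must be ignored.
SAMPLE_LOG = """\
Oct 20 19:40:01 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.33.7 DST=216.163.137.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=1
Oct 20 19:40:02 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:aa:bb:cc:dd:ee:ff:08:00 SRC=192.168.33.7 DST=216.163.137.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4711 SEQ=2
Oct 19 23:59:58 gw kernel: Shorewall:wireless2net:ACCEPT:IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 SRC=192.168.33.12 DST=216.163.137.3 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=99 SEQ=1
Oct 20 19:41:00 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=40000 DPT=22
"""

KV = re.compile(r"(\w+)=(\S*)")  # key=value tokens of a netfilter LOG line

def knocks(log_text, prefix="Shorewall:wireless2net:ACCEPT:", today=None):
    """Map source IP -> source MAC for today's lines carrying the log prefix.

    today is the syslog-style date ("%b %e", e.g. "Oct 20" or "Oct  3"); it
    defaults to the current day, which is what the midnight reset relies on.
    """
    if today is None:
        today = date.today().strftime("%b %e")
    seen = {}
    for line in log_text.splitlines():
        if not line.startswith(today + " ") or prefix not in line:
            continue
        fields = dict(KV.findall(line.split(prefix, 1)[1]))
        src = fields.get("SRC")
        octets = fields.get("MAC", "").split(":")
        # MAC= is dst(6):src(6):ethertype(2); only a 14-part value is trusted,
        # anything else (e.g. a locally generated packet) is skipped
        if not src or len(octets) != 14:
            continue
        seen.setdefault(src, ":".join(octets[6:12]))  # first knock wins
    return seen

def mac_rules(knocked, chain="wless_portknock"):
    """Build the iptables commands the second script runs, one per new MAC."""
    return ["/sbin/iptables -I %s -p all -j ACCEPT -m mac --mac-source %s" % (chain, mac)
            for mac in sorted(set(knocked.values()))]

if __name__ == "__main__":
    for cmd in mac_rules(knocks(SAMPLE_LOG, today="Oct 20")):
        print(cmd)
```

The returned dictionary is what the second script's master dict would hold after one pass, so the "already allowed" check becomes a set membership test on MACs rather than a repeated arp query.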

-----Original Message-----
From: boger [mailto:boger@×××.ru]
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security@l.g.o
Subject: [gentoo-security] port knocking

This is the result of last week's discussion about port knockers.
It's my second bash script (the first is my firewall), so any feedback will
be appreciated ;)

usage: ./knocker.sh <config file name> del
Path to config file is constant in knocker.sh.
del - is optional, simply deletes target chain

The script has no limits on knock sequences, and demands stateful filtering
enabled:
ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT



--
gentoo-security@g.o mailing list