Gentoo Archives: gentoo-security

From: Tobias Sager <moixa@×××.ch>
To: gentoo-security@l.g.o
Subject: [gentoo-security] Port knocking
Date: Tue, 04 Oct 2005 19:51:42
Message-Id: 4342DBEF.7050907@gmx.ch
In Reply to: Re: [gentoo-security] [OT?] automatically firewalling off IPs by Kirk Hoganson
On 2005-10-04 19:16 Kirk Hoganson wrote the following:
> Yes, there are. I use one for my work servers that is iptables based.
> I don't have any links for you unfortunately but I have seen them. If
> you are really interested I can probably track down one I saw that used
> iptables and was a combination style. I also know of an open source
> "magic packet" style that I could probably find a link for if you were
> interested.

That's a possibility I once saw on Slashdot:

# A hit on a knock port clears and re-creates the source address in that
# port's list; port 22 is accepted only while all three lists still hold
# the address (seen within the last 30 seconds).
iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
# Each -m recent instance takes exactly one --name, so the final check
# needs one instance per list.
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 --name PART1 \
    -m recent --rcheck --seconds 30 --name PART2 \
    -m recent --rcheck --seconds 30 --name PART3 -j ACCEPT

I have not tested if this works, but it looks plausible to me.
Please note this security flaw (fixed in 2.6.14) in ipt_recent:
http://blog.blackdown.de/2005/05/09/fixing-the-ipt_recent-netfilter-module/

From the same guy, a shorewall solution for SSH attacks:
http://blog.blackdown.de/2005/02/18/mitigating-ssh-brute-force-attacks-with-ipt_recent/


There are numerous knock-knock implementations listed at:
http://www.portknocking.org/view/implementations/implementations


IMHO, the problem with "normal" port knocking tools is the dependency on
client software. I would prefer a solution which can be used without
(too much) hassle (e.g. using telnet and then PuTTY or such).
This evidently is not possible when using more sophisticated port
knocking with timing or specially crafted / encrypted packets, unless
you have a really good feel for timing.. ;-)

Cheers
Tobias

--
GPG-Key 0xEF37FF28 - 1024/4096 DSA/ELG-E - 16.11.2001
Fingerprint: 3C4B 155F 2621 CEAF D3A6 0CCB 937C 9597 EF37 FF28
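An added example, not part of Tobias's mail or of the Slashdot rules it quotes: the same ipt_recent mechanism, but with the stages chained so the knocks must arrive in the given order, a reset for any stray SYN, and a client side that needs nothing beyond bash and coreutils (the "no client software" preference from the mail). The knock ports 1000/2000/3000, the list names KNOCK1..3, the 30 second window and the script name knock.sh are assumed values.

```shell
#!/bin/sh
# Added example (not from the original mail or the Slashdot post it quotes).
# Ordered port knocking with ipt_recent: stage N is recorded only for a source
# address that passed stage N-1 within WINDOW seconds, so the knocks must
# arrive in order; any other SYN from that address clears its progress.
# Port numbers, list names and the window are assumed values.
KNOCK_SEQ="${KNOCK_SEQ:-1000 2000 3000}"   # knock ports, in order
PROTECTED_PORT="${PROTECTED_PORT:-22}"      # port opened after a correct sequence
WINDOW="${WINDOW:-30}"                      # seconds allowed between steps

# Run an iptables command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

knock_rules() {
    # Packets of already-accepted connections never touch the knock logic;
    # the final ACCEPT below matches only the SYN.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    stage=0
    prev=""
    for port in $KNOCK_SEQ; do
        stage=$((stage + 1))
        name="KNOCK$stage"
        if [ -z "$prev" ]; then
            # First knock: anyone may start a sequence.
            run -A INPUT -p tcp --syn --dport "$port" \
                -m recent --name "$name" --set -j DROP
        else
            # Later knocks count only if the previous stage was hit recently.
            # Two -m recent instances: each one takes a single --name.
            run -A INPUT -p tcp --syn --dport "$port" \
                -m recent --name "$prev" --rcheck --seconds "$WINDOW" \
                -m recent --name "$name" --set -j DROP
        fi
        prev="$name"
    done

    # Sequence completed within the window: let the SYN to the protected port in.
    run -A INPUT -p tcp --syn --dport "$PROTECTED_PORT" \
        -m recent --name "$prev" --rcheck --seconds "$WINDOW" -j ACCEPT

    # Any other SYN from the address clears its progress, one rule per list:
    # a --remove that finds nothing fails the match, so they cannot share a
    # rule. A sequential port scan therefore cannot stumble through the sequence.
    i=1
    while [ "$i" -le "$stage" ]; do
        run -A INPUT -p tcp --syn -m recent --name "KNOCK$i" --remove
        i=$((i + 1))
    done
}

# Client side with nothing but bash and coreutils: a SYN is enough, and since
# the knock ports are DROPped each connect simply times out after one second.
# Usage: knock <host>
knock() {
    host="$1"
    for port in $KNOCK_SEQ; do
        timeout 1 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    done
}

# sh knock.sh apply            -> load the rules (as root)
# DRY_RUN=1 sh knock.sh apply  -> print them instead
if [ "${1:-}" = apply ]; then
    knock_rules
fi
```

The rules assume an INPUT chain whose default policy drops what they do not accept. ipt_recent keys on the source address, so clients behind the same NAT share one sequence state, and the 2.6.14 fix mentioned in the mail still applies to the module itself. The knocks travel in the clear, which is exactly the weakness the "more sophisticated" tools address with crafted or encrypted packets.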

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-security] Port knocking boger <boger@×××.ru>