shorewall_code/Shorewall-docs2/PortKnocking.xml

259 lines
10 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Port Knocking and Other Uses of 'Recent Match'</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate>2005-12-06</pubdate>
<copyright>
<year>2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section>
<title>What is Port Knocking?</title>
<para>Port knocking is a technique whereby attempting to connect to port A
enables access to port B from that same host. For the example on which
this article is based, see <ulink
url="http://www.soloport.com/iptables.html">http://www.soloport.com/iptables.html</ulink>
which should be considered to be part of this documentation.</para>
</section>
<section>
<title>Implementing Port Knocking in Shorewall</title>
<para>In order to implement this solution, your iptables and kernel must
support the 'recent match' extension (see <ulink url="FAQ.htm#faq42">FAQ
42</ulink>). These instructions also assume Shorewall version 2.2.0 or
later.</para>
<para>In this example:</para>
<orderedlist>
<listitem>
<para>Attempting to connect to port 1600 enables SSH access. Access is
enabled for 60 seconds.</para>
</listitem>
<listitem>
<para>Attempting to connect to port 1601 disables SSH access (note
that in the article linked above, attempting to connect to port 1599
also disables access. This is an port scan defence as explained in the
article).</para>
</listitem>
</orderedlist>
<para>To implement that approach:</para>
<orderedlist>
<listitem>
<para>Add an action named SSHKnock (see the <ulink
url="Actions.html">Action documentation</ulink>). Leave the
<filename>action.SSHKnock</filename> file empty.</para>
</listitem>
<listitem>
<para>Create /etc/shorewall/SSHKnock with the following
contents:</para>
<programlisting>if [ -n "$LEVEL" ]; then
log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22
fi
run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP</programlisting>
</listitem>
<listitem>
<para>Now if you want to protect SSH access to the firewall from the
Internet, add this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
</listitem>
<listitem>
<para>If you wish to use SSHKnock with a forwarded connection, you
must be using Shorewall 2.3.1 or later for fullest protection. Assume
that you forward port 22 from external IP address 206.124.146.178 to
internal system 192.168.1.5. In /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
<note>
<para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
This rule will be quite secure provided that you specify 'norfc1918'
on your external interface.</para>
</note>
</listitem>
</orderedlist>
</section>
<section>
<title>Limiting Per-IP Connection Rate</title>
<para>Suppose that you wish to limit the number of connections to port 22
to 3/minute from individual internet hosts to the firewall.</para>
<orderedlist>
<listitem>
<para>Add an action named SSHLimit (see the <ulink
url="Actions.html">Action documentation</ulink>). Leave the
<filename>action.SSHLimit</filename> file empty.</para>
</listitem>
<listitem>
<para>Create /etc/shorewall/SSHLimit with the following
contents:</para>
<programlisting>run_iptables -A $CHAIN -m recent --name SSHA --set
if [ -n "$LEVEL" ]; then
run_iptables -N $CHAIN%
log_rule_limit $LEVEL $CHAIN% SSHLimit REJECT "" "" -A
run_iptables -A $CHAIN% -j reject
run_iptables -A $CHAIN -m recent --name SSHA --update --seconds 60 --hitcount 4 -j $CHAIN%
else
run_iptables -A $CHAIN -m recent --update --name SSHA --seconds 60 --hitcount 4 -j reject
fi
run_iptables -A $CHAIN -j ACCEPT</programlisting>
</listitem>
<listitem>
<para>Add this rule to /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHLimit net $FW tcp 22</programlisting>
<para>If you wish to log the rejects at the 'info' level then use this
rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHLimit:info net $FW tcp 22</programlisting>
</listitem>
<listitem>
<para>If you wish to use SSHLimit with a forwarded connection, you
must be using Shorewall 2.3.1 or later for fullest protection. Assume
that you forward port 22 from external IP address 206.124.146.178 to
internal system 192.168.1.5. In /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
SSHLimit net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
<note>
<para>You can use SSHLimit with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHLimit rule.
This rule will be quite secure provided that you specify 'norfc1918'
on your external interface.</para>
</note>
</listitem>
</orderedlist>
<para id="Limit">The above can be generalized into a flexible 'Limit'
target.</para>
<orderedlist>
<listitem>
<para>Add an action named Limit. Leave the action.Limit file
empty.</para>
</listitem>
<listitem>
<para>Create /etc/shorewall/Limit with the following contents:</para>
<programlisting>set -- $(separate_list $TAG)
run_iptables -A $CHAIN -m recent --name $1 --set
if [ -n "$LEVEL" ]; then
run_iptables -N $CHAIN%
log_rule_limit $LEVEL $CHAIN% $1 REJECT "" "" -A
run_iptables -A $CHAIN% -j reject
run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
else
run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j reject
fi
run_iptables -A $CHAIN -j ACCEPT</programlisting>
</listitem>
</orderedlist>
<para>Now if you want to limit the number of connections to port 22 to
3/munute from individual internet hosts to the filrewall, you can add this
rule:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>If you want rejected connections to be logged at the info level, use
this rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
<para>As you can see, you pass four pieces of information to the Limit
action:</para>
<itemizedlist>
<listitem>
<para>The log level. If you don't want to log, specify "none".</para>
</listitem>
<listitem>
<para>The name of the recent set that you want to use ("SSHA" in this
example).</para>
</listitem>
<listitem>
<para>The maximum number of connections to accept (3 in this
example).</para>
</listitem>
<listitem>
<para>The number of seconds over which you are willing to accept that
many connections (60 in this example).</para>
</listitem>
</itemizedlist>
</section>
</article>