mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-15 10:51:02 +01:00
357f02fc59
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3673 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
268 lines
10 KiB
XML
268 lines
10 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Port Knocking and Other Uses of 'Recent Match'</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2006-03-15</pubdate>
|
|
|
|
<copyright>
|
|
<year>2005</year>
|
|
|
|
<year>2006</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>What is Port Knocking?</title>
|
|
|
|
<para>Port knocking is a technique whereby attempting to connect to port A
|
|
enables access to port B from that same host. For the example on which
|
|
this article is based, see <ulink
|
|
url="http://www.soloport.com/iptables.html">http://www.soloport.com/iptables.html</ulink>
|
|
which should be considered to be part of this documentation.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Implementing Port Knocking in Shorewall</title>
|
|
|
|
<para>In order to implement this solution, your iptables and kernel must
|
|
support the 'recent match' extension (see <ulink url="FAQ.htm#faq42">FAQ
|
|
42</ulink>). These instructions also assume Shorewall version 2.2.0 or
|
|
later.</para>
|
|
|
|
<para>In this example:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Attempting to connect to port 1600 enables SSH access. Access is
|
|
enabled for 60 seconds.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Attempting to connect to port 1601 disables SSH access (note
|
|
that in the article linked above, attempting to connect to port 1599
|
|
also disables access. This is an port scan defence as explained in the
|
|
article).</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>To implement that approach:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Add an action named SSHKnock (see the <ulink
|
|
url="Actions.html">Action documentation</ulink>). Leave the
|
|
<filename>action.SSHKnock</filename> file empty.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Create /etc/shorewall/SSHKnock with the following
|
|
contents:</para>
|
|
|
|
<programlisting>if [ -n "$LEVEL" ]; then
|
|
log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
|
|
log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22
|
|
fi
|
|
run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT
|
|
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
|
|
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
|
|
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Now if you want to protect SSH access to the firewall from the
|
|
Internet, add this rule in
|
|
<filename>/etc/shorewall/rules</filename>:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
|
|
|
|
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
|
|
can just add a log level as in:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you wish to use SSHKnock with a forwarded connection, you
|
|
must be using Shorewall 2.3.1 or later for fullest protection. Assume
|
|
that you forward port 22 from external IP address 206.124.146.178 to
|
|
internal system 192.168.1.5. In /etc/shorewall/rules:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
|
# PORT(S) DEST
|
|
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
|
|
SSHKnock net $FW tcp 1599,1600,1601
|
|
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
|
|
|
|
<note>
|
|
<para>You can use SSHKnock with DNAT on earlier releases provided
|
|
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
|
|
This rule will be quite secure provided that you specify 'norfc1918'
|
|
on your external interface.</para>
|
|
</note>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Limiting Per-IP Connection Rate</title>
|
|
|
|
<para>Suppose that you wish to limit the number of connections to port 22
|
|
to 3/minute from individual internet hosts to the firewall.</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Add an action named SSHLimit (see the <ulink
|
|
url="Actions.html">Action documentation</ulink>). Leave the
|
|
<filename>action.SSHLimit</filename> file empty.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Create /etc/shorewall/SSHLimit with the following
|
|
contents:</para>
|
|
|
|
<programlisting>run_iptables -A $CHAIN -m recent --name SSHA --set
|
|
if [ -n "$LEVEL" ]; then
|
|
run_iptables -N $CHAIN%
|
|
log_rule_limit $LEVEL $CHAIN% SSHLimit REJECT "" "" -A
|
|
run_iptables -A $CHAIN% -j reject
|
|
run_iptables -A $CHAIN -m recent --name SSHA --update --seconds 60 --hitcount 4 -j $CHAIN%
|
|
else
|
|
run_iptables -A $CHAIN -m recent --update --name SSHA --seconds 60 --hitcount 4 -j reject
|
|
fi
|
|
run_iptables -A $CHAIN -j ACCEPT</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Add this rule to /etc/shorewall/rules:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
SSHLimit net $FW tcp 22</programlisting>
|
|
|
|
<para>If you wish to log the rejects at the 'info' level then use this
|
|
rule instead:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
SSHLimit:info net $FW tcp 22</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you wish to use SSHLimit with a forwarded connection, you
|
|
must be using Shorewall 2.3.1 or later for fullest protection. Assume
|
|
that you forward port 22 from external IP address 206.124.146.178 to
|
|
internal system 192.168.1.5. In /etc/shorewall/rules:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
|
# PORT(S) DEST
|
|
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
|
|
SSHLimit net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
|
|
|
|
<note>
|
|
<para>You can use SSHLimit with DNAT on earlier releases provided
|
|
that you omit the ORIGINAL DEST entry on the second SSHLimit rule.
|
|
This rule will be quite secure provided that you specify 'norfc1918'
|
|
on your external interface.</para>
|
|
</note>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para id="Limit">The above can be generalized into a flexible 'Limit'
|
|
target.</para>
|
|
|
|
<note>
|
|
<para>'Limit' as described here is included as a standard part of
|
|
Shorewall beginning with version 3.0.4. The following is included to
|
|
show how 'Limit' is implemented; if you are running Shorewall 3.0.4 or
|
|
later, you can omit the following two steps.</para>
|
|
</note>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Add an action named Limit. Leave the action.Limit file
|
|
empty.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Create /etc/shorewall/Limit with the following contents:</para>
|
|
|
|
<programlisting>set -- $(separate_list $TAG)
|
|
|
|
run_iptables -A $CHAIN -m recent --name $1 --set
|
|
|
|
if [ -n "$LEVEL" ]; then
|
|
run_iptables -N $CHAIN%
|
|
log_rule_limit $LEVEL $CHAIN% $1 REJECT "" "" -A
|
|
run_iptables -A $CHAIN% -j reject
|
|
run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
|
|
else
|
|
run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j reject
|
|
fi
|
|
|
|
run_iptables -A $CHAIN -j ACCEPT</programlisting>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>Now if you want to limit the number of connections to port 22 to
|
|
3/munute from individual internet hosts to the filrewall, you can add this
|
|
rule:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
|
|
|
|
<para>If you want rejected connections to be logged at the info level, use
|
|
this rule instead:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
|
|
|
|
<para>As you can see, you pass four pieces of information to the Limit
|
|
action:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The log level. If you don't want to log, specify "none".</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The name of the recent set that you want to use ("SSHA" in this
|
|
example).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The maximum number of connections to accept (3 in this
|
|
example).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The number of seconds over which you are willing to accept that
|
|
many connections (60 in this example).</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
</article> |