<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Port Knocking and Other Uses of 'Recent Match'</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2005</year>
<year>2006</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<note>
<para>The features described in this article require '<ulink
url="http://snowman.net/projects/ipt_recent/">Recent Match</ulink>' in
your iptables and kernel. See the output of <command>shorewall show
capabilities</command> to see if you have that match.</para>
</note>
<section id="What">
<title>What is Port Knocking?</title>
<para>Port knocking is a technique whereby attempting to connect to port A
enables access to port B from that same host. For the example on which
this article is based, see <ulink
url="http://www.soloport.com/iptables.html">http://www.soloport.com/iptables.html</ulink>
which should be considered to be part of this documentation.</para>
</section>
<section id="How">
<title>Implementing Port Knocking in Shorewall</title>
<para>In order to implement this solution, your iptables and kernel must
support the 'recent match' extension (see <ulink url="FAQ.htm#faq42">FAQ
42</ulink>).</para>
<para>In this example:</para>
<orderedlist>
<listitem>
<para>Attempting to connect to port 1600 enables SSH access. Access is
enabled for 60 seconds.</para>
</listitem>
<listitem>
<para>Attempting to connect to port 1601 disables SSH access (note
that in the article linked above, attempting to connect to port 1599
also disables access. This is a port scan defence as explained in the
article).</para>
</listitem>
</orderedlist>
<para>To implement that approach:</para>
<orderedlist>
<listitem>
<para>Add an action named SSHKnock (see the <ulink
url="Actions.html">Action documentation</ulink>). Leave the
<filename>action.SSHKnock</filename> file empty.</para>
</listitem>
<listitem>
<para>Create /etc/shorewall/SSHKnock with the following
contents.</para>
<para>If using Shorewall-shell:</para>
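<programlisting># SSHKnock action body for Shorewall-shell. $CHAIN is the action's chain;
# $LEVEL and $TAG come from the optional log level and log tag on the rule
# that invokes the action (e.g. "SSHKnock:info").
if [ -n "$LEVEL" ]; then
    # The ACCEPT log rule carries the same "--seconds 60" window as the
    # ACCEPT rule below, so a port-22 packet from a knock that has already
    # expired is not logged as ACCEPT while the rule below does not accept it.
    log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH
    # Every packet to a port other than 22 (the knock ports) is dropped below.
    log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22
fi
# SSH is accepted only from a source present in the SSH set within the
# last 60 seconds.
run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT
# 1600 adds the source to the set; 1599 and 1601 remove it (1599 is the
# port-scan defence described above). The knock packets themselves are
# always dropped.
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP</programlisting>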
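<para>If using Shorewall-perl:<programlisting>use Shorewall::Chains;

# SSHKnock action body for Shorewall-perl. $chainref is the action's chain;
# $level and $tag come from the optional log level and log tag on the rule
# that invokes the action (e.g. "SSHKnock:info").
if ( $level ) {
    # The ACCEPT log rule carries the same "--seconds 60" window as the
    # ACCEPT rule below, so a port-22 packet from a knock that has already
    # expired is not logged as ACCEPT while the rule below does not accept it.
    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'ACCEPT',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH ' );
    # Every packet to a port other than 22 (the knock ports) is dropped below.
    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'DROP',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport ! 22 ' );
}

# SSH is accepted only from a source present in the SSH set within the
# last 60 seconds.
add_rule( $chainref, '-p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT' );
# 1600 adds the source to the set; 1599 and 1601 remove it (1599 is the
# port-scan defence described above). The knock packets themselves are
# always dropped.
add_rule( $chainref, '-p tcp --dport 1599 -m recent --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 1600 -m recent --name SSH --set -j DROP' );
add_rule( $chainref, '-p tcp --dport 1601 -m recent --name SSH --remove -j DROP' );

1;</programlisting></para>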
</listitem>
<listitem>
<para>Now if you want to protect SSH access to the firewall from the
Internet, add this rule in
<filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
can just add a log level as in:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
</listitem>
<listitem>
<para>If you wish to use SSHKnock with a forwarded connection, you
must be using Shorewall 2.3.1 or later for fullest protection. Assume
that you forward port 22 from external IP address 206.124.146.178 to
internal system 192.168.1.5. In /etc/shorewall/rules:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
# PORT(S) DEST
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
SSHKnock net $FW tcp 1599,1600,1601
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
<note>
<para>You can use SSHKnock with DNAT on earlier releases provided
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
This rule will be quite secure provided that you specify 'norfc1918'
on your external interface.</para>
</note>
</listitem>
</orderedlist>
<para>For another way to implement Port Knocking, see the <ulink
url="ManualChains.html">Manual Chain</ulink> documentation.</para>
</section>
<section id="Limit">
<title>Limiting Per-IP Connection Rate</title>
<important>
<para>Debian users. This feature is broken in the Debian version 3.0.7
of Shorewall (and possibly in other versions). The file
<filename>/usr/share/shorewall/Limit</filename> was inadvertently
dropped from the .deb. That file may be obtained from <ulink
url="http://shorewall.svn.sourceforge.net/viewvc/*checkout*/shorewall/tags/3.0.7/Shorewall/Limit?revision=3888">Shorewall
SVN</ulink> and installed manually.</para>
</important>
<para>Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' <ulink
url="Actions.html">action</ulink>. Limit is invoked with a comma-separated
list in place of a logging tag. The list has three elements:</para>
<orderedlist>
<listitem>
<para>The name of a 'recent' set; you select the set name which must
conform to the rules for a valid chain name. Different rules that
specify the same set name will use the same set of counters.</para>
</listitem>
<listitem>
<para>The number of connections permitted in a specified time
period.</para>
</listitem>
<listitem>
<para>The time period, expressed in seconds.</para>
</listitem>
</orderedlist>
<para>Connections that exceed the specified rate are dropped.</para>
<para>For example, to use a recent set name of <emphasis
role="bold">SSHA</emphasis>, and to limit SSH to 3 per minute, use this
entry in <filename>/etc/shorewall/rules</filename>:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:none:SSHA,3,60 net $FW tcp 22</programlisting>
<para>If you want dropped connections to be logged at the info level, use
this rule instead:</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Limit:info:SSHA,3,60 net $FW tcp 22</programlisting>
<para>To summarize, you pass four pieces of information to the Limit
action:</para>
<itemizedlist>
<listitem>
<para>The log level. If you don't want to log, specify "none".</para>
</listitem>
<listitem>
<para>The name of the recent set that you want to use ("SSHA" in this
example).</para>
</listitem>
<listitem>
<para>The maximum number of connections to accept (3 in this
example).</para>
</listitem>
<listitem>
<para>The number of seconds over which you are willing to accept that
many connections (60 in this example).</para>
</listitem>
</itemizedlist>
<section id="LimitImp">
<title>How Limit is Implemented</title>
<para>For those who are curious, the Limit action is implemented in
Shorewall 3.0 and Shorewall 3.2 as follows:</para>
<itemizedlist>
<listitem>
<para>The file
<filename>/usr/share/shorewall/action.Limit</filename> is
empty.</para>
</listitem>
<listitem>
<para>The file <filename>/usr/share/shorewall/Limit</filename> is as
follows:</para>
<programlisting># Limit action body as shipped for Shorewall-shell (3.0/3.2). $TAG is the
# rule's log tag and is expected to hold three comma-separated fields:
# set name, max connections, interval. $CHAIN is the action's chain and
# $LEVEL the optional log level.
set -- $(separate_list $TAG)

# Only the field count is checked here. The second and third fields are not
# validated as numbers before they reach the arithmetic and the iptables
# command line below (the Shorewall-perl version of this action does check).
[ $# -eq 3 ] || fatal_error "Rule must include <set name>,<max connections>,<interval> as the log tag"

# Record the source of this connection in the named recent set.
run_iptables -A $CHAIN -m recent --name $1 --set

if [ -n "$LEVEL" ]; then
    # Logging requested: connections over the limit jump to a side chain
    # named after this one with a "%" suffix, which logs and then drops.
    run_iptables -N $CHAIN%
    log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
    run_iptables -A $CHAIN% -j DROP
    # --hitcount is one more than the permitted maximum; presumably because
    # the --set rule above already counts the current connection -- confirm
    # against the recent match documentation.
    run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
else
    # No logging: drop over-limit connections directly.
    run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
fi

# Everything under the limit is accepted.
run_iptables -A $CHAIN -j ACCEPT</programlisting>
</listitem>
</itemizedlist>
<para>In Shorewall 3.3, Limit is made into a built-in action; basically
that means that the above code now lives inside of Shorewall rather than
in a separate file.</para>
<para>For completeness, here's the above
<filename>/usr/share/shorewall/Limit</filename> for use with
Shorewall-perl:</para>
<programlisting># Limit action body for Shorewall-perl. $tag is the rule's log tag and must
# hold three comma-separated fields: set name, max connections, interval.
# $chainref is the action's chain and $level the optional log level.
my @tag = split /,/, $tag;

# The error text echoes the rule column as the user wrote it
# (Limit:level:tag) so the offending entry is easy to find.
fatal_error 'Limit rules must include <set name>,<max connections>,<interval> as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
    unless @tag == 3;

my $set = $tag[0];

# Max connections and interval are interpolated into iptables arguments
# below, so both must be unsigned integers.
# NOTE(review): /^\d+$/ also accepts a single trailing newline; \A\d+\z
# would be the strict form.
for ( @tag[1,2] ) {
    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
}

# The drop threshold is one more than the permitted maximum; presumably
# because the --set rule below already counts the current connection --
# confirm against the recent match documentation.
my $count = $tag[1] + 1;

# Record the source of this connection in the named recent set.
add_rule $chainref, "-m recent --name $set --set";

if ( $level ) {
    # Logging requested: over-limit connections jump to a side chain named
    # after this one with a "%" suffix, which logs and then drops.
    my $xchainref = new_chain 'filter' , "$chainref->{name}%";
    log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
    add_rule $xchainref, '-j DROP';
    add_rule $chainref, "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref->{name}";
} else {
    # No logging: drop over-limit connections directly.
    add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
}

# Everything under the limit is accepted.
add_rule $chainref, '-j ACCEPT';

1; </programlisting>
</section>
</section>
</article>