forked from extern/shorewall_code
23b0f37ec2
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2672 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
130 lines
5.2 KiB
XML
130 lines
5.2 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Port Knocking</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2005-09-12</pubdate>
|
|
|
|
<copyright>
|
|
<year>2005</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<section>
|
|
<title>What is Port Knocking?</title>
|
|
|
|
<para>Port knocking is a technique whereby attempting to connect to port A
|
|
enables access to port B from that same host. For the example on which
|
|
this article is based, see <ulink
|
|
url="http://www.soloport.com/iptables.html">http://www.soloport.com/iptables.html</ulink>
|
|
which should be considered to be part of this documentation.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Implementing Port Knocking in Shorewall</title>
|
|
|
|
<para>In order to implement this solution, your iptables and kernel must
|
|
support the 'recent match' extension (see <ulink url="FAQ.htm#faq42">FAQ
|
|
42</ulink>). These instructions also assume Shorewall version 2.2.0 or
|
|
later.</para>
|
|
|
|
<para>In this example:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Attempting to connect to port 1600 enables SSH access. Access is
|
|
enabled for 60 seconds.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Attempting to connect to port 1601 disables SSH access (note
|
|
that in the article linked above, attempting to connect to port 1599
|
|
also disables access. This is an port scan defence as explained in the
|
|
article).</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
|
|
<para>To implement that approach:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Add an action named SSHKnock (see the <ulink
|
|
url="Actions.html">Action documentation</ulink>). Leave the
|
|
<filename>action.SSHKnock</filename> file empty.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Create /etc/shorewall/SSHKnock with the following
|
|
contents:</para>
|
|
|
|
<programlisting>if [ -n "$LEVEL" ]; then
|
|
log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22 -m recent --rcheck --name SSH
|
|
log_rule_limit $LEVEL $CHAIN SSHKnock DROP "" "$TAG" -A -p tcp --dport ! 22
|
|
fi
|
|
run_iptables -A $CHAIN -p tcp --dport 22 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT
|
|
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent --name SSH --remove -j DROP
|
|
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent --name SSH --set -j DROP
|
|
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent --name SSH --remove -j DROP</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Now if you want to protect SSH access to the firewall from the
|
|
Internet, add this rule in
|
|
<filename>/etc/shorewall/rules</filename>:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
SSHKnock net $FW tcp 22,1599,1600,1601</programlisting>
|
|
|
|
<para>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
|
|
can just add a log level as in:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
|
SSHKnock:info net $FW tcp 22,1599,1600,1601</programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you wish to use SSHKnock with a forwarded connection, you
|
|
must be using Shorewall 2.3.1 or later for fullest protection. Assume
|
|
that you forward port 22 from external IP address 206.124.146.178 to
|
|
internal system 192.168.1.5. In /etc/shorewall/rules:</para>
|
|
|
|
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL
|
|
# PORT(S) DEST
|
|
DNAT- net loc:192.168.1.5 tcp 22 - 206.124.146.178
|
|
SSHKnock net $FW tcp 1599,1600,1601
|
|
SSHKnock net loc:192.168.1.5 tcp 22 - 206.124.146.178</programlisting>
|
|
|
|
<note>
|
|
<para>You can use SSHKnock with DNAT on earlier releases provided
|
|
that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
|
|
This rule will be quite secure provided that you specify 'norfc1918'
|
|
on your external interface.</para>
|
|
</note>
|
|
</listitem>
|
|
</orderedlist>
|
|
</section>
|
|
</article> |