knockd is a port-knock server. It listens to all traffic on an ethernet interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port.
The knock RPM package from DAG doesn't ship an init script, so here is one I wrote.
Some example output:
[root@base ~]# service knockd restart
Shutting down knockd: [ OK ]
Starting knockd: [ OK ]
[root@base ~]# service knockd status
knockd (pid 2539) is running...
Chain KNOCKD (1 references)
target prot opt source destination
ACCEPPT tcp -- 1.1.1.1 anywhere tcp dpt:ssh
[root@base ~]# service knockd purge
Purge will remove 1 following rules in 10 seconds. Press Ctrl-C to cancel.
Chain KNOCKD (1 references)
target prot opt source destination
ACCEPT tcp -- 1.1.1.1 anywhere tcp dpt:ssh
Make sure you change $CHAIN and $OPTIONS to match your own knockd setup before using the script.
#!/bin/bash
#
# knockd Start and stop the knockd service.
#
# chkconfig: - 35 65
# description: Knockd add rule to open SSH to specific IP
# processname: knockd
# config: /etc/knockd.conf
#
# RHEL-style init helpers (failure, killproc, status, ...) used below.
source /etc/init.d/functions

# Command-line options handed to knockd; the value is word-split on use,
# so it must stay a plain space-separated string (leading space is harmless).
# -i names the interface to listen on, -d runs knockd as a daemon.
OPTIONS=" -i external0 -d"

# iptables chain that holds the rules knockd opens; read by status and purge.
CHAIN="KNOCKD"
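#######################################
# Start knockd as a daemon and create its subsys lock file.
# Globals:   UID (read), OPTIONS (read), RETVAL (written)
# Outputs:   status line with [ OK ]/[FAILED] marker on stdout
# Returns:   0 on success, 1 when not root, else knockd's exit status
#######################################
start() {
  echo -n "Starting knockd: "
  if [ "$UID" -ne 0 ]; then
    RETVAL=1
    failure
  else
    # OPTIONS is intentionally unquoted: it is a space-separated option list.
    # shellcheck disable=SC2086
    /usr/sbin/knockd $OPTIONS
    RETVAL=$?
    # Only mark the service as running when knockd actually started; print the
    # matching marker so the output matches the other init scripts on the box.
    if [ "$RETVAL" -eq 0 ]; then
      touch /var/lock/subsys/knockd
      success
    else
      failure
    fi
  fi
  echo
  return "$RETVAL"
}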
#######################################
# Stop the running knockd and remove its subsys lock file.
# Globals:   UID (read), RETVAL (written)
# Outputs:   status line on stdout
# Returns:   1 when not root, else killproc's exit status
#######################################
stop() {
  echo -n "Shutting down knockd: "
  if [ "$UID" -eq 0 ]; then
    # killproc comes from the sourced init functions; presumably it prints
    # its own [ OK ]/[FAILED] marker, which is why none is printed here.
    killproc /usr/sbin/knockd
    RETVAL=$?
    if [ "$RETVAL" -eq 0 ]; then
      rm -f /var/lock/subsys/knockd
    fi
  else
    RETVAL=1
    failure
  fi
  echo
  return "$RETVAL"
}
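#######################################
# List the iptables chain knockd manages, highlighting ACCEPT rules in green.
# Globals:   UID (read), CHAIN (read), RETVAL (written)
# Outputs:   iptables -L listing on stdout
# Returns:   1 when not root, else the exit status of iptables (not of sed)
#######################################
knockdstatus() {
  local green reset
  green=$'\033[32m'
  reset=$'\033[0m'
  if [ "$UID" -ne 0 ]; then
    RETVAL=1
    failure
  else
    # NOTE: without -n, iptables resolves addresses and ports to names for
    # display, which can stall on slow reverse DNS; kept to preserve the
    # existing output format ("anywhere", "dpt:ssh").
    # The replacement text was previously misspelled "ACCEPPT".
    /sbin/iptables -L "$CHAIN" | sed "s/ACCEPT/${green}ACCEPT${reset}/"
    # Report iptables' status, not sed's, so a missing chain is visible.
    RETVAL=${PIPESTATUS[0]}
  fi
  echo
  return "$RETVAL"
}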
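# Dispatch on the service action. Exit status is that of the chosen action.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    # start/stop manage /usr/sbin/knockd; query the same binary here.
    status /usr/sbin/knockd
    echo
    knockdstatus
    ;;
  restart)
    stop
    start
    ;;
  purge)
    # Line number of the last ACCEPT rule in the chain. Rules 1..LINES are
    # deleted below, so any non-ACCEPT rule placed before it is removed too.
    # Matching on the target column avoids picking up a "policy ACCEPT"
    # header line if CHAIN is ever pointed at a built-in chain.
    LINES=$(/sbin/iptables -L "$CHAIN" --line-numbers \
      | awk '$2 == "ACCEPT" { last = $1 } END { if (last) print last }')
    if [ -n "$LINES" ]; then
      printf '\033[31mPurge will remove %s following rules in 10 seconds. Press Ctrl-C to cancel.\033[0m\n\n' "$LINES"
      /sbin/iptables -L "$CHAIN"
      sleep 10
      # Delete from the highest line number down so the remaining numbers stay valid.
      while [ "$LINES" -gt 0 ]; do
        /sbin/iptables -D "$CHAIN" "$LINES"
        LINES=$((LINES - 1))
      done
    else
      echo "Empty Chain: $CHAIN"
    fi
    ;;
  *)
    # Usage previously omitted "restart" and the closing brace.
    echo "Usage: $0 {start|stop|status|restart|purge}"
    exit 1
    ;;
esac
exit $?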