[PLUG] Scriptless Portknocking

Jeff Moore Jeff.Moore at chemeketa.edu
Mon Jul 18 16:31:52 UTC 2005


Hi all,

   Just saw this and had to share it with all of you.
   I have been interested in portknocking for a while now but hate the fact that you have to run scripts to check log files, etc. It just seems clunky, at least for my needs. I only wanted to use it as an extra level of basic connection protection. You can really do some neat things with port knocking like sending encrypted passwords via icmp packets etc. But this wasn't what I was looking for. I just wanted something that would block John Q Scanner from seeing ssh open and then taking his time to try to crack it. Plus I didn't want to have to install a little script on every client to access the machines. 
   Well, to make a long story short, I ran across this little fedora iptables entry:

-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -m recent --rcheck --name SSH -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9022 -m recent --name SSH --remove -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9023 -m recent --name SSH --set -j DROP
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 9024 -m recent --name SSH --remove -j DROP

   I wasn't aware of the --name and --rcheck ability in IPTABLES. With these you can telnet to port 9023 (line 3) and it will start tagging all packets from your host (and only your host) with the name SSH. Then you will be allowed to access port 22 (SSH) via the --rcheck (line 1). When you are finished, just telnet to 9022 or 9044 to stop tagging your traffic (closing the ssh port). One thing to note is the double entries for the shutdown. At first I wasn't sure why there were two, then I thought of scans. Whether it's a top-down or bottom-up scan, it will always turn the naming off. 
   Sorry I just got so excited when I saw this. How elegant and powerful this is! 
   Hope you all enjoy it as much as I have...

Thanks for your time,
Jeff M.
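The following is an added example, not code from the post or from the PLUG list: a small Python model of what the four iptables rules above do with the `recent` list named SSH (`--set`, `--remove`, `--rcheck`), replayed over constructed packet traces so you can see why a single knock opens port 22 for that source only and why a sequential scan in either direction always ends with the tag removed. The `seconds` parameter is an assumption added here to show the effect of the real `--rcheck --seconds N` option, which the original rules do not use; the addresses and timings are constructed.

```python
"""
Model of the netfilter 'recent' list semantics behind the four
port-knocking rules (--set, --remove, --rcheck on a list named SSH).
Added, constructed example; not code from the mailing-list post.
"""
from dataclasses import dataclass, field
from typing import Optional

ACCEPT, DROP, NO_MATCH = "ACCEPT", "DROP", "NO_MATCH"


@dataclass
class RecentList:
    """One named 'recent' list: source address -> time of the last --set."""
    name: str
    entries: dict = field(default_factory=dict)

    def set(self, src: str, now: float) -> None:      # -m recent --set
        self.entries[src] = now

    def remove(self, src: str) -> None:               # -m recent --remove
        self.entries.pop(src, None)

    def rcheck(self, src: str, now: float, seconds: Optional[int]) -> bool:
        """-m recent --rcheck [--seconds N]: match if src is listed and, when
        a window is given, was tagged no more than N seconds ago.
        --rcheck does not refresh the timestamp (that would be --update)."""
        if src not in self.entries:
            return False
        return seconds is None or now - self.entries[src] <= seconds


@dataclass
class KnockFirewall:
    """The RH-Firewall-1-INPUT fragment from the post, applied to NEW TCP packets.
    `seconds` is an assumed optional tightening (--rcheck --seconds N); the
    original rules have no window, so a tagged host stays open until it knocks out."""
    seconds: Optional[int] = None
    ssh: RecentList = field(default_factory=lambda: RecentList("SSH"))

    def filter_new_tcp(self, now: float, src: str, dport: int) -> str:
        # Rule 1: port 22 is accepted only for tagged hosts; untagged traffic
        # does not match and falls through to the rest of the chain (NO_MATCH).
        if dport == 22:
            return ACCEPT if self.ssh.rcheck(src, now, self.seconds) else NO_MATCH
        # Rule 3: knocking on 9023 tags the source and drops the packet.
        if dport == 9023:
            self.ssh.set(src, now)
            return DROP
        # Rules 2 and 4: 9022 and 9024 both untag the source.
        if dport in (9022, 9024):
            self.ssh.remove(src)
            return DROP
        return NO_MATCH


def ssh_allowed_after(trace, seconds: Optional[int] = None) -> bool:
    """Replay (time, src, dport) packets through a fresh firewall and return
    whether the final packet (which should be to port 22) would be ACCEPTed."""
    fw = KnockFirewall(seconds=seconds)
    verdict = NO_MATCH
    for now, src, dport in trace:
        verdict = fw.filter_new_tcp(now, src, dport)
    return verdict == ACCEPT


# Constructed packet traces: (time in seconds, source address, destination port).
KNOCK_THEN_SSH  = [(0, "10.0.0.5", 9023), (1, "10.0.0.5", 22)]
OTHER_HOST_SSH  = [(0, "10.0.0.5", 9023), (1, "10.0.0.6", 22)]
ASCENDING_SCAN  = [(0, "10.0.0.9", 22), (1, "10.0.0.9", 9022),
                   (2, "10.0.0.9", 9023), (3, "10.0.0.9", 9024), (4, "10.0.0.9", 22)]
DESCENDING_SCAN = [(0, "10.0.0.9", 9024), (1, "10.0.0.9", 9023),
                   (2, "10.0.0.9", 9022), (3, "10.0.0.9", 22)]
STALE_KNOCK     = [(0, "10.0.0.5", 9023), (3600, "10.0.0.5", 22)]

if __name__ == "__main__":
    cases = [("knock then ssh", KNOCK_THEN_SSH), ("other host ssh", OTHER_HOST_SSH),
             ("ascending scan", ASCENDING_SCAN), ("descending scan", DESCENDING_SCAN),
             ("stale knock, no window", STALE_KNOCK)]
    for label, trace in cases:
        print(f"{label:24} -> {'open' if ssh_allowed_after(trace) else 'closed'}")
    print(f"{'stale knock, 300s window':24} -> "
          f"{'open' if ssh_allowed_after(STALE_KNOCK, seconds=300) else 'closed'}")
```

Two things the replay makes visible that the rules alone do not: with no `--seconds` on the `--rcheck` rule, a single knock leaves port 22 open to that source address until it explicitly knocks out (the `STALE_KNOCK` trace is still accepted an hour later), so adding a window such as `--rcheck --seconds 300` is a cheap tightening; and the only secret here is the port number and the source address, so this hides sshd from ordinary sequential scanners but is no substitute for key-based authentication behind it.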


