reader beware: This howto may be aged. The knock package does not appear to be available for a standard ipkg install, at least from an OpenSlug 3.10-beta repository. Try the location given in the caveat below for downloading and installation. YMMV.
This howto covers the setup and usage of Knock, a port knocking program. Its daemon, knockd, listens to all traffic on an Ethernet (or PPP) interface, looking for special "knock" sequences of port hits. A client makes these port hits by sending a TCP (or UDP) packet to a port on the server. The port need not be open: since knockd listens at the link layer, it sees all traffic, even traffic destined for a closed port. When the server detects a specific sequence of port hits, it runs a command defined in its configuration file. This can be used to open holes in a firewall for quick access. For more information go to http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki.
The example described here sets up a secure way to administer your Slug with remote command-line access via OpenSSH secure shell. Keep in mind that knocking only hides the service: anyone who captures a fixed sequence on the wire can replay it, so the sshd hardening below still matters.
Preparation and installation of Knock.
- Follow the howto for OpenSSH secure shell: http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.
- Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because root logins over ssh will be disabled later.
Add yourself (replacing myuserid) to the sudoers file by running visudo and adding the line:
myuserid ALL=(ALL) ALL
Reconnect as myuserid and become root with
# sudo su
- BACKUP the sshd config file /opt/etc/openssh/sshd_config (this will allow you to recover in case of problems).
- Modify or add entries to the sshd_config file in /opt/etc/openssh as follows. Once AllowGroups is set, only members of the listed groups may log in, so the Deny lines are belt and braces for everything else:
# Explicitly set who can and who can not log in by way of ssh.
# If myuserid belongs to a group, put mygroupid in AllowGroups as well.
AllowGroups users everyone mygroupid
# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown
- Limit sshd's exposure by denying domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create or edit your hosts.deny file:
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
TCP wrappers match these patterns against the reverse DNS name of the connecting address, so this only catches hosts that actually have a reverse record in those domains, and it only has any effect if sshd was built with libwrap support. Treat it as a convenience, not a control.
- Restart the SSH daemon process:
# /opt/etc/init.d/S40sshd
This will disconnect your session if you were connected with ssh. If so, reconnect as myuserid and
# sudo su
- Install iptables following http://www.nslu2-linux.org/wiki/HowTo/EnableFirewall, then REMOVE the line
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
from the /opt/etc/iptables.sh script. Without it the firewall blocks ssh (port 22) to your Slug; knockd will add and remove an ACCEPT rule for port 22 on demand.
- Install the knock package:
# ipkg install knock
caveat: my ipkg was not successful in installation. I found and installed it using:
# ipkg -d root install http://ipkg.nslu2-linux.org/feeds/unslung/cross/knock_0.5-2_armeb.ipk
- Configure knockd.conf as follows (change the knocking sequence to your own preference). The Optware package keeps its files under /opt/etc, while knockd's built-in default is /etc/knockd.conf, so if knockd reports that it cannot read its configuration, point it at the file with -c. The section name opencloseSSH is what knockd prints in its log for this door:
[options]
    logfile = /var/log/knockd.log

[opencloseSSH]
    sequence      = 2000:udp,3000:tcp,4000:udp
    seq_timeout   = 15
    tcpflags      = syn
    start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 60
    stop_command  = iptables -D INPUT -p tcp --dport 22 -j ACCEPT
seq_timeout is the number of seconds within which the whole three-hit sequence must arrive; cmd_timeout is how long after start_command the stop_command runs, i.e. how long port 22 stays open. As written, start_command opens port 22 to every address for those 60 seconds. knockd replaces %IP% in a command with the address that knocked, so adding "-s %IP%" to both iptables commands limits the hole to your own client; do that unless you have a reason not to.
Note: With Unslung 6.8 you must include the "tcpflags = syn" directive.
Let's do some port knocking.
- Restart iptables (re-run /opt/etc/iptables.sh) so the rule change takes effect.
- Make sure that ssh is not allowed. Verify by running
# iptables -L
There should be NO entry for ssh. Be careful not to lock yourself out completely at this point: root and ssh ARE locked out. (If you still lock yourself out, reboot without the disk, log in, then reconnect and mount the disk; at that point you can repair the problem.)
- Start the knockd server process on your nslu2 in the foreground (don't run it with -d yet):
# knockd -i ixp0 -v
- Run the knock client from either Linux or Windows (the Windows knock client can be downloaded from http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki):
# knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp
On your knock client you should see:
hitting udp your-nslu2-ip:2000
hitting tcp your-nslu2-ip:3000
hitting udp your-nslu2-ip:4000
- On your nslu2 server you should see:
listening on ixp0...
your-client-ip: opencloseSSH: Stage 1
your-client-ip: opencloseSSH: Stage 2
your-client-ip: opencloseSSH: Stage 3
your-client-ip: opencloseSSH: OPEN SESAME
opencloseSSH: running command: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
(after 60 seconds....)
your-client-ip: opencloseSSH: command timeout
opencloseSSH: running command: iptables -D INPUT -p tcp --dport 22 -j ACCEPT
- If you run
# iptables -L
on the server AFTER your knock and BEFORE the 60-second cmd_timeout, you should see a line permitting ssh:
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
- This means you have 60 seconds to connect to your nslu2 server with PuTTY or the ssh client of your choice. A session that is already established when the stop_command removes the rule keeps working only if your ruleset accepts ESTABLISHED traffic; check that before relying on it.
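The exchange just walked through, modeled end to end in Python as an added example (this is not knockd's source and not code from this howto): knock() plays the client and emits the three hits, and Server plays a simplified knockd that tracks each source address through the stages, honours seq_timeout, cmd_timeout and tcpflags = syn, and records the door's commands instead of handing them to the shell. It also illustrates the configuration section above: the Door dataclass holds the same directives as the opencloseSSH section, and the commands carry -s %IP%, which knockd substitutes with the knocker's address so that port 22 opens only for the client that knocked. Assumptions: packets are constructed in memory rather than sniffed with libpcap, hits to ports outside the sequence are treated as invisible, and 10.0.0.5, 198.51.100.9 and the timings are made up.

```python
"""Model of the knock exchange in this howto: the client emits the port hits,
a simplified matcher walks each source through the stages and runs the door's
commands.  Added example, not knockd source; packets are built in memory."""
from dataclasses import dataclass


@dataclass
class Door:                    # one [section] of knockd.conf
    name: str
    sequence: list             # [(port, proto), ...] in knock order
    start_command: str
    stop_command: str
    seq_timeout: float = 15    # all hits must arrive within this many seconds
    cmd_timeout: float = 60    # stop_command runs this long after start_command
    tcpflags: str = ""         # "syn": only TCP packets carrying SYN count


def parse_sequence(spec):
    """'2000:udp,3000:tcp,4000:udp' -> [(2000, 'udp'), (3000, 'tcp'), (4000, 'udp')].
    A bare port with no ':proto' means tcp, as in knockd.conf."""
    seq = []
    for item in spec.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), proto or "tcp"))
    return seq


def knock(host, sequence, send):
    """Client side: deliver the hits in order via send(host, port, proto);
    a real sender would emit a UDP datagram or a TCP SYN (a connect attempt)."""
    for port, proto in sequence:
        send(host, port, proto)
    return [f"hitting {proto} {host}:{port}" for port, proto in sequence]


class Server:
    """knockd-style matcher: one in-flight attempt per (door, source address)."""
    def __init__(self, doors):
        self.doors = doors
        self.attempts = {}     # (door name, src) -> [stage reached, start time]
        self.pending = []      # (fire time, door name, stop_command, src)
        self.log = []          # messages in the style of knockd -v
        self.ran = []          # (time, command) that would go to the shell

    def _run(self, t, cmd, src):
        self.ran.append((t, cmd.replace("%IP%", src)))  # %IP% = knocker's address

    def tick(self, t):
        """Run every stop_command whose cmd_timeout has expired by time t."""
        for item in sorted(p for p in self.pending if p[0] <= t):
            self.pending.remove(item)
            self.log.append(f"{item[3]}: {item[1]}: command timeout")
            self._run(item[0], item[2], item[3])

    def packet(self, t, src, proto, dport, flags=()):
        self.tick(t)
        for door in self.doors:
            if (dport, proto) not in door.sequence:
                continue       # not a knock port of this door: never considered
            if proto == "tcp" and door.tcpflags and door.tcpflags not in flags:
                continue       # tcpflags = syn: ACK/RST/FIN traffic is ignored
            key = (door.name, src)
            att = self.attempts.get(key)
            if att and t - att[1] > door.seq_timeout:    # too slow: start over
                self.log.append(f"{src}: {door.name}: sequence timeout")
                del self.attempts[key]
            att = self.attempts.setdefault(key, [0, t])
            if (dport, proto) != door.sequence[att[0]]:  # out of order: start over
                self.log.append(f"{src}: {door.name}: Stage {att[0] + 1} failed")
                del self.attempts[key]
                continue
            att[0] += 1
            self.log.append(f"{src}: {door.name}: Stage {att[0]}")
            if att[0] == len(door.sequence):
                self.log.append(f"{src}: {door.name}: OPEN SESAME")
                del self.attempts[key]
                self._run(t, door.start_command, src)
                if door.stop_command and door.cmd_timeout:
                    self.pending.append((t + door.cmd_timeout, door.name,
                                         door.stop_command, src))


def demo():
    """Replay the howto's test run, then two failure modes: a scanner hitting the
    ports out of order and a knock spread wider than seq_timeout.  Times are in
    seconds; 10.0.0.5 and 198.51.100.9 are made-up addresses."""
    door = Door("opencloseSSH", parse_sequence("2000:udp,3000:tcp,4000:udp"),
                "iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT",
                "iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT",
                tcpflags="syn")
    srv, clock = Server([door]), [0.0]

    def send(host, port, proto):           # stand-in for a real socket sender
        clock[0] += 0.1                    # hits land 100 ms apart
        srv.packet(clock[0], "10.0.0.5", proto, port, flags=("syn",))

    client = knock("your-nslu2-ip", door.sequence, send)
    srv.packet(1.0, "198.51.100.9", "tcp", 3000, flags=("syn",))  # wrong first port
    srv.packet(2.0, "198.51.100.9", "tcp", 3000, flags=("ack",))  # dropped by tcpflags
    srv.tick(61.0)                                                # cmd_timeout elapsed
    srv.packet(100.0, "10.0.0.5", "udp", 2000)
    srv.packet(120.0, "10.0.0.5", "tcp", 3000, flags=("syn",))    # 20 s > seq_timeout
    return client, srv.log, srv.ran
```

Calling demo() produces the same Stage 1 to OPEN SESAME messages as the knockd -v output above, then the command timeout after 60 seconds, followed by what a scanner that hits 3000/tcp first, an ACK that tcpflags = syn discards, and a knock spread over 20 seconds look like from the server's side. Because the recorded commands carry the knocker's address in place of %IP%, the hole is opened for 10.0.0.5 only.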
- If your test was successful, terminate the foreground knockd process (Ctrl-C) and restart it as a daemon via
# /opt/etc/init.d/S05knockd
- You should be good to go.
- Make your nslu2 administration portable and secure. Load a USB stick with the knock client and PuTTY, and you can "knock" and remotely administer your nslu2 over ssh from wherever you are. You can also "knock" to open and close any other ports in a similar fashion, as your needs dictate.
- This knock procedure is also a very good way to stop SSH brute-force dictionary attacks: with port 22 closed, scanners never see the service. See http://www.linuxsecurity.com/content/view/119238/151/.