NSLU2-Linux

HowTo.SecurityByPortKnocking History


September 10, 2007, at 02:55 AM by frustrated --
Changed lines 53-54 from:
  1. Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\
to:
  1. Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\
September 10, 2007, at 02:55 AM by frustrated --
Deleted line 43:
Changed lines 52-53 from:

Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\

to:
  1. Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\
September 10, 2007, at 02:54 AM by frustrated --
Deleted line 51:

#http://ipkg.nslu2-linux.org/feeds/unslung/cross/knock_0.5-2_armeb.ipk \\

September 10, 2007, at 02:53 AM by frustrated --
Added line 53:

# ipkg -d root install http://ipkg.nslu2-linux.org/feeds/unslung/cross/knock_0.5-2_armeb.ipk \\

September 10, 2007, at 02:52 AM by frustrated --
Changed line 51 from:

'caveat: my ipkg was not successful in installation. I found and installed it using: '\\

to:

caveat: my ipkg was not successful in installation. I found and installed it using: \\

September 10, 2007, at 02:51 AM by frustrated -- added ipkg installation location option for knockd
Changed lines 1-2 from:

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

to:

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository. Test the location given in the caveat below for downloading and installation. YMMV

Added lines 51-52:

'caveat: my ipkg was not successful in installation. I found and installed it using: '
#http://ipkg.nslu2-linux.org/feeds/unslung/cross/knock_0.5-2_armeb.ipk \\

September 10, 2007, at 02:39 AM by frustrated --
Changed lines 1-2 from:

# reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

to:

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

September 10, 2007, at 02:38 AM by frustrated --
Changed lines 1-2 from:

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

to:

# reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

September 10, 2007, at 02:37 AM by frustrated -- caveat of availability of knockd ipkg install for OpenSlug 3.10beta
Added lines 1-2:

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

July 04, 2006, at 01:32 AM by dlubinsk -- Added groupid directive in config file
Changed lines 22-23 from:

AllowGroups users everyone \\

to:

# If myuserid belongs to a group place mygroupid in Allowgroups as well
AllowGroups users everyone mygroupid \\

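Review bot: the comment added in the `to:` block spells the directive `Allowgroups` while the line beneath it reads `AllowGroups`; use the exact spelling so a reader searching the file for the directive finds both. The reason the group must be added also deserves a sentence: when both `AllowUsers` and `AllowGroups` are set, sshd admits a login only if the user passes both checks, so a user named in `AllowUsers` whose groups are not listed in `AllowGroups` is still refused.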
July 04, 2006, at 01:09 AM by dlubinsk --
Changed lines 33-37 from:

'''sshd: .cn, .cn.net, .cn.com, .jp, .jp.com

to:

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com

July 04, 2006, at 01:08 AM by dlubinsk --
Changed lines 34-37 from:


to:
July 04, 2006, at 01:07 AM by dlubinsk --
Changed lines 34-37 from:

sshd: UNKNOWN '''

to:


July 04, 2006, at 12:41 AM by dlubinsk --
Changed lines 14-16 from:
  1. BACKUP a copy of the file /opt/etc/openssh/sshd_config (this will allow you to recover in case of problems).
  2. Modify or add entries to the sshd_conf file in opt/etc/openssh as follows: \\
to:
  1. BACKUP the sshd config file /opt/etc/openssh/sshd_config (this will allow you to recover in case of problems).
  2. Modify or add entries to the sshd_config file in opt/etc/openssh as follows: \\
July 04, 2006, at 12:38 AM by dlubinsk -- Changed location of sshd.conf to sshd_conf (new version of ssh)
Changed lines 14-16 from:
  1. BACKUP a copy of the file you change in the next section. I changed /opt/etc/openssh/sshd_config (assuming this was the file that was meant) and can not get access via ssh anymore. i can get access via telnet but, for some reason - i am a newbie - nano won't work so I'm not sure how to undo the edits i made to the file.
  2. Modify or add entries to the sshd.conf file in opt/etc as follows: \\
to:
  1. BACKUP a copy of the file /opt/etc/openssh/sshd_config (this will allow you to recover in case of problems).
  2. Modify or add entries to the sshd_conf file in opt/etc/openssh as follows: \\
July 01, 2006, at 07:11 PM by metamind --
Changed lines 14-16 from:
  1. BACKUP a copy of the file you change in the next section. I changed /opt/etc/openssh/sshd_config (assuming this was the file that was meant) and can not get access via ssh anymore. i can get access via telnet but,

for some reason - i am a newbie - nano won't work so I'm not sure how to undo the edits i made to the file.

to:
  1. BACKUP a copy of the file you change in the next section. I changed /opt/etc/openssh/sshd_config (assuming this was the file that was meant) and can not get access via ssh anymore. i can get access via telnet but, for some reason - i am a newbie - nano won't work so I'm not sure how to undo the edits i made to the file.
July 01, 2006, at 07:10 PM by metamind --
Changed lines 14-16 from:
to:
  1. BACKUP a copy of the file you change in the next section. I changed /opt/etc/openssh/sshd_config (assuming this was the file that was meant) and can not get access via ssh anymore. i can get access via telnet but,

for some reason - i am a newbie - nano won't work so I'm not sure how to undo the edits i made to the file.

Deleted line 17:
  ( for me the file was /opt/etc/openssh/sshd_config)
July 01, 2006, at 06:31 PM by metamind --
Added line 16:
  ( for me the file was /opt/etc/openssh/sshd_config)
June 20, 2006, at 02:00 AM by don lubinski -- Added tcpflags=syn must have parm for unslung 6.8 (problem 1st identified by Kurt Bennater)
Added line 54:
        tcpflags      = syn \\
Changed lines 58-60 from:
to:


Note: With Unslung 6.8 you must include the "tcpflags = syn" directive

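Review bot: the added note says Unslung 6.8 requires `tcpflags = syn` but not why, so a reader cannot tell whether it applies to them. The directive makes knockd count only TCP packets with the SYN flag toward the sequence, so only connection-opening packets advance it and traffic on already-open connections is ignored. Since line 54 is located only by number here, name the section it belongs in (`[opencloseSSH]`, beside `sequence`); a config of a different length gives no clue from the diff alone.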
May 30, 2006, at 02:13 AM by don lubinski -- Changed knockd site location
Changed line 71 from:
  1. Run the knock client from either Linux or Windows. You can download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). \\
to:
  1. Run the knock client from either Linux or Windows. You can download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki). \\
May 30, 2006, at 02:10 AM by don lubinski -- Fixed link to knockd author site
Changed lines 1-2 from:

This howto covers the setup and usage of Knock, a port knocking program. This program listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access. For more information go to http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki.

to:

This howto covers the setup and usage of Knock, a port knocking program. This program listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access. For more information go to http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki.

October 10, 2005, at 02:00 AM by don lubinski -- Near final draft
Changed lines 110-111 from:
  1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your nslu2 from whatever place you are at.
to:
  1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your nslu2 from whatever place you are at. As well, you can chose to "knock" and open/close any other ports in a similiar fashion...as your needs dictate.
October 04, 2005, at 08:11 AM by eFfeM -- added remark on how to repair things if you locked yourself out
Changed lines 65-67 from:
  1. Make sure that ssh is not allowed. Verify by running #iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
to:
  1. Make sure that ssh is not allowed. Verify by running #iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out. (if you still lock yourself out, you should reboot without disk, login, then reconnect and mount the disk. At that point you can repair the problem).
October 02, 2005, at 07:09 PM by don lubinski --
Changed lines 11-15 from:

Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
Logout and login with myuserid and #sudo su .

  1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed): \\
to:

Add yourself (replacing myuserid) to the sudo list with # visudo: myuserid ALL=(ALL) ALL .
Reconnect with myuserid and #sudo su .

  1. Modify or add entries to the sshd.conf file in opt/etc as follows: \\
Changed lines 29-35 from:
to:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file:

    sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
    sshd: UNKNOWN

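Review bot: the `sshd: .cn, .cn.net, ...` patterns in the added step match on the client's reverse-DNS name, so they only block connections whose source address resolves to one of those suffixes; an address with no reverse record, or an unrelated one, passes, which makes this a convenience filter rather than a control. `sshd: UNKNOWN` goes further and refuses any client whose name or address cannot be resolved, which includes any legitimate client behind an address without a reverse record; the step should say so, because a reader who adds it can lock out their own roaming client before knockd is even involved.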
Changed lines 45-46 from:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file: \\
to:
  1. Install the knock package: #ipkg install knock
    Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\
Deleted lines 47-53:

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
sshd: UNKNOWN

  1. Install the knock package: #ipkg install knock
    Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):
    \\
Changed lines 60-61 from:

Test your port knock configuration.

to:

Lets do some port knocking.

Changed lines 110-111 from:
  1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place you are at.
to:
  1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your nslu2 from whatever place you are at.
October 02, 2005, at 06:48 PM by don lubinski --
Changed lines 27-30 from:


Restart the SSH daemon process: # /opt/etc/init.d/S40sshd

to:
  1. Restart the SSH daemon process: # /opt/etc/init.d/S40sshd . This will disconnect your session if you were connected with ssh. If so, reconnect using myuserid and #sudo su .
October 02, 2005, at 05:06 PM by don lubinski --
Changed lines 9-15 from:
  1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed): \\
to:
  1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.
    Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
    Logout and login with myuserid and #sudo su .
  2. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed): \\
Changed line 21 from:

AllowUsers myuserid \\

to:

AllowUsers myuserid \\

Changed lines 27-32 from:
  1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.
    Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
to:


Restart the SSH daemon process: # /opt/etc/init.d/S40sshd

October 02, 2005, at 04:00 AM by don lubinski --
Changed line 38 from:
  1. Install the knock package: ipkg install knock \\
to:
  1. Install the knock package: #ipkg install knock \\
Changed lines 55-63 from:
  1. Restart iptables: /opt/etc/init.d/S30iptables
  2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  3. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use knockd -i ixp0 -v .
to:
  1. Restart iptables: #/opt/etc/init.d/S30iptables
  2. Make sure that ssh is not allowed. Verify by running #iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  3. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use #knockd -i ixp0 -v .
Changed line 66 from:

knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

to:

#knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

Changed line 88 from:
  1. If you do another iptables -L on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh: \\
to:
  1. If you do another #iptables -L on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh: \\
Changed lines 96-99 from:
  1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via opt/etc/init.d/S05knockd. This will run knockd as a daemon.
to:
  1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via #opt/etc/init.d/S05knockd. This will run knockd as a daemon.
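Review bot: `#opt/etc/init.d/S05knockd` still lacks its leading slash, so as written the path only resolves with / as the current directory; the same pass that added the `#` prompt marker could write it as `/opt/etc/init.d/S05knockd`, matching `/opt/etc/init.d/S30iptables` earlier in this revision.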
October 02, 2005, at 03:56 AM by don lubinski --
Changed lines 103-104 from:
  1. Make your nslu2 administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place you are at.
to:
  1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place you are at.
October 02, 2005, at 03:55 AM by don lubinski --
Changed lines 102-104 from:

Tips:

  1. Make your nslu2 administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.
to:

Tips:

  1. Make your nslu2 administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place you are at.
October 02, 2005, at 03:48 AM by don lubinski --
Changed line 88 from:
  1. If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh: \\
to:
  1. If you do another iptables -L on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh: \\
Changed lines 90-92 from:

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

to:

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

Changed lines 96-99 from:
  1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via "opt/etc/init.d/S05knockd". This will run knockd as a daemon.
to:
  1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via opt/etc/init.d/S05knockd. This will run knockd as a daemon.
October 02, 2005, at 03:47 AM by don lubinski --
Changed line 66 from:

knock''' '''''your-nslu2-ip''''' '''-v 2000:udp 3000:tcp 4000:udp \\

to:

knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

Changed lines 70-74 from:

hitting udp your-nslu2-ip:2000
hitting tcp your-nslu2-ip:3000
hitting udp your-nslu2-ip:4000

to:

hitting udp your-nslu2-ip:2000
hitting tcp your-nslu2-ip:3000
hitting udp your-nslu2-ip:4000

Changed line 83 from:

(after 60 seconds....)\\

to:

(after 60 seconds....)\\

October 02, 2005, at 03:41 AM by don lubinski --
Changed line 11 from:

PermitRootLogin no \\

to:

'''PermitRootLogin no \\

Changed lines 20-22 from:

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown

to:

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown '''

Changed lines 24-26 from:

Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL

to:

Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL

Changed line 28 from:

REMOVE the line: $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT \\

to:

REMOVE the line: $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT \\

Changed line 32 from:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file: \\
to:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file: \\
Changed lines 34-38 from:

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
sshd: UNKNOWN

  1. Install the knock package: ipkg install knock. \\
to:

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
sshd: UNKNOWN

  1. Install the knock package: ipkg install knock \\
Changed line 41 from:

[options]\\

to:

'''[options]\\

Changed lines 49-52 from:
        stop_command  = iptables -D INPUT -p tcp --dport 22 -j ACCEPT 
to:
        stop_command  = iptables -D INPUT -p tcp --dport 22 -j ACCEPT''' 
Changed lines 55-63 from:
  1. Restart iptables: /opt/etc/init.d/S30iptables
  2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  3. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use "knockd -i ixp0 -v ".
to:
  1. Restart iptables: /opt/etc/init.d/S30iptables
  2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  3. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use knockd -i ixp0 -v .
Changed line 66 from:

knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

to:

knock''' '''''your-nslu2-ip''''' '''-v 2000:udp 3000:tcp 4000:udp \\

October 02, 2005, at 03:29 AM by don lubinski --
Changed lines 96-99 from:
  1. If your test was successful, terminate the current knockd server process. Start the knockd server process via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
to:
  1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via "opt/etc/init.d/S05knockd". This will run knockd as a daemon.
October 02, 2005, at 02:02 AM by don lubinski --
Changed lines 103-104 from:
  1. Make your administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.
to:
  1. Make your nslu2 administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.
October 02, 2005, at 02:01 AM by don lubinski --
Changed lines 61-63 from:
  1. Start up the knockd server process on your nslu2(dont't run it as -d yet). Run "knockd -i ixp0 -v ".
to:
  1. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use "knockd -i ixp0 -v ".
Changed lines 70-74 from:

hitting udp your-ip:2000
hitting tcp your-ip:3000
hitting udp your-ip:4000

to:

hitting udp your-nslu2-ip:2000
hitting tcp your-nslu2-ip:3000
hitting udp your-nslu2-ip:4000

October 02, 2005, at 01:58 AM by don lubinski --
Changed line 32 from:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny: \\
to:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file: \\
October 02, 2005, at 01:56 AM by don lubinski --
Changed lines 61-63 from:
  1. Start up the knockd serverprocess on your nslu2(dont't run it as -d yet). Run "knockd -i ixp0 -v ".
to:
  1. Start up the knockd server process on your nslu2(dont't run it as -d yet). Run "knockd -i ixp0 -v ".
Changed lines 93-99 from:
  1. Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
  2. If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
to:
  1. Of course this means that you have 60 seconds to connect to your nslu2 server with Putty or ssh client of your choice.
  2. If your test was successful, terminate the current knockd server process. Start the knockd server process via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
Changed lines 102-104 from:

Notes:

  1. Make yourself portable. You can load a USB stick up with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.
to:

Tips:

  1. Make your administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.
October 02, 2005, at 01:51 AM by don lubinski --
Changed lines 61-63 from:
  1. Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
to:
  1. Start up the knockd serverprocess on your nslu2(dont't run it as -d yet). Run "knockd -i ixp0 -v ".
October 02, 2005, at 01:50 AM by don lubinski --
Changed lines 52-64 from:
  1. Test your port knock configuration. \\
to:

Test your port knock configuration.

  1. Restart iptables: /opt/etc/init.d/S30iptables
  2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  3. Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
  4. Run the knock client from either Linux or Windows. You can download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). \\
Changed line 66 from:
  1. Restart iptables: /opt/etc/init.d/S30iptables \\
to:

knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

Changed lines 68-90 from:
  1. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  2. Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
  3. Use a knock client to perform a test knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp//You can do this from a Windows machine if you want (download the windows knock client from

http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see hitting udp your-ip:2000 hitting tcp your-ip:3000 hitting udp your-ip:4000

  1. On your server you should see:

listening on ixp0... your-client-ip: opencloseSSH: Stage 1 your-client-ip: opencloseSSH: Stage 2 your-client-ip: opencloseSSH: Stage 3 your-client-ip: opencloseSSH: OPEN SESAME opencloseSSH: running command: iptables -A INPUT -p tcp --dport 22 -j ACCEPT your-client-ip: opencloseSSH: command timeout opencloseSSH: running command: iptables -D INPUT -p tcp --dport 22 -j ACCEPT

  1. If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

  1. Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
  2. If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
to:

On your knock client you should see:

hitting udp your-ip:2000
hitting tcp your-ip:3000
hitting udp your-ip:4000

  1. On your nslu2 server you should see:

    listening on ixp0...
    your-client-ip: opencloseSSH: Stage 1
    your-client-ip: opencloseSSH: Stage 2
    your-client-ip: opencloseSSH: Stage 3
    your-client-ip: opencloseSSH: OPEN SESAME
    opencloseSSH: running command: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    (after 60 seconds....)
    your-client-ip: opencloseSSH: command timeout
    opencloseSSH: running command: iptables -D INPUT -p tcp --dport 22 -j ACCEPT
  2. If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:

    ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
  3. Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
  4. If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
Changed lines 103-104 from:
  1. I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my NSLU2 from whatever place I'm at.
to:
  1. Make yourself portable. You can load a USB stick up with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.
October 02, 2005, at 01:11 AM by don lubinski --
Added lines 5-6:

Preparation and installation of Knock.

Changed lines 32-52 from:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny:
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
sshd: UNKNOWN
  1. Install the knock package: ipkg install knock.
Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 2000:udp,3000:tcp,4000:udp
seq_timeout = 15
start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
cmd_timeout = 60
stop_command = iptables -D INPUT -p tcp --dport 22 -j ACCEPT
  1. Test your port knock configuration.
    1. Restart iptables: /opt/etc/init.d/S30iptables
to:
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny:

    sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
    sshd: UNKNOWN
  2. Install the knock package: ipkg install knock.
    Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):

    [options]
    logfile = /var/log/knockd.log

    [opencloseSSH]
    sequence = 2000:udp,3000:tcp,4000:udp
    seq_timeout = 15
    start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 60
    stop_command = iptables -D INPUT -p tcp --dport 22 -j ACCEPT
  3. Test your port knock configuration.

    ## Restart iptables: /opt/etc/init.d/S30iptables
    \\
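Review bot: `start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT` opens port 22 to every source for the full `cmd_timeout` of 60 seconds, not only to the host that knocked. knockd substitutes `%IP%` in its commands with the knocker's address, so adding `-s %IP%` to the start command narrows the window to that client; the stop command must then carry the identical `-s %IP%`, or `-D` will not find the rule to delete. Two smaller points: `[options]` sets only `logfile`, while the test step runs `knockd -i ixp0 -v`; add `interface = ixp0` there, since knockd started later from the init script without `-i` falls back to its default interface (eth0) and never sees the sequence on ixp0. And the nested `## Restart iptables` under step 3 is wiki sub-list markup, not a root prompt, which is easy to misread beside the `#ipkg install knock` prompt style used elsewhere on the page.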
October 02, 2005, at 12:58 AM by don lubinski --
Changed lines 7-25 from:
  1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):
PermitRootLogin no
# Explicitly set who can and who can not login by way of ssh
AllowGroups users everyone
AllowUsers myuserid
# Everything that isn't above
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown.
  1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.
Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL

  1. Install iptables http://www.nslu2-linux.org/wiki/HowTo/EnableFirewall.
REMOVE the line: $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
from the /opt/etc/iptables.sh script. This will block ssh (port 22) to your Slug.
to:
  1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):

    PermitRootLogin no

    # Explicitly set who can and who can not login by way of ssh
    AllowGroups users everyone
    AllowUsers myuserid

    # Everything that isn't above
    DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
    DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown
  2. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.
    Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
  3. Install iptables http://www.nslu2-linux.org/wiki/HowTo/EnableFirewall.
    REMOVE the line: $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
    from the /opt/etc/iptables.sh script. This will block ssh (port 22) to your Slug.
Changed lines 49-58 from:
  • Restart iptables: /opt/etc/init.d/S30iptables
  • Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  • Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
  • Use a knock client to perform a test knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp

You can do this from a Windows machine if you want (download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see: // hitting udp your-ip:2000

to:
  1. Restart iptables: /opt/etc/init.d/S30iptables
  2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
  3. Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
  4. Use a knock client to perform a test knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp//You can do this from a Windows machine if you want (download the windows knock client from

http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see [=hitting udp your-ip:2000
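Review bot: step 2 removes the only way back in if the knock test fails, and the Slug offers no console to recover from, so do steps 1 to 4 from the existing ssh session and give yourself a safety net before restarting the firewall, for example `/opt/etc/init.d/S30iptables; sleep 180; iptables -I INPUT -p tcp --dport 22 -j ACCEPT` on one line, then `iptables -D INPUT -p tcp --dport 22 -j ACCEPT` once the knock has been shown to work. When checking that ssh is not allowed, use `iptables -L INPUT -n` (and look at the tcp_inbound chain too) so that the port shows as dpt:22 and no reverse lookups are attempted.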

Changed lines 59-60 from:

hitting udp your-ip:4000

  • On your server you should see:
to:

hitting udp your-ip:4000=]

  1. On your server you should see:
Changed line 69 from:
  • If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:
to:
  1. If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:
Changed lines 71-73 from:
  • Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
  • If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
to:
  1. Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
  2. If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
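Review bot: the session opened inside the 60 second window keeps working after stop_command removes the ACCEPT rule only if the INPUT chain accepts already established traffic before port 22 is evaluated, typically a `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule near the top of /opt/etc/iptables.sh; if no such rule exists the connection hangs exactly at the cmd_timeout mark. Check for it with `iptables -L INPUT -n` before relying on this, and after the "command timeout" line confirm the close as well: a fresh ssh attempt should fail again and dpt:22 should be gone from the listing, otherwise the -D in stop_command did not match the rule and the hole is still open.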
October 01, 2005, at 10:41 PM by don lubinski --
Changed line 32 from:
  • Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):
to:
Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):
Added line 44:
Added line 46:
Added line 48:
Added line 50:
Changed line 53 from:

http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see:

to:

http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see: //

October 01, 2005, at 10:34 PM by don lubinski --
Changed line 19 from:
  1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root later.
to:
  1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.
October 01, 2005, at 10:28 PM by don lubinski --
Deleted line 16:
October 01, 2005, at 10:27 PM by don lubinski --
Changed lines 3-6 from:

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH? secure shell.

  1. Follow the howto for OpenSSH? secure shell: http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.
to:

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH secure shell.

  1. Follow the howto for OpenSSH secure shell: http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.
October 01, 2005, at 10:25 PM by don lubinski --
Added line 19:
Changed lines 34-43 from:

[options]

        logfile = /var/log/knockd.log

[opencloseSSH]

        sequence      = 2000:udp,3000:tcp,4000:udp
        seq_timeout   = 15
        start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        cmd_timeout   = 60
        stop_command  = iptables -D INPUT -p tcp --dport 22 -j ACCEPT
to:
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 2000:udp,3000:tcp,4000:udp
seq_timeout = 15
start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
cmd_timeout = 60
stop_command = iptables -D INPUT -p tcp --dport 22 -j ACCEPT
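Review bot: start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT opens port 22 to every source for the cmd_timeout window, not only to the host that knocked. knockd replaces %IP% in a command with the knocker's address, so `start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT` together with `stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT` narrows the hole to that one client. Whatever rule text is used, stop_command must be the start_command rule verbatim with -A changed to -D; iptables -D only matches an identical rule, and the "running command: iptables -D ..." log line shows the command was executed, not that it found anything to delete. The indentation dropped in this edit does not matter to knockd.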
Changed line 46 from:
  • Do a "iptables -L" and make sure that ssh IS NOT allowed.
to:
  • Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
Changed lines 48-50 from:
  • Use the knock client to perform a knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp

You can do this from a Windows machine if you want. Download the windows know client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki. You should see:

to:
  • Use a knock client to perform a test knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp

You can do this from a Windows machine if you want (download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see:

Changed lines 65-67 from:
  • Of course this means that you have 60 seconds to connect to your server with Putty or client of your choice.
  • If your test is successful start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
to:
  • Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
  • If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
Changed lines 71-72 from:
  1. I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my nslu slug from whatever place I'm at.
to:
  1. I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my NSLU2 from whatever place I'm at.
October 01, 2005, at 10:04 PM by don lubinski --
Changed lines 3-6 from:

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via ssh.

  1. Follow the howto for OPENSSH?, http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.
to:

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH? secure shell.

  1. Follow the howto for OpenSSH? secure shell: http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.
October 01, 2005, at 10:02 PM by don lubinski --
Changed lines 3-4 from:

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH? secure shell (port 22).

to:

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via ssh.

October 01, 2005, at 09:59 PM by don lubinski --
Changed lines 3-4 from:

The example for Knock that will be described here deals with "locking down" remote command line access via OpenSSH? secure shell (port 22). This is a good method to stop SSH brute search dictionary attacks, see http://www.linuxsecurity.com/content/view/119238/151/.

to:

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH? secure shell (port 22).

Changed lines 69-77 from:

Notes: I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my nslu slug from whatever place I'm at.

to:

Notes:

  1. I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my nslu slug from whatever place I'm at.
  2. This knock procedure is also a very good method to stop SSH brute search dictionary attacks, see http://www.linuxsecurity.com/content/view/119238/151/.
October 01, 2005, at 09:55 PM by don lubinski --
Changed lines 46-52 from:
  • Start up the knockd process. Run "knockd -i ipxo -v ".
  • Use a knock client
to:
  • Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
  • Use the knock client to perform a knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp

You can do this from a Windows machine if you want. Download the windows know client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki. You should see: hitting udp your-ip:2000 hitting tcp your-ip:3000 hitting udp your-ip:4000

  • On your server you should see:

listening on ixp0... your-client-ip: opencloseSSH: Stage 1 your-client-ip: opencloseSSH: Stage 2 your-client-ip: opencloseSSH: Stage 3 your-client-ip: opencloseSSH: OPEN SESAME opencloseSSH: running command: iptables -A INPUT -p tcp --dport 22 -j ACCEPT your-client-ip: opencloseSSH: command timeout opencloseSSH: running command: iptables -D INPUT -p tcp --dport 22 -j ACCEPT

  • If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

  • Of course this means that you have 60 seconds to connect to your server with Putty or client of your choice.
  • If your test is successful start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
  1. You should be good to go.

Notes: I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my nslu slug from whatever place I'm at.

October 01, 2005, at 09:22 PM by don lubinski --
Changed lines 18-19 from:
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown

to:
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown.
Changed lines 31-35 from:
to:
  1. Install the knock package: ipkg install knock.
  • Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):

[options]

        logfile = /var/log/knockd.log

[opencloseSSH]

        sequence      = 2000:udp,3000:tcp,4000:udp
        seq_timeout   = 15
        start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        cmd_timeout   = 60
        stop_command  = iptables -D INPUT -p tcp --dport 22 -j ACCEPT
  1. Test your port knock configuration.
  • Restart iptables: /opt/etc/init.d/S30iptables
  • Do a "iptables -L" and make sure that ssh IS NOT allowed.
  • Start up the knockd process. Run "knockd -i ipxo -v ".
  • Use a knock client
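Review bot: `iptables -A INPUT` appends, so if /opt/etc/iptables.sh ends the INPUT chain with a catch-all DROP (or a LOG followed by DROP), the ACCEPT that knockd adds lands after it and is never reached; the symptom is an "OPEN SESAME" line in the knockd log followed by an ssh connection that still times out. Using `-I INPUT` in start_command (and the same rule with `-D` in stop_command) inserts the rule at the top of the chain regardless of what the script does; confirm the position with `iptables -L INPUT -n --line-numbers` after a test knock.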
October 01, 2005, at 09:03 PM by don lubinski --
Changed lines 7-8 from:
  1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):
to:
  1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):
Changed lines 18-19 from:
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown
to:
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown

Changed lines 21-22 from:
Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
to:
Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL

Changed lines 32-34 from:
to:
October 01, 2005, at 08:48 PM by don lubinski --
Added line 8:
Added line 10:
Added line 14:
Added line 17:
Added lines 19-34:
  1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root later.
Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
  1. Install iptables http://www.nslu2-linux.org/wiki/HowTo/EnableFirewall.
REMOVE the line: $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
from the /opt/etc/iptables.sh script. This will block ssh (port 22) to your Slug.
  1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny:
sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
sshd: UNKNOWN
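Review bot: the `sshd: .cn, .cn.net, .cn.com, .jp, .jp.com` line matches on the client's reverse DNS name, so it only stops connections whose source address has a PTR record ending in one of those suffixes; an address with no PTR, or one under any other domain, passes, and a client that controls its own reverse zone can present any name it likes. `.cn.net` and `.cn.com` are ordinary subdomains of .net and .com, not country domains, so as a country filter the list is mostly decorative. `sshd: UNKNOWN` is the stronger of the two lines (it refuses clients whose name cannot be resolved or verified) but it also refuses legitimate clients at providers without reverse DNS. Both lines only take effect if sshd was built with tcp_wrappers (libwrap) support, and once the knock is in place port 22 is closed to everyone anyway, so keep this as defence in depth at most, and prefer listing the networks you actually log in from in hosts.allow over guessing hostnames to deny.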
October 01, 2005, at 08:14 PM by don lubinski --
Changed lines 13-14 from:
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown
to:
DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown
October 01, 2005, at 08:13 PM by don lubinski --
Changed lines 7-20 from:
  1. Modify the sshd.conf file in opt/etc as follows:
Change this entry:
Add these sections with your userid rather then "myuserid":

# Explicitly set who can and who can not login by way of ssh AllowGroups users everyone AllowUsers myuserid

[=# Everything that isn't above DenyGroups? root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite

to:
  1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):
PermitRootLogin no
# Explicitly set who can and who can not login by way of ssh
AllowGroups users everyone
AllowUsers myuserid
# Everything that isn't above
[=DenyGroups? root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
October 01, 2005, at 08:03 PM by don lubinski --
Changed lines 5-6 from:

1. Follow the howto for OPENSSH?, http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.

to:
  1. Follow the howto for OPENSSH?, http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.
  2. Modify the sshd.conf file in opt/etc as follows:
Change this entry:
Add these sections with your userid rather then "myuserid":

# Explicitly set who can and who can not login by way of ssh AllowGroups users everyone AllowUsers myuserid

# Everything that isn't above DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown

October 01, 2005, at 06:56 PM by don lubinski --
Changed lines 3-4 from:

The example that will be described here deals with "locking down" remote command line access via OpenSSH? secure shell (port 22). This is a good method to stop SSH brute search dictionary attacks.

to:

The example for Knock that will be described here deals with "locking down" remote command line access via OpenSSH? secure shell (port 22). This is a good method to stop SSH brute search dictionary attacks, see http://www.linuxsecurity.com/content/view/119238/151/.

1. Follow the howto for OPENSSH?, http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.

October 01, 2005, at 06:20 PM by don lubinski -- 1st page
Added lines 1-4:

This howto covers the setup and usage of Knock, a port knocking program. This program listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access. For more information go to http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki.

The example that will be described here deals with "locking down" remote command line access via OpenSSH? secure shell (port 22). This is a good method to stop SSH brute search dictionary attacks.
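Review bot: the claim that the knock stops SSH dictionary attacks holds in the sense that scanners never see port 22 open, but the sequence is a fixed secret sent in the clear, and anyone able to observe one knock (shared wireless, any hop on the path to the Slug) can replay it and is then facing only sshd. It is a way to hide the service from untargeted scanning, not an authentication step: keep PermitRootLogin no and key-based logins as the real access control, and where the installed knockd supports the one_time_sequences option, use it so that a captured sequence cannot be reused.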

Last edited by frustrated.
Based on work by frustrated, dlubinsk, metamind, don lubinski, and eFfeM.
Originally by don lubinski.
Page last modified on September 10, 2007, at 02:55 AM