1. Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\

1. Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\

# ipkg -d root install http://ipkg.nslu2-linux.org/feeds/unslung/cross/knock_0.5-2_armeb.ipk \\

caveat: my ipkg was not successful in installation. I found and installed it using: \\

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository. Test the location given in the caveat below for downloading and installation. YMMV

'caveat: my ipkg was not successful in installation. I found and installed it using: '
#http://ipkg.nslu2-linux.org/feeds/unslung/cross/knock_0.5-2_armeb.ipk \\

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

# reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

reader beware: This howto may be aged. The knock package does not appear to available for standard ipkg install at least from a OpenSlug 3.10-beta repository.

# If myuserid belongs to a group place mygroupid in Allowgroups as well
AllowGroups users everyone mygroupid \\

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com

1. BACKUP the sshd config file /opt/etc/openssh/sshd_config (this will allow you to recover in case of problems).
2. Modify or add entries to the sshd_config file in opt/etc/openssh as follows: \\

1. BACKUP a copy of the file /opt/etc/openssh/sshd_config (this will allow you to recover in case of problems).
2. Modify or add entries to the sshd_conf file in opt/etc/openssh as follows: \\

1. BACKUP a copy of the file you change in the next section. I changed /opt/etc/openssh/sshd_config (assuming this was the file that was meant) and can not get access via ssh anymore. i can get access via telnet but, for some reason - i am a newbie - nano won't work so I'm not sure how to undo the edits i made to the file.

1. BACKUP a copy of the file you change in the next section. I changed /opt/etc/openssh/sshd_config (assuming this was the file that was meant) and can not get access via ssh anymore. i can get access via telnet but,

for some reason - i am a newbie - nano won't work so I'm not sure how to undo the edits i made to the file.

  ( for me the file was /opt/etc/openssh/sshd_config)

        tcpflags      = syn \\

Note: With Unslung 6.8 you must include the "tcpflags = syn" directive

1. Run the knock client from either Linux or Windows. You can download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki). \\

This howto covers the setup and usage of Knock, a port knocking program. This program listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access. For more information go to http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki.

1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your nslu2 from whatever place you are at. As well, you can chose to "knock" and open/close any other ports in a similiar fashion...as your needs dictate.

1. Make sure that ssh is not allowed. Verify by running #iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out. (if you still lock yourself out, you should reboot without disk, login, then reconnect and mount the disk. At that point you can repair the problem).
   

Add yourself (replacing myuserid) to the sudo list with # visudo: myuserid ALL=(ALL) ALL .
Reconnect with myuserid and #sudo su .

1. Modify or add entries to the sshd.conf file in opt/etc as follows: \\

1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file:
   
   sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
   sshd: UNKNOWN
   

1. Install the knock package: #ipkg install knock
   Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):\\

Lets do some port knocking.

1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your nslu2 from whatever place you are at.

1. Restart the SSH daemon process: # /opt/etc/init.d/S40sshd . This will disconnect your session if you were connected with ssh. If so, reconnect using myuserid and #sudo su .
   

1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.
   Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
   Logout and login with myuserid and #sudo su .
   
2. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed): \\

AllowUsers myuserid \\

Restart the SSH daemon process: # /opt/etc/init.d/S40sshd

1. Install the knock package: #ipkg install knock \\

1. Restart iptables: #/opt/etc/init.d/S30iptables
   
2. Make sure that ssh is not allowed. Verify by running #iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
   
3. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use #knockd -i ixp0 -v .
   

#knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

1. If you do another #iptables -L on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh: \\

1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via #opt/etc/init.d/S05knockd. This will run knockd as a daemon.
   

1. Make your nslu2 administration activities portable and secure. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place you are at.

Tips:

1. Make your nslu2 administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place you are at.

1. If you do another iptables -L on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh: \\

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via opt/etc/init.d/S05knockd. This will run knockd as a daemon.
   

knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

hitting udp your-nslu2-ip:2000
hitting tcp your-nslu2-ip:3000
hitting udp your-nslu2-ip:4000

(after 60 seconds....)\\

'''PermitRootLogin no \\

DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown '''

Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL

REMOVE the line: $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT \\

1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file: \\

sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
sshd: UNKNOWN

1. Install the knock package: ipkg install knock \\

'''[options]\\

        stop_command  = iptables -D INPUT -p tcp --dport 22 -j ACCEPT''' 

1. Restart iptables: /opt/etc/init.d/S30iptables
   
2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
   
3. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use knockd -i ixp0 -v .
   

knock''' '''''your-nslu2-ip''''' '''-v 2000:udp 3000:tcp 4000:udp \\

1. If your test was successful, terminate the current knockd server process. Restart the knockd server process via "opt/etc/init.d/S05knockd". This will run knockd as a daemon.
   

1. Make your nslu2 administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.

1. Start up the knockd server process on your nslu2 (dont't run it as -d yet). Use "knockd -i ixp0 -v ".
   

hitting udp your-nslu2-ip:2000
hitting tcp your-nslu2-ip:3000
hitting udp your-nslu2-ip:4000

1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny file: \\

1. Start up the knockd server process on your nslu2(dont't run it as -d yet). Run "knockd -i ixp0 -v ".
   

1. Of course this means that you have 60 seconds to connect to your nslu2 server with Putty or ssh client of your choice.
   
2. If your test was successful, terminate the current knockd server process. Start the knockd server process via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
   

Tips:

1. Make your administration activities portable. You can load up a USB stick with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.

1. Start up the knockd serverprocess on your nslu2(dont't run it as -d yet). Run "knockd -i ixp0 -v ".
   

Test your port knock configuration.

1. Restart iptables: /opt/etc/init.d/S30iptables
   
2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
   
3. Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
   
4. Run the knock client from either Linux or Windows. You can download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). \\

knock your-nslu2-ip -v 2000:udp 3000:tcp 4000:udp \\

On your knock client you should see:

hitting udp your-ip:2000
hitting tcp your-ip:3000
hitting udp your-ip:4000

1. On your nslu2 server you should see:
   
   listening on ixp0...
   your-client-ip: opencloseSSH: Stage 1
   your-client-ip: opencloseSSH: Stage 2
   your-client-ip: opencloseSSH: Stage 3
   your-client-ip: opencloseSSH: OPEN SESAME
   opencloseSSH: running command: iptables -A INPUT -p tcp --dport 22 -j ACCEPT
   (after 60 seconds....)
   your-client-ip: opencloseSSH: command timeout
   opencloseSSH: running command: iptables -D INPUT -p tcp --dport 22 -j ACCEPT
   
2. If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:
   
   ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
   
3. Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
   
4. If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.
   

1. Make yourself portable. You can load a USB stick up with the knock client and Putty. This gives you the ability to "knock" and remote ssh administer your NSLU2 from whatever place your at.

Preparation and installation of Knock.

1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny:
   
   sshd: .cn, .cn.net, .cn.com, .jp, .jp.com
   sshd: UNKNOWN
   
2. Install the knock package: ipkg install knock.
   Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):
   
   [options]
   logfile = /var/log/knockd.log
   
   [opencloseSSH]
   sequence = 2000:udp,3000:tcp,4000:udp
   seq_timeout = 15
   start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
   cmd_timeout = 60
   stop_command = iptables -D INPUT -p tcp --dport 22 -j ACCEPT
   
3. Test your port knock configuration.
   
   ## Restart iptables: /opt/etc/init.d/S30iptables
   \\

1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):
   
   PermitRootLogin no
   
   # Explicitly set who can and who can not login by way of ssh
   AllowGroups users everyone
   AllowUsers myuserid
   
   # Everything that isn't above
   DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite
   DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown
   
2. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.
   Add yourself to the sudo list with visudo: myuserid ALL=(ALL) ALL
   
3. Install iptables http://www.nslu2-linux.org/wiki/HowTo/EnableFirewall.
   REMOVE the line: $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
   from the /opt/etc/iptables.sh script. This will block ssh (port 22) to your Slug.
   

1. Restart iptables: /opt/etc/init.d/S30iptables
2. Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.
3. Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
4. Use a knock client to perform a test knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp//You can do this from a Windows machine if you want (download the windows knock client from

http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see [=hitting udp your-ip:2000

hitting udp your-ip:4000=]

1. On your server you should see:

1. If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:

1. Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
2. If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.

http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see: //

1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root using ssh later.

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH secure shell.

1. Follow the howto for OpenSSH secure shell: http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.

• Make sure that ssh is not allowed. Verify by running iptables -L; there should be NO entries for ssh. Be careful not to completely lock yourself out at this point, root and ssh ARE locked out.

• Use a knock client to perform a test knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp

You can do this from a Windows machine if you want (download the windows knock client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki). You should see:

• Of course this means that you have 60 seconds to connect to your server with Putty or ssh client of your choice.
• If your test was successful, terminate the current knockd server. Start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.

1. I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my NSLU2 from whatever place I'm at.

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH? secure shell.

1. Follow the howto for OpenSSH? secure shell: http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via ssh.

The example for Knock that will be described here deals with setting up a secure way to administer your Slug with remote command line access via OpenSSH? secure shell (port 22).

Notes:

1. I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my nslu slug from whatever place I'm at.
2. This knock procedure is also a very good method to stop SSH brute search dictionary attacks, see http://www.linuxsecurity.com/content/view/119238/151/.

• Start up the knockd process (dont't run it as -d yet). Run "knockd -i ixp0 -v ".
• Use the knock client to perform a knock: knock your-ip -v 2000:udp 3000:tcp 4000:udp

You can do this from a Windows machine if you want. Download the windows know client from http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki. You should see: hitting udp your-ip:2000 hitting tcp your-ip:3000 hitting udp your-ip:4000

• On your server you should see:

listening on ixp0... your-client-ip: opencloseSSH: Stage 1 your-client-ip: opencloseSSH: Stage 2 your-client-ip: opencloseSSH: Stage 3 your-client-ip: opencloseSSH: OPEN SESAME opencloseSSH: running command: iptables -A INPUT -p tcp --dport 22 -j ACCEPT your-client-ip: opencloseSSH: command timeout opencloseSSH: running command: iptables -D INPUT -p tcp --dport 22 -j ACCEPT

• If you do another "iptables -L" on the server AFTER your knock and BEFORE the cmd-timeout of 60 seconds you should see a line permitting ssh:

ACCEPT tcp -- anywhere anywhere tcp dpt:ssh

• Of course this means that you have 60 seconds to connect to your server with Putty or client of your choice.
• If your test is successful start the knockd server via "opt/etc/init.d/S05knockd" supplied. This will run knockd as a daemon.

1. You should be good to go.

Notes: I carry a USB stick with the knock client and Putty installed. This gives me the ability to "knock" and remote ssh administer my nslu slug from whatever place I'm at.

1. Install the knock package: ipkg install knock.

• Configure your etc/knockd.conf as follows (change the knocking sequence to your own preference):

[options]

        logfile = /var/log/knockd.log

[opencloseSSH]

        sequence      = 2000:udp,3000:tcp,4000:udp
        seq_timeout   = 15
        start_command = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        cmd_timeout   = 60
        stop_command  = iptables -D INPUT -p tcp --dport 22 -j ACCEPT

1. Test your port knock configuration.

• Restart iptables: /opt/etc/init.d/S30iptables
• Do a "iptables -L" and make sure that ssh IS NOT allowed.
• Start up the knockd process. Run "knockd -i ipxo -v ".
• Use a knock client

1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):

1. Install sudo http://www.nslu2-linux.org/wiki/Unslung/Sudo. You need to do this because you will not be allowed to log in with root later.

1. Install iptables http://www.nslu2-linux.org/wiki/HowTo/EnableFirewall.

1. Limit sshd's accessing domains you know you don't need in /etc/hosts.deny. For example, I know that no one from China should be logging into my sshd, so create/edit your hosts.deny:

1. Modify or add entries to the sshd.conf file in opt/etc as follows (change myuserid as needed):

1. Follow the howto for OPENSSH?, http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.
2. Modify the sshd.conf file in opt/etc as follows:

# Explicitly set who can and who can not login by way of ssh AllowGroups users everyone AllowUsers myuserid

# Everything that isn't above DenyGroups root bin daemon sys adm tty disk lp mem kmem wheel floppy mail news uucp man games slocate utmp smmsp mysql rpc sshd shadow ftp nogroup console xcdwrite DenyUsers root bin daemon adm lp sync shutdown halt mail news uucp operator games ftp smmsp mysql rpc sshd nobody test guest user admin apache www wwwrun httpd irc unknown

The example for Knock that will be described here deals with "locking down" remote command line access via OpenSSH? secure shell (port 22). This is a good method to stop SSH brute search dictionary attacks, see http://www.linuxsecurity.com/content/view/119238/151/.

1. Follow the howto for OPENSSH?, http://www.nslu2-linux.org/wiki/HowTo/UseOpenSSHForRemoteAccess.

This howto covers the setup and usage of Knock, a port knocking program. This program listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access. For more information go to http://www.zeroflux.org/cgi-bin/cvstrac/knock/wiki.

The example that will be described here deals with "locking down" remote command line access via OpenSSH? secure shell (port 22). This is a good method to stop SSH brute search dictionary attacks.