* new match extension to implement port knocking in one rule
@ 2006-10-11 3:40 federikkom
From: federikkom @ 2006-10-11 3:40 UTC (permalink / raw)
To: netfilter-devel
Hi everybody, we have been working on a netfilter extension to implement port knocking in an easy way. The idea is to set everything in just one iptables rule:
for instance, if you want port knocking to allow SSH connections:
(1) the quick and easy way:
$ iptables -A INPUT -m state --state NEW -m pknock --name SSH --knockports 2002,2001,2004 -p tcp --dport 22 -j ACCEPT
after "knocking" ports 2002, 2001 and 2004 in sequence, you are allowed to connect to port 22.
We are also working on a more secure way to "knock" using HMACs:
(2) the more secure way: you knock with a UDP packet, payload containing an HMAC (see the README.txt for more details)
$ iptables -A INPUT -m state --state NEW -m pknock --name SSH --knockports 2000 --opensecret <your_opensecret> --closesecret <your_closesecret> -p udp -j DROP
$ iptables -A INPUT -m state --state NEW -m pknock --name SSH --checkip -p tcp --dport 22 -j ACCEPT
The project is hosted at berlios:
http://developer.berlios.de/projects/portknocko/
and you can check the source code out here:
svn checkout svn://svn.berlios.de/portknocko/trunk
hope you like the idea!
any feedback is welcome!
regards,
Luis Aquiles Floreani and J. Federico Hernandez
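To make the behaviour of the two rule forms above concrete, here is an added Python model of the match logic (an illustration written for this page, not the pknock module's own code). The knock ports 2002, 2001, 2004 and port 22 come from the rules; the 5-second gap allowed between knocks, and the HMAC payload format (HMAC-SHA256 over the source address and the current minute, keyed with the open or close secret) are assumptions, since the README referred to above is not part of this thread. The HMAC part shows why binding the tag to the source address and a time window matters: a captured knock is useless from another host or after the window expires.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Ports taken from the example rule:
#   -m pknock --name SSH --knockports 2002,2001,2004 -p tcp --dport 22
KNOCK_SEQUENCE = (2002, 2001, 2004)
KNOCK_TIMEOUT = 5.0  # seconds allowed between consecutive knocks (assumption, not from the page)


@dataclass
class Peer:
    stage: int = 0          # number of correct knocks seen so far
    last_seen: float = 0.0  # time of the last correct knock
    allowed: bool = False   # whether the --dport 22 rule would match for this peer


class SequenceKnocker:
    """Model of the plain --knockports mode: one state machine per source address."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = sequence
        self.timeout = timeout
        self.peers = {}

    def knock(self, src_ip, dport, now):
        """Record a TCP SYN from src_ip to dport at time `now`; return whether src_ip is now allowed."""
        peer = self.peers.setdefault(src_ip, Peer())
        if peer.stage and now - peer.last_seen > self.timeout:
            peer.stage = 0  # too slow: the partial sequence is forgotten
        if dport == self.sequence[peer.stage]:
            peer.stage += 1
            peer.last_seen = now
            if peer.stage == len(self.sequence):
                peer.allowed = True
                peer.stage = 0
        else:
            peer.stage = 0  # a wrong port resets progress; the order is part of the secret
        return peer.allowed

    def matches(self, src_ip):
        return self.peers.get(src_ip, Peer()).allowed


def knock_mac(secret: bytes, src_ip: str, minute: int) -> bytes:
    """Assumed payload format: HMAC-SHA256 over '<src_ip>:<minute>' (constructed for this example)."""
    return hmac.new(secret, f"{src_ip}:{minute}".encode(), hashlib.sha256).digest()


class HmacKnocker:
    """Model of the --opensecret/--closesecret mode: a single UDP packet carries the HMAC."""

    def __init__(self, opensecret: bytes, closesecret: bytes, window_minutes=1):
        self.opensecret = opensecret
        self.closesecret = closesecret
        self.window = window_minutes
        self.allowed = set()

    def knock(self, src_ip, payload: bytes, now):
        """Classify a UDP knock from src_ip; returns 'open', 'close' or 'ignored'."""
        minute = int(now // 60)
        # Accept tags for the current minute and a short grace period behind it.
        for m in range(minute - self.window, minute + 1):
            if hmac.compare_digest(payload, knock_mac(self.opensecret, src_ip, m)):
                self.allowed.add(src_ip)
                return "open"
            if hmac.compare_digest(payload, knock_mac(self.closesecret, src_ip, m)):
                self.allowed.discard(src_ip)
                return "close"
        return "ignored"  # wrong secret, wrong source, or stale tag: the -j DROP rule eats it

    def matches(self, src_ip):
        """What the second rule (--checkip -p tcp --dport 22) would test."""
        return src_ip in self.allowed
```

The sequence model makes the weakness of mode (1) visible: the "secret" is only the port order, and anyone who can observe the three SYNs can repeat them. In the HMAC model the tag is computed over the observer-visible source address and a minute counter, so replaying it from a different host, or later than the grace window, is classified as "ignored" and never opens the port.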
* Re: new match extension to implement port knocking in one rule
From: Rennie deGraaf @ 2006-10-11 5:33 UTC (permalink / raw)
To: federikkom; +Cc: netfilter-devel
federikkom wrote:
> Hi everybody, we have been working on a netfilter extension to implement port knocking in an easy way. The idea is to set everything in just one iptables rule:
>
<snip>
If you're interested in port knocking, you might want to read this
paper: http://www.acsac.org/2005/abstracts/156.html It covers security
issues relating to port knocking in detail, and presents an architecture
for solving most of them.
Full disclosure: I wrote that paper. Feel free to contact me if you
have questions.
Rennie deGraaf