portknocking question

Hi there,

I have really specific needs and wondering if somebody has written a port knocker out there already that fits the criteria of what I am looking for.

Portknocker capabilities:

1) User needs to telnet to a specific port and/or log into a website.
2) Learns the IP address that the user is coming from in step 1.
3) Opens the ssh port specifically to the IP address grabbed in step 1, but also keeps the ssh port open to statically defined IPs in /etc/rc.firewall .
4) As soon as the user disconnects from the ssh port, the IP address from step 1 can no longer access the ssh port unless they log back in following the procedure in step 1.

I reviewed two programs doorman and knock (found in FreeBSD /usr/ports/security)

Doorman Review: I am unable to figure out how to configure the ability to capture the IP address of where the UDP packet was sent from. Therefore this program does not completely match what I am looking for, or I do not understand how to configure it.

Knock Review: This is nice but still requires closing the port as a step when done. It would be nice to automatically close the ssh port when the user disconnects from the ssh port. Also I am not clear but I don't think there is a way to grab the source IP address, right?

Anybody know of other programs I could check out?



Noah Garrett Wallach
[Please don't post the same article to multiple newsgroups. If you must, put up to five newsgroup names, comma separated as I've done here, and set the Followup-To: header - which I haven't done here because I've no idea where you are reading]

Well, let's stop for a moment and ask what _Operating_System_ you are using? You posted to a Linux newsgroup, but your headers say Mac OSX, and you mention FreeBSD below. That really does make a difference.

The normal technique is to attempt to telnet to an otherwise closed port, and let your firewall react by opening a different port for perhaps one minute to that address from where you attempted the telnet. If you don't mind being accused of "Security By Obscurity", this _could_be_ something like

    Telnet remote.host 25096
    Connection Refused
    SSH remote.host 9629
    Login:

In this example, you can also put traps at ports 9625 and 9635 that _close_ the firewall access to 9629. This catches port scanners. OBVIOUSLY, USE RANDOM NUMBERS FOR THOSE PORTS. I happen to have chosen those by looking at the size of a file in my home directory that was 2509629 bytes.

Normal routine is to open the SSH port for NEW connections for a minute. The firewall rule that allows _established_ connections handles the connection after the one minute.

You should also be able to do it directly with your firewall rules, but it's highly dependent on which operating system you are using.

You are posting from a search engine. Did you think to try searching there for the terms "port+knocking" and the name of your O/S?

Web Results 1 - 10 of about 592,000 for port+knocking Linux. (0.15 seconds)

Web Results 1 - 10 of about 267,000 for port+knocking OSX. (0.21 seconds)

Web Results 1 - 10 of about 148,000 for port+knocking FreeBSD. (0.15 seconds)

Web Results 1 - 10 of about 79,000 for port+knocking OpenBSD. (0.15 seconds)

Web Results 1 - 10 of about 66,200 for port+knocking NetBSD. (0.25 seconds)

Notice - it varies by O/S. Who would have thought?

Old guy

Moe Trin
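To make the decision logic of the reply above concrete, here is an added example (not from either poster) that simulates the firewall policy described: a knock on the "closed" port records the source address, the SSH port then accepts NEW connections from that address for one minute, the two adjacent trap ports revoke the grant, statically allowed addresses (the fixed entries the original poster keeps in /etc/rc.firewall) always get in, and already-established sessions keep flowing after the minute is over. The port numbers are the ones from the reply; the IP addresses and the class/method names are constructed for the example, and no real firewall is touched.

```python
from dataclasses import dataclass, field

KNOCK_PORT = 25096          # the otherwise closed port the user telnets to (from the reply)
SSH_PORT = 9629             # the port the firewall opens for one minute after a knock
TRAP_PORTS = {9625, 9635}   # neighbouring ports: hitting one revokes access (catches scanners)
WINDOW = 60                 # seconds during which NEW SSH connections are accepted after a knock


@dataclass
class KnockFirewall:
    """Simulated packet-filter state for the port-knocking scheme in the reply (constructed example)."""
    static_allow: set                                   # addresses always allowed to SSH
    knocked: dict = field(default_factory=dict)         # src ip -> time of its last knock
    established: set = field(default_factory=set)       # (src ip, src port) of accepted SSH sessions

    def syn(self, src, sport, dport, now):
        """Verdict for a NEW TCP connection attempt (the SYN) from src:sport to dport at time now."""
        if dport == KNOCK_PORT:
            self.knocked[src] = now             # remember who knocked, but still refuse the connection
            return "REJECT"                     # the user sees "Connection Refused", as in the reply
        if dport in TRAP_PORTS:
            self.knocked.pop(src, None)         # a scan walked onto a trap: forget the knock
            return "DROP"
        if dport == SSH_PORT:
            t = self.knocked.get(src)
            if src in self.static_allow or (t is not None and 0 <= now - t <= WINDOW):
                self.established.add((src, sport))   # conntrack-style "established" entry
                return "ACCEPT"
            return "DROP"
        return "DROP"                           # everything else stays closed

    def packet(self, src, sport, dport, now):
        """Verdict for a non-SYN packet: only already-established SSH sessions pass, regardless of time."""
        return "ACCEPT" if dport == SSH_PORT and (src, sport) in self.established else "DROP"

    def close(self, src, sport):
        """Session ended: drop the established entry, so the same client must knock again for a new one."""
        self.established.discard((src, sport))
```

Because the grant is time-limited and only the established-state entry survives it, a client that disconnects after the minute has to knock again before it can open a new SSH session, which is the behaviour the original poster asked for in step 4.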
