Hey all,

As you know, securing a Linux server isn't the hardest thing to do. However! So many people still get it wrong.

Things like:
- Bad file permissions
- Not disabling directory listings on Apache
- Easy to guess passwords
- No firewall, or a very simple firewall rule set
- Allowing root SSH access (and SSH access from anywhere)

Today I'm going to quickly cover the firewall part. Not only this, but I will also briefly cover the part about allowing ANYONE to SSH to your server!

Now,
You may have your server nicely locked down. You have disabled remote root logins over SSH, yeah? Yeah?… No really.. Yeah?

Have you got the firewall locked down to ONLY allow SSH connections from trusted IP addresses (your home, your work, your friend's house)?
Yeah?

Ok, So you have done the basics…
Good stuff.

Only one problem…
What if you need access to your server from ANY IP address, but you can't because you have it locked down so tight?

Well,
This is where port knocking comes in..

With port knocking, you can lock your firewall down like normal. However, this time if you need access from an unknown IP you can "knock" on some other ports..

You "knock" the ports in the correct order with the correct TCP flags, and your bouncer of a firewall will open port 22 (or others) for you..

Once you have finished, knock again to close it.

Here's how..

Download a program called knockd (you can do it with just iptables, but this is simpler).

knockd listens on the interface, and when it sees your knocks in the right order it inserts an iptables rule allowing port 22 from your IP address into the ruleset.

Ok,
So you have knockd installed..

(Make sure you have physical access to your machine! Or you may cut yourself off.)

Configure it..
Open up /etc/knockd.conf and edit it like below:

[options]
    logfile = /var/log/knockd.log

[allowSSH]
    sequence    = 100,200,300
    seq_timeout = 10
    command     = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn,fin,urg

[blockSSH]
    sequence    = 300,200
    seq_timeout = 5
    command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn
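To make it clearer what knockd is actually doing with the config above, here is an added example (my own, not code from the post or from knockd): a small Python model of the knock matcher. It parses the config exactly as written, tracks each source IP's progress through each door's sequence, applies seq_timeout and the tcpflags check, and returns the iptables command knockd would run with %IP% substituted. The packets and the 203.0.113.7 client address are constructed, and the matching rules (ports outside any sequence are ignored, a wrong port resets that door, a packet missing the door's flags is ignored, the timeout counts from the first knock) are a simplified model of knockd's documented behaviour, not its source.

```python
"""Model of how knockd matches the [allowSSH] and [blockSSH] doors.

Added example, not knockd's own code. Constructed packets (source IP,
destination port, TCP flags, timestamp) are fed through a per-door,
per-source sequence tracker; nothing here touches iptables or the network.
"""
import configparser

# Copy of the knockd.conf from the post, embedded so the example runs offline.
KNOCKD_CONF = """
[options]
logfile = /var/log/knockd.log

[allowSSH]
sequence    = 100,200,300
seq_timeout = 10
command     = /usr/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn,fin,urg

[blockSSH]
sequence    = 300,200
seq_timeout = 5
command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn
"""


def parse_conf(text):
    """Return one dict per door; [options] is skipped.
    interpolation=None keeps the literal %IP% placeholder intact."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    doors = []
    for name in cp.sections():
        if name == "options":
            continue
        sec = cp[name]
        doors.append({
            "name": name,
            "sequence": [int(p) for p in sec["sequence"].split(",")],
            "seq_timeout": float(sec["seq_timeout"]),
            "command": sec["command"],
            "tcpflags": frozenset(f.strip().lower() for f in sec["tcpflags"].split(",")),
        })
    return doors


class KnockTracker:
    """Tracks each source IP's progress through each door's sequence (simplified model)."""

    def __init__(self, doors):
        self.doors = doors
        # knockd only captures the ports that appear in some sequence (assumption:
        # a packet to any other port neither advances nor resets an attempt).
        self.watched = {p for d in doors for p in d["sequence"]}
        self.attempts = {}  # (door name, src ip) -> (next index, time of first knock)
        self.log = []       # every command this tracker "ran"

    def packet(self, src, dport, flags, ts):
        """Process one packet; return the command fired by a completed door, else None."""
        flags = frozenset(f.lower() for f in flags)
        if dport not in self.watched:
            return None
        fired = None
        for door in self.doors:
            if not door["tcpflags"] <= flags:
                continue  # required flags not set: this door ignores the packet
            key = (door["name"], src)
            idx, start = self.attempts.get(key, (0, ts))
            if idx > 0 and ts - start > door["seq_timeout"]:
                idx, start = 0, ts  # stale attempt: seq_timeout expired, start over
            if dport == door["sequence"][idx]:
                if idx == 0:
                    start = ts
                idx += 1
                if idx == len(door["sequence"]):
                    cmd = door["command"].replace("%IP%", src)
                    self.log.append(cmd)
                    fired = cmd
                    self.attempts.pop(key, None)
                    continue
                self.attempts[key] = (idx, start)
            else:
                self.attempts.pop(key, None)  # wrong port: back to square one
        return fired


def demo():
    """Open, close, then a knock that is too slow. Returns the three outcomes."""
    tracker = KnockTracker(parse_conf(KNOCKD_CONF))
    client = "203.0.113.7"  # constructed client address
    knock = {"syn", "fin", "urg"}
    tracker.packet(client, 100, knock, 0.0)
    tracker.packet(client, 200, knock, 1.0)
    opened = tracker.packet(client, 300, knock, 2.0)          # allowSSH fires
    tracker.packet(client, 300, {"syn"}, 30.0)
    closed = tracker.packet(client, 200, {"syn"}, 31.0)       # blockSSH fires
    tracker.packet(client, 100, knock, 40.0)
    tracker.packet(client, 200, knock, 55.0)                  # 15 s > seq_timeout of 10
    late = tracker.packet(client, 300, knock, 56.0)           # nothing fires
    return opened, closed, late


if __name__ == "__main__":
    for cmd in demo():
        print("would run:", cmd)
```

Running it prints the open command, then the close command, then None for the attempt that was slower than seq_timeout: knockd simply forgets the half-finished sequence and you start again. Note that `-I INPUT` puts the ACCEPT in front of your existing rules, so the knock only helps if the ruleset otherwise drops port 22, and [blockSSH] removes exactly that rule again with `-D`.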

Ok great,
That's done.

You now need a bit of software on your remote machine called hping.
This will allow you to send specially crafted packets.

Install it now.

Done?

Let's quickly create a shell script to OPEN the port for you from a remote host, and another to CLOSE it again.
Make sure to chmod +x these files so you can execute them (./openssh.sh).

openssh.sh:

#!/bin/sh
# Knock to OPEN port 22. hping sends raw packets, so run this as root (sudo ./openssh.sh).
# On many distros the binary is installed as hping3; adjust the name if so.
SERVER=xxx.xxx.xxx.xxx   # your server's IP address
IFACE=eth0               # interface to send from (-I is --interface; lowercase -i is the packet interval)

# Knock on 100 with SYN|FIN|URG
hping -I "$IFACE" -c 1 -S -F -U "$SERVER" -p 100

# Knock on 200 with SYN|FIN|URG
hping -I "$IFACE" -c 1 -S -F -U "$SERVER" -p 200

# Knock on 300 with SYN|FIN|URG
hping -I "$IFACE" -c 1 -S -F -U "$SERVER" -p 300

closessh.sh:

#!/bin/sh
# Knock to CLOSE port 22 again (plain SYN, to match tcpflags = syn in [blockSSH]).
# Same note as above: run as root, and use hping3 if that is the binary name.
SERVER=xxx.xxx.xxx.xxx   # your server's IP address
IFACE=eth0               # interface to send from

# Knock on 300 with SYN
hping -I "$IFACE" -c 1 -S "$SERVER" -p 300

# Knock on 200 with SYN
hping -I "$IFACE" -c 1 -S "$SERVER" -p 200

DONE!
Now just use ./openssh.sh to allow an SSH connection to your remote host and, when finished, use ./closessh.sh to secure it again.