[olug] PortKnocker Script

Thom Harrison id4spam at cox.net
Sat Apr 3 16:47:11 UTC 2004


The Port Knocker scripts can be downloaded from my ftp site too.  
They're in /knock

linux:/srv/ftp/custom/cmds # ftp thom.homelinux.com
Connected to ip68-225-168-172.om.om.cox.net.
220 "Welcome to Smopuim FTP service."
Name (thom.homelinux.com:root): ftp
331 Please specify the password.
Password: ftp$thom
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd knock
250 Directory successfully changed.
ftp> dir
229 Entering Extended Passive Mode (|||11422|)
150 Here comes the directory listing.
-r--r--r--    1 ftp      ftp          2561 Jan 18 12:28 firewall
-r--r--r--    1 ftp      ftp          9437 Dec 10 13:38 knockclient
-r--r--r--    1 ftp      ftp          8773 Jan 17 21:02 knockserver
-r--r--r--    1 ftp      ftp          4438 Dec 10 13:38 lufshome
-r--r--r--    1 ftp      ftp          2705 Jan 17 21:01 sftphome
-r--r--r--    1 ftp      ftp          4332 Jan 19 01:10 sshhome
226 Directory send OK.

The firewall script is to show the IPTABLES -P commands.  The firewall 
basically needs to set the defaults.  The subsequent commands each allow 
some kind of connection.  This is required for the knockserver script to 
add additional rules on the fly.

 From the server type:  knockserver -f /var/log/messages

You'll have to install some Perl Modules for this to work.
For instance, knockserver has the following lines:

use File::Tail;
use Crypt::CBC;
use Schedule::At;
use Math::VecStat qw(sum);
use POSIX qw(strftime);
use Pod::Usage;

Type the following:

# cpan
cpan> install File::Tail
cpan> install Crypt::CBC
etc...

I've got some scripts that will do the knocking from a client too.  
They'll probably need modifying though.  For instance, they're going to 
try and connect to thom.homelinux.com

Feel free to test the client by connecting to my server.  You'll get an 
ssh login (sorry ftp/ftp$thom won't work for ssh).  Once you've verified 
that, you'll probably want to change:
use constant KEY          => "5y%h^23b";
iv         =>"l4725836",
That way you'll have your own superduper secret password.  ( more secret 
than mine anyway ).  As I recall, I purposely used 8 distinct digits for 
the iv #.  Some special characters may also cause you trouble in the 
password.

Please let me know if you have any problems.  And I'll update my notes.

Thom
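Added example, not code from Thom's knockserver or knockclient: the post says the server tails /var/log/messages and adds iptables rules on the fly, but it does not describe how the knocks are encoded (the Crypt::CBC KEY and iv are the only hints), so this version recognises a plain fixed port sequence instead. It assumes a LOG rule with the prefix "KNOCK " in the firewall script, hypothetical knock ports 9000, 7000, 8000, and a constructed sample of syslog lines (all addresses invented). It returns the sources that completed the sequence, and the iptables add/delete pair a server would run and schedule.

```python
import re
from datetime import datetime

# Hypothetical knock sequence and timings for this example; not values from
# Thom's scripts. The order is deliberately non-monotonic so that a port
# scanner walking ports in numeric order (7000, 8000, 9000, ...) resets the
# state instead of stumbling through the sequence.
KNOCK_SEQUENCE = (9000, 7000, 8000)
WINDOW_SECONDS = 10   # the whole sequence must arrive within this window
OPEN_SECONDS = 30     # lifetime of the opened rule before the scheduled delete

# Assumed LOG rule in the firewall script (not on the original page):
#   iptables -A INPUT -p tcp -m multiport --dports 7000,8000,9000 \
#            -j LOG --log-prefix "KNOCK "
# The kernel then writes lines like those in SAMPLE_LOG to /var/log/messages.
LOG_RE = re.compile(
    r"kernel: KNOCK .*?SRC=(?P<src>\d+(?:\.\d+){3}) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)
EPOCH = datetime(1900, 1, 1)  # syslog timestamps carry no year; strptime fills 1900

# Constructed sample: one good knock, one sequential scan, one knock that is
# too slow. The sshd line shows that unrelated syslog traffic is ignored.
SAMPLE_LOG = """\
Apr  3 16:47:01 smopuim sshd[1234]: Accepted publickey for thom from 10.0.0.5 port 52000 ssh2
Apr  3 16:47:11 smopuim kernel: KNOCK IN=eth0 OUT= SRC=68.225.1.10 DST=192.168.1.2 LEN=60 TTL=52 ID=1 DF PROTO=TCP SPT=40001 DPT=9000 WINDOW=5840 SYN URGP=0
Apr  3 16:47:12 smopuim kernel: KNOCK IN=eth0 OUT= SRC=68.225.1.10 DST=192.168.1.2 LEN=60 TTL=52 ID=2 DF PROTO=TCP SPT=40002 DPT=7000 WINDOW=5840 SYN URGP=0
Apr  3 16:47:13 smopuim kernel: KNOCK IN=eth0 OUT= SRC=68.225.1.10 DST=192.168.1.2 LEN=60 TTL=52 ID=3 DF PROTO=TCP SPT=40003 DPT=8000 WINDOW=5840 SYN URGP=0
Apr  3 16:47:20 smopuim kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TTL=48 ID=4 DF PROTO=TCP SPT=1025 DPT=7000 WINDOW=1024 SYN URGP=0
Apr  3 16:47:20 smopuim kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TTL=48 ID=5 DF PROTO=TCP SPT=1026 DPT=8000 WINDOW=1024 SYN URGP=0
Apr  3 16:47:20 smopuim kernel: KNOCK IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.2 LEN=60 TTL=48 ID=6 DF PROTO=TCP SPT=1027 DPT=9000 WINDOW=1024 SYN URGP=0
Apr  3 16:48:00 smopuim kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 LEN=60 TTL=60 ID=7 DF PROTO=TCP SPT=3000 DPT=9000 WINDOW=5840 SYN URGP=0
Apr  3 16:48:30 smopuim kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 LEN=60 TTL=60 ID=8 DF PROTO=TCP SPT=3001 DPT=7000 WINDOW=5840 SYN URGP=0
Apr  3 16:48:31 smopuim kernel: KNOCK IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.2 LEN=60 TTL=60 ID=9 DF PROTO=TCP SPT=3002 DPT=8000 WINDOW=5840 SYN URGP=0
"""


def parse_line(line):
    """Return (seconds, src, dport) for a KNOCK log line, else None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    try:
        stamp = datetime.strptime(line[:15], "%b %d %H:%M:%S")
    except ValueError:
        return None
    return (stamp - EPOCH).total_seconds(), m.group("src"), int(m.group("dpt"))


def process_log(lines):
    """Run the knock state machine over syslog lines.

    Per-source state is (index of the next expected knock, time of the first
    knock). Returns one (src, timestamp) pair per completed sequence.
    """
    state = {}
    opened = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        now, src, dport = parsed
        idx, started = state.get(src, (0, 0.0))
        # Too slow: throw away the partial sequence before looking at this knock.
        if idx and now - started > WINDOW_SECONDS:
            idx = 0
        if dport == KNOCK_SEQUENCE[idx]:
            if idx == 0:
                started = now
            idx += 1
            if idx == len(KNOCK_SEQUENCE):
                opened.append((src, line[:15]))
                idx = 0
        else:
            # Any out-of-order knock port resets this source.
            idx = 0
        state[src] = (idx, started)
    return opened


def rules_for(src, port=22):
    """Commands a server would run for an accepted knock: insert an ACCEPT for
    the knocker ahead of the DROP policy, and the matching delete to schedule
    OPEN_SECONDS later (the post uses Schedule::At for this)."""
    rule = f"INPUT -s {src} -p tcp --dport {port} -j ACCEPT"
    return f"iptables -I {rule}", f"iptables -D {rule}"


def demo():
    """Sources that completed the sequence in the constructed sample."""
    return process_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for src, stamp in demo():
        add, delete = rules_for(src)
        print(f"{stamp} open for {src}: {add}  (then in {OPEN_SECONDS}s: {delete})")
```

Only 68.225.1.10 gets through: 203.0.113.7 hits the knock ports in numeric order and is reset on every packet, and 198.51.100.9 sends the second knock 30 seconds after the first, outside the window. A real server would feed lines from a tail of the log (File::Tail in the Perl version) instead of a string, and would execute the add rule and schedule the delete rather than print them.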

