S-port-knock [v0.8.1, 2024-07-19] — simple port knock
SYNOPSIS
s-port-knock
DESCRIPTION
A simple port knock implementation. It requires modern implementations of openssl(1) and ssh-keygen(1), and also a suitable sh(1). Please run s-port-knock.sh as above for a usage summary, and the EXAMPLE below.
BIG FAT WARNING
This software MUST be protected by suitable firewall rules! Any network packet sent to it causes a sh(1)ell script to run! For example the author uses this Linux firewall rule, which effectively allows only one packet per source address per minute (and causes an hour-long block otherwise).
# port_knock:
input only server
if fwcore_has_i port_knock; then
    : ${FWCORE_PORT_KNOCK:?port_knock needs FWCORE_PORT_KNOCK}
    if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
        # Record the source address, then check whether it has already
        # been seen within the last 60 seconds.  A second packet inside
        # that window puts the address on the alien_super list (the
        # hour-long block mentioned above) and is dropped.
        add_rule -p udp --dport ${port} \
            -m recent --name port_knock --set \
            -m recent --name port_knock \
                --rcheck --seconds 60 --reap --hitcount 2 \
            -m recent --name alien_super --set -j DROP
        # Otherwise (first packet within a minute) the packet goes on
        # to the f_m1 chain.
        add_rule -p udp --dport ${port} -j f_m1
    fi
fi
EXAMPLE
On servers:
. If the packet seems sane,
. the OpenSSL private key is used to decrypt the random key,
. the random key is used to decrypt the signature,
. the "ssh-keygen -Y" mechanism is used to find a principal for the signature in the "allowed signers" file.
. (If a $MAGIC string is required, the signature is also verified.)
. At any stage a failure causes the act_block() action,
. upon overall success the act_allow() action is applied.
# cd /tmp/
# $CC -o zt s-port-knock-bin.c
# head -n1 ~/.ssh/authorized_keys > .Zpub1
# { printf 'uid1 '; cat .Zpub1; } > .Zsigs
# echo MAGIC= > .Z.rc
# ./s-port-knock.sh create-server-key .Zk
# PORT_KNOCK_BIN=./zt \
    PORT_KNOCK_SHELL=/bin/bash PORT_KNOCK_RC=./.Z.rc \
    ./s-port-knock.sh start-server -v 10000 s-port-knock.sh \
    .Zk-pri.pem .Zsigs
On clients:
. Creates a signature for an SSH public key via "ssh-keygen -Y",
. (if a $MAGIC string is required, includes that in the signature),
. encrypts that with a random key,
. and encrypts the random key for a dedicated target server via its OpenSSL public key,
. sends the resulting packet to that server,
. invokes the $PORT_KNOCK_RC act_sent() hook; if that does not return 0, the packet is sent again, etc.
# cd /tmp/
# PORT_KNOCK_BIN=./zt \
    PORT_KNOCK_RC=./.Z.rc \
    ./s-port-knock.sh knock localhost 10000 .Zk-pub.pem .Zpub1
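The wrap/unwrap envelope that the server and client steps above describe, as an added example that is not part of s-port-knock and not the author's code. It is driven with openssl(1) alone: a constructed payload line stands in for the "ssh-keygen -Y" signature that the real script produces and later checks against the allowed signers file, and the key size (RSA-2048), the OAEP padding, AES-256-CBC with PBKDF2, and every file name are assumptions of this example. It also shows the failure branch the man page mentions: a packet whose wrapped key is damaged is rejected (the act_block() case) rather than accepted.

```shell
#!/bin/sh
# Added example, not part of s-port-knock: the hybrid envelope the server
# and client steps describe, using openssl(1) only.  The payload stands in
# for the "ssh-keygen -Y" signature the real script carries.  Assumptions:
# RSA-2048 with OAEP padding, AES-256-CBC with PBKDF2, all file names.
set -eu

# Private scratch directory, removed on exit.
knock_tmp=$(mktemp -d)
trap 'rm -rf "$knock_tmp"' EXIT

# create_server_key DIR: the server's OpenSSL key pair (the counterpart of
# "s-port-knock.sh create-server-key" in the tool; names are ours).
create_server_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/server-pri.pem" 2>/dev/null
    openssl pkey -in "$1/server-pri.pem" -pubout -out "$1/server-pub.pem"
}

# client_wrap DIR PAYLOAD: client side.  A fresh random key (hex, so that it
# is a usable one-line passphrase) encrypts the payload; the random key is
# then encrypted for the server with its public key.  Result: DIR/packet.enc
# (encrypted payload) and DIR/packet.key (wrapped random key).
client_wrap() {
    cw_dir=$1
    openssl rand -hex 32 > "$cw_dir/rnd.key"
    openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$cw_dir/rnd.key" \
        -in "$2" -out "$cw_dir/packet.enc"
    openssl pkeyutl -encrypt -pubin -inkey "$cw_dir/server-pub.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$cw_dir/rnd.key" -out "$cw_dir/packet.key"
    rm -f "$cw_dir/rnd.key"    # the client keeps no copy of the random key
}

# server_unwrap DIR OUT: server side, in the order the man page gives: the
# private key recovers the random key, the random key recovers the payload.
# Any failure returns non-zero (the tool's act_block() case).
server_unwrap() {
    su_dir=$1
    openssl pkeyutl -decrypt -inkey "$su_dir/server-pri.pem" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$su_dir/packet.key" -out "$su_dir/rnd.dec" 2>/dev/null || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$su_dir/rnd.dec" \
        -in "$su_dir/packet.enc" -out "$2" 2>/dev/null || return 1
    rm -f "$su_dir/rnd.dec"
}

# round_trip: a constructed payload survives wrap/unwrap unchanged, and a
# packet whose wrapped key was damaged in transit is rejected, not accepted.
round_trip() {
    create_server_key "$knock_tmp"
    printf 'SSHSIG-placeholder uid1 MAGIC\n' > "$knock_tmp/payload"   # constructed
    client_wrap "$knock_tmp" "$knock_tmp/payload"
    server_unwrap "$knock_tmp" "$knock_tmp/recovered" || return 1
    cmp -s "$knock_tmp/payload" "$knock_tmp/recovered" || return 1
    # Damage the wrapped key: zero its first 8 bytes.  OAEP decoding fails,
    # so the random key never comes back and the payload stays sealed.
    dd if=/dev/zero of="$knock_tmp/packet.key" bs=1 count=8 conv=notrunc 2>/dev/null
    if server_unwrap "$knock_tmp" "$knock_tmp/tampered"; then
        return 1
    fi
    return 0
}

round_trip && echo "round trip ok, tampered packet rejected"
```

Run it as a plain sh(1) script; it needs only openssl(1) on the path. In the real tool the client-side `ssh-keygen -Y sign` output takes the place of the payload line, and after server_unwrap the server still has to run the "allowed signers" lookup before act_allow() can fire.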
SEE ALSO
openssl(1), ssh-keygen(1).
AUTHORS
Steffen Nurpmeso <steffen@sdaoden.eu>.
Copyright (c) 1997 - 2024, Steffen Nurpmeso <steffen@sdaoden.eu>
@(#)site/code-port-knock.html-w42 1.1 2024-07-19T00:26:42+0000