Gentoo Forums - Networking & Security
port knocking needs many knocks to open
njcwotx
Guru

Joined: 25 Feb 2005
Posts: 565
Location: Texas

Posted: Mon Oct 04, 2010 4:30 pm    Post subject: port knocking needs many knocks to open

I implemented port knocking on an external interface on a gentoo box recently and I have it working. But I noticed that I often have to resend the knock sequence 3-5 times before the port opens.

When this first started, I used tcpdump to confirm the packets are reaching the host. I always see every knock packet appear in the dump.

What I have determined by looking at the knockd.log is this:

----------first attempt:
# knock myip port:proto port:proto port:proto port:proto

# cat knockd.log
openSSH: Stage 1

----------second attempt:

# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto

# cat knockd.log
openSSH: Stage 1
openSSH: Stage 1


-----------third attempt:

# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto

# cat knockd.log
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 3



-----------fourth attempt:

# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto
# knock myip port:proto port:proto port:proto port:proto

# cat knockd.log
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 3
openSSH: Stage 4
openSSH: OPEN SESAME
openSSH: running command: iptables ssh open to that ip
(I am able to log in)
openSSH: command timeout
openSSH: running command iptables ssh close to that ip

From what I can see, the daemon is only registering the first stage or two and stops seeing the packets, but the log does not enter the sequence timeout log entry either. The remote client is generating no other traffic to the host, nor is there any other ssh session running. At the moment, I can get in if I run the knock command like 5 times before attempting to login. Typically this leaves 1 or 2 firewall entries in iptables for the duration of the window I have set.

All in all, it's not a problem as the usage of this will be only for my use, but I really don't want to have to spam several knocks before a login. I'm also just curious as to being able to tune this out. I considered increasing the seq_timeout value, but I am confident that the number of seconds is plenty based on the fact I have seen the packets in tcpdump come in quickly and in the correct order.
_________________
Drinking from the fountain of knowledge.
Sometimes sipping.
Sometimes gulping.
Always thirsting.
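The post above diagnoses the problem by reading knockd.log by eye. The following script is an added example, not code from the thread: it reads a knockd.log on stdin and reports how many sequences were started, how many reached OPEN SESAME, and at which stage the rest stalled. It assumes a single knocking client, as in the excerpt; real knockd lines carry a timestamp and source address before the "openSSH:" prefix, which the patterns below ignore. The embedded sample log is the "fourth attempt" output from the post, reconstructed here.

```shell
#!/bin/sh
# Added example (not from the thread): summarise a knockd.log to see how many
# knock sequences start, how many complete, and where the others stop.
# Assumption: one client only; the source address in real log lines is ignored.
knock_log_summary() {
    awk '
      # "Stage 1" starts a new sequence; if one was already in progress, it stalled.
      /: Stage 1$/      { if (cur) stall[max]++; cur = 1; max = 1; if (top < 1) top = 1; next }
      # Later stages raise the high-water mark of the current sequence.
      /: Stage [0-9]+$/ { s = $NF + 0; if (s > max) max = s; if (s > top) top = s; next }
      # OPEN SESAME means the current sequence completed.
      /OPEN SESAME/     { opened++; cur = 0; next }
      END {
        if (cur) stall[max]++
        started = opened
        for (s = 1; s <= top; s++) started += stall[s]
        printf "started=%d opened=%d", started, opened
        for (s = 1; s <= top; s++) if (stall[s]) printf " stalled@%d=%d", s, stall[s]
        printf "\n"
      }'
}

# Constructed sample: the "fourth attempt" knockd.log from the post above.
sample_log() {
    cat <<'EOF'
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 1
openSSH: Stage 1
openSSH: Stage 2
openSSH: Stage 3
openSSH: Stage 4
openSSH: OPEN SESAME
openSSH: running command: iptables ssh open to that ip
openSSH: command timeout
openSSH: running command iptables ssh close to that ip
EOF
}

# Real use: knock_log_summary < /var/log/knockd.log
sample_log | knock_log_summary
```

On the sample this prints `started=5 opened=1 stalled@1=3 stalled@2=1`, which is the "knocks per successful open" figure the post is complaining about, and the stage at which sequences die is the first thing to compare against the seq_timeout and the order of ports in knockd.conf.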
mv
Watchman

Joined: 20 Apr 2005
Posts: 6380

Posted: Tue Oct 05, 2010 6:33 pm

I also had such a problem with knock. My solution was to use iptables' recent module instead. See e.g. this firewall script.
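The firewall script the reply links to is not reproduced on this page. As an added example, not the poster's script, here is a three-port TCP knock sequence built entirely from the iptables recent module, so that no userspace daemon has to see the packets. The chain names, list names, timeouts and the `IPT` variable are choices made here; run it with `IPT=echo` to review the rules it would add before running it as root.

```shell
#!/bin/sh
# Added example (not the poster's script): port knocking with the iptables
# "recent" module. Review with IPT=echo, apply as root with IPT unset.
# Assumptions: the INPUT policy handles all other traffic; an
# ESTABLISHED,RELATED accept is placed ahead of the knock rules so that an
# ssh session already open survives the knock window closing.
IPT=${IPT:-iptables}

# knock_rules K1 K2 K3 PROTECTED_PORT
knock_rules() {
    k1=$1; k2=$2; k3=$3; svc=$4
    for chain in KNOCKING GATE1 GATE2 GATE3 PASSED; do
        $IPT -N "$chain"
    done

    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp -j KNOCKING
    # Reached only when the knock chains did not ACCEPT the packet.
    $IPT -A INPUT -p tcp --dport "$svc" -j DROP

    # GATE1: the first knock records the source address in list AUTH1.
    $IPT -A GATE1 -p tcp --dport "$k1" -m recent --name AUTH1 --set -j DROP
    $IPT -A GATE1 -j RETURN

    # GATE2: any TCP packet clears AUTH1; the correct second knock moves the
    # address to AUTH2, anything else restarts the sequence via GATE1.
    $IPT -A GATE2 -m recent --name AUTH1 --remove
    $IPT -A GATE2 -p tcp --dport "$k2" -m recent --name AUTH2 --set -j DROP
    $IPT -A GATE2 -j GATE1

    $IPT -A GATE3 -m recent --name AUTH2 --remove
    $IPT -A GATE3 -p tcp --dport "$k3" -m recent --name AUTH3 --set -j DROP
    $IPT -A GATE3 -j GATE1

    # PASSED: one new connection to the service inside the window, after which
    # the address is dropped from AUTH3 and the port is closed again.
    $IPT -A PASSED -m recent --name AUTH3 --remove
    $IPT -A PASSED -p tcp --dport "$svc" -j ACCEPT
    $IPT -A PASSED -j GATE1

    # Dispatch: test the most advanced stage first, each with its own timeout.
    $IPT -A KNOCKING -m recent --rcheck --seconds 30 --name AUTH3 -j PASSED
    $IPT -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH2 -j GATE3
    $IPT -A KNOCKING -m recent --rcheck --seconds 10 --name AUTH1 -j GATE2
    $IPT -A KNOCKING -j GATE1
}

# Only apply when called with four ports, e.g.: IPT=echo ./knock-rules.sh 7000 8000 9000 22
if [ $# -eq 4 ]; then
    knock_rules "$@"
fi
```

Because every TCP packet from the source passes through KNOCKING, any packet that is not the next expected knock resets the sequence; that is the same "no other traffic from the client" condition the original post mentions, only enforced in the kernel rather than by a daemon watching a pcap handle.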
chiefbag
Guru

Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

Posted: Tue Oct 05, 2010 7:00 pm

I've seen this issue before. Are you using the knock client to knock or using something like netcat?
My resolution to this was to create a knock script that will knock and then check if port 22 is open. The script will loop around until it confirms that port 22 is open, then it will attempt the ssh to the box.
I can post an example if you like.
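The poster offers to share such a script but none appears in the thread, so the following is an added example of the approach described, not chiefbag's own script: it sends the knock sequence, polls the protected port, and only reports success once a TCP connect actually succeeds, repeating the sequence up to a limit. It assumes the knockd `knock` client is installed, that bash is present for its `/dev/tcp` redirection, and that coreutils `timeout` is available to bound the probe; host and port values in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's script): knock, verify the port really
# opened, retry if not. Assumes the knockd "knock" client, bash for /dev/tcp,
# and coreutils "timeout" to bound each probe.

# port_open HOST PORT: returns 0 if a TCP connect succeeds within 3 s.
port_open() {
    if command -v timeout >/dev/null 2>&1; then
        timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    else
        # Without timeout, a DROPped port stalls until the kernel gives up.
        bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
    fi
}

# knock_until_open HOST PORT MAX_TRIES KNOCK...: repeat the knock sequence
# until PORT accepts a connection. Returns 0 on success, 1 after MAX_TRIES
# failed rounds, 2 if no knock client is installed.
knock_until_open() {
    host=$1; port=$2; tries=$3; shift 3
    command -v knock >/dev/null 2>&1 || { echo "knock client not found" >&2; return 2; }
    n=0
    while [ "$n" -lt "$tries" ]; do
        n=$((n + 1))
        knock "$host" "$@"
        # Give knockd time to run its open command, then probe a few times.
        for pause in 1 1 2; do
            sleep "$pause"
            if port_open "$host" "$port"; then
                echo "port $port open after $n knock sequence(s)" >&2
                return 0
            fi
        done
    done
    echo "port $port still closed after $n knock sequence(s)" >&2
    return 1
}

# Usage with placeholder host and ports:
#   knock_until_open myhost 22 5 7000:tcp 8000:tcp 9000:tcp && ssh myhost
```

The retry counter it prints is also a cheap measurement of the problem from the first post: if it routinely reports more than one sequence per open, the knockd side still needs tuning rather than the client.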