Monday, March 31, 2008

knockd on Fedora Core 8

The drive in my dedicated server just crashed a few days ago. Fortunately all the data was backed up and on a different drive. The crash has given me the opportunity to reinstall and configure most of the system. Three things which were not covered by "yum install" were TrueCrypt, knockd, and psad.

I compiled the truecrypt src rpm and the knockd src rpm.

I created a new user account named rpmbuilder and followed the instructions available here.

After installing the built knockd rpm I opened /etc/knockd.conf which contains:

[options]
UseSyslog

[opencloseSSH]
sequence = 2222:udp,3333:tcp,4444:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
cmd_timeout = 10
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT

The above configuration will not work with the default Fedora firewall enabled, because -A appends the new rule after Fedora's final rule that drops all packets, so the ACCEPT is never reached. If -I is passed instead of -A, the rule is inserted at the top of the chain, which is exactly where we want our ssh rule. The Interface option also needs to be set unless you're using eth0; run /sbin/ifconfig to see which interfaces are configured. So my modified /etc/knockd.conf looks like:

[options]
UseSyslog
Interface = eth1

[openSSH]
sequence = 12345,54321,31337
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
sequence = 31337,54321,12345
seq_timeout = 10
tcpflags = syn
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
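
As an added example (not from the original post or from knockd itself), the following Python parses a knockd.conf fragment, flags the -A pitfall described above, and replays a constructed knock log against the parsed sequence using an assumed simplified model of knockd's matching (ordered knocks per source, reset on a wrong port, whole sequence within seq_timeout of the first knock). The config text, IP addresses and timings are constructed.

```python
import configparser
# Constructed knockd.conf in the post's layout, still carrying the stock file's -A
SAMPLE_CONF = """[options]
UseSyslog
[openSSH]
sequence = 12345,54321,31337
seq_timeout = 10
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""

def parse_conf(text):
    # INI-like: UseSyslog is a bare flag and %IP% must stay literal
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(text)
    return cp

def parse_sequence(spec):
    # "2222:udp,3333" -> [(2222, "udp"), (3333, "tcp")]; tcp is knockd's default
    return [(int(p), pr or "tcp") for p, _, pr in (i.strip().partition(":") for i in spec.split(","))]

def lint(cp):
    # -A appends after Fedora's final DROP so the ACCEPT never matches; -I is needed
    return [f"{sec}: {key} uses -A, use -I" for sec in cp.sections()
            for key in ("command", "start_command")
            if "-A" in cp.get(sec, key, fallback="").split()]

def replay(knocks, seq_timeout, events):
    # Assumed model of knockd's matching: per source, ports arrive in order, a wrong
    # port discards the attempt, and all must land within seq_timeout s of the first.
    attempts, opened = {}, []
    for t, ip, port, proto in events:
        start, idx = attempts.get(ip, (t, 0))
        if idx and t - start > seq_timeout:   # too slow: start over from this knock
            start, idx = t, 0
        if (port, proto) != knocks[idx]:
            attempts.pop(ip, None)
        elif idx + 1 == len(knocks):
            opened.append((t, ip)); attempts.pop(ip, None)
        else:
            attempts[ip] = (start, idx + 1)
    return opened

A, B = "198.51.100.7", "203.0.113.9"   # constructed knock log: (seconds, source, port, proto)
EVENTS = [(0.0, A, 12345, "tcp"), (1.0, A, 54321, "tcp"), (2.0, A, 31337, "tcp"),  # 2 s: opens
          (3.0, B, 12345, "tcp"), (15.0, B, 54321, "tcp"), (16.0, B, 31337, "tcp")]  # 12 s: too slow

def demo():
    cp = parse_conf(SAMPLE_CONF)
    knocks = parse_sequence(cp["openSSH"]["sequence"])
    return lint(cp), replay(knocks, cp.getint("openSSH", "seq_timeout"), EVENTS)
```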

Save the /etc/knockd.conf file and restart knockd with "/etc/init.d/knockd restart".

Finally, remove ssh from the standard Fedora firewall using "sudo system-config-firewall". Don't worry: your existing ssh session will stay connected in case the setup doesn't work.

Now you just need a suitable client to test it with. Clients for many different platforms are available here.