
knock daemon

Discussion in 'Tomato Firmware' started by jan.n, Jul 15, 2009.

  1. jan.n

    jan.n Addicted to LI Member

    Has anyone ever thought about a knock daemon? Or is one implemented in one of the mods?
     
  2. rhester72

    rhester72 Network Guru Member

  3. jan.n

    jan.n Addicted to LI Member

    Cool, thank you very much. Do you also have an example config file handy?
    I'm especially interested in the iptables command I'd have to use...
     
  4. mrap

    mrap Addicted to LI Member

  5. jan.n

    jan.n Addicted to LI Member

    Ahem, yeah, thx a lot. No problem installing or starting it, I'm just unsure about the iptables command I have to use.

    BTW: Is libpcap already installed in vanilla tomato 1.25?
     
  6. rhester72

    rhester72 Network Guru Member

    libpcap is statically compiled into my knockd build, since it is not included with Tomato.

    Rodney
     
  7. jan.n

    jan.n Addicted to LI Member

    Rodney, you rock! Now all I have to do is experiment with a knockd.conf :)
     
  8. i1135t

    i1135t Network Guru Member

    I had problems extracting from the gz file, but it appears to be a tar, not gz. I removed the .gz and untarred it, but when I ran it in tomato, I get this error:
    Code:
    unexpected word (expecting ")")
    What am I doing wrong?
     
  9. jan.n

    jan.n Addicted to LI Member

    Code:
    tar xfz knock-0.5-tomato.tar.gz
    Worked well and gave me 2 files, knockd and knock. If you like you can of course first gunzip the file and secondly tar xf it...
     
  10. i1135t

    i1135t Network Guru Member

    Thanks... I'm still learning linux... :)
     
  11. i1135t

    i1135t Network Guru Member

    Ok, I cannot get the knock daemon to work. Here is what I have... I've set it up to copy all knock* from my /mnt to /etc in my init script and execute these commands:
    Code:
    ## KnockD
    cp /mnt/FLASHDRIVE/knock* /etc/
    cd /etc/
    ./knockd -d -i vlan1 -c /etc/knockd.conf
    My knockd.conf is:
    Code:
    [options]
            logfile = /var/log/knockd.log
    
    [opencloseSSH]
            sequence      = 22
            seq_timeout   = 15
            tcpflags      = syn,ack
            start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
            cmd_timeout   = 10
            stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
    It loads fine in memory as I see it loaded, but when I check the iptables for the "INPUT" chain BEFORE and AFTER the knock they are the same. I even tested it through the "Shields UP" website, but it never opens. The knock command that I am issuing is:
    Code:
    knock -v myip 22
    Please help.
     
  12. thor2002ro

    thor2002ro Addicted to LI Member

    man ... you must be really paranoid for using this...
     
  13. i1135t

    i1135t Network Guru Member

    No, but I don't want my SSH/telnet port open 24/7 to the world. This helps me open and close that port at will. It also makes it a lot easier and more secure when I need to troubleshoot my router remotely. It would be a nice add-on to your build, hint hint. :)
     
  14. thor2002ro

    thor2002ro Addicted to LI Member

    this could be easily exploited .....i could modify nmap upon scanning to knock every scanned port... so sorry to say it's pointless
     
  15. i1135t

    i1135t Network Guru Member

    No offense, but I don't think you understand how this works. Nmap cannot do what you are asking, as it must know the correct knock sequence to open the port. The only way for someone to hack it is to perform a m-i-t-m attack during the knock sequence. This daemon will minimize the chances of someone trying to hack into the router by only opening the port when needed vs having it open all the time. Again, the purpose of this utility is for remote troubleshooting like, rebooting my router, if all other resources were unavailable, such as VPN.
     
  16. thor2002ro

    thor2002ro Addicted to LI Member

    lol ever heard of dropbear login retry counts? i doubt someone can hack even a 3-4 character password with only 2-3 login retries then 30-60min ban

    very efficient alternative :p
     
  17. jan.n

    jan.n Addicted to LI Member

    While you're right with dropbear login retry counts you miss the point of knockd. Again, no offense, but please note that knockd can do so much more than just open an SSH port and close it afterwards. It can open / close services much less secure to just the IP knocking... Hell it can even use one-time knocking sequences!

    IMHO it's a great concept :)
     
  18. i1135t

    i1135t Network Guru Member

    While that is an efficient alternative, being a security-conscious guy, having multiple layers of security will give me the upper hand of less likely being hacked. So in the end, I will be the one smiling knowing that my router is more secure than others. Call me paranoid, but I will still continue smiling. :)

    Anyways, getting off topic, has anyone who got the knock daemon working help me? Thanks for any suggestions.
     
  19. thor2002ro

    thor2002ro Addicted to LI Member

    Sorry to say this BUT:

    "I declare you officially paranoid" :biggrin:

    sry for the offtopic
     
  20. jan.n

    jan.n Addicted to LI Member

    The question is not if you're paranoid, the question is: Are you paranoid enough? :wink1:

    OK, back on track:
    Start your knockd with --verbose and --debug and look at the log what happens.
    Furthermore, you really want a knock sequence that is more than one port long.
    You could knock 22897 58435 36523:udp and THEN open up port 22...

    This might be interesting to read:
    http://www.dd-wrt.com/wiki/index.php/Knockd
     
  21. i1135t

    i1135t Network Guru Member

    OK, this is what I have:
    Code:
    root@tomato:/tmp/etc# ./knockd --verbose --debug -d -i vlan1 -c /etc/knockd.conf
    config: new section: 'options'
    config: log file: /var/log/knockd.log
    config: new section: 'opencloseSSH'
    config: opencloseSSH: sequence: x:tcp
    config: opencloseSSH: seq_timeout: 15
    config: tcp flag: SYN
    config: tcp flag: ACK
    config: opencloseSSH: start_command: /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
    config: opencloseSSH: cmd_timeout: 10
    config: opencloseSSH: stop_command: /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
    ethernet interface detected
    Local IP: 68.x.x.x
    root@tomato:/tmp/etc# cat /var/log/knockd.log
    [2009-07-18 12:09] starting up, listening on vlan1
    I'm just testing right now, so that's why I am keeping the knock sequence simple. I will change it later once I can get it working, but right now, no luck. I am stumped... In the DDWRT wiki, it says I have to declare the library path, but I don't know how I am supposed to do that in tomato, since the files were compiled with the libraries included and not installed through ipkg, right? If I do need to do something with the following, how do I do it? Do I add these to my init script?
    Code:
    LD_LIBRARY_PATH=/lib:/usr/lib
    export LD_LIBRARY_PATH
    
    Or do I just need to declare this variable in my init script?
    Code:
    export LD_LIBRARY_PATH=/lib:/usr/lib
     
  22. rhester72

    rhester72 Network Guru Member

    You should not need to set a library path, as the libraries are indeed statically compiled.

    Rodney
     
  23. i1135t

    i1135t Network Guru Member

    Ok, I still cannot get it to work. Can someone please provide proper steps to get it to work so that I know what I am doing wrong. I have tried everything I know. Thanks.
     
  24. jan.n

    jan.n Addicted to LI Member

    I'm visiting my cousin today and will provide details on how to setup knockd when I'm back this evening.
    Edit: Typo
     
  25. jan.n

    jan.n Addicted to LI Member

    Tomato knockd HOWTO
    1) Get and extract the files from http://multics.dynalias.com/tomato/knock-0.5-tomato.tar.gz
    2) Copy them to a persistent storage (I use a cifs mount)
    3) Write a knockd.conf (example below)
    4) Start knockd like this: knockd --verbose --debug -c /path/to/knockd.conf -i vlan1 (Do not make it a daemon. You can do that later - if everything works.)
    5) Try to knock from OUTSIDE your lan and look at knockd's output
    Code:
    knock your.host 10293,56473,25142
    6) Doesn't work? Check the output. Perhaps it can give you a clue.
    A line containing the words "OPEN SESAME" indicates a successful knock. It is followed by a line showing which command was run.

    Hint: Check the infrastructure from where you knock. Firewalls that filter outgoing traffic are possible pitfalls:
    I wanted to knock from my office PC using knocks containing a udp sequence. That didn't work because outbound udp is filtered.

    Code:
    [options]
            logfile = /var/log/knockd.log
    
    [openSSH]
            sequence    = 10293,56473,25142
            seq_timeout = 10
            tcpflags    = syn
            command     = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
    
    [closeSSH]
            sequence    = 34909,14214,6123
            seq_timeout = 10
            tcpflags    = syn
            command     = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
    Edit: Fixed closeSSH command
     
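    An added example, not code from this thread or from the knockd project: a small Python model of the per-client sequence tracking that the HOWTO above relies on (ordered ports, seq_timeout, %IP% substitution in the command), plus a simulated sequential port scan that shows why the single-port "sequence = 22" from post 11 behaves like a permanently open port while the three-port sequence does not. The tracker ignores tcpflags, and the client IPs and scan timing are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class KnockRule:
    name: str
    sequence: list       # ports that must be hit in this exact order
    seq_timeout: float   # seconds allowed from the first knock to the last
    command: str         # knockd-style template; %IP% is the knocking client

@dataclass
class KnockTracker:
    """Model of knockd's per-client state for one rule (tcpflags ignored)."""
    rule: KnockRule
    progress: dict = field(default_factory=dict)  # ip -> (next index, first knock time)

    def observe(self, src_ip, dst_port, now):
        """Feed one SYN. Returns the substituted command when the sequence
        completes (knockd's 'OPEN SESAME' moment), otherwise None."""
        idx, started = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - started > self.rule.seq_timeout:
            idx, started = 0, now            # seq_timeout expired: start over
        if dst_port != self.rule.sequence[idx]:
            idx, started = 0, now            # wrong port resets the attempt
            if dst_port != self.rule.sequence[0]:
                self.progress.pop(src_ip, None)
                return None
        idx += 1
        if idx == len(self.rule.sequence):
            self.progress.pop(src_ip, None)
            return self.rule.command.replace("%IP%", src_ip)
        self.progress[src_ip] = (idx, started)
        return None

def ascending_scan_fires(rule, src_ip="203.0.113.9", per_port=0.001):
    """Does a sequential scan (one SYN per port, 1..65535, constructed timing)
    complete the rule by accident? True means the rule is no gate at all."""
    tracker = KnockTracker(rule)
    for i, port in enumerate(range(1, 65536)):
        if tracker.observe(src_ip, port, i * per_port) is not None:
            return True
    return False

# Constructed rules: the three-port openSSH rule from the HOWTO above and the
# single-port sequence from the earlier troubleshooting post.
OPEN_SSH = KnockRule("openSSH", [10293, 56473, 25142], 10,
                     "/usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT")
SINGLE_PORT = KnockRule("opencloseSSH", [22], 15, OPEN_SSH.command)

if __name__ == "__main__":
    t = KnockTracker(OPEN_SSH)
    for port, when in ((10293, 0.0), (56473, 1.5), (25142, 3.0)):
        print(port, "->", t.observe("198.51.100.7", port, when))
    print("scan opens single-port rule:", ascending_scan_fires(SINGLE_PORT))
    print("scan opens three-port rule:", ascending_scan_fires(OPEN_SSH))
```

    Because 10293, 56473, 25142 is not an ascending order, a port-by-port scan resets the attempt at the second hit and never reaches the command; the one-port rule fires as soon as the scan reaches port 22.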
  26. i1135t

    i1135t Network Guru Member

    Thanks jan.n, I got it working.. it was the config file.. it had to have the exact format as you laid out in your example... I checked all my settings and it was correct, except the spacing of lines... kinda weird.. but thanks.. it now works.. :)
     
  27. rhester72

    rhester72 Network Guru Member

    Shouldn't CloseSSH be a REJECT instead of an ACCEPT?

    Rodney
     
  28. i1135t

    i1135t Network Guru Member

    No, it's right as ACCEPT, but it should be -D not -A.
     
  29. jan.n

    jan.n Addicted to LI Member

    Corrected in my above post...
     
  30. gawd0wns

    gawd0wns LI Guru Member

    Thanks for this HowTO. My isp doesn't allow the running of servers of any kind, not even personal use SSH or VPN servers, and they actively portscan common ports to try and detect them. This tool will prove useful :)
     
  31. baldrickturnip

    baldrickturnip LI Guru Member

    couldn't you just discard requests from their IP range ?
     
  32. Toastman

    Toastman Super Moderator Staff Member Member

    What a crummy ISP !
     
  33. gawd0wns

    gawd0wns LI Guru Member

    Since there are only two ISPs which monopolize internet service in my city, I frequently find myself within their range, so I can't do it that way. This is a great, simple solution.
     
  34. DervMan

    DervMan LI Guru Member

    The link to the tomato knock download is busted, anyone know where it's gone?
     
  35. rhester72

    rhester72 Network Guru Member

    See signature.

    Rodney
     
  36. DervMan

    DervMan LI Guru Member

    I've downloaded the knockd and knockd.conf. Copied it to a cifs share but when I run it I get the following error.


    Reading earlier posts, libpcap is included.....
     
  37. rhester72

    rhester72 Network Guru Member

    It's available under PRECOMPILED/lib (to be copied to /opt/usr/lib), or if you'd like to save yourself the trouble, just get the knockd binary from PRECOMPILED-static. (All of this is mentioned in the README ;)

    Rodney
     
  38. Gruelius

    Gruelius Connected Client Member

  39. Bird333

    Bird333 Network Guru Member
