Has anyone cross-compiled a port knocking package?
Ex. Knockd ( http://packages.debian.org/knockd -> http://www.zeroflux.org/proj/knock/file … 0.5.tar.gz )
I'd like it to open my SSH only after the correct sequence has been telnet'ed or similar.
/überparanoid
eh.. Thanks for your input.
Never mind the original post, I set up and compiled it myself.
I'll stick it here if anybody else needs it.
The .conf file is just an example.
Start the daemon with:
./knockd -d -c knockd.conf -i egiga0
Using this conf, you can from any client telnet to ports 7000, then 8000, then 9000 to start dropbear.
9000, 8000, 7000 to stop.
You'll see from the conf file how it works.
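Since the conf file itself is not reproduced in the post, here is an added example (not Wintermute's code or part of knockd) that models the sequence matching knockd performs for the setup described above: 7000, 8000, 9000 opens, 9000, 8000, 7000 closes, a wrong port resets the sequence, and a sequence that is not completed within a timeout is discarded. The timeout value and the SYN log are constructed for illustration.

```python
# Knock sequences as described in the post; timeout is an assumed value
# matching knockd's seq_timeout idea (seconds to complete a sequence).
OPEN_SEQ = (7000, 8000, 9000)
CLOSE_SEQ = (9000, 8000, 7000)
SEQ_TIMEOUT = 5.0


class KnockTracker:
    """Tracks each source's progress through one knock sequence."""

    def __init__(self, sequence, timeout):
        self.sequence = sequence
        self.timeout = timeout
        self.progress = {}  # src_ip -> (next_index, time_of_first_knock)

    def feed(self, ts, src, dport):
        """Return True when src completes the sequence with this packet."""
        idx, started = self.progress.get(src, (0, ts))
        if idx and ts - started > self.timeout:
            idx, started = 0, ts  # took too long: start over
        if dport == self.sequence[idx]:
            idx += 1
            if idx == len(self.sequence):
                self.progress.pop(src, None)
                return True
            self.progress[src] = (idx, started)
        else:
            # Wrong port resets; it may still count as a fresh first knock.
            self.progress.pop(src, None)
            if dport == self.sequence[0]:
                self.progress[src] = (1, ts)
        return False


def replay(events):
    """Replay (timestamp, src_ip, dst_port) SYNs; return (action, src, ts) list."""
    opener = KnockTracker(OPEN_SEQ, SEQ_TIMEOUT)
    closer = KnockTracker(CLOSE_SEQ, SEQ_TIMEOUT)
    actions = []
    for ts, src, dport in events:
        if opener.feed(ts, src, dport):
            actions.append(("open", src, ts))
        if closer.feed(ts, src, dport):
            actions.append(("close", src, ts))
    return actions


# Constructed SYN log: a good open knock (.5), a scanner hitting the right
# ports out of order (.9), a knock that times out (.7), then a close knock (.5).
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 7000), (0.4, "10.0.0.5", 8000), (0.9, "10.0.0.5", 9000),
    (1.0, "10.0.0.9", 9000), (1.1, "10.0.0.9", 7000), (1.2, "10.0.0.9", 8000),
    (2.0, "10.0.0.7", 7000), (9.0, "10.0.0.7", 8000), (9.5, "10.0.0.7", 9000),
    (20.0, "10.0.0.5", 9000), (20.5, "10.0.0.5", 8000), (21.0, "10.0.0.5", 7000),
]
```

Running `replay(SAMPLE_EVENTS)` yields one open for 10.0.0.5 at t=0.9 and one close at t=21.0; the scanner and the slow knock trigger nothing.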
I've been thinking about this post since this morning as I've never heard of knockd before and have been trying to think if it's a good idea or not... In the end I've decided that surely having ports open on your firewall/forwarded through NAT to the DNS-323 for this to work is a bad thing? You can tell if a NAT firewall is forwarding ports, even if it's only by the few ms extra that it takes to reject the connection, so narrowing down which ports are open won't be a problem, and then hitting them in the right order won't take long unless you have loads of ports open/forwarded, which is definitely not a good thing.

I can see that this may be a good thing if you have a red side/DMZ box (i.e. something open to the world anyway and not requiring ports forwarded to it; remember FTP is enabled by default on the DNS-323, which sends passwords in plain text, so red-side = bad!) that will receive the "knocks" on the ports anyway... but surely it's better to keep as many ports closed as possible rather than having 11 ports open, 10 for the knock sequence and 1 for SSH (as an example).
I agree with what you say given you are a victim of a direct attack, i.e. the hackers want exactly your data and know that there is a port-knock-protected computer behind your IP.
Given a random scan of ports I'd say a "Dropbear" reply will receive more attention than a "connection refused".
Agree?
My setup: 2 separate intervals with 10 ports each, forwarded by my router. A correct knock of 5 will open SSH on one of the 20 ports.
Not safe?
- If not, what do you see as the main security concern? Some kind of TCP stack overflow / abuse on the open ports?
Last edited by Wintermute (2008-03-14 09:25:19)
Hi Wintermute,
There is an untested version from the optware feed, but I can see that you have compiled your own.
http://ipkg.nslu2-linux.org/feeds/optwa … /unstable/