shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Port Knocking and Other Uses of 'Recent Match'</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id257527"></a>Port Knocking and Other Uses of 'Recent Match'</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2005, 2006 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id292637"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#What">What is Port Knocking?</a></span></dt><dt><span class="section"><a href="#How">Implementing Port Knocking in Shorewall</a></span></dt><dt><span class="section"><a href="#Limit">Limiting Per-IP Connection Rate</a></span></dt><dd><dl><dt><span class="section"><a href="#LimitImp">How Limit is Implemented</a></span></dt></dl></dd></dl></div><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>The feature described in this article requires '<a class="ulink" href="http://snowman.net/projects/ipt_recent/" target="_self">Recent Match</a>' in
    your iptables and kernel. See the output of <span class="command"><strong>shorewall show
    capabilities</strong></span> to see if you have that match.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="What"></a>What is Port Knocking?</h2></div></div></div><p>Port knocking is a technique whereby attempting to connect to port A
    enables access to port B from that same host. For the example on which
    this article is based, see <a class="ulink" href="http://www.soloport.com/iptables.html" target="_self">http://www.soloport.com/iptables.html</a>
    which should be considered to be part of this documentation.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="How"></a>Implementing Port Knocking in Shorewall</h2></div></div></div><p>In order to implement this solution, your iptables and kernel must
    support the 'recent match' extension (see <a class="ulink" href="FAQ.htm#faq42" target="_self">FAQ
    42</a>).</p><p>In this example:</p><div class="orderedlist"><ol type="1"><li><p>Attempting to connect to port 1600 enables SSH access. Access is
        enabled for 60 seconds.</p></li><li><p>Attempting to connect to port 1601 disables SSH access (note
        that in the article linked above, attempting to connect to port 1599
        also disables access. This is a port scan defence as explained in the
        article).</p></li></ol></div><p>To implement that approach:</p><div class="orderedlist"><ol type="1"><li><p>Add an action named SSHKnock (see the <a class="ulink" href="Actions.html" target="_self">Action documentation</a>). Leave the
        <code class="filename">action.SSHKnock</code> file empty.</p></li><li><p>Create /etc/shorewall/SSHKnock with the following
        contents.</p><p>If using Shorewall-shell:</p><pre class="programlisting">if [ -n "$LEVEL" ]; then
    log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 22   -m recent --rcheck --name SSH
    log_rule_limit $LEVEL $CHAIN SSHKnock DROP   "" "$TAG" -A -p tcp --dport ! 22
fi
run_iptables -A $CHAIN -p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT
run_iptables -A $CHAIN -p tcp --dport 1599 -m recent                       --name SSH --remove -j DROP
run_iptables -A $CHAIN -p tcp --dport 1600 -m recent                       --name SSH --set    -j DROP
run_iptables -A $CHAIN -p tcp --dport 1601 -m recent                       --name SSH --remove -j DROP</pre><p>If using Shorewall-perl:</p><pre class="programlisting">use Shorewall::Chains;

if ( $level ) {
    log_rule_limit( $level, 
                    $chainref, 
                    'SSHKnock',
                    'ACCEPT',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport 22   -m recent --rcheck --name SSH ' );

    log_rule_limit( $level,
                    $chainref,
                    'SSHKnock',
                    'DROP',
                    '',
                    $tag,
                    'add',
                    '-p tcp --dport ! 22 ' );
}

add_rule( $chainref, '-p tcp --dport 22   -m recent --rcheck --seconds 60 --name SSH          -j ACCEPT' );
add_rule( $chainref, '-p tcp --dport 1599 -m recent                       --name SSH --remove -j DROP' );
add_rule( $chainref, '-p tcp --dport 1600 -m recent                       --name SSH --set    -j DROP' );
add_rule( $chainref, '-p tcp --dport 1601 -m recent                       --name SSH --remove -j DROP' );

1;</pre></li><li><p>Now if you want to protect SSH access to the firewall from the
        Internet, add this rule in
        <code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
SSHKnock         net               $FW            tcp         22,1599,1600,1601</pre><p>If you want to log the DROPs and ACCEPTs done by SSHKnock, you
        can just add a log level as in:</p><pre class="programlisting">#ACTION          SOURCE            DEST           PROTO       DEST PORT(S)
SSHKnock:info    net               $FW            tcp         22,1599,1600,1601</pre></li><li><p>If you wish to use SSHKnock with a forwarded connection, you
        must be using Shorewall 2.3.1 or later for fullest protection. Assume
        that you forward port 22 from external IP address 206.124.146.178 to
        internal system 192.168.1.5. In /etc/shorewall/rules:</p><pre class="programlisting">#ACTION          SOURCE            DEST            PROTO       DEST PORT(S)  SOURCE      ORIGINAL
#                                                                            PORT(S)     DEST
DNAT-            net               loc:192.168.1.5 tcp         22            -           206.124.146.178
SSHKnock         net               $FW             tcp         1599,1600,1601
SSHKnock         net               loc:192.168.1.5 tcp         22            -           206.124.146.178</pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>You can use SSHKnock with DNAT on earlier releases provided
          that you omit the ORIGINAL DEST entry on the second SSHKnock rule.
          This rule will be quite secure provided that you specify 'norfc1918'
          on your external interface.</p></div></li></ol></div><p>For another way to implement Port Knocking, see the <a class="ulink" href="ManualChains.html" target="_self">Manual Chain</a> documentation.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Limit"></a>Limiting Per-IP Connection Rate</h2></div></div></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Debian users. This feature is broken in the Debian version 3.0.7
      of Shorewall (and possibly in other versions). The file
      <code class="filename">/usr/share/shorewall/Limit</code> was inadvertently
      dropped from the .deb. That file may be obtained from <a class="ulink" href="http://shorewall.svn.sourceforge.net/viewvc/*checkout*/shorewall/tags/3.0.7/Shorewall/Limit?revision=3888" target="_self">Shorewall
      SVN</a> and installed manually.</p></div><p>Beginning with Shorewall 3.0.4, Shorewall has a 'Limit' <a class="ulink" href="Actions.html" target="_self">action</a>. Limit is invoked with a comma-separated
    list in place of a logging tag. The list has three elements:</p><div class="orderedlist"><ol type="1"><li><p>The name of a 'recent' set; you select the set name which must
        conform to the rules for a valid chain name. Different rules that
        specify the same set name will use the same set of counters.</p></li><li><p>The number of connections permitted in a specified time
        period.</p></li><li><p>The time period, expressed in seconds.</p></li></ol></div><p>Connections that exceed the specified rate are dropped.</p><p>For example, to use a recent set name of <span class="bold"><strong>SSHA</strong></span> and to limit SSH to 3 connections per minute, use this
    entry in <code class="filename">/etc/shorewall/rules</code>:</p><pre class="programlisting">#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
Limit:none:SSHA,3,60   net               $FW            tcp         22</pre><p>If you want dropped connections to be logged at the info level, use
    this rule instead:</p><pre class="programlisting">#ACTION                SOURCE            DEST           PROTO       DEST PORT(S)
Limit:info:SSHA,3,60   net               $FW            tcp         22</pre><p>To summarize, you pass four pieces of information to the Limit
    action:</p><div class="itemizedlist"><ul type="disc"><li><p>The log level. If you don't want to log, specify "none".</p></li><li><p>The name of the recent set that you want to use ("SSHA" in this
        example).</p></li><li><p>The maximum number of connections to accept (3 in this
        example).</p></li><li><p>The number of seconds over which you are willing to accept that
        many connections (60 in this example).</p></li></ul></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h3 class="title"><a id="LimitImp"></a>How Limit is Implemented</h3></div></div></div><p>For those who are curious, the Limit action is implemented in
      Shorewall 3.0 and Shorewall 3.2 as follows:</p><div class="itemizedlist"><ul type="disc"><li><p>The file
          <code class="filename">/usr/share/shorewall/action.Limit</code> is
          empty.</p></li><li><p>The file <code class="filename">/usr/share/shorewall/Limit</code> is as
          follows:</p><pre class="programlisting">set -- $(separate_list $TAG)

[ $# -eq 3 ] || fatal_error "Rule must include &lt;set name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag"

run_iptables -A $CHAIN -m recent --name $1 --set

if [ -n "$LEVEL" ]; then
    run_iptables -N $CHAIN%
    log_rule_limit $LEVEL $CHAIN% $1 DROP "" "" -A
    run_iptables -A $CHAIN% -j DROP
    run_iptables -A $CHAIN -m recent --name $1 --update --seconds $3 --hitcount $(( $2 + 1 )) -j $CHAIN%
else
    run_iptables -A $CHAIN -m recent --update --name $1 --seconds $3 --hitcount $(( $2 + 1 )) -j DROP
fi

run_iptables -A $CHAIN -j ACCEPT</pre></li></ul></div><p>In Shorewall 3.3, Limit is made into a built-in action; basically
      that means that the above code now lives inside of Shorewall rather than
      in a separate file.</p><p>For completeness, here's the above
      <code class="filename">/usr/share/shorewall/Limit</code> for use with
      Shorewall-perl:</p><pre class="programlisting">my @tag = split /,/, $tag;

fatal_error 'Limit rules must include &lt;set name&gt;,&lt;max connections&gt;,&lt;interval&gt; as the log tag (' . join( ':', 'Limit', $level eq '' ? 'none' : $level , $tag ) . ')'
    unless @tag == 3;

my $set = $tag[0];

for ( @tag[1,2] ) {
    fatal_error 'Max connections and interval in Limit rules must be numeric (' . join( ':', 'Limit', $level eq '' ? 'none' : $level, $tag ) . ')' unless /^\d+$/
}

my $count = $tag[1] + 1;

add_rule $chainref, "-m recent --name $set --set";

if ( $level ) {
    my $xchainref = new_chain 'filter' , "$chainref-&gt;{name}%";
    log_rule_limit $level, $xchainref, $tag[0], 'DROP', '', '', 'add', '';
    add_rule $xchainref, '-j DROP';
    add_rule $chainref,  "-m recent --name $set --update --seconds $tag[2] --hitcount $count -j $xchainref-&gt;{name}";
} else {
    add_rule $chainref, "-m recent --update --name $set --seconds $tag[2] --hitcount $count -j DROP";
}

add_rule $chainref, '-j ACCEPT';

1; </pre></div></div></div></body></html>
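Both the SSHKnock chain in "Implementing Port Knocking in Shorewall" and the Limit chain in "How Limit is Implemented" depend on how the kernel's 'recent' match (xt_recent) handles --set, --rcheck, --update, --remove, --seconds and --hitcount. The Python model below is an added example, not code from the article or from Shorewall; it reproduces the two rule sets from the article as functions over a small in-memory recent list and traces them against constructed packet sequences (the addresses and times are invented). It assumes the documented xt_recent behaviour: --rcheck counts hits strictly younger than --seconds and leaves the entry untouched, --update records another hit when it matches, and each address keeps at most 20 timestamps (the module's ip_pkt_list_tot default); the "POLICY" verdict stands for a packet that matched no rule in the action chain and therefore returns to the calling chain, whose net to $FW policy is normally DROP.

```python
"""Model the iptables 'recent' match (xt_recent) and trace the SSHKnock and
Limit rule sets from this article against constructed packet sequences."""
from collections import deque

PKT_LIST_TOT = 20  # xt_recent keeps at most this many timestamps per address (module default)


class RecentList:
    """One named 'recent' list: source address -> timestamps (seconds) of its hits."""

    def __init__(self):
        self.entries = {}

    def set(self, src, now):
        # --set: add the address, or record another hit for it; always matches
        self.entries.setdefault(src, deque(maxlen=PKT_LIST_TOT)).append(now)
        return True

    def rcheck(self, src, now, seconds=0, hitcount=1, update=False):
        # --rcheck / --update: match if the address has at least `hitcount` hits,
        # counting only hits younger than `seconds` when a window is given
        # (hitcount=1 mirrors the module default of "listed at all").
        # --update additionally records the current packet when it matches;
        # --rcheck leaves the entry untouched, so it never extends a window.
        stamps = self.entries.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if not seconds or now - t < seconds)
        if hits < hitcount:
            return False
        if update:
            stamps.append(now)
        return True

    def remove(self, src):
        # --remove: match only if the address was listed, and delete it
        return self.entries.pop(src, None) is not None


def sshknock(ssh, src, dport, now):
    """The SSHKnock action chain from the article: verdict for one new connection."""
    if dport == 22 and ssh.rcheck(src, now, seconds=60):
        return "ACCEPT"
    if dport == 1599 and ssh.remove(src):
        return "DROP"
    if dport == 1600:
        ssh.set(src, now)
        return "DROP"
    if dport == 1601 and ssh.remove(src):
        return "DROP"
    # Nothing matched: the packet returns to the calling chain and ends at its
    # policy, which for net -> $FW is normally DROP.
    return "POLICY"


def limit(recent, src, now, max_conn=3, interval=60):
    """The Limit action with tag <set name>,<max_conn>,<interval>."""
    recent.set(src, now)  # this attempt is recorded before it is counted ...
    # ... so max_conn + 1 hits inside the window means this one is over the limit
    if recent.rcheck(src, now, seconds=interval, hitcount=max_conn + 1, update=True):
        return "DROP"
    return "ACCEPT"


def knock_scenario():
    """Constructed trace: a host knocks, connects, lets the window lapse, closes the door."""
    ssh = RecentList()
    packets = [  # (time in seconds, source address, destination port); constructed
        (0, "203.0.113.7", 22),     # no knock yet
        (1, "203.0.113.7", 1600),   # knock: address recorded, the knock itself is dropped
        (2, "203.0.113.7", 22),     # inside the 60 s window
        (70, "203.0.113.7", 22),    # window lapsed: --rcheck at t=2 did not refresh it
        (71, "203.0.113.7", 1600),  # knock again
        (72, "203.0.113.7", 1601),  # close the door explicitly
        (73, "203.0.113.7", 22),
        (74, "203.0.113.9", 22),    # a host that never knocked
    ]
    return [sshknock(ssh, src, dport, t) for t, src, dport in packets]


def limit_scenario():
    """Constructed trace: one host opens SSH connections at the listed times."""
    ssha = RecentList()
    times = [0, 10, 20, 30, 40, 70, 140]  # seconds; constructed
    return [limit(ssha, "203.0.113.7", t) for t in times]


if __name__ == "__main__":
    print("SSHKnock:", knock_scenario())
    print("Limit:   ", limit_scenario())
```

Two points the traces make visible: the port-22 ACCEPT uses --rcheck, so the 60 seconds run from the knock, not from the last SSH packet, and a new knock is needed once they lapse; and because Limit runs --set on every attempt before --update, a host that keeps retrying after its fourth connection in a minute keeps refreshing its own entry and stays dropped until it has been quiet for a full interval.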