FWbuilder config of port-knocking access?

nnn
2011-07-12
2013-03-05
  • nnn
    2011-07-12

    I've been asked to provide & protect occasional roaming access to SSH listener ports at a bunch of geo-distributed boxes.

    fwbuilder is really handy for managing all the various boxes' firewall rulesets.

    I do NOT want to keep SSH ports always open to the net-at-large, so I'm looking at a port-knocking setup.

    Can fwbuilder set up port-knocking detection using iptables' "recent" module?

    Basically, I want to have SSH listening on a closed, random port, say #12345.  Then a telnet to ports #11111, #22222, and #33333 in order within 30 seconds from a given IP would open port #12345 for SSH access *just* for that IP.

    Here's a simple example of what'd need to be done:

      http://dotancohen.com/howto/portknocking.html

    I'm just not sure if, and HOW, that'd be done with fwbuilder.

  • Mike Horn
    2011-07-13

    Here's a link that talks about how to use the "recent" module to temporarily ban failed SSH login attempts. 

    http://www.fwbuilder.org/4.0/docs/users_guide/block_ssh_attack_with_module_recent.html

    You can adapt this example to match the port knocking configuration shown in the example article you mentioned.  Let us know if you run into any issues.
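The rule set the original question describes (knocks on 11111, 22222 and 33333 in order, each within 30 seconds of the previous one, opening TCP 12345 for the knocking address only), written out as plain iptables commands using the "recent" module that the linked fwbuilder article builds on. This is an added example, not output from fwbuilder and not code from the linked article; the list names KNOCK1..KNOCK3 and the APPLY switch are my own choices, the ports and the 30-second window come from the question, and the script only prints the rules unless run as root with APPLY=1.

```shell
#!/bin/sh
# Port-knocking with iptables' "recent" module (added example, not fwbuilder output).
# Knock 11111 -> 22222 -> 33333, each within WINDOW seconds of the previous knock,
# and TCP port SSH_PORT opens for the knocking source address only.
# By default the rules are printed; APPLY=1 ./knock.sh executes them (needs root).

KNOCK_PORTS="11111 22222 33333"   # knock sequence, in order (from the question)
SSH_PORT=12345                    # the hidden SSH listener (from the question)
WINDOW=30                         # seconds allowed between consecutive knocks

# ipt: execute iptables when APPLY=1, otherwise print the command for review
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        echo "iptables $*"
    fi
}

# knock_rules: emit the complete INPUT-chain rule set, in the order it must appear
knock_rules() {
    # packets of an already-accepted SSH session must keep flowing after the
    # WINDOW expires, so established traffic is accepted before the knock logic
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    stage=0
    prev=""
    for port in $KNOCK_PORTS; do
        stage=$((stage + 1))
        name="KNOCK$stage"
        if [ -z "$prev" ]; then
            # first knock: record the source address in list KNOCK1, then drop
            # the packet so the port still looks closed to a scanner
            ipt -A INPUT -p tcp --dport "$port" -m recent --name "$name" --set -j DROP
        else
            # later knock: only counts if the same address completed the previous
            # stage within WINDOW seconds; an out-of-order knock matches nothing
            ipt -A INPUT -p tcp --dport "$port" \
                -m recent --name "$prev" --rcheck --seconds "$WINDOW" \
                -m recent --name "$name" --set -j DROP
        fi
        prev="$name"
    done

    # SSH opens only for sources that finished the last stage within WINDOW seconds
    ipt -A INPUT -p tcp --dport "$SSH_PORT" \
        -m recent --name "$prev" --rcheck --seconds "$WINDOW" -j ACCEPT
    # everyone else sees the SSH port as closed
    ipt -A INPUT -p tcp --dport "$SSH_PORT" -j DROP
}

knock_rules
```

Rule order matters: these rules must sit before anything that would otherwise accept or reject the knock ports, and the ESTABLISHED,RELATED rule must come first or the live SSH session is cut off when the 30-second window lapses. On a running kernel the addresses currently recorded in each list can be inspected under /proc/net/xt_recent/ (one file per --name), which is the quickest way to confirm that a knock sequence was registered for the expected source address.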

  • nnn
    2011-07-13

    Thanks, I think that should do it.

    One thing I noticed is that when I create a CustomService object, the code string appears to be concatenated with the iptables command.

    So if I enter,

    "-dport 10000  -m recent -name SSH -set"

    when I hover over the new object, the display shows:

    "iptables-dport 10000  -m recent -name SSH -set"

    See? "iptables-dport" - no space.

    But if I enter,

    " -dport 10000  -m recent -name SSH -set"

    with a leading space I get

    "iptables -dport 10000  -m recent -name SSH -set"

    I don't know if that's a real problem, or just one with display.

  • Mike Horn
    2011-07-13

    The "iptables" you see at the beginning when you hover over it just shows the type of custom service object this is, so this won't affect your generated rules.