Controlling servers (e.g. apache, samba)
Peter Garrett
peter.garrett at optusnet.com.au
Mon Feb 5 22:18:23 UTC 2007
On Mon, 05 Feb 2007 14:46:55 -0400
Derek Broughton <news at pointerstop.ca> wrote:
> It is, of course, hazardous to be modifying rulesets for IPTables over the
> net, as you can easily find yourself locked out.
One way around this (it's not a security strategy in itself, but I think
it's a handy tool) is "port knocking". This allows you to gain, for
instance, ssh access by "knocking" on closed ports in a pre-defined manner
to "open", say, port 22. The daemon executes an iptables rule to open
a port when the correct sequence is detected. It will also close the port
after a time out period, if configured in /etc/knockd.conf. This time can
be quite short if your iptables include a rule like
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
(Once you are connected, it can "shut up shop" again to other connections,
since your existing connection will continue )
The package is called "knockd" and comes with the daemon and a "knocking
client". Quite clever. See for example
http://www.linuxjournal.com/article/6811 for a discussion of the method,
or
http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
apt-cache show knockd :-)
It's in universe, if you are interested.
Peter
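The daemon behaviour described in the post above, as an added example that is not part of the original message and not knockd's own code: a small Python state machine that tracks each source address's progress through a knock sequence, discards attempts that arrive out of order or too slowly, opens the protected port for that source once the sequence completes, and closes it again after a timeout. Instead of sniffing the wire as knockd does, it consumes constructed (source IP, destination port, timestamp) records, and instead of executing iptables it returns the commands it would run. The sequence, timeouts and command strings are assumed values in the shape of a knockd.conf stanza, not a recommended configuration.

```python
"""Port-knocking state machine in the style of knockd (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed configuration: mirrors the fields of a knockd.conf [openSSH] stanza
# (sequence, seq_timeout, command, cmd_timeout, stop_command), values are
# illustrative only.
KNOCK_SEQUENCE = (7000, 8000, 9000)  # TCP SYNs to closed ports, in this order
SEQ_TIMEOUT = 5.0                    # seconds allowed to finish the sequence
OPEN_PORT = 22
OPEN_DURATION = 10.0                 # seconds the ACCEPT rule stays in place

# The rule inserted on success and deleted on timeout. With an
# ESTABLISHED,RELATED ACCEPT earlier in the chain, deleting it only blocks
# new connections; the knocker's existing ssh session survives.
OPEN_CMD = "iptables -I INPUT -s {ip} -p tcp --dport {port} -j ACCEPT"
CLOSE_CMD = "iptables -D INPUT -s {ip} -p tcp --dport {port} -j ACCEPT"


@dataclass
class Progress:
    started: float  # time of the first knock of the current attempt
    hits: int = 0   # knocks of the sequence matched so far


@dataclass
class KnockDaemon:
    progress: Dict[str, Progress] = field(default_factory=dict)
    open_until: Dict[str, float] = field(default_factory=dict)  # ip -> deadline

    def expire(self, now: float) -> List[str]:
        """Return close commands for every open port whose timeout has passed."""
        cmds = []
        for ip, deadline in list(self.open_until.items()):
            if now >= deadline:
                cmds.append(CLOSE_CMD.format(ip=ip, port=OPEN_PORT))
                del self.open_until[ip]
        return cmds

    def knock(self, ip: str, port: int, now: float) -> List[str]:
        """Feed one observed SYN; return the firewall commands it triggers."""
        cmds = self.expire(now)
        state = self.progress.get(ip)
        if state is not None and now - state.started > SEQ_TIMEOUT:
            del self.progress[ip]  # took too long: forget the attempt
            state = None
        expected = KNOCK_SEQUENCE[state.hits if state else 0]
        if port != expected:
            # Wrong port or wrong order discards the attempt; if this knock is
            # the first port of the sequence it also starts a fresh attempt.
            self.progress.pop(ip, None)
            if port == KNOCK_SEQUENCE[0]:
                self.progress[ip] = Progress(started=now, hits=1)
            return cmds
        if state is None:
            state = Progress(started=now)
            self.progress[ip] = state
        state.hits += 1
        if state.hits == len(KNOCK_SEQUENCE):
            del self.progress[ip]
            if ip not in self.open_until:  # already open: extend, no duplicate rule
                cmds.append(OPEN_CMD.format(ip=ip, port=OPEN_PORT))
            self.open_until[ip] = now + OPEN_DURATION
        return cmds


def replay(events: List[Tuple[str, int, float]]) -> List[str]:
    """Run a trace of (source_ip, dst_port, seconds) through one daemon."""
    daemon = KnockDaemon()
    cmds: List[str] = []
    for ip, port, t in events:
        cmds.extend(daemon.knock(ip, port, t))
    return cmds


# Constructed trace: a correct knock, an out-of-order knock from a second
# host, a stale half-finished sequence, then a complete one.
SAMPLE_EVENTS = [
    ("203.0.113.5", 7000, 0.0),
    ("203.0.113.5", 8000, 0.5),
    ("198.51.100.9", 7000, 0.7),
    ("198.51.100.9", 9000, 0.8),   # skipped 8000: attempt discarded
    ("203.0.113.5", 9000, 1.0),    # sequence complete: open 22 for this host
    ("198.51.100.9", 7000, 20.0),  # first host's window has expired by now
    ("198.51.100.9", 8000, 27.0),  # 7 s after the first knock: too slow
    ("198.51.100.9", 7000, 28.0),
    ("198.51.100.9", 8000, 28.5),
    ("198.51.100.9", 9000, 29.0),
]

if __name__ == "__main__":
    for cmd in replay(SAMPLE_EVENTS):
        print(cmd)
```

Two points the example makes concrete. First, the close command only works as Peter describes if the stateful `ESTABLISHED,RELATED` ACCEPT sits before the default DROP, so deleting the per-host rule ends the window for new connections without cutting the session that was just opened. Second, the knock sequence itself travels in clear text and can be sniffed and replayed by anyone on the path, which is why it is an obscurity layer on top of a normal firewall policy and ssh hardening rather than a security control on its own, as the original post also says.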
More information about the ubuntu-users mailing list