Controlling servers (e.g. apache, samba)

John Dangler jdangler at atlantic.net
Tue Feb 6 04:58:17 UTC 2007


On Tue, 2007-02-06 at 09:18 +1100, Peter Garrett wrote:
> On Mon, 05 Feb 2007 14:46:55 -0400
> Derek Broughton <news at pointerstop.ca> wrote:
> 
> > It is, of course, hazardous to be modifying rulesets for IPTables over the
> > net, as you can easily find yourself locked out.
> 
> One way around this (it's not a security strategy in itself, but I think
> it's a handy tool) is "port knocking". This allows you to gain, for
> instance, ssh access by "knocking" on closed ports in a pre-defined manner
> to "open", say, port 22. The daemon executes an iptables rule to open
> a port when the correct sequence is detected. It will also close the port
> after a time out period, if configured in /etc/knockd.conf. This time can
> be quite short if your iptables include a rule like
> 
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> (Once you are connected, it can "shut up shop" again to other connections,
> since your existing connection will continue)
> 
> The package is called "knockd" and comes with the daemon and a "knocking
> client". Quite clever. See for example
> 
> http://www.linuxjournal.com/article/6811 for a discussion of the method,
> or 
> http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
> 
> apt-cache show knockd  :-)
> 
> It's in universe, if you are interested.
> 
> Peter
> 
Peter~
Very interesting.  Thanks for the info. I'm looking into this!

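The detection logic Peter describes (walk a per-source state machine through the knock sequence, reset on a wrong port or when the sequence timeout expires, then run an iptables command with the knocker's address filled in and schedule the close), as an added toy model that is not knockd's own code. The ports, timeouts, IP addresses and iptables commands are assumed values; the `%IP%` placeholder mirrors the substitution knockd.conf uses.

```python
"""Toy model of a knockd-style port-knock detector (added example, not knockd).
Events are constructed (timestamp, source IP, destination port) SYNs seen on
closed ports. The detector tracks each source's progress through the sequence,
resets it on a wrong port or when seq_timeout expires, and on a full match
returns the open command plus the close command scheduled cmd_timeout later."""
from dataclasses import dataclass, field

SEQUENCE = (7000, 8000, 9000)   # assumed knock ports, in order
SEQ_TIMEOUT = 5.0               # seconds allowed to complete the whole sequence
CMD_TIMEOUT = 10.0              # seconds the hole stays open before the close runs
# Assumed commands; %IP% is replaced with the knocker's address, so only that
# source is let through and ESTABLISHED,RELATED keeps its session alive after close.
OPEN_CMD = "iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
CLOSE_CMD = "iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"


@dataclass
class Progress:
    stage: int = 0        # how many ports of the sequence this source has hit
    started: float = 0.0  # timestamp of the first correct knock


@dataclass
class KnockDetector:
    sequence: tuple = SEQUENCE
    seq_timeout: float = SEQ_TIMEOUT
    cmd_timeout: float = CMD_TIMEOUT
    progress: dict = field(default_factory=dict)  # source IP -> Progress

    def feed(self, ts, src, dport):
        """Process one SYN; return a list of (time, command) to execute."""
        p = self.progress.setdefault(src, Progress())
        if p.stage and ts - p.started > self.seq_timeout:
            p.stage = 0                       # too slow: start the sequence over
        if dport != self.sequence[p.stage]:
            p.stage = 0                       # any other port (e.g. a sequential scan) resets
            return []
        if p.stage == 0:
            p.started = ts
        p.stage += 1
        if p.stage < len(self.sequence):
            return []
        del self.progress[src]                # full sequence matched
        return [(ts, OPEN_CMD.replace("%IP%", src)),
                (ts + self.cmd_timeout, CLOSE_CMD.replace("%IP%", src))]


def run(events, detector=None):
    """Feed constructed (ts, src, dport) events; return all scheduled commands."""
    det = detector or KnockDetector()
    out = []
    for ev in events:
        out.extend(det.feed(*ev))
    return out
```

Because an intermediate port resets the state, a linear scan that happens to pass through the knock ports in order does not open the hole; only a source that hits exactly 7000, 8000, 9000 within the timeout does.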
More information about the ubuntu-users mailing list