Controlling servers (e.g. apache, samba)
John Dangler
jdangler at atlantic.net
Tue Feb 6 04:58:17 UTC 2007
On Tue, 2007-02-06 at 09:18 +1100, Peter Garrett wrote:
> On Mon, 05 Feb 2007 14:46:55 -0400
> Derek Broughton <news at pointerstop.ca> wrote:
>
> > It is, of course, hazardous to be modifying rulesets for IPTables over the
> > net, as you can easily find yourself locked out.
>
> One way around this (it's not a security strategy in itself, but I think
> it's a handy tool) is "port knocking". This allows you to gain, for
> instance, ssh access by "knocking" on closed ports in a pre-defined manner
> to "open", say, port 22. The daemon executes an iptables rule to open
> a port when the correct sequence is detected. It will also close the port
> after a timeout period, if configured in /etc/knockd.conf. This time can
> be quite short if your iptables include a rule like
>
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> (Once you are connected, it can "shut up shop" again to other connections,
> since your existing connection will continue.)
>
> The package is called "knockd" and comes with the daemon and a "knocking
> client". Quite clever. See for example
>
> http://www.linuxjournal.com/article/6811 for a discussion of the method,
> or
> http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki
>
> apt-cache show knockd :-)
>
> It's in universe, if you are interested.
>
> Peter
>
Peter~
Very interesting. Thanks for the info. I'm looking into this!
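As an added illustration of the setup Peter describes above (this example is not from the thread or from the knockd project; the interface name, the knock sequence and the iptables path are assumptions), here is a minimal /etc/knockd.conf that opens port 22 only for the host that knocked and closes it again after a short timeout, together with the baseline firewall rules it relies on:

```ini
# /etc/knockd.conf (added example, not from the thread)
# Assumptions: network interface eth0, knock sequence 7000,8000,9000,
# iptables binary at /sbin/iptables.
#
# Prerequisite firewall state: INPUT drops new connections by default but
# keeps existing sessions alive, which is the rule Peter quotes:
#   iptables -P INPUT DROP
#   iptables -A INPUT -i lo -j ACCEPT
#   iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The rule knockd adds uses -I (insert at the top of the chain), so it is
# evaluated before the DROP policy applies.

[options]
    # write every detected knock and rule change to syslog for later review
    UseSyslog
    # assumption: the interface that faces the network
    Interface = eth0

[openSSH]
    # constructed sequence of three TCP ports; pick your own
    sequence     = 7000,8000,9000
    # all three knocks must arrive within 5 seconds
    seq_timeout  = 5
    # count only SYN packets as knocks, so ordinary traffic can't trigger it
    tcpflags     = syn
    # %IP% is replaced by the knocking host's address, so port 22 is opened
    # for that host only, not for everyone
    command      = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    # remove the rule again 10 seconds later; the ssh session already
    # established by then survives via the ESTABLISHED,RELATED rule
    cmd_timeout  = 10
    stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

After starting knockd, `iptables -L INPUT -n --line-numbers` should show the ESTABLISHED,RELATED rule in place before any knock; if it is missing, the stop_command will cut off the very session the knock just allowed. The knock sequence travels in the clear, so, as Peter says, treat this as an extra layer in front of sshd's own authentication rather than as a security measure on its own.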
More information about the ubuntu-users mailing list