-
-
Save DasLampe/4131161 to your computer and use it in GitHub Desktop.
Port Knocking, client and server configuration files
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| # Port Knocking server configuration. It closes all ports but the webserver one. | |
| # When the correct sequence of ports is detected (1000. 2000. 3000. 4000), the | |
| # SSH port is opened for 5 seconds to allow connections. | |
| # | |
| # Erase all the rules | |
| iptables -F | |
| # Close all incoming connections | |
| iptables -P INPUT DROP | |
| iptables -P OUTPUT ACCEPT | |
| iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| # Open the web server port to the public | |
| iptables -A INPUT -m state --state NEW -p TCP --dport 80 -j ACCEPT | |
| # Allow the loopback interface (mysql, ...) | |
| iptables -A INPUT -i lo -j ACCEPT | |
| # Port Knocking | |
| ############### | |
| # Original Script http://pub.ligatura.org/fs/netfilter/misc/portknock_multi | |
| # | |
| # Netfilter/IPtables - example of multiple-port knocking | |
| # Note: Knock ports to open SSH port for 5 seconds. | |
| iptables -N INTO-PHASE2 | |
| iptables -A INTO-PHASE2 -m recent --name PHASE1 --remove | |
| iptables -A INTO-PHASE2 -m recent --name PHASE2 --set | |
| iptables -A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: " | |
| iptables -N INTO-PHASE3 | |
| iptables -A INTO-PHASE3 -m recent --name PHASE2 --remove | |
| iptables -A INTO-PHASE3 -m recent --name PHASE3 --set | |
| iptables -A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: " | |
| iptables -N INTO-PHASE4 | |
| iptables -A INTO-PHASE4 -m recent --name PHASE3 --remove | |
| iptables -A INTO-PHASE4 -m recent --name PHASE4 --set | |
| iptables -A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: " | |
| iptables -A INPUT -m recent --update --name PHASE1 | |
| iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PHASE1 | |
| iptables -A INPUT -p tcp --dport 2000 -m recent --rcheck --name PHASE1 -j INTO-PHASE2 | |
| iptables -A INPUT -p tcp --dport 3000 -m recent --rcheck --name PHASE2 -j INTO-PHASE3 | |
| iptables -A INPUT -p tcp --dport 4000 -m recent --rcheck --name PHASE3 -j INTO-PHASE4 | |
| iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name PHASE4 -j ACCEPT |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /bin/bash | |
| # If you use git on a server with porkocking you can't pull anything. | |
| # So I use a ssh tunnel. | |
| # But it doesn't exists an pre-fetch hook. :( (But most of the time I only push to this server) | |
| #pssh.sh is in this file ;) | |
| source ~/.bash_profile | |
| string=`lsof -i -P | grep -i LISTEN | grep 6851` | |
| if [ -z "$string" ] | |
| then | |
| echo "Tunnel wird aufgebaut" | |
| pssh -L 6851:example.com:22 -Nf user@example.com | |
| fi |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # SCP Connection Port Knocker | |
| # | |
| # 1 - Append this code to your .bashrc or .bash_profile file | |
| # 2 - Create a .portknocks file in your home directory with a list like | |
| # host1 port1 | |
| # host1 port2 | |
| # ... | |
| # host1 portN | |
| # host2 port1 | |
| # ... | |
| # 3 - You must open a new terminal session to use the new function | |
| # 4 - Use it as you would use the ssh command | |
| # scp user@server:~/hello ~/hello => psscp user@server:~/hello ~/hello | |
| # | |
| # It accepts the usual options of the SCP program | |
| psscp() { | |
| while getopts "dfl:prtvBCc:i:P:q1246S:o:F:" FLAG | |
| do | |
| true | |
| done | |
| j=$OPTIND | |
| while [ ${@:$j:1} ] | |
| do | |
| HOST=${@:$j:1} | |
| HOST=${HOST#*@} | |
| HOST=${HOST%:*} | |
| if [ "$HOST" != "." ] && [ "$HOST" != ".." ] | |
| then | |
| HOSTS="${HOSTS}${HOST}\n" | |
| fi | |
| ((j++)) | |
| done | |
| echo -e $HOSTS | sort -u | \ | |
| while read HOST | |
| do | |
| if [ $HOST ] | |
| then | |
| CNT=1 | |
| cat ~/.portknocks | grep ^$HOST | awk '{ for(i=2; i <= NF; i++) printf "%s\n", $i}' | \ | |
| while read PORT | |
| do | |
| echo "Knocking $HOST ($CNT)" | |
| nc -w 1 $HOST $PORT & sleep 0.5 && | |
| ((CNT++)) | |
| done | |
| fi | |
| done | |
| scp $* | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # SSH Connection Port Knocker | |
| # | |
| # 1 - Append this code to your .bashrc or .bash_profile file | |
| # 2 - Create a .portknocks file in your home directory with a list like | |
| # host1 port1 | |
| # host1 port2 | |
| # ... | |
| # host1 portN | |
| # host2 port1 | |
| # ... | |
| # 3 - You must open a new terminal session to use the new function | |
| # 4 - Use it as you would use the ssh command | |
| # ssh user@server => pssh user@server | |
| # | |
| # It accepts the usual options of the SSH program | |
| pssh() { | |
| while getopts "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:W:XYy" FLAG | |
| do | |
| true | |
| done | |
| HOST=${@:$OPTIND:1} | |
| HOST=${HOST#*@} | |
| CNT=1 | |
| cat ~/.portknocks | grep ^$HOST | awk '{ for(i=2; i <= NF; i++) printf "%s\n", $i}' | \ | |
| while read PORT | |
| do | |
| echo "Knocking $HOST ($CNT)" | |
| nc -w 1 $HOST $PORT & sleep 0.5 && | |
| ((CNT++)) | |
| done | |
| ssh $* | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment