Created
May 18, 2017 21:56
-
-
Save cryptolok/326b6afc98bf4bb489a206d62ad12580 to your computer and use it in GitHub Desktop.
Port Knocking configuration using OpenBSD with knockd on SSH
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Port Knocking configuration using OpenBSD with knockd on SSH | |
#! DISCLAIMER ! | |
# OpenBSD isn't an OS for Unix novices, thus I will omit deep details and just make some assumptions about your configuration | |
# Port Knocking, despite being a known network stealthing technique, was implemented essentially for Linux, I made a reliable, stable and portable configuration for OpenBSD (might also work for FreeBSD) | |
# install | |
export PKG_PATH=http://ftp.openbsd.org/pub/OpenBSD/6.1/packages/amd64/ | |
pkg_add autoconf | |
pkg_add automake | |
export AUTOCONF_VERSION=2.69 | |
export AUTOMAKE_VERSION=1.14 | |
git clone https://github.com/jvinet/knock | |
compile | |
/sbin/knockd -i re0 -c /usr/local/etc/knockd.conf | |
# Packet Filter | |
/etc/pf.conf: | |
block all | |
pass out | |
# Port Knocking | |
/usr/local/etc/knockd.conf: | |
[options] | |
logfile = /var/log/knockd.log | |
[opencloseSSH] | |
sequence = 443:tcp, 80:tcp | |
# ports of HTTPS and HTTP are selected because, they are less likely to be filtered if you're behind a restrictive firewall and can be done by a web browser whereas | |
port scanners won't have such behavior, but you're still encouraged to change them if you desire so | |
seq_timeout = 1 | |
tcpflags = syn | |
start_command = /bin/echo 'pass in on re0 proto tcp from %IP% to re0:0 port 22' >> /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf | |
cmd_timeout = 10 | |
stop_command = /usr/bin/sed -i '$ d' /etc/pf.conf && /sbin/pfctl -f /etc/pf.conf | |
# this will open SSH port on interface re0 for 10 seconds which will allow you to connect and since, PF is a state-full firewall, it won't block already established connection | |
# note that it is a mistake to think that I reload all of PF rules, this is true for Netfilter (iptables), but PF will change the rules in a smart manner | |
# connecting from your PC | |
sudo aptitude install knock || yaourt knock || echo 'you know what to do' | |
knock $IP 443 80 | |
ssh $IP | |
# I advise to repeat it few times in order to avoid network delays and lost packets in some circumstances | |
# alternatively, you can also use your web browser or wget | |
firefox https://$IP || wget https://$IP | |
firefox http://$IP || wget http://$IP | |
ssh $IP |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi,
make gives my trouble:
bash-4.4# make
make all-am
make: don't know how to make doc/knock.1 (prerequisite of: all-am)
any thoughts?
bash-4.4# uname -a
OpenBSD knockd.demo.local 6.1 GENERIC.MP#20 amd64
bash-4.4#