#1 2014-01-11 15:49:28

becatlibra
Member
Registered: 2010-06-25
Posts: 57

[Solved] Knockd not seeing knocks, can see via tcpdump (used to work)

I have a setup which uses knockd to open my SSH port on my Arch workstation.  This has worked for a few years; however, it is now no longer functioning.  The only possible cause I could see is the upgrade to libpcap that I made via pacman ... except I can see the traffic with 'tcpdump'.  knockd sees some of the knocks but not all of them; it's intermittent.

tcpdump: listening on enp2s0, link-type EN10MB (Ethernet), capture size 65535 bytes
IP (tos 0x0, ttl 64, id 55052, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.7.138.52266 > 10.30.6.189.5315: Flags [S], cksum 0x9c07 (correct), seq 3881804615, win 27440, options [mss 1372,sackOK,TS val 570122 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 30528, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.7.138.46591 > 10.30.6.189.8142: Flags [S], cksum 0xee39 (correct), seq 1185283311, win 27440, options [mss 1372,sackOK,TS val 570122 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 21805, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.7.138.57902 > 10.30.6.189.3215: Flags [S], cksum 0x9153 (correct), seq 4139421904, win 27440, options [mss 1372,sackOK,TS val 570122 ecr 0,nop,wscale 7], length 0
config: new section: 'options'
config: log file: /var/log/knockd.log
config: interface: enp2s0
config: new section: 'SSH'
config: SSH: sequence: 5315:tcp,8142:tcp,3215:tcp
config: SSH: seq_timeout: 100
config: SSH: start_command: /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 2233 -j ACCEPT
config: tcp flag: SYN
config: SSH: cmd_timeout: 3600
config: SSH: stop_command: /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 2233 -j ACCEPT
ethernet interface detected
Local IP: 10.30.6.189
Adding pcap expression for door 'SSH': (dst host 10.30.6.189 and (((tcp dst port 5315 or 8142 or 3215) and tcp[tcpflags] & tcp-syn != 0)))
listening on enp2s0...

Tried a second time and it saw a few of them; again, tcpdump sees all of them.

IP (tos 0x0, ttl 64, id 24058, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.7.138.52270 > 10.30.6.189.5315: Flags [S], cksum 0x55dd (correct), seq 1531191909, win 27440, options [mss 1372,sackOK,TS val 591406 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 48344, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.7.138.46595 > 10.30.6.189.8142: Flags [S], cksum 0xe061 (correct), seq 1792643947, win 27440, options [mss 1372,sackOK,TS val 591406 ecr 0,nop,wscale 7], length 0
IP (tos 0x0, ttl 64, id 37857, offset 0, flags [DF], proto TCP (6), length 60)
    10.20.7.138.57906 > 10.30.6.189.3215: Flags [S], cksum 0xcbab (correct), seq 222489799, win 27440, options [mss 1372,sackOK,TS val 591407 ecr 0,nop,wscale 7], length 0
2014-00-11 10:45:53: tcp: 10.20.7.138:46591 -> 10.30.6.189:8142 74 bytes
2014-00-11 10:45:53: tcp: 10.20.7.138:57902 -> 10.30.6.189:3215 74 bytes

Tried adding a delay to the knocks and setting the seq_timeout higher.  I just don't get what is happening.  If tcpdump can see it, shouldn't libpcap be able to capture it?  Sometimes it will capture both the first and the second knock, but it seems to never catch the first.

Thanks for your help

B

Last edited by becatlibra (2014-01-14 15:29:31)
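
One way to pin down which knocks knockd missed, as an added example (not part of the original post and not knockd's own code): the script pairs every SYN that tcpdump printed with knockd's log lines on source IP, source port, destination IP and destination port, then groups the SYNs into knock attempts. The sample input is the output quoted in post #1, with the tcpdump lines trimmed after the checksum; the function names are made up for this example.

```python
import re

SEQUENCE = [5315, 8142, 3215]  # "sequence" from the posted knockd config

# tcpdump lines from post #1, trimmed after the checksum field
TCPDUMP = """\
    10.20.7.138.52266 > 10.30.6.189.5315: Flags [S], cksum 0x9c07 (correct)
    10.20.7.138.46591 > 10.30.6.189.8142: Flags [S], cksum 0xee39 (correct)
    10.20.7.138.57902 > 10.30.6.189.3215: Flags [S], cksum 0x9153 (correct)
    10.20.7.138.52270 > 10.30.6.189.5315: Flags [S], cksum 0x55dd (correct)
    10.20.7.138.46595 > 10.30.6.189.8142: Flags [S], cksum 0xe061 (correct)
    10.20.7.138.57906 > 10.30.6.189.3215: Flags [S], cksum 0xcbab (correct)
"""
# knockd log lines from post #1
KNOCKD = """\
2014-00-11 10:45:53: tcp: 10.20.7.138:46591 -> 10.30.6.189:8142 74 bytes
2014-00-11 10:45:53: tcp: 10.20.7.138:57902 -> 10.30.6.189:3215 74 bytes
"""

IP = r"(\d+(?:\.\d+){3})"
SYN_RE = re.compile(IP + r"\.(\d+) > " + IP + r"\.(\d+): Flags \[S\]")
LOG_RE = re.compile(r"tcp: " + IP + r":(\d+) -> " + IP + r":(\d+) \d+ bytes")

def parse(regex, text):
    """Return (src_ip, src_port, dst_ip, dst_port) for every match."""
    return [(m[1], int(m[2]), m[3], int(m[4])) for m in regex.finditer(text)]

def attempts(tcpdump_text, knockd_text, sequence=SEQUENCE):
    """Group captured SYNs into knock attempts; mark each as logged or not."""
    logged = set(parse(LOG_RE, knockd_text))
    result = []
    for syn in parse(SYN_RE, tcpdump_text):
        if syn[3] not in sequence:
            continue  # not a knock port
        if syn[3] == sequence[0] or not result:
            result.append([])  # first port of the sequence starts a new attempt
        result[-1].append((syn[3], syn[1], syn in logged))
    return result

def door_would_open(attempt, sequence=SEQUENCE):
    """True only if knockd logged every port of the sequence, in order."""
    return [port for port, _, seen in attempt if seen] == sequence

if __name__ == "__main__":
    for n, attempt in enumerate(attempts(TCPDUMP, KNOCKD), 1):
        for port, sport, seen in attempt:
            print(f"attempt {n}: port {port} (sport {sport}) "
                  f"{'logged' if seen else 'NOT logged by knockd'}")
        print(f"attempt {n}: sequence complete = {door_would_open(attempt)}")
```

Matching on the source port as well as the destination port ties each knockd log line to the exact SYN it came from, which a comparison on knock ports alone cannot do when several attempts were made.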

#2 2014-01-11 16:05:55

Spider.007
Member
Registered: 2004-06-20
Posts: 1,143

Re: [Solved] Knockd not seeing knocks, can see via tcpdump (used to work)

You could revert the libpcap update to see if that fixes it. If it does, it's probably better to report this upstream.

#3 2014-01-11 16:12:21

becatlibra
Member
Registered: 2010-06-25
Posts: 57

Re: [Solved] Knockd not seeing knocks, can see via tcpdump (used to work)

Thanks for that. I did try a downgrade yesterday and it didn't help; however, I'm seeing the same suggestion in the AUR (for knockd) for this exact same problem.  I am guessing the issue is that I didn't reboot after downgrading. I did not think that would be necessary, but the network stack has never been one of my strong suits.  I'll try that and let you guys know.

#4 2014-01-11 16:54:25

becatlibra
Member
Registered: 2010-06-25
Posts: 57

Re: [Solved] Knockd not seeing knocks, can see via tcpdump (used to work)

Of course, being tired due to not enough sleep, I rebooted the remote machine, forgetting about the fact that it needs a password to decrypt the drives before fully booting :/

I'll update this on Monday.

B

#5 2014-01-11 17:08:44

Spider.007
Member
Registered: 2004-06-20
Posts: 1,143

Re: [Solved] Knockd not seeing knocks, can see via tcpdump (used to work)

Oops, I hope not too many people depend on it :)

#6 2014-01-14 15:28:42

becatlibra
Member
Registered: 2010-06-25
Posts: 57

Re: [Solved] Knockd not seeing knocks, can see via tcpdump (used to work)

Downgrading did fix it this time around.  Not sure why downgrading before did not (not sure why a reboot would make a difference with libpcap).