Hi, Arch Community,
I have kind of a dumb question regarding port knocking. I'm doing some preliminary testing based on the documentation here:
I've created a couple of rules and a logging chain:
:PORTKNOCK - [0:0]
-A PORTKNOCK -m limit --limit 5/m --limit-burst 10 -j LOG --log-prefix "IPTABLES Portknock: "
-A PORTKNOCK -j DROP
# This will add the ip to the list SSH0 if the port knocked is 8881
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8881 -m recent --name SSH0 --set -j PORTKNOCK
I know this is getting hit because it is logging:
Feb 7 15:46:44 hypervisor kernel: [2316624.562712] IPTABLES Portknock: IN=eth0 OUT= MAC=78:2b:cb:a7:97:dd:08:00:27:72:61:bb:08:00 SRC=10.135.217.176 DST=10.135.217.178 LEN=64 TOS=0x10 PREC=0x00 TTL=64 ID=31917 DF PROTO=TCP SPT=38253 DPT=8881 WINDOW=16384 RES=0x00 SYN URGP=0
My question is that based on my reading, I should be able to inspect the contents of the names set SSH0 by taking a look at /proc/net/ipt_recent/SSH0 or something of this sort (http://www.ducea.com/2006/06/28/using-i … e-attacks/).
I don't see this path of my proc filesystem. Could anybody tell me where to look to discern this set information?
Thank-you so much for taking the time to answer my question.
You should have xt_recent if the xt_recent kernel module is loaded.
Thank-you, kind person. This is exactly what I was looking for.