
#1 2006-10-22 10:44:16

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

knock not knocking?

I am having some problems with knockd.  I have the setup correct, I think: the start command works fine when applied manually and I am using the correct knock sequence.  I also added knockd to hosts.allow, but I can't see any evidence that knockd is even receiving my knocks.  Could that be a firewall issue?  I'm feeling a bit dumb, tbh, but it seems daft to have to open ports in the firewall to get the knocks.  I think my firewall must just be dropping the knocks; it could be flag related, I guess?


#2 2006-10-22 11:53:13

swiergot
Member
From: Kraków, Poland
Registered: 2005-01-08
Posts: 145

Re: knock not knocking?

Perhaps you are using UDP packets in your sequence and they get lost?


#3 2006-10-22 12:31:57

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: knock not knocking?

I am using UDP packets; why would they be getting lost?


#4 2006-10-22 12:44:08

swiergot
Member
From: Kraków, Poland
Registered: 2005-01-08
Posts: 145

Re: knock not knocking?

It's their nature: there is no guarantee of delivery.


#5 2006-10-22 13:10:03

lucke
Member
From: Poland
Registered: 2004-11-30
Posts: 4,018

Re: knock not knocking?

Instead of using simple port knocking, you could have a look at fwknop. I even thought about packaging it, but gave up after seeing that it has some weird Perl install script.


#6 2006-10-22 15:00:51

iphitus
Forum Fellow
From: Melbourne, Australia
Registered: 2004-10-09
Posts: 4,927

Re: knock not knocking?

lucke wrote:

Instead of using simple port knocking, you could have a look at fwknop. I even thought about packaging it, but gave up after seeing that it has some weird Perl install script.

because judd wrote knockd ;)


#7 2006-10-22 15:09:24

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: knock not knocking?

I'm puzzled.  I tried all three knocks as TCP and I get the same result.  The knockd log shows no activity, and only the first knock appears in the iptables log.

This is my iptables file; any clues there?

# Generated by iptables-save v1.3.5 on Sun Oct 22 08:46:21 2006
*filter
:INPUT DROP [17:3079]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [81:8108]
:interfaces - [0:0]
:open - [0:0]
-A INPUT -p icmp -j ACCEPT 
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
-A INPUT -j interfaces 
-A INPUT -j open 
-A INPUT -m limit --limit 15/min -j LOG --log-prefix "INPUT: " --log-level 7 
-A interfaces -i lo -j ACCEPT 
COMMIT
# Completed on Sun Oct 22 08:46:21 2006


#8 2006-10-22 16:45:11

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: knock not knocking?

Well, to me, the way that iptables setup is written you will never get anything to go through from the outside world unless you initiate the handshake yourself.
If you want an external machine to contact you, you need an INPUT rule like:

-A INPUT -p tcp -s 123.456.789.1 -j ACCEPT

where the address 123.456.789.1 is the address of the machine you want to allow to contact your system (-s matches the source address; -i would match an interface name).
Or am I missing something?


#9 2006-10-22 17:04:12

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: knock not knocking?

After reading a bit about knockd I realized that things may be a bit more complicated.
Do you have something like this in your knockd configuration?

#/etc/knockd.conf
[openSSH]
sequence    = 7000,8000,9000
seq_timeout = 5
command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags    = syn

Then you need to send a command like this:

$ knock -v 192.168.1.25 7000 8000 9000

after which you open your SSH client and connect.

I understand that some people use scripts to automate the process, and you may want to do the same in order to simplify your life.

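A knock-and-connect script of the kind ralvez mentions, as an added example that is not part of the thread and not the knock(1) program: each knock is a plain TCP connect() attempt, i.e. a single SYN with no ACK set, which is what a knockd door configured with `tcpflags = syn` counts. The host 192.168.1.2 and the sequence 7000 8000 9000 are placeholders taken from the posts above, and the ssh user is assumed.

```python
"""Knock-then-ssh helper (added example; not knock(1) nor any script from the thread).

Each knock is a plain TCP connect() attempt, i.e. one SYN with no ACK set,
which is exactly what a knockd door configured with tcpflags = syn counts.
Host, ports and ssh user below are placeholders.
"""
import errno
import socket
import subprocess
import sys
import time

# connect_ex() reports a timed-out connect as one of these errno values
# (or raises socket.timeout, handled below) depending on the Python version.
_TIMEOUT_ERRNOS = {errno.EAGAIN, errno.EWOULDBLOCK, errno.EINPROGRESS, errno.ETIMEDOUT}


def knock_once(host, port, timeout):
    """Send one SYN to host:port and report what came back."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        rc = s.connect_ex((host, port))
    except socket.timeout:
        return "timeout"
    finally:
        s.close()
    if rc == 0:
        return "open"        # handshake completed: the port is really open
    if rc == errno.ECONNREFUSED:
        return "refused"     # RST came back: the SYN reached the host, port closed
    if rc in _TIMEOUT_ERRNOS:
        return "timeout"     # no reply at all: typical of an iptables DROP policy
    return "error %d" % rc


def knock_sequence(host, ports, delay=0.2, timeout=0.5):
    """Hit each port in order with a pause between knocks so knockd sees
    distinct SYNs inside its seq_timeout. Returns [(port, result), ...]."""
    results = []
    for i, port in enumerate(ports):
        if i:
            time.sleep(delay)
        results.append((port, knock_once(host, port, timeout)))
    return results


def ssh_command(user, host, ssh_port=22):
    """argv for the ssh session to open once the door is unlocked."""
    return ["ssh", "-p", str(ssh_port), "%s@%s" % (user, host)]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.2"      # placeholder host
    ports = [int(p) for p in sys.argv[2:]] or [7000, 8000, 9000]    # placeholder sequence
    for port, result in knock_sequence(host, ports):
        print("knock %s:%d -> %s" % (host, port, result))
    # knockd's cmd_timeout closes the door again, so connect straight away.
    sys.exit(subprocess.call(ssh_command("user", host)))            # placeholder user
```

Against a firewall with a DROP policy every knock reports "timeout"; that is the expected result, not a lost knock, because knockd captures the SYN with libpcap before the filter decides anything. A "refused" result means the SYN reached a closed port that was not being dropped, which is itself a useful check on whether the firewall is in the way.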

#10 2006-10-23 18:24:38

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: knock not knocking?

ralvez: thanks for your efforts, but I was past where you are when I started!

Here is the output from knockd -vD:

sudo knockd -vD
config: new section: 'options'
config: log file: /var/log/knockd.log
config: interface: wlan0
config: new section: 'opencloseSSH'
config: opencloseSSH: sequence: 00000:tcp,00000:tcp,00000:tcp
config: opencloseSSH: seq_timeout: 15
config: tcp flag: SYN
config: tcp flag: ACK
config: opencloseSSH: start_command: /bin/touch /open.txt
config: opencloseSSH: cmd_timeout: 10
config: opencloseSSH: stop_command: /bin/touch /close.txt
ethernet interface detected
Local IP: 192.168.1.2
listening on wlan0...

Obviously they are not the port numbers.

knock -v 192.168.1.2 00000 00000 00000

yields exactly what I expect:

hitting tcp 192.168.1.2:00000
hitting tcp 192.168.1.2:00000
hitting tcp 192.168.1.2:00000

Am baffled.


#11 2006-10-23 21:22:51

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: knock not knocking?

Can't you use Wireshark to monitor the packets as they are sent? That may give you an idea of where things get cut off.

You may even allow a specific machine to access the system via iptables, just for the purpose of taking a look at the data flow. Send the knocking sequence just as you otherwise would, but monitor the sequence of events.

I'll try to get a bit of a better understanding of knockd (I actually think it is a good concept) and see if I can be of better help.
Hey, I may even set it up on one of my spare machines if I get some time ;)


#12 2006-11-09 21:47:59

dtw
Forum Fellow
From: UK
Registered: 2004-08-03
Posts: 4,439

Re: knock not knocking?

The problem is the flag settings.  Judd's second example of a knockd config uses this option:

tcpflags      = syn,ack

I used this automatically, not seeing any harm.  However, it seems that there must be some ACK traffic hitting the firewall between knocks that is killing the knock sequence, because if I switch to syn only it works.  Could this be a firewall issue, as I suspected (only the first knock packet gets logged by iptables), or am I actually still doing something wrong?

I started another thread a while back about brain0's firewall, it'd be good to know if it is incompatible with certain knockd configs.


#13 2006-11-09 23:26:08

ralvez
Member
From: Canada
Registered: 2005-12-06
Posts: 1,718

Re: knock not knocking?

I would not be surprised if it is the firewall. You could try changing the iptables rules to allow your machine (the one you want to grant access to) to send, say, TCP packets, so as to verify whether the firewall is stopping them.
If it works after you allow TCP traffic from that machine, then we could say with a certain degree of assurance that THAT IS the problem.


#14 2006-11-10 22:48:15

lanrat
Member
From: Poland
Registered: 2003-10-28
Posts: 1,274

Re: knock not knocking?

I'm not sure if I understand you correctly, dtw, but are you trying to connect via ssh from some machine on the outside to the machine with the iptables + knockd setup mentioned above?

According to the knockd manpage, the iptables configuration doesn't matter for the port knocking sequence, because knockd operates at the link level.

However, if there is some other firewall in front of your firewall, it can simply drop packets with "incorrect" flags, and they never get through to your firewall.

You can check this by running tcpdump (as root) on your firewall machine like this:

tcpdump "ether host place_your_wlan_HWaddr_from_ifconfig_here and dst port (7000 or 8000 or 9000)"

Then, on the outside machine, try knock or some other tool like netcat (nc firewall_ip_address 7000, etc.). tcpdump should produce something like this if the packets get through to your firewall:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
23:36:49.775314 IP outsidehost.blahblah.com.45958 > your_firewall_host.lalala.com.7000: S 3180976499:3180976499(0) win 5840 <mss>
23:36:55.615175 IP outsidehost.blahblah.com.34870 > your_firewall_host.lalala.com.8000: S 3193429035:3193429035(0) win 5840 <mss>
23:36:58.847666 IP outsidehost.blahblah.com.49256 > your_firewall_host.lalala.com.9000: S 3183829694:3183829694(0) win 5840 <mss>

If that's the case, I would try adding your knockd sequence ports to your firewall setup (just to be sure). If it doesn't help, then perhaps there is something wrong with knockd?

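To tie lanrat's tcpdump check to the tcpflags finding in post #12, here is an added example that is not knockd's code and not from the thread: a simplified model of the matching rules in the knockd manpage, fed with tcpdump lines in the format shown above. It parses each line into source, destination port and TCP flags (in this old tcpdump format SYN is the `S` letter and ACK shows up as an `ack N` field), then replays the packets through a knockd-style door for 7000,8000,9000. The capture is the three SYNs from the post plus one constructed stray pure ACK from another host. Three assumptions are built in and labelled in the code: every flag listed in `tcpflags` must be set on a packet for it to count, `seq_timeout` runs from the first knock of an attempt, and an out-of-order knock resets the attempt.

```python
"""Simplified knockd-style sequence matcher replaying tcpdump lines.

Added example for this thread; not knockd's own code. It models, as an
assumption, the rule that every flag listed in tcpflags must be set on a
packet for it to count, seq_timeout measured from the first knock, and an
in-order sequence where a wrong port resets the attempt.
"""
import re
from dataclasses import dataclass

# Old-style tcpdump TCP line as in lanrat's post: flag letters after the
# colon (S/F/P/R, "." for none), with ACK signalled by an "ack N" field.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>.+?)\.(?P<sport>\d+) > "
    r"(?P<dst>.+?)\.(?P<dport>\d+): (?P<flags>[SFPR.]+) (?P<rest>.*)$"
)
_LETTERS = (("S", "syn"), ("F", "fin"), ("P", "psh"), ("R", "rst"))


@dataclass
class Packet:
    ts: float          # seconds since midnight
    src: str
    dport: int
    flags: frozenset   # subset of {"syn", "ack", "fin", "rst", "psh"}


def parse_line(line):
    """Return a Packet for a tcpdump TCP line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {name for ch, name in _LETTERS if ch in m["flags"]}
    if re.search(r"\back \d+", m["rest"]):
        flags.add("ack")
    h, mnt, s = m["ts"].split(":")
    return Packet(int(h) * 3600 + int(mnt) * 60 + float(s),
                  m["src"], int(m["dport"]), frozenset(flags))


@dataclass
class Door:
    sequence: tuple
    seq_timeout: float
    tcpflags: frozenset


@dataclass
class Attempt:
    started: float
    stage: int = 0


class Matcher:
    def __init__(self, door):
        self.door = door
        self.attempts = {}   # src -> Attempt in progress
        self.opened = []     # sources that completed the whole sequence

    def feed(self, pkt):
        d = self.door
        # Assumed knockd rule: a packet counts only if every configured flag is
        # set on it. A plain SYN from connect() never satisfies tcpflags = syn,ack.
        if not d.tcpflags <= pkt.flags:
            return "ignored: flags %s" % sorted(pkt.flags)
        if pkt.dport not in d.sequence:
            return "ignored: port %d not in sequence" % pkt.dport
        att = self.attempts.get(pkt.src)
        if att and pkt.ts - att.started > d.seq_timeout:
            del self.attempts[pkt.src]       # too slow: the attempt has expired
            att = None
        if att is None:
            att = self.attempts[pkt.src] = Attempt(started=pkt.ts)
        if pkt.dport != d.sequence[att.stage]:
            del self.attempts[pkt.src]       # out of order: start over (simplification)
            return "reset: expected %d, got %d" % (d.sequence[att.stage], pkt.dport)
        att.stage += 1
        if att.stage == len(d.sequence):
            del self.attempts[pkt.src]
            self.opened.append(pkt.src)
            return "open"
        return "stage %d" % att.stage


def run_capture(lines, tcpflags, seq_timeout=15, sequence=(7000, 8000, 9000)):
    """Replay tcpdump lines through one door; return the sources that opened it."""
    m = Matcher(Door(tuple(sequence), seq_timeout, frozenset(tcpflags)))
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            m.feed(pkt)
    return m.opened


# Constructed capture: the three SYNs from lanrat's post plus one made-up
# stray pure ACK from another host that a tcpflags = syn door must ignore.
CAPTURE = """\
23:36:49.775314 IP outsidehost.blahblah.com.45958 > your_firewall_host.lalala.com.7000: S 3180976499:3180976499(0) win 5840 <mss>
23:36:52.100000 IP otherhost.example.net.51000 > your_firewall_host.lalala.com.8000: . ack 1 win 5840
23:36:55.615175 IP outsidehost.blahblah.com.34870 > your_firewall_host.lalala.com.8000: S 3193429035:3193429035(0) win 5840 <mss>
23:36:58.847666 IP outsidehost.blahblah.com.49256 > your_firewall_host.lalala.com.9000: S 3183829694:3183829694(0) win 5840 <mss>
""".splitlines()

if __name__ == "__main__":
    for flags, timeout in ((("syn",), 15), (("syn", "ack"), 15), (("syn",), 5)):
        print("tcpflags=%s seq_timeout=%d -> opened %s"
              % (",".join(flags), timeout, run_capture(CAPTURE, flags, timeout)))
```

Run as is, the first line opens the door for outsidehost, the second (`syn,ack`) opens nothing because every client SYN lacks the ACK bit, and the third shows a second trap in the same capture: with ralvez's `seq_timeout = 5` the 5.8 s gap between the first two knocks in lanrat's trace already expires the attempt, whereas dtw's `seq_timeout = 15` accepts it.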
