This little script makes using one-time sequences with Judd Vinet's knockd really quite easy Happy New Year!
EXAMPLES Generate sequences: knock-once --generate --output-file ~/.knock-once/myserver_sequences Send first uncommented knock sequence from ~/.knock-once/myserver_sequences: knock-once ~/.knock-once/myserver_sequences myserver.example.com Send and comment out sequence after usage: knock-once --comment-sequence ~/.knock-once/myserver_sequences myserver.example.com
knock-once man page:
NAME knock-once - port-knock client helper utility SYNOPSIS knock-once [options] file server knock-once -g [options] DESCRIPTION knock-once is a script to automate the generation and sending of one-time knock sequences to servers running knockd, the port-knock server written by Judd Vinet. knock-once can generate a list of random sequences using either /dev/random or /dev/urandom. The script then sends knocks from this list using the port-knock client, knock, that comes with the knockd package. Sequences from the list can be automatically commented out after usage. OPERATIONS -g, --generate Generate a list of random port-knock sequences in the format recognized by knockd. -h, --help Output syntax and command-line options. -s, --send <file> <server> Send the first uncommented port-knock sequence from the specified file to the specified server. This is the default operation and only file and server need to be passed as command-line arguments. -v, --version Display the version. GENERATE OPTIONS -l, --sequence-length <length> Specify the number of packets in each sequence. Any positive integer may be specified. The default is 3. -m, --min-port <port> Specify the lowest port number to use in the generated sequences. The default is 1024. -M, --max-port <port> Specify the highest port number to use in the generated sequences. The default is 65536. -n, --total-number <number> Specify the total number of sequences to generate. The default is 100. -o, --output-file <file> Specify the file path to write sequences into. Existing files will not be overwritten so a new file path must be specified. The default is ./knock-once_sequences. -r, --true-random Use /dev/random as the random number generator. The default is /dev/urandom. -t, --tcp-only Use only the TCP protocol in generated sequences. The default uses both TCP and UDP. -u, --udp-only Use only the UDP protocol in generated sequences. The default uses both TCP and UDP. SEND OPTIONS -c, --comment-sequence Comment out the sequence with a hash sign (#) after usage. The user must therefore have write access to the file specified. -d --delay <delay> Specify the delay in seconds to sleep between each knock. This prevents packets from arriving in the wrong order. Increase the delay if problems occur. See sleep(1) for further details on the arguments allowed. The default is 1. EXAMPLES Generate sequences: knock-once --generate --output-file ~/.knock-once/myserver_sequences Send first uncommented knock sequence from ~/.knock-once/myserver_sequences: knock-once ~/.knock-once/myserver_sequences myserver.example.com Send and comment out sequence after usage: knock-once --comment-sequence ~/.knock-once/myserver_sequences myserver.example.com BUGS If there are any bugs, send an email with as much detail as possible to firstname.lastname@example.org AUTHOR Jamie Nguyen <email@example.com> SEE ALSO knock(1), knockd(1), random(4) See https://sourceforge.net/projects/knockonce/ for current information.
Last edited by dyscoria (2011-01-03 16:17:53)
So, this will just work it's way down the list each time? I'm not sure if this would work with multiple machines who ssh in....hrm.
I wonder if it'd be possible to build a similar tool that mimics two factor RSA keys, so that if you have whatever random seed on a machine and a correct clock within +/- a reasonable window of time, you can generate the current ports that need knocked? You'd just need a cron script to run every X minutes to change the port sequence.