ipt_sysrq 0.4 review
ipt_sysrq is a new iptables target that allows you to do the same as the magic sysrq key on a keyboard does, but over the network.
Sometimes a remote server hangs and responds only to ICMP echo requests (ping). Every administrator of such a machine is very unhappy, because (s)he must go there and press the reset button, which takes a long time and is inconvenient. Here is a solution: with the Network Magic SysRq you can do more than just press a reset button. You can remotely sync the disks, remount them read-only and then reboot, all comfortably and in only a few seconds.
You can restrict who can do this with your iptables rules. Unfortunately, for simplicity, the Network Magic SysRq is based on a single-packet request. The packet is encrypted and password protected, but anyone who can sniff it can resend it unchanged (a replay attack), although (s)he cannot modify it. The request is also protected by a timestamp: when the packet is generated it is stamped with the current date and time, and on the server side that stamp is compared with the server's current time and the request is accepted only if it is within the tolerance. Together with some other information, the timestamp is protected by a SHA1 hash. This means a potential attacker has only a limited time window in which to replay a sniffed packet. If you need better security than this, use a secure encrypted tunnel (one that does not depend on userspace, of course, since a hung machine may not be running any userspace at all).
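To make the replay window concrete, here is an added model of the password-plus-timestamp check described above. It is an illustration written for this review, not ipt_sysrq's own code or wire format: the real packet is also encrypted, which is left out here, and the 30-second tolerance, the packet layout and the password are all assumptions. It shows the three outcomes the text describes: a fresh request is accepted, a sniffed copy replayed inside the tolerance is still accepted, and a copy replayed after the window, or one whose command byte was changed, is rejected.

```python
import hashlib
import hmac
import struct

# Constructed model of the single-packet, password-plus-timestamp request the
# page describes. This is an added illustration, not ipt_sysrq's wire format:
# the real module also encrypts the packet, which is left out here so the
# replay window is easy to see. The tolerance value is an assumption.
TOLERANCE = 30          # seconds of clock skew the server accepts (assumed)
STAMP_LEN = 4           # 32-bit unix timestamp, network byte order (assumed)
DIGEST_LEN = hashlib.sha1().digest_size  # 20 bytes


def build_request(password: bytes, command: bytes, now: int) -> bytes:
    """Client side: stamp the SysRq command with the current time and bind
    timestamp + command to the shared password with a SHA-1 digest."""
    body = struct.pack("!I", now) + command
    digest = hashlib.sha1(password + body).digest()
    return body + digest


def verify_request(password: bytes, packet: bytes, server_now: int,
                   tolerance: int = TOLERANCE):
    """Server side: return (accepted, command_or_reason). A packet is
    rejected when its digest does not match (tampering / wrong password)
    or when its timestamp lies outside the tolerance window (stale replay).
    A replay *inside* the window is indistinguishable from a fresh request."""
    if len(packet) < STAMP_LEN + 1 + DIGEST_LEN:
        return False, "short packet"
    body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
    expected = hashlib.sha1(password + body).digest()
    if not hmac.compare_digest(digest, expected):   # constant-time compare
        return False, "bad digest"
    (stamp,) = struct.unpack("!I", body[:STAMP_LEN])
    if abs(server_now - stamp) > tolerance:
        return False, "stale timestamp"
    return True, body[STAMP_LEN:]


def replay_demo() -> dict:
    """Walk through the scenarios the text describes with a constructed
    password and clock: fresh request, replay inside and outside the
    window, a modified command, and a wrong password."""
    password = b"correct horse"               # constructed shared secret
    t0 = 1_000_000                            # constructed client clock
    pkt = build_request(password, b"s", t0)   # 's' = sync, as in SysRq
    # Attacker flips the command byte to 'b' (reboot) without the password.
    tampered = pkt[:STAMP_LEN] + b"b" + pkt[STAMP_LEN + 1:]
    return {
        "fresh": verify_request(password, pkt, t0),
        "replay_in_window": verify_request(password, pkt, t0 + 10),
        "replay_after_window": verify_request(password, pkt, t0 + 60),
        "tampered": verify_request(password, tampered, t0),
        "wrong_password": verify_request(b"wrong", pkt, t0),
    }


if __name__ == "__main__":
    for name, (ok, detail) in replay_demo().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}  {detail!r}")
```

The replay_in_window case is exactly the exposure the text admits: within the tolerance, the server cannot tell a sniffed copy from the original, and closing that gap would need per-request state (a counter or nonce) that a stateless single-packet design avoids. The model uses a bare SHA-1 over password and message to stand in for the hash the page mentions; a current design would use HMAC-SHA1 or a stronger MAC.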
Requirements:
Works on Linux 2.4.x and 2.6.x kernels.
To compile it successfully you need to have installed:
GCC
Linux kernel sources of your running kernel
Header files of your iptables command
What's New in This Release:
More user-friendly
Enhanced encryption algorithm (no terrible prime numbers needed)
Enhanced security (time- and password-based protection)