knock 0.5 review
Downloadknockd is a port-knock server
|
|
knockd is a port-knock server.
It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open security holes in a firewall for quick access.
The example below could be used to run a strict (DENY policy) firewall that can only be accessed after a successful knock sequence.
1) Client sends four TCP SYN packets to Server, at the following ports:
38281, 29374, 4921, 54918
2) Server detects this and runs an iptables command to open port 22 to Client.
3) Client connects to Server via SSH and does whatever it needs to do.
4) Client sends four more TCP SYN packets to Server:
37281, 8529, 40127, 10100
5) Server detects this and runs another iptables to close port 22 to Client.
What's New in This Release:
Added ability to change the knocking protocol (TCP/UDP) on a per-port basis using the knock client (instead of the -u switch)
Patches from Philippe Lovis :
Fixed memory leaks and potential security vulnerabilities
Added --lookup option for DNS lookups (default is off)
Added support for one-time sequences
Added Interface directive to select the listening interface
Moved packet filtering to kernel space with BPF filters
Support for excluding TCP flags with "!"
Removed the leftover/deprecated layer-2 MAC logic
knock 0.5 keywords