WebKnock 21 review
The Webknock project is a program that continuously scans Apache's "access" logfile and executes a configurable command when a certain URL sequence is detected. The IP address of the client can be passed to the command to be executed, allowing one to use iptables to open certain ports (usually, SSH) to certain hosts as soon as the correct URL sequence is requested. No changes to the Web server configuration are necessary.
I finally got tired of all the script-kiddies trying to guess my root and other common user passwords by brute-force attack. Even though I have SSH configured to allow only a few selected users to log in, their brute-force attempts create some quite large syslog files on my system.
I went around looking for a portknocker, but since many times we're behind restrictive firewalls, it becomes impossible to remotely "open" SSH to your current IP address.
I then decided to write something myself, and webknock is the result of it.
Webknock is a Perl program that sits idly in the background monitoring your Apache "access" logfile. Once a pre-determined sequence of URLs is hit, it executes a configurable command, with the calling IP address as an argument. A popular choice here would be "iptables", allowing access to your current IP.
After a pre-determined (but configurable) amount of time, another command is executed, this time "closing" access for the previously granted IP address.
Note that this is only useful if you already have Apache running on your server, and port 80 or 443 can be accessed from anywhere on the net (my case). Also, no modifications are required to the Apache configuration.
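As an added illustration of the mechanism described above (not code from the webknock project, which is written in Perl), here is a small Python version of the log-watching state machine: it parses Apache access-log lines, tracks each client's progress through a knock sequence within a time window, reports when the "open" command should run for that IP, and later reports when the "close" command is due. The log-line regex, the knock URLs and the timings are constructed assumptions for this example.

```python
import re

# Apache common/combined log format: client IP first, request line in quotes.
# The regex and the knock sequence below are constructed for this example.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*"')
KNOCK_SEQUENCE = ("/knock/one", "/knock/two", "/knock/three")

class WebKnocker:
    """Tracks per-IP progress through the knock sequence and the time at
    which each opened IP must be closed again (the two commands webknock runs)."""

    def __init__(self, sequence=KNOCK_SEQUENCE, window=30, open_for=300):
        self.sequence = sequence
        self.window = window        # seconds allowed to finish the whole sequence
        self.open_for = open_for    # seconds before the "close" command is due
        self.progress = {}          # ip -> (next expected index, time of first knock)
        self.opened = {}            # ip -> time at which the grant expires

    def feed(self, line, now):
        """Consume one access-log line; return ("open", ip) when the
        sequence completes for that client, otherwise None."""
        m = LOG_RE.match(line)
        if not m:
            return None                      # not a parseable request line
        ip, path = m.group("ip"), m.group("path").split("?", 1)[0]
        if path not in self.sequence:
            return None                      # ordinary browsing is ignored
        idx, started = self.progress.get(ip, (0, now))
        if idx == 0 or now - started > self.window:
            idx, started = 0, now            # fresh attempt, or previous one too slow
        if path == self.sequence[idx]:
            idx += 1                         # correct next knock
        elif path == self.sequence[0]:
            idx, started = 1, now            # out of order, but restarts the sequence
        else:
            idx = 0                          # wrong knock: discard progress
        if idx == len(self.sequence):
            self.progress.pop(ip, None)
            self.opened[ip] = now + self.open_for
            return ("open", ip)
        self.progress[ip] = (idx, started)
        return None

    def expire(self, now):
        """Return [("close", ip), ...] for grants whose time has run out."""
        due = [ip for ip, until in self.opened.items() if until <= now]
        for ip in due:
            del self.opened[ip]
        return [("close", ip) for ip in due]
```

A caller would tail the access log, pass each line with the current time to `feed`, call `expire` periodically, and run the configured open/close command with the returned IP; the close step is what keeps every grant temporary.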