LinuxQuestions.org
Old 02-20-2009, 11:19 AM   #1
wsduvall
Port knocking in Shorewall


Hey guys,

I'm trying to set up Shorewall to allow knocking on port 22. I'm trying to follow this site's directions, http://www.shorewall.net/PortKnocking.html, but I keep getting this error:

Code:
Compiling...
Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling /etc/shorewall/routestopped for critical hosts...
Compiling /etc/shorewall/routestopped...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
   ERROR: Unknown action (SSHKnock) : /etc/shorewall/rules (line 73)
I'm using the perl compiler, and I have that set in /etc/shorewall/shorewall.conf. My /etc/shorewall/rules looks like:

Code:
#Port forward SSH
#DNAT           net             loc:192.168.0.100:22    TCP     22
SSHKnock         net            $FW             tcp       1599,1600,1601
SSHKnock         net            loc:192.168.0.100:22    TCP     22 -       98.244.111.68
Any ideas?
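The compiler error says Shorewall does not recognise SSHKnock as a target. The checker below is an added example (not code from the thread or from Shorewall) that reads a rules file and an actions file and lists rule targets that are neither built-in nor declared. It assumes the Shorewall convention that user-defined actions are declared one per line in /etc/shorewall/actions and implemented in a file named action.<name>; the built-in target list is a hand-picked subset, and the sample rules are constructed from the lines in the post above.

```python
import os

# Assumption: a hand-picked subset of Shorewall's built-in rule targets.
BUILTIN_TARGETS = {"ACCEPT", "ACCEPT+", "DROP", "REJECT", "DNAT", "DNAT-",
                   "REDIRECT", "REDIRECT-", "LOG", "QUEUE", "NFQUEUE",
                   "CONTINUE", "NONAT"}

def parse_actions(text):
    """Names declared in an actions file: first column of each non-comment line."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names

def rule_targets(text):
    """Yield (line_no, target); strips ':loglevel', skips comments and SECTION lines."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("SECTION"):
            continue
        yield no, line.split()[0].split(":", 1)[0]

def unknown_actions(rules_text, actions_text, action_dir=None):
    """Return [(line_no, target, reason)] for targets the compiler would reject."""
    declared = parse_actions(actions_text)
    problems = []
    for no, target in rule_targets(rules_text):
        if target in BUILTIN_TARGETS or "/" in target:  # '/' marks a macro invocation
            continue
        if target not in declared:
            problems.append((no, target, "not declared in actions file"))
        elif action_dir and not os.path.exists(os.path.join(action_dir, "action." + target)):
            problems.append((no, target, "declared but action.%s file is missing" % target))
    return problems

# Constructed sample: the rules lines from the post, plus one built-in ACCEPT rule.
SAMPLE_RULES = """\
#ACTION   SOURCE  DEST                  PROTO  DEST PORT(S)    SOURCE PORT(S) ORIGINAL DEST
ACCEPT    net     $FW                   tcp    80
#DNAT     net     loc:192.168.0.100:22  TCP    22
SSHKnock  net     $FW                   tcp    1599,1600,1601
SSHKnock  net     loc:192.168.0.100:22  TCP    22              -              98.244.111.68
"""
if __name__ == "__main__":
    for no, target, why in unknown_actions(SAMPLE_RULES, ""):
        print("rules line %d: %s (%s)" % (no, target, why))
    print("after declaring it:", unknown_actions(SAMPLE_RULES, "SSHKnock\n"))
```

Pass `action_dir="/etc/shorewall"` to also confirm that the action file itself exists on the machine being checked.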
 
Old 02-21-2009, 12:34 AM   #2
JulianTosh
I don't want to deter you from experimenting, but port knocking is security through obscurity. Anyone who can sniff your traffic can replicate the port knocking and gain access to the service.

A better approach is to simply use keyed authentication - disable password authentication and force the use of ssh keys.

That and disable direct root login and you're good to go!

 
Old 02-21-2009, 11:57 AM   #3
wsduvall
I have actually already disabled root login (this should probably even be default...) and set up key authentication. I would still like to get port knocking set up, if for nothing else than to figure out why my Shorewall action isn't working! Thanks though!
 
Old 02-21-2009, 02:09 PM   #4
andrew22
Try "knockd", a nice knocking daemon (that's the server, not the client), which, with help from iptables, will result in a secure enough SSH login. The client is "knock". Good luck defending your system!!!
 
Old 04-06-2009, 02:53 AM   #5
kipluxer
I'm trying to configure Shorewall on CentOS, but I get an error with this configuration.
Please help me.
I'm using it for load balancing across two ISPs (ADSL and VPN), comparing iptables-based Shorewall with MikroTik hardware.

Code:
[root@olympia init.d]# shorewall start
Compiling...
Initializing...
Determining Zones...
   IPv4 Zones: net local
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ERROR: Invalid TARGET in rule "COUNT        "
/sbin/shorewall: line 384: 15819 Terminated              $command $SHOREWALL_SHELL $sc $@
 
Old 04-06-2009, 07:45 AM   #6
AlucardZero
You have an Invalid TARGET in rule COUNT, possibly on line 384.

Maybe if you posted your configuration you'd get a more useful answer.
 