Old 02-20-2009, 11:19 AM   #1
Registered: Aug 2006
Posts: 92

Rep: Reputation: 16
Port knocking in Shorewall

Hey guys,

I'm trying to set up Shorewall to allow knocking on port 22. I'm trying to follow this site's directions, but I keep getting this error:

Compiling /etc/shorewall/zones...
Compiling /etc/shorewall/interfaces...
Determining Hosts in Zones...
Preprocessing Action Files...
   Pre-processing /usr/share/shorewall/action.Drop...
   Pre-processing /usr/share/shorewall/action.Reject...
Compiling /etc/shorewall/policy...
Compiling /etc/shorewall/routestopped for critical hosts...
Compiling /etc/shorewall/routestopped...
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering...
Compiling Kernel Route Filtering...
Compiling Martian Logging...
Compiling /etc/shorewall/masq...
Compiling MAC Filtration -- Phase 1...
Compiling /etc/shorewall/rules...
   ERROR: Unknown action (SSHKnock) : /etc/shorewall/rules (line 73)
I'm using the perl compiler, and I have that set in /etc/shorewall/shorewall.conf. My /etc/shorewall/rules looks like:

#Port forward SSH
#DNAT           net             loc:    TCP     22
SSHKnock         net            $FW             tcp       1599,1600,1601
SSHKnock         net            loc:    TCP     22 -
Any ideas?
Old 02-21-2009, 12:34 AM   #2
Registered: Sep 2007
Location: Las Vegas, NV
Distribution: Fedora / CentOS
Posts: 674
Blog Entries: 3

Rep: Reputation: 90
I don't want to deter you from experimenting, but port knocking is security through obscurity. Anyone that can sniff your traffic can replicate the port knocking and gain access to the service.

A better approach is to simply use keyed authentication - disable password authentication and force the use of ssh keys.

That and disable direct root login and you're good to go!

Last edited by JulianTosh; 02-21-2009 at 12:35 AM.
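
The sshd settings recommended in post #2 (key-only authentication, no direct root login), checked by a script. This is an added example and not part of any post in the thread; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit the global section of an
# sshd_config for the settings recommended in post #2.
# Assumptions: sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line apply only conditionally.

# sshd_global_value FILE KEYWORD
# Prints the first global value (lowercased), or "unset" if absent.
sshd_global_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)      # accept "Keyword=value"
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (key == "match") exit             # global section ends here
            if (key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# sshd_audit FILE
# Returns 0 only if password logins and direct root logins are explicitly
# disabled and public-key authentication has not been switched off.
sshd_audit() {
    rc=0
    pw=$(sshd_global_value "$1" PasswordAuthentication)
    root=$(sshd_global_value "$1" PermitRootLogin)
    pk=$(sshd_global_value "$1" PubkeyAuthentication)
    if [ "$pw" = no ];   then echo "PASS PasswordAuthentication=$pw"; else echo "FAIL PasswordAuthentication=$pw"; rc=1; fi
    if [ "$root" = no ]; then echo "PASS PermitRootLogin=$root";      else echo "FAIL PermitRootLogin=$root"; rc=1; fi
    if [ "$pk" != no ];  then echo "PASS PubkeyAuthentication=$pk";   else echo "FAIL PubkeyAuthentication=$pk"; rc=1; fi
    return "$rc"
}

# write_sample FILE: constructed config with a shadowed setting; the later
# "PasswordAuthentication no" is ignored because an earlier line said "yes".
write_sample() {
    printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
        'passwordauthentication yes' 'PasswordAuthentication no' \
        'Match User backup' '    PasswordAuthentication yes' > "$1"
}

demo=$(mktemp) && write_sample "$demo"
sshd_audit "$demo" || echo "sshd_config needs attention"
rm -f "$demo"
```

On a live host, `sshd -T` prints the effective configuration as sshd itself computes it, which is the authoritative check.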
Old 02-21-2009, 11:57 AM   #3
Registered: Aug 2006
Posts: 92

Original Poster
Rep: Reputation: 16
I have actually already disabled root login (this should probably even be default...) and key authentication. I would still like to get port knocking set up, if for nothing else than to figure out why my Shorewall action isn't working! Thanks though!
Old 02-21-2009, 02:09 PM   #4
Registered: Jan 2009
Location: Heaven
Distribution: Ubuntu 8.10 , openSUSE 11.1
Posts: 56

Rep: Reputation: 16
Try "knockd", a nice knocking daemon (that's the server, not the client), and with help from iptables, it will result in a secure enough SSH login. The client is "knock". Good luck defending your system!!!
Old 04-06-2009, 02:53 AM   #5
LQ Newbie
Registered: Apr 2009
Posts: 6

Rep: Reputation: 0
I'm trying to configure Shorewall on CentOS, but I'm finding an error in this configuration.
Please help me.
I'm using load balancing across two ISPs (ADSL and VPN), comparing Shorewall (iptables-based) with MikroTik (hardware-based).

[root@olympia init.d]# shorewall start
Determining Zones...
   IPv4 Zones: net local
   Firewall Zone: fw
Validating interfaces file...
Validating hosts file...
Pre-processing Actions...
   Pre-processing /usr/share/shorewall/action.Drop...
   ERROR: Invalid TARGET in rule "COUNT        "
/sbin/shorewall: line 384: 15819 Terminated              $command $SHOREWALL_SHELL $sc $@
Old 04-06-2009, 07:45 AM   #6
Senior Member
Registered: May 2006
Location: USA
Distribution: Debian
Posts: 4,701

Rep: Reputation: 566
You have an Invalid TARGET in rule COUNT, possibly on line 384.

Maybe if you posted your configuration you'd get a more useful answer.