pyportknock

pyportknock is a port-knocking client/server implementation written in Python. It consists of two scripts: the client, which sends the knocks, and the server, which monitors firewall logs for knocks. This code (especially the client) is very heavily based on work done by Marilen Corciovei.

This code is strictly an exercise for me. I do not suggest you use this unless you have the knowledge to read the code, and understand what it is doing. I am not a security expert, and there may be security problems with this code. That being said, I have used this on my system, and it seems to work okay.

The client should work on any Unix system. The server is tailored for Linux, but with a few quick tweaks there is no reason it would not work on any other Unix system.

Features

Problems and solutions

The knock sequence is susceptible to sniffing attacks. To prevent SSH brute-forcing, it is strongly recommended to use only key-based authentication. I will also add a hook to restrict knocks to known MAC addresses only, to add extra security for those who will only connect from a known computer.

The server depends on firewall logs, which may be difficult to configure depending on your system logger. If using iptables, you can use the ULOG target to create a portknock log. If using the LOG target, you will have to use your system logger's filter mechanism to separate portknock messages from the rest. I will add a hook to only process lines with an arbitrary identifier, which you would create using "--log-prefix" in iptables.
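
An added illustration of the log-prefix filtering described above, not pyportknock's own server code: it keeps only iptables LOG lines carrying a "--log-prefix" tag and tracks each source's progress through a knock sequence. The prefix "PORTKNOCK: ", the ports, the 10-second window and every function name are assumptions made for this example, and the log lines are constructed.

```python
import re

# Assumed values for this example; none are taken from pyportknock.
LOG_PREFIX = "PORTKNOCK: "     # tag set with iptables --log-prefix
SEQUENCE = (7000, 8000, 9000)  # constructed knock sequence
WINDOW = 10                    # seconds allowed to finish the sequence
FIELD_RE = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def parse_knock(line):
    """Return (src_ip, dst_port) for a tagged TCP log line, else None."""
    if LOG_PREFIX not in line:
        return None            # other firewall or syslog traffic
    fields = dict(FIELD_RE.findall(line))
    if not (fields.get("PROTO") == "TCP" and "SRC" in fields
            and fields.get("DPT", "").isdigit()):
        return None
    return fields["SRC"], int(fields["DPT"])

def find_openers(entries):
    """Return sources that sent SEQUENCE in order within WINDOW seconds."""
    progress, opened = {}, []  # progress: src -> (next index, start time)
    for ts, line in entries:
        if (knock := parse_knock(line)) is None:
            continue
        src, port = knock
        idx, start = progress.get(src, (0, ts))
        if idx == 0 or ts - start > WINDOW:
            idx, start = 0, ts              # new or expired attempt
        if port == SEQUENCE[idx]:
            idx += 1
        else:                               # wrong port resets progress
            idx, start = (1 if port == SEQUENCE[0] else 0), ts
        if idx == len(SEQUENCE):
            opened.append(src)              # full sequence seen in order
            idx = 0
        progress[src] = (idx, start)
    return opened

# Constructed sample input: (epoch seconds, log line) pairs, iptables LOG style.
LINE = "kernel: {}IN=eth0 OUT= SRC={} DST=192.0.2.1 PROTO=TCP SPT=40000 DPT={} SYN"
SAMPLE = [(100 + i, LINE.format(p, s, d)) for i, (p, s, d) in enumerate([
    (LOG_PREFIX, "198.51.100.7", 7000),
    ("DROP: ", "203.0.113.9", 7000),        # untagged rule, ignored
    (LOG_PREFIX, "198.51.100.20", 7000),
    (LOG_PREFIX, "198.51.100.7", 8000),
    (LOG_PREFIX, "198.51.100.20", 9000),    # out of order, resets
    (LOG_PREFIX, "198.51.100.7", 9000),     # completes the sequence
])]

print(find_openers(SAMPLE))  # -> ['198.51.100.7']
```

A real log would need its syslog timestamps converted to seconds before being passed to find_openers.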

You can view the online server source code.
You can view the online client source code.
You can download the client and server source in tarball format.

stats

This page last modified: April 14, 2008 11:28 am

credits


This page, and all pages on this site were created and are maintained by Darren Kirby using valid XHTML 1.0 and CSS, and are ©copyright 2002 - 2008. The Penguin image was created by Tukka, and is used by permission. Inspiration for the look of this site was provided by Eric A. Meyer's CSS gallery. This website runs on Gentoo Linux. It is served by Apache. PHP and MySQL hold together the backend.
