.gear/knock.spec | 113 ++++++++++++ .gear/knockd.init | 112 ++++++++++++ .gear/knockd.sysconfig | 1 + .gear/rules | 5 + .../tags/6d4c5ae02a1ceda6b9348713ecd7235fb99e4508 | 13 ++ .gear/tags/list | 1 + Makefile.am | 4 +- knockd.conf | 30 ++-- src/knock_add | 189 +++++++++++++++++++++ src/knock_helper_ipt.sh | 189 --------------------- 10 files changed, 451 insertions(+), 206 deletions(-) diff --git a/.gear/knock.spec b/.gear/knock.spec new file mode 100644 index 0000000..c88228d --- /dev/null +++ b/.gear/knock.spec 
@@ -0,0 +1,113 @@ +Name: knock +Version: 0.7.8 +Release: alt1 + +Summary: knock is a port-knocking client +License: GPL +Group: Networking/Remote access + +Url: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki +Source0: %name-%version.tar +Source1: knockd.sysconfig +Source2: knockd.init +Patch: %name-%version-%release.patch + +# Automatically added by buildreq on Thu Feb 17 2005 +BuildRequires: gcc-c++ libpcap-devel + +%description +Knock is a port-knocking server/client. Port-knocking is a method where a +server can sniff one of its interfaces for a special "knock" sequence of +port-hits. When detected, it will run a specified event bound to that port +knock sequence. These port-hits need not be on open ports, since we use +libpcap to sniff the raw interface traffic. This package contains the +knock client. + +%package server +Group: Networking/Remote access +Summary: knockd is a port-knocking server + +%description server +Knock is a port-knocking server/client. Port-knocking is a method where a +server can sniff one of its interfaces for a special "knock" sequence of +port-hits. When detected, it will run a specified event bound to that port +knock sequence. These port-hits need not be on open ports, since we use +libpcap to sniff the raw interface traffic. This package contains the +knockd server. 
+ +%prep +%setup +%patch -p1 + +%build +autoreconf -fisv +%configure +%make_build + +%install +%make_install DESTDIR=%buildroot install +install -pD -m644 %SOURCE1 %buildroot%_sysconfdir/sysconfig/knockd +install -pD -m755 %SOURCE2 %buildroot%_initdir/knockd +install -pD -m600 knockd.conf %buildroot%_sysconfdir/knockd.conf + +%post server +%post_service knockd + +%preun server +%preun_service knockd + +%postun server +if [ "$1" -ge "1" ]; then + /sbin/service knockd condrestart >/dev/null 2>&1 || : +fi + +%files +%_bindir/%name +%_man1dir/knock.1* + +%files server +%doc README.md ChangeLog TODO +%attr(0755,root,root) %_sbindir/knockd +%attr(0600,root,root) %config(noreplace) %_sysconfdir/knockd.conf +%attr(0644,root,root) %config(noreplace) %_sysconfdir/sysconfig/knockd +%attr(0755,root,root) %config %_initdir/knockd +%_sbindir/knockd +%_sbindir/knock_add +%_man1dir/knockd.1* + +%changelog +* Wed Feb 03 2016 Anton Farygin 0.7.8-alt1 +- new version, build from upstream git + +* Wed Apr 17 2013 Dmitry V. Levin (QA) 0.5-alt6.qa1 +- NMU: rebuilt for debuginfo. + +* Thu Dec 04 2008 Michael Shigorin 0.5-alt6 +- added condstop to initscript (per repocop advice) + +* Tue Nov 25 2008 Michael Shigorin 0.5-alt5 +- fixed build with gcc 4.3 against glibc 2.8+ + +* Wed Nov 05 2008 Michael Shigorin 0.5-alt5 +- DID NOT fix build +- updated Url: + +* Sun Jan 28 2007 Michael Shigorin 0.5-alt4 +- updated Url: +- added Packager: + +* Sun Dec 10 2006 Michael Shigorin 0.5-alt3 +- updated Url: +- spec macro abuse cleanup + +* Thu Sep 29 2005 Michael Shigorin 0.5-alt2 +- removed duplicated manpage from packages (thanks raorn@) + +* Tue Jul 12 2005 Michael Shigorin 0.5-alt1 +- 0.5 +- rebuilt for Sisyphus +- spec cleanup/optimization + +* Thu Feb 17 2005 Alexey Beleckiy 0.4-alt1 +- Initial build + diff --git a/.gear/knockd.init b/.gear/knockd.init new file mode 100644 index 0000000..4e0a41d --- /dev/null +++ b/.gear/knockd.init 
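Review bot: `%files server` lists `%_sbindir/knockd` twice, once under `%attr(0755,root,root)` and once bare three lines later; rpmbuild warns about duplicate file entries, so the bare `%_sbindir/knockd` line should go. `knockd.conf` is installed 0600 and marked `%config(noreplace)`, which fits a file whose knock sequences are effectively secrets, but `%_sbindir/knock_add` carries no `%attr`, so its mode is whatever the install step produced; an explicit `%attr(0755,root,root) %_sbindir/knock_add` makes that deterministic. `Patch:` is declared and applied unconditionally with `%patch -p1`, which presumably relies on the `diff:` rule in `.gear/rules` always emitting a patch file — worth confirming that a build without local changes still gets through `%prep`.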
@@ -0,0 +1,112 @@ +#!/bin/sh +# +# chkconfig: - 85 15 +# description: Knock is a port-knocking server/client. +# processname: knockd +# config: /etc/knockd.conf +# pidfile: /var/run/knockd.pid + +# Script Author: Simon Matter +# Version: 2004041500 + +# Source function library. +if [ -f /etc/init.d/functions ]; then + . /etc/init.d/functions +elif [ -f /etc/rc.d/init.d/functions ] ; then + . /etc/rc.d/init.d/functions +else + exit 0 +fi + +# Source networking configuration. +. /etc/sysconfig/network + +# Check that networking is up. +[ ${NETWORKING} = "no" ] && exit 0 + +# This is our service name +BASENAME=`basename $0` +if [ -L $0 ]; then + BASENAME=`find $0 -name $BASENAME -printf %l` + BASENAME=`basename $BASENAME` +fi + +[ -f /etc/${BASENAME}.conf ] || exit 1 + +OPTIONS="" + +# Source service configuration. +if [ -f /etc/sysconfig/$BASENAME ]; then + . /etc/sysconfig/$BASENAME +else + echo "$BASENAME: configfile /etc/sysconfig/$BASENAME does NOT exist !" + exit 1 +fi + +RETVAL=0 + +start() { + echo -n $"Starting $BASENAME: " + start_daemon /usr/sbin/$BASENAME -d $OPTIONS + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && touch /var/lock/subsys/$BASENAME + return $RETVAL +} + +stop() { + echo -n $"Shutting down $BASENAME: " + #killall $BASENAME + stop_daemon $BASENAME + RETVAL=$? + echo + [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/$BASENAME + return $RETVAL +} + +restart() { + stop + start +} + +rhstatus() { + status $BASENAME +} + +condrestart() { + [ -e /var/lock/subsys/$BASENAME ] && restart || : +} + +condstop() { + [ -e /var/lock/subsys/$BASENAME ] && stop || : +} + +# See how we were called. +case "$1" in + start) + start + ;; + stop) + stop + ;; + restart) + restart + ;; + reload) + restart + ;; + condrestart) + condrestart + ;; + condstop) + condstop + ;; + status) + rhstatus + ;; + *) + echo $"Usage: $BASENAME {start|stop|restart|reload|condrestart|status}" + RETVAL=1 +esac + +exit $RETVAL 
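Review bot: `[ ${NETWORKING} = "no" ] && exit 0` expands unquoted, so when `NETWORKING` is unset or empty the test degenerates to `[ = no ]`, `[` fails with a syntax error, and the script carries on instead of exiting; write `[ "${NETWORKING}" = "no" ] && exit 0`. The backtick `basename $0` assignment and `[ -L $0 ]` are likewise unquoted and break on a path containing whitespace. The `$"…"` localized strings in `start`, `stop` and the usage line are a bash extension; under a non-bash `/bin/sh` they may print a literal `$`, so either use plain double quotes or change the shebang to bash. The header advertises `pidfile: /var/run/knockd.pid` while `stop_daemon $BASENAME` is given only the name — if the helper stops by process name it would presumably also hit any other `knockd` instance; confirm against the distribution's functions library and pass the pidfile if it is supported.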
diff --git a/.gear/knockd.sysconfig b/.gear/knockd.sysconfig new file mode 100644 index 0000000..5bfcdf0 --- /dev/null +++ b/.gear/knockd.sysconfig @@ -0,0 +1 @@ +#OPTIONS="" diff --git a/.gear/rules b/.gear/rules new file mode 100644 index 0000000..030547e --- /dev/null +++ b/.gear/rules @@ -0,0 +1,5 @@ +tar: v@version@:. +diff: v@version@:. . +spec: .gear/knock.spec +copy: .gear/knockd.init +copy: .gear/knockd.sysconfig \ No newline at end of file diff --git a/.gear/tags/6d4c5ae02a1ceda6b9348713ecd7235fb99e4508 b/.gear/tags/6d4c5ae02a1ceda6b9348713ecd7235fb99e4508 new file mode 100644 index 0000000..6522b80 --- /dev/null +++ b/.gear/tags/6d4c5ae02a1ceda6b9348713ecd7235fb99e4508 @@ -0,0 +1,13 @@ +object 258a27e5a47809f97c2b9f2751a88c2f94aae891 +type commit +tag v0.7.8 +tagger Anton Farygin 1454501827 +0300 + +0.7.8 +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlax78gACgkQqohfd2vlwKtlzgCeP6lYx1uUeZFmQufr3DLRXr0P +51YAoJ2His9BSnF4y2iwiyB2c0EBAA6J +=08dS +-----END PGP SIGNATURE----- diff --git a/.gear/tags/list b/.gear/tags/list new file mode 100644 index 0000000..0e71fd2 --- /dev/null +++ b/.gear/tags/list @@ -0,0 +1 @@ +6d4c5ae02a1ceda6b9348713ecd7235fb99e4508 v0.7.8 diff --git a/Makefile.am b/Makefile.am index c5b15ab..1aa8d3a 100644 --- a/Makefile.am +++ b/Makefile.am @@ -6,7 +6,7 @@ man_MANS = doc/knock.1 if BUILD_KNOCKD sbin_PROGRAMS = knockd -dist_sbin_SCRIPTS = src/knock_helper_ipt.sh +dist_sbin_SCRIPTS = src/knock_add man_MANS += doc/knockd.1 sysconf_DATA = knockd.conf endif @@ -14,7 +14,7 @@ endif dist_doc_DATA = README.md TODO ChangeLog COPYING knock_SOURCES = src/knock.c -knockd_SOURCES = src/knockd.c src/list.c src/list.h src/knock_helper_ipt.sh +knockd_SOURCES = src/knockd.c src/list.c src/list.h src/knock_add %.1: %.1.in sed -e "s/#VERSION#/$(VERSION)/" $< > $@ diff --git a/knockd.conf b/knockd.conf index 7c636f0..9c4262c 100644 --- a/knockd.conf +++ b/knockd.conf 
@@ -1,21 +1,21 @@ [options] logfile = /var/log/knockd.log -[openSSH] - sequence = 7000,8000,9000 - seq_timeout = 5 - command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT - tcpflags = syn +#[openSSH] +# sequence = 7000,8000,9000 +# seq_timeout = 5 +# command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT +# tcpflags = syn -[closeSSH] - sequence = 9000,8000,7000 - seq_timeout = 5 - command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT - tcpflags = syn +#[closeSSH] +# sequence = 9000,8000,7000 +# seq_timeout = 5 +# command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT +# tcpflags = syn -[openHTTPS] - sequence = 12345,54321,24680,13579 - seq_timeout = 5 - command = /usr/local/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP% - tcpflags = syn +#[openHTTPS] +# sequence = 12345,54321,24680,13579 +# seq_timeout = 5 +# command = /usr/sbin/knock_add -i -c INPUT -p tcp -d 443 -f %IP% +# tcpflags = syn diff --git a/src/knock_add b/src/knock_add new file mode 100755 index 0000000..57d0698 --- /dev/null +++ b/src/knock_add 
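Review bot: The commented `[openSSH]` example adds an unbounded `-A INPUT -s %IP% … -j ACCEPT` rule that stays in place until the `[closeSSH]` sequence is knocked, and the `[openHTTPS]` example has no closing counterpart at all, so one successful knock leaves the port open indefinitely for that source. knockd supports `start_command`/`stop_command` with `cmd_timeout`, which lets the sample express a time-bounded opening; a comment such as `# Prefer start_command/stop_command with cmd_timeout so an opened port closes on its own` above the examples would steer administrators toward that form. The switch to `/sbin/iptables` and `/usr/sbin/knock_add` is distribution-specific; a comment noting that these paths must match the installed layout would also help.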
@@ -0,0 +1,189 @@ +#!/bin/sh + +# Original version to add non-duplicated rules by Greg Kuchyt (greg.kuchyt@gmail.com) +# Updated to handle deletes and be generic by Paul Rogers (paul.rogers@flumps.org) + +SCRIPT_NAME=$(basename $0) + +AWK="/bin/awk" +GREP="/bin/grep" +IPTABLES="/sbin/iptables" +SORT="/bin/sort" + +COMMENT_APP="knockd " +COMMENT_DEL="knockd " +COMMENT_INS="knockd " +COMMENT_DEFAULT="by knockd" + +IPT_CHAIN="INPUT" +IPT_METHOD="" +IPT_COMMENT="" +IPT_SRC_IP="" +IPT_DST_PORT="" +IPT_PROTO="tcp" +IPT_RULE_TARGET="ACCEPT" + +DRY_RUN=0 +SEEN=0 +VERBOSE=0 + +usage() { + echo "Usage: $SCRIPT_NAME -a|-i|-x -f SRC_IP_ADDR -d DST_PORT [-p|-c|-m|-t|-h|-v]" + echo "Options:" + echo "-a|--append Action: append a rule to NetFilter" + echo "-i|--insert Action: insert a rule to NetFiler" + echo "-x|--delete Action: delete a rule from NetFilter" + echo "-f|--srcaddr The source IP address to be used" + echo "-d|--dstport The destination port to be used in the rule" + echo "-p|--proto The protocol that the rule applies to; default: $IPT_PROTO" + echo "-c|--chain The NetFilter chain to apply the change to; default: $IPT_CHAIN" + echo "-m|--comment Overide default comment text: '$COMMENT_DEFAULT'" + echo "-t|--test Test run - don't actually perform an update to NetFilter" + echo "-h|--help Print this informational screen and exit" + echo "-v|--verbose Print verbose information about actions" +} + +ARGS=$(getopt -o aixf:d:p:c:m::thv -l "append,insert,delete,srcaddr:,dstport:,proto:,chain:,comment::,test,help,verbose" -n $SCRIPT_NAME -- "$@") + +if [ $? -ne 0 ]; +then + echo "$SCRIPT_NAME - Error! 
Invalid arguments" + usage + exit 1 +fi + +eval set -- "$ARGS" + +while true; do + case "$1" in + -a|--append) + IPT_METHOD="-A" + shift; + ;; + -x|--delete) + IPT_METHOD="-D" + shift; + ;; + -i|--insert) + IPT_METHOD="-I" + shift; + ;; + -f|--srcaddr) + IPT_SRC_IP=$2 + shift 2; + ;; + -d|--dstport) + IPT_DST_PORT=$2 + shift 2; + ;; + -p|--proto) + IPT_PROTO=$2 + shift 2; + ;; + -c|--chain) + IPT_CHAIN=$2 + shift 2; + ;; + -m|--comment) + case "$2" in + "") + IPT_COMMENT=$COMMENT_DEFAULT; + shift 2;; + *) + IPT_COMMENT=$2; + shift 2 ;; + esac + ;; + -t|--test) + DRY_RUN=1 + shift; + ;; + -h|--help) + usage + shift; + exit + ;; + -v|--verbose) + VERBOSE=1 + shift; + ;; + --) + shift; + break; + ;; + esac +done + +# Begin sanity checks +if [ -z "$IPT_SRC_IP" ]; then + echo "$SCRIPT_NAME - Error! Source IP address required" + usage + exit 1 +fi + +if [ -z "$IPT_DST_PORT" ]; then + echo "$SCRIPT_NAME - Error! Destination port required" + usage + exit 1 +fi + +if [ -z "$IPT_METHOD" ]; then + echo "$SCRIPT_NAME - Error! Valid action option not specified" +fi + +case "$IPT_METHOD" in + -A) + IPT_COMMENT="$COMMENT_APP $IPT_COMMENT" + ;; + -I) + IPT_COMMENT="$COMMENT_INS $IPT_COMMENT" + ;; + -D) + IPT_COMMENT="$COMMENT_DEL $IPT_COMMENT" + ;; +esac + +if [ "$VERBOSE" -eq 1 ]; then + echo "$SCRIPT_NAME - Testing rule" + echo "$SCRIPT_NAME - action: $IPT_METHOD _ src: $IPT_SRC_IP _ dstport: $IPT_DST_PORT _ proto: $IPT_PROTO _ chain: $IPT_CHAIN _ comment: $IPT_COMMENT" +fi + +COMMENT="" +if [ -n "$IPT_COMMENT" ]; then + COMMENT="-m comment --comment '$IPT_COMMENT'" +fi + +$IPTABLES -L $IPT_CHAIN &> /dev/null +if [ 0 -ne "$?" 
]; then + echo "$SCRIPT_NAME - Error: $IPT_CHAIN is not a valid NetFilter chain" + exit +fi +# End sanity checks + +# Dupe checking +for IP in `$IPTABLES -n -L $IPT_CHAIN | $GREP $IPT_RULE_TARGET | $GREP "/* $IPT_COMMENT */"| $AWK '{print $4}' | $SORT -u`; +do + if [ "$VERBOSE" -eq 1 ]; then + echo "$SCRIPT_NAME - $IP" + fi + + if [ "$IPT_SRC_IP" == "$IP" ]; then + SEEN=1 + fi +done + +if [ "$VERBOSE" -eq 1 ]; then + echo "$SCRIPT_NAME - Seen: $SEEN" +fi + + +if [ "$SEEN" -eq 0 ]; then + if [ "$VERBOSE" -eq 1 ]; then + echo "$SCRIPT_NAME - $IPT_COMMENT" + echo $IPTABLES $IPT_METHOD $IPT_CHAIN -s $IPT_SRC_IP -p $IPT_PROTO --dport $IPT_DST_PORT -j $IPT_RULE_TARGET $COMMENT + fi + + if [ "$DRY_RUN" -eq 0 ]; then + eval $IPTABLES $IPT_METHOD $IPT_CHAIN -s $IPT_SRC_IP -p $IPT_PROTO --dport $IPT_DST_PORT -j $IPT_RULE_TARGET $COMMENT + fi +fi \ No newline at end of file diff --git a/src/knock_helper_ipt.sh b/src/knock_helper_ipt.sh deleted file mode 100644 index 8577331..0000000 --- a/src/knock_helper_ipt.sh +++ /dev/null 
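Review bot: The final `if [ "$SEEN" -eq 0 ]` gate also applies to `-D`, so a delete only runs when no matching rule is present and an existing knockd rule is never removed; the delete path should require the rule to have been seen. The duplicate scan's `$GREP "/* $IPT_COMMENT */"` is a basic regex in which `*` quantifies the preceding character, so the literal `/* … */` comment delimiters printed by `iptables -n -L` do not appear to match and duplicate ACCEPT rules can accumulate; `$GREP -F -- "/* $IPT_COMMENT */"` compares the text literally. Under `#!/bin/sh` the `&> /dev/null` on the chain check is not a redirection in dash-style shells (the command is backgrounded), leaving `$?` at 0 so the invalid-chain error is unreachable, and the `-z "$IPT_METHOD"` check above it prints an error but continues without `exit 1`. The closing `eval $IPTABLES …` re-parses a string that embeds `$IPT_COMMENT` inside single quotes, so a quote character in the comment breaks the command line; passing the optional `-m comment --comment` arguments via `set --` and invoking `$IPTABLES` directly removes the eval. The rewritten tail below carries these four changes; the option-parsing loop is unchanged.
```shell
if [ -z "$IPT_METHOD" ]; then
  echo "$SCRIPT_NAME - Error! Valid action option not specified"
  usage
  exit 1
fi
# … unchanged: comment prefix selection, verbose summary …

# Build the optional comment match as separate arguments; the leftover
# positional parameters are not used after option parsing.
if [ -n "$IPT_COMMENT" ]; then
  set -- -m comment --comment "$IPT_COMMENT"
else
  set --
fi

"$IPTABLES" -L "$IPT_CHAIN" >/dev/null 2>&1
# … unchanged: invalid-chain error …

# Dupe checking: compare the comment text literally, not as a regex.
for IP in $("$IPTABLES" -n -L "$IPT_CHAIN" | "$GREP" "$IPT_RULE_TARGET" | "$GREP" -F -- "/* $IPT_COMMENT */" | "$AWK" '{print $4}' | "$SORT" -u)
do
  # … unchanged: verbose output and SEEN bookkeeping …
done

# A delete needs the rule to exist; append/insert need it to be absent.
WANT_SEEN=0
[ "$IPT_METHOD" = "-D" ] && WANT_SEEN=1
if [ "$SEEN" -eq "$WANT_SEEN" ]; then
  if [ "$VERBOSE" -eq 1 ]; then
    echo "$SCRIPT_NAME - $IPT_COMMENT"
    echo "$IPTABLES $IPT_METHOD $IPT_CHAIN -s $IPT_SRC_IP -p $IPT_PROTO --dport $IPT_DST_PORT -j $IPT_RULE_TARGET $*"
  fi
  if [ "$DRY_RUN" -eq 0 ]; then
    "$IPTABLES" "$IPT_METHOD" "$IPT_CHAIN" -s "$IPT_SRC_IP" -p "$IPT_PROTO" \
      --dport "$IPT_DST_PORT" -j "$IPT_RULE_TARGET" "$@"
  fi
fi
```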
@@ -1,189 +0,0 @@ -#!/bin/sh - -# Original version to add non-duplicated rules by Greg Kuchyt (greg.kuchyt@gmail.com) -# Updated to handle deletes and be generic by Paul Rogers (paul.rogers@flumps.org) - -SCRIPT_NAME=$(basename $0) - -AWK="/bin/awk" -GREP="/bin/grep" -IPTABLES="/sbin/iptables" -SORT="/bin/sort" - -COMMENT_APP="Append " -COMMENT_DEL="Delete " -COMMENT_INS="Insert " -COMMENT_DEFAULT="by knockd" - -IPT_CHAIN="INPUT" -IPT_METHOD="" -IPT_COMMENT="" -IPT_SRC_IP="" -IPT_DST_PORT="" -IPT_PROTO="tcp" -IPT_RULE_TARGET="ACCEPT" - -DRY_RUN=0 -SEEN=0 -VERBOSE=0 - -usage() { - echo "Usage: $SCRIPT_NAME -a|-i|-x -f SRC_IP_ADDR -d DST_PORT [-p|-c|-m|-t|-h|-v]" - echo "Options:" - echo "-a|--append Action: append a rule to NetFilter" - echo "-i|--insert Action: insert a rule to NetFiler" - echo "-x|--delete Action: delete a rule from NetFilter" - echo "-f|--srcaddr The source IP address to be used" - echo "-d|--dstport The destination port to be used in the rule" - echo "-p|--proto The protocol that the rule applies to; default: $IPT_PROTO" - echo "-c|--chain The NetFilter chain to apply the change to; default: $IPT_CHAIN" - echo "-m|--comment Overide default comment text: '$COMMENT_DEFAULT'" - echo "-t|--test Test run - don't actually perform an update to NetFilter" - echo "-h|--help Print this informational screen and exit" - echo "-v|--verbose Print verbose information about actions" -} - -ARGS=$(getopt -o aixf:d:p:c:m::thv -l "append,insert,delete,srcaddr:,dstport:,proto:,chain:,comment::,test,help,verbose" -n $SCRIPT_NAME -- "$@") - -if [ $? -ne 0 ]; -then - echo "$SCRIPT_NAME - Error! 
Invalid arguments" - usage - exit 1 -fi - -eval set -- "$ARGS" - -while true; do - case "$1" in - -a|--append) - IPT_METHOD="-A" - shift; - ;; - -x|--delete) - IPT_METHOD="-D" - shift; - ;; - -i|--insert) - IPT_METHOD="-I" - shift; - ;; - -f|--srcaddr) - IPT_SRC_IP=$2 - shift 2; - ;; - -d|--dstport) - IPT_DST_PORT=$2 - shift 2; - ;; - -p|--proto) - IPT_PROTO=$2 - shift 2; - ;; - -c|--chain) - IPT_CHAIN=$2 - shift 2; - ;; - -m|--comment) - case "$2" in - "") - IPT_COMMENT=$COMMENT_DEFAULT; - shift 2;; - *) - IPT_COMMENT=$2; - shift 2 ;; - esac - ;; - -t|--test) - DRY_RUN=1 - shift; - ;; - -h|--help) - usage - shift; - exit - ;; - -v|--verbose) - VERBOSE=1 - shift; - ;; - --) - shift; - break; - ;; - esac -done - -# Begin sanity checks -if [ -z "$IPT_SRC_IP" ]; then - echo "$SCRIPT_NAME - Error! Source IP address required" - usage - exit 1 -fi - -if [ -z "$IPT_DST_PORT" ]; then - echo "$SCRIPT_NAME - Error! Destination port required" - usage - exit 1 -fi - -if [ -z "$IPT_METHOD" ]; then - echo "$SCRIPT_NAME - Error! Valid action option not specified" -fi - -case "$IPT_METHOD" in - -A) - IPT_COMMENT="$COMMENT_APP $IPT_COMMENT" - ;; - -I) - IPT_COMMENT="$COMMENT_INS $IPT_COMMENT" - ;; - -D) - IPT_COMMENT="$COMMENT_DEL $IPT_COMMENT" - ;; -esac - -if [ "$VERBOSE" -eq 1 ]; then - echo "$SCRIPT_NAME - Testing rule" - echo "$SCRIPT_NAME - action: $IPT_METHOD _ src: $IPT_SRC_IP _ dstport: $IPT_DST_PORT _ proto: $IPT_PROTO _ chain: $IPT_CHAIN _ comment: $IPT_COMMENT" -fi - -COMMENT="" -if [ -n "$IPT_COMMENT" ]; then - COMMENT="-m comment --comment '$IPT_COMMENT'" -fi - -$IPTABLES -L $IPT_CHAIN &> /dev/null -if [ 0 -ne "$?" 
]; then - echo "$SCRIPT_NAME - Error: $IPT_CHAIN is not a valid NetFilter chain" - exit -fi -# End sanity checks - -# Dupe checking -for IP in `$IPTABLES -n -L $IPT_CHAIN | $GREP $IPT_RULE_TARGET | $AWK '{print $4}' | $SORT -u`; -do - if [ "$VERBOSE" -eq 1 ]; then - echo "$SCRIPT_NAME - $IP" - fi - - if [ "$IPT_SRC_IP" == "$IP" ]; then - SEEN=1 - fi -done - -if [ "$VERBOSE" -eq 1 ]; then - echo "$SCRIPT_NAME - Seen: $SEEN" -fi - - -if [ "$SEEN" -eq 0 ]; then - if [ "$VERBOSE" -eq 1 ]; then - echo "$SCRIPT_NAME - $IPT_COMMENT" - echo $IPTABLES $IPT_METHOD $IPT_CHAIN -s $IPT_SRC_IP -p $IPT_PROTO --dport $IPT_DST_PORT -j $IPT_RULE_TARGET $COMMENT - fi - - if [ "$DRY_RUN" -eq 0 ]; then - eval $IPTABLES $IPT_METHOD $IPT_CHAIN -s $IPT_SRC_IP -p $IPT_PROTO --dport $IPT_DST_PORT -j $IPT_RULE_TARGET $COMMENT - fi -fi \ No newline at end of file