Linux tips & tricks: server, open

For those who need to give themselves (or their loved ones) access to their servers from anywhere in the world via SSH / RDP / whatever else: a small RTFM / cheat sheet.

We want to do without a VPN and other bells and whistles, from whatever device is at hand.

And without the server having to strain itself too much.

All that is needed for this is knockd, a steady pair of hands and 5 minutes of work.

“It's all on the Internet”, of course (even on Habr), but as soon as it comes to a specific implementation, that is where it all starts...

We will use Fedora / CentOS as the example, but the distribution does not really matter.

The cheat sheet is meant for both beginners and old hands at this business, so there will be comments, but brief ones.

1. Server

  • install knock-server:
    yum/dnf install knock-server

  • configure it (SSH as the example) in /etc/knockd.conf:

    [options]
        UseSyslog
        interface = enp1s0f0
    [SSHopen]
        sequence        = 33333,22222,11111
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout     = 3600
        stop_command    = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    [SSHclose]
        sequence        = 11111,22222,33333
        seq_timeout     = 5
        tcpflags        = syn
        command         = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

    The "open" door is set to close itself again after 1 hour. Whether that is a little short...

  • /etc/sysconfig/iptables:

    ...
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
    ...

  • and off we go:

    service iptables restart
    service knockd start

  • you can add RDP to the virtual Windows Server running inside (/etc/knockd.conf; substitute your interface name to taste):

    [RDPopen]
        sequence        = 44444,33333,22222
        seq_timeout     = 5
        tcpflags        = syn
        start_command   = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
        cmd_timeout     = 3600
        stop_command    = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    [RDPclose]
        sequence        = 22222,33333,44444
        seq_timeout     = 5
        tcpflags        = syn
        command         = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

    Everything our knocks from the client produce can be watched on the server with the command iptables -S.

2. A guide to the rakes

knockd.conf:

The man page also has everything (but that is not quite accurate), and knockd is a rather stingy comrade when it comes to messages, so you need to be very careful.

  • version
    In the Fedora/CentOS repositories the latest knockd as of today is 0.63. If you want UDP, look for 0.70 packages.
  • interface
    The default Fedora/CentOS configuration does not have this line. Add it by hand, otherwise it will not work.
  • timeout
    Pick it to taste. The client must have enough time for all its knocks, while a port-scanning bot (and they will scan, 146% guaranteed) gets cut off.
  • start_command / stop_command / command
    If there is one command, use command; if there are two, use start_command + stop_command.
    If you get this wrong, knockd stays silent but does not work.
  • proto
    In theory you can use UDP. In practice I mixed tcp and udp, and a client on a beach in Bali managed to open his gate only on the fifth try. TCP got through when it had to, with UDP it is not guaranteed. But again, that is a matter of taste.
  • sequence
    The non-obvious rake is that the sequences must not intersect... how to put this...

For example, this:

open: 11111,22222,33333
close: 22222,11111,33333

After the knock on 11111, open waits for the next knock on 22222. But that same knock on 22222 also starts close, and everything falls apart. It depends on the client's delay as well. Such things ©.
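A small linter for the rakes listed above, as an added example (not from the original post and not part of knockd): it parses knockd.conf and reports a missing interface line, a door that mixes command with start_command/stop_command or sets only one of the pair, and sequences that intersect. The overlap rule (no door's first port may appear before the last port of another door's sequence) is a strict reading of the advice above rather than knockd's own matching logic, so it will also complain about the ports shared between the SSH and RDP doors in section 1.

```python
# Added example (not from the original post, not part of knockd): lint knockd.conf
# for the rakes listed above. The overlap rule is a strict reading of "sequences
# must not intersect", not a model of knockd's own packet matching.

def parse_knockd_conf(text):
    """Return (options, doors); doors maps each [section] name to its settings."""
    options, doors, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            name = line[1:-1]
            current = options if name == "options" else doors.setdefault(name, {})
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()  # bare flags such as UseSyslog get ""
    return options, doors

def lint_knockd(text):
    """Return a list of problems; an empty list means the config passed."""
    options, doors = parse_knockd_conf(text)
    problems = []
    if "interface" not in options:
        problems.append("[options]: no 'interface' line, knockd will not listen")
    for name, door in doors.items():
        keys = {"command", "start_command", "stop_command"} & set(door)
        # Exactly {command} or {start_command, stop_command}; anything else makes
        # knockd start without complaint and then do nothing.
        if keys not in ({"command"}, {"start_command", "stop_command"}):
            problems.append(f"[{name}]: bad command set {sorted(keys)}")
    seqs = {n: [p.strip() for p in d.get("sequence", "").split(",") if p.strip()] for n, d in doors.items()}
    for a, ports_a in seqs.items():
        for b, ports_b in seqs.items():
            # A knock that is door b's FIRST port, sent while door a is still
            # mid-sequence, starts door b too (a's last port is exempt: a is done).
            if a != b and ports_b and ports_b[0] in ports_a[:-1]:
                problems.append(f"[{a}] contains the first port of [{b}] ({ports_b[0]})")
    return problems

RAKE_CONF = """[options]
    interface = enp1s0f0
[open]
    sequence = 11111,22222,33333
    command  = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[close]
    sequence = 22222,11111,33333
    command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""  # constructed sample: the conflicting open/close pair from the text above
print("\n".join(lint_knockd(RAKE_CONF)))
```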

iptables

If /etc/sysconfig/iptables contains this:

*nat
:PREROUTING ACCEPT [0:0]

it does not really bother us, but this:

*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited

does get in the way.

Since knockd appends its rules to the end of the INPUT chain, i.e. after that REJECT, we still get rejected.

And switching that reject off means opening the box to all winds.

So as not to go crazy over what to insert before what in iptables (as some people suggest), let's make it simpler:

  • the default CentOS/Fedora chain policy (“what is not forbidden is allowed”) is replaced by the opposite,
  • and the last rule is removed.

The result should be:

*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited

You can of course use REJECT instead of DROP, but with DROP the bots will have a more entertaining time.
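The rule-order rake above and the UPD2 remark at the end, as an added example (not from the original post): a small Python model of first-match evaluation in the INPUT chain. The addresses are constructed; the three runs reproduce the stock CentOS/Fedora layout with the REJECT last (knockd's appended ACCEPT never fires), the fix above (policy DROP, REJECT removed), and the alternative of inserting with -I instead of -A, which lets the REJECT rule stay.

```python
# Added example (not from the original post): a first-match walk of an iptables
# INPUT chain, showing why a rule knockd appends with -A never fires while a
# catch-all REJECT is already the last rule. Only the rule shapes used above are
# modelled: -p tcp --dport N, -s IP, a bare REJECT, and the chain policy.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Rule:
    target: str                  # ACCEPT, REJECT or DROP
    dport: Optional[int] = None  # None matches any destination port
    src: Optional[str] = None    # None matches any source address

@dataclass
class Chain:
    policy: str                  # :INPUT ACCEPT or :INPUT DROP
    rules: List[Rule] = field(default_factory=list)

    def add(self, rule, insert=False):
        if insert:
            self.rules.insert(0, rule)  # iptables -I INPUT: goes first
        else:
            self.rules.append(rule)     # iptables -A INPUT: goes last

    def verdict(self, src, dport):
        for rule in self.rules:  # the first matching rule decides; later rules are never seen
            if rule.dport in (None, dport) and rule.src in (None, src):
                return rule.target
        return self.policy       # nothing matched: the chain policy applies

KNOCKER, STRANGER = "203.0.113.7", "198.51.100.9"  # constructed addresses

def scenario(policy, keep_reject, use_insert):
    """SSH verdicts as (knocker before the knock, knocker after, stranger after)."""
    chain = Chain(policy)
    for port in (11111, 22222, 33333):  # the knock ports themselves stay open
        chain.add(Rule("ACCEPT", dport=port))
    if keep_reject:                     # the stock CentOS/Fedora catch-all last rule
        chain.add(Rule("REJECT"))
    before = chain.verdict(KNOCKER, 22)
    # what knockd's start_command adds once the sequence has been knocked
    chain.add(Rule("ACCEPT", dport=22, src=KNOCKER), insert=use_insert)
    return before, chain.verdict(KNOCKER, 22), chain.verdict(STRANGER, 22)

if __name__ == "__main__":
    print("stock   :", scenario("ACCEPT", keep_reject=True, use_insert=False))  # the rake
    print("fixed   :", scenario("DROP", keep_reject=False, use_insert=False))   # as above
    print("-I not -A:", scenario("ACCEPT", keep_reject=True, use_insert=True))
```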

3. Client

This part is the most interesting (from my point of view), since you need to work not only from any beach but also from any device.

In principle, a number of clients are listed on the project's site, but that is from the same “it's all on the Internet” series. So I will list what is working here and now, at my fingertips.

When choosing a client, make sure it supports a delay option between packets. Yes, one beach is not like another, and 100 megabits never guarantee that the packets will arrive in the right order at the right time from a given place.

And yes, when setting up the client, the delay has to be chosen for yourself. Too much timeout and the bots will have a go; too little and the client will not make it in time. Too much delay and the client will not make it or the knocks will conflict (see "rake"); too little and the packets get lost on the Internet.

With timeout=5s, delay=100..500ms is quite a workable option.

Windows

Ridiculous as it sounds, googling a decent knock client for this platform is rather non-trivial. One that is CLI, supports delay and TCP, and comes without frills.

As an option you can try this one. Apparently my Google is not what it used to be.

Linux

Everything is simple here:

dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333

MacOS

The easiest way is to install the port from Homebrew:
brew install knock
and write yourself the command files you need, of the form:

#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333

iOS

The working version is KnockOnD (free, from the store).

Android

Knock on Ports. It's not an ad, it just works. And the developers are quite responsive.

PS Markdown on Habr, of course... God grant it arrives some day...

UPD1: thanks to a good person, a working client for Windows has been found.
UPD2: Another good person reminded me that putting new rules at the end of iptables is not always useful. But that depends.

Source: habr.com
