
Rules applied 3 times and incoherent state when spamming open/close #70

Docteur-RS opened this issue Jun 26, 2020 · 1 comment

@Docteur-RS

Docteur-RS commented Jun 26, 2020

Hey,

I have been experimenting with knockd and saw it behave quite oddly.

Interrogation 1:

  • Why does it create the iptables rule 3 times??

With the following simple configuration:

  [closeSSH]
      sequence    = xxxx,yyyy,zzzzz
      seq_timeout = 15
      tcpflags    = syn
      command     = sudo iptables -I INPUT 5 -p tcp --dport 22 -j DROP

It applies the rule 3 times, as you can see below:

$ sudo iptables -S INPUT
...
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
...

It's not tied to the fact that I use 3 ports as the code, because if I set only 2 I still get the rule applied 3 times.

However, when opening SSH with the right code it does the same thing 3 times, which in the end unlocks SSH... So in the end it works, but it's weird...


Interrogation 2:

  • Isn't the daemon supposed to track the opening and closing of the "gate" in a coherent way?

For instance, if I spam open / close / open / open / close / open I still get some rule leftovers, as the system does not keep up with the opening and closing spam.

Moreover, if I choose to use a rule that deletes an iptables rule by its number, it might delete the wrong iptables rule...

Using CentOS 7.7
OpenSSH_7.4p1
Thx

@TDFKAOlli (Contributor)

Hi @Docteur-RS ,

On Interrogation 1: The code only executes the command once. You can check from the code that it checks for the code sequence and, only when a complete sequence is found, executes the command once.
Anyhow, port knocking is not "reliable" because you send single packets to different ports and one or several might get lost, which in turn means the sequence is not detected every time and the gate doesn't open. So a client might fire off a sequence multiple times to make sure one sequence makes it to the server. In that case you could see several attempts. Maybe check the logs and see how often the sequence was matched on your server.

On Interrogation 2: In my opinion that's not the job of the knock daemon. It detects a sequence and, when detected, it executes a command you define. It could be a firewall rule, or only "Hello world"... or start another daemon... or whatever. So, again in my opinion, and others might disagree, you should take care that there are no leftovers.
I use it to block/unblock certain MAC addresses (parental control), and the knockd command calls a script which takes care that iptables is clean and no duplicate rules apply, as I also learned that iptables can apply a single rule multiple times 😏

Maybe this helps.
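A wrapper script in the spirit of what the comment above describes, added here as an example that is not part of knockd or of either comment: it checks with `iptables -C` before inserting the issue's DROP rule, and removes it by rule specification rather than by position number, so repeated knocks cannot stack copies and "open" cleans up any leftovers. The script name and path are assumptions, and it inserts at the top of INPUT rather than at position 5 as in the issue's configuration.

```shell
#!/bin/sh
# knock-ssh.sh (hypothetical name): idempotent "gate" helper meant to be
# called from knockd's "command =" line instead of a bare iptables call.
# Added example, not part of knockd or of the issue's own configuration.
#
#   [closeSSH]  command = /usr/local/sbin/knock-ssh.sh close
#   [openSSH]   command = /usr/local/sbin/knock-ssh.sh open

IPTABLES="${IPTABLES:-iptables}"   # overridable so the logic can be tested

# One rule specification, mirroring the issue's rule, so that -C, -I and -D
# always refer to the same rule and nothing is ever addressed by position.
rule_spec() {
    echo "INPUT -p tcp --dport 22 -j DROP"
}

# Succeeds when the DROP rule is already present in INPUT.
rule_exists() {
    $IPTABLES -C $(rule_spec) 2>/dev/null
}

# "close": insert the DROP rule only if it is absent, so repeated close knocks
# (or a client resending the sequence) cannot stack three identical copies.
close_ssh() {
    if rule_exists; then
        return 0
    fi
    $IPTABLES -I $(rule_spec)
}

# "open": delete by specification, not by rule number, and keep deleting until
# no copy is left, so leftovers from earlier open/close spam are cleaned too.
open_ssh() {
    while rule_exists; do
        $IPTABLES -D $(rule_spec) || return 1
    done
}

# Dispatch only when invoked with an argument (as knockd does); sourcing the
# file without arguments just defines the functions.
case "${1:-}" in
    open)  open_ssh ;;
    close) close_ssh ;;
esac
```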
