Sorry for the downtime, wasn’t planned. It was late last night when I set up the knock daemon, I somehow managed to accidently copy and past my terminal which resulted in about a quarter of my /etc/init.d/* scripts getting broken. Unfortunatly I didn’t notice it right away. I did notice it when I rebooted the server (kernel change) and lot’s of daemons didn’t come up (oh unimportant stuff like SSH 🙁 ) Well, that’s what backups are for.
I know there are plenty of pages floating around the Internet about knock daemons that open ports in a firewall after a predefined series of ports are “knocked”. For some reason ALL the pages I found assumed that a) you want the filter in your INPUT chain, and that the INPUT chain defaulted to DROP or REJECT.
In my case, I’m defiantly not going to have a iptables firewall with a default that drops packets. Every few weeks I try out some new software and can’t be bothered with adjusting my firewall every time. All I need it to do is keep pesky people off my ssh, that’s all.
So here is a short tutorial how to set up s knock daemon with a ACCEPT default for INPUT:
/etc/knockd.conf
1 2 3 4 5 6 7 8 9 10 | [options] UseSyslog [opencloseSSH] sequence = 76:udp,123:tcp,7630:tcp,1921:udp seq_timeout = 25 tcpflags = syn,ack start_command = /sbin/iptables -I SSH-Knock 2 -s %IP% -p tcp --dport 22 --syn -j ACCEPT cmd_timeout = 20 stop_command = /sbin/iptables -D SSH-Knock -s %IP% -p tcp --dport 22 --syn -j ACCEPT |
iptables:
1 2 3 4 5 | iptables -N SSH-Knock iptables -A INPUT -p tcp --dport 22 -j SSH-Knock iptables -A SSH-Knock -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A SSH-Knock -j REJECT --reject-with icmp-port-unreachable /etc/init.d/iptables save active |
I didn’t get around to updating last week, as of October I’m working at a new company. The new job is fun, and totally different environment (went from a company in the financial sector with 5000+ people to a company that develops and publishes games with around 150 people). The company is real cool, and the colleagues are nice.
I didn’t do much last weekend, we played some board games with friends. I should get back to climbing, haven’t done anything in a week.
We went hiking yesterday, west of Bad Bergzabern. We had a look at “Puhlstein”. You have a fantastic lookout from one end, and a long row of rock formations protrude from the top of the hill. There were a couple castle ruins surrounding the hill, so the view was nice too.
We saw a family climbing (it was still sunny and warm, but on the shadow side of the hill it was a bit windy and cold). And we saw some interresting routes in the rocks. We also found a geocache (I had loaded all nearby gecaches into my gps before we left), so that rouded up a nice day outdoors.
Ok, the contest is ready. I’ll start off with the information everybody has been waiting for:
IP: 80.190.250.213
There is a webserver running with a brief description of the target and rules of the contest http://80.190.250.213/ The webserver is actually part of the contest since people are supposed to deface this page. To make it a bit more interresting, the ssh sessions are recorded with script and saved here for everyone to see (e.g. “less -r filename”).
Rules and Target of the contest:
As stated above, deface this page. To achieve this goal, everything is allowed. Do what you need/want to achieve the goal.
Unfortunatly we will still need a short list of actions that are not allowed:
A few details to the box and the system:
Have fun 😉
btw. I’m also posting this in the buha forums for anyone who prefers a German description.