Mailing List Archive

Here is a method I use to frustrate people trying to
nab my wifi connection using iptables (wireless router
-> linux router -> dsl -> net). The wireless router in
setup with a basic NAT for my desktops and wireless
but the wireless comes in on its own nic. with
prerouting set to drop, I have
[1:56] -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT

echo 204 > /proc/sys/net/ipv4/ip_default_ttl
on my laptop init

--
gentoo-security@gentoo.org mailing list

Hello Tobias,


TS> That's a possibility I once saw on slashdot:

TS> iptables -A INPUT -p tcp --dport 1000 -m recent --remove --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --remove --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --remove --name PART3
TS> iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PART1
TS> iptables -A INPUT -p tcp --dport 2000 -m recent --set --name PART2
TS> iptables -A INPUT -p tcp --dport 3000 -m recent --set --name PART3
TS> iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 30 \
TS> --name PART1 --name PART2 --name PART3 -j ACCEPT

It's the best :)
I'll add some protection from plain port scan.
iptables -A INPUT -p tcp --dport 999 -m recent --remove --name PART1
iptables -A INPUT -p tcp --dport 1001 -m recent --remove --name PART1
...

TS> There are numerous knock, knock implementations listed at:
TS> http://www.portknocking.org/view/implementations/implementations

I've found this page not long ago, most promising temprules. I'm currently experimenting with them.
TS> IMHO, the problem with "normal" port knocking tools is the dependency on
TS> client software. I would prefer a solution which can be used without
TS> (too much) hassle (eg. using telnet and then putty or such).
TS> This evidently is not be possible when using more sophisticated port
TS> knocking with timing or specially crafted / encrypted packages, unless
TS> you have a really good feel for timing.. ;-)
Same to me ;)
or even a web browser: http://somehost:123

--
Best regards,
boger mailto:boger@ttk.ru

--
gentoo-security@gentoo.org mailing list

Hello morgan,

Wednesday, October 5, 2005, 12:12:53 AM, you wrote:

ma> Here is a method I use to frustrate people trying to
ma> nab my wifi connection using iptables (wireless router
->> linux router -> dsl -> net). The wireless router in
ma> setup with a basic NAT for my desktops and wireless
ma> but the wireless comes in on its own nic. with
ma> prerouting set to drop, I have
ma> [1:56] -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT

echo 204 >> /proc/sys/net/ipv4/ip_default_ttl
ma> on my laptop init

Correct me if I wrong, but it works only from lan, because ttl decreases when routed.

Also it needs root or special user to change /proc/sys/...


--
Best regards,
boger mailto:boger@ttk.ru

--
gentoo-security@gentoo.org mailing list

morgan allen wrote:

> -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
>
> echo 204 > /proc/sys/net/ipv4/ip_default_ttl

202 != 204?

Is this a typo?

Dan
--
gentoo-security@gentoo.org mailing list

Yes I have it setup to work only from lan side, but i
can work from the net side by tracerouting first, then
setting the ittl accordingly. And yes, unfortunatly it
does require special privleges.
--
gentoo-security@gentoo.org mailing list

nope, laptop -> wifi router -> iptable
--
gentoo-security@gentoo.org mailing list

On Tue, Oct 04, 2005 at 04:31:38PM -0400, Dan Gregory wrote:
> > -A PREROUTING -m ttl --ttl-eq 202 -j ACCEPT
> >
> > echo 204 > /proc/sys/net/ipv4/ip_default_ttl
>
> 202 != 204?
>
> Is this a typo?
>
Thought so first, but remember that each time a router touches it the
ttl gets decreased. So if the linux routing box it two hops away from
the laptop (which is likely if he has a separate wireless router
dedicated to such use) the difference of two would be the right
solution. :)

W
--
"What the hell, he thought, you're only young once, and
threw himself out of the window. That would at least keep
the element of surprise on his side."

- Ford outwitting a Vogon with a rocket launcher by going
into another certain death situation.
Sortir en Pantoufles: up 54 days, 58 min
--
gentoo-security@gentoo.org mailing list

This is result of last week discussion about port knockers.
Its my second bash script (first is my firewall), so any feedback will be appreshiated ;)

usage: ./knocker.sh <config file name> del
Path to config file is constant in knocker.sh.
del - is optional, simply deletes target chain

script has no limits on knock sequences, and demands statefull filtering enabled
ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

My versions of gateway portknocking:

First script:
If you log in w/ ssh (pki only) from the wireless segment
(192.168.33.0/24), an entry for your IP address is added to iptables.
When you log out, the entry is removed. I know it's ugl but it works
well. If the script is restarted any existing iptable entries will
obviously get orphaned. This only works because there si no dns
resolution for the wireless segment, otherwise `who` will resolve the
addresses and bad things will happen.

#! /usr/bin/env python
import string,os,time
# Dictionary value explaination (key is IP) # I= insert into iptables,
user logged in # D= delete from iptables, user disconnected # L= don't
do anything, user is still logged in master={} while (1):
for i in master.keys():
master[i]="D" #First assume everybody left #
loggedIn=os.popen("who | grep 192.168.33 | sed 's/.*(\(.*\))/\1/g' |
sort -u") #
for i in loggedIn.readlines():
i=i.strip()
if master.has_key(i):
master[i]="L" #leave this IP in iptables (change "D" value)
else: master[i]="I" #insert this IP in iptables (new key) #
for i in master.keys():
if master[i] == 'L':
print 'ignoring IP: '+i
continue
elif master[i] == 'I':
print 'new IP: '+i
os.popen("/sbin/iptables -I FORWARD -p all -s "+i+" -j
ACCEPT")
else:
print 'removing IP: '+i
os.popen("/sbin/iptables -D FORWARD -p all -s "+i+" -j
ACCEPT")
time.sleep(3)

+++++++++++++++++++++++++++++++++++++++++++++
Second Script:
This script is a bit more complicated. An entry is added to iptables to
match icmp traffic to playboy.com and log it. Syslog-ng will filter The
trigger in this script is playboy.com and your mac address (grepped from
arp -a) is added to the iptables leaf wireless2net (I use shorewall).


#!/bin/env python
# filename: /usr/sbin/portknock.py
import os,time
print "Flush the iptables chain or create it if it doesn't exist"
a=os.popen('/sbin/iptables -F wless_portknock || /sbin/iptables -N
wless_portknock') print "Check to see if chain is included in
wireless2net chain"
if os.popen('/sbin/iptables -L wireless2net | grep
wless_portknock').readlines()==[]: os.popen('/sbin/iptables -I
wireless2net 2 -j wless_portknock')

print 'starting loop'
master={}
while (1):
for r in os.popen('grep "`/usr/bin/date +"%b %e"`"
/var/log/portknock | cut -d " " -f8 | cut -d "=" -f2 | sort
-u').readlines():
if len(r)==0:continue
r=r.strip()
i=os.popen('arp -an | grep '+r+'| cut -d " " -f4').readline()
i=i.strip()
if master.has_key(i):continue
else:
master[i]=''
print 'adding mac '+i+' which belongs to IP '+r
a3=os.popen("/sbin/iptables -I wless_portknock -p all -j
ACCEPT -m mac --mac-source "+i)
time.sleep(3)

-----------------------------------------------
The relevent entry in the shorewall rules file

ACCEPT:info:pnoc wireless net:216.163.137.3
icmp

-----------------------------------------------
The relevent parts of syslog-ng.conf

destination portknock { file("/var/log/portknock"); }; filter
f_portknock { match ("Shorewall:wireless2net:ACCEPT"); }; log {
source(src); filter(f_portknock); destination(portknock); };

I tried to use tagging but the field gets trunicated so syslog-ng never
sees it.

------------------------------------------------
At midnight cron runs the following reset script:

#!/bin/bash
echo > /var/log/portknock
kill `pgrep -f portknock.py`
python /usr/sbin/portknock.py&

------------------------------------------------
Like I said, it's complicated. Don't forget to touch /var/log/portknock

-Jeff

-----Original Message-----
From: boger [mailto:boger@ttk.ru]
Sent: Tuesday, October 11, 2005 2:00 PM
To: gentoo-security@lists.gentoo.org
Subject: [gentoo-security] port knocking

This is result of last week discussion about port knockers.
Its my second bash script (first is my firewall), so any feedback will
be appreshiated ;)

usage: ./knocker.sh <config file name> del Path to config file is
constant in knocker.sh.
del - is optional, simply deletes target chain

script has no limits on knock sequences, and demands statefull filtering
enabled ipt -i $IF_INET -A INPUT -m state --state RELATED,ESTABLISHED -j
ACCEPT



--
gentoo-security@gentoo.org mailing list