[SGVLUG] Re: Wake-on-lan and port knocking notes

Michael Proctor-Smith mproctor13 at gmail.com
Thu Apr 12 14:00:33 PDT 2007


Yep, need new batteries; will have to pull that out of the rack later.
Sgvlug should be back up. As long as the wind does not kill the power
again, but it should come back on its own now that it is off of the
ups.

On 4/12/07, Michael Proctor-Smith <mproctor13 at gmail.com> wrote:
> Well I might it bliked and I think the ups I put sgvlug on may need new
> batteries, I will go check it.
>
> On 4/12/07, Emerson, Tom (*IC) <Tom.Emerson at wbconsultant.com> wrote:
> > Hmmm... Looks like the wind has knocked us down -- I can't log on to the
> > site to update it (nor can I see the site itself at either the .org or
> > .net extension). Have you lost power, Mike?  [duh, he isn't even going
> > to see this if he has...]
> >
> >
> >
> > > -----Original Message-----
> > > From: claude felizardo [mailto:cafelizardo at usa.net]
> > > Sent: Thursday, April 12, 2007 1:22 PM
> > > To: mproctor13 at gmail.com; Emerson, Tom (*IC)
> > > Subject: Wake-on-lan and port knocking notes
> > >
> > >
> > > Mike/Tom,  Here are the notes I had last month.  If you could post them to
> > > the website that would be great as I'm not sure everyone will be on the
> > > same subnet during the meeting.  I'm going to try and update them with
> > > notes on using nmap if I get a chance but it's looking kinda grim right now.
> > >
> > > claude
> > >
> > > ----------------------------------------------------------------------------------------------
> > >
> > >
> > >
> > > *Wake-On-LAN*
> > >
> > >     * http://en.wikipedia.org/wiki/Wake_on_lan
> > >     * use ifconfig to get MAC address
> > >     * open UDP port 9 on firewall and forward to your server
> > >     * http://www.dslreports.com/wakeup
> > >
> > >
> > >
> > >
> > > *PORT KNOCKING*
> > >
> > > *The Problem*
> > >
> > >     * Allow remote access
> > >     * Block unauthorized users
> > >
> > > *Review Five layer model*
> > >
> > >    1. Physical Layer - physical cable, WiFi
> > >    2. Data link layer - Ethernet Packets
> > >    3. Network layer - IP (src addr/port -> dest add/port)
> > >    4. Transport Layer - TCP, UDP
> > >    5. Application Layer - HTTP, SSH, TELNET, ...
> > >
> > > *Basic Solutions - use combination of hardware and software*
> > >
> > >    1. block all access
> > >    2. use NAT to hide internal address of server(s)
> > >    3. open and/or forward specific ports
> > >    4. Use nonstandard port
> > >
> > > *First Implementation*
> > >
> > >    1. Open holes in firewall/router w/ forwarding rules
> > >    2. Configure application to listen to nonstandard port
> > >    3. Vulnerable to anyone who discovers secret port
> > >
> > > *Restrict access from trusted hosts*
> > >
> > >     * http://shorewall.net/PortKnocking.html
> > >     * /etc/shorewall/rules
> > >
> > >     ACCEPT net fw tcp 22,7022
> > >
> > >     * /etc/hosts.allow
> > >
> > >     sshd : remote.host : ALLOW
> > >
> > >     ALL : ALL : spawn (/usr/sbin/safe_finger -l @%h |
> > > /bin/mail -s "Port Denial on %N for %d from %c" root) & : DENY
> > >
> > > *Simple Port Knocking - single port, fixed sequence*
> > >
> > >     * /etc/hosts -- make sure ip is listed separate from 127.0.0.1
> > >     * /etc/services
> > >
> > >     myssh    7122/tcp    # SSH remote login
> > >
> > >     * /etc/hosts.allow
> > >
> > >     mysshd : ALL : spawn (/usr/sbin/safe_finger -l @%h |
> > > /bin/mail -s "SSH allowed on %N for %d from %c" root) & : ALLOW
> > >
> > >     * /etc/shorewall/rules
> > >
> > >     SSHKnock:info net    fw      tcp     7122,7100,7099,7101
> > >
> > >     * /etc/shorewall/actions
> > >
> > >     SSHKnock
> > >
> > >     * /etc/shorewall/action.SSHKnock
> > >     * /etc/shorewall/SSHKnock
> > >
> > >     # log an accepted knock-opened connection and a dropped non-7122 attempt
> > >     if [ -n "$LEVEL" ]; then
> > >         log_rule_limit $LEVEL $CHAIN SSHKnock ACCEPT "" "$TAG" -A -p tcp --dport 7122 -m recent --rcheck --name SSH
> > >         log_rule_limit $LEVEL $CHAIN SSHKnock DROP   "" "$TAG" -A -p tcp --dport ! 7122
> > >     fi
> > >
> > >     # 7122 is accepted only for sources listed in the SSH table within the last 60 seconds
> > >     run_iptables -A $CHAIN -p tcp --dport 7122 -m recent --rcheck --seconds 60 --name SSH -j ACCEPT
> > >     # knocking 7100 records the source; 7099 or 7101 (the wrong ports) removes it again
> > >     run_iptables -A $CHAIN -p tcp --dport 7099 -m recent --name SSH --remove -j DROP
> > >     run_iptables -A $CHAIN -p tcp --dport 7100 -m recent --name SSH --set    -j DROP
> > >     run_iptables -A $CHAIN -p tcp --dport 7101 -m recent --name SSH --remove -j DROP
> > >
> > >
> > > *Advanced Port Knocking*
> > >
> > >     * Longer Sequence - eg, 7001,7002,7000 -- not sequential!
> > >     * Limit per-IP connection rate
> > >     * Multiple Port, Dynamic Mapping -
> > >       http://www.linuxjournal.com/article/6811
> > >           o header: 102,100,103
> > >           o payload: 10a,10b,10c,10d
> > >           o checksum: 10(a+b+c+d mod 10)
> > >           o footer: 103,100,102
> > >           o example for 143 (checksum is 8)
> > >
> > >         102,100,103  100,101,104,103  108  103,100,102
> > >
> > >
> > >     * Use UDP instead
> > >     * Webknocking - series of web pages
> > >
> > >
> > >
> >
>
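
The dynamic-mapping knock format from Claude's notes (header 102,100,103, four digit knocks 10a..10d, checksum 10(a+b+c+d mod 10), footer 103,100,102), as an added Python example that is not part of the original message: it encodes a requested port into the knock sequence and validates a received one, which is the check a knock daemon has to make before opening anything. The noise ports and the scanned stream are constructed for this example.

```python
# Added example: encode/validate the dynamic-mapping knock format from the notes.
# header 102,100,103 | digits as 10a,10b,10c,10d | checksum 10(a+b+c+d mod 10) | footer 103,100,102
HEADER = (102, 100, 103)
FOOTER = (103, 100, 102)
DIGIT_BASE = 100          # digit d is knocked as port 100 + d
KNOCK_LEN = len(HEADER) + 4 + 1 + len(FOOTER)   # 11 knocks per request

def encode_knock(port):
    """Knock sequence that requests `port` (four digits, as the notes' format allows)."""
    if not 0 < port <= 9999:
        raise ValueError("the notes' format carries exactly four digits")
    digits = [int(c) for c in f"{port:04d}"]
    checksum = DIGIT_BASE + sum(digits) % 10
    return list(HEADER) + [DIGIT_BASE + d for d in digits] + [checksum] + list(FOOTER)

def decode_knock(seq):
    """Return the requested port if `seq` is a well-formed knock, else None.

    This is the validation a knock daemon does before opening the port: header,
    footer, digit range and checksum must all match; anything else is ignored.
    """
    if len(seq) != KNOCK_LEN:
        return None
    if tuple(seq[:3]) != HEADER or tuple(seq[-3:]) != FOOTER:
        return None
    payload, checksum = seq[3:7], seq[7]
    if any(not DIGIT_BASE <= p <= DIGIT_BASE + 9 for p in payload):
        return None
    digits = [p - DIGIT_BASE for p in payload]
    # mod-10 checksum: catches a dropped or noise-replaced digit knock, not every error
    if checksum != DIGIT_BASE + sum(digits) % 10:
        return None
    return int("".join(str(d) for d in digits))

def find_knock(stream):
    """Slide over observed destination ports; return (port, offset) of the first valid knock."""
    for i in range(len(stream) - KNOCK_LEN + 1):
        port = decode_knock(stream[i:i + KNOCK_LEN])
        if port is not None:
            return port, i
    return None

# Constructed sample: a few stray connection attempts, then a knock for the notes' 143 example.
OBSERVED_NOISE = [22, 80, 443, 7122]

if __name__ == "__main__":
    print("knock for 143:", encode_knock(143))
    print("found in stream:", find_knock(OBSERVED_NOISE + encode_knock(143)))
```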

