jvinet / knock

A port-knocking daemon
http://www.zeroflux.org/projects/knock
GNU General Public License v2.0

knockd sometimes fails to close a door #14

Open cramhead opened 9 years ago

cramhead commented 9 years ago

Thanks for making such a great package.

Since installing knockd I have some odd messages showing up in my logs and I was hoping you might have some insight.

knockd:  90.221.146.158: openSSH: Stage 1
knockd:  24.86.218.141: openSSH: Stage 1
knockd:  79.179.107.54: openSSH: Stage 1
knockd:  115.239.248.56: openSSH: Stage 1
knockd:  115.239.248.56: openSSH: sequence timeout
knockd:  99.109.92.21: openSSH: Stage 1
knockd:  99.109.92.21: openSSH: sequence timeout
knockd:  24.86.218.141: openSSH: Stage 1
knockd:  24.86.218.141: openSSH: Stage 1
knockd:  24.86.218.141: openSSH: sequence timeout
knockd:  203.177.21.205: openSSH: Stage 1

When I'm not connected via the network and list my iptables rules, I have:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -j DROP

When I knock the port opens correctly. When I unknock the port usually closes, but sometimes not. If I manually run the iptables delete command, it always works. I have noticed that calling knock multiple times keeps inserting the same input rule even though it exists, but that the unknock doesn't always remove it.

My knock.conf

[options]
  UseSyslog
[openSSH]
  sequence    = theSequence
  seq_timeout = 5
  tcpflags    = syn
  command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 525 -j ACCEPT

[closeSSH]
  sequence    = theSequence
  seq_timeout = 5
  command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 525 -j ACCEPT
  tcpflags    = syn

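
The "inserted on every knock, deleted only once" behaviour the post describes follows from how `iptables -I` and `iptables -D` work: `-I` always adds a new copy of the rule, `-D` removes only the first rule that matches. The script below is an added example (mine, not the knock project's code and not from this thread): it runs the two `command =` lines from the knock.conf above against a small mock of the INPUT chain so the effect can be reproduced without root, then shows an idempotent open (guarded by `iptables -C`) and a close that loops until no matching rule is left. The IPs, the mock itself and the helper names are constructed for illustration; the `-I`/`-D`/`-C` semantics are real iptables behaviour.

```shell
#!/bin/sh
# Added example, not part of the knock project or this issue: a tiny mock of
# the iptables INPUT chain (only the flags the knockd commands use: -I, -D,
# -C, -S) so the "open twice, close once" failure mode and its fix can be run
# without root. IPs and the mock are constructed; the only thing to carry back
# to knock.conf is the pair of `command =` lines in the comment near the end.

RULES=""   # rules of the mock INPUT chain, one per line, in chain order

# Mock /sbin/iptables. Usage mirrors the real tool:
#   iptables -I INPUT 1 <rule>   insert at the top of the chain
#   iptables -D INPUT   <rule>   delete the FIRST matching rule (exit 1 if none)
#   iptables -C INPUT   <rule>   exit 0 if the rule exists, 1 otherwise
#   iptables -S INPUT            list the chain
iptables() {
  action="$1"; shift
  shift                         # chain name (always INPUT here)
  case "$action" in
    -I)
      shift                     # drop the rule number
      RULES=$(printf '%s\n%s' "$*" "$RULES")
      ;;
    -C)
      printf '%s\n' "$RULES" | grep -Fxq -- "$*"
      ;;
    -D)
      printf '%s\n' "$RULES" | grep -Fxq -- "$*" || return 1
      RULES=$(printf '%s\n' "$RULES" |
              awk -v r="$*" '!hit && $0 == r { hit = 1; next } { print }')
      ;;
    -S)
      printf '%s\n' "$RULES"
      ;;
  esac
}

# The commands from the knock.conf above: every knock inserts a fresh copy of
# the rule, while each unknock deletes exactly one copy.
open_door_orig()  { iptables -I INPUT 1 -s "$1" -p tcp --dport 525 -j ACCEPT; }
close_door_orig() { iptables -D INPUT   -s "$1" -p tcp --dport 525 -j ACCEPT; }

# Fixed open: insert only if -C says the rule is not there yet.
open_door_fixed() {
  iptables -C INPUT -s "$1" -p tcp --dport 525 -j ACCEPT 2>/dev/null ||
    iptables -I INPUT 1 -s "$1" -p tcp --dport 525 -j ACCEPT
}

# Fixed close: keep deleting until -D reports that no matching rule is left.
close_door_fixed() {
  while iptables -D INPUT -s "$1" -p tcp --dport 525 -j ACCEPT 2>/dev/null; do :; done
}

# Number of copies of the ACCEPT rule for an IP currently in the chain.
rules_for() {
  printf '%s\n' "$RULES" | grep -Fxc -- "-s $1 -p tcp --dport 525 -j ACCEPT" || true
}

# Two knocks followed by one unknock: return how many rules are left behind.
leftover_orig()  { RULES=""; open_door_orig "$1";  open_door_orig "$1";  close_door_orig "$1";  rules_for "$1"; }
leftover_fixed() { RULES=""; open_door_fixed "$1"; open_door_fixed "$1"; close_door_fixed "$1"; rules_for "$1"; }

# Equivalent knock.conf lines (assumption: knockd hands `command` to /bin/sh,
# as with system(3); verify that in your build before relying on `||`/`while`):
#   [openSSH]  command = /sbin/iptables -C INPUT -s %IP% -p tcp --dport 525 -j ACCEPT 2>/dev/null || /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 525 -j ACCEPT
#   [closeSSH] command = while /sbin/iptables -D INPUT -s %IP% -p tcp --dport 525 -j ACCEPT 2>/dev/null; do :; done

echo "original commands leave $(leftover_orig 203.0.113.7) rule(s) after open,open,close"
echo "fixed commands leave    $(leftover_fixed 203.0.113.7) rule(s) after open,open,close"
```

Note that the guarded open and looping close are per-IP: closing one client's door must not touch another client's rule, which the mock lets you check as well.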
jvinet commented 9 years ago

Okay, sounds like two separate things.

1) The log messages you're seeing suggest that these are random one-off port hits to your server, possibly from port scans. The scanning machine hits the first port of your sequence (probably because it's scanning the entire 65536 port range), sees no reaction from your machine, and moves on. This is normal, and doesn't indicate any foul play... unless you consider a port scan to be foul play.

2) I can't verify a bug where knockd fails to close a door. Can you post a log excerpt (with debug/verbose enabled) showing a case where it doesn't correctly close the door?
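
A quick way to act on point 1) is to summarise the log per source IP: an address that only ever reaches Stage 1 and then times out looks like a scanner, while one that gets to Stage 2 or beyond without completing knows part of your sequence and deserves a closer look. The script below is an added example (mine, not the knock project's code and not from this thread). The sample log is constructed from the message shapes visible above; the "OPEN SESAME" line is what knockd logs when a sequence completes, but treat the exact wording as an assumption and adjust the pattern to your build.

```shell
#!/bin/sh
# Added example, not from the knock project or this thread: triage knockd
# syslog lines per source IP. SAMPLE_LOG is constructed; 198.51.100.4 is a
# documentation address standing in for a legitimate client. The "OPEN SESAME"
# completion message is an assumption about your build's log wording.

SAMPLE_LOG='knockd:  90.221.146.158: openSSH: Stage 1
knockd:  24.86.218.141: openSSH: Stage 1
knockd:  24.86.218.141: openSSH: sequence timeout
knockd:  115.239.248.56: openSSH: Stage 1
knockd:  115.239.248.56: openSSH: Stage 2
knockd:  115.239.248.56: openSSH: sequence timeout
knockd:  198.51.100.4: openSSH: Stage 1
knockd:  198.51.100.4: openSSH: Stage 2
knockd:  198.51.100.4: openSSH: Stage 3
knockd:  198.51.100.4: openSSH: OPEN SESAME'

# triage_knock_log: reads knockd log lines on stdin and prints one line per
# IP, "<ip> <max_stage> <verdict>", where verdict is
#   completed : the sequence finished (door opened)
#   scan      : never got past Stage 1 (one-off hit, typical of a port scan)
#   partial   : reached Stage 2+ but never finished (knows part of the sequence)
triage_knock_log() {
  awk '
    /knockd: / {
      sub(/^.*knockd: +/, "")          # keep "<ip>: <door>: <message>"
      ip = $1; sub(/:$/, "", ip)
      if (!(ip in seen)) { seen[ip] = 1; order[++n] = ip; max[ip] = 0 }
      if ($0 ~ /Stage [0-9]+$/) {
        s = $NF + 0
        if (s > max[ip]) max[ip] = s
      } else if ($0 ~ /OPEN SESAME/) {
        done[ip] = 1
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        ip = order[i]
        if (done[ip])          v = "completed"
        else if (max[ip] <= 1) v = "scan"
        else                   v = "partial"
        print ip, max[ip], v
      }
    }'
}

# Verdict for one IP from the sample log, e.g. verdict_for 198.51.100.4
verdict_for() {
  printf '%s\n' "$SAMPLE_LOG" | triage_knock_log | awk -v ip="$1" '$1 == ip { print $3 }'
}

printf '%s\n' "$SAMPLE_LOG" | triage_knock_log
```

Run it against the real syslog with `grep 'knockd:' /var/log/syslog | triage_knock_log`; the "partial" rows are the ones worth correlating with other logs.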

ghost commented 7 years ago

Had the same issue; changed the timeout to 15 sec, and it's working.