jvinet / knock

A port-knocking daemon
http://www.zeroflux.org/projects/knock
GNU General Public License v2.0

Rules applied 3 times and incoherent state when spamming open/close #70

Open Docteur-RS opened 4 years ago

Docteur-RS commented 4 years ago

Hey,

I have been experimenting with knockd and saw it behave quite oddly.

Interrogation 1:

With the following simple configuration:

[closeSSH]
    sequence    = xxxx,yyyy,zzzzz
    seq_timeout = 15
    tcpflags    = syn
    command     = sudo iptables -I INPUT 5 -p tcp --dport 22 -j DROP

It applies the rule 3 times as you can see below:

$ sudo iptables -S INPUT
...
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j DROP
...

It's not tied to the fact that I use 3 ports as code, because if I set only 2 I still get the rule applied 3 times.

However, when opening SSH with the right code it does the same thing 3 times, which in the end unlocks SSH... So in the end it works, but it's weird...


Interrogation 2:

For instance, if I spam open / close / open / open / close / open I still get some rule leftovers, as the system does not keep up with the opening and closing spam.

Moreover, if I choose to use a rule that deletes an iptables rule by its number, it might delete the wrong iptables rule...

Using CentOS 7.7, OpenSSH_7.4p1. Thx

TDFKAOlli commented 4 years ago

Hi @Docteur-RS ,

On Interrogation 1: The code only executes the command once. You can check from the code that it checks for the code sequence and only when a complete sequence is found, it executes the command once. Anyhow, port knocking is not "reliable" because you send single packets to different ports and one or several might get lost, which in turn means the sequence is not detected every time and the gate doesn't open. So a client might fire off a sequence multiple times to make sure one sequence makes it to the server. In that case you could see several attempts. Maybe check the logs and see how often the sequence was matched on your server.

On Interrogation 2: In my opinion that's not the job of the knock daemon. It detects a sequence and, when detected, it executes a command you define. It could be a firewall rule. Or only "Hello world"... or start another daemon... or whatever. So, again in my opinion and others might disagree, you should take care that there are no leftovers. I use it to block/unblock certain MAC addresses (parental control). And the knockd command calls a script which takes care that iptables is clean and no duplicate rules apply. As I also learned that iptables can apply a single rule multiple times 😏

Maybe this helps.
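As an added example, not knockd's own code and not the script TDFKAOlli mentions, here is the shape of a wrapper that addresses both points raised in the thread: it inserts a rule only when an identical one is absent (so repeated sequence matches or open/close spam cannot stack duplicates), and it removes a rule by matching its full specification rather than by position, so a stale index can never delete the wrong rule. It assumes `iptables -C` is available, that knockd's `%IP%` substitution is used to pass the knocking client's address, and that the script is installed somewhere like `/usr/local/sbin/knock-ssh` (a placeholder path). The `IPT` variable only exists so the script can be exercised against a stand-in instead of the real firewall.

```shell
#!/bin/sh
# Added example (not knockd's code): idempotent open/close helper for use as
# knockd's "command =". Assumes iptables supports -C (check) and that the
# client address arrives via knockd's %IP% substitution as the second argument.
set -eu

IPT="${IPT:-iptables}"   # iptables binary; overridable for testing (assumption)
CHAIN="INPUT"

# Returns 0 if an identical rule already exists in $CHAIN, 1 otherwise.
rule_present() {
    "$IPT" -C "$CHAIN" "$@" 2>/dev/null
}

# Insert the rule only when it is absent, so calling this any number of
# times (three sequence matches, open/open/open spam) leaves exactly one copy.
ensure_rule() {
    if ! rule_present "$@"; then
        "$IPT" -I "$CHAIN" "$@"
    fi
}

# Delete every copy of the rule by matching its spec, never by rule number,
# so a duplicate or a shifted index cannot cause the wrong rule to be removed.
remove_rule() {
    while rule_present "$@"; do
        "$IPT" -D "$CHAIN" "$@"
    done
}

# Entry point. Example knockd.conf wiring (paths are placeholders):
#   [openSSH]   command = /usr/local/sbin/knock-ssh open %IP%
#   [closeSSH]  command = /usr/local/sbin/knock-ssh close %IP%
main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 open|close <client-ip>" >&2
        return 2
    fi
    action="$1"
    ip="$2"
    case "$action" in
        open)  ensure_rule -p tcp --dport 22 -s "$ip" -j ACCEPT ;;
        close) remove_rule -p tcp --dport 22 -s "$ip" -j ACCEPT ;;
        *)     echo "unknown action: $action" >&2; return 2 ;;
    esac
}

# Only act when invoked with arguments (i.e. from knockd), not when sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because the rule is keyed on the client address, an open from one host does not widen access for others, and the close sequence cleans up everything that earlier opens for that host created, regardless of how many times knockd fired the command. Matching with `-C` before every `-I` and `-D` is what makes the open and close commands safe to repeat in any order.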