Package: knockd
Version: 0.5-1
Severity: important
I have employed knockd on one of the servers and, during configuration
and troubleshooting of my setup, I noticed that if the 'magic ports' are
known to an intruder, that would allow them to perform a DoS attack, due to
the fact that a child process is forked for each newly opened door.
To somewhat mitigate the problem I have decided to limit the number of
opened doors by tuning start_command. Here is my configuration:
[opencloseSSH]
sequence = 20101,10101,30101
seq_timeout = 25
tcpflags = syn
# just to be safe -- don't even try to add a rule if there are already 100 of them
start_command = /sbin/iptables -n -L ext-SSH-knock | /usr/bin/wc -l | /usr/bin/xargs -I % /usr/bin/test % -lt 100 && /sbin/iptables -A ext-SSH-knock -s %IP% -p tcp --syn --dport 22 -j ACCEPT
cmd_timeout = 20
stop_command = /sbin/iptables -D ext-SSH-knock -s %IP% -p tcp --syn --dport 22 -j ACCEPT
That only partially resolves the issue, though...
As a solution I would recommend keeping track of opened doors per IP
and not even calling start_command (and not forking a child) if the IP is
known to have an open door, or if some configurable amount of time has
not passed since the last time the door was opened and closed (even 1
second would be helpful).
Or, since most of that could be handled by a sophisticated start_command,
at least don't fork if start_command failed...
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.13.4
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)
Versions of packages knockd depends on:
ii libc6 2.3.5-9 GNU C Library: Shared libraries an
ii libpcap0.8 0.9.4-1 System interface for user-level pa
ii logrotate 3.7.1-2 Log rotation utility
knockd recommends no packages.
-- no debconf information
--Yarik
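The per-IP bookkeeping proposed in the report above, done in the start_command/stop_command rather than inside knockd, as an added example that is not code from the bug report or from the knockd project. The script path /usr/local/sbin/knock-door, the state directory, the chain name and the "open"/"close" arguments are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the knockd project): a wrapper for
# knockd's start_command/stop_command that refuses a door for an IP that already
# has one, for an IP that closed one under MIN_INTERVAL seconds ago, and once
# MAX_DOORS doors are open. Assumed knockd.conf (path and chain are assumptions):
#   start_command = /usr/local/sbin/knock-door open %IP%
#   stop_command  = /usr/local/sbin/knock-door close %IP%

STATE_DIR="${STATE_DIR:-/var/run/knockd-doors}"
MAX_DOORS="${MAX_DOORS:-100}"
MIN_INTERVAL="${MIN_INTERVAL:-1}"
CHAIN="${CHAIN:-ext-SSH-knock}"

# Firewall actions kept separate so the decision logic can be tested alone.
fw_add() { /sbin/iptables -A "$CHAIN" -s "$1" -p tcp --syn --dport 22 -j ACCEPT; }
fw_del() { /sbin/iptables -D "$CHAIN" -s "$1" -p tcp --syn --dport 22 -j ACCEPT; }

# open_doors DIR: number of doors currently open (one IP.open marker each).
open_doors() { n=0; for m in "$1"/*.open; do if [ -d "$m" ]; then n=$((n + 1)); fi; done; echo "$n"; }

# should_open IP NOW DIR: succeeds if a door may be opened for IP at epoch NOW.
should_open() {
    [ -d "$3/$1.open" ] && return 1                        # IP already has a door
    if [ -f "$3/$1.closed" ]; then
        last=$(cat "$3/$1.closed")
        [ $(($2 - last)) -ge "$MIN_INTERVAL" ] || return 1  # knocked again too soon
    fi
    [ "$(open_doors "$3")" -lt "$MAX_DOORS" ]               # global cap
}

# open_door IP NOW DIR: the marker is a directory because mkdir is atomic, so
# two knockd children racing on the same IP cannot both add a rule.
open_door() {
    should_open "$1" "$2" "$3" || return 1
    mkdir "$3/$1.open" 2>/dev/null || return 1
    fw_add "$1"
}

# close_door IP NOW DIR: drop the rule and remember when this IP closed.
close_door() {
    rmdir "$3/$1.open" 2>/dev/null || true
    echo "$2" > "$3/$1.closed"
    fw_del "$1"
}

# Entry point for knockd; a no-op when the file is sourced without arguments.
case "${1:-}" in
    open)  mkdir -p "$STATE_DIR"; open_door  "$2" "$(date +%s)" "$STATE_DIR" ;;
    close) mkdir -p "$STATE_DIR"; close_door "$2" "$(date +%s)" "$STATE_DIR" ;;
esac
```

Because knockd still forks a child per completed sequence, this bounds the iptables work and the number of rules, not the fork itself; the report's request to skip the fork entirely can only be met inside knockd.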