On 05/02/2010 19:49, Steven Leeman wrote:
> just like ssh you have to enable the webgui on the wan via the gui ->
> system->firewall -> applications or something;
> if your password is complex (there is even a parameter "iscomplex") it
> will allow such access
> in the latest firmwares this is only https from the WAN and http from
> the LAN; ssh is the same
>
> Blogic programmed some security so if some IP is trying a few times to
> guess your root pwd it will put it in a blacklist... personally I notice
> that if I "exit" my ssh session... I can only reconnect after
> +-5 minutes... I added it to http://trac.fonosfera.org
But I can enable ssh with
    iptables -A input_daemon -s %IP% -p tcp --dport 22 -j zone_wan_ACCEPT
It doesn't work with the WebGUI, and I need an iptables command for port knocking.
Then I'd like to have a webserver listening on port 80; how can I set the
webgui port to 8080 or something?
> so you are doing something like
> "telnet fonera 1234 , telnet fonera 4321" and then port 22 is opening up?
> did you document it?
It's really simple!
Just install knockd from opkg, edit your /etc/knockd.conf like

    [options]
        logfile = /var/log/knockd.log

    # knock 1000, 2000, 3000 (SYN only) within 5 s: open port 22 for the knocking IP
    [openSSH]
        sequence    = 1000,2000,3000
        seq_timeout = 5
        command     = iptables -A input_daemon -s %IP% -p tcp --dport 22 -j zone_wan_ACCEPT
        tcpflags    = syn

    # the mirror sequence removes the rule again
    [closeSSH]
        sequence    = 3000,2000,1000
        seq_timeout = 5
        command     = iptables -D input_daemon -s %IP% -p tcp --dport 22 -j zone_wan_ACCEPT
        tcpflags    = syn

(each "command =" must stay on one line) then start knockd with knockd -i ppp0
--
f.
"It was on a rainy day that I met you
and the west wind laughed gently..."
(Modena City Ramblers)
http://fox.noblogs.org/
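The knock-and-open flow described in the message above, as an added example (it is not code from the post, from knockd or from the Fonera firmware): a POSIX shell script with a knock client, a generator for a knockd.conf variant that tears its own rule down after a timeout (knockd's start_command / cmd_timeout / stop_command), and a small parser for knockd's log that separates completed knocks from partial ones. Assumptions: nc (netcat) on the client, the chain and target names input_daemon and zone_wan_ACCEPT from the post, the hostname fonera.example (made up), and sample log lines constructed here to match knockd's "[date] IP: section: Stage N / OPEN SESAME" format.

```shell
#!/bin/sh
# Added example; not code from the list post, knockd or the Fonera firmware.
# Assumptions: nc is installed on the client; input_daemon / zone_wan_ACCEPT are
# the chain and target names from the post; fonera.example is a made-up host;
# SAMPLE_LOG below is constructed in knockd's log format for the parser.

# knock HOST PORT [PORT...]: one TCP SYN per port, in order, inside seq_timeout.
# The ports are closed on the server, so nc "fails"; only the SYN matters to knockd.
knock() {
    host=$1; shift
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" >/dev/null 2>&1 || true
    done
}

# close_sequence "1000,2000,3000" -> "3000,2000,1000": the mirror sequence for a
# separate [closeSSH] section, if you keep the two-section layout from the post.
close_sequence() {
    rev=""
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if [ -z "$rev" ]; then rev=$p; else rev="$p,$rev"; fi
    done
    printf '%s\n' "$rev"
}

# knockd_conf SEQ SECONDS: print a knockd.conf with one section that opens port 22
# for the knocking IP and deletes the rule after SECONDS (cmd_timeout +
# stop_command), so a lost or forgotten close knock cannot leave it open.
# -I puts the rule at the head of input_daemon; with -A, a trailing REJECT/DROP
# rule in that chain would be matched first and the knock would appear to do nothing.
knockd_conf() {
    seq=$1; ttl=$2
    cat <<EOF
[options]
    logfile = /var/log/knockd.log

[openclosessh]
    sequence      = $seq
    seq_timeout   = 5
    tcpflags      = syn
    start_command = iptables -I input_daemon -s %IP% -p tcp --dport 22 -j zone_wan_ACCEPT
    cmd_timeout   = $ttl
    stop_command  = iptables -D input_daemon -s %IP% -p tcp --dport 22 -j zone_wan_ACCEPT
EOF
}

# opened_ips: read knockd log lines on stdin; print "opened IP" for every IP that
# completed a sequence and "partial IP N" for IPs that hit stages but never
# completed, which is what a sequence-guessing scan from the WAN looks like.
opened_ips() {
    awk '
        / OPEN SESAME$/  { split($3, a, ":"); done[a[1]] = 1 }
        / Stage [0-9]+$/ { split($3, a, ":"); stages[a[1]]++ }
        END {
            for (ip in done) print "opened " ip
            for (ip in stages) if (!(ip in done)) print "partial " ip " " stages[ip]
        }' | sort
}

# Constructed sample: one clean knock from 203.0.113.7, three lone first-stage
# hits from 198.51.100.9 (never reaches stage 2).
SAMPLE_LOG='[2010-02-05 19:50:01] 203.0.113.7: openSSH: Stage 1
[2010-02-05 19:50:02] 203.0.113.7: openSSH: Stage 2
[2010-02-05 19:50:02] 203.0.113.7: openSSH: Stage 3
[2010-02-05 19:50:02] 203.0.113.7: openSSH: OPEN SESAME
[2010-02-05 19:50:02] openSSH: running command: iptables -I input_daemon -s 203.0.113.7 -p tcp --dport 22 -j zone_wan_ACCEPT
[2010-02-05 19:51:10] 198.51.100.9: openSSH: Stage 1
[2010-02-05 19:51:40] 198.51.100.9: openSSH: Stage 1
[2010-02-05 19:52:05] 198.51.100.9: openSSH: Stage 1'

summarize_sample() {
    printf '%s\n' "$SAMPLE_LOG" | opened_ips
}

# Client side:  knock fonera.example 1000 2000 3000 && ssh root@fonera.example
# Fonera side:  knockd_conf 1000,2000,3000 30 > /etc/knockd.conf && knockd -i ppp0 -d
```

After a knock, `iptables -L input_daemon -n --line-numbers` shows whether the rule landed and where in the chain it sits; an SSH session that is already established keeps working after stop_command fires only if the firewall accepts ESTABLISHED,RELATED traffic ahead of input_daemon. Keep in mind that a fixed three-port sequence sent in the clear over the WAN can be replayed by anyone who captured it; knockd's one_time_sequences option exists for that case.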
_______________________________________________ Development mailing list [email protected] http://fonosfera.org/mailman/listinfo/development
