Knockd

From DD-WRT Wiki

Revision as of 01:14, 6 July 2005


Ok - until dd-wrt moves /etc to rw space there are going to be problems with a lot of ipkg installs. The following describes a workaround, but it is not ideal.


Introduction

knockd is a utility that can enhance security on your network. It watches the traffic on an interface through libpcap and, when it sees a special knock sequence, runs whatever command you have configured for that sequence. A knock sequence is a series of TCP or UDP packets sent to defined ports. Because knockd sniffs the packets rather than accepting connections, these ports do not even have to be open.

For example, a script could be written to forward the SSH port (port 22) to a specific LAN host for 20 seconds when the knock sequence is given. The knock sequence could be defined as, say, hitting port 22 twice with UDP, port 151 once with TCP and then port 15 with UDP.

Port scanning the router's WAN interface would show no open ports. If the scan was repeated within 20 seconds of sending the knock sequence, it would show port 22 open. This can improve security, because most attacks begin with a port scan to find out which services you run, and port 22 won't show up unless the attacker both expects you to be running knockd AND takes the time to determine the knock sequence. Bear in mind that the knock sequence travels in the clear, so anyone who can observe the traffic between you and the router can record and replay it; treat knocking as an extra layer in front of a service that authenticates properly, not as a replacement for it.

A knock sequence of TCP or UDP packets to port 1, then port 2, port 3, port 4 and port 5 could be used to launch a script that closes all ports on the router, or even takes the WAN port down for 60 seconds before bringing it back up. In this way you react to a port scan as soon as it is detected. Note that this only catches scanners that walk the ports in ascending order; nmap, for instance, randomizes port order by default.

Further examples may be seen at Linux Journal's General Discussion of Port Knocking

Installation

Prerequisites

You should already have:
-a Linksys WRT54G product
-DD-WRT installed as the firmware
-Good knowledge of the command line
-SCP or some other way to copy files to and from your desktop setup
-some knowledge of using ipkg to install packages
-jffs already configured if you don't want to install to ram
If you're running Windows on your desktop:
-TextPad or Win32Pad
(or other *nix friendly text editor. DO NOT USE NOTEPAD)

Install the libpcap package

Knockd depends on libpcap's presence. If it isn't installed, install it:

-telnet or ssh shell into the router
-run the command ipkg install -d <dest_name> libpcap
<dest_name> should be root to install to /jffs, or ram to install to /tmp.
*Remember, /tmp is deleted on router reboot*
Ex: ipkg install -d root libpcap
The default is root, so unless you want to install to /tmp you can simply run 'ipkg install libpcap'.

Install the knockd package

-Find the knockd package in the OpenWRT Package Tracker. You will need the URI of the package to install it.
-telnet or ssh shell into the router
-run the command ipkg install -d <dest_name> <URI of package>
<dest_name> should be root to install to /jffs, or ram to install to /tmp.
*Remember, /tmp is deleted on router reboot*
Ex: ipkg install -d ram http://openwrt.alphacore.net/knockd_0.4_mipsel.ipk


Configure LD PATH because we can't change /etc/ld.so.conf

 at the command prompt type the following
 $ LD_LIBRARY_PATH=/lib:/usr/lib:/jffs/lib
 $ export LD_LIBRARY_PATH
 You will need to set this every time the router reboots, or include it in
 your startup script. The /jffs/lib entry covers a libpcap installed with
 -d root; if you installed it with -d ram, check where ipkg put libpcap.so
 under /tmp and add that directory as well.

Usage & Troubleshooting

General Usage

You will need to pass a different config file at startup (again because /etc is not writable). This is quite easy; just type

knockd -d -c /jffs/etc/knockd.conf

or replace that path with wherever your conf file is.

Also note that the default interface is eth0. If your WAN is on ppp you will need to do something like this (adjust for your interface and conf file):

knockd -d -i ppp0 -c /jffs/etc/knockd.conf
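
As an added example, not part of the original page and not from the knockd project, here is a /jffs/etc/knockd.conf that the command lines above could point at. It implements the two scenarios sketched in the Introduction on a ppp0 WAN interface: the four-knock sequence forwards WAN port 22 to a LAN host for 20 seconds, and an ascending scan of ports 1 to 5 blocks the scanner for 60 seconds. The LAN host address 192.168.1.10, the log path, the timeouts and a plain iptables in knockd's PATH are assumptions; adjust them to your setup.

```ini
[options]
        logfile = /tmp/knockd.log

# Introduction example: two UDP knocks on 22, one TCP SYN on 151, one UDP on
# 15, all within 10 seconds. Forwards WAN port 22 to 192.168.1.10 (assumed
# address) for 20 seconds, and only for the address that knocked (%IP%).
[openSSH]
        sequence    = 22:udp,22:udp,151:tcp,15:udp
        seq_timeout = 10
        tcpflags    = syn
        command     = "iptables -t nat -I PREROUTING -i ppp0 -s %IP% -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22; iptables -I FORWARD -i ppp0 -s %IP% -d 192.168.1.10 -p tcp --dport 22 -j ACCEPT; (sleep 20; iptables -t nat -D PREROUTING -i ppp0 -s %IP% -p tcp --dport 22 -j DNAT --to-destination 192.168.1.10:22; iptables -D FORWARD -i ppp0 -s %IP% -d 192.168.1.10 -p tcp --dport 22 -j ACCEPT) &"

# Scan trap: TCP SYNs to ports 1,2,3,4,5 in that order within 5 seconds.
# Drops all further traffic from that address for 60 seconds instead of
# taking the whole WAN link down.
[scanTrap]
        sequence    = 1,2,3,4,5
        seq_timeout = 5
        tcpflags    = syn
        command     = "iptables -I INPUT -i ppp0 -s %IP% -j DROP; iptables -I FORWARD -i ppp0 -s %IP% -j DROP; (sleep 60; iptables -D INPUT -i ppp0 -s %IP% -j DROP; iptables -D FORWARD -i ppp0 -s %IP% -j DROP) &"
```

knockd replaces %IP% with the source address of the knock, so -s %IP% means nobody but the knocker can reach the forwarded port during the window. The command values are double-quoted because knockd's ini parser cuts an unquoted value at the first ; or # character. knockd hands the command to the shell, so the backgrounded subshell removes the rules again after the timeout; an SSH session opened inside the window survives that as long as the FORWARD chain accepts ESTABLISHED traffic (check with iptables -L FORWARD -n). Later knockd releases provide start_command, stop_command and cmd_timeout for this open-then-close pattern. The scan trap only fires on scanners that hit the ports in ascending order; nmap randomizes port order by default and needs -r to trigger it. After knocking, verify the result from the LAN side with iptables -t nat -L PREROUTING -n and tail /tmp/knockd.log.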


See the knockd homepage


Troubleshooting

See the knockd homepage

If you get the error "knockd: can't load library 'libpcap.so.0.8'", then you have either not installed libpcap or not set LD_LIBRARY_PATH; see the section above.


Load on router startup

Either put the commands above (the LD_LIBRARY_PATH export followed by the knockd command line) into rc_startup, or have rc_startup run a general startup script on /jffs that includes them. knockd must be started after the WAN interface is up, because libpcap cannot open an interface that does not exist yet.

External Resources

