knockd.
© 2009 Jan Zulawski <fdd@altair.pw>

## (to) knock; knockd. however, that `d' comes from *daemon*.

% echo -e 'e.g.,\n'

% iptables -L -n
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  foo.bar.qux.def      0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22

% cat /etc/knockd.conf
[openSSH]
    sequence    = foobar,def,plugh,fred,xyzzy,thud
    seq_timeout = 5
    command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

[closeSSH]
    sequence    = thud,def,fred,foobar,xyzzy,plugh
    seq_timeout = 5
    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    tcpflags    = syn

% knock -v foo.bar.qux.quux foobar def plugh fred xyzzy thud

% echo 'however, knocks can be sent via netcat, hping, packit, etc.'

% echo 'open_port command executed @foo.bar.qux.def.'
% echo 'do sleep 16; while job_done; done...'

% knock -v foo.bar.qux.quux thud def fred foobar xyzzy plugh

% echo 'close_port command now executed @specific.host. all set. w00t!'

n.b.:
#01. {def,foobar,fred,plugh,thud,xyzzy} == (tcp || udp) ports.
#02. use as many as you want... anyway, 3 should be just fine (read as `secure'). n.b. the sequence is static and goes over the wire in the clear (plain syn packets, no auth), so it is a layer of obscurity on top of the DROP policy, not a replacement for sshd's own auth.

 .
..:

-- Feb 18, 2009.

tonight
black celebration
tonight
