Port knocking using two-factor authentication
List of commits:
| Subject | Hash | Author | Date (UTC) |
|---|---|---|---|
| Small stuff dealing with ENOBUFS; doc updated | 17bb2fc3712e1704519d4c4257462e71350dfa93 | Catalin(ux) M. BOIE | 2018-03-23 03:28:39 |
| Add first support for ct marking | 19268d626b40bdd18480cc79fa597aa4bff9c824 | Catalin(ux) M. BOIE | 2018-03-21 17:23:01 |
| More tweakings all around | 0c5961860deadb8bcb1dfd1be429b2966f03312a | Catalin(ux) M. BOIE | 2018-03-11 21:10:32 |
| Added password support | df6d270a3e243084069a31fe980d76c97d89a861 | Catalin(ux) M. BOIE | 2018-02-13 22:46:53 |
| Checkpoint | 049e12584744b8a51bfc5867fd0e7b2db0592deb | Catalin(ux) M. BOIE | 2018-02-11 22:25:13 |
| Fixed a bug in totp, added keys in memory | abec61861e2f37398026dbe7342d7751390e95d8 | Catalin(ux) M. BOIE | 2018-02-04 18:36:12 |
| Initial version | c641fafbd46342cd24fde45129cc3637b7ca65bc | Catalin(ux) M. BOIE | 2018-02-03 23:42:32 |
Commit 17bb2fc3712e1704519d4c4257462e71350dfa93
- Small stuff dealing with ENOBUFS; doc updated
Author: Catalin(ux) M. BOIE
Author date (UTC): 2018-03-23 03:28
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2018-03-23 03:28
Parent(s): 19268d626b40bdd18480cc79fa597aa4bff9c824
Signing key:
Tree: fca19b6f7e7caf3f6355c147d4cd6f608bfd7505
Author: Catalin(ux) M. BOIE
Author date (UTC): 2018-03-23 03:28
Committer name: Catalin(ux) M. BOIE
Committer date (UTC): 2018-03-23 03:28
Parent(s): 19268d626b40bdd18480cc79fa597aa4bff9c824
Signing key:
Tree: fca19b6f7e7caf3f6355c147d4cd6f608bfd7505
| File | Lines added | Lines deleted |
|---|---|---|
| README | 3 | 3 |
| nf2fad.c | 6 | 1 |
| File README changed (mode: 100644) (index ef115c0..8669344) | |||
| ... | ... | For iptables: | |
| 49 | 49 | -A INPUT -i ethX -m mark --mark 0x77777777 -j CONNMARK --save-mark | -A INPUT -i ethX -m mark --mark 0x77777777 -j CONNMARK --save-mark |
| 50 | 50 | # We need this rule again, to not hit again nf2fad. | # We need this rule again, to not hit again nf2fad. |
| 51 | 51 | -A INPUT -i ethX -m connmark --mark 0x77777777 -j ACCEPT | -A INPUT -i ethX -m connmark --mark 0x77777777 -j ACCEPT |
| 52 | # These are the control channels: | ||
| 52 | # CONTROL_CHANNEL(S)_SECTION: These are the control channels: | ||
| 53 | 53 | -A INPUT -i ethX -p icmp --icmp-type echo-request -j NFQUEUE --queue-num 4444 | -A INPUT -i ethX -p icmp --icmp-type echo-request -j NFQUEUE --queue-num 4444 |
| 54 | 54 | -A INPUT -i ethX -p udp --dport 1 -j NFQUEUE --queue-num 4444 | -A INPUT -i ethX -p udp --dport 1 -j NFQUEUE --queue-num 4444 |
| 55 | # Now, what ports to allow. | ||
| 55 | # ALLOW_SECTION: Now, what ports to allow. | ||
| 56 | 56 | # Next rule will pass port 22 (for example) to nf2fa and the connection will | # Next rule will pass port 22 (for example) to nf2fa and the connection will |
| 57 | 57 | # be marked if allowed. You may add here other ports as well. | # be marked if allowed. You may add here other ports as well. |
| 58 | 58 | -A INPUT -i ethX -p tcp --dport 22 -j NFQUEUE --queue-num 4444 | -A INPUT -i ethX -p tcp --dport 22 -j NFQUEUE --queue-num 4444 |
| 59 | 59 | ||
| 60 | 60 | For ip6tables: | For ip6tables: |
| 61 | <insert here the IPv4 rules till the control channels> | ||
| 61 | <insert here the IPv4 rules till the control channel(s)> | ||
| 62 | 62 | -A INPUT -i ethX -p ipv6-icmp --icmpv6-type echo-request -j NFQUEUE --queue-num 4444 | -A INPUT -i ethX -p ipv6-icmp --icmpv6-type echo-request -j NFQUEUE --queue-num 4444 |
| 63 | 63 | -A INPUT -i ethX -p udp --dport 1 -j NFQUEUE --queue-num 4444 | -A INPUT -i ethX -p udp --dport 1 -j NFQUEUE --queue-num 4444 |
| 64 | 64 | -A INPUT -i ethX -p tcp --dport 22 -j NFQUEUE --queue-num 4444 | -A INPUT -i ethX -p tcp --dport 22 -j NFQUEUE --queue-num 4444 |
| File nf2fad.c changed (mode: 100644) (index 3f0c6c1..5e6b364) | |||
| ... | ... | int main(int argc, char *argv[]) | |
| 1108 | 1108 | if (ev.data.fd == fd1) { | if (ev.data.fd == fd1) { |
| 1109 | 1109 | ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); | ret = mnl_socket_recvfrom(nl, buf, sizeof(buf)); |
| 1110 | 1110 | if (ret == -1) { | if (ret == -1) { |
| 1111 | perror("mnl_socket_recvfrom"); | ||
| 1111 | if (errno == ENOBUFS) { | ||
| 1112 | fprintf(stderr, "Some packets were lost. Bad.\n"); | ||
| 1113 | continue; | ||
| 1114 | } | ||
| 1115 | |||
| 1116 | perror("error receiving from nl fd"); | ||
| 1112 | 1117 | return 1; | return 1; |
| 1113 | 1118 | } | } |
| 1114 | 1119 | ||
Hints:
Before first commit, do not forget to setup your git environment:
Clone this repository using HTTP(S):
Clone this repository using ssh (do not forget to upload a key first):
Clone this repository using git:
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
Before first commit, do not forget to setup your git environment:
git config --global user.name "your_name_here"
git config --global user.email "your@email_here"
git config --global user.email "your@email_here"
Clone this repository using HTTP(S):
git clone https://rocketgit.com/user/catalinux/nf2fa
Clone this repository using ssh (do not forget to upload a key first):
git clone ssh://rocketgit@ssh.rocketgit.com/user/catalinux/nf2fa
Clone this repository using git:
git clone git://git.rocketgit.com/user/catalinux/nf2fa
You are allowed to anonymously push to this repository.
This means that your pushed commits will automatically be transformed into a merge request:
... clone the repository ...
... make some changes and some commits ...
git push origin main
... make some changes and some commits ...
git push origin main
RocketGit
Rocket your launch!
Rocket your launch!