For anyone who needs to give themselves access to their own servers from anywhere in the world via SSH / RDP / whatever else: a short RTFM / cheat sheet.
The goal is to manage without VPN and other bells and whistles, from any device at hand,
and without putting the server under much strain.
All it takes is knockd, competent hands and 5 minutes of work.
"Everything is on the Internet", of course (even on Habr), but as soon as it comes to a specific implementation, the fun starts ...
We will practise on Fedora / CentOS, but that doesn't really matter.
The cheat sheet is meant for both beginners and the old hands of this trade, so there will be comments, but brief ones.
1. Server
install knock-server:
yum/dnf install knock-server
and configure it (for SSH, as an example) in /etc/knockd.conf:
[options]
    UseSyslog
    interface = enp1s0f0

[SSHopen]
    sequence = 33333,22222,11111
    seq_timeout = 5
    tcpflags = syn
    start_command = iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 3600
    stop_command = iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

[SSHclose]
    sequence = 11111,22222,33333
    seq_timeout = 5
    tcpflags = syn
    command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
The "open" door is set to close itself again after 1 hour. You never know ...
/etc/sysconfig/iptables:
...
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
...
and off we go:
service iptables restart
service knockd start
You can also add RDP to a virtual Windows Server running inside the box (in /etc/knockd.conf; the interface name is up to you):
[RDPopen]
    sequence = 44444,33333,22222
    seq_timeout = 5
    tcpflags = syn
    start_command = iptables -t nat -A PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
    cmd_timeout = 3600
    stop_command = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

[RDPclose]
    sequence = 22222,33333,44444
    seq_timeout = 5
    tcpflags = syn
    command = iptables -t nat -D PREROUTING -s %IP% -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2
Every knock from the client can be checked on the server with the iptables -S command: each successful open shows up as an extra rule for that source address.
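To see who currently has a door open without eyeballing the whole rule set, here is a small script added for this cheat sheet (it is not from the article or the knockd project) that filters iptables -S output down to the source addresses knockd has let through. It assumes the rule shapes that the start_command lines above produce; the sample output embedded in it is constructed.

```sh
#!/bin/sh
# open-doors.sh: list which source addresses currently have a knockd door open,
# by reading iptables -S output (added example, not part of the article).
# Assumes rules shaped like the ones the start_command lines above create:
#   -A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
#   -A PREROUTING -s 203.0.113.5/32 -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2

# open_doors <dport>: read iptables -S lines on stdin, print one source IP per
# rule that lets that source reach <dport> (ACCEPT in filter, DNAT in nat).
# Rules without a -s match (like the knock-port ACCEPTs) are not doors and are skipped.
open_doors() {
    awk -v want="$1" '
        /^-A / {
            src = ""; dport = ""; target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (src != "" && dport == want && (target == "ACCEPT" || target == "DNAT")) {
                sub(/\/32$/, "", src)   # iptables prints single hosts as a /32
                print src
            }
        }'
}

# count_open_doors <dport>: same input, just the number of open doors.
count_open_doors() {
    open_doors "$1" | wc -l | tr -d ' '
}

# Constructed sample of what iptables -S INPUT and iptables -t nat -S PREROUTING
# print with two SSH doors and one RDP door open under the config above.
SAMPLE_INPUT='-P INPUT DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -s 203.0.113.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.7/32 -p tcp -m tcp --dport 22 -j ACCEPT'

SAMPLE_NAT='-P PREROUTING ACCEPT
-A PREROUTING -s 203.0.113.5/32 -i enp1s0f0 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 192.168.0.2'

# Real use on the server (needs root):
#   iptables -S INPUT | open_doors 22
#   iptables -t nat -S PREROUTING | open_doors 3389
printf '%s\n' "$SAMPLE_INPUT" | open_doors 22
printf '%s\n' "$SAMPLE_NAT" | open_doors 3389
```

Run it from a cron job or a shell prompt on the server; a door that is still listed long after you logged out is a sign that the close sequence never arrived and the cmd_timeout is doing the work instead.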
2. Rake Guide
knockd.conf:
It is all in the man pages too (but that's not certain), yet knockd is a comrade rather stingy with messages, so you have to be very careful.
- version
  In the Fedora / CentOS repositories the latest knockd as of today is 0.63. If you want UDP, look for 0.70 packages.
- interface
  In the default Fedora / CentOS configuration this line is missing. Add it by hand, otherwise nothing will work.
- timeout
  Choose to taste. The client must have enough time for all the knocks, while the port-scanning bot (and scan it will, 146% sure) must run out of time.
- start / stop / command
  If there is a single command, use command; if there are two, use start_command + stop_command.
  Get this wrong and knockd stays silent but does not work.
- proto
  In theory you can use UDP. In practice I mixed tcp and udp, and a client on a beach in Bali could only open the gate on the fifth attempt. TCP got through whenever needed; UDP, not necessarily. But again, a matter of taste.
- sequence
  The implicit rake is that the sequences must not overlap ... how to put it ...
For example, this:
open:  11111,22222,33333
close: 22222,11111,33333
The open sequence's knock on 11111 will wait for the next knock on 22222. But that knock on 22222 also starts the close sequence, and everything falls apart. It depends on the client's delay as well. That's the way it is ©.
iptables
If /etc/sysconfig/iptables contains this:
*nat
:PREROUTING ACCEPT [0:0]
that doesn't bother us, but this:
*filter
:INPUT ACCEPT [0:0]
...
-A INPUT -j REJECT --reject-with icmp-host-prohibited
does get in the way.
Since knockd appends its rules to the end of the INPUT chain, they land after that REJECT, so the packet is rejected before our ACCEPT is ever reached.
And switching that REJECT off means opening the box to all winds.
Rather than digging through iptables to find where to insert something in front of it (as people suggest), let's do it more simply:
- the default CentOS / Fedora policy in the first line ("whatever is not forbidden is allowed") is replaced by the opposite,
- and the last rule is removed.
The result should look like this:
*filter
:INPUT DROP [0:0]
...
#-A INPUT -j REJECT --reject-with icmp-host-prohibited
You can, of course, use REJECT instead of DROP, but with DROP the bots will have more "fun".
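To catch exactly this problem before restarting iptables, here is a small script, added as an example (not from the article or the knockd project), that classifies the INPUT chain of an iptables-save style file into the three states discussed above: shadowed by a trailing REJECT, wide open, or ready for knockd. The sample rule sets it builds are constructed, modelled on the CentOS default shown above.

```sh
#!/bin/sh
# filter-check.sh: tell whether an iptables-save style file (such as
# /etc/sysconfig/iptables) is ready for knockd's appended ACCEPT rules.
# Added example, not from the article or the knockd project; the sample
# rule sets below are constructed and modelled on the CentOS default.

# filter_input_state <file>: prints one word for the INPUT chain of *filter:
#   shadowed  - the chain ends in an unconditional REJECT/DROP, so anything
#               knockd appends with -A INPUT sits behind it and never matches
#   wide-open - no catch-all rule and policy ACCEPT: unknown traffic gets in
#   ok        - no catch-all rule and policy DROP: only explicit ACCEPTs pass,
#               including the ones knockd appends
filter_input_state() {
    awk '
        /^\*/             { table = substr($1, 2); next }   # *nat, *filter, ...
        table != "filter" { next }
        /^:INPUT /        { policy = $2 }
        /^-A INPUT /      { last = $0 }     # commented-out lines (#-A ...) do not match
        END {
            if (last ~ /^-A INPUT -j (REJECT|DROP)( |$)/) print "shadowed"
            else if (policy == "DROP")                    print "ok"
            else                                          print "wide-open"
        }' "$1"
}

# write_sample <policy> <catch_all_prefix> <file>: a CentOS-style
# /etc/sysconfig/iptables with the knock ports accepted (constructed sample).
# <catch_all_prefix> is "" to keep the final REJECT or "#" to comment it out.
write_sample() {
    cat > "$3" <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT $1 [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 11111 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22222 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33333 -j ACCEPT
$2-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# state_for <policy> <catch_all_prefix>: build the sample and classify it.
state_for() {
    f=$(mktemp)
    write_sample "$1" "$2" "$f"
    filter_input_state "$f"
    rm -f "$f"
}

# Real use: filter_input_state /etc/sysconfig/iptables
# The three cases from the text:
echo "default (ACCEPT policy, REJECT at the end): $(state_for ACCEPT '')"
echo "REJECT removed, policy left at ACCEPT:     $(state_for ACCEPT '#')"
echo "REJECT removed, policy DROP:               $(state_for DROP '#')"
```

Only "ok" is the state the article ends up in; "shadowed" is the stock file, and "wide-open" is what you get if you comment out the REJECT but forget to flip the policy.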
3. Client
This is the most interesting part (from my point of view), because you need to work not only from any beach but also from any device.
In principle, a number of clients are listed on the project's website, but that is the same "everything is on the Internet" story. So I will list what works here and now, at my fingertips.
When choosing a client, make sure it supports a delay option between packets. Yes: the beach, the crowds and "100 megabits" never guarantee that packets leave such a place in the right order at the right time.
And yes, when setting up the client, the delay has to be picked by yourself. Too large a timeout and the bots get in; too small and the client does not make it in time. Too large a delay and the client does not make it in time either, or you run into the sequence conflict (see "rake"); too small and the packets get mixed up on their way across the Internet.
With timeout = 5 s, delay = 100..500 ms is a fully working option.
Windows
Ridiculous as it sounds, googling a decent knock client for this platform is quite nontrivial: one with a CLI, delay support, TCP, and no bells and whistles.
As an option, you can try this one here. Apparently my Google isn't up to it.
Linux
Everything is simple here:
dnf install knock -y
knock -d <delay> <dst_ip> 11111 22222 33333
MacOS
The easiest way is to install the port from homebrew:
brew install knock
and write yourself little launcher scripts (bat-file style) of the form:
#!/bin/sh
knock -d <delay> <dst_ip> 11111 22222 33333
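A slightly fuller version of that launcher, added here as an example rather than taken from the article: it opens the door, runs ssh and sends the close sequence afterwards instead of leaving the door to cmd_timeout. It assumes the [SSHopen] / [SSHclose] doors from the knockd.conf in section 1 (so the knock order is 33333 22222 11111 to open and 11111 22222 33333 to close, each matching its door's sequence) and the knock client from the knock package; the nc fallback and the 300 ms default delay are my own choices.

```sh
#!/bin/sh
# ssh-knock.sh: knock the SSH door open, run ssh, and knock it shut again
# when the session ends. Added example, not the article's script; it assumes
# the [SSHopen] / [SSHclose] doors from the knockd.conf above and the knock
# client from the knock package (nc is only a fallback).

OPEN_SEQ="33333 22222 11111"     # must match [SSHopen]  sequence, in order
CLOSE_SEQ="11111 22222 33333"    # must match [SSHclose] sequence, in order
DELAY_MS=${DELAY_MS:-300}        # pause between knocks; 100..500 ms fits seq_timeout = 5

# send_knocks <host> <delay_ms> <port>...: one SYN per port with a pause between.
send_knocks() {
    host=$1; delay=$2; shift 2
    if command -v knock >/dev/null 2>&1; then
        knock -d "$delay" "$host" "$@"
        return $?
    fi
    # Fallback: a single connect attempt per port, no retries. The knock ports
    # answer with RST (nothing listens there), which is all knockd needs to see.
    for port in "$@"; do
        nc -z -w 1 "$host" "$port" >/dev/null 2>&1 || true
        sleep "$(awk "BEGIN { print $delay / 1000 }")"
    done
}

# knock_session <host> [ssh options]: open, connect, close; returns ssh's exit code.
knock_session() {
    target=$1; shift
    send_knocks "$target" "$DELAY_MS" $OPEN_SEQ || return 1
    sleep 1                      # give knockd time to run start_command
    ssh "$@" "$target"
    rc=$?
    # Close right away instead of waiting for cmd_timeout (3600 s in the config above).
    send_knocks "$target" "$DELAY_MS" $CLOSE_SEQ
    return $rc
}

# Usage: ./ssh-knock.sh <host> [ssh options]   e.g. ./ssh-knock.sh 203.0.113.10 -l admin
if [ $# -gt 0 ]; then
    knock_session "$@"
fi
```

DELAY_MS can be overridden from the environment when the link is bad (DELAY_MS=500 ./ssh-knock.sh ...); the ssh options go after the host, as in the usage line.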
iOS
The working option is KnockOnD (free, from the App Store).
Android
"Knock on Ports". Not an advert, it simply works. And the developers are quite responsive.
PS: Habr's markdown ... well, God bless it, some day ...
UPD1: thanks to a kind person, a working client for Windows was found.
UPD2: another kind person pointed out that appending new rules to the end of iptables is not always useful. But that depends.