Forcing SaltStack to "knock harder"
I really like the "knocking harder" technique I developed. I haven't seen it mentioned anywhere else, and it effectively gives the protected service a smart layer of obscurity with minimal effort and complexity.
I also like SaltStack as a remote configuration and management tool. It connects over two ports, and I was looking for a way to use my technique on this service. Salt uses ports 4505 and 4506: 4506 is the first port a minion connects to and carries several short-lived connections as well as a long-lasting session, while 4505 carries a single long-lasting session.
I wanted to protect the first connection by requiring multiple SYN packets (a "hard knock"), but then allow connections to both ports with no delay as long as there's continuous traffic and sessions between them. To that end, I've come up with the following patch to ufw's after.rules file.
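To see what the chain in the patch does over time, here is an added Python model (not code from the post) of the xt_recent --set/--rcheck/--update/--remove semantics the rules rely on, walked over a constructed sequence of SYNs. The hosts and timestamps are made up, and xt_recent's 20-stamp ring limit per entry is deliberately not modelled.

```python
from collections import defaultdict

# Constructed model (not from the post, no kernel involved) of the xt_recent
# semantics the salt-new-conn chain relies on: per table, per source, a list
# of hit timestamps in seconds.  The 20-stamp ring limit is not modelled.
class RecentTables:
    def __init__(self):
        self.tables = defaultdict(dict)

    def set(self, name, src, now):
        # --set: always matches, appends a hit (creates the entry if needed)
        self.tables[name].setdefault(src, []).append(now)
        return True

    def rcheck(self, name, src, now, seconds, hitcount):
        # --rcheck: read-only; matches if >= hitcount hits fall within the window
        hits = [t for t in self.tables[name].get(src, []) if now - t <= seconds]
        return len(hits) >= hitcount

    def update(self, name, src, now, seconds):
        # --update --hitcount 1: matches like rcheck, then refreshes the entry
        if self.rcheck(name, src, now, seconds, 1):
            self.tables[name][src].append(now)
            return True
        return False

    def remove(self, name, src):
        # --remove: matches if the entry existed and deletes it
        return self.tables[name].pop(src, None) is not None

def salt_new_conn(tables, src, dport, now):
    """Walk one NEW SYN to 4505/4506 through the post's chain: ACCEPT, DROP or RETURN."""
    if tables.update("salt-allow", src, now, 86400):    # allowed within the last day
        return "ACCEPT"
    if dport == 4505:                                    # only 4506 counts as a knock;
        return "RETURN"                                  # RETURN -> ufw's default log/drop
    tables.set("salt-knock", src, now)                   # record the knock (LOG is non-terminating)
    if not tables.rcheck("salt-knock", src, now, 5, 3):  # ! --rcheck: fewer than 3 in 5 s
        return "DROP"
    tables.remove("salt-knock", src)                     # knock complete: clear knock records,
    tables.set("salt-allow", src, now)                   # add the allow record and accept
    return "ACCEPT"

def run(events):
    """events: (time, src, dport) SYNs in time order; returns one verdict per SYN."""
    tables = RecentTables()
    return [salt_new_conn(tables, src, dport, t) for t, src, dport in events]
```

Three SYNs to 4506 at 0, 1 and 3 seconds, which is the spacing of an ordinary TCP client's SYN retransmits, satisfy `--seconds 5 --hitcount 3`, so a plain client completes the knock by itself, while the same three SYNs spread over 14 seconds only succeed once three of them fall inside one 5-second window.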
--- after.rules.orig 2016-06-30 14:56:53.155072361 -0500 | |
+++ after.rules 2016-06-30 14:38:06.839093867 -0500 | |
@@ -15,6 +15,9 @@ | |
:ufw-after-forward - [0:0] | |
# End required lines | |
+### add salt-stack knocking chains | |
+:salt-new-conn - [0:0] | |
+ | |
# don't log noisy services by default | |
-A ufw-after-input -p udp --dport 137 -j ufw-skip-to-policy-input | |
-A ufw-after-input -p udp --dport 138 -j ufw-skip-to-policy-input | |
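Review bot: the new chain is declared only in after.rules, which ufw applies to IPv4; if the master is also reachable over IPv6, the same `:salt-new-conn - [0:0]` declaration and the rules from the next hunk need to go into after6.rules as well, otherwise 4505/4506 over IPv6 are never sent through the knock chain. Worth a line in the `### add salt-stack knocking chains` comment either way.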
@@ -26,5 +29,22 @@ | |
# don't log noisy broadcast | |
-A ufw-after-input -m addrtype --dst-type BROADCAST -j ufw-skip-to-policy-input | |
+### add salt-stack knocking rules | |
+### accept all connections if there's been an accepted connection within the last day | |
+-A salt-new-conn -m recent --update --rsource --name salt-allow --seconds 86400 --hitcount 1 -j ACCEPT | |
+### new connections start with 4506, if we're knocking on 4505, return and let default rules log and drop | |
+-A salt-new-conn -p tcp --dport 4505 -j RETURN | |
+### add/update the knock record and log that we got a knock (--set always returns success) | |
+-A salt-new-conn -m recent --set --rsource --name salt-knock -j LOG --log-prefix "[UFW SALT KNOCK] " -m limit --limit 3/min --limit-burst 10 | |
+### ! rcheck if we've recorded 3 knocks in the last 5 seconds. if NOT, just drop (no need to log as we just did that) | |
+-A salt-new-conn -m recent ! --rcheck --rsource --name salt-knock --seconds 5 --hitcount 3 -j DROP | |
+### now we have seen enough knocks, remove the knock records for that IP and log that we're adding an allow record (both actions are optional) | |
+-A salt-new-conn -m recent --remove --rsource --name salt-knock -j LOG --log-prefix "[UFW SALT ALLOW] " -m limit --limit 3/min --limit-burst 10 | |
+### add the allow record and accept the packet | |
+-A salt-new-conn -m recent --set --rsource --name salt-allow -j ACCEPT | |
+ | |
+## add an after input rule to send all salt traffic to the knocking rule chain | |
+-A ufw-after-input -p tcp -m state --state NEW -m multiport --dports 4505,4506 -j salt-new-conn | |
+ | |
# don't delete the 'COMMIT' line or these rules won't be processed | |
COMMIT |
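Review bot: the salt-allow record is refreshed only by packets that reach this chain, and the jump `-A ufw-after-input -p tcp -m state --state NEW -m multiport --dports 4505,4506 -j salt-new-conn` sends only NEW connections there, so the `--update --rsource --name salt-allow --seconds 86400` entry is kept alive by new connection attempts, not by traffic on the long-lasting 4505/4506 sessions the post describes. A minion that holds its sessions open for more than a day without opening a new connection will be back to knocking on its next connect; either state that assumption in the `### accept all connections` comment or add an ESTABLISHED-matching rule on those ports that does a `--update` on salt-allow.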
Labels: iptables, obscurity, port knocking, saltstack, xt_recent
1 Comment:
As of 2019.2.0, port 4505 appears to be the first port to attempt to connect. Swapping 4505 and 4506 in the above patch (or eliminating the RETURN line entirely) works like a charm.