Zaurus And Port Knocking
So, you're away from home, and have internet connectivity via an
internet cafe or GPRS modem, and want to access your computer at home.
However, you don't want to leave your computer open to the world, and aim to
keep it hidden. Even exposing ssh can be a risk if an exploit is found, so
how can you connect if every useful service is firewalled off using iptables?
Port knocking is a useful tool for hiding a system on the internet and making
it respond only when it receives a pre-arranged signal. The original conception
was that the system would look for packets coming to a sequence of TCP or UDP
ports which would be unresponsive, and unless the correct sequence was received,
no action would be taken. On receiving the correct sequence, permission would
be granted for the knocking client to connect (perhaps to access ssh, use a
web proxy etc). High security versions would allow the code to change, either
to use a new code once the current one had been "used up" like a one-time pad,
or to have the code fixed to some sort of time source requiring a token or
client software with the seed to the generator installed.
The technique discussed here is not strictly port knocking, as it uses a ping
with an embedded fixed password to wake up the server. Whilst this
weakens the security quite a lot, provided the action triggered doesn't do
anything dangerous it's not a massive worry, and besides, if someone is
sniffing traffic to your server, you've probably got other things to
worry about!
The advantage of using ping is that it's much easier to set up the client
- nearly every Linux x86 PC has the required software already installed.
If you're on a guest computer, you could use a live Linux distribution
like DamnSmall or Knoppix for this.
The downside is that, for the Zaurus (Cacko at least) and Windows, the
standard ping program doesn't work, because it doesn't support the options
needed to insert a character string password into the ping datagram.
However, just install hping2 on the Zaurus and it works. Whether you'd be
able to access hping2 on the Windows box is another problem :-/ but for the
sake of completeness, you can find a copy of hping2 for win32 here.
The program to be run on your Linux firewall is called barricade.
The original version was written by Francesco Vannini,
but I found that it didn't work when the pinging client was hping2, due
to differences in the way hping2 creates ICMP packets. I also realised
that it wasn't making best use of libpcap, so rewrote that part and
used pcap's filter function to only supply ICMP packets, which reduces
the CPU load somewhat. I also added and simplified the debug.
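The check a listener has to make on each ICMP packet the pcap filter hands it, as an added example that is not barricade's own code. The function name `knock_matches`, the sample packet and the password `s3same` are constructed for illustration, and scanning the whole echo payload instead of a fixed offset is an assumption about how to tolerate clients that lay out the data differently.

```c
#include <stdint.h>
#include <string.h>

/* Compare without an early exit, so timing does not reveal how many bytes matched. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* knock_matches (hypothetical name): pkt points at the IPv4 header of a captured
 * packet, link-layer header already removed. Returns 1 only for an ICMP echo request
 * whose payload contains the password at any offset. Checksums are not verified. */
int knock_matches(const uint8_t *pkt, size_t len, const char *password)
{
    size_t plen = strlen(password);
    if (plen == 0 || len < 20 || (pkt[0] >> 4) != 4)
        return 0;                                   /* empty password or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* header length incl. options */
    size_t total = ((size_t)pkt[2] << 8) | pkt[3];  /* IP total length */
    if (ihl < 20 || total < ihl + 8 || len < ihl + 8)
        return 0;                                   /* too short for an ICMP header */
    if (pkt[9] != 1 || ((pkt[6] & 0x1f) | pkt[7]) != 0)
        return 0;                                   /* not ICMP, or a later fragment */
    if (total < len) len = total;                   /* ignore link-layer padding */
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != 8 || icmp[1] != 0)
        return 0;                                   /* not an echo request */
    const uint8_t *data = icmp + 8;
    size_t dlen = len - ihl - 8;
    int found = 0;
    for (size_t off = 0; off + plen <= dlen; off++)
        found |= ct_equal(data + off, (const uint8_t *)password, plen);
    return found;
}

/* Constructed sample packet: 8 filler bytes precede the password "s3same". */
static const uint8_t sample_knock[] = {
    0x45, 0, 0, 42, 0, 1, 0, 0, 64, 1, 0, 0, 192, 0, 2, 10, 192, 0, 2, 1,
    8, 0, 0, 0, 0, 1, 0, 1,
    0, 0, 0, 0, 0, 0, 0, 0, 's', '3', 's', 'a', 'm', 'e'
};

int main(void)
{
    return knock_matches(sample_knock, sizeof sample_knock, "s3same") ? 0 : 1;
}
```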
So, what do you have to do? On your firewall/router:
- Download barricade-1.0.0-PADM.tar.gz
- Unpack it with "gzcat barricade-1.0.0-PADM.tar.gz | tar xfBp -"
- Build it with "make" (you will need gcc installed)
- Install the barricade binary into the firewall's /usr/local/sbin
- Copy the barricade.conf file into the firewall's /etc and change the
password and interface definitions to suit your firewall
- Copy the barricade_action script file into the firewall's
/usr/local/bin
- Copy the init.t script file into the firewall's /etc/init.d or
equivalent and make soft links to it in /etc/init.d/rc3.d and
rc5.d
- Start the daemon
- "tail -f /var/log/messages" to watch barricade in action
On your Zaurus:
- Install the hping2 program with "ipkg install hping2"
- Copy from the firewall the barricade_client_hping2 script
- Run the barricade_client_hping2 script to wake up the
firewall
This is under construction - please give feedback if you try this and
I'll try and help and use it to improve this page