• m Linux pЉ|
    ̪sG2007/09/22
    yۤv}@ӫzOܦht޲z``ݭnҪDA]ڭ̱``ݭnbP̭suDEhI Fۤv޲zKA`ƱiHo򰵡COp@ӤSߨtwDC ҥHA@ӻAۤv}@ӫ̦nO\iHTw IP suAo˳̔xPx¡A ӥBASMnw Internet }㦳@MIAȡA|Ҩӻ ssh NO䤤@Ӕ[I

    LApGΤݬODTw IP ɡAoӮɭDnNAAȰw Internet i}ܡH SMTp@ӡA]p[HuOܧxZInbAo knockd iHDڭ̳BzoӰDOI


    jADϥ
    @A@P޲zSA̭nOsҴѪAȤn{A HקKi|DHJI|}DC|ҨӻApG} WWW NonHɧs Apache o{~nC AӫhOqw@tCa_AǾާ@欰A^UӤ~O]wCҥHAnR񤣤WnsI OROLsbnTAU̔x@]aC

    @ӻAb Linux AWYʥ]LoDnRA(1)O Linux ֤ߤ䴩 iptables A (2)hOQ TCP Wrappers ( xinetd o super daemon) AYOQ /etc/hosts.allow, /etc/hosts.deny oɮרӺ޲z覡CQ iptables iHYɧsEAӥBį]OܤhC ܩϥ TCP Wrappers ܡANonw /etc/hosts.{allow,deny} ׭ק諸oC

    򥻤WAunpQn[]ܡANonwSwΤSw IP ӷi}Ωʎʧ@C ҿתySwzOҦp 192.168.0.0/24 Ϊ̬OYӯSw IP ΥDEW١AΪ̬OYӯSww (p port 80) ΡC ӤSwbo̪Nܰw Internet }񪺷NCpGp󨾤RLDA iHѦҤ@Umeg@g ̔ AC bo@SAm]zwg| iptables }ykP[ԎOFC

    MܦhH\oO@DE޲zW̭naAmeN͹LA 򥻤WOSγ~I ^_^I]LApApon}YǪAȵΤݵnJaI p@ӡASMLk׹AҶ}񪺪AȤsuTI ]O@LγBAܤ֥LiHNAҴѪAȡy]zbYǯSwd򤺡C 򻡩OHUڭ̨|ӨҤlnFC

    m Linux DEmXsjTǼtA ӥBm``ݭnbSTw IP asuoDEWiާ@AHqjaݤ@UDE]wΪ̬O@ Linux }ijDC ]mҦbΤݨSTw IP AҥHO_Nonw Internet Ӷ}񨺭ӥiȪ sshd AȶܡH n`NA sshd iOӫܦMIAȳA]unϥΪ̵nJDEAL^@ƱbӦhFI ҥHnN sshd Internet }~nCzOaH

    JM sshd Internet }AMӉmҦbmSODTw IP ӷAڳo Linux server npw sshd i]w[HDLܡHISDAڭ̥iHQ knockd o daemon ӭtdTI Uڭ̴Nӽͤ@ knockd oөNNaI


    jADϥknockd ϥ
    FMDTw IP ӷΤݪsuDAڭ̥ionʪ[JΤݪ]w󨾤WhSC oꐷTIS۰ʪ覡iHWh۰ʪק諸HO㨺NOQ knockd oӪAȡC Uڭ̨ӽͽͳoӪN઺SPϥΤ覡aI


    pADϥknockd \PS
    knockd DnتOƱiHʺAק慨WhALB@y{Oo˪G
    1. AݪWh}TӥkfAoǰfSQL{ťΡABi knockd ҰF
    2. ΤݭY̷ӳ]wĶ̌ǪsuoTӰfɡA knockd NiʺAWh]w
    3. WhQקAB knockd i氻F
    4. SΤ knockd έԹOɡAΪ̬OΤݲmuABJTWhN|QC
    p@ӡASڦbDTw IP qQnsuAɡANiHzLoEӳBzTI Ӭy{I^UϥܡG

    knockd Bzy{
    Ϥ@-aBΤݥny̧ǡzYǰfisuʧ@

    knockd Bzy{
    Ϥ@-bBYqL knockd f]wAh knockd |ʺAW[WhABΤݥiHsuF

    knockd Bzy{
    Ϥ@-cBYΤݲmuAΪ̬O knockd ΫݹOɡAh knockd iDʪRإߪWh

    ziHݨAWhӬO}AMbΤݨ̧ǸIIJYǰfA knockd N^yȰw惡@ IPzŰʬYǯSwfAɥΤݴN^zLoӯSfiDEsuC åBiHbΤ_uANMWhIIp@ӡAڭ̤AObBA NiHϥγoӥ\Ӷ}ŬYǤMIATAҦp sshd o port 22 oI


    pADϥknockd wU
    knockd wUD`̔xA]LF Tarball ~AR SRPM IҥHwU譱D`eI mON knockd wUb CentOS 5.x WAҥHϥ RPM ӴjaݬݡC pGpQnwU Tarball ܡAiHѦҳo@gG Tarball PlX Cܩ knockd UiHѦҡG ڭ̶}lwUaI
    1. UoӳnaI
    [root@linux ~]# wget  \
    > http://www.invoca.ch/pub/packages/knock/knock-0.5-4.src.rpm
    
    2. }ls RPM ɮסI
    [root@linux ~]# rpmbuild --rebuild knock-0.5-4.src.rpm
    Installing knock-0.5-4.src.rpm
    error: Failed build dependencies:
            libpcap-devel is needed by knock-0.5-4.i386
    # pGX{WzTAܩpRY}gM󥼦wUAЦۦϥ yum wU
    # ~AнT{AwgwUFoiuœA]A gcc, glibc-devel ΆΡA
    # SMAYݭnɡAiHwUӵoiuMG 
    # yum groupinstall "Development Tools"
    
    [root@linux ~]# rpmbuild --rebuild knock-0.5-4.src.rpm
    Installing knock-0.5-4.src.rpm
    Executing(%prep): /bin/sh -e /var/tmp/rpm-tmp.42725
    + umask 022
    + cd /usr/src/redhat/BUILD
    .....(ٲ).....
    Wrote: /usr/src/redhat/RPMS/i386/knock-0.5-4.i386.rpm
    Wrote: /usr/src/redhat/RPMS/i386/knock-server-0.5-4.i386.rpm
    Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.26785
    .....(Uٲ).....
    # ܤ֭nX{pWrA~OTs\I^UӷǷQwUI
    
    [root@linux ~]# rpm -ivh /usr/src/redhat/RPMS/i386/knock-*
    Preparing...           ################################# [100%]
       1:knock-server      ################################# [ 50%]
       2:knock             ################################# [100%]
    #  knock O client ݪOA knock-server ~OAݪnI
    
    ^̔xaIo˴NwUSFpiHϥ rpm -ql knockd rpm -ql knockd-server hݬݦԣƦboӮM󤤡A MiHϥ man knock man knockd OԎ client/server ݪ]wkI Uڭ̴N}lӳ]w knockd aI


    pADϥknockd ]wPŰ--H SSH
    b}l knockd eAаȥϥ man knockd hd\@UN]wkA oܭn[IMp|DU]wɪNqInFAڭ̪D knockd O]Ѱ port ӰʺAi樾WhקA ҥHڭSMNon]wTCϥ RPM wUɡAw]]wɦb /etc/knockd.conf A oɮתleOo˪G
    [root@linux ~]# vi /etc/knockd.conf
    # Default /etc/knockd.conf as installed by the knock-server RPM.
    # Global options for the knockd daemon.
    [options]
        # Log through syslog (the page says this ends up in /var/log/messages).
        UseSyslog
    # One knock sequence that opens, then closes, TCP port "ssh" for the knocking host.
    [opencloseSSH]
        # Ports the client must hit, in this order, with the given protocol.
        sequence      = 2222:udp,3333:tcp,4444:udp
        # Seconds the whole sequence must complete within.
        seq_timeout   = 15
        # TCP flags a knock packet must carry to count. NOTE(review): UDP has no
        # flags at all, so with the two UDP hits above this default sequence can
        # never be satisfied as written; the page's revised config uses "syn".
        tcpflags      = syn,ack
        # knockd substitutes %IP% with the knocking client's source address.
        # NOTE(review): -A appends to the END of INPUT; if the chain already ends in
        # a DROP/REJECT rule the appended ACCEPT is never reached — an insert
        # (-I INPUT) at the head is the usual fix. Depends on the host's ruleset.
        start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
        # Seconds after start_command before stop_command runs.
        cmd_timeout   = 10
        # Removes exactly the rule added above (must match it argument for argument).
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
    # UӋNqi man knockd dA̔xAU]wجG
    # [options]:	 P knockd 즳}]wơF
    # UseSyslog:	 P knockd }nJƨϥ syslogd m /var/log/messages
    # [opencloseSSH] }ŻP} SSH ]wءF
    # sequence:	 knockd fPʥ]w (tcp/udp)
    # seq_timeout:	 ݭnbXyzAsWf^IJ (sequence ]w)F
    # tcpflags:	 ӷʥ]һݱaʥ]AxA@ӻA UDP ʥ]| ack A
    #		 ҥHWzw]AһPʥ]AOLkkXAҥHݭnקC
    # start_command: Ys^IJҦfAh knockd }l򪺫OF
    # stop_command:	 YΤ_uFAN򪺫O
    # cmd_timeout:	 Y]w stop_command hݦ]wAqw}lPɶC
    
    pWҭzAw]]wɦIpDAҥHɧڭ̻ݭnק@U]wɤ~nC m]wɪI^oˡG
    [root@linux ~]# vi /etc/knockd.conf
    # Revised /etc/knockd.conf used by this page.
    # Global options for the knockd daemon.
    [options]
        # Write knockd's own log to a dedicated file instead of syslog.
        LogFile       = /var/log/knockd.log
        # Interface knockd listens on for knock packets.
        Interface     = eth0
        # (original comment garbled in this encoding; from the values above it
        # explains keeping a separate log file and binding knockd to eth0)
    
    # Knock sequence that opens, then closes, TCP port "ssh" for the knocking host.
    [opencloseSSH]
        # Ports the client must hit, in this order, with the given protocol
        # (matches the "knock -v ... 2100:tcp 2200:udp 2300:tcp" client calls on this page).
        sequence      = 2100:tcp,2200:udp,2300:tcp
        # Seconds the whole sequence must complete within.
        seq_timeout   = 15
        # Only SYN is required, so the UDP hits (which carry no flags) and plain
        # TCP connection attempts both count as knocks.
        tcpflags      = syn
        # knockd substitutes %IP% with the knocking client's source address.
        # NOTE(review): -A appends to the END of INPUT; if the chain already ends in
        # a DROP/REJECT rule the appended ACCEPT is never reached — an insert
        # (-I INPUT) at the head is the usual fix. Depends on the host's ruleset.
        start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
        # Seconds the ACCEPT rule stays in place before stop_command removes it.
        cmd_timeout   = 30
        # (original comment garbled in this encoding; it describes the 30 s window
        # in which the client must connect before the rule is removed)
        # NOTE(review): an SSH session opened inside the window survives the
        # removal only if INPUT also accepts ESTABLISHED/RELATED traffic earlier
        # in the chain — confirm against the host firewall script. The knock
        # sequence itself travels in clear, so treat it as an extra filter in
        # front of sshd, not as a substitute for sshd's own authentication.
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
    
    ]wSNԒ֨ӎŰʥLaIŰʴN̔xFI
    [root@linux ~]# /etc/init.d/knockd start
    [root@linux ~]# chkconfig knockd on
    
    o˴NdwF knockd FI


    jADϥknock ΤݳBz覡
    JM knockd ݭn^IJAӋӰfAΤMp^IJOH̔x[ piHϥ telnet oeʥ]A]iHϥ knock oӥΤݫOӳBzC knock ܤhaAbLPɴ Linux/Windows ӥΤݵ{I m]ijϥ knock YiA]ϥ telnet ``Lk\AuФH Uڭ̨ڴݬoG


    pADϥΤݬ Linux t
    pGΤݬO Linux tɡAЫeewUaApunwU knock YiAݭnwU knock-server TI oӵ{pϥΩOHD`̔xAuno˰YiG
    [root@linux ~]# knock -v 192.168.1.254 2100:tcp 2200:udp 2300:tcp
    hitting tcp 192.168.1.254:2100
    hitting udp 192.168.1.254:2200
    hitting tcp 192.168.1.254:2300
    
    knock [WDEW١AM᭱NO^򪺤PfCܩ -v ӋuOCX knock Τ᪺B@y{ӤwC ^UӥΤݦ 30 ɶ (m]wɦۭqAziHק惡) iHsWDEA pGWL 30 S^RܡAMWhN|QARIpGQnT{L\ܡA Ш knockd DEWA iptables-save d\ݬݦS IP CNDTI̔xaI


    pADϥΤݬ Windows t
    YΤݬ Windows tɡAknockd xwgܦnߪN knock Τݳns Win32 檺Giɮ (binary file) AҥHpiH^UӨϥΡCYݤUAЫUsaG
    ѩɮ׬OYɡA]pnY~CYܫAiJsتؿ|UɮסG

    Windows Τ
    ϤGBWindows ΤݨϥΪ knock n

    Wɮ׳OlXAjaѦҥΦӤwCb Release ؿɮפ~OiɡC ijpiHNɦW knock.exe ɮ (b Release ؿ) m C:\Windows UA o˩p~iHba誽^UF knock oӫOC^UӽХ} DOS AYy}lz-->yz bX{SKJy cmd zAN^oEFC᪺ONpP Linux oI
    
    C:\>knock -v 192.168.1.254 2100:tcp 2200:udp 2300:tcp
    hitting tcp 192.168.1.254:2100
    hitting udp 192.168.1.254:2200
    hitting tcp 192.168.1.254:2300
    
    AH pietty (http://ntu.csie.org/~piaip/pietty/) ߨsW쥻 SSH DEAKKIdw

    jADϥѦҸ

    2007/09/19GQAϪѩPS@ijnnAmӱNLg̔xaI
    2007/09/22GھڦѩPӫHAT{ iptables.rule ݭnקIS} port ]iHCPՏ jou I

    2007/09/19 HӅpHӋ
