
use a timeout for all OSes in pcap_open_live()

1 parent 7666f2e commit 4faa1daa4f8ab6825a2becf106f43220af395132 Judd Vinet committed Dec 9, 2013
Showing with 70 additions and 65 deletions.
  1. +0 −53 README
  2. +58 −0 README.md
  3. +1 −1 configure.ac
  4. +1 −1 knockd.conf
  5. +10 −10 src/knockd.c
53 README
@@ -1,53 +0,0 @@
-knock :: A port-knocking implementation
-=======================================
-
-Copyright (c) 2004, Judd Vinet <jvinet@zeroflux.org>
-
-=========
- ABOUT
-=========
-This is a port-knocking server/client. Port-knocking is a method where a
-server can sniff one of its interfaces for a special "knock" sequence of
-port-hits. When detected, it will run a specified event bound to that port
-knock sequence. These port-hits need not be on open ports, since we use
-libpcap to sniff the raw interface traffic.
-
-===========
- EXAMPLE
-===========
-The example below could be used to run a strict (DENY policy) firewall that
-can only be accessed after a successful knock sequence.
-
-1) Client sends four TCP SYN packets to Server, at the following ports:
- 38281, 29374, 4921, 54918
-
-2) Server detects this and runs an iptables command to open port 22 to Client.
-
-3) Client connects to Server via SSH and does whatever it needs to do.
-
-4) Client sends four more TCP SYN packets to Server:
- 37281, 8529, 40127, 10100
-
-5) Server detects this and runs another iptables command to close port 22 to Client.
-
-
-====================
- KNOCKING CLIENTS
-====================
-The accompanying knock client is very basic. If you want to do more advanced
-knocks (eg, setting specific tcp flags) then you should take look at hping,
-sendip or packit.
-
- http://freshmeat.net/projects/hping/
- http://freshmeat.net/projects/sendip/
- http://freshmeat.net/projects/packit/
-
-
-=========================
- OTHER IMPLEMENTATIONS
-=========================
-Here are some other implementations of port-knocking:
-
- http://sourceforge.net/projects/pasmal/
- http://doorman.sourceforge.net/
-
@@ -0,0 +1,58 @@
+# knock :: A port-knocking implementation
+
+Copyright (c) 2004, Judd Vinet <jvinet@zeroflux.org>
+
+## ABOUT
+
+This is a port-knocking server/client. Port-knocking is a method where a
+server can sniff one of its interfaces for a special "knock" sequence of
+port-hits. When detected, it will run a specified event bound to that port
+knock sequence. These port-hits need not be on open ports, since we use
+libpcap to sniff the raw interface traffic.
+
+
+## BUILDING
+
+To build knockd, make sure you have libpcap and the autoconf tools
+installed. Then run the following:
+
+ $ autoreconf -fi
+ $ ./configure --prefix=/usr/local
+ $ make
+ $ sudo make install
+
+
+## EXAMPLE
+
+The example below could be used to run a strict (DENY policy) firewall that
+can only be accessed after a successful knock sequence.
+
+ 1. Client sends four TCP SYN packets to Server, at the following ports:
+ 38281, 29374, 4921, 54918
+ 2. Server detects this and runs an iptables command to open port 22 to
+ Client.
+ 3. Client connects to Server via SSH and does whatever it needs to do.
+ 4. Client sends four more TCP SYN packets to Server: 37281, 8529,
+ 40127, 10100
+ 5. Server detects this and runs another iptables command to close port
+ 22 to Client.
+
+
+## KNOCKING CLIENTS
+
+The accompanying knock client is very basic. If you want to do more advanced
+knocks (eg, setting specific tcp flags) then you should take look at hping,
+sendip or packit.
+
+ - [hping](http://freshmeat.net/projects/hping/)
+ - [sendip](http://freshmeat.net/projects/sendip/)
+ - [packit](http://freshmeat.net/projects/packit/)
+
+
+## OTHER IMPLEMENTATIONS
+
+Here are some other implementations of port-knocking:
+
+ - [pasmal](http://sourceforge.net/projects/pasmal/)
+ - [doorman](http://doorman.sourceforge.net/)
+
@@ -1,6 +1,6 @@
AC_PREREQ(2.59)
AC_INIT([knock], [0.6], [https://github.com/jvinet/knock/issues])
-AM_INIT_AUTOMAKE([dist-xz no-dist-gzip foreign])
+AM_INIT_AUTOMAKE([dist-xz no-dist-gzip foreign subdir-objects])
AC_CONFIG_HEADER([config.h])
@@ -2,7 +2,7 @@
logfile = /var/log/knockd.log
[openSSH]
- sequence = 7000
+ sequence = 7000,8000,9000
seq_timeout = 5
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
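Review bot: The new sample sequence `7000,8000,9000` is a monotone run of round-numbered ports, which is about the most guessable knock a scanner could try; a shipped example tends to be deployed verbatim, and this one drives a rule that opens port 22 to whoever completes it. The project's own README example uses an unordered set (38281, 29374, 4921, 54918), so the config should match it, e.g. `sequence = 38281,29374,4921,54918`, and the surrounding commentary (outside this hunk) should tell operators to pick their own ports before enabling the daemon. I cannot see from the hunk whether the file carries a header comment where that warning would go.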
@@ -28,22 +28,26 @@
#include <ctype.h>
#include <string.h>
#include <fcntl.h>
+
#if defined(__FreeBSD__) || defined(__APPLE__)
#include <limits.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#endif
+
#include <netinet/in.h>
#include <netinet/if_ether.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <netinet/udp.h>
#include <netinet/ip_icmp.h>
#include <net/if.h>
+
#if !defined(__FreeBSD__) && !defined(__APPLE__)
#include <bits/time.h>
#include <linux/limits.h>
#endif
+
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
@@ -89,7 +93,7 @@ typedef struct opendoor {
} opendoor_t;
PMList *doors = NULL;
-/* we keep one list of knock attempts, one per IP address,
+/* we keep one list of knock attempts per IP address,
* and increment the stage as they progress through the sequence.
*/
typedef struct knocker {
@@ -123,10 +127,10 @@ long get_current_one_time_sequence_position(opendoor_t *door);
void generate_pcap_filter();
size_t realloc_strcat(char **dest, const char *src, size_t size);
void close_door(opendoor_t *door);
-char* get_ip(const char* iface, char *buf, int bufsize);
-size_t parse_cmd(char* dest, size_t size, const char* command, const char* src);
-int exec_cmd(char* command, char* name);
-void sniff(u_char* arg, const struct pcap_pkthdr* hdr, const u_char* packet);
+char* get_ip(const char *iface, char *buf, int bufsize);
+size_t parse_cmd(char *dest, size_t size, const char *command, const char *src);
+int exec_cmd(char *command, char *name);
+void sniff(u_char *arg, const struct pcap_pkthdr *hdr, const u_char *packet);
pcap_t *cap = NULL;
FILE *logfd = NULL;
@@ -211,11 +215,7 @@ int main(int argc, char **argv)
}
}
-#if defined(__FreeBSD__) || defined(__APPLE__)
- cap = pcap_open_live(o_int, 65535, 0, 1, pcapErr);
-#else
- cap = pcap_open_live(o_int, 65535, 0, 0, pcapErr);
-#endif
+ cap = pcap_open_live(o_int, 65535, 0, 10, pcapErr);
if(strlen(pcapErr)) {
fprintf(stderr, "could not open %s: %s\n", o_int, pcapErr);
}
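Review bot: The open is still validated with `if(strlen(pcapErr))` rather than the return value, and the new unconditional `pcap_open_live(o_int, 65535, 0, 10, pcapErr)` does not change that: libpcap returns NULL on failure but can also leave a non-empty warning in the error buffer on success, so a mere warning prints "could not open", while a real failure leaves `cap` NULL with no exit visible in this hunk. The check should be `if(cap == NULL) { fprintf(stderr, "could not open %s: %s\n", o_int, pcapErr); exit(1); }` with a separate `else if(pcapErr[0]) fprintf(stderr, "warning: %s\n", pcapErr);` for the non-fatal case; this also relies on `pcapErr` being zero-initialized, which is declared outside the hunk and should be confirmed. The bare `10` deserves a name (e.g. `#define PCAP_READ_TIMEOUT_MS 10`) with a comment recording why a non-zero read timeout is now used on every platform, since that is the whole point of the commit and nothing in the code says so. The body of main() continues past the end of this hunk.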
