Saturday 28 May 2011

UFW and port knocking

Hi All,

This is how to set up basic port knocking for your home network.
At home I run several services that I want to reach from the internet, but I don't always want those services open. Port knocking is an interesting way of achieving both.

Basically, the knock daemon watches the firewall logs for connection attempts on the ports you specify. If it picks up the right combination, it opens another port through the firewall by adding rules.

Here's how I did it on Ubuntu 10.04.

First install the knock daemon:

sudo apt-get install knockd

Now set up UFW. UFW is basically a simpler way of configuring iptables.
First let's set up a rule to allow ssh before we turn the firewall on, otherwise you lock yourself out of the box. Do these in order:

sudo ufw allow ssh/tcp
sudo ufw enable

Check the status by typing this:

sudo ufw status

All other ports apart from ssh are now closed. Next we need to configure the knock daemon.
Crack open the config file. I want to open port 80 so I can get to MythTV. Add a label and some config:

[WEB]
sequence = 8111,8555,8777
seq_timeout = 5
start_command = ufw allow from %IP% to any port 80
tcpflags = syn
cmd_timeout = 3600
stop_command = ufw delete allow from %IP% to any port 80

Ok, so the knock sequence is 8111, 8555, 8777, in that order (although think about how port scanners work and choose some less predictable ports). A correct sequence runs start_command, which opens port 80 for the knocking IP only. It closes itself again after an hour (cmd_timeout).

Once you have configured that, start the daemon:

sudo service knockd start

Now for your router. Port forward port 80 and ports 8000-9000 to your server and that's it, job done.

For the client, to trigger your new rule, type this:

knock -v [external ip of your router] port1 port2 port3

Now access your website.
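As an added example (not part of the original post), here is a small Python checker for the knockd section above: it parses the config, confirms that every knock port and the port being opened fall inside the ranges the router forwards, confirms that stop_command reverses start_command, and renders both rules with %IP% filled in. The embedded config and the address 203.0.113.7 are constructed sample data.

```python
import re
from configparser import ConfigParser

# Constructed sample mirroring the post's [WEB] section (knockd reads this
# from /etc/knockd.conf by default).
KNOCKD_CONF = """
[WEB]
sequence = 8111,8555,8777
seq_timeout = 5
start_command = ufw allow from %IP% to any port 80
tcpflags = syn
cmd_timeout = 3600
stop_command = ufw delete allow from %IP% to any port 80
"""

# Port ranges the router forwards to the server, as the post describes.
FORWARDED = [(80, 80), (8000, 9000)]

def parse_knockd(text):
    """Return {section: {key: value}} for every knock definition."""
    cp = ConfigParser(interpolation=None)  # keep '%IP%' literal
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s != "options"}

def is_forwarded(port):
    return any(lo <= port <= hi for lo, hi in FORWARDED)

def check_section(name, sec):
    """List the ways this knock definition cannot work from the internet."""
    problems = []
    seq = [int(p) for p in sec["sequence"].split(",")]
    bad = [p for p in seq if not is_forwarded(p)]
    if bad:
        problems.append(f"{name}: knock ports not forwarded by router: {bad}")
    m = re.search(r"port (\d+)$", sec["start_command"])
    if m and not is_forwarded(int(m.group(1))):
        problems.append(f"{name}: opened port {m.group(1)} is not forwarded")
    # stop_command must delete exactly the rule that start_command added
    rule = sec["start_command"][len("ufw "):]
    if sec.get("stop_command") != "ufw delete " + rule:
        problems.append(f"{name}: stop_command does not undo start_command")
    return problems

def render_commands(sec, ip):
    """Substitute %IP% as knockd does, so the rules can be reviewed first."""
    return (sec["start_command"].replace("%IP%", ip),
            sec["stop_command"].replace("%IP%", ip))
```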

Thanks for reading,

Trev

Thursday 26 May 2011

How to install NRPE on linux

Hi All,

Ok, ok. Avoiding the fact that this is the first post and monitoring is not mentioned in the description, this is how I install the NRPE agent for Nagios on Linux boxes.

Logon to the box you want to monitor.

Create a directory somewhere called NRPE and go in it.

mkdir NRPE
cd NRPE

Download the following packages (Google them, I'll never keep up with versioning):
http://osdn.dl.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.6.tar.gz
http://osdn.dl.sourceforge.net/sourceforge/nagios/nrpe-2.8.tar.gz

As you can see, you can get the latest versions from sourceforge.
Do all of the following as root (su -).

Make a user called nagios and give it a password:

/usr/sbin/useradd nagios
passwd nagios

First we install the plugins (the cd goes into the directory the tarball extracted, not the tarball itself):

tar xzf nagios-plugins-1.4.6.tar.gz
cd nagios-plugins-1.4.6
./configure
make
make install

That'll do it. Now run these commands:

chown nagios:nagios /usr/local/nagios
chown -R nagios:nagios /usr/local/nagios/libexec

What those 2 lines do is change the owner of /usr/local/nagios and everything under /usr/local/nagios/libexec to the nagios user you created a minute ago. The other directories will still be owned by root.

Now you need to install the NRPE bit itself. Go back to the NRPE directory you created earlier (if you are still with me, type cd ..).

Type in:

tar xzf nrpe-2.8.tar.gz

Now it's a little more complicated than last time. Make sure you have openssl and its development headers installed, since NRPE builds against them (yum install openssl openssl-devel, or apt-get install openssl libssl-dev, or whatever suits your distro).

Then type these commands in:

cd nrpe-2.8
./configure
make all

Now run these:

make install-plugin
make install-daemon
make install-daemon-config
make install-xinetd

That's it installed. Now for the configuration. Don't worry, by this time it's taken a maximum of 10 mins from start to finish. It looks more complex than it is.

Config time:

Type this in:

vi /etc/xinetd.d/nrpe

Press the insert button on your keyboard.
Go down to the "only_from" line and add your Nagios server IP onto the end of the line.
Then press the escape key then type :wq

This grants your Nagios server permission to connect to the NRPE daemon; any other host is refused by xinetd.
Next we want to give the port number a service alias, so:

vi /etc/services

Press your insert button and add an entry. It can go anywhere, but be sensible. It must look like this:
nrpe 5666/tcp # NRPE

Press escape, then type :wq

For those of you with firewalls, this tells you the daemon is listening on port 5666, so that port needs to be open for connections from your Nagios box to this server.

Now restart xinetd service like this:

service xinetd restart

Test that it's listening by typing this (leave out -n, otherwise netstat prints 5666 rather than the nrpe name you just added to /etc/services):
netstat -at | grep nrpe

To check that NRPE is receiving commands type this:

/usr/local/nagios/libexec/check_nrpe -H localhost

If you get a version number back you are good to go.

A bunch of checks are installed by default. To change their thresholds, modify this file:

/usr/local/nagios/etc/nrpe.cfg

Scroll down to the bottom and you'll see some lines prefixed with the word command. You can change the -w (warning) and -c (critical) options. You can even write your own scripts in Perl and define your own commands, but more on that later.
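As an added example (not part of the original post), here is a small Python script that reads the command lines from nrpe.cfg and the only_from line from the xinetd file edited above: it pulls out each command's plugin path and -w/-c thresholds, flags any plugin living outside the libexec directory that was chowned to nagios, and lists which hosts xinetd will accept. Both config snippets and the address 192.0.2.10 (standing in for the Nagios server) are constructed sample data.

```python
import re
import shlex

# Constructed sample of the command lines at the bottom of
# /usr/local/nagios/etc/nrpe.cfg.
NRPE_CFG = """
command[check_users]=/usr/local/nagios/libexec/check_users -w 5 -c 10
command[check_load]=/usr/local/nagios/libexec/check_load -w 15,10,5 -c 30,25,20
command[check_disk]=/usr/local/nagios/libexec/check_disk -w 20% -c 10% -p /
"""

# Constructed sample of /etc/xinetd.d/nrpe after the post's edit; 192.0.2.10
# stands in for the Nagios server address.
XINETD_NRPE = """
service nrpe
{
    port        = 5666
    only_from   = 127.0.0.1 192.0.2.10
}
"""

PLUGIN_DIR = "/usr/local/nagios/libexec/"
CMD_RE = re.compile(r"^command\[(\w+)\]=(.+)$")

def parse_commands(text):
    """Map command name -> plugin path plus its -w/-c thresholds."""
    cmds = {}
    for line in text.splitlines():
        m = CMD_RE.match(line.strip())
        if not m:
            continue
        argv = shlex.split(m.group(2))
        opts = {argv[i]: argv[i + 1] for i in range(1, len(argv) - 1)
                if argv[i] in ("-w", "-c")}
        cmds[m.group(1)] = {"plugin": argv[0], "w": opts.get("-w"), "c": opts.get("-c")}
    return cmds

def check_commands(cmds):
    """Flag plugins outside the libexec directory that was chowned to nagios."""
    problems = []
    for name, c in cmds.items():
        if not c["plugin"].startswith(PLUGIN_DIR):
            problems.append(f"{name}: plugin outside {PLUGIN_DIR}")
    return problems

def allowed_hosts(xinetd_text):
    """Return the hosts xinetd lets connect to the nrpe service."""
    m = re.search(r"^\s*only_from\s*=\s*(.+)$", xinetd_text, re.M)
    return m.group(1).split() if m else []
```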

Thanks for reading,

Trev