インターネットにも ssh (22/tcp) を開けてると便利だよね。でも Brute Force Attack されちゃうよね。なので knockd を実装する。
### Install
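# Build knock 0.5 from the upstream tarball and install it under /usr/local.
# Each command was originally collapsed onto one line; one command per line here.
yum -y install libpcap-devel
# NOTE(review): the tarball is fetched over plain HTTP and nothing on this page
# verifies it (no signature, no checksum). Compare the download against a
# checksum obtained from a trusted source before building, e.g.
#   echo '<EXPECTED_SHA256>  knock-0.5.tar.gz' | sha256sum -c -
wget "http://www.zeroflux.org/proj/knock/files/knock-0.5.tar.gz"
tar zxf knock-0.5.tar.gz
# Abort here rather than running sed/make against whatever the current directory is.
cd knock-0.5/ || exit 1
# The default syslog facility is LOG_USER; switch it to LOG_DAEMON (added 2011/01/10).
cp -a src/knockd.c src/knockd.c.orig
sed -i 's/openlog("knockd", 0, LOG_USER);/openlog("knockd", 0, LOG_DAEMON);/' src/knockd.c
./configure --prefix=/usr/local/knock-0.5
# Change the config file install location from /etc/knockd.conf to
# $(prefix)/etc/knockd.conf, i.e. /usr/local/knock/etc/knockd.conf via the symlink below.
cp -a Makefile Makefile.orig
sed -i 's/$(DESTDIR)\/etc\/knockd.conf/$(prefix)\/etc\/knockd.conf/' Makefile
# Do not install a half-built tree.
make || exit 1
make install
ln -s /usr/local/knock-0.5 /usr/local/knock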
### knockd.conf
# Write knockd.conf, keeping a pristine copy of the installed default first.
# The start_command inserts an iptables ACCEPT for the knocker's address (%IP%)
# on 22/tcp and the stop_command deletes that same rule again; the values for
# sequence, seq_timeout, tcpflags and cmd_timeout are the ones knockd acts on.
# NOTE(review): 7000/8000/9000 is a monotonically increasing, easily guessed
# sequence — pick a less predictable one for a real deployment. The sequence
# is the secret, which is why the file is made mode 600 below.
# NOTE(review): whether an SSH session that is already open survives the
# stop_command depends on the rest of the INPUT chain (e.g. an
# ESTABLISHED,RELATED accept), which this page does not show — confirm it.
cp -a /usr/local/knock/etc/knockd.conf /usr/local/knock/etc/knockd.conf.orig
cat > /usr/local/knock/etc/knockd.conf <<'EOF'
[options]
 UseSyslog
[opencloseSSH]
 sequence		= 7000:tcp,8000:tcp,9000:tcp
 seq_timeout		= 15
 tcpflags		= syn
 start_command	= /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
 cmd_timeout		= 300
 stop_command	= /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
chmod 600 /usr/local/knock/etc/knockd.conf
### Sysconfig
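# Per-host daemon options: the interface knockd listens on (ppp0 here).
# Adjust -i to whichever interface faces the internet on the target machine;
# the init script below passes ${OPTIONS} straight to knockd.
mkdir -p /usr/local/knock/etc/sysconfig
printf '%s\n' 'OPTIONS="-i ppp0"' > /usr/local/knock/etc/sysconfig/knockd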
### Startup script
# Install a SysV init script for knockd. The heredoc delimiter is quoted, so
# nothing inside is expanded here: $"..." and ${VAR} are written verbatim and
# are only evaluated when the init script itself runs.
cat > /etc/rc.d/init.d/knockd <<'EOF'
#!/bin/bash
#
# chkconfig: 2345 56 24
# description: Knock is a port-knocking server/client.
# processname: knockd
# config: /usr/local/knock/etc/knockd.conf
# config: /usr/local/knock/etc/sysconfig/knockd
# pidfile: /var/run/knockd.pid

# Source function library.
. /etc/rc.d/init.d/functions

if [ -f /usr/local/knock/etc/sysconfig/knockd ]; then
 . /usr/local/knock/etc/sysconfig/knockd
fi

[ -f /usr/local/knock/etc/knockd.conf ] || exit 1

KNOCKD=/usr/local/knock/sbin/knockd
PROG=knockd
PIDFILE=/var/run/knockd.pid
LOCKFILE=/var/lock/subsys/knockd
RETVAL=0

start() {
 echo -n $"Starting ${PROG}: "
 daemon --pidfile=${PIDFILE} ${KNOCKD} -d -c /usr/local/knock/etc/knockd.conf ${OPTIONS}
 RETVAL=${?}
 echo
 [ ${RETVAL} = 0 ] && touch ${LOCKFILE}
 return ${RETVAL}
}

stop() {
 echo -n $"Shutting down ${PROG}: "
 killproc -p ${PIDFILE} -d 10 ${KNOCKD}
 RETVAL=${?}
 echo
 [ ${RETVAL} = 0 ] && rm -f ${LOCKFILE} ${PIDFILE}
}

# See how we were called.
case "${1}" in
 start)
	start
	;;
 stop)
	stop
	;;
 status)
	status -p ${PIDFILE} ${KNOCKD}
	RETVAL=${?}
	;;
 restart|reload)
	stop
	start
	;;
 condrestart)
	if [ -f ${PIDFILE} ] ; then
	 stop
	 start
	fi
	;;
 *)
	echo $"Usage: ${PROG} {start|stop|restart|condrestart|reload|status}"
	exit 1
esac

exit ${RETVAL}
EOF
chmod 755 /etc/rc.d/init.d/knockd
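# Register the service with chkconfig, enable it and start it now.
# Without `set -e` a failed --add would otherwise be ignored and the
# service started anyway; stop at the first step that fails.
/sbin/chkconfig --add knockd || exit 1
/sbin/chkconfig knockd on || exit 1
/sbin/service knockd start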
### hosts.allow
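# Allow sshd through TCP wrappers, keeping a timestamped backup of hosts.allow first.
# NOTE(review): with "sshd: ALL" the wrappers layer no longer restricts sshd at
# all — reachability of 22/tcp then rests entirely on the iptables rule that
# knockd's start_command inserts, so confirm the INPUT chain drops 22/tcp by default.
# Do not append to the live file if the backup could not be made.
cp -a /etc/hosts.allow "/etc/hosts.allow.$(date '+%Y%m%d%H%M%S')" || exit 1
printf '# knockd\nsshd:\tALL\n' >> /etc/hosts.allow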
