Does anyone know how to get port knocking working on macOS Sierra? I could not find any useful information after searching.
It works now, thanks for all the help @klanomath @jksoegaard. All the best to you.
Here are the configurations:
Configuration: /usr/local/etc/ssh-access.txt is empty initially

Configuration: /etc/pf.conf

    scrub-anchor "com.apple/*"
    nat-anchor "com.apple/*"
    rdr-anchor "com.apple/*"
    dummynet-anchor "com.apple/*"
    anchor "com.apple/*"
    load anchor "com.apple" from "/etc/pf.anchors/com.apple"
    table <ssh-access> persist file "/usr/local/etc/ssh-access.txt"
    pass in quick proto tcp from <ssh-access> to port 22
Configuration: /usr/local/etc/knockd.conf

    [options]
        logfile = /var/log/knockd.log

    [openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 5
        command     = echo %IP% > /usr/local/etc/ssh-access.txt
        tcpflags    = syn

    [commitFW]
        sequence    = 9000,8000,7000
        seq_timeout = 5
        command     = pfctl -t ssh-access -T replace -f /usr/local/etc/ssh-access.txt
        tcpflags    = syn

    [closeSSH]
        sequence    = 5000,4000,6000
        seq_timeout = 5
        command     = echo '' > /usr/local/etc/ssh-access.txt
        tcpflags    = syn
Output when launching knockd:

    config: new section: 'options'
    config: log file: /var/log/knockd.log
    config: new section: 'openSSH'
    config: openSSH: sequence: 7000:tcp,8000:tcp,9000:tcp
    config: openSSH: seq_timeout: 5
    config: openSSH: start_command: echo %IP% > /usr/local/etc/ssh-access.txt
    config: tcp flag: SYN
    config: new section: 'commitFW'
    config: commitFW: sequence: 9000:tcp,8000:tcp,7000:tcp
    config: commitFW: seq_timeout: 5
    config: commitFW: start_command: pfctl -t ssh-access -T replace -f /usr/local/etc/ssh-access.txt
    config: tcp flag: SYN
    config: new section: 'closeSSH'
    config: closeSSH: sequence: 5000:tcp,4000:tcp,6000:tcp
    config: closeSSH: seq_timeout: 5
    config: closeSSH: start_command: echo '' > /usr/local/etc/ssh-access.txt
    config: tcp flag: SYN
    ethernet interface detected
    Local IP: 192.168.8.101
    Adding pcap expression for door 'openSSH': (dst host 192.168.8.101 and (((tcp dst port 7000 or 8000 or 9000) and tcp[tcpflags] & tcp-syn != 0)))
    Adding pcap expression for door 'commitFW': (dst host 192.168.8.101 and (((tcp dst port 9000 or 8000 or 7000) and tcp[tcpflags] & tcp-syn != 0)))
    Adding pcap expression for door 'closeSSH': (dst host 192.168.8.101 and (((tcp dst port 5000 or 4000 or 6000) and tcp[tcpflags] & tcp-syn != 0)))
Knocking from the Mac client:

    192:~ vincent-st$ knock -v 192.168.8.101 7000,8000,9000
    hitting tcp 192.168.8.101:7000
    192:~ vincent-st$ knock -v 192.168.8.101 9000,8000,7000
    hitting tcp 192.168.8.101:9000
    192:~ vincent-st$ ssh [email protected]
    ssh: connect to host port 22: connection refused
After using the correct knock command, ssh works:
Knocking from the Mac client:

    192:~ vincent-st$ knock -v 192.168.8.101 7000 8000 9000
    hitting tcp 192.168.8.101:7000
    hitting tcp 192.168.8.101:8000
    hitting tcp 192.168.8.101:9000
    192:~ vincent-st$ knock -v 192.168.8.101 9000 8000 7000
    hitting tcp 192.168.8.101:9000
    hitting tcp 192.168.8.101:8000
    hitting tcp 192.168.8.101:7000
    192:~ vincent-st$ ssh [email protected]
    The authenticity of host '192.168.8.101 (192.168.8.101)' can't be established.
    RSA key fingerprint is SHA256:6AlMpQmxODOueRS+faoODOueRS+ODOueRS+fa.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added '192.168.8.101' (RSA) to the list of known hosts.
    Password:
    Last login: Tue Jul 11 01:14:56 2017
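An added example (my own code, not from the post or from knockd itself): a simplified Python model of knockd's per-source sequence matching together with the effect of the three commands in the poster's knockd.conf. It shows why `knock host 7000,8000,9000` (a single argument, so only port 7000 is hit, as the first trace above shows) never completes the openSSH door while `knock host 7000 8000 9000` does, and why openSSH alone does not admit the client until commitFW reloads the pf table. Door names and sequences come from the post; the client address and SYN trace are constructed, and the timeout and wrong-port handling is an approximation of knockd's real behaviour.

```python
from dataclasses import dataclass, field

# Door names and sequences are taken from the poster's knockd.conf.
DOORS = {"openSSH": [7000, 8000, 9000],
         "commitFW": [9000, 8000, 7000],
         "closeSSH": [5000, 4000, 6000]}
SEQ_TIMEOUT = 5  # seconds, as in the config


@dataclass
class Door:
    sequence: list
    # in-progress attempts: src ip -> (index of next expected port, time of first knock)
    attempts: dict = field(default_factory=dict)

    def feed(self, ts, ip, port, timeout=SEQ_TIMEOUT):
        """Consume one SYN; return True if it completes this door's sequence for ip."""
        idx, start = self.attempts.pop(ip, (0, ts))
        if ts - start > timeout:        # the whole sequence must fit in seq_timeout
            idx, start = 0, ts
        if port != self.sequence[idx]:  # wrong port: attempt discarded (approximation:
            idx, start = 0, ts          # the same packet may start a fresh attempt)
            if port != self.sequence[0]:
                return False
        if idx + 1 == len(self.sequence):
            return True
        self.attempts[ip] = (idx + 1, start)
        return False


def simulate(trace, doors=DOORS):
    """trace: constructed (timestamp, src_ip, dst_port) SYNs as knockd would see them.
    Returns (door names in the order they opened, contents of the pf <ssh-access> table)."""
    state = {name: Door(seq) for name, seq in doors.items()}
    ssh_access_file, pf_table, opened = set(), set(), []
    for ts, ip, port in trace:
        for name, door in state.items():
            if door.feed(ts, ip, port):
                opened.append(name)
                if name == "openSSH":        # echo %IP% > ssh-access.txt
                    ssh_access_file = {ip}
                elif name == "commitFW":     # pfctl -t ssh-access -T replace -f ssh-access.txt
                    pf_table = set(ssh_access_file)
                elif name == "closeSSH":     # echo '' > ssh-access.txt; the pf table is
                    ssh_access_file = set()  # unchanged until the next commitFW
    return opened, pf_table


if __name__ == "__main__":
    ip = "192.168.8.102"  # constructed client address
    print(simulate([(0, ip, 7000), (1, ip, 9000)]))  # → ([], set())
```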