Posts from the ‘security’ Category

Checking if there is unauthorized DHCP servers in a LAN

I have found a very nice tool to probe for unauthorized DHCP servers in a network.  In Debian, you can use aptitude or apt-get to install it.

I hope it will be useful for more people.


# apt-get install dhcp-probe
# dhcp_probe -f -o /home/user/caps/dhcp.pcap eth0
note: starting, version 1.3.0
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 192.168.0.1 (ether src 70:ca:9b:15:e1:9).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 192.168.0.1(ether src 70:ca:9b:15:e1:9).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 192.168.0.2 (ether src 70:ca:9b:15:e1:2).
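dhcp_probe reports every server that answers its probes, so the last step is deciding which of those answers are expected. The following Python script is an added example, not part of the post and not part of dhcp_probe: it parses the "warn:" lines above (embedded as a constructed sample), normalizes the MAC addresses (the post's output prints octets without leading zeros) and compares the responders against a constructed inventory of authorized servers, flagging unknown IPs and known IPs that answer from a different MAC. The inventory, the regex and the function names are all assumptions of this example.

```python
import re

# Constructed sample of dhcp_probe's output: the three "warn:" lines from the post
# plus its startup line. dhcp_probe prints "unexpected response" for every server
# that answers its probes; the classification below is done here, not by dhcp_probe.
SAMPLE_OUTPUT = """\
note: starting, version 1.3.0
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 192.168.0.1 (ether src 70:ca:9b:15:e1:9).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 192.168.0.1(ether src 70:ca:9b:15:e1:9).
warn: received unexpected response on interface eth0 from BootP/DHCP server with IP source 192.168.0.2 (ether src 70:ca:9b:15:e1:2).
"""

# Inventory of DHCP servers that are supposed to exist on this LAN (constructed):
# server IP address -> MAC address of the server's interface.
AUTHORIZED_SERVERS = {"192.168.0.1": "70:ca:9b:15:e1:09"}

WARN_RE = re.compile(
    r"^warn: received unexpected response on interface (?P<iface>\S+) "
    r"from BootP/DHCP server with IP source (?P<ip>[0-9.]+)\s*"
    r"\(ether src (?P<mac>[0-9a-fA-F:]+)\)\.?$"
)


def normalize_mac(mac):
    """Zero-pad each octet so '70:ca:9b:15:e1:9' and '70:ca:9b:15:e1:09' compare
    equal (the post's output shows octets printed without leading zeros)."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_dhcp_probe_output(text):
    """Return the distinct (interface, ip, mac) responders found in dhcp_probe output."""
    responders = set()
    for line in text.splitlines():
        match = WARN_RE.match(line.strip())
        if match:
            responders.add((match["iface"], match["ip"], normalize_mac(match["mac"])))
    return responders


def find_rogue_servers(responders, authorized):
    """Flag responders whose IP is not in the inventory, or whose MAC differs from
    the inventory entry (a known address answered from the wrong hardware)."""
    rogue = []
    for iface, ip, mac in sorted(responders):
        expected = authorized.get(ip)
        if expected is None:
            rogue.append((iface, ip, mac, "server IP not in inventory"))
        elif normalize_mac(expected) != mac:
            rogue.append((iface, ip, mac, f"MAC mismatch, inventory says {normalize_mac(expected)}"))
    return rogue


if __name__ == "__main__":
    found = parse_dhcp_probe_output(SAMPLE_OUTPUT)
    for iface, ip, mac, reason in find_rogue_servers(found, AUTHORIZED_SERVERS):
        print(f"ROGUE DHCP server on {iface}: {ip} ({mac}) - {reason}")
```

Run against the sample, the script reports 192.168.0.2 as not in the inventory and stays quiet about 192.168.0.1, whose two log lines collapse into one responder after MAC normalization. dhcp_probe's own configuration file can also list known servers as legal_server entries so that they are never reported; the script is for post-processing the raw output, for instance when it is collected centrally from several probing hosts.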

A knockd configuration file

Knockd is a port knocking implementation, and I really like this one because it is quite simple and flexible, and it works on almost any POSIX operating system.

There are many ways to configure it, but some can be quite confusing and even useless if you write them incorrectly.

I personally like the following kind of configuration for its simplicity. I am going to present the configuration first and then, after these lines, comment on it:

# Start of the knockd.conf file
[options]
logfile = /var/log/knockd.log

[opencloseSSH]
# ports to knock, in this order
sequence = 7000,8000,9000
# seconds allowed from the first knock to the last one
seq_timeout = 15
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
# seconds between command and stop_command
cmd_timeout = 10
# only TCP SYN packets count as knocks
tcpflags = syn
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
# End of the knockd.conf file

I will not go into deeper detail about EACH line, but I will explain how this example works in general.

Basically, knockd waits for the three knocks (7000, 8000, 9000). The user has 15 seconds from the first knock (7000) to the last knock (9000). Once the server has received those 3 knocks in less than 15 seconds, the iptables command opens port 22 for the knocking IP. You then have 10 seconds to establish the connection; after those 10 seconds the “stop_command” is launched, which in this case deletes the iptables rule inserted above. Remember, the path “/sbin/iptables” may vary depending on which Linux distro you are using.

In order to make use of this configuration scheme, it is important that you have an ESTABLISHED,RELATED rule in your iptables firewall settings, like this:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Otherwise, you may lose your SSH session after those 10 seconds (even if you have already connected).

And, of course, the iptables DROP policy:

iptables -P INPUT DROP
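To make the timing described above concrete (the 15-second window for the three knocks, the 10 seconds until stop_command, and why the ESTABLISHED,RELATED rule matters), here is an added Python example that is not part of the post and not knockd's code. It models knockd's per-IP sequence tracking and a toy iptables INPUT chain with a DROP policy, replays the exact command and stop_command lines from the configuration, and checks what gets through with and without the ESTABLISHED rule. The client address 203.0.113.5 is constructed, the rule matching is a simplified model of iptables, and the handling of out-of-order knocks and of SYNs to ports outside the sequence is an assumption of the model rather than a statement about knockd's internals.

```python
import shlex

# Values taken from the knockd.conf and the iptables lines in the post.
SEQUENCE = (7000, 8000, 9000)
SEQ_TIMEOUT = 15   # seconds allowed from the first knock to the last one
CMD_TIMEOUT = 10   # seconds between `command` and `stop_command`
COMMAND = "/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
STOP_COMMAND = "/sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT"
ESTABLISHED_RULE = "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
CLIENT = "203.0.113.5"   # constructed client address


class Firewall:
    """Toy INPUT chain with policy DROP; understands only the options used on this
    page (-I/-A/-D, -s, --dport, --state, target ACCEPT), all of which take one argument."""

    def __init__(self, with_established_rule):
        self.rules = []
        if with_established_rule:
            self.run(ESTABLISHED_RULE)

    def run(self, cmdline):
        argv = shlex.split(cmdline)
        rule, action = {"src": None, "dport": None, "states": None}, None
        for opt, arg in zip(argv[1::2], argv[2::2]):   # argv[0] is the iptables binary
            if opt in ("-I", "-A", "-D"):
                action = opt
            elif opt == "-s":
                rule["src"] = arg
            elif opt == "--dport":
                rule["dport"] = int(arg)
            elif opt == "--state":
                rule["states"] = set(arg.split(","))
        if action == "-I":
            self.rules.insert(0, rule)   # -I inserts at the top of the chain
        elif action == "-A":
            self.rules.append(rule)
        elif action == "-D":
            self.rules.remove(rule)      # -D deletes the first identical rule

    def accepts(self, src, dport, state):
        """First matching rule wins; no match means the DROP policy applies."""
        for r in self.rules:
            if r["src"] in (None, src) and r["dport"] in (None, dport) \
                    and (r["states"] is None or state in r["states"]):
                return True
        return False


class Knockd:
    """Model of knockd's sequence tracking for the [opencloseSSH] section (an assumption
    of this example, not knockd's code): per source IP it keeps how far into the sequence
    the knocks got and when the first one arrived; SYNs to ports outside the sequence are
    ignored and an out-of-order knock restarts the attempt."""

    def __init__(self, firewall):
        self.fw = firewall
        self.progress = {}   # src_ip -> (index of next expected port, time of first knock)
        self.pending = []    # (time at which stop_command is due, src_ip)

    def tick(self, now):
        """Run stop_command for every opened port whose cmd_timeout has elapsed."""
        due = [p for p in self.pending if p[0] <= now]
        self.pending = [p for p in self.pending if p[0] > now]
        for _, ip in sorted(due):
            self.fw.run(STOP_COMMAND.replace("%IP%", ip))

    def syn(self, now, src_ip, dst_port):
        """Feed one TCP SYN (tcpflags = syn means only SYNs count as knocks)."""
        self.tick(now)
        if dst_port not in SEQUENCE:
            return
        idx, started = self.progress.get(src_ip, (0, now))
        if idx and now - started > SEQ_TIMEOUT:
            idx, started = 0, now               # too slow: the attempt expired
        if dst_port != SEQUENCE[idx]:
            idx, started = 0, now               # wrong order: start over
            if dst_port != SEQUENCE[0]:
                self.progress.pop(src_ip, None)
                return
        idx += 1
        if idx < len(SEQUENCE):
            self.progress[src_ip] = (idx, started)
            return
        self.progress.pop(src_ip, None)
        self.fw.run(COMMAND.replace("%IP%", src_ip))        # open port 22 for this IP only
        self.pending.append((now + CMD_TIMEOUT, src_ip))   # and schedule the close


def open_close_cycle(with_established_rule):
    """Knock correctly, connect, wait for stop_command, then see what still gets in.
    Returns (new_ssh_after_knock, new_ssh_after_close, existing_session_after_close)."""
    fw, kd = Firewall(with_established_rule), None
    kd = Knockd(fw)
    kd.syn(0, CLIENT, 7000)
    kd.syn(1, CLIENT, 8000)
    kd.syn(2, CLIENT, 9000)            # sequence completed in 2 s, within seq_timeout
    opened = fw.accepts(CLIENT, 22, "NEW")
    kd.tick(2 + CMD_TIMEOUT)           # cmd_timeout elapsed: stop_command deletes the rule
    return opened, fw.accepts(CLIENT, 22, "NEW"), fw.accepts(CLIENT, 22, "ESTABLISHED")


def slow_knock_opens_port():
    """Same three knocks spread over 20 s, which exceeds seq_timeout."""
    fw = Firewall(True)
    kd = Knockd(fw)
    for when, port in zip((0, 10, 20), SEQUENCE):
        kd.syn(when, CLIENT, port)
    return fw.accepts(CLIENT, 22, "NEW")
```

With the ESTABLISHED rule present, the SSH session opened during the 10-second window keeps working after stop_command removes the per-IP rule, and only new connections are dropped again. Without it, the DROP policy swallows the existing session's packets as soon as the rule is gone, which is exactly the lost session the post warns about. Spreading the three knocks over 20 seconds never opens the port, because the attempt is reset once seq_timeout has passed.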

If you are interested in different configuration methods, you should check the official man page. In the shell: man knockd

I wrote this tutorial based on Gentoo Linux; however, knockd should work on other Linux distros and on any other *NIX as well.

References:

http://www.zeroflux.org/projects/knock

http://www.portknocking.org/