Fincer
/
linux-server-setup
mirror of https://github.com/Fincer/linux-server-setup

#!/usr/bin/perl##   knockgen 0.1 - Random port & protocol sequence generator for knockd daemon#   Copyright (C) 2018  Pekka Helenius##   This program is free software: you can redistribute it and/or modify#   it under the terms of the GNU General Public License as published by#   the Free Software Foundation, either version 3 of the License, or#   (at your option) any later version.##   This program is distributed in the hope that it will be useful,#   but WITHOUT ANY WARRANTY; without even the implied warranty of#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the#   GNU General Public License for more details.##   You should have received a copy of the GNU General Public License#   along with this program.  If not, see <https://www.gnu.org/licenses/>.##-----------------------------------------# PROGRAM DESCRIPTION
# This perl program generates a random port & protocol sequence for knockd daemon.# This generated sequence can be used to knock ports of the target machine (usually a SSH server behind a firewall).# The generated data must be equal for the server (knockd daemon computer) and your client (ssh/knock client computer).
#-----------------------------------------# ENVIRONMENT
use strict;use warnings;
# For CLI input parametersuse Getopt::Long;
# For help textuse Pod::Usage;
# For IP regular expressions# Requires 'perl-regexp-common' package (e.g. Arch Linux package database)use Regexp::Common qw/net number/;
# Requires 'perl-io-socket-inet6' package (e.g. Arch Linux package database)use IO::Socket;
# For pinging target hostsuse Net::Ping;

# TODO output file (Default: /etc/knockd.conf)    # Check if the file exists        # Do same checks than in the bash script        # Ask user for these# TODO knockd daemon: Configuration file? [default: /etc/knockd.conf ]# TODO knockd daemon: Network interface for daemon? [default: eth0 ]# TODO knockd daemon: Time limit for port knocking in seconds? [default: 10 ]# TODO knockd daemon: Ports to be opened after knocking? [default: 22 ]# TODO knockd daemon: Open port for specified IP or any client? [default: any ]# TODO knockd daemon: How long to keep the port opened in seconds? [default: 15 ]# TODO knockd daemon: TCP Flags? [default: syn ]# TODO knockd daemon: Use log file /var/log/knockd.log? [default: n]
# TODO If previous knockd configuration detected (get creation date of it), warn sysadmin about it# TODO add commented date tag to generated knockd.conf file (for sysadmins)# TODO Ask user if the generated port sequence pattern is ok or generate a new one# TODO if output/override etc parameter is given with valid input, use it instead of generating a new one
# TODO detect old SSH configurations from /etc/iptables/*.rules files. Warn user about them and delete if permission granted#       Do this by detecting the the ports which should be opened by knockd
# TODO support for multiple port openings. Can we do this just by adding a new port to IPTABLES rule or do we have to generate a new# rule for each port?
#-----------------------------------------# DEFAULT VALUES## Port test before generating values for knockd.# We need testing because we want to avoid any ports which may be listened/used by a running server daemon.#my $default_target_ip                   = "127.0.0.1"; # IPv4 address of the target host computer. Default: 127.0.0.1my $connection_timeout                  = 0.3; # Connection timeout in seconds. Default: 0.3my $connection_timeout_minlimit         = 0.2; # This is the minimum time out limit for connection attemptsmy $connection_timeout_maxlimit         = 5.0; # This is the maximum time out limit for connection attempts
# Knockd specific valuesmy $knockd_protocols                    = "tcp,udp"; # Protocols to be used. Only tcp or udp is accepted.my $knockd_port_count                   = 6; # How many port and protocol combinations we generate for knockd input.my $knockd_port_count_limit             = 30; # This is the maximum amount of ports accepted to output.my ($knockd_min_port, $knockd_max_port) = (1, 65535); # Scanned port range. Default: 1, 65535
# TODO override port pattern# TODO override port + protocol pattern
# TODO parameter: output pattern only, no knockd questions described above
# TODO knockd_protocols: check for input values (must be either tcp or udp, max values (array length) is 2"# TODO knockd_port_count: set minimum limit to 2
# TODO check for iptables Default policy, too (does it reject all traffic etc)#/usr/bin/iptables -I INPUT -p tcp -dport 5461 -j ACCEPT#/usr/bin/iptables -D INPUT -p tcp -dport 5461 -j ACCEPT
#-----------------------------------------# USER INPUT PARAMETERS
my %opts = ("all"            => 0,            "ports-only"     => 0,            "target-ip"      => $default_target_ip,            "dry-gen"        => 0,            "random-always"  => 0);
GetOptions ("a|all"            => \$opts{"all"},            "p|ports-only"     => \$opts{"ports-only"},            "i|target-ip=s"    => \$opts{"target-ip"},            "d|dry-gen"        => \$opts{"dry-gen"},            "r|random-always"  => \$opts{"random-always"},            "t|conn-timeout=f" => \$connection_timeout,            "c|protocols=s"    => \$knockd_protocols,            "m|min-port=i"     => \$knockd_min_port,            "x|max-port=i"     => \$knockd_max_port,            "n|port-count=i"   => \$knockd_port_count,            "h|help"           => sub { pod2usage(1) })or pod2usage(2);
my $all             = $opts{"all"};my $ports_only      = $opts{"ports-only"};my $target_ip       = $opts{"target-ip"};my $dry_gen         = $opts{"dry-gen"};my $random_always   = $opts{"random-always"};
#-----------------------------------------# ERROR HANDLING
# We don't accept regular PERL arguments here. We take arguments only from GetOptions# Perl arguments are handled differently, we don't want them.if (@ARGV){    print "Unknown option: @ARGV\n";    pod2usage(2);}
#--------------------# If 'target_ip' is default value and 'dry-gen' is set, clear the IP value.if ($target_ip eq $default_target_ip and $dry_gen) {    print "WARNING: Not testing whether generated ports are being used or not.\n";    undef $target_ip;}
#--------------------# If both 'dry-gen' and 'target_ip' is set, terminate.if ($target_ip and $dry_gen) {    die "ERROR: Define either target IPv4 address or 'dry-gen' parameter.\n";}
#--------------------# If neither 'ports-only' or 'all' hash is set, use default 'all' value.if (not $ports_only and not $all) {    $all = 1;}
#--------------------# If both 'ports-only' and 'all' is set, terminate.if ($ports_only and $all) {    die "ERROR: Define either 'ports-only' or 'all' (default is 'all').\n";}
#--------------------# If more than allowed ports have been instructed.if ($knockd_port_count > $knockd_port_count_limit) {    die "ERROR: Maximum number of ports is " . $knockd_port_count_limit . ". You have defined " . $knockd_port_count . " ports.\n"}
#--------------------# Check for invalid port values (min & max)my $port_fault = "";if (($knockd_min_port < 1) or ($knockd_min_port > 65535)){    print "ERROR: Minimum port value is not in valid range 1-65535 (Value: " . $knockd_min_port . ")\n";    $port_fault = "true";}
if (($knockd_max_port < 1) or ($knockd_max_port > 65535)){    print "ERROR: Maximum port value is not in valid range 1-65535 (Value: " . $knockd_max_port . ")\n";    $port_fault = "true";}
# If faulty port values, exit the program# We define the exit procedure separately because we want to print all previous port-related error messagesif ( $port_fault eq "true" ) { exit }
#--------------------# Inform user that the minimum port value exceeds maximum port value.if ($knockd_min_port > $knockd_max_port) {    die "ERROR: Minimum port value is set above maximum port value.\n";}
#--------------------# Inform user that more random ports must be available in the given pool.if (($knockd_max_port - $knockd_min_port) < $knockd_port_count){    die "ERROR: You must have more ports for randomizable port sequence (Current port pool size: " . ($knockd_max_port - $knockd_min_port) . ")\n";}
#--------------------# Minimum connection time out value can't be less than the limit value defines.if ($connection_timeout < $connection_timeout_minlimit){    die "ERROR: Connection time out can't be set below " . $connection_timeout_minlimit . " seconds.\n";}
# Maximum connection time out value can't exceed the maximum limit value.if ($connection_timeout > $connection_timeout_maxlimit){    print "WARNING: Connection time out limit is set above recommended limit (" . $connection_timeout_maxlimit . " seconds).\n";}
#--------------------# If user is not having dry-gen parameter set...if (not $dry_gen) {
    # ...check for valid IP address syntax.    if (not $target_ip =~ /^$RE{net}{IPv4}$/ or $target_ip eq "localhost") {        die "ERROR: Invalid IPv4 address given (" . $target_ip . ")\n"    }
    # ... check that we can establish a connection to the target IP address.    my $p = Net::Ping->new;    if (not $p->ping($target_ip, $connection_timeout_maxlimit)) {        die "ERROR: Can't find the host computer.\n"    }}
#-----------------------------------------# PORT & PROTOCOL GENERATION
# Split user input into a new array, defined by @ symbol.my @knockd_protocols = split /,/, $knockd_protocols;
# Set port range.my @knockd_port_range = ($knockd_min_port .. $knockd_max_port);
# Declare a new array for generated ports (+ protocols).# Fill with zeros, size is value of $knockd_port_seqs.my @randoms = (0) x $knockd_port_count;
my $i = 0;while ($knockd_port_count > 0){
    while ()    {
        # Generate a random port from given port range.        my $random_port = $knockd_port_range[rand @knockd_port_range];
        # Choose randomly between protocols tcp & udp.        my $random_protocol = $knockd_protocols[rand @knockd_protocols];
        # TODO make this optional with '$always_random' user input parameter        # Never accept already generated port in port sequence.        if (not grep {$_ =~ /$random_port/} @randoms)        {
            # Initialize socket value            my $socket = 0;
            if (not $dry_gen) {
                # Test the generated port for a connection.                # Protocol must always be else than udp because udp doesn't give                # a response whether the connection was successful or not.                # This is in the procotol specification.                #                # Therefore, udp would fail the connection test we establish here                #                $socket = IO::Socket::INET->new(PeerHost => $target_ip,                                                PeerPort => $random_port,                                                Proto    => "tcp", #This is hardcoded purposefully                                                Timeout  => $connection_timeout);
            }            else             {                undef $socket;            }
            # If socket dest is not used            if (not $socket)            {                if ( $all ) {                    $randoms[$i] = $random_port . ":" . $random_protocol;                }                else                {                    $randoms[$i] = $random_port;                }                last;            }        }    }    $knockd_port_count--;    $i++;}
my $knockd_seqs = join(',', @randoms);print $knockd_seqs . "\n";
#-----------------------------------------# HELP TEXT
__END__

# TODO IMPROVE THIS SECTION# TODO UPDATE HELP TEXT TO CORRESPOND WITH THE COMMANDS ABOVE
=head1 SYNOPSIS
knockgen [options] (--help or -h for more information)    knockgen 0.1 - Random port & protocol sequence generator for knockd daemon

    knockgen  Copyright (C) 2018 Pekka Helenius <fincer89@hotmail.com>    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.    This is free software, and you are welcome to redistribute it    under certain conditions; type `show c' for details.
    =head1 OPTIONS
=item A<------------------------------>
=item A<Output format:>
=item B<--all> or B<-a>
Print randomly generated ports & protocols (Default)
=item B<--ports-only> or B<-p>
Print randomly generated ports only
=item B<--dry-gen> or B<-d>
Generate port (& protocol) sequence without trying to connect anywhere.
=item A<------------------------------>
=item A<Port testing:>
=item B<--target-pc> or B<-i>            IPv4 address of the target computer (server). Default: 127.0.0.1
=item B<--protocols> or B<-c>
Use these protocols. Default: tcp,udp (Syntax: tcp or tcp,udp)
=item B<--conn-timeout> or B<-t>
Connection timeout for a port test in seconds. Default: 0.3
=item A<------------------------------>
=item A<Generated values:>
=item B<--min-port> or B<-m>
Minimum port number to be used for knockd daemon. Default: 1
=item B<--max-port> or B<-x>
Maximum port number to be used for knockd daemon. Default: 65535
=item B<--port-seqs> or B<-n>
Number of port (+ protocol) sequences for knockd daemon. Default: 6
=item B<--help> or B<-h>
Prints this help text.
=cut