#!/usr/bin/perl
#
# knockgen 0.1 - Random port & protocol sequence generator for knockd daemon
# Copyright (C) 2018 Pekka Helenius
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
#
#-----------------------------------------
# PROGRAM DESCRIPTION
# This perl program generates a random port & protocol sequence for knockd daemon.
# This generated sequence can be used to knock ports of the target machine (usually a SSH server behind a firewall).
# The generated data must be equal for the server (knockd daemon computer) and your client (ssh/knock client computer).
#-----------------------------------------
# ENVIRONMENT
use strict;
use warnings;
# For CLI input parameters
use Getopt::Long;
# For help text
use Pod::Usage;
# For IP regular expressions
# Requires 'perl-regexp-common' package (e.g. Arch Linux package database)
use Regexp::Common qw/net number/;
# Requires 'perl-io-socket-inet6' package (e.g. Arch Linux package database)
use IO::Socket;
# For pinging target hosts
use Net::Ping;
# TODO output file (Default: /etc/knockd.conf)
# Check if the file exists
# Do same checks than in the bash script
# Ask user for these
# TODO knockd daemon: Configuration file? [default: /etc/knockd.conf ]
# TODO knockd daemon: Network interface for daemon? [default: eth0 ]
# TODO knockd daemon: Time limit for port knocking in seconds? [default: 10 ]
# TODO knockd daemon: Ports to be opened after knocking? [default: 22 ]
# TODO knockd daemon: Open port for specified IP or any client? [default: any ]
# TODO knockd daemon: How long to keep the port opened in seconds? [default: 15 ]
# TODO knockd daemon: TCP Flags? [default: syn ]
# TODO knockd daemon: Use log file /var/log/knockd.log? [default: n]
# TODO If previous knockd configuration detected (get creation date of it), warn sysadmin about it
# TODO add commented date tag to generated knockd.conf file (for sysadmins)
# TODO Ask user if the generated port sequence pattern is ok or generate a new one
# TODO if output/override etc parameter is given with valid input, use it instead of generating a new one
# TODO detect old SSH configurations from /etc/iptables/*.rules files. Warn user about them and delete if permission granted
# Do this by detecting the the ports which should be opened by knockd
# TODO support for multiple port openings. Can we do this just by adding a new port to IPTABLES rule or do we have to generate a new
# rule for each port?
#-----------------------------------------
# DEFAULT VALUES
#
# Port test before generating values for knockd.
# We need testing because we want to avoid any ports which may be listened/used by a running server daemon.
#
my $default_target_ip = '127.0.0.1';    # IPv4 address of the target host computer. Default: 127.0.0.1
# Per-probe connection timeout in seconds (default 0.3), and the bounds the
# user-supplied value is later checked against (0.2 .. 5.0).
my ($connection_timeout, $connection_timeout_minlimit, $connection_timeout_maxlimit) = (0.3, 0.2, 5.0);
# Knockd specific values
my $knockd_protocols = 'tcp,udp';    # Protocols to be used. Only tcp or udp is accepted.
# Number of port/protocol entries to generate, and the hard cap on that number.
my ($knockd_port_count, $knockd_port_count_limit) = (6, 30);
# Inclusive port range the entries are drawn from. Default: 1 .. 65535
my ($knockd_min_port, $knockd_max_port) = (1, 65535);
# TODO override port pattern
# TODO override port + protocol pattern
# TODO parameter: output pattern only, no knockd questions described above
# TODO knockd_protocols: check input values (each must be either tcp or udp; maximum array length is 2)
# TODO knockd_port_count: set minimum limit to 2
# TODO check for iptables Default policy, too (does it reject all traffic etc)
#/usr/bin/iptables -I INPUT -p tcp -dport 5461 -j ACCEPT
#/usr/bin/iptables -D INPUT -p tcp -dport 5461 -j ACCEPT
#-----------------------------------------
# USER INPUT PARAMETERS
# Output-mode and target flags, preset to their defaults before parsing.
my $all           = 0;
my $ports_only    = 0;
my $target_ip     = $default_target_ip;
my $dry_gen       = 0;
my $random_always = 0;

# Parse the command line straight into the flags above and into the
# DEFAULT VALUES declared earlier. An unparsable command line prints the
# usage text and exits with status 2; -h/--help prints it and exits 1.
GetOptions(
    'a|all'            => \$all,
    'p|ports-only'     => \$ports_only,
    'i|target-ip=s'    => \$target_ip,
    'd|dry-gen'        => \$dry_gen,
    'r|random-always'  => \$random_always,
    't|conn-timeout=f' => \$connection_timeout,
    'c|protocols=s'    => \$knockd_protocols,
    'm|min-port=i'     => \$knockd_min_port,
    'x|max-port=i'     => \$knockd_max_port,
    'n|port-count=i'   => \$knockd_port_count,
    'h|help'           => sub { pod2usage(1) },
) or pod2usage(2);
#-----------------------------------------
# ERROR HANDLING
# We don't accept regular PERL arguments here. We take arguments only from GetOptions
# Perl arguments are handled differently, we don't want them.
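# Anything left in @ARGV was not consumed by GetOptions: an unknown option or
# a stray positional argument. This program accepts neither.
if (@ARGV) {
    print "Unknown option: @ARGV\n";
    pod2usage(2);
}
#--------------------
# --dry-gen without an explicit target: drop the default IP so that no probe
# is ever attempted, and tell the user the ports are untested.
if ($target_ip eq $default_target_ip and $dry_gen) {
    print "WARNING: Not testing whether generated ports are being used or not.\n";
    undef $target_ip;
}
#--------------------
# --dry-gen together with an explicit target IP is contradictory.
if ($target_ip and $dry_gen) {
    die "ERROR: Define either target IPv4 address or 'dry-gen' parameter.\n";
}
#--------------------
# 'all' is the default output mode when neither mode was requested.
if (not $ports_only and not $all) {
    $all = 1;
}
#--------------------
# Both output modes at once make no sense.
if ($ports_only and $all) {
    die "ERROR: Define either 'ports-only' or 'all' (default is 'all').\n";
}
#--------------------
# Upper bound on the number of generated entries.
if ($knockd_port_count > $knockd_port_count_limit) {
    die "ERROR: Maximum number of ports is " . $knockd_port_count_limit . ". You have defined " . $knockd_port_count . " ports.\n";
}
#--------------------
# Check both port bounds and report every problem before giving up, so the
# user can fix them in one go.
my $port_fault = 0;
if ($knockd_min_port < 1 or $knockd_min_port > 65535) {
    print "ERROR: Minimum port value is not in valid range 1-65535 (Value: " . $knockd_min_port . ")\n";
    $port_fault = 1;
}
if ($knockd_max_port < 1 or $knockd_max_port > 65535) {
    print "ERROR: Maximum port value is not in valid range 1-65535 (Value: " . $knockd_max_port . ")\n";
    $port_fault = 1;
}
# Exit non-zero so a calling script can tell this failure from a success
# (a bare 'exit' reports status 0).
exit 1 if $port_fault;
#--------------------
# The range must not be inverted.
if ($knockd_min_port > $knockd_max_port) {
    die "ERROR: Minimum port value is set above maximum port value.\n";
}
#--------------------
# The range is inclusive, so it holds max - min + 1 distinct ports, and
# every requested entry needs one of them.
if (($knockd_max_port - $knockd_min_port + 1) < $knockd_port_count) {
    die "ERROR: You must have more ports for randomizable port sequence (Current port pool size: " . ($knockd_max_port - $knockd_min_port + 1) . ")\n";
}
#--------------------
# Probe timeout below the minimum is refused; above the maximum it is only
# discouraged, because a slow link may genuinely need it.
if ($connection_timeout < $connection_timeout_minlimit) {
    die "ERROR: Connection time out can't be set below " . $connection_timeout_minlimit . " seconds.\n";
}
if ($connection_timeout > $connection_timeout_maxlimit) {
    print "WARNING: Connection time out limit is set above recommended limit (" . $connection_timeout_maxlimit . " seconds).\n";
}
#--------------------
# Unless --dry-gen is set, the target must be a well-formed IPv4 address and
# must answer a ping before any port probe is attempted.
if (not $dry_gen) {
    # \A ... \z rather than ^ ... $: the latter would let a trailing newline
    # through to Net::Ping and IO::Socket.
    if ($target_ip !~ /\A$RE{net}{IPv4}\z/) {
        die "ERROR: Invalid IPv4 address given (" . $target_ip . ")\n";
    }
    my $pinger = Net::Ping->new;
    if (not $pinger->ping($target_ip, $connection_timeout_maxlimit)) {
        die "ERROR: Can't find the host computer.\n";
    }
    $pinger->close;
}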
#-----------------------------------------
# PORT & PROTOCOL GENERATION
# Split user input into a new array, defined by @ symbol.
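# Split the comma-separated user input into the list of candidate protocols.
my @knockd_protocols = split /,/, $knockd_protocols;
# knockd understands only tcp and udp; anything else would silently end up in
# a configuration knockd cannot load, so reject it here.
if (not @knockd_protocols) {
    die "ERROR: At least one protocol (tcp or udp) must be given.\n";
}
for my $protocol (@knockd_protocols) {
    if ($protocol !~ /\A(?:tcp|udp)\z/) {
        die "ERROR: Invalid protocol '" . $protocol . "' (accepted: tcp, udp or tcp,udp).\n";
    }
}
# Number of distinct ports in the inclusive range; ports are computed as an
# offset from $knockd_min_port instead of materialising a 65535-element list.
my $knockd_port_pool = $knockd_max_port - $knockd_min_port + 1;
# Randomness source. The knock sequence acts as a shared secret between the
# knockd host and the client, so it is drawn from /dev/urandom rather than
# Perl's rand(), whose output is reproducible from its seed. If the device is
# not readable (e.g. non-Unix platform) we warn once and fall back to rand()
# instead of refusing to run.
my $urandom_fh;
if (not open $urandom_fh, '<:raw', '/dev/urandom') {
    warn "WARNING: Cannot read /dev/urandom ($!); falling back to Perl's rand().\n";
    undef $urandom_fh;
}

# Return a uniformly distributed integer in 0 .. $upper - 1.
# Reads 32-bit values from /dev/urandom and uses rejection sampling so that
# no index is favoured (a plain "value % $upper" would favour the low ones).
# Dies on a short read; uses rand() only when /dev/urandom was unavailable.
sub _random_index {
    my ($upper) = @_;
    return 0 if $upper <= 1;
    if ($urandom_fh) {
        # Largest multiple of $upper that fits in 32 bits; values at or above
        # it belong to an incomplete bucket and are redrawn.
        my $limit = $upper * int(4294967296 / $upper);
        while (1) {
            my $bytes = '';
            my $got = read $urandom_fh, $bytes, 4;
            if (not defined $got or $got != 4) {
                die "ERROR: Short read from /dev/urandom.\n";
            }
            my $value = unpack 'L', $bytes;
            return $value % $upper if $value < $limit;
        }
    }
    return int rand $upper;
}

# True when $port already heads one of the generated entries, which are
# either a bare port or "port:protocol". The whole port number is compared,
# so 22 no longer excludes 122, 2200 or 8022 the way a substring match did.
sub _port_taken {
    my ($port, @chosen) = @_;
    return scalar grep { (split /:/, $_, 2)[0] == $port } @chosen;
}

my @randoms;
# Every duplicate and every busy port costs one attempt. Without a cap the
# loop could spin forever when the target has more open ports than the range
# can spare; 64 draws per pool slot is far beyond the expected need.
my $attempts_left = 64 * $knockd_port_pool;
while (@randoms < $knockd_port_count) {
    if ($attempts_left-- <= 0) {
        die "ERROR: Could not find " . $knockd_port_count . " free ports in range " . $knockd_min_port . "-" . $knockd_max_port . ". Widen the range or lower the port count.\n";
    }
    # Generate a random port from the given port range.
    my $random_port = $knockd_min_port + _random_index($knockd_port_pool);
    # Choose randomly between the given protocols.
    my $random_protocol = $knockd_protocols[_random_index(scalar @knockd_protocols)];
    # TODO make this optional with '$random_always' user input parameter
    # Never accept an already generated port in the port sequence.
    next if _port_taken($random_port, @randoms);
    if (not $dry_gen) {
        # Test the generated port for a connection. The probe is a plain TCP
        # connect, so it is visible in the target's connection/firewall logs.
        # UDP is never probed: a closed UDP port gives no answer, so a UDP
        # "connect" would never fail and the test would be meaningless.
        my $socket = IO::Socket::INET->new(
            PeerHost => $target_ip,
            PeerPort => $random_port,
            Proto    => 'tcp',    # This is hardcoded purposefully
            Timeout  => $connection_timeout,
        );
        if ($socket) {
            # Something answers on this port: release the socket, try another.
            close $socket;
            next;
        }
    }
    push @randoms, $all ? $random_port . ':' . $random_protocol : $random_port;
}
close $urandom_fh if $urandom_fh;
my $knockd_seqs = join(',', @randoms);
print $knockd_seqs . "\n";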
#-----------------------------------------
# HELP TEXT
__END__
# TODO IMPROVE THIS SECTION
# TODO UPDATE HELP TEXT TO CORRESPOND WITH THE COMMANDS ABOVE
=head1 SYNOPSIS

knockgen [options] (--help or -h for more information)

knockgen 0.1 - Random port & protocol sequence generator for knockd daemon

knockgen Copyright (C) 2018 Pekka Helenius <fincer89@hotmail.com>
This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
This is free software, and you are welcome to redistribute it
under certain conditions; type `show c' for details.

=head1 OPTIONS

=over 4

=item Output format:

=item B<--all> or B<-a>

Print randomly generated ports & protocols (Default)

=item B<--ports-only> or B<-p>

Print randomly generated ports only

=item B<--dry-gen> or B<-d>

Generate port (& protocol) sequence without trying to connect anywhere.

=item Port testing:

=item B<--target-ip> or B<-i>

IPv4 address of the target computer (server). Default: 127.0.0.1

=item B<--protocols> or B<-c>

Use these protocols. Default: tcp,udp (Syntax: tcp or tcp,udp)

=item B<--conn-timeout> or B<-t>

Connection timeout for a port test in seconds. Default: 0.3

=item Generated values:

=item B<--min-port> or B<-m>

Minimum port number to be used for knockd daemon. Default: 1

=item B<--max-port> or B<-x>

Maximum port number to be used for knockd daemon. Default: 65535

=item B<--port-count> or B<-n>

Number of port (+ protocol) sequences for knockd daemon. Default: 6

=item B<--help> or B<-h>

Prints this help text.

=back

=cut