@franciscodavid
Created August 2, 2010 11:19
Port Knocking, client and server configuration files
#!/bin/bash
#
# Port Knocking server configuration. It closes all ports but the webserver one.
# When the correct sequence of ports is detected (1000, 2000, 3000, 4000), the
# SSH port is opened for 5 seconds to allow connections.
#
# Erase all the rules and the user-defined chains (-F alone leaves the
# INTO-PHASE* chains behind, so running the script twice would fail on "iptables -N")
iptables -F
iptables -X
# Close all incoming connections
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Open the web server port to the public
iptables -A INPUT -m state --state NEW -p TCP --dport 80 -j ACCEPT
# Allow the loopback interface (mysql, ...)
iptables -A INPUT -i lo -j ACCEPT
# Port Knocking
###############
# Original Script http://pub.ligatura.org/fs/netfilter/misc/portknock_multi
#
# Netfilter/IPtables - example of multiple-port knocking
# Note: Knock ports to open SSH port for 5 seconds.
# Each INTO-PHASEn chain moves the source address from the previous "recent"
# list to the next one and logs the transition with a "INTO PHASEn: " prefix.
iptables -N INTO-PHASE2
iptables -A INTO-PHASE2 -m recent --name PHASE1 --remove
iptables -A INTO-PHASE2 -m recent --name PHASE2 --set
iptables -A INTO-PHASE2 -j LOG --log-prefix "INTO PHASE2: "
iptables -N INTO-PHASE3
iptables -A INTO-PHASE3 -m recent --name PHASE2 --remove
iptables -A INTO-PHASE3 -m recent --name PHASE3 --set
iptables -A INTO-PHASE3 -j LOG --log-prefix "INTO PHASE3: "
iptables -N INTO-PHASE4
iptables -A INTO-PHASE4 -m recent --name PHASE3 --remove
iptables -A INTO-PHASE4 -m recent --name PHASE4 --set
iptables -A INTO-PHASE4 -j LOG --log-prefix "INTO PHASE4: "
# Refresh the "last seen" timestamp of any source already in PHASE1 (match only, no target)
iptables -A INPUT -m recent --update --name PHASE1
# First knock puts the source in PHASE1; each further knock only counts if the
# source is in the previous list, and the SSH rule only accepts sources that
# reached PHASE4 within the last 5 seconds
iptables -A INPUT -p tcp --dport 1000 -m recent --set --name PHASE1
iptables -A INPUT -p tcp --dport 2000 -m recent --rcheck --name PHASE1 -j INTO-PHASE2
iptables -A INPUT -p tcp --dport 3000 -m recent --rcheck --name PHASE2 -j INTO-PHASE3
iptables -A INPUT -p tcp --dport 4000 -m recent --rcheck --name PHASE3 -j INTO-PHASE4
iptables -A INPUT -p tcp --dport 22 -m recent --rcheck --seconds 5 --name PHASE4 -j ACCEPT

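The server ruleset logs every phase transition with an "INTO PHASEn: " prefix, which makes the knock sequence auditable from the kernel log. The script below is an added example, not part of the gist: it summarises those LOG lines per source address (highest phase reached, how many times the sequence was started, whether the SSH window was ever opened) and flags sources that keep starting the sequence without completing it. The log lines in SAMPLE_LOG are constructed for the example; the SRC= field is the standard netfilter LOG format, and the prefixes are the ones the ruleset above uses.

```shell
#!/bin/bash
# Added example: summarise port-knock phase transitions from netfilter LOG lines.
# Assumes the "INTO PHASE2/3/4: " prefixes of the server ruleset and the usual
# "SRC=a.b.c.d" field that the LOG target writes.

# Constructed sample of kern.log lines (not a real capture): one source completes
# the sequence, another starts it three times and never gets past PHASE3.
SAMPLE_LOG='Aug  2 11:19:01 gw kernel: INTO PHASE2: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51000 DPT=2000 SYN
Aug  2 11:19:02 gw kernel: INTO PHASE3: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51001 DPT=3000 SYN
Aug  2 11:19:02 gw kernel: INTO PHASE4: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=51002 DPT=4000 SYN
Aug  2 11:25:40 gw kernel: INTO PHASE2: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40000 DPT=2000 SYN
Aug  2 11:26:10 gw kernel: INTO PHASE2: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40001 DPT=2000 SYN
Aug  2 11:26:55 gw kernel: INTO PHASE2: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40002 DPT=2000 SYN
Aug  2 11:27:03 gw kernel: INTO PHASE3: IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=40003 DPT=3000 SYN'

# knock_report: read log lines on stdin and print one line per source:
#   <src> <highest phase reached> <sequences started> <OPENED|PARTIAL>
# OPENED means the source reached PHASE4, i.e. the 5-second SSH window was opened.
knock_report() {
    awk '
        /INTO PHASE[234]: / {
            if (match($0, /INTO PHASE[234]: /) == 0) next
            phase = substr($0, RSTART + 10, 1) + 0      # the digit after "INTO PHASE"
            if (match($0, /SRC=[0-9.]+/) == 0) next
            src = substr($0, RSTART + 4, RLENGTH - 4)   # address after "SRC="
            if (phase > maxphase[src]) maxphase[src] = phase
            if (phase == 2) starts[src]++               # PHASE2 = first two knocks seen
        }
        END {
            for (src in maxphase) {
                verdict = (maxphase[src] == 4) ? "OPENED" : "PARTIAL"
                printf "%s %d %d %s\n", src, maxphase[src], starts[src] + 0, verdict
            }
        }
    ' | sort
}

# flag_probing: sources that started the sequence at least $1 times (default 3)
# without ever reaching PHASE4. Repeated partial sequences are worth a look.
flag_probing() {
    local threshold=${1:-3}
    knock_report | awk -v t="$threshold" '$4 == "PARTIAL" && $3 >= t { print $1 }'
}

# Report on the constructed sample; for real use pipe kern.log lines instead:
#   grep 'INTO PHASE' /var/log/kern.log | knock_report
printf '%s\n' "$SAMPLE_LOG" | knock_report
```

The OPENED list is the one to compare against the addresses you expect to be knocking; because the knock ports are in ascending order, any source that walks the ports in that order will show up there too, so an unexpected OPENED entry deserves the same attention as a flagged PARTIAL one.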
#!/bin/bash
# SCP Connection Port Knocker
#
# 1 - Append this code to your .bashrc or .bash_profile file
# 2 - Create a .portknocks file in your home directory with a list like
# host1 port1
# host1 port2
# ...
# host1 portN
# host2 port1
# ...
# 3 - You must open a new terminal session to use the new function
# 4 - Use it as you would use the scp command
# scp user@server:~/hello ~/hello => psscp user@server:~/hello ~/hello
#
# It accepts the usual options of the SCP program
psscp() {
    # getopts keeps its position in OPTIND between calls; reset it so the
    # function works more than once in the same shell
    local OPTIND=1 FLAG HOSTS="" HOST ARG j CNT
    # Skip the scp options; the remaining arguments are the file operands
    while getopts "dfl:prtvBCc:i:P:q1246S:o:F:" FLAG
    do
        true
    done
    j=$OPTIND
    while [ -n "${@:$j:1}" ]
    do
        ARG=${@:$j:1}
        # Only "[user@]host:path" operands name a remote host; local paths are skipped
        case $ARG in
            *:*)
                HOST=${ARG%%:*}
                HOST=${HOST#*@}
                HOSTS="${HOSTS}${HOST}\n"
                ;;
        esac
        ((j++))
    done
    # Knock each distinct host once, even if several operands refer to it
    echo -e "$HOSTS" | sort -u | \
    while read -r HOST
    do
        if [ -n "$HOST" ]
        then
            CNT=1
            # Exact match on the first column of ~/.portknocks; every further
            # column of a matching line is a port, in knocking order
            awk -v h="$HOST" '$1 == h { for (i = 2; i <= NF; i++) print $i }' ~/.portknocks | \
            while read -r PORT
            do
                echo "Knocking $HOST ($CNT)"
                # Detach nc from the pipe, otherwise it reads the port list as its stdin
                nc -w 1 "$HOST" "$PORT" </dev/null >/dev/null 2>&1 &
                sleep 0.5
                ((CNT++))
            done
        fi
    done
    scp "$@"
}

#!/bin/bash
# SSH Connection Port Knocker
#
# 1 - Append this code to your .bashrc or .bash_profile file
# 2 - Create a .portknocks file in your home directory with a list like
# host1 port1
# host1 port2
# ...
# host1 portN
# host2 port1
# ...
# 3 - You must open a new terminal session to use the new function
# 4 - Use it as you would use the ssh command
# ssh user@server => pssh user@server
#
# It accepts the usual options of the SSH program
pssh() {
    # Reset OPTIND so getopts starts from the first argument on every call
    local OPTIND=1 FLAG HOST CNT
    while getopts "1246ab:c:e:fgi:kl:m:no:p:qstvxACD:F:I:KL:MNO:PR:S:TVw:W:XYy" FLAG
    do
        true
    done
    # The first non-option argument is [user@]host
    HOST=${@:$OPTIND:1}
    HOST=${HOST#*@}
    CNT=1
    # Exact match on the first column of ~/.portknocks; every further
    # column of a matching line is a port, in knocking order
    awk -v h="$HOST" '$1 == h { for (i = 2; i <= NF; i++) print $i }' ~/.portknocks | \
    while read -r PORT
    do
        echo "Knocking $HOST ($CNT)"
        # Detach nc from the pipe, otherwise it reads the port list as its stdin
        nc -w 1 "$HOST" "$PORT" </dev/null >/dev/null 2>&1 &
        sleep 0.5
        ((CNT++))
    done
    ssh "$@"
}

franciscodavid commented Jan 11, 2011

This code is to configure port knocking on a server and connect with two simple scripts from the client side using ssh and scp.
