/kms_knock_server

KMS (Key-Management-Service) Knock Server

Primary LanguagePerlGNU General Public License v2.0GPL-2.0

KMS (Key-Management-Service) Knock Server

The KMS (Key-Management-Service) knock server provides an easy way to temporarily open TCP 1688 port by knocking the server. You can use various way to authenticate a user, like POP3, Radius, LDAP, etc. It is suitable for those that dose not have VPN (Virtual Private Network).

Architecture

 (kms-server)          (kms-knock-server)
+------------+          +--------------+          +----------------+
| KMS Server | <------> | Knock Server | <------> | Windows Client |
+------------+          +--------------+          +----------------+
                socat       fail2ban     iptables
                rinetd

+----------+         +---------+         +------------+         +----------+
| knock.pl | ------> | rsyslog | ------> | local7.log | ------> | fail2ban |
+----------+         +---------+         +------------+         +----+-----+
                                                                     |
                                                                +----+-----+
                                                                | iptables |
                                                                +----+-----+
																     |
																+----+-----+
																|  socat   |
																|  rinetd  |
																+----------+

Dependencies

  • iptables/fail2ban/rsyslog: open/close tcp port 1688
  • socat/rinetd: tcp port redirection
  • httpd/lighttpd
  • Perl 5.10 or newer (Sys::Syslog, DBI, DBD::SQLite)
  • SQLite

Usage

  • Configure fail2ban and rsyslog

    # cd /etc/fail2ban
    # sudo cp [KNOCK_SRC]/fail2ban/action.d/knock.conf action.d/
    # sudo cp [KNOCK_SRC]/fail2ban/filter.d/knock.conf filter.d/
    # sudo cat [KNOCK_SRC]/fail2ban/jail.conf >> jail.conf
    # sudo systemctl restart fail2ban.service
    
    # sudo vim /etc/rsyslog.conf
    local7.*        -/var/log/local7.log
    
  • Create sqlite database

    # sqlite3 cgi-bin/databases/knock.sqlite < cgi-bin/_knock.sql
    
  • Configure CGI application

    # cd /var/www/cgi-bin
    # sudo cp [KNOCK_SRC]/cgi-bin/knock.pl .
    # sudo cp -r [KNOCK_SRC]/cgi-bin/databases .
    # sudo chown -R apache:apache knock.pl databases/
    # sudo chmod 755 knock.pl databases/
    

Sample output log

Mar 13 22:12:35 r309-1 knock[25356]: ACTION=knock IP=127.0.0.1 USER=lyshie HOST=test.edu.tw COUNT=1
Mar 13 22:13:20 r309-1 knock[26836]: ACTION=knock IP=127.0.0.1 USER=lyshie HOST=test.edu.tw COUNT=2

Author

SHIE, Li-Yi <lyshie@mx.nthu.edu.tw>

License

GNU General Public License (GPL)