
Bug#305584: RFP: doorman -- Port knocking daemon for SSH and other servers



Package: wnpp
Severity: wishlist

* Package name    : doorman
  Version         : 0.8
  Upstream Author : <bward2@users.sourceforge.net>
* URL             : http://doorman.sourceforge.net/
* License         : GPL
  Description     : Port knocking daemon for SSH and other servers

(Include the long description here.)

How doorman differs from knockd (a Debian package)

This particular implementation deviates a bit from his original
proposal, in that the doorman watches for only a single UDP packet.
To get the doorman to open up, the packet must contain an MD5 hash
which correctly hashes a shared secret, salted with a 32-bit random
number, the identifying user or group-name, and the requested service
port-number.

Download

  http://sourceforge.net/project/showfiles.php?group_id=92394&release_id=257407

Further reading

  Port Knocking By Martin Krzywinski on Sun, 2003-06-15 23:00.
  http://www.linuxjournal.com/article.php?sid=6811&mode=thread&order=0

  http://www.portknocking.org/

Description

The doorman is intended to run on systems which have their firewall
rules turned down tightly enough as to be effectively invisible to the
outside world.  The doorman adds and removes extra rules in a
carefully controlled manner.

The doorman daemon "guards the door" of a host, admitting only
recognized parties.  It allows a server which is not intended for
general public access to run with all of its TCP ports closed to the
outside world.  A matching "knocker" is provided, with which to
persuade the doorman to open the door a crack, just wide enough for a
single TCP connection from a single IP address.

And now, switching to metaphor 2... :) A private server thus rigged
for silent running has greatly enhanced security.  Port scans cannot
reveal its existence.  Even if its existence is known by other means
(or the firewall isn't all that tight), possible bugs in server code
cannot be exploited; packets from unknown sources simply never get to
the bug.

The current implementation of the doorman, "doormand", is suitable for
protecting only TCP services on Unix-type systems.  The door-knocker,
"knock", can be run under Unix, GNU/Linux, or Microsoft Windows.

The doorman is based on an original idea of Martin Krzywinski, who
proposed watching firewall logs for a sequence of packets directed to
closed ports, which method he described in Sysadmin magazine and
linuxjournal.com.  You might also visit his pages at
www.portknocking.org.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ISO-8859-1) (ignored: LC_ALL set to en_US)
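The single-packet knock described in the "How doorman differs from knockd" section above (an MD5 over the shared secret, a 32-bit random salt, the user or group name and the requested port), as an added example that is not doorman's own code: the packet layout, the order of the fields inside the hash, the `build_knock`/`Doorman` names and the 60-second replay window are all assumptions. The server side also refuses a salt it has already honoured, a check the RFP text does not mention but which a single-packet scheme needs against replay of a captured knock.

```python
import hashlib
import hmac
import os
import struct
import time

# Assumed packet layout (constructed for this example, not doormand's real wire format):
#   "<group> <port> <salt_hex> <md5_hex>"
# The digest covers secret || salt || group || port, the four inputs the RFP lists.
def knock_digest(secret, salt, group, port):
    """MD5 over the shared secret, the 32-bit salt, the group name and the port."""
    h = hashlib.md5()
    h.update(secret)
    h.update(struct.pack("!I", salt))   # 32-bit random salt, network byte order
    h.update(group.encode("utf-8"))
    h.update(struct.pack("!H", port))   # requested service port
    return h.hexdigest()

def build_knock(secret, group, port, salt=None):
    """Client side: the single UDP payload the knocker would send."""
    if salt is None:
        salt = struct.unpack("!I", os.urandom(4))[0]
    return f"{group} {port} {salt:08x} {knock_digest(secret, salt, group, port)}"

class Doorman:
    """Server side: verifies a knock and refuses replays inside the replay window."""
    def __init__(self, secrets, replay_window=60.0):
        self.secrets = secrets            # group name -> shared secret (bytes)
        self.replay_window = replay_window
        self.seen = {}                    # (group, salt) -> time the knock was honoured

    def check(self, payload, now=None):
        now = time.monotonic() if now is None else now
        try:
            group, port_s, salt_hex, digest = payload.split(" ")
            port, salt = int(port_s), int(salt_hex, 16)
        except ValueError:
            return False                  # malformed packet: stay silent
        secret = self.secrets.get(group)
        if secret is None or not 0 < port < 65536 or not 0 <= salt < 1 << 32:
            return False                  # unknown group or out-of-range fields
        expected = knock_digest(secret, salt, group, port).encode()
        if not hmac.compare_digest(expected, digest.encode()):
            return False                  # wrong secret or tampered fields
        # Forget expired salts, then refuse one already honoured: a captured knock replayed inside the window would otherwise reopen the door.
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.replay_window}
        if (group, salt) in self.seen:
            return False
        self.seen[(group, salt)] = now
        return True
```

Because the digest is a plain hash rather than a MAC and is unauthenticated on the wire, a knock that is accepted only opens the firewall for the knocking address; the protected service still performs its own authentication afterwards.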
