I finally got tired of all the script kiddies trying to guess my root and other common user passwords by brute-force attack. Even though I have SSH configured to allow only a few selected users to log in, their brute-force attempts create some quite large syslog files on my system.
I went around looking for a port knocker, but since we are often behind restrictive firewalls, it becomes impossible to remotely “open” SSH to your current IP address.
I then decided to write something myself, and webknock is the result.
Webknock is a Perl program that sits idly in the background monitoring your Apache “access” log file. Once a pre-determined sequence of requests is seen from a client, it executes a configurable command with that client's IP address as an argument. A popular choice here would be “iptables”, opening access to your current IP.
After a pre-determined (but configurable) amount of time, another command is executed, this time “closing” access to the previously opened IP address.
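To make the mechanism concrete, here is a small detector in the same spirit, written for this post as an added example; it is not the webknock Perl code itself. It assumes the Apache combined/common log format, that the knock is a fixed ordered list of URL paths requested by one client IP (the sequence below is made up), and that the open and close commands are iptables rules built as argv lists so that nothing from the log is ever handed to a shell. The log lines in the demo are constructed, and the command runner and clock are injectable so the whole thing runs offline.

```python
"""Web-knock detector: watch Apache access-log lines, and when one client
IP requests a fixed sequence of paths in order, run an "open" command for
that IP; run a "close" command once a TTL has elapsed.  Example code,
not the webknock program described in the post."""
import ipaddress
import re
import subprocess
import time

# Apache combined/common log format: host ident user [time] "METHOD PATH PROTO" status ...
# Only the remote host and the request path matter here.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (host, path) for a well-formed access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("host"), m.group("path")


# Hypothetical open/close commands: insert/delete a per-IP ACCEPT rule for SSH.
def iptables_open(ip):
    return ["iptables", "-I", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "ACCEPT"]


def iptables_close(ip):
    return ["iptables", "-D", "INPUT", "-s", ip, "-p", "tcp", "--dport", "22", "-j", "ACCEPT"]


def real_runner(argv):
    # argv list, no shell: the IP comes from the log, so it must never be interpolated.
    subprocess.run(argv, check=True)


class WebKnock:
    def __init__(self, sequence, ttl, open_cmd=iptables_open, close_cmd=iptables_close,
                 runner=real_runner, clock=time.time):
        self.sequence = list(sequence)
        self.ttl = ttl
        self.open_cmd = open_cmd
        self.close_cmd = close_cmd
        self.run = runner
        self.clock = clock
        self.progress = {}   # ip -> number of sequence steps matched so far
        self.opened = {}     # ip -> expiry timestamp

    def feed(self, line):
        """Consume one log line; return True if it completed the knock for its IP."""
        parsed = parse_line(line)
        if parsed is None:
            return False
        host, path = parsed
        try:
            # Refuse anything that is not an IP literal (e.g. HostnameLookups output)
            # before it can reach the firewall command.
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            return False
        pos = self.progress.get(ip, 0)
        if path == self.sequence[pos]:
            pos += 1                      # correct next step
        elif path == self.sequence[0]:
            pos = 1                       # wrong step, but a fresh start of the sequence
        else:
            pos = 0                       # any other request resets this client
        if pos == len(self.sequence):
            self.progress.pop(ip, None)
            self._open(ip)
            return True
        self.progress[ip] = pos
        return False

    def _open(self, ip):
        if ip not in self.opened:         # already open: just extend the TTL
            self.run(self.open_cmd(ip))
        self.opened[ip] = self.clock() + self.ttl

    def expire(self):
        """Close access for every IP whose TTL has elapsed; return the IPs closed."""
        now = self.clock()
        closed = [ip for ip, until in self.opened.items() if until <= now]
        for ip in closed:
            self.run(self.close_cmd(ip))
            del self.opened[ip]
        return closed


def demo():
    """Run the detector over constructed log lines with a fake clock and a
    recording runner; return (argv lists 'executed', per-line hits, IPs closed)."""
    executed = []
    fake_now = [1000.0]
    wk = WebKnock(["/k/7421", "/k/1183", "/k/9905"], ttl=60,
                  runner=executed.append, clock=lambda: fake_now[0])
    lines = [  # constructed sample lines; 203.0.113.7 knocks correctly, 198.51.100.9 does not
        '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET /k/7421 HTTP/1.1" 404 209',
        '203.0.113.7 - - [10/Oct/2000:13:55:37 -0700] "GET /k/1183 HTTP/1.1" 404 209',
        '198.51.100.9 - - [10/Oct/2000:13:55:37 -0700] "GET /k/9905 HTTP/1.1" 404 209',
        '203.0.113.7 - - [10/Oct/2000:13:55:38 -0700] "GET /k/9905 HTTP/1.1" 404 209',
        'not a log line',
    ]
    hits = [wk.feed(line) for line in lines]
    fake_now[0] += 61                    # let the TTL elapse
    closed = wk.expire()
    return executed, hits, closed


if __name__ == "__main__":
    print(demo())
```

In production the loop would tail the access log (and call `expire()` periodically) with the default runner, which executes the argv list directly. Because the knock paths appear in the log as ordinary 404s, nothing in the Apache configuration needs to change, which is the property the post relies on.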
Note that this is only useful if you already have Apache running on your server and port 80 or 443 can be reached from anywhere on the net (my case). No modifications to the Apache configuration are required. Bear in mind that a knock sent over plain HTTP on port 80 travels in the clear, so anyone who can observe that traffic can replay the sequence; sending it over 443 keeps the requested URLs inside TLS.
Keywords: webknock, apache, port knocking, port knocker