-
Notifications
You must be signed in to change notification settings - Fork 1
/
OpenVPN.startup
38 lines (26 loc) · 1.61 KB
/
OpenVPN.startup
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# Open VPN service offering acccess to enterprise LAN
# for outsiders but also to insiders to potential
# facilities outside. Due to this, it is a highly risky
# asset due to the impact of someone accessing the
# inside without being entitled to and for this reason
# it is placed to a distinguished DMZ that it's well
# monitored, compared to the Mail server DMZ that is able
# to accommodate Fileservers, Application, Web Servers etc.
ifconfig eth0 172.16.1.2/30
# Defaults to DMZ Gateway for VPN.
route add default gw 172.16.1.1
while true; do nc -lvp 1194; done &
# One of the following ports is used for
# port knocking, the rest are for misdirection.
while true; do nc -lvp 1887; done &
while true; do nc -lvp 22456; done &
while true; do nc -lvp 38964; done &
/etc/init.d/ssh start
# Port Knocking to 1887 and within 45 seconds ssh through the unconventional port 36747.
# Useful Commands:
# 1) The server should first have a root password set using the command: "passwd".
# 2) Knock the port 1887 using: "nmap -Pn --max-retries 0 -p 1887 172.16.1.2". Netcat can be used too.
# 3) Within 45 seconds, perform the following command from admin: "ssh -p 36747 [email protected]".
iptables -A INPUT -s 10.0.13.0/30 -p tcp --syn --dport 1887 -m comment --comment "Portknock sequence" -m recent --set --name portknock
iptables -A INPUT -s 10.0.13.0/30 -p tcp --syn --dport 36747 -m recent --rcheck --seconds 45 --name portknock -m conntrack --ctstate NEW -m comment --comment "SSH Unconventional Port" -j ACCEPT
iptables -A INPUT -p tcp --syn --dport 36747 -m comment --comment "Restrics connections without first portknocking" -j DROP