Using fail2ban to open back door ports in your iptables [Port Knocking]

The opposite of fail2ban would probably be called auth2allow (authenticate to allow) or fail2allow, but there is no need for a separate tool: fail2ban's configuration can be bent to do exactly that. What I have set up, and am about to explain, is a fail2ban jail that watches for a successful login on an FTP server and, when it sees one, lets the authenticated IP through to another port that is normally blacklisted outright in iptables because the service behind it is not as well protected as the FTP login. It is a hack of a security mechanism, a way to let yourself or others into a service through an obscure route. Like most security it is not perfect, but it seems pretty solid in my mind.

If someone can authenticate on the FTP server (it could even be anonymous FTP, but I recommend a dedicated username created just for this, because whoever can log in as that user gets the door opened), fail2ban triggers an ACCEPT rule for their IP on some port (or all ports): SSH (22), for example, or Apache HTTPS (443) serving a private site that you want to keep hidden from the internet at large. The concept applies to anything: any command iptables can run can be triggered by something fail2ban sees in a log file, so the possibilities are endless. Bear in mind that plain FTP sends the username and password in cleartext, so anyone who can sniff that login can repeat it and earn the same ACCEPT; if your FTP server supports TLS (FTPS), turn it on for this user. In my example I'll use HTTPS on port 443, but in real life I'm using an obscure port number with a program on it that is not very secure by default.

So here are my slightly modified configuration files for setting up a custom fail2ban service that does the opposite of what fail2ban typically does.

In /etc/fail2ban/jail.conf (or better, /etc/fail2ban/jail.local, which overrides jail.conf and survives package upgrades) I added:

 [vsftpd2allow443]
 
 enabled  = true
 port     = 443
 filter   = vsftpd-2-accept-https
 banaction = iptables-accept-https
 logpath  = /var/log/vsftpd.log
 maxretry = 1
 bantime  = -1

filter has to match the name of the corresponding file in the /etc/fail2ban/filter.d folder (without the .conf), and banaction the name of the corresponding file in the /etc/fail2ban/action.d folder. port is handed to the action, whose unchanged actionstart inserts a jump from INPUT into the fail2ban-vsftpd2allow443 chain for that port, so it must be the port you are opening, not the FTP port. maxretry is 1 so one successful FTP login is enough to open the back door port; the filter only produces matches for successful logins, so there is nothing to count up. bantime = -1 adds the IP for ever. For added security use bantime = 86400 for one day of access (bantime is in seconds); when it expires, actionunban removes the ACCEPT again. Two things to keep in mind: the ACCEPT rules live only in the running iptables chain, and fail2ban's actionstop flushes that chain, so stopping or restarting fail2ban closes the door until the user logs in again (unless your fail2ban version re-applies bans from its database on start); and a firewall script that flushes and reloads INPUT after fail2ban has started removes the jump into the fail2ban chain, so restart fail2ban after reloading the firewall.

Next make a copy of a default action for a template:

 cp -vip /etc/fail2ban/action.d/iptables.conf /etc/fail2ban/action.d/iptables-accept-https.conf

Then change every DROP in actionban and actionunban to ACCEPT and change the default port (actionstart, actionstop and actioncheck stay as they are: they create the fail2ban-<name> chain and hook it into INPUT):

 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j DROP
 # Becomes
 actionban = iptables -I fail2ban-<name> 1 -s <ip> -j ACCEPT
 
 actionunban = iptables -D fail2ban-<name> -s <ip> -j DROP
 # Becomes
 actionunban = iptables -D fail2ban-<name> -s <ip> -j ACCEPT
 
 port = ssh
 # Becomes
 port = 443

And lastly you need a fail2ban filter that watches vsftpd for successful authentications of the special user who gets the port opened. Since I'm using vsftpd as my FTP server I copied its existing filter and modified it to look for good logins instead of bad ones.

 cp -vip /etc/fail2ban/filter.d/vsftpd.conf /etc/fail2ban/filter.d/vsftpd-2-accept-https.conf

Change 'specialuser' to whatever FTP user you want to grant the special access. Note that both of the stock patterns have to go: the first one matches PAM "authentication failure" lines, and in an allow filter it would open the port for an attacker whose failed attempt lands in the watched log (vsftpd writes those lines there when syslog logging is enabled). Only the OK LOGIN line for the special user should remain:

 failregex = vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$
     \[.+\] FAIL LOGIN: Client "<HOST>"\s*$
 # Becomes
 failregex = \[specialuser\] OK LOGIN: Client "<HOST>"\s*$

Before enabling the jail, confirm the filter matches your real log and nothing else with fail2ban-regex /var/log/vsftpd.log /etc/fail2ban/filter.d/vsftpd-2-accept-https.conf, which reports how many lines matched.

If you're not using vsftpd, fail2ban ships filters for the other popular Linux FTP servers in the filter.d folder. You should also look in your log file (ls /var/log/*ftp* should find it) to see how it denotes a successful FTP login, because the line will most likely differ from vsftpd's.
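To check the filter before pointing a live jail at it, here is an added example that is not the author's configuration and not fail2ban's own code: it re-implements in Python the small part of fail2ban's matching that matters here (the <HOST> placeholder expansion, first-match-wins over the failregex patterns, maxretry, and substitution into the actionban template) and runs both the posted filter and the corrected one over a few constructed vsftpd log lines, listing the iptables commands the jail would execute. The log lines are made up (documentation IP ranges), the IPv4-only host pattern is a simplification, and the jail name vsftpd2allow443 is taken from the jail above.

```python
import re
from collections import Counter

SPECIAL_USER = "specialuser"   # the dedicated FTP user from the post

# failregex as posted: the stock pam_unix failure pattern was left in front of
# the new OK LOGIN pattern.
POSTED_FAILREGEX = [
    r"vsftpd(?:\(pam_unix\))?(?:\[\d+\])?:.* authentication failure; .* rhost=<HOST>(?:\s+user=\S*)?\s*$",
    r'\[%s\] OK LOGIN: Client "<HOST>"\s*$' % SPECIAL_USER,
]

# Corrected failregex: only a successful login of the special user counts.
FIXED_FAILREGEX = [
    r'\[%s\] OK LOGIN: Client "<HOST>"\s*$' % SPECIAL_USER,
]

# fail2ban replaces <HOST> with its own host pattern; this IPv4-only stand-in
# is a simplification (assumption) that is enough for the sample log below.
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# actionban from the post's iptables-accept-https action (DROP changed to ACCEPT).
ACTIONBAN = "iptables -I fail2ban-<name> 1 -s <ip> -j ACCEPT"

# Constructed sample log lines in vsftpd's native format, plus one syslog-style
# pam_unix line of the kind vsftpd emits with syslog logging enabled. Not real traffic.
SAMPLE_LOG = [
    'Sat Jan 14 10:00:01 2012 [pid 4021] [specialuser] OK LOGIN: Client "203.0.113.10"',
    'Sat Jan 14 10:00:05 2012 [pid 4022] [bob] OK LOGIN: Client "198.51.100.7"',
    'Sat Jan 14 10:00:09 2012 [pid 4023] [specialuser] FAIL LOGIN: Client "192.0.2.55"',
    'Jan 14 10:00:09 ftphost vsftpd(pam_unix)[4023]: authentication failure; '
    'logname= uid=0 euid=0 tty=ftp ruser=specialuser rhost=192.0.2.55 user=specialuser',
]


def compile_failregex(patterns):
    """Expand <HOST> the way fail2ban does and compile each pattern."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def matched_hosts(lines, patterns):
    """Hosts extracted from the log, one per matching line; the first pattern
    that matches a line wins, as in fail2ban's filter."""
    compiled = compile_failregex(patterns)
    hosts = []
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                hosts.append(m.group("host"))
                break
    return hosts


def plan_actions(lines, patterns, name="vsftpd2allow443", maxretry=1):
    """Commands the jail would run: once a host reaches maxretry matches,
    actionban is executed with <name> and <ip> filled in."""
    counts = Counter()
    commands = []
    for host in matched_hosts(lines, patterns):
        counts[host] += 1
        if counts[host] == maxretry:
            commands.append(ACTIONBAN.replace("<name>", name).replace("<ip>", host))
    return commands


if __name__ == "__main__":
    for label, patterns in (("posted", POSTED_FAILREGEX), ("fixed", FIXED_FAILREGEX)):
        print("%s filter would run:" % label)
        for cmd in plan_actions(SAMPLE_LOG, patterns):
            print("  " + cmd)
```

Under the posted filter the pam_unix failure line earns 192.0.2.55 an ACCEPT, the opposite of what you want; the corrected filter opens the port only for 203.0.113.10, and neither bob's successful login nor the FAIL LOGIN line produces a command.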

Now you just need to remember the password for your specialuser: FTP to your server with that login from any computer in the world and your hidden port opens for you. This idea is mostly for personal use, and I recommend against having beginner users rely on it as a mechanism for accessing content, or even using it in a serious

This slight modification isn't revolutionary and I may not be the first to come up with it, but it definitely isn't a well-indexed idea, so I thought I'd throw it out there for others.


One thought on "Using fail2ban to open back door ports in your iptables [Port Knocking]"

  1. That’s brilliant!
    It’s one of those things that’s simple enough to do, but thinking to do it in the first place is what’s brilliant. Nice work.

    Thanks for posting this.

    The REAL, Original Tachyon
    Accept no substitutes!
