Yet another tech blog
Connecting to Wi-Fi from GUI = Very Easy. From BASH, less so. The following steps should get you connected to Wi-Fi. Followed this guide.
Not sure if last step is necessary. Shouldn’t be, but I also wasn’t able to connect, even after bringing the interface down and up again. Rebooting immediately connected.
56 Raspberry Pi – Portknocking with knockd Security through Obscurity is not Security. That being said, obscuring your SSH port via port knocking can be a great way to protect your SSH service from drive-bys and script kiddies. It is no replacement for a proper service configuration, but when paired with a good config can greatly improve your security. Also, it’s just kind of cool; who doesn’t wish they had a secret passage in their home?
Port knocking, at its core, is pretty simple. The daemon listens for connection attempts, and if attempts are made to the correct ports, in the correct order, in the specified amount of time, then it executes a command. Typically the command is to either add or delete a firewall rule. I followed this guide to get it up and running, but it is deprecated, and therefore there were some issues. All of the solutions are contained herein. First, we need to set up our firewall rules per this guide, ensuring that we don’t lock ourselves out of SSH access until we are certain that everything works.
1 2 3 4 5 6 7 8 9 10 11 | [options] LogFile = /var/log/knockd.log interface = wlan0 [SSH] sequence = 7303,40303,33528 tcpflags = syn seq_timeout = 15 start_command = /sbin/iptables -I INPUT 4 -s %IP% -p tcp --dport 22 -j ACCEPT cmd_timeout = 10 stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT |
Next edit
and change the following line
IMPORTANT! This is where we run into some issues. The Debian version of knockd will not start at boot, no matter what you do. In theory, the above modification to /etc/default/knockd should make this happen, but it doesn’t. After countless Google searches, I found a patch in a Debian bug post. The patch follows:
Append the following:
Finally, run the following and knockd will start at boot
Start knockd and test it out. If you have any issues, you can run the following to try to debug your problems
In order to carry out the port knocking, I chose to write a Python script, since I knew that that would work on both my Linux and Windows machines since they all have Python installed. As long as Scapy is installed then it’s good to go. See the script here.
54 Raspberry Pi – iptables for knockd I’m sure that there are more secure ways to configure iptables, what follows is a basic configuration to get knockd up and running (the guide to which can be found here rel=”noopener” target=”_blank”). All of the below came from following the linked guide at DigitalOcean.
Our iptables configuration will block most traffic, while still allowing local, established, and port 80 connections. Our first rule will allow local traffic which the machine uses to talk to itself
You’ll notice that the rule is being applied to the INPUT chain, to the lo or loopback interface (where you find local traffic), and has been configured to ACCEPT rather than DENY the traffic.
Next we want to ensure that all established connections and traffic related to them are allowed. I’m a bit hazy on the specifics of what we’re doing in this rule, so I’ll need to look up the particulars later.
This rule is pretty important, because without it we would lose our active SSH connection (which we are presumably using rather than hooking our pi up to a monitor) when we enter our deny all rule. Next, since we have a web service running, we’ll make a rule to ensure that that is accessible.
Pretty straight forward stuff. Now that we know that all traffic we want to allow has been accounted for, we will add our final rule. It’s important to note that as we add each of these rules, they get appended to the bottom of that list. When iptables checks the firewall rules to determine whether or not to allow traffic, it starts at the top of the list and works towards the bottom until it finds a rule that tells it what to do. So if traffic doesn’t match any of the above, iptables will check it against our final rule which will tell it to drop the traffic.
Go ahead and view the rules with the following command
This is a useful way to look at them because each rule is in a more orderly format, and has a line number attached. If you ever wanted to delete a rule or insert one at a specific point in the list, you would need to know which line number you needed. With this command, you can easily determine that. An alternative is
Unfortunately, iptables has an annoying tendency to flush your rules on shutdown if you don’t make them persistent. We’ll do this by installing iptables-persistent.
At this point, I learned that the service that we need to start is no longer iptables-persistent, but netfilter-persistent. That’s what I get for following a deprecated guide. I don’t know if we could avoid installing iptables-persistent and just install netfilter-persistent, which comes with it, but I’m not going to bother trying to figure it out. It works. So now just start the service and we’re good to go, the rules will remain persistent over power cycles.
Save the current rules to persistence:
With that, we’re ready to move on to setting up knockd.
I recently received a Raspberry Pi 3, and I’m an immediate fan. I’ve had a 2 for a while, but having wireless services built into the board makes things so much easier. Pretty much all of my stuff is still packed, so I was a bit limited in terms of what projects I could use it for, so instead I decided to just mess around with various services and configurations on it. These posts will follow.
A LAMP (Linux, Apache, MySQL, PHP) Stack is a pretty standard solution for running a web service like WordPress. Whatever I use my Pi for, chances are that I’m going to want a pleasant HTML interface. And since I have little experience with WordPress, I decided to start there. To do so, I followed the guide here.
First off, perform the necessary installations. I imagine you could probably install them all at once, on one line, but I did it piece by piece.
Accept defaults ensuring to set a password
Create wordpress database in mysql
Create wordpress user in mysql
Set up wordpress online
Some final configurations:
add after line 1