From 00f3aaca240d171106aba324dbe5b31433fad90c01832b310d302806e3b496fc Mon Sep 17 00:00:00 2001
From: Daniel Donisa
Date: Fri, 17 Jan 2025 15:08:04 +0000
Subject: [PATCH] - Remove conditionals around systemd as all versions use systemd now.
OBS-URL: https://build.opensuse.org/package/show/network:utilities/knock?expand=0&rev=23
---
 .gitattributes | 23 ++++++++++
 .gitignore | 1 +
 knock-0.8.tar.gz | 3 ++
 knock.changes | 93 ++++++++++++++++++++++++++++++++++++++++
 knock.spec | 107 +++++++++++++++++++++++++++++++++++++++++++++++
 knockd.conf | 11 +++++
 knockd.init | 103 +++++++++++++++++++++++++++++++++++++++++++++
 knockd.service | 22 ++++++++++
 knockd.sysconfig | 5 +++
 9 files changed, 368 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 knock-0.8.tar.gz
 create mode 100644 knock.changes
 create mode 100644 knock.spec
 create mode 100644 knockd.conf
 create mode 100644 knockd.init
 create mode 100644 knockd.service
 create mode 100644 knockd.sysconfig
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/knock-0.8.tar.gz b/knock-0.8.tar.gz
new file mode 100644
index 0000000..4eb8458
--- /dev/null
+++ b/knock-0.8.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:698d8c965624ea2ecb1e3df4524ed05afe387f6d20ded1e8a231209ad48169c7
+size 377107
diff --git a/knock.changes b/knock.changes
new file mode 100644
index 0000000..54c9b34
--- /dev/null
+++ b/knock.changes
@@ -0,0 +1,93 @@
+-------------------------------------------------------------------
+Mon Jan 13 10:06:09 UTC 2025 - Daniel Donisa
+
+- Remove conditionals around systemd as all versions use systemd now.
+
+-------------------------------------------------------------------
+Tue Sep 28 13:19:54 UTC 2021 - Johannes Segitz
+
+- Added hardening to systemd service(s) (bsc#1181400). Modified:
+ * knockd.service
+
+-------------------------------------------------------------------
+Wed May 19 08:49:35 UTC 2021 - Daniel Donisa
+
+- Update to version 0.8
+ * Multiple fixes (#67, #77)
+ * IPv6 support (Sebastien Valat)
+- dropped knock-0.5.patch, knock-include.patch
+
+-------------------------------------------------------------------
+Wed Jul 10 08:48:00 CET 2019 - brassh@web.de
+
+- fix uninitialized tcpflags variables in knockd.c
+ (Bug#1138376: Knockd unable to start after upgrade to LEAP 15.1)
+
+-------------------------------------------------------------------
+Thu Nov 23 13:46:18 UTC 2017 - rbrown@suse.com
+
+- Replace references to /var/adm/fillup-templates with new
+ %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------
+Tue Dec 1 14:49:38 UTC 2015 - p.drouand@gmail.com
+
+- Update to version 0.7
+ * Document the 'target' configuration directive.
+ * Merging OS-specific networking code to reduce LOCs and the
+ sea of #ifdefs.
+ * Added 50ms timeout to pcap_open_live() to reduce CPU usage
+ on network-heavy hosts. Pcap recommends we not use zero.
+- Changes from version 0.6
+ * Cleanup: Don't null-check before free
+ * Cleanup: Consolidate flag-check logic
+ * Accept single-knock sequences
+ * Introduce a 'target' configuration directive, enabling knockd to
+ react to connect attempts to a target host. Useful in cases where
+ knockd is on a router and you want to send a target a wakeup packet.
+- Add systemd support for openSUSE > 12.1
+- Update knock-include.patch > knock-0.5-include.patch
+- Remove obsolete AUTHORS section
+- Use download Url as source
+- Perform a spec-cleaner
+
+-------------------------------------------------------------------
+Mon Jun 15 11:53:12 CEST 2009 - aj@suse.de
+
+- Add knock-0.5-include.patch to fix build failure.
+
+-------------------------------------------------------------------
+Thu Jul 26 16:55:09 CEST 2007 - prusnak@suse.cz
+
+- changed libpcap to libpcap-devel in BuildRequires
+
+-------------------------------------------------------------------
+Tue Nov 14 15:07:38 CET 2006 - mskibbe@suse.de
+
+- fix bug #220355 (iptables call is wrong)
+
+-------------------------------------------------------------------
+Wed Oct 4 13:23:02 CEST 2006 - mskibbe@suse.de
+
+- fix bug in iptables call
+
+-------------------------------------------------------------------
+Mon Sep 25 11:20:44 CEST 2006 - mskibbe@suse.de
+
+- fix iptables call in config
+
+-------------------------------------------------------------------
+Fri Sep 22 13:00:46 CEST 2006 - mskibbe@suse.de
+
+- fix sysconfig file
+
+-------------------------------------------------------------------
+Wed Jan 25 21:37:14 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Thu Jun 30 16:12:57 CEST 2005 - hvogel@suse.de
+
+- Initial Package, Version 0.5
+
diff --git a/knock.spec b/knock.spec
new file mode 100644
index 0000000..877caa3
--- /dev/null
+++ b/knock.spec
@@ -0,0 +1,107 @@
+#
+# spec file for package knock
+#
+# Copyright (c) 1980 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+ %define _fillupdir /var/adm/fillup-templates
+%endif
+
+Name: knock
+Version: 0.8
+Release: 0
+Summary: A Port-Knocking Client
+License: GPL-2.0-or-later
+Group: Productivity/Networking/Security
+URL: http://www.zeroflux.org/knock/
+Source0: http://www.zeroflux.org/proj/knock/files/%{name}-%{version}.tar.gz
+Source1: %{name}d.sysconfig
+Source2: %{name}d.init
+Source3: %{name}d.conf
+Source4: %{name}d.service
+BuildRequires: libpcap-devel
+BuildRequires: systemd-rpm-macros
+
+%description
+The server part (package knockd) listens to all traffic on an ethernet
+(or PPP) interface, looking for special "knock" sequences of port hits.
+This client makes these port hits by sending a TCP (or UDP) packet to a
+port on the server. This port does not need to be open. Since knockd
+listens at the link-layer level, it sees all traffic even if it is
+destined for a closed port. When the server detects a specific sequence
+of port hits, it runs a command defined in its configuration file. This
+can be used to open up holes in a firewall for quick access.
+
+%package -n knockd
+Summary: A port-knocking server
+Group: Productivity/Networking/Security
+%{?systemd_requires}
+
+%description -n knockd
+It listens to all traffic on an ethernet (or PPP) interface, looking
+for special "knock" sequences of port-hits. A client (package knock)
+makes these port-hits by sending a TCP (or UDP) packet to a port on the
+server. This port need not be open -- since knockd listens at the
+link-layer level, it sees all traffic even if it's destined for a
+closed port. When the server detects a specific sequence of port-hits,
+it runs a command defined in its configuration file. This can be used
+to open up holes in a firewall for quick access.
+
+%prep
+%setup -q
+
+%build
+%configure
+make %{?_smp_mflags}
+
+%install
+make DESTDIR=%{buildroot} install %{?_smp_mflags}
+sed -i -e "s:iptables:%{_sbindir}/iptables:" %{SOURCE3}
+install -m 600 -D %{SOURCE3} %{buildroot}%{_sysconfdir}/%{name}d.conf
+install -D -m 644 %{SOURCE4} %{buildroot}/%{_unitdir}/%{name}d.service
+ln -s /usr/sbin/service %{buildroot}%{_sbindir}/rc%{name}d
+rm -rf %{buildroot}%{_datadir}/doc
+
+%pre -n knockd
+%service_add_pre %{name}d.service
+
+%post -n knockd
+%service_add_post %{name}d.service
+
+%preun -n knockd
+%service_del_preun %{name}d.service
+
+%postun -n knockd
+%service_del_postun %{name}d.service
+
+%files
+%defattr(-,root,root)
+%attr(0755,root,root) %{_bindir}/%{name}
+%{_mandir}/man?/%{name}.*
+%{_sbindir}/knock_helper_ipt.sh
+
+%files -n knockd
+%defattr(-,root,root)
+%doc README.md ChangeLog TODO
+%license COPYING
+%{_sbindir}/%{name}d
+%{_unitdir}/%{name}d.service
+%{_sbindir}/rc%{name}d
+%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/%{name}d.conf
+%{_mandir}/man?/%{name}d.*
+
+%changelog
diff --git a/knockd.conf b/knockd.conf
new file mode 100644
index 0000000..19f00ce
--- /dev/null
+++ b/knockd.conf
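Review bot: The knockd subpackage declares no `Requires: iptables`, yet the `%install` step rewrites the shipped config to call `%{_sbindir}/iptables`; on a host where that binary is absent a correct knock sequence makes knockd run a start_command that fails at run time, so the daemon looks healthy while never opening the port — add `Requires: iptables` under `%package -n knockd` (or document the alternative firewall tooling admins must provide). With the systemd conditionals gone, `Source1:` (knockd.sysconfig) and `Source2:` (knockd.init) are listed but never installed, and the `%_fillupdir` compat block at the top no longer has a user; either drop all three or install the sysconfig file with `%fillup_only` and reference it from the unit. `sed -i ... %{SOURCE3}` edits the file in the SOURCES directory in place; generating a copy in the build dir (`sed ... %{SOURCE3} > %{name}d.conf` and installing that) keeps the source pristine and the build reproducible. The header's `Copyright (c) 1980 SUSE LLC` is an obvious placeholder year and should be corrected.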
@@ -0,0 +1,11 @@
+[options]
+ UseSyslog
+
+[opencloseSSH]
+ sequence = 2222:udp,3333:tcp,4444:udp
+ seq_timeout = 15
+ tcpflags = syn,ack
+ start_command = iptables -I INPUT 1 -s %IP% -p tcp --dport ssh -j ACCEPT
+ cmd_timeout = 10
+ stop_command = iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
+
diff --git a/knockd.init b/knockd.init
new file mode 100644
index 0000000..813dfa4
--- /dev/null
+++ b/knockd.init
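Review bot: The sequence `2222:udp,3333:tcp,4444:udp` is the upstream example and therefore public knowledge, so the installed `/etc/knockd.conf` provides no secrecy until the admin changes it, and nothing in the file says so; add a leading comment such as `# EXAMPLE ONLY: pick your own sequence (and consider one_time_sequences) before enabling knockd`. If I read knockd's tcpflags handling correctly, `tcpflags = syn,ack` requires both flags to be set on the 3333:tcp hit, which a plain SYN from the stock `knock` client does not carry; upstream's example uses `tcpflags = syn`, so please confirm the intended client before keeping `syn,ack`. It is also worth a comment that `%IP%` is taken from the packet's source address, which for the UDP hits is trivially spoofable — inherent to port knocking, but an admin should know the rule can be opened for an address the knocker does not control.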
@@ -0,0 +1,103 @@
+#! /bin/sh
+# Copyright (c) 1997-2006 SUSE Linux AG, Nuernberg, Germany.
+# All rights reserved.
+#
+# Author: Henne Vogelsang
+# Please send feedback to http://www.suse.de/feedback/
+#
+# /etc/init.d/knockd
+# and its symbolic link
+# /usr/sbin/rcknockd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+### BEGIN INIT INFO
+# Provides: knockd
+# Required-Start: $syslog $remote_fs $network
+# Required-Stop: $syslog $remote_fs
+# Default-Start: 3 5
+# Default-Stop: 0 1 2 6
+# Short-Description: knock daemon providing port-knocking
+# Description: Start knockd to allow port-knocking
+### END INIT INFO
+
+# Check for missing binaries (stale symlinks should not happen)
+# Note: Special treatment of stop for LSB conformance
+KNOCKD_BIN=/usr/sbin/knockd
+test -x $KNOCKD_BIN || { echo "$KNOCKD_BIN not installed";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 5; fi; }
+
+# Check for existence of needed config file and read it
+KNOCKD_CONFIG=/etc/sysconfig/knockd
+test -r $KNOCKD_CONFIG || { echo "$KNOCKD_CONFIG not existing";
+ if [ "$1" = "stop" ]; then exit 0;
+ else exit 6; fi; }
+
+# Read config
+. $KNOCKD_CONFIG
+
+# Shell functions sourced from /etc/rc.status:
+. 
/etc/rc.status
+
+# Reset status of this service
+rc_reset
+
+case "$1" in
+ start)
+ echo -n "Starting knockd "
+ startproc $KNOCKD_BIN $KNOCKD_OPTIONS
+ rc_status -v
+ ;;
+ stop)
+ echo -n "Shutting down knockd "
+ killproc -TERM $KNOCKD_BIN
+ rc_status -v
+ ;;
+ try-restart)
+ $0 status
+ if test $? = 0; then
+ $0 restart
+ else
+ rc_reset
+ fi
+ rc_status
+ ;;
+ restart)
+ $0 stop
+ $0 start
+ rc_status
+ ;;
+ force-reload)
+ echo -n "Reload service KNOCKD "
+ killproc -HUP $KNOCKD_BIN
+ rc_status -v
+ ;;
+ reload)
+ echo -n "Reload service KNOCKD "
+ killproc -HUP $KNOCKD_BIN
+ rc_status -v
+ ;;
+ status)
+ echo -n "Checking for service KNOCKD "
+ checkproc $KNOCKD_BIN
+ rc_status -v
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}"
+ exit 1
+ ;;
+esac
+rc_exit
diff --git a/knockd.service b/knockd.service
new file mode 100644
index 0000000..6ee1183
--- /dev/null
+++ b/knockd.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=Port-Knocking Daemon
+After=network.target
+
+[Service]
+# added automatically, for details please see
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# end of automatic additions
+ExecStart=/usr/sbin/knockd
+
+[Install]
+WantedBy=multi-user.target
diff --git a/knockd.sysconfig b/knockd.sysconfig
new file mode 100644
index 0000000..04cbe0f
--- /dev/null
+++ b/knockd.sysconfig
@@ -0,0 +1,5 @@
+## Path: Network/Security/Knockd
+## Description: Basic configuration of knockd
+## Type: string
+## Default: ""
+KNOCKD_OPTIONS="-d"
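Review bot: `ExecStart=/usr/sbin/knockd` passes no `-i`, and the shipped knockd.conf sets no `interface`, so the daemon falls back to knockd's built-in default interface (eth0, if I recall its man page correctly), which does not exist on hosts using predictable interface names; the unit then fails on start and an admin who relies on knocking is locked out of SSH. Consider documenting the interface requirement next to `ExecStart` and adding `Restart=on-failure` with `RestartSec=5s` so a transient startup failure recovers instead of staying dead. `After=network.target` does not guarantee the interface is up when pcap opens it; `After=network-online.target` plus `Wants=network-online.target` is the usual fix. Since the daemon itself should need only CAP_NET_RAW for pcap and CAP_NET_ADMIN for the iptables commands it spawns, a `CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN` would complete the hardening block — but verify it against the commands admins actually configure before adding it.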
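Review bot: `KNOCKD_OPTIONS="-d"` is never consumed: the spec in this patch does not install this file and the unit has no `EnvironmentFile=-/etc/sysconfig/knockd`, so the variable is dead after the systemd-only cleanup. If it is wired into the unit later, `-d` (knockd's daemonize flag, as far as I recall) would make the process fork under a `Type=simple` unit and systemd would treat the service as exited; the default should then become `KNOCKD_OPTIONS=""` with a comment `# Do not add -d: the systemd unit expects knockd to stay in the foreground`. Otherwise drop the file together with its `Source1:` line in the spec.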