我們已經向您展示瞭如何透過路由器上的“埠敲門”遠端觸發WOL。在本文中，我們將展示如何使用它來保護VPN服務。

Aviad Raviv&amp；bfick提供的圖片。

前言

如果您使用過DD-WRT的VPN內建功能，或者在您的網路中有另一個VPN伺服器，那麼您可能會欣賞透過將其隱藏在敲打序列後面來保護其免受暴力攻擊的能力。透過這樣做，您將過濾掉試圖訪問您的網路的指令碼小子。如上所述，正如前一篇文章中所述，埠敲門並不能取代良好的密碼和/或安全策略。請記住，只要有足夠的耐心，攻擊者就可以發現序列並執行重播攻擊。還有請記住，實現這一點的缺點是，當任何VPN客戶端想要連線時，它們必須事先觸發敲打序列，如果它們由於任何原因無法完成該序列，他們根本無法使用VPN。

概述

為了保護VPN服務，我們將首先透過阻塞1723的例項化埠來禁用所有可能的通訊。為了實現這個目標，我們將使用iptables。這是因為，在大多數現代Linux/GNU發行版上，尤其是在DD-WRT上，通訊就是這樣被過濾的。如果您想了解iptables的更多資訊，請檢視它的wiki條目，並檢視我們之前關於這個主題的文章。一旦服務受到保護，我們將建立一個敲打序列，該序列將臨時開啟VPN例項化埠，並在配置的時間後自動關閉它，同時保持已建立的VPN會話連線。

注意：在本指南中，我們以pptpvpn服務為例。也就是說，同樣的方法也可以用於其他VPN型別，您只需更改被阻止的埠和/或通訊型別。

前提條件、假設和建議

• 假設/要求您有一個支援Opkg的DD-WRT路由器。
• 假設/要求您已經執行了“如何進入您的網路（DD-WRT）”指南中的步驟。
• 假設有一些網路知識。

我們開始吧。

DD-WRT上的預設“阻止新VPN”規則

雖然下面的“程式碼”片段可能適用於每一個使用Linux/GNU發行版的、自尊的iptables，但因為有太多的變體，我們將只展示如何在DD-WRT上使用它。如果您願意，沒有什麼可以阻止您直接在VPN盒上實現它。然而，如何做到這一點，超出了本指南的範圍。

因為我們想增強路由器的防火牆，所以新增到“防火牆”指令碼是合乎邏輯的。這樣做，將導致每次重新整理防火牆時都執行iptables命令，從而使我們的增強功能保持不變。

從DD-WRT的Web GUI：

• 轉到“管理”->“命令”。
• Enter the below “code” into the text-box:

  inline="$( iptables -L INPUT -n | grep -n "state RELATED,ESTABLISHED"  | awk -F : {'print $1'} )"; inline=$(($inline-2+1)); iptables -I INPUT "$inline" -p tcp --dport 1723 -j DROP

• 單擊“儲存防火牆”。
• 完成。

What is this “Voodoo” command?

The above “voodoo magic” command does the following:

• Finds where is the iptable line that enables already established communication to pass through. We do this, because A. On DD-WRT routers, if the VPN service is enabled, it will be located just below this line and B. It is essential to our goal of continuing to allow already established VPN sessi*** to live on after the knocking event.
• Deducts two (2) from the output of the listing command to account for the offset caused by the informational column headers. Once that’s done, adds one (1) to the above number, so that the rule that we are inserting will come just after the rule that allows already established communication. I’ve left this very simple “math problem” in here, just to make the logic of “why one needs to reduce one from the rule’s place instead of adding one to it” clear.

KnockD configuration

We need to create a new triggering sequence that will enable new VPN connecti*** to be created. To do this, edit the knockd.conf file by issuing in a terminal:

vi /opt/etc/knockd.conf

Append to the existing configuration:

[enable-VPN] sequence = 02,02,02,01,01,01,2010,2010,2010 seq_timeout = 60 start_command = iptables -I INPUT 1 -s %IP% -p tcp --dport 1723 -j ACCEPT cmd_timeout = 20 stop_command = iptables -D INPUT -s %IP% -p tcp --dport 1723 -j ACCEPT

This configuration will:

• Set the window of opportunity to complete the sequence, to 60 seconds. (It’s recommended to keep this as short as possible)
• Listen to a sequence of three knocks on ports 2, 1 and 2010 (this order is deliberate to throw ports scanners off track).
• Once the sequence has been detected, execute the “start_command”. This “iptables” command will place an “accept traffic destined to port 1723 from where the knocks came from” on the top of the firewall rules. (The %IP% directive is treated specially by KnockD and is replaced with the IP of the knocks origin).
• Wait for 20 seconds before issuing the “stop_command”.
• Execute the “stop_command”. Where this “iptables” command does the reverse of the above and deletes the rule that allows communication.

That’s it, your VPN service should now be connectable only after a successful “knock”.

Author‘s tips

While you should be all set, there are a couple of points that i feel need mentioning.

• Troubleshooting. Remember that if you’re having problems, the “troubleshooting” segment at the end of the first article should be your first stop.
• If you want, you can have the “start/stop” directives execute multiple commands by seperating them with a semi-colen (;) or even a script. Doing so will enable you to do some nifty stuff. For example, I have knockd send me an *Email telling me that a sequence has been triggered and from where.
• Don’t forget that “There’s an app for that” and  even though its not mentioned in this article, you are encouraged to grab StavFX‘s Android knocker program.
• While on the subject of Android, don’t forget that there is a PPTP VPN client usually built into the OS from the manufacturer.
• The method of, blocking something initially and then continuing to allow already established communication, can be used on practically any TCP based communication. In fact in the Knockd on DD-WRT 1 ~ 6 movies, I’ve done way back when, I’ve used the remote desktop protocol (RDP) which uses port 3389 as an example.

Note: In order to do this, you will need to get Email functionality on your router, which currently there really isn’t one that works because the SVN snapshot of OpenWRT’s opkg packages is in disarray. That is why I suggest using knockd directly on the VPN box which enables you to use all the opti*** of sending email that are available in Linux/GNU, like SSMTP and sendEmail to mention a few.

誰擾亂了我的睡眠？