What I made is to translate the concept behind port knocking to web, instead of knocking a sequence of pre-shared port number, I send an HTTP POST with a MD5 hash of a pre-shared password plus a timestamp. A flow diagram can make my idea more clearly.
#!/bin/sh
KEY=`echo SharedKey$(date +%Y%m%d%H%M) | md5sum | awk '{print $1}'`
wget --post-data="key=$KEY" http://SERVER/webknocking.php --delete-after
This file contains the per-shared password (MyKey in this case) and a wget to system.
On server side, I have a file named webknocking.php that catch the key and request's source IP and pass them to a script for verify and open firewall:
<?php
$key = $_POST['key'];
$ip = $_SERVER['REMOTE_ADDR'];
$cmd = 'sudo /var/dev.zonablog.net/openfirewall-300min.sh '.$key.' '.$ip.' >> /var/log/knock.log &';
shell_exec($cmd);
?>
Request forwarded.
Notice that I call the bash script with sudo because the user that run the PHP is apache, that doesn't have rigth to change firewall configuration (iptables).
Insert into sudoers the row:
apache ALL= NOPASSWD: /var/dev.zonablog.net/openfirewall-300min.sh
to give the rigth to apache to run the script below as root. The content of openfirewall-300min.sh is:
#!/bin/bash
echo " "
echo $(date) "Verifico Ip "$2", Key "$1
KEY=`echo SharedKey$(date +%Y%m%d%H%M) | md5sum | awk '{print $1}'`
KEY_1m=`echo SharedKey$(date --date='1 minute ago' +%Y%m%d%H%M) | md5sum | awk '{print $1}'`
if [ $1 != $KEY -a $1 != $KEY_1m ]
then
echo $(date) "Respingo Ip "$2", Key "$1
exit 1
fi
# open firewall
echo $(date) "Ok, apro per 5 ore"
/sbin/iptables -I INPUT -j ACCEPT -i eth0 -p tcp -s $2
sleep 180000
# deny incoming packets
echo $(date) "Chiudo a Ip "$2", Key "$1
/sbin/iptables -D INPUT -j ACCEPT -i eth0 -p tcp -s $2
This file check the key of request and if it is valid, open firewall to that ip for 5 hours. The log of this operation are put in /var/log/knock.log, create this file and change the owner to apache:
# touch /var/log/knock.log
# chown apache.apache /var/log/knock.log
This is it, folks!