Howto Install Tariq?

Requirements

  • Python >= 2.6
  • python-imaging - Python Imaging Library (PIL)
  • GnuPG
  • Scapy
  • Linux kernel with iptables (e.g. 2.6)

Installation and Configuration

Configuring the Client

First, prepare GnuPG: create a directory for it and generate a key pair using the following commands:

mkdir -p /etc/tariq/.client-gpg
chmod 700 /etc/tariq/.client-gpg
gpg --homedir /etc/tariq/.client-gpg --gen-key

Export the client's public key:

gpg --homedir /etc/tariq/.client-gpg -a --export [email protected] > key.pub.txt

Edit the 'client.conf' file to specify the client gpg directory and the default gpg user:

client_gpg_dir=/etc/tariq/.client-gpg [email protected]

Specify the image directory used for steganography. It must contain at least one reasonable PNG image file, like the included sample 'sample.png':

img_dir=/usr/share/TariqClient/img

Now specify the default secret knock sequence to match the sequence configured on the tariq server:

secret_ports=10000,7456,22022,12121,10001

Note: you may pass the gpg user and knock sequence as arguments to TariqClient (see the howto use section).

Configuring the Server

After installing the requirements, download, unpack, and install Tariq, which is available from http://code.google.com/p/tariq/. Then configure the server. GnuPG needs to be prepared here as well, so create a directory for it using the following commands:

mkdir -p /etc/tariq/.server-gpg
chmod 700 /etc/tariq/.server-gpg

Import and trust each client's public key:

gpg --homedir /etc/tariq/.server-gpg --import < client.pub.txt
gpg --homedir /etc/tariq/.server-gpg --edit-key [email protected]

Then, at the gpg prompt, enter the trust command and select 5.

Preparing iptables: Create an iptables chain to be used by tariq server:

iptables -P INPUT DROP
iptables -N tariq
iptables -A INPUT -j tariq
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Optional: you may specify a range of ports to be filtered (dropped) in case you are running normal services on the same box:

iptables -A INPUT -p tcp -m tcp --dport 1000:65535 -j DROP
iptables -A INPUT -p udp -m udp --dport 1000:65535 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT

IMPORTANT NOTE: Do not use the REJECT target with tariq.

Now edit 'server.conf' and specify the correct sequence of ports, by using the secret_ports variable. Example:

secret_ports=10000,7456,22022,12121,10001

Now specify the server's gpg path:

server_gpg_dir=/etc/tariq/.server-gpg

Specify the iptables chain name you have created for tariq:

iptables_chain=tariq

Now adjust the iptables chain name in the rules used to open ports after a successful knock:

open_tcp_port=-A tariq -s {ip} -p tcp -m state --state NEW -m tcp --dport {dport} -j ACCEPT
open_udp_port=-A tariq -s {ip} -p udp -m state --state NEW -m udp --dport {dport} -j ACCEPT
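
A consistency check for the server setup above, as an added example that is not part of the Tariq project: it compares the server.conf settings with the firewall rules in iptables-save format. The sample ruleset, the function names and the key=value parsing are assumptions made for illustration.

```python
import shlex

# Constructed samples: settings from this page and the rules its commands create.
SERVER_CONF = """\
secret_ports=10000,7456,22022,12121,10001
iptables_chain=tariq
open_tcp_port=-A tariq -s {ip} -p tcp -m state --state NEW -m tcp --dport {dport} -j ACCEPT
open_udp_port=-A tariq -s {ip} -p udp -m state --state NEW -m udp --dport {dport} -j ACCEPT
"""
RULESET = """\
*filter
:INPUT DROP [0:0]
:tariq - [0:0]
-A INPUT -j tariq
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_conf(text):
    """Parse key=value lines, splitting on the first '=' only."""
    conf = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            conf[key.strip()] = value.strip()
    return conf

def lint(conf_text, ruleset_text):
    """Return a list of problems; an empty list means config and rules agree."""
    conf = parse_conf(conf_text)
    chain = conf["iptables_chain"]
    lines = [l.strip() for l in ruleset_text.splitlines()]
    rules = [shlex.split(l) for l in lines if l.startswith("-A ")]
    problems = []
    if not any(l.startswith(":INPUT DROP") for l in lines):
        problems.append("INPUT policy is not DROP")
    if not any(l.startswith(":%s " % chain) for l in lines):
        problems.append("chain %s does not exist" % chain)
    if ["-A", "INPUT", "-j", chain] not in rules:
        problems.append("INPUT does not jump to chain %s" % chain)
    if any("REJECT" in rule for rule in rules):
        problems.append("a rule uses the REJECT target")
    for key in ("open_tcp_port", "open_udp_port"):
        args = shlex.split(conf[key])
        if args[:2] != ["-A", chain] or args[-2:] != ["-j", "ACCEPT"]:
            problems.append("%s does not ACCEPT in chain %s" % (key, chain))
        if "{ip}" not in args or "{dport}" not in args:
            problems.append("%s lacks {ip} or {dport}" % key)
    return problems
```

On a live server, pass the contents of server.conf and the output of iptables-save to lint() in place of the constructed samples.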

Howto use Tariq?

To start the tariq server, run the following command as root:

./TariqServer

Now that you have the tariq server running, the firewall rules configured on the server, and your profile installed on the client, you're ready to run commands remotely or open ports. For instance, to open ssh (22) on the remote server (example.com), run the following on the client as root:

./TariqClient -u [email protected] example.com O 22

If you want to run a remote command rather than open a port, for instance restarting the httpd service on the box, you don't need to log in remotely and do it yourself, and the default drop firewall stays in place. On the client, run the following command:

./TariqClient -u [email protected] example.com E service httpd restart

Another example, sending an echo message to the box:

./TariqClient -u [email protected] example.com E echo "Hello, It's me tariq"

Finally, to close the port you requested to open, run:

./TariqClient -u [email protected] example.com C 22

Future Work (aka TODO):

  • Make installer (rpm/deb based package)
  • Check if client uses a passphrase gpg key
  • Make system work as a daemon (write init scripts)