diff --git a/knockr.go b/knockr.go
index 496299b..7780f29 100644
--- a/knockr.go
+++ b/knockr.go
@@ -12,12 +12,16 @@ type knockArguments struct {
 cli.Helper
 WhitelistPort int `cli:'wp' usage:'The port to launch the whitelist server on'`
 GatewayPort int `cli:'gp' usage:'The port to protect'`
+ BlacklistPort int `cli:'wp' usage:'If set: The port to blacklist the connected host'`
 Destination string `cli:'d' usage:'The destination to relay traffic to'`
 Timeout int64 `cli:'t' usage:'Time in seconds after which a whitelist entry will be removed'`
 }
 
-var whitelist = make(map[string]int64)
-var arguments *knockArguments
+var (
+ whitelist = make(map[string]int64)
+ blacklist []string
+ arguments *knockArguments
+)
 
 func main() {
 // Parse command line arguments
@@ -28,6 +32,7 @@ func main() {
 
 // Launch listeners
 go listener(arguments.WhitelistPort, whitelist_handler)
+ go listener(arguments.BlacklistPort, blacklist_handler)
 listener(arguments.GatewayPort, gateway_handler)
 }
 
@@ -55,8 +60,26 @@ func whitelist_handler(c net.Conn) {
 // Handler function for whitelist socket connections, whitelisting the connecting host
 host, _, _ := net.SplitHostPort(c.RemoteAddr().String())
 
- io.WriteString(c, fmt.Sprintf("Knock Knock, %s.", host))
- add_to_whitelist(host)
+ if is_blacklisted(host) {
+ fmt.Println("[BLK] Denying blacklisted host ", host)
+ } else {
+ io.WriteString(c, fmt.Sprintf("Knock Knock, %s.", host))
+ add_to_whitelist(host)
+ }
+ c.Close()
+}
+
+func blacklist_handler(c net.Conn) {
+ // Handler which blocks every host connecting to it.
+ // Useful to place it on port (whitelistPort-1) to crash port scanners.
+ host, _, _ := net.SplitHostPort(c.RemoteAddr().String())
+
+ if ! is_whitelisted(host) {
+ fmt.Println("[BLK] Blacklisting ", host)
+ add_to_blacklist(host)
+ } else {
+ fmt.Println("[ERR] Whitelisted host ", host, " connected to blacklist port. Ignoring.")
+ }
 c.Close()
 }
 
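Review bot: BlacklistPort reuses the `cli:'wp'` tag that WhitelistPort two lines above already carries, so both fields are bound to the same flag name and at most one of them can actually be set from the command line; give the new field its own short name, e.g. `cli:'bp'`. The new `blacklist []string` also differs in shape from `whitelist`, which stores a timestamp per host so entries can be expired after `Timeout`; declaring it as `blacklist = make(map[string]int64)` would allow the same expiry and a constant-time lookup instead of the linear scan added at @@ -111. Both variables are package-level state that the handlers at @@ -55 and @@ -64 read and write with no locking, which is a data race if `listener` (not visible here) serves connections concurrently.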
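Review bot: The blacklist listener is launched unconditionally although the flag's usage text reads "If set", so when BlacklistPort is left at its zero value `listener` is handed port 0; what it does with that is outside the hunk, but a `net.Listen` on port 0 binds an OS-chosen ephemeral port rather than skipping the listener. Guard the launch on the flag being provided: `if arguments.BlacklistPort != 0 { go listener(arguments.BlacklistPort, blacklist_handler) }`. main starts outside the hunk.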
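Review bot: blacklist_handler records a host after a single connection and the entry never expires, so any client that touches the port once, including a legitimate user who mistyped the port, is shut out of both the whitelist and the gateway until the process restarts, and `blacklist` grows by one string per distinct source address with no bound. Mirroring the whitelist (store a timestamp and drop entries older than `Timeout`) would bound both the lockout and the memory. The handler also appends to `blacklist` while whitelist_handler and gateway_handler scan it; if `listener` runs handlers on separate goroutines that is a data race, and the shared lists need a `sync.Mutex` around reads and writes. Minor: gofmt writes the condition as `if !is_whitelisted(host) {`, and "crash port scanners" overstates what the handler does, so a comment such as `// Useful on a port adjacent to the whitelist port: a scan of the range blacklists the scanner.` describes it more accurately.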
@@ -64,7 +87,9 @@ func gateway_handler(c net.Conn) {
 // Filter connections whether or not the connecting host is whitelisted
 host, _, _ := net.SplitHostPort(c.RemoteAddr().String())
 
- if is_whitelisted(host) {
+ if is_blacklisted(host) {
+ fmt.Println("[BLK] Blacklisted host ", host, ", ignoring")
+ } else if is_whitelisted(host) {
 fmt.Println("[OK ] Whitelisted host ", host, " connected")
 update_whitelist_time(host)
 proxy(c)
@@ -111,6 +136,21 @@ func is_whitelisted(addr string) bool {
 return false
 }
 
+func add_to_blacklist(addr string) {
+ // Add specified address to blacklist
+ blacklist = append(blacklist, addr)
+}
+
+func is_blacklisted(addr string) bool {
+ // Check whether or not the specified address is blacklisted
+ for i:=0; i
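Review bot: The new `[BLK]` branch only logs, and whether the rejected connection is closed afterwards depends on what follows `proxy(c)`, which lies outside the hunk (gateway_handler continues past it); confirm the blacklisted path reaches a `c.Close()` rather than holding the socket until the handler returns. Style: `fmt.Println` inserts a space between every operand, so this message prints as `[BLK] Blacklisted host  1.2.3.4 , ignoring`; `fmt.Printf("[BLK] Blacklisted host %s, ignoring\n", host)` reads cleanly and the `[OK ]` line beneath it has the same padding.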