How to Knock Into Your Network (DD-WRT)

Have you ever wanted a special "dorm knock" for your router, so that it only "opens the door" once the secret knock has been recognized? How-To Geek explains how to install the Knock daemon on DD-WRT.

Image by Bfick and Aviad Raviv

If you haven't already, be sure to check out the previous articles in the series.

Assuming you are familiar with those topics, keep reading. Keep in mind that this guide is a little more technical than the earlier ones, and beginners should be careful when modifying their router.

Overview

Traditionally, in order to communicate with a device or service one has to initiate a full network connection to it. Doing so, however, exposes what is called in security parlance an attack surface. The Knock daemon is a kind of network sniffer that reacts when a pre-configured sequence of packets is observed. Because no connection has to be established for the daemon to recognize a configured sequence, the attack surface is reduced while the desired functionality is retained. In a sense, we will precondition the router with a desired "two bits" response (unlike poor Roger…).

In this article we will install the daemon on the router, configure a knock sequence that triggers a command, and knock from Android, Windows and Linux.

Note: While the installation instructions are no longer relevant, you can watch the video series I created "way back when" to see the entire rundown, from configuration to knocking. (Just excuse the crude presentation.)

Security implications

The discussion about "how secure is Knockd?" is a long one and dates back many millennia (in internet years), but the bottom line is this:

Knock is a layer of security by obscurity. It should only be used to augment other means, such as encryption and proper authentication, and should never be relied on by itself as the end-all security measure. The knock sequence travels in clear text, so anyone positioned to observe your traffic can record it and replay it; whatever sits behind the knock (SSH keys, the VPN's own authentication) is what actually keeps intruders out.

Prerequisites, Assumptions & Recommendations

  • It is assumed that you have an Opkg enabled DD-WRT router.
  • Some patience, as this may take "a while" to set up.
  • It is highly recommended that you obtain a DDNS account for your external (usually dynamic) IP.

Let's get cracking

Installation & Basic configuration

Install the Knock daemon by opening a terminal to the router and issuing:

opkg update ; opkg install knockd

Now that Knockd is installed we need to configure the triggering sequences and the commands that will be executed once they are triggered. To do this, open the "knockd.conf" file in a text editor. On the router this is:

vi /opt/etc/knockd.conf

Make its content look like:

[options]
logfile = /var/log/knockd.log
UseSyslog

[wakelaptop]
sequence = 56,56,56,43,43,43,1443,1443,1443
seq_timeout = 30
command = /usr/sbin/wol aa:bb:cc:dd:ee:22 -i $( nvram get lan_ipaddr | cut -d . -f 1,2,3 ).255
tcpflags = syn

Lets explain the above:

  • The "options" segment configures global parameters for the daemon. In this example we've instructed the daemon to keep a log both in syslog and in a file. While it does no harm to use both options together, you should consider keeping just one of them.

  • The "wakelaptop" segment is an example of a sequence that triggers a WOL command on your LAN for the computer with the MAC address aa:bb:cc:dd:ee:22. The sequence is nine TCP knocks (56 three times, then 43 three times, then 1443 three times) that must all arrive within seq_timeout seconds, and "tcpflags = syn" tells knockd to consider only packets with the SYN flag set, i.e. the first packet of a connection attempt, which is exactly what telnet and the Knocker app send.

    Note: The command above assumes the default /24 (class C) LAN subnet: it builds the broadcast address by taking the first three octets of the router's LAN address (nvram get lan_ipaddr) and appending .255. If your LAN uses a different mask, substitute the correct broadcast address.

To add more sequences, simply copy & paste the "wakelaptop" segment under a new name and adjust it with the new parameters and/or the commands the router should execute.
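The WOL door fires a command and forgets about it. The more common use of knockd, opening a service port on demand, needs the port closed again afterwards and opened only for the host that knocked. The script below, added here as an example and not taken from the original article, shows one way to do that as a knockd "command" target on DD-WRT. The door name [openssh], the path /opt/bin/knock-open.sh, the 7000,8000,9000 sequence, port 22 and the 30 second hold time are all assumptions; the script expects iptables on the router and uses only POSIX sh features so it runs under BusyBox ash. knockd replaces %IP% in the command with the source address of the knock, so the rule admits that one address rather than the whole internet. (knockd also offers start_command, stop_command and cmd_timeout for this job without a helper script; the script additionally validates its arguments before they reach iptables and can be dry-run with IPTABLES=echo.)

```shell
#!/bin/sh
# knock-open.sh ADDR PORT [SECONDS]
# Added example (not from the original article): admit ADDR to TCP PORT on
# the router, then remove the rule again after SECONDS (default 30).
#
# Assumed knockd.conf door that calls it; knockd replaces %IP% with the
# address the knock came from:
#
#   [openssh]
#   sequence    = 7000,8000,9000
#   seq_timeout = 10
#   tcpflags    = syn
#   command     = /opt/bin/knock-open.sh %IP% 22 30
#
# Set IPTABLES=echo to print the rules instead of applying them.
IPTABLES="${IPTABLES:-iptables}"

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255, so a
# malformed address can never be spliced into an iptables command line.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# open_rule / close_rule ADDR PORT: the iptables arguments for one host.
# The rule is inserted at the top of INPUT so it wins over the WAN drop rules.
open_rule()  { printf '%s' "-I INPUT -s $1 -p tcp --dport $2 -j ACCEPT"; }
close_rule() { printf '%s' "-D INPUT -s $1 -p tcp --dport $2 -j ACCEPT"; }

# knock_open ADDR PORT SECONDS: insert the rule now, delete it later.
# Returns 2 on bad input, 1 if iptables failed, 0 otherwise.
knock_open() {
    addr=$1
    port=$2
    hold=${3:-30}
    valid_ipv4 "$addr" || { echo "knock-open: bad address '$addr'" >&2; return 2; }
    case $port in
        ''|*[!0-9]*) echo "knock-open: bad port '$port'" >&2; return 2 ;;
    esac
    # The rule strings are split into words on purpose.
    $IPTABLES $(open_rule "$addr" "$port") || return 1
    # Close in the background so knockd's system() call returns at once
    # and the daemon keeps watching for knocks while the port is open.
    ( sleep "$hold"; $IPTABLES $(close_rule "$addr" "$port") ) &
    return 0
}

# Only act when called with arguments; sourcing the file just defines
# the functions.
[ $# -eq 0 ] || knock_open "$@"
```

Because the ACCEPT rule is keyed to the knocking address and removed after the hold time, a replayed sequence from elsewhere opens the port for the replaying host only briefly, and the service behind it still has to authenticate that host. Test it first with IPTABLES=echo /opt/bin/knock-open.sh 203.0.113.5 22 5 from the router's shell and watch the two rules print, then drop the IPTABLES override.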

Startup

To have the router invoke the daemon on startup, append the line below to the "geek-init" script from the OPKG guide:

knockd -d -c /opt/etc/knockd.conf -i "$( nvram get wan_ifname )"

This starts the Knock daemon bound to the router's "WAN" interface, so that it listens to packets arriving from the internet.

Knock from Android

In the age of portability it's almost imperative to "have an app for that"… so StavFX created one for the task :) The app performs the knocking sequences right from your Android device and supports creating widgets on your home screens.

  • Install the Knocker application from the Android market (and please be kind and give it a good rating).
  • Once installed on your device, launch it. You should be greeted by the app's main screen, which contains an example Knock.
  • You may long press the example icon to edit it, or tap "menu" to add a new entry.
  • Add lines and fill in the information required for your Knock. For the example WOL configuration above this is the host geek.dyndns-at-home.com and the TCP ports 56, 43 and 1443, each entered three times to match the sequence in knockd.conf.
  • Optionally change the icon by long pressing the icon next to the Knock name.
  • Save the Knock.
  • Single tap the new Knock in the main screen to activate it.
  • Optionally create a widget for it on a home screen.

Keep in mind that while the example configuration file uses groups of 3 for each port (because of the Telnet section below), with this application there is no restriction on the number of repeats (if any) for a port. Have fun using the app that StavFX has donated :-)

Knock from Windows/Linux

While it is possible to perform the knocking with the simplest of network utilities, a.k.a. "Telnet", Microsoft has decided that Telnet is a "security risk" and consequently no longer installs it by default on modern Windows. If you ask me, "They that can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." ~Benjamin Franklin. But I digress.

The reason the example sequence uses groups of 3 for each port is that when telnet cannot connect to the desired port, the TCP stack retransmits the unanswered SYN two more times (the Windows default) before telnet gives up. This means telnet actually knocks 3 times before failing, so all we have to do is execute the telnet command once for each port in the port group. It is also the reason a 30 second timeout was selected: we have to wait for telnet to time out on each port before we can move on to the next port group. Check the knockd log to confirm that exactly three knocks per port arrive; a client whose TCP stack retransmits a different number of times will produce a different number of knocks, and the log will show it. Once you've finished the testing phase, it is recommended that you automate this procedure with a simple Batch/Bash script.

Using our example sequence this would look like:

  • If you're on Windows, follow the MS instructions to install Telnet.

  • Drop to a command line and issue the following, waiting for each command to time out before issuing the next:

    telnet geek.dyndns-at-home.com 56
    telnet geek.dyndns-at-home.com 43
    telnet geek.dyndns-at-home.com 1443

If all went well, that should be it.
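The telnet method above leans on the client's SYN retransmissions and on waiting out a timeout per port, and the text recommends scripting it once testing is done. The script below is an added example for a Linux client, not part of the original article: it sends exactly one SYN per port by abandoning each connection attempt before the kernel's first retransmit, so the knock is deterministic and takes well under a second. The hostname geek.dyndns-at-home.com and the ports 56, 43 and 1443 come from the article's configuration; bash (for /dev/tcp) and GNU coreutils "timeout" are assumed to be present on the client.

```shell
#!/bin/sh
# knock.sh HOST [SEQUENCE]
# Added example (not from the original article): send a knockd sequence
# with exactly one SYN per port instead of relying on telnet's retries.
# Assumes bash (for /dev/tcp) and GNU coreutils "timeout" on the client.
#
# Because each port is hit once, the matching knockd door would be
#   sequence = 56,43,1443
# rather than the triplicated sequence the telnet method needs.

# expand_sequence "56, 56,1443": one port per line, non-numeric tokens
# dropped, so a knockd.conf "sequence =" value can be pasted in as-is.
expand_sequence() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/[[:space:]]//g' | grep -E '^[0-9]+$' || true
}

# knock_once HOST PORT: start one TCP connect and abandon it after 0.5 s,
# before the kernel's first SYN retransmit (1 s on Linux). Whether the
# port answers, refuses or stays silent does not matter: knockd only
# needs to see the SYN. Always succeeds so a dropped port cannot abort
# the rest of the sequence.
knock_once() {
    timeout 0.5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null || true
}

# knock_sequence HOST SEQUENCE: send every port in order and print how
# many knocks were sent.
knock_sequence() {
    host=$1
    count=0
    for port in $(expand_sequence "$2"); do
        knock_once "$host" "$port"
        count=$((count + 1))
    done
    echo "$count"
}

# Usage: ./knock.sh geek.dyndns-at-home.com 56,43,1443
if [ $# -ge 1 ]; then
    sent=$(knock_sequence "$1" "${2:-56,43,1443}")
    echo "sent $sent knocks to $1"
fi
```

Run it with the hostname and the sequence as arguments while watching tail -f /var/log/knockd.log on the router; every port should appear exactly once, in order. If the log shows a port twice, the client's stack got a retransmit out before the 0.5 s cap, and the cap can be lowered.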

Troubleshooting

If your router doesn't react to sequences, here are a few troubleshooting steps you can take:

  • View the log – Knockd keeps a log you can watch in real time to see whether the knocking sequences reached the daemon and whether the command was executed correctly.

    Assuming you are at least using the log file as in the example above, to watch it in real time issue this in a terminal:

    tail -f /var/log/knockd.log

  • Be mindful of firewalls – Sometimes your ISP, workplace or internet cafe takes the liberty of blocking communication for you. In such a case, while your router may be listening, knocks on ports that are blocked anywhere along the chain will never reach the router, and it will have a hard time reacting to them. That is why it is recommended to try combinations that use well known ports such as 80, 443, 3389 and so on before trying more random ones. Again, you can view the log to see which ports actually reach the router's WAN interface.
  • Try the sequences internally – Before involving the complexity that other parts of the chain may introduce, it is recommended that you execute the sequences internally to check that they A. hit the router the way you think they should and B. execute the command(s) as expected. To do this, start Knockd bound to your LAN interface with:

    knockd -d -i "$( nvram get lan_ifname )" -c /opt/etc/knockd.conf

    Once the above is running, point the knocking client at the router's internal IP instead of its external one. Tip: Because knockd listens at the "interface" level rather than the IP level, you may wish to keep an instance of knockd running on the LAN interface all the time. Since "Knocker" has been updated to support two hosts per knock, doing so lets you simplify and consolidate your knocking profiles.

  • Remember which side you're on – In the above configuration it is not possible to knock the WAN interface from the LAN side. If you would like to be able to knock no matter "which side you're on", simply run the daemon twice: once bound to the WAN as in the article and once bound to the LAN as in the debugging step above. There is no problem running both together; just append the LAN command to the same geek-init script.

Remarks

While the above example could be accomplished by various other methods, we hope you can use it to learn how to accomplish more advanced things.

A part two to this article, which hides the VPN service behind a knock, is coming, so stay tuned.


Through knocking you will be able to dynamically open ports, disable/enable services, remotely WOL computers and more…

Translated from: https://www.howtogeek.com/104548/how-to-knock-into-your-network-dd-wrt/
