Howto Install Tariq?
Requirements
- Python >= 2.6
- python-imaging - Python Imaging Library (PIL)
- GnuGP
- Scapy
- Linux kernel with iptables (eg. 2.6)
Installation and Configuration
Configuring the Client
First we need to preparing GnuPG to be used, so you need to create a directory for gnupg and generate a pair of keys using the following commands:
mkdir /etc/tariq/.client-gpg
chmod 600 /etc/tariq/.client-gpg
gpg --homedir /etc/tariq/.client-gpg –gen-key
You need to export client’s public key:
gpg --homedir /etc/tariq/.client-gpg -a --export tariq@arabnix.com > key.pub.txt
Edit the ‘client.conf’ file to specify the client gpg directory and the default gpg user:
client_gpg_dir=/etc/tariq/.client-gpg user=tariq@arabnix.com
And specify the image directory used for steganography, containing at least 1 reasonable png image file, just like the one included as a sample ‘sample.png’:
img_dir=/usr/share/TariqClient?/img
Now specify the default secret knock sequence to match the sequence configured on the tariq server:
secret_ports=10000,7456,22022,12121,10001
Note: you may pass the gpg user and knock sequence as arguments to TariqClient? (see howto use section).
Configuring the Server
After installing the requirements, the first step is to download, unpack, and install Tariq. Tariq can be downloaded from: http://code.google.com/p/tariq/. Once this is done, we need to configure the server. We also need to prepare GnuPG. So you need to create a directory for gnupg using the following commands:
mkdir /etc/tariq/.server-gpg
chmod 600 /etc/tariq/.server-gpg
You need to import and trust the client(s) public key(s):
gpg --homedir /etc/tariq/.server-gpg --import < client.pub.txt
gpg --homedir /etc/tariq/.server-gpg --edit-key tariq@arabnix.com
Then select trust (5)
Preparing iptables: Create an iptables chain to be used by tariq server:
iptables -P INPUT DROP iptables -N tariq
iptables -A INPUT -j tariq
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Optional: you may specify a range of ports to be filtered (dropped) in case you are running normal services on the same box:
iptables -A INPUT -p tcp -m tcp --dport 1000,65535 -j DROP
iptables -A INPUT -p udp -m udp --dport 1000,65535 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
IMPORTANT NOTE: Do not use the REJECT target with tariq.
Now edit ‘server.conf’ and specify the correct sequence of ports, by using the secret_ports variable. Example:
secret_ports=10000,7456,22022,12121,10001
Now specify the server’s gpg path:
server_gpg_dir=/etc/tariq/.server-gpg
Specify the iptables chain name you have created for tariq:
iptables_chain=tariq
Now please adjust the iptables chain name used to open ports for a successful knock:
open_tcp_port=-A tariq -s {ip} -p tcp -m state --state NEW -m tcp --dport {dport} -j ACCEPT
open_udp_port=-A tariq -s {ip} -p udp -m state --state NEW -m udp --dport {dport} -j ACCEPT
Howto use Tariq?
To start running tariq server, just run the following command using user root:
./TariqServer
Now that you have tariq server running, the firewall rules configured on the server, and your profile installed on the client, you’re ready to run some commands remotely or open some ports. Using user root, to open, for instance, ssh (22) on the remote server (example.com), all you simply need to do on the client, is run:
./TariqCleint -u tariq@arabnix.com example.com O 22
If you don’t want to open a port but perform a remote command for instance restarting the httpd service on the box, you don’t need to login remotely and do it yourself and still working with the default drop firewall. All you simply need to do on the client is run the following command:
./TariqCleint -u tariq@arabnix.com example.com E service httpd restart
Another example, here I’m sending an echo message to the box:
./TariqCleint -u tariq@arabnix.com example.com E echo “Hello, It's me tariq”
Finally to close the port you requested to open, all you need to do is:
./TariqCleint -u tariq@arabnix.com example.com C 22
Future Work (aka TODO):
- Make installer (rpm/deb based package)
- Check if client uses a passphrase gpg key
- Make system work as a daemon (write init scripts)