server

package v0.0.0-...-b318bcb

Published: May 10, 2024 License: BSD-3-Clause Imports: 16 Imported by: 0

README

hypd server

hypd is the port knocking daemon which runs on an edge device connected to an untrusted network. Leveraging eBPF's XDP hook point, it extracts header information directly at the driver level and sends only the specific fields required to userspace. This is faster than alternatives such as capturing with libpcap.

eBPF

The hyp_bpf.c program can be recompiled using go generate.

# Debian: sudo apt install git clang linux-headers-amd64 libbpf-dev
go generate .

Generating vmlinux.h

vmlinux.h is included in hyp_bpf.c and can be regenerated with bpftool.

# Debian: sudo apt install bpftool
sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > ../headers/vmlinux.h

Building hypd

hypd has no CGO dependencies and so can run on musl systems as well.

# To ensure it can run on musl systems, don't use CGO
CGO_ENABLED=0 go build .

Documentation

Index

Constants

const (
	KnockSequenceTimeout = 3 // TBD: Make this a configurable value
)

Variables

This section is empty.

Functions

func PacketServer

func PacketServer(config *configuration.HypdConfiguration, secrets [][]byte) error

PacketServer is the main function when operating in server mode. It sets up the pcap on the capture device and starts a goroutine to rotate the knock sequence.

Types

type Client

type Client struct {
	Progress    int       // index of current progress in sequence.   Value of 1 means first port has been matched
	Sequence    [4]uint16 // stores the knock sequence the current client is attempting.  It's set and tracked here to prevent race conditions during a knock sequence being received and key rotations
	LastSuccess time.Time
}

Client is used to keep track of a client attempting to perform an authentic knock sequence

type KnockSequence

type KnockSequence struct {
	Used         bool      // If true, that means this knock sequence has already been used once.  It may still be within the valid time window, but it can't be used again
	PortSequence [4]uint16 // Each knock sequence is four ports long
}

KnockSequence is used to keep track of an ordered knock sequence and whether it has been marked as used (to prevent replay attacks).
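The Client and KnockSequence types above carry the state needed for three rules: per-client progress through a four-port sequence, a KnockSequenceTimeout for finishing it, and a single-use flag that blocks replays across key rotations. The following is an added example, not hypd's own code, of a tracker that applies those rules to a stream of (source, destination port) observations. The Knocker type, its methods, the injectable clock, and the decision to start the timeout from the first matched port are all assumptions made here for illustration; the page does not describe how hypd itself consumes the packets delivered by the XDP program.

```go
package main

import (
	"fmt"
	"time"
)

// KnockSequenceTimeout is the page's constant: seconds allowed to finish a sequence.
const KnockSequenceTimeout = 3

// Client and KnockSequence are the types shown on the page.
type Client struct {
	Progress    int       // index of the next expected port; 1 means the first port matched
	Sequence    [4]uint16 // snapshot of the sequence this client is attempting
	LastSuccess time.Time
}

type KnockSequence struct {
	Used         bool      // set once a sequence has been consumed, blocking replays
	PortSequence [4]uint16 // each knock sequence is four ports long
}

// Knocker is a hypothetical in-memory tracker (not hypd's own code) that applies
// the per-client progress, timeout, and single-use rules described on the page.
type Knocker struct {
	Active   *KnockSequence
	clients  map[string]*Client
	firstHit map[string]time.Time // when each client matched the first port (assumed basis for the timeout)
	now      func() time.Time     // injectable clock so the timeout is testable
}

func NewKnocker(seq [4]uint16, now func() time.Time) *Knocker {
	return &Knocker{
		Active:   &KnockSequence{PortSequence: seq},
		clients:  map[string]*Client{},
		firstHit: map[string]time.Time{},
		now:      now,
	}
}

// Rotate installs a fresh, unused sequence. Clients mid-sequence keep their
// snapshot, but a completion against a rotated-out sequence is rejected.
func (k *Knocker) Rotate(seq [4]uint16) {
	k.Active = &KnockSequence{PortSequence: seq}
}

// Knock feeds one observed (source, destination port) pair into the tracker and
// reports whether the source has just completed a valid, unused sequence.
func (k *Knocker) Knock(src string, dstPort uint16) bool {
	now := k.now()
	c, ok := k.clients[src]
	if !ok {
		c = &Client{}
		k.clients[src] = c
	}
	// Expire partial progress older than KnockSequenceTimeout seconds.
	if c.Progress > 0 && now.Sub(k.firstHit[src]) > KnockSequenceTimeout*time.Second {
		c.Progress = 0
	}
	if c.Progress == 0 {
		// First knock: snapshot the active sequence so a rotation mid-sequence
		// cannot let a client match half of one sequence and half of another.
		c.Sequence = k.Active.PortSequence
	}
	if dstPort != c.Sequence[c.Progress] {
		// Wrong port: reset. A wrong port that happens to be the first port of
		// the active sequence starts a new attempt instead of being discarded.
		c.Progress = 0
		c.Sequence = k.Active.PortSequence
		if dstPort != c.Sequence[0] {
			return false
		}
	}
	if c.Progress == 0 {
		k.firstHit[src] = now
	}
	c.Progress++
	if c.Progress < len(c.Sequence) {
		return false
	}
	// Full sequence seen: reset progress and apply the single-use rule.
	c.Progress = 0
	if k.Active.Used || k.Active.PortSequence != c.Sequence {
		return false // replay of a consumed sequence, or a sequence already rotated out
	}
	k.Active.Used = true
	c.LastSuccess = now
	return true
}

func main() {
	k := NewKnocker([4]uint16{1111, 2222, 3333, 4444}, time.Now)
	for _, p := range []uint16{1111, 2222, 3333, 4444} {
		fmt.Println(k.Knock("203.0.113.7", p)) // constructed client address; prints false, false, false, true
	}
}
```

The clients map is never pruned here, which a long-running daemon would need to address; the point of the example is the ordering of the checks: timeout first, then sequence snapshot, then port match, and only on the fourth match the single-use test against the currently active sequence.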
