ipset
ipsets are a powerful way of making a dynamic firewall on a normal Linux machine. A feature of the netfilter code, an ipset is an in-memory list of IPs, that can be referenced in any fireawall rules.
Knocknoc can add and remove IPs from an ipset, thereby allowing an arbitrary application of dynamic allow-listing to any linux box.
Sudoers first
To create a custom sudoers file in the /etc/sudoers.d/
directory for the user knocknoc-agent
, allowing them to run the command /usr/sbin/ipset
with any arguments, follow these steps:
-
Create a New File in
/etc/sudoers.d/
:- Choose a meaningful name for the file, such as
knocknoc-agent
. - The command would be
sudo visudo -f /etc/sudoers.d/knocknoc-agent
. - This opens a new file in the
sudoers.d
directory for editing with proper syntax checking.
- Choose a meaningful name for the file, such as
-
Add the Necessary Rule:
- In the editor that opens, add the following line:
knocknoc-agent ALL=(ALL) NOPASSWD: /usr/sbin/ipset *
- This line follows the same syntax and meaning as described previously.
- In the editor that opens, add the following line:
-
Save and Exit:
- Save the file and exit the editor.
visudo
will automatically check the syntax.
- Save the file and exit the editor.
-
Set Correct Permissions:
- Ensure that the file has the correct permissions. It should be readable by root only and should not be writable by any other user.
- You can set the appropriate permissions using:
sudo chmod 0440 /etc/sudoers.d/knocknoc-agent
.
-
Verify the Configuration:
- To check if your configuration works, switch to the
knocknoc-agent
user (if possible) and try executing theipset
command withsudo
without a password.
- To check if your configuration works, switch to the
Important Notes:
- Always use
visudo
to edit sudoers files to prevent syntax errors. - Ensure that the files in
/etc/sudoers.d/
have strict permissions (like 0440) to maintain security. - Be cautious with
NOPASSWD:
as it allows executing the specified command without a password, which can be a security risk if not properly managed.