-
Notifications
You must be signed in to change notification settings - Fork 1
/
wit.1
118 lines (109 loc) · 2.92 KB
/
wit.1
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
.\" Manpage for wit.
.\" Contact [email protected] to correct errors or typos.
.TH man 8 "30 Jan 2019" "0.2" "wit man page"
.SH NAME
wit -
.B "Who Is There"
or
.B "WIT"
A port knocking server
.SH SYNOPSIS
.SY wit
.OP -a,--auto-cert
.OP -b,--bind-address bind_address
.OP -h,--host-name host_name
.OP -l,--list-name ListName
.OP -P,--policy iptables_policy
.OP -c,--cert-path CertPath
.OP -p,--http-port http_port
.OP -tp,--tls-port https_port
.OP -cp,--covering-ports CoveringPorts
.OP -psk PresharedKey
.OP -h,--help
.OP -version
.SH DESCRIPTION
.B "Who Is There"
or
.B "WIT"
is a linux app using
.B iptables
and
.B ipset
to cover your precious services. In fact it's a
.B "Port knocking"
server. It waits for your knock and if it recognize you, it will let you in! It creates an ipset list (default name :"WhiteList") and adds iptables rules for each given CoveringPort.
So it redirects all traffic to wit! Then you can authenticate by a HTTP_GET request like below and boom! You can reach your service for 6 hours :)
.I https://YOUR_BIND_IP/login/?pks=YOUR_PRESHARED_KEY
If you do not set any psk user will be authenticated by any key.
.SH OPTIONS
.TP
.B -a,--auto-cert
If you pass this option, you will need a valid internet ip(bind address) and a domain name(server domain) and also port 443 covered, then it will automatically get a valid certificate from `Let's Encrypt`.
Default value is
.B false
.TP
.B -b,--bind-address
The ip address you wish to run the service on.
Default value is
.B "127.0.0.1"
.TP
.B -H,--host-name
The domain name of server you are running your service on.
Default is
.B empty
.TP
.B -l,--list-name
The ipset list name.
Default value is
.B "WhiteList"
.TP
.B -P,--policy
This defines the policy to be applied on iptables, DROP or REDIRECT
Default value is
.B "REDIRECT"
.TP
.B -c,--cert-path
Path to certificate and key file to start an https web server. The app will look for "server.key" and "server.crt" in the given path, and if it could not find each it will create one.
Default value is
.B "cert"
.TP
.B -p,--http-port
Http port for web server. In case you used auto cert, web page will be redirected to https port.
Default is
.B 8001
.TP
.B -tp,--tls-port
Https port for web server.
Default is
.B 8002
.TP
.B -cp,--covering-ports
A list of comma separated lists to be covered.
Default is
.B "80,443,1194,8388"
.TP
.B -psk
A pre-shared key used to authenticate users.
Default is empty and if it's left empty it will authenticate users with any psk!
.TP
.B -h,--help
Prints out help.
.TP
.B -version
Prints out version and help.
.SH EXAMPLES
.B wit
-a -b xxx.xxx.xxx.xxx -h my.server.com -cp 443,8080 -psk mysecret
.SH SIGNALS
.TP
.B SIGINT
performs a clean shutdown by cleaning all iptables rules and removing ipset list.
.TP
.B SIGTERM
exits immediately without cleaning up.
.SH AUTHORS
.I Hamed Bahadorzadeh <[email protected]>
.SH COPYRIGHT
.I github.com/hbahadorzadeh/wit
is licensed under the
.B GNU General Public License v3.0