Troubleshooting / Frequently Asked Questions (FAQ)
Is it better than port knocking?
Yes. This method works as a two-factor pre-authentication in front of the service, which is one of the more robust ways to protect it: until a client has pre-authenticated it cannot deliver a single byte to the protected service, so exploits that do not require authentication never reach it. Keep in mind that the proxy itself is still reachable by unauthenticated clients, so it becomes the exposed attack surface and must be kept patched and configured with the smallest possible unauthenticated target.
Is it exploit proof?
Nothing is exploit proof: any program with a memory-safety flaw such as a buffer overflow can be attacked. We build our framework on the LLVM high-level API to reduce that risk, so it should be hard to exploit. In addition, a service guardian supervises the daemon, all network-facing code runs as an unprivileged user, and hardening such as stack and frame protectors and denial-of-service throttling is enabled. These measures limit the impact of a bug; they do not make the code immune.
Why do I see multiple running processes on Linux and FreeBSD?
Because the software runs a service guardian plus an unprivileged child (worker) process, and each of these launches additional threads.
One of the processes is still running as root
That is the guardian process: it keeps its privileges so it can monitor the worker process and kill or restart it when necessary. The network-facing work is done by the unprivileged worker (see setuid_user in the configuration).
Does it send usage statistics?
Yes. To be precise, it only sends error reports and initial information such as hostname, OS version and license status. Keep this in mind if your hostname is sensitive or your policy forbids outbound telemetry.
Configuration File
/var/lib/nPulse/trackit-portguard/main.conf
; Configuration File
core
{
date_format = %Y/%m/%d ; Date format, using the C-library strftime() syntax
setuid_user = nobody ; Unprivileged user the daemon drops to. It should never be `root`: the software does not enforce this, but running as root discards the privilege separation described in the FAQ above
time_format = %H:%M:%S ; Time format, using the C-library strftime() syntax
version = v32 ; Config File Version
}
dns_auth
{
dns_server_ip = 8.8.8.8 ; DNS server IP used for name resolution; the system resolvers are ignored. Plain DNS answers are not authenticated, so for an authentication decision a resolver you control is preferable to a public one
enable = no ; Enable this Auth Type (yes/no)
zone_1 = personal.dyndns.tld ; DNS zone whose A (IPv4) or AAAA (IPv6) record is fetched when a connection is received; the software determines which record type to fetch
zone_2 = personal2.dyndns.tld
; Up to 100 zones can be defined, named zone_1 through zone_100 (underscore followed by the index).
}
http_auth
{
enable = no
url = https://auth.realm.server.tld/?IP=$IP ; Authentication URL; $IP is presumably replaced with the connecting client's address. Keep this https:// so the decision cannot be altered in transit
verfyTLS = yes ; Verify the auth server's TLS certificate; keep this set to yes, otherwise the lookup can be spoofed by anyone on the network path
}
proxy_1 ; Up to 100 proxy groups can be defined, named proxy_1 through proxy_100 (underscore followed by the index).
{
auth_target = 127.0.0.1:22 ; Target that authenticated connections are forwarded to
unauth_target = disable ; Unauthenticated target disabled: unauthenticated connections are refused
auto_blacklist_sec = 600 ; Too many connections or other harmful behaviour puts the source IP on the blacklist for x seconds
enable = no ; Enable this proxy group (yes/no)
idle_timeout_ms = 60000 ; Connection is reset after idling for x milliseconds (no packets in either direction)
ipv4_listen = 0.0.0.0 ; IPv4 Listen address, empty to disable
ipv6_listen = :: ; IPv6 Listen address, empty to disable
max_connections_per_ip = 20 ; Max allowed connections from a single IP address
min_wait_retry = 25 ; After a denied connection, further attempts from that IP are refused for this interval; a new attempt resets the counter and starts over. The default is 1 second; the unit of this value is not stated here, confirm it before tuning
port = 2222 ; TCP port to listen on
}
proxy_2 ; Redirects HTTP traffic to the internal web_auth login page until the client authenticates, then passes it through to the local webserver
{
auth_target = 127.0.0.1:8080 ; Target that authenticated connections are forwarded to
unauth_target = web_auth ; Unauthenticated target: connections are redirected to the IP:PORT defined in the web_auth section
auto_blacklist_sec = 600 ; Too many connections or other harmful behaviour puts the source IP on the blacklist for x seconds
enable = no ; Enable this proxy group (yes/no)
idle_timeout_ms = 60000 ; Connection is reset after idling for x milliseconds (no packets in either direction)
ipv4_listen = 0.0.0.0 ; IPv4 Listen address, empty to disable
ipv6_listen = :: ; IPv6 Listen address, empty to disable
max_connections_per_ip = 50 ; Max allowed connections from a single IP address
port = 80 ; TCP port to listen on
}
proxy_3 ; Sends HTTPS traffic to an external public server until the client authenticates, then passes it through to the private webserver
{
auth_target = private.webserver.tld:443 ; Target that authenticated connections are forwarded to
unauth_target = public.webserver.tld:443 ; Unauthenticated target: connections are forwarded to this host:port (here a public server, not the web_auth login page)
auto_blacklist_sec = 600 ; Too many connections or other harmful behaviour puts the source IP on the blacklist for x seconds
enable = no ; Enable this proxy group (yes/no)
idle_timeout_ms = 60000 ; Connection is reset after idling for x milliseconds (no packets in either direction)
ipv4_listen = 0.0.0.0 ; IPv4 Listen address, empty to disable
ipv6_listen = :: ; IPv6 Listen address, empty to disable
max_connections_per_ip = 50 ; Max allowed connections from a single IP address
port = 443 ; TCP port to listen on
}
proxy_4 ; Terminates TLS here and forwards the decrypted stream to a plain-HTTP backend, i.e. adds TLS in front of an unencrypted service. The hop from the proxy to the backend is cleartext, so keep the backend on a trusted network segment
{
auth_target = 172.16.0.2:80 ; Non-TLS (cleartext) target that authenticated connections are forwarded to
auto_blacklist_sec = 600
enable = no
idle_timeout_ms = 60000
ipv4_listen = 0.0.0.0
ipv6_listen = ::
max_connections_per_ip = 50
port = 443
ssl_cert = ssl/cert.pem ; SSL/TLS certificate (.crt, .pem), relative or absolute path
ssl_chain = ssl/chain.pem ; Full certificate chain (.crt, .pem), relative or absolute path
ssl_key = ssl/pkey.pem ; SSL/TLS private key; password-protected (encrypted) keys are not supported, so restrict this file's permissions to the user that reads it
unauth_target = web_auth
use_ssl = yes ; Force TLS/SSL
}
proxy_5 ; Advanced example: filter RDP traffic by inspecting the first packet
{
auth_target = winserver.tld:3389
auto_blacklist_sec = 600
enable = yes
idle_timeout_ms = 60000
ipv4_listen = 0.0.0.0
ipv6_listen = ::
max_connections_per_ip = 5
min_wait_retry = 25
port = 3389
unauth_target = 192.168.1.250:3389 ; Unauthenticated connections are forwarded here, so this host receives traffic from anyone; do not point it at a system you intend to protect
debug_first_bytes = 39 ; Log the first 39 bytes of each connection. Debugging only: the logged bytes may include credentials or other client data, so disable this in production
match_first_bytes = 030000 ; First packet must start with these 3 bytes, given as hexadecimal
;match_first_datalen = 19 ; First packet must be exactly 19 bytes (alternative to the range form below)
match_first_datalen = 19-47 ; First packet must be between 19 and 47 bytes long
drop_packet_if_contains = 3d 68 65 6c 6c 6f ; If this byte sequence (3d 68 65 6c 6c 6f = '=hello') appears in the first packet, the packet is dropped
connection_delay = 2000 ; Initial delay: wait 2 seconds (2000 ms) before passing the connection through
}
security
{
api_key = DBE4A775C1509CEAA36A8404C8F227108D74EF0722446E184EF43AABB2135AF0 ; Unused, reserved for future use; do not remove. Treat it as a secret: replace this sample value with your own and keep the config file readable only by root and the daemon user
secret = E259D52C84A5B619164C5302C3B30BCCDE938A12BC102F3C521040698845FC42 ; Unused, reserved for future use; do not remove. Treat it as a secret: replace this sample value with your own and keep the config file readable only by root and the daemon user
}
text_auth
{
enable = no ; Enable this Auth Type (yes/no)
file = ips.txt ; Text file (relative or absolute path) listing allowed IP addresses, one per line; subnet entries are also supported
}
trackit_global_auth ; For enterprise users
{
enable = no
trackit_api_url = trackit.api.company.tld:3030/trackit_global_api_key ; API endpoint; no scheme is shown here, so confirm with the vendor that the call is made over TLS before trusting it for authentication
}
trackit_prefix_auth ; For enterprise users
{
enable = no
trackit_api_url = trackit.api.company.tld:3030/prefix/prefix_api_key ; API endpoint; no scheme is shown here, so confirm with the vendor that the call is made over TLS before trusting it for authentication
}
web_auth
{
auto_blacklist_sec = 600 ; Too many connections or other harmful behaviour puts the source IP on the blacklist for x seconds
enable = no ; Enable this Auth Type (yes/no)
force_ssl = no ; Force HTTPS for the login page (yes/no); without it the password on line `password` below can be sent in cleartext
ipv4_listen = 0.0.0.0 ; IPv4 Address to listen on, empty to disable
ipv6_listen = :: ; IPv6 Address to listen on, empty to disable
; Language Section Begin
lang_access_denied = Access is denied
lang_login_success = Login Accepted
lang_login_text = Secure Login
lang_login_text_auth = Your token is valid until [EXPDATE]
lang_login_text_unauth = Please authorize yourself
lang_password_text = Enter Password
; Language Section End
max_connections_per_ip = 50 ; Maximum connections from a single IP address
password = SIcK7zIQ ; Plaintext password for access. This is the only secret gating the login page: replace the sample value with a long random one and keep this file readable only by root and the daemon user
port = 8080 ; Webserver Port number
session_duration_min = 15 ; After a successful login the client's IP address is authorized for x minutes. Authorization is per source IP, so every client sharing that address (NAT, VPN, proxy) is granted access for the same window
ssl_cert = ssl/cert.pem ; SSL/TLS certificate (.crt, .pem), relative or absolute path
ssl_chain = ssl/chain.pem ; Full certificate chain (.crt, .pem), relative or absolute path
ssl_key = ssl/pkey.pem ; SSL/TLS private key; password-protected (encrypted) keys are not supported, so restrict this file's permissions to the user that reads it
use_ssl = yes ; Enable TLS/SSL for the login page
}
