TroubleShoot / Frequently Asked Questions (FAQ)
Is it better than port knocking
Yes, this method is considered as a two-factor pre-authentication, one of the most secure way to protect a service. Without pre-authentication the attacker unable to send a single byte to the service. This protect against exploits that is do not need authentication.
Is it exploit proof?
Well everything could be exploited if there is a buffer overflow flaw in the code. We using LLVM high level api on our framework to make it safe, so should be very hard to be exploited. Also we implemented a service guardian and every network related code running unprivileged. Also we added a lot of high quality protection, like stack and frame protectors, Denial Of Service prevention and so on.
Why I see multiple running processes on Linux and FreeBSD?
It is because the software running a service guardian and an unprivileged child process. These processes also has more threads launched.
One of the process is still running as root
Due in fact the software has a guardian process which monitoring the worker process, kill or restart if necessary.
Does it sending usage statistics?
Yes. To be fair we only get error reporting and initial info such as hostname, OS version, License status.
Configuration File
/var/lib/nPulse/trackit-portguard/main.conf
; Configuration File core { date_format = %Y/%m/%d ; Date format, using C-API strftime() setuid_user = nobody ; Unprivileged daemon user, should not be `root` but there is no restriction, you are the owner above the system time_format = %H:%M:%S ; Time format, using C-API strftime() version = v32 ; Config File Version } dns_auth { dns_server_ip = 8.8.8.8 ; DNS Server IP to be use name resolution, discarding the system ones enable = no ; Enable this Auth Type (yes/no) zone_1 = personal.dyndns.tld ; DNS Zone (A) & (AAAA) to be fetch when connection received, the software determines the right record type zone_2 = personal2.dyndns.tld ; you can define maximum 100 zones with prefixing it with (_) underscore. } http_auth { enable = no url = https://auth.realm.server.tld/?IP=$IP verfyTLS = yes } proxy_1 ; You can define maximum 100 proxy group with prefixing it with (_) underscore. { auth_target = 127.0.0.1:22 ; Authenticated Target unauth_target = disable ; UnAuthenticated Target disabled, connection will refused auto_blacklist_sec = 600 ; Too many connections and or any harmful behavior welcomed on x seconds blacklist enable = no ; Enable this Auth Type (yes/no) idle_timeout_ms = 60000 ; Connection will reset when idling x amount of millisecond (zero packets) ipv4_listen = 0.0.0.0 ; IPv4 Listen address, empty to disable ipv6_listen = :: ; IPv4 Listen address, empty to disable max_connections_per_ip = 50 ; Max allowed connection from a single IP address port = 1234 ; TCP Port listetning on } proxy_2 ; This redirects all HTTP traffic to internal web_auth before authentication, then pass it through the local webserver { auth_target = 127.0.0.1:8080 ; Authenticated Target unauth_target = web_auth ; UnAuthenticated Target, it will redirect to IP:PORT defined in web_auth section auto_blacklist_sec = 600 ; Too many connections and or any harmful behavior welcomed on x seconds blacklist enable = no ; Enable this Auth Type (yes/no) idle_timeout_ms = 60000 ; Connection will reset when idling x amount of millisecond (zero packets) ipv4_listen = 0.0.0.0 ; IPv4 Listen address, empty to disable ipv6_listen = :: ; IPv4 Listen address, empty to disable max_connections_per_ip = 50 ; Max allowed connection from a single IP address port = 80 ; TCP Port listetning on } proxy_3 ; This redirects all HTTPS traffic to external server before authentication, then pass it through the authenticated webserver { auth_target = private.webserver.tld:443 ; Authenticated Target unauth_target = public.webserver.tld:443 ; UnAuthenticated Target, it will redirect to IP:PORT defined in web_auth section auto_blacklist_sec = 600 ; Too many connections and or any harmful behavior welcomed on x seconds blacklist enable = no ; Enable this Auth Type (yes/no) idle_timeout_ms = 60000 ; Connection will reset when idling x amount of millisecond (zero packets) ipv4_listen = 0.0.0.0 ; IPv4 Listen address, empty to disable ipv6_listen = :: ; IPv4 Listen address, empty to disable max_connections_per_ip = 50 ; Max allowed connection from a single IP address port = 443 ; TCP Port listetning on } proxy_4 ; This redirects all HTTPS (TLS) traffic to a single HTTP nonTLS session, so it adds TLS session to an unencrypted channel { auth_target = 172.16.0.2:80 ; nonTLS target auto_blacklist_sec = 600 enable = no idle_timeout_ms = 60000 ipv4_listen = 0.0.0.0 ipv6_listen = :: max_connections_per_ip = 50 port = 443 ssl_cert = ssl/cert.pem ; SSL Certificate (.crt, .pem) realtive or absolute path ssl_chain = ssl/chain.pem ; SSL Full-Chain (.crt, .pem) realtive or absolute path ssl_key = ssl/pkey.pem ; SSL Private-Key password does not supported unauth_target = web_auth use_ssl = yes ; Froce TLS/SSL } security { api_key = DBE4A775C1509CEAA36A8404C8F227108D74EF0722446E184EF43AABB2135AF0 ; Unused, future proof, dont dispose secret = E259D52C84A5B619164C5302C3B30BCCDE938A12BC102F3C521040698845FC42 ; Unused, future proof, dont dispose } text_auth { enable = no ; Enable this Auth Type (yes/no) file = ips.txt ; Textfile realtive or absolute location that list all valid IP addresses in new line } trackit_global_auth ; This is for our enterprise users { enable = no trackit_api_url = trackit.api.company.tld:3030/trackit_global_api_key } trackit_prefix_auth ; This is for our enterprise users { enable = no trackit_api_url = trackit.api.company.tld:3030/prefix/prefix_api_key } web_auth { auto_blacklist_sec = 600 ; Too many connections and or any harmful behavior welcomed on x seconds blacklist enable = no ; Enable this Auth Type (yes/no) force_ssl = no ; Force to HTTPS connection ipv4_listen = 0.0.0.0 ; IPv4 Address to listen on, empty to disable ipv6_listen = :: ; IPv4 Address to listen on, empty to disable ; Language Section Begin lang_access_denied = Access is denied lang_login_success = Login Accepted lang_login_text = Secure Login lang_login_text_auth = Your token is valid until [EXPDATE] lang_login_text_unauth = Please authorize yourself lang_password_text = Enter Password ; Language Section End max_connections_per_ip = 50 ; maximum connection from single IP address password = SIcK7zIQ ; Plaintext Password for access port = 8080 ; Webserver Port number session_duration_min = 15 ; After a success login IP address will be valid for x amount of minutes. ssl_cert = ssl/cert.pem ; SSL Certificate (.crt, .pem) realtive or absolute path ssl_chain = ssl/chain.pem ; SSL Full-Chain (.crt, .pem) realtive or absolute path ssl_key = ssl/pkey.pem ; SSL Private-Key password does not supported use_ssl = yes ; Enable TLS/SSL }