
Open Source

Our company contributes to the Open Source community in the form of projects we have developed.

So we are not merely passive consumers of other people's work; we are ourselves part of the large family of Open Source developers around the world.

Despite the still widespread view that Open Source is not suitable for the commercial sector, we side with the largest IT companies, which see great potential in Open Source. That is why we not only provide commercial support for our Open Source projects, but also integrate Open Source and commercial solutions.


ipt_sysrq - IP Tables network magic SysRq

What is ipt_sysrq?

ipt_sysrq is a new iptables target that lets you do over the network what the magic SysRq key on a keyboard does locally.

Why to use the remote sysrq?

Sometimes a remote server hangs and only responds to ICMP echo requests (ping). Every administrator of such a machine is very unhappy, because (s)he must go there and press the reset button. It takes a long time and it is inconvenient. So here is a solution: use the Network Magic SysRq and you will be able to do more than just press the reset button. You can remotely sync the disks, remount them read-only and then reboot, all comfortably and in only a few seconds. ;-)

Is it secure?

That depends. ;-) Let me explain: you can restrict who may send requests with iptables rules (by source address and interface). But, for simplicity, the Network Magic SysRq is based on a single-packet request. The packet is encrypted and password protected, but anyone who can sniff it can repeat (though not alter) the request, a so-called replay attack. The request is also protected by a timestamp: when the packet is generated it is stamped with the current date and time; on the server side that stamp is compared with the server's clock, and the request is accepted only if it lies within the tolerance. The timestamp, together with some other information, is protected by a SHA1 hash. A potential attacker therefore has only a limited time in which to replay a sniffed packet, so set the tolerance as small as your clock synchronisation allows: the default of 43200 seconds (12 hours) leaves a wide replay window. If anybody requires better security than this, some secure encrypted tunnel can be used (not depending on userspace, of course! ;-)).
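To make the replay window concrete, here is an added model of the request and its server-side check, written for this page and not taken from the project. The real wire format of ipt_sysrq is not described here, so the packet layout (timestamp, command letter, 20-byte tag), the way the password enters the hash (HMAC-SHA1 is assumed) and the optional `seen` cache of already-accepted tags are assumptions of this example; the cache goes beyond the page, which offers no defence against a replay inside the window other than a tunnel.

```python
"""Model of a single-packet, timestamped, SHA1-protected sysrq request.

Added illustration, not ipt_sysrq's code or wire format: the field layout,
the keyed-hash construction and the replay cache are assumptions.
"""
import hashlib
import hmac
import struct
from typing import Optional, Set, Tuple

PASSWORD = b"my-very-secret-password"   # plays the role of the passwd= parameter
TOLERANCE = 3600                          # plays the role of tolerance= (seconds)

# Assumed packet layout: 4-byte big-endian timestamp, 1-byte sysrq letter,
# then a 20-byte HMAC-SHA1 tag computed over those first 5 bytes.
HEADER = struct.Struct("!IB")
PACKET_LEN = HEADER.size + 20


def build_request(command: str, now: int, password: bytes = PASSWORD) -> bytes:
    """Client side (what a send_sysrq-like tool would do): stamp one command
    letter with the current time and authenticate it with the shared password.
    The password itself never travels on the wire."""
    if len(command) != 1:
        raise ValueError("one sysrq letter per packet")
    header = HEADER.pack(now & 0xFFFFFFFF, ord(command))
    tag = hmac.new(password, header, hashlib.sha1).digest()
    return header + tag


def check_request(packet: bytes, server_now: int, password: bytes = PASSWORD,
                  tolerance: int = TOLERANCE,
                  seen: Optional[Set[bytes]] = None) -> Tuple[bool, str]:
    """Server side (what the SYSRQ target would do): verify the tag first, then
    the timestamp window. Returns (accepted, reason_or_command).

    `seen` is an addition not described on the page: remembering tags already
    accepted inside the window rejects a sniffed packet that is played again."""
    if len(packet) != PACKET_LEN:
        return False, "bad length"
    header, tag = packet[:HEADER.size], packet[HEADER.size:]
    expected = hmac.new(password, header, hashlib.sha1).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "bad hash"             # wrong password or altered fields
    stamp, letter = HEADER.unpack(header)
    if abs(server_now - stamp) > tolerance:
        return False, "outside tolerance"    # too old (or too far ahead)
    if seen is not None:
        if tag in seen:
            return False, "replay"
        seen.add(tag)
    return True, chr(letter)


def demo() -> dict:
    """Constructed scenario: one sniffed 'sync' packet, replayed at various times."""
    t0 = 1_700_000_000
    pkt = build_request("s", t0)
    tampered = pkt[:4] + b"b" + pkt[5:]      # try to turn 'sync' into 'reboot'
    seen: Set[bytes] = set()
    return {
        "fresh": check_request(pkt, t0 + 2)[0],
        "replay_inside_window": check_request(pkt, t0 + TOLERANCE - 1)[0],
        "replay_after_window": check_request(pkt, t0 + TOLERANCE + 1)[0],
        "tampered": check_request(tampered, t0 + 2)[0],
        "wrong_password": check_request(pkt, t0 + 2, password=b"guess")[0],
        "first_with_cache": check_request(pkt, t0 + 2, seen=seen)[0],
        "replay_with_cache": check_request(pkt, t0 + 3, seen=seen)[0],
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:22s} {'accepted' if accepted else 'rejected'}")
```

The `replay_inside_window` case is the weakness the paragraph describes: the tag is valid and the stamp is still within tolerance, so the server cannot tell the replay from the original. Only a smaller tolerance, a cache like `seen`, or a tunnel narrows that gap.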

How to install it?

Just type make.

When everything is compiled, type make install as root and then run depmod -a. Now you can load the kernel module with the command modprobe ipt_SYSRQ.

You will also want to configure the server password and the tolerance. These are set when loading the module into the kernel, through the module parameters passwd (the password) and tolerance (the tolerance in seconds). The default values are passwd="" (an empty password) and tolerance=43200 (12 hours).

Example:

modprobe ipt_SYSRQ passwd="my-very-secret-password" tolerance=3600

Module options can also be specified in the file /etc/modules.conf (on 2.6 kernels using module-init-tools, in /etc/modprobe.conf or a file under /etc/modprobe.d instead).

Example:

options ipt_SYSRQ passwd="my-very-secret-password" tolerance=3600

What to do on a server?

After the module is loaded you can deploy it with the iptables command.

Some examples of usage:

iptables -I INPUT -p udp --dport 9 -j SYSRQ

or, restricted to one interface and one source address:

iptables -I INPUT -i eth1 -s 192.168.1.2 -p udp --dport 9 -j SYSRQ

Note that UDP port 9 is used. This is the default port of the send_sysrq program; it should not do any harm, because port 9 is the discard service.

What to do on the remote machine?

Copy the executable binary send_sysrq to the remote (client) machine. Alternatively, you can compile ipt_sysrq there yourself: after unpacking the source package, just run make send_sysrq.

Now you can use the client program send_sysrq to send the sysrq request.

Usage of send_sysrq:

send_sysrq [-p <port>] <host> <sysrq-string>

where <port> is the destination UDP port (9 by default), <host> is the DNS name or IP address of the remote host, and <sysrq-string> is a string of letters such as:

  • s – sync
  • i – kill all processes
  • u – umount (remount read-only) all filesystems
  • b – reboot
  • o – power off ;-)

and other characters, the same as with the magic SysRq key.

My favourite string is "sisub". ;-)

Important note: send_sysrq sends two copies of the request for each command character separately. It does this to cope with potential packet loss, because send_sysrq gets no feedback from the remote host. The delay between the two copies is one second.

Requirements

Works on Linux 2.4.x and on 2.6.x too.
To compile successfully you need to have installed:

  • GCC
  • Linux kernel sources of your running kernel
  • Header files of your iptables command

Debian users

I am new to Debian and I am not sure I did it right, but you can run the script
make_debian.sh from this package and it will produce three Debian binary packages:

  1. Kernel module for the running kernel
  2. Target library for the iptables program
  3. send_sysrq tool for sending sysrq requests

Please, if anybody can debianize this package in a better way, contact me. Thanks.

Author

Marek Zelem <marek@terminus.sk>
