
	IP Tables Network Magic SysRq function 0.3

What is it?

	ipt_sysrq is a new iptables target that allows you to do the same as
the magic sysrq key on a keyboard does, but over the network.

Why to use the remote sysrq?

	Sometimes a remote server hangs and only responds to icmp echo request
(ping). Every administrator of such machine is very unhappy because (s)he must
go there and press the reset button. It takes a long time and it's
inconvenient. So here is a solution. Use the Network Magic SysRq and you
will be able to do more than just pressing a reset button. You can remotely
sync disks, remount them read-only, then do a reboot. And everything
comfortably and only in a few seconds. ;-)

Is it secure?

	That depends. ;-) Let me explain: You can restrict who can do this by
setting the iptables firewall. But unfortunately, for simplicity, the Network
Magic SysRq is based on a single packet request. This packet is encrypted and
password protected, but if somebody can sniff it (s)he will be able to
repeat (but not to change) the query (so-called replay attack). The query
is also protected by a timestamp. When the packet is generated, it is stamped
by current date and time. Then on the server side that stamp is compared
with the current time of the server and if it is within the tolerance
the request is accepted. Together with some other information, the timestamp
is protected by SHA1 hash. This means that the potential attacker has a limited
time to repeat the sniffed packet. If anybody requires a better security
than this, some secure encrypted tunnel can be used. (not depending on
userspace, of course! ;-))

How to install it?

	Just type 'make'.

	When everything is compiled type 'make install' as root and after that
run 'depmod -a'. Now you can load the kernel module by the command
'modprobe ipt_SYSRQ'.

	You would also like to configure the server password and the tolerance.
This can be set when installing the module into a kernel, by specifying
the module parameters 'passwd' for password and 'tolerance' for tolerance
in seconds. The default values are passwd="" and tolerance=43200.

  Example:
	modprobe ipt_SYSRQ passwd="my_very_secret_password" tolerance=3600

	Module options can also be specified in file /etc/modules.conf.

  Example:
	options ipt_SYSRQ passwd="my_very_secret_password" tolerance=3600

What to do on a server?

	After the module is loaded you are able to deploy it
using the iptables command.

  Some examples of usage:

	iptables -I INPUT -p udp --dport 9 -j SYSRQ

		or

	iptables -I INPUT -i eth1 -s 192.168.1.2 -p udp --dport 9 -j SYSRQ

Note that UDP port 9 is used. This is the default port for send_sysrq program,
which shouldn't do any harm, as it defaults to 'discard' service.

What to do on the remote machine?

	Copy the executable binary 'send_sysrq' to the remote (client) machine.
Alternatively, you can compile ipt_sysrq there yourselves. After uncompressing
the source package, you just need to do a 'make send_sysrq'.

	Now you can use the client program 'send_sysrq' to send the sysrq
request.

Usage of send_sysrq:

	send_sysrq [-p <port>] <remote host> <sysrq commands>

	where <port> is destination UDP port (9 by default).
	      <remote host> is DNS name or IP address of the remote host.
	      <sysrq commands> is a string of letters such as:
		s - for sync
		i - for kill all processes
		u - for umount (remount read-only) all filesystems
		b - for reboot
		o - for power off ;-)
		and other characters same as with the magic sysrq key

	my favorite string is "sisub" ;-)

Important note: send_sysrq sends two copies of the request for each command
character separately. It does this to deal with the potential packet loss,
because send_sysrq has no feedback from the remote host. Delay between the
requests is one second.

Author:

	Marek Zelem <marek@terminus.sk>

