Apr 17, 2011
 

Today I'll show you how to use knockd to improve the security of your Linux server. The most common use I've seen so far is: "I'd like to connect on port 22 (SSH), but I don't want to leave the port open for everyone, and I have a dynamic IP". In these cases you can close the ports and use knockd: knocking on the ports of your Linux box in the right sequence lets you in.


knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

Installation

Knockd is available in the repositories of the major distributions; I'm using it on Ubuntu/Debian, where the package is available.

Configuration

knockd reads all knock/event sets from a configuration file. Each knock/event begins with a title marker, in the form [name], where name is the name of the event that will appear in the log. A special marker, [options], is used to define global options.

Example:

[options]
        logfile = /var/log/knockd.log
 
[openSSH]
        sequence    = 700,800,900
        seq_timeout = 5
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
 
[closeSSH]
        sequence    = 900,800,700
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

This example uses two knocks. The first will allow the knocker to access port 22 (SSH), and the second will close the port when the knocker is complete. As you can see, this could be useful if you run a very restrictive (DENY policy) firewall and would like to access it discreetly.

Example 2:

[options]
        logfile = /var/log/knockd.log

[opencloseSSH]
        sequence      = 2222:udp,3333:tcp,4444:udp
        seq_timeout   = 15
        tcpflags      = syn,ack
        start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
        cmd_timeout   = 10
        stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT

This example uses a single knock to control access to port 22 (SSH). After receiving a successful knock, the daemon will run the start_command, wait for the time specified in cmd_timeout, then execute the stop_command. This is useful to automatically

In order to make use of this configuration scheme, it's important that you have ESTABLISHED,RELATED rules in your iptables firewall settings. Like this:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Otherwise, you may lose your SSH session after those 10 seconds (even if you connected already): the stop_command removes the rule that let your SYN in, and only the conntrack rule above keeps the already established connection accepted.

And, of course, the iptables DROP policy:

iptables -P INPUT DROP
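To see what the [opencloseSSH] set above actually does with incoming packets, here is a small model of knockd's per-source-IP sequence matcher (an added example, not code from the knockd project; tcpflags is not modelled, and the IPs and timestamps in HITS are constructed). It shows that only a sequence completed within seq_timeout fires the start_command, and that the stop_command follows cmd_timeout seconds later with %IP% substituted.

```python
from collections import defaultdict

# The [opencloseSSH] knock set from Example 2, transcribed into a dict (tcpflags is not modelled).
KNOCK = {
    "sequence": "2222:udp,3333:tcp,4444:udp",
    "seq_timeout": 15,
    "start_command": "/usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT",
    "cmd_timeout": 10,
    "stop_command": "/usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT",
}

def parse_sequence(seq):
    """'2222:udp,3333:tcp,700' -> [(2222, 'udp'), (3333, 'tcp'), (700, 'tcp')]; bare ports are TCP."""
    items = [item.strip().partition(":") for item in seq.split(",")]
    return [(int(port), proto or "tcp") for port, _, proto in items]

def simulate(knock, hits):
    """Replay (time_s, src_ip, port, proto) hits per source IP and return the (time_s, command)
    pairs that would run. The whole sequence must arrive within seq_timeout of its first hit."""
    seq = parse_sequence(knock["sequence"])
    state = defaultdict(lambda: (0, None))          # src_ip -> (stage reached, first-hit time)
    actions = []
    for t, ip, port, proto in sorted(hits):
        stage, t0 = state[ip]
        if stage and t - t0 > knock["seq_timeout"]:
            stage, t0 = 0, None                     # too slow: start over
        if (port, proto) == seq[stage]:
            stage, t0 = stage + 1, (t if t0 is None else t0)
        else:
            stage, t0 = 0, None                     # wrong port: partial sequence is thrown away
        if stage == len(seq):                       # full knock: open now, close cmd_timeout later
            for key, delay in (("start_command", 0), ("stop_command", knock["cmd_timeout"])):
                actions.append((t + delay, knock[key].replace("%IP%", ip)))
            stage, t0 = 0, None
        state[ip] = (stage, t0)
    return actions

# Constructed hits: one correct knock, one that is too slow, and one in the wrong order.
HITS = [
    (0, "198.51.100.7", 2222, "udp"), (1, "198.51.100.7", 3333, "tcp"), (2, "198.51.100.7", 4444, "udp"),
    (0, "203.0.113.9", 2222, "udp"), (20, "203.0.113.9", 3333, "tcp"), (21, "203.0.113.9", 4444, "udp"),
    (30, "203.0.113.9", 4444, "udp"), (31, "203.0.113.9", 3333, "tcp"), (32, "203.0.113.9", 2222, "udp"),
]

def demo():
    return simulate(KNOCK, HITS)

if __name__ == "__main__":
    for t, cmd in demo():
        print(f"t={t:>3}s  {cmd}")
```

Only 198.51.100.7 gets the two iptables commands; 203.0.113.9 never completes a valid sequence, which is exactly why the DROP policy never opens for it.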

How to knock

OK, now that you have set up your server, how do you knock on its ports?
The easiest way is to use the knock command, which is available in the knockd package as the client.

The basic usage of knock is:

knock yourserver port:protocol port:protocol  port:protocol

If you omit :protocol the default is TCP for every port; this can be changed with the -u option (all UDP).

Examples:

Knock on 3 TCP ports:

knock 127.0.0.1 7000 8000 9000

You can use this syntax for specifying TCP and UDP packets:

knock 127.0.0.1 123:tcp 456:udp 789:tcp

Clients for Windows and Mac are available at: http://www.zeroflux.org/projects/knock
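What the knock client does is simple: one TCP SYN or one empty UDP datagram per port, in order, with a short pause between hits. This added example (not the knockd project's client) reimplements that in Python, including the port[:proto] syntax and the -u default; the sender argument exists so the sequence can be checked without touching the network, and 192.0.2.10 is a constructed address.

```python
import socket
import time

def parse_knock_args(args, udp_default=False):
    """Turn knock's port[:proto] arguments into (port, proto) pairs.
    A bare port means TCP unless udp_default is set (knock's -u option)."""
    default = "udp" if udp_default else "tcp"
    hits = []
    for arg in args:
        port, _, proto = arg.partition(":")
        proto = proto or default
        if not 0 < int(port) < 65536 or proto not in ("tcp", "udp"):
            raise ValueError(f"bad knock argument: {arg!r}")
        hits.append((int(port), proto))
    return hits

def one_packet(host, port, proto, timeout=0.2):
    """Send a single port-hit: a TCP SYN (from a connect attempt) or an empty UDP datagram.
    The port need not be open; knockd sees the packet at the link layer either way."""
    if proto == "tcp":
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:                 # refused or timed out: the SYN was still sent
            pass
        finally:
            s.close()
    else:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.sendto(b"", (host, port))
        s.close()

def send_knock(host, args, udp_default=False, delay=0.1, sender=one_packet):
    """Send the hits in order with a short pause between them, so the server sees
    them in sequence and well inside its seq_timeout. Returns the parsed hits."""
    hits = parse_knock_args(args, udp_default)
    for port, proto in hits:
        sender(host, port, proto)
        time.sleep(delay)
    return hits

if __name__ == "__main__":
    # The post's Example 2 sequence, aimed at a constructed (documentation-range) address.
    print(send_knock("192.0.2.10", ["2222:udp", "3333:tcp", "4444:udp"]))
```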

References:

http://www.zeroflux.org/projects/knock

http://www.portknocking.org/


14 Responses to “Knockd, to secure your ports on Linux”

  1. Once you configure knockd, can you briefly discuss how to get in to your system. In other words, how do you knock your server with the appropriate sequence? Do you need an external file or shell script to send the knock sequence?

  2. Interesting method! So, we define the knock sequence as if it’s a password?
    Thanks for sharing.

  3. Port knocking is bad idea; a very bad idea.

    Port knocking is, in the end, a password. A sniffable one that is subject to man-in-the-middle attacks so you can’t even use one-time-passwords and be secure.

    Public/private key pairs and/or one-time-passwords (opie, skey and the like) are the real solutions, along with dynamic monitoring to prevent DOS CPU resource exhaustion attacks. (OpenBSD’s PF incorporates a nice solution, as does the iptables with fail2ban/denyhosts/etc. Even swatch can work wonders.)

  4. Sigh… Reading comprehension FAIL!
    Sorry.
    And Thanks.

  5. Hi,
    Interesting method indeed, I have forgotten about it!

    But I have written about it before. Thanks pal.

    knockd

  6. You add an extra layer of complexity and an extra layer that can fail for less than 3 bits of entropy?
    Can I ask what threat model you have such that port knocking, with its limited usefulness, can help you?

  7. Please check out my Android knock client on the Google Play store, it's completely free https://play.google.com/store/apps/details?id=com.droidknocker
