Today, i’ll show you how to use knockd to improve the security of your linux server, the more common use that i’ve saw so far is: “i’d like to connect on port 22 (ssh) but i don’t want to leave to port open for everyone..and i’ve a dynamic IP”. In these cases you can close the ports and use knockd to knock on the ports of your Linux box and let you in.
knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
Installation
Knockd it’s available in the repository of the major distributions, i’m using it on Ubuntu/Debian where the package it’s available.
Configuration
knockd reads all knock/event sets from a configuration file. Each knock/event begins with a title marker, in the form [name], where name is the name of the event that will appear in the log. A special marker, [options], is used to define global options.
Example:
[options] logfile = /var/log/knockd.log [openSSH] sequence = 700,800,900 seq_timeout = 5 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 900,800,700 seq_timeout = 5 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn |
This example uses two knocks. The first will allow the knocker to access port 22 (SSH), and the second will close the port when the knocker is complete. As you can see, this could be useful if you run a very restrictive (DENY policy) firewall and would like to access it discreetly.
Example 2:
[options] logfile = /var/log/knockd.log [opencloseSSH] sequence = 2222:udp,3333:tcp,4444:udp seq_timeout = 15 tcpflags = syn,ack start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT cmd_timeout = 10 stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT |
This example uses a single knock to control access to port 22 (SSH). After receiving a successful knock, the daemon will run the start_command, wait for the time specified in cmd_timeout, then execute the stop_command. This is useful to automatically
In order to make use of the following configuration scheme, it’s important that you have ESTABLISHED,RELATED rules in your iptables firewalling settings. Like this:
iptables -A INPUT -m –state ESTABLISHED,RELATED -j ACCEPT |
Otherwise, you may loose your SSH session after those 10 seconds (even if you connected already).
And, of couse, the iptables DROP policy:
iptables -P INPUT DROP |
How to knock
Ok, now you have set up your server, how to knock on its ports ?
The easiest way it’s to sue the knock command, that is available in the knockd package as client.
the basic usage of knock is:
knock yourserver port:protocol port:protocol port:protocol |
If you omit :protocol the default it’s to use all TCP, this can be changed using the options -u (all UDP)
Examples:
Knock on 3 TCP ports:
knock 127.0.0.1 7000 8000 9000 |
You can use this syntax for specifying TCP and UDP packets:
knock 127.0.0.1 123:tcp 456:udp 789:tcp |
Client for Window and Mac are available at the url: http://www.zeroflux.org/projects/knock
References:
http://www.zeroflux.org/projects/knock
http://www.portknocking.org/
[amazon_enhanced asin=”0596005695″ price=”All” background_color=”FFFFFF” link_color=”FD8D00″ text_color=”FD5100″ /]
Popular Posts:
- None Found
Once you configure knockd, can you briefly discuss how to get in to your system. In other words, how do you knock your server with the appropriate sequence? Do you need an external file or shell script to send the knock sequence?
Hello Mark,
I’ve add to the article: “how to knock”
Thanks for the feedback.
Interesting method! So, we define the knock sequence as if it’s a password?
Thanks for sharing.
Yes, just be sure not use the default
Port knocking is bad idea; a very bad idea.
Port knocking is, in the end, a password. A sniffable one that is subject to man-in-the-middle attacks so you can’t even use one-time-passwords and be secure.
Public/private key pairs and/or one-time-passwords (opie, skey and the like) are the real solutions, along with dynamic monitoring to prevent DOS CPU resource exhaustion attacks. (OpenBSD’s PF incorporates a nice solution, as does the iptables with fail2ban/denyhosts/etc. Even swatch can work wonders.)
Just published an article about fail2ban, IMO these are different layers of security, the more you use the better.
Thanks for the feedback.
Went over to fail2ban.org, but couldn’t find the article.
Am I looking in the right place? Any hints?
It’s here: http://www.linuxaria.com/howto/fail2ban-brute-force-attacks?lang=en
Sigh… Reading comprehension FAIL!
Sorry.
And Thanks.
Hi,
Interested method indeed, I have forgotten about it!
But I have wrote about it before. Thanks pal.
knockd
Thanks for the contribute Guillermo 😉
You add an extra layer of complexity and an extra layer that can fail for less than 3 bits of entropy?
Can I ask what threat model you have such that port knocking, with its limited usefulness, can help you?
Brute force ssh bot ?
Please checkout my android knock client on the google play store, its completely free https://play.google.com/store/apps/details?id=com.droidknocker