- Linux Training
- Desktop Tutorials
- Server Tutorials
|Security - Training|
Port knocking provides a way to close your ports on the server and still be able to connect to the server. The constant battle with attacks focused on the SSH daemon are a prime example. Knockd listens at the link layer so ports do not need to be open. When the daemon detects hits on the knock sequence it executes a command to open the SSH port.
The knockd file contains both the daemon and the client. Install on all systems that you will use the program with.
Install the package from this site:
or download the RPM for Centos5 from:
rpm -ivh knock*.rpm
Once it is installed edit /etc/knockd.conf. If you are using CentOS 5 you will need to change the path to iptables as by default the path is /usr/sbin/iptables but CentoS is /sbin/iptables. The other change you will need to make is to change the command to /sbin/iptables -I which will insert this rule at the beginning of the firewall to allow a connection. If you use the -A that is in the default configuration file it will append at the end which will not allow you to connect in most cases. The default knock sequence is 7000,8000,9000 which is OK to use for testing but change it once you have it figured out so you can protect your system. The timeout allows a 5 second interval and then a command is run to allow the IP Address that is connecting make the connection to the server. The tpcflag is the SYN flag which is used to initiate a new connection. Once you run the knock sequence you should be able to use ssh to connect to the server. This will allow you to block port 22 on the firewall because the knock sequence will happen at the link layer level allowing you to block your SSH port for security.
Basic Server Setup
logfile = /var/log/knockd.log
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Start the program with the path to the application.
Install the program on the client and then issue this command at the command line using the knock command followed by the IP Address and the knock sequence.
knock -v 188.8.131.52 7000 8000 9000
The -v is verbose so you can verify the sequence.
Here is the the log at /var/log/knockd.log should look like for a successful knock and connection.
[2007-11-04 01:38] 184.108.40.206: openSSH: Stage 1
[2007-11-04 01:38] 220.127.116.11: openSSH: Stage 2
[2007-11-04 01:38] 18.104.22.168: openSSH: Stage 3
[2007-11-04 01:38] 22.214.171.124: openSSH: OPEN SESAME
[2007-11-04 01:38] openSSH: running command: /sbin/iptables -I INPUT -s 126.96.36.199 -p tcp --dport 22 -j ACCEPT
Now you can connect to the server using ssh.
knock 188.8.131.52 9000 8000 7000
Here is an example of the modified iptables and what it will look like to enable access. Note that the -I places the rule right at the start of the rules for INPUT.
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 122-32-36-11.static.black8.net anywhere tcp dpt:ssh
Copyright CyberMontana Inc. and BeginLinux.com All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874