Port Knocking
Security - Training

Port knocking provides a way to keep ports on the server closed and still be able to connect to it. The constant stream of brute-force attacks against the SSH daemon is a prime example of why you would want this. Knockd captures packets at the link layer (using libpcap), so the ports in the knock sequence do not need to be open and the firewall can drop them. When the daemon sees connection attempts to the right ports, in the right order, within the timeout, it executes a command, in this case an iptables rule that opens the SSH port for the knocking IP address only.

Knockd

The knock package contains both the daemon (knockd) and the client (knock). Install it on the server and on every client you will knock from.

Install the package from this site:

http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki

or download the RPM for CentOS 5 from:
http://dag.wieers.com/rpm/packages/knock/


rpm -ivh knock*.rpm

Once it is installed, edit /etc/knockd.conf. If you are using CentOS 5 you will need to change the path to iptables: the default configuration uses /usr/sbin/iptables, but on CentOS the binary is /sbin/iptables (check with which iptables). The other change is the iptables verb in the command. Use /sbin/iptables -I, which inserts the rule at the beginning of the INPUT chain so it is evaluated first. The -A in the default configuration file appends the rule at the end, after the rule that drops or rejects port 22, so the ACCEPT is never reached and in most cases you still cannot connect.

The default knock sequence is 7000,8000,9000. It is fine for testing, but change it once you have it figured out, since anyone who knows the default (an ascending run of round numbers) can open your port. seq_timeout is the number of seconds within which the whole sequence must arrive; knocks that come in slower than that do not complete the sequence. When the sequence completes, knockd runs the command with %IP% replaced by the address the knocks came from, so only that address is allowed through. Note that if the client sits behind NAT, %IP% is the NAT gateway's address and every host behind it gains access. tcpflags = syn restricts matching to packets with the SYN flag, the first packet of a new TCP connection, so packets without SYN (for instance ACK or RST probes) do not count as knocks.

After you run the knock sequence you should be able to connect with ssh. Because knockd sees the knocks at the link layer rather than through an open socket, you can block port 22 on the firewall, along with the knock ports themselves, and still get in.

Basic Server Setup
To set up the server you need to edit the configuration file and then start the program.

[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

Note that the ACCEPT rule added by openSSH stays in place until the same address sends the closeSSH sequence; if you forget to close, that address keeps its access.

Start the program with the path to the application. knockd stays in the foreground unless you pass -d to run it as a daemon, and it listens on eth0 by default, so pass -i (or set interface in [options]) if your network interface has a different name.
/usr/sbin/knockd -d
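The following script is an added example for this page; it is not code from the original article or from the knock project. It embeds the shipped default configuration as the page describes it, generates a hardened one, and lints a knockd.conf for the three mistakes discussed above (default sequence, -A instead of -I, nothing that ever removes the ACCEPT rule). The hardened version uses knockd's start_command, cmd_timeout and stop_command so the port closes by itself. The iptables path and sequence are caller-supplied; the interface name eth0, the 30 second cmd_timeout and the 10000-59999 port range are assumptions, and the auto-close only keeps your session alive if the firewall already accepts ESTABLISHED,RELATED traffic ahead of its DROP rule.

```shell
#!/bin/sh
# Added example (not from the original page or the knock project): generate a
# hardened knockd.conf and lint any knockd.conf for the pitfalls described above.
# Assumptions: caller supplies the iptables path and sequence; eth0 is the NIC;
# cmd_timeout of 30 s; the firewall already accepts ESTABLISHED,RELATED before
# its DROP rule, so the SSH session survives when stop_command removes the ACCEPT.

# The shipped default as the page describes it: /usr/sbin/iptables, -A, the
# well-known 7000,8000,9000 sequence, and nothing that ever closes the port.
default_conf() {
    cat <<'EOF'
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
EOF
}

# $1 = path to iptables, $2 = open sequence. start_command inserts the ACCEPT at
# the top of INPUT; cmd_timeout seconds later stop_command deletes it again, so
# a forgotten close sequence no longer leaves the address with permanent access.
hardened_conf() {
    cat <<EOF
[options]
logfile = /var/log/knockd.log
interface = eth0

[openSSH]
sequence = $2
seq_timeout = 5
tcpflags = syn
start_command = $1 -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 30
stop_command = $1 -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# Reads a knockd.conf on stdin, prints one line per finding, and returns the
# number of findings (0 means the config passed).
check_knockd_conf() {
    conf=$(cat)
    n=0
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*sequence[[:space:]]*=[[:space:]]*7000,8000,9000'; then
        echo "FAIL: default open sequence 7000,8000,9000 is in use"; n=$((n+1))
    fi
    if printf '%s\n' "$conf" | grep -Eq 'iptables[[:space:]]+-A[[:space:]]+INPUT'; then
        echo "FAIL: -A appends after the existing DROP/REJECT rule; use -I"; n=$((n+1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq 'iptables[[:space:]]+-D[[:space:]]+INPUT'; then
        echo "FAIL: nothing ever deletes the ACCEPT rule; add a close sequence or cmd_timeout/stop_command"; n=$((n+1))
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*tcpflags[[:space:]]*=[[:space:]]*syn'; then
        echo "FAIL: tcpflags = syn missing; non-SYN packets to the knock ports would count as knocks"; n=$((n+1))
    fi
    return "$n"
}

# A usable sequence: at least three comma-separated ports, each in 1..65535.
valid_sequence() {
    n=0
    old_ifs=$IFS; IFS=,
    for p in $1; do
        case $p in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || { IFS=$old_ifs; return 1; }
        n=$((n+1))
    done
    IFS=$old_ifs
    [ "$n" -ge 3 ]
}

# Three distinct high ports (10000-59999) drawn from /dev/urandom, for the
# replacement of the default sequence the page tells you to make.
random_sequence() {
    i=0; out=""
    while [ "$i" -lt 3 ]; do
        r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
        port=$(( 10000 + r % 50000 ))
        case ",$out," in *",$port,"*) continue ;; esac
        out="${out}${out:+,}${port}"
        i=$((i+1))
    done
    printf '%s\n' "$out"
}

if [ "${1:-}" = "--demo" ]; then
    echo "== shipped default =="; default_conf | check_knockd_conf
    echo "== hardened =="; hardened_conf /sbin/iptables "$(random_sequence)" | check_knockd_conf && echo OK
fi
```

Run it with --demo to see the default configuration fail three checks and the generated one pass, or pipe your own /etc/knockd.conf into check_knockd_conf. The 30 second window is deliberately short: it only needs to cover the SSH handshake, since the established connection is matched by the state rule rather than by the per-address ACCEPT.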

Basic Client Set Up

Install the package on the client, then run the knock command with the server's IP address followed by the knock sequence.

knock -v 122.32.36.11 7000 8000 9000

The -v is verbose so you can verify the sequence.


Here is what the log at /var/log/knockd.log should look like for a successful knock and connection.

[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 1
[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 2
[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 3
[2007-11-04 01:38] 122.32.36.11: openSSH: OPEN SESAME
[2007-11-04 01:38] openSSH: running command: /sbin/iptables -I INPUT -s 122.32.36.11 -p tcp --dport 22 -j ACCEPT
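The log is also the place to check who has been knocking. The script below is an added example, not part of the original page or of knockd: it summarises a knockd.log in the format shown above, listing addresses that started the open sequence but never finished it (a mistyped sequence, a client slower than seq_timeout, or someone probing the knock ports) and addresses whose openSSH completions outnumber their closeSSH completions, which with this configuration still hold an ACCEPT rule for port 22. The sample log lines are constructed for the example; 198.51.100.7 and 203.0.113.9 are documentation addresses, and the assumption that knockd logs OPEN SESAME for the close sequence exactly as it does for the open one is mine.

```shell
#!/bin/sh
# Added example (not from the original page or from knockd): triage a knockd.log.
# SAMPLE_LOG is constructed for this example in the format shown on the page.

SAMPLE_LOG='[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 1
[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 2
[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 3
[2007-11-04 01:38] 122.32.36.11: openSSH: OPEN SESAME
[2007-11-04 01:38] openSSH: running command: /sbin/iptables -I INPUT -s 122.32.36.11 -p tcp --dport 22 -j ACCEPT
[2007-11-04 01:52] 122.32.36.11: closeSSH: Stage 1
[2007-11-04 01:52] 122.32.36.11: closeSSH: Stage 2
[2007-11-04 01:52] 122.32.36.11: closeSSH: Stage 3
[2007-11-04 01:52] 122.32.36.11: closeSSH: OPEN SESAME
[2007-11-04 01:52] closeSSH: running command: /sbin/iptables -D INPUT -s 122.32.36.11 -p tcp --dport 22 -j ACCEPT
[2007-11-04 02:10] 198.51.100.7: openSSH: Stage 1
[2007-11-04 02:10] 198.51.100.7: openSSH: Stage 2
[2007-11-04 02:15] 198.51.100.7: openSSH: Stage 1
[2007-11-04 03:00] 203.0.113.9: openSSH: Stage 1
[2007-11-04 03:00] 203.0.113.9: openSSH: Stage 2
[2007-11-04 03:00] 203.0.113.9: openSSH: Stage 3
[2007-11-04 03:00] 203.0.113.9: openSSH: OPEN SESAME
[2007-11-04 03:00] openSSH: running command: /sbin/iptables -I INPUT -s 203.0.113.9 -p tcp --dport 22 -j ACCEPT'

# Reads a knockd.log on stdin and prints one line per (address, sequence):
#   <ip> <sequence> <attempts> <completed> <incomplete>
# attempts = "Stage 1" lines, completed = "OPEN SESAME" lines, incomplete =
# attempts that never reached the end (wrong port order or slower than seq_timeout).
knock_summary() {
    awk '
    /: Stage 1$/ || /: OPEN SESAME$/ {
        ip = $3;  sub(/:$/, "", ip)
        seq = $4; sub(/:$/, "", seq)
        key = ip " " seq
        if ($5 == "Stage") attempts[key]++
        else completed[key]++
    }
    END {
        for (k in attempts)
            printf "%s %d %d %d\n", k, attempts[k], completed[k] + 0, attempts[k] - completed[k]
    }' | sort
}

# Addresses that started the open sequence and never finished it.
incomplete_knockers() {
    knock_summary | awk '$2 == "openSSH" && $5 > 0 { print $1 }'
}

# Addresses with more completed opens than closes: with the configuration on
# this page there is no cmd_timeout, so these still have an ACCEPT for port 22.
still_open() {
    knock_summary | awk '
    $2 == "openSSH"  { opened[$1] = $4 }
    $2 == "closeSSH" { closed[$1] = $4 }
    END { for (ip in opened) if (opened[ip] > closed[ip] + 0) print ip }' | sort
}

if [ "${1:-}" = "--demo" ]; then
    echo "== summary =="; printf '%s\n' "$SAMPLE_LOG" | knock_summary
    echo "== incomplete open sequences =="; printf '%s\n' "$SAMPLE_LOG" | incomplete_knockers
    echo "== still holding an ACCEPT rule =="; printf '%s\n' "$SAMPLE_LOG" | still_open
fi
```

Against a real system, feed the live log in with knock_summary < /var/log/knockd.log and compare the still_open list with iptables -L INPUT -n; any address in both lists has had access longer than it needed.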


Now you can connect to the server using ssh.
ssh 122.32.36.11

When you are done, close the port again by sending the reverse sequence from the same address.

knock 122.32.36.11 9000 8000 7000

Here is an example of the modified iptables rules and what they look like once access is enabled. Note that -I places the rule right at the start of the INPUT chain. Use iptables -L -n if you want the source shown as an address rather than the reverse-DNS name seen here. Also note that this example chain has a policy of ACCEPT and no other rules, so port 22 was never actually blocked; on a real server you need a rule dropping or rejecting port 22 (and the knock ports) below the inserted ACCEPT, otherwise there is nothing for the knock to open.

# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source                             destination
ACCEPT     tcp  --  122-32-36-11.static.black8.net     anywhere            tcp dpt:ssh


Copyright CyberMontana Inc. and BeginLinux.com All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874