Port Knocking
Security - Training
Port knocking provides a way to close your ports on the server and still be able to connect to it. The constant battle with attacks focused on the SSH daemon is a prime example. Knockd listens at the link layer, so the ports do not need to be open. When the daemon detects hits on the knock sequence it executes a command to open the SSH port.

Knockd

The knock package contains both the daemon (knockd) and the client (knock). Install it on all systems that you will use the program with. Install the package from this site: http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki or download the RPM for CentOS 5 from:
rpm -ivh knock*.rpm

Once it is installed, edit /etc/knockd.conf. If you are using CentOS 5 you will need to change the path to iptables: the default configuration uses /usr/sbin/iptables, but on CentOS it is /sbin/iptables. The other change you will need to make is to use /sbin/iptables -I in the command, which inserts the rule at the beginning of the INPUT chain so the connection is allowed. The -A in the default configuration file appends the rule at the end of the chain, after the rules that already drop the traffic, so in most cases it will not let you connect. The default knock sequence is 7000,8000,9000, which is fine for testing, but change it once you have it figured out so you can protect your system. The seq_timeout of 5 seconds is the interval within which the whole sequence must arrive; once it completes, the command is run to allow the IP address that knocked to connect to the server. The tcpflags option is set to syn, the flag that initiates a new connection, so only SYN packets count as knocks. Once you run the knock sequence you should be able to use ssh to connect to the server. This lets you block port 22 in the firewall, because knockd sees the knock sequence at the link layer even though the port is closed.

Basic Server Setup

[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Start the daemon on the server by giving the full path to the knockd binary. Install the program on the client and then issue this command at the command line: the knock command followed by the IP address of the server and the knock sequence.

knock -v 122.32.36.11 7000 8000 9000

The -v is verbose so you can verify the sequence.
Here is what the log at /var/log/knockd.log should look like for a successful knock and connection.
[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 1
[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 2
[2007-11-04 01:38] 122.32.36.11: openSSH: Stage 3
[2007-11-04 01:38] 122.32.36.11: openSSH: OPEN SESAME
[2007-11-04 01:38] openSSH: running command: /sbin/iptables -I INPUT -s 122.32.36.11 -p tcp --dport 22 -j ACCEPT
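To see how the openSSH and closeSSH sections above behave, here is an added Python example that is not part of the original page or of knockd itself: it parses those two sections and models knockd's per-source-IP stage tracking, so the effect of seq_timeout, a wrong port, a second host, and the %IP% substitution in the command can be checked offline. The timing rule (seq_timeout bounds the whole sequence from the first knock), the function names, and the sample SYN events are assumptions constructed for the example.

```python
import re
# Constructed copy of the two knockd.conf sections shown on this page.
KNOCKD_CONF = """
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
"""
def parse_knockd_conf(text):
    """Return {section: {'sequence': [ports], 'seq_timeout': secs, 'command': str}}."""
    sections, cur = {}, None
    for line in text.splitlines():
        if m := re.fullmatch(r"\[(\w+)\]", line.strip()):
            cur = sections.setdefault(m.group(1), {})
        elif "=" in line and cur is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = ([int(p) for p in val.split(",")] if key == "sequence"
                        else int(val) if key == "seq_timeout" else val)
    return sections

class KnockTracker:
    """Per-IP stage machine per section, modelled on knockd (assumes seq_timeout spans first to last knock)."""
    def __init__(self, sections):
        self.sections = {n: s for n, s in sections.items() if "sequence" in s}
        self.state = {}  # (ip, section) -> (stage reached, time of first knock)
    def syn(self, ip, port, now):
        """Feed one SYN (source ip, dest port, seconds); return commands that fire."""
        fired = []
        for name, sec in self.sections.items():
            seq, (stage, t0) = sec["sequence"], self.state.get((ip, name), (0, 0.0))
            if stage and now - t0 > sec["seq_timeout"]:
                stage = 0                      # too slow: the sequence expired
            if port != seq[stage]:
                stage = 0                      # wrong port: reset (may be a fresh start)
            if stage == 0:
                t0 = now                       # timeout runs from the first knock
            if port == seq[stage]:
                stage += 1
            if stage == len(seq):              # "OPEN SESAME": run the command
                fired.append(sec["command"].replace("%IP%", ip))
                stage = 0
            self.state[(ip, name)] = (stage, t0)
        return fired

def replay(hits, conf=KNOCKD_CONF):
    tracker = KnockTracker(parse_knockd_conf(conf))   # (ip, port, time) events in order
    return [cmd for ip, port, now in hits for cmd in tracker.syn(ip, port, now)]
```

Feeding the three knocks from the page within five seconds yields exactly the iptables -I command the log shows; knocks that arrive too slowly, hit a wrong port, or come from two different hosts produce nothing.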
Now you can connect to the server using ssh. When you are finished, close the port again with the reverse sequence from the closeSSH section:

knock 122.32.36.11 9000 8000 7000

Here is an example of the modified iptables rules and what they look like once access is enabled. Note that -I places the rule right at the start of the INPUT chain.
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source                          destination
ACCEPT     tcp  --  122-32-36-11.static.black8.net  anywhere            tcp dpt:ssh

Copyright CyberMontana Inc. and BeginLinux.com. All rights reserved. Cannot be reproduced without written permission. Box 1262 Trout Creek, MT 59874