Linux Ports Security with Knockd
Today, i’ll show you how to use knockd to improve the security of your linux server, the more common use that i’ve saw so far is: “i’d like to connect on port 22 (ssh) but i don’t want to leave to port open for everyone..and i’ve a dynamic IP”. In these cases you can close the ports and use knockd to knock on the ports of your Linux box and let you in.
knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
Knockd it’s available in the repository of the major distributions, i’m using it on Ubuntu/Debian where the package it’s available.
knockd reads all knock/event sets from a configuration file. Each knock/event begins with a title marker, in the form [name], where name is the name of the event that will appear in the log. A special marker, [options], is used to define global options.
[options] logfile = /var/log/knockd.log [openSSH] sequence = 700,800,900 seq_timeout = 5 command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 900,800,700 seq_timeout = 5 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
This example uses two knocks. The first will allow the knocker to access port 22 (SSH), and the second will close the port when the knocker is complete. As you can see, this could be useful if you run a very restrictive (DENY policy) firewall and would like to access it discreetly.
[options] logfile = /var/log/knockd.log [opencloseSSH] sequence = 2222:udp,3333:tcp,4444:udp seq_timeout = 15 tcpflags = syn,ack start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT cmd_timeout = 10 stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
This example uses a single knock to control access to port 22 (SSH). After receiving a successful knock, the daemon will run the start_command, wait for the time specified in cmd_timeout, then execute the stop_command. This is useful to automatically
In order to make use of the following configuration scheme, it’s important that you have ESTABLISHED,RELATED rules in your iptables firewalling settings. Like this:
iptables -A INPUT -m –state ESTABLISHED,RELATED -j ACCEPT
Otherwise, you may loose your SSH session after those 10 seconds (even if you connected already).
And, of couse, the iptables DROP policy:
iptables -P INPUT DROP
How to knock
Ok, now you have set up your server, how to knock on its ports ?
The easiest way it’s to sue the
knock command, that is available in the knockd package as client.
the basic usage of knock is:
knock yourserver port:protocol port:protocol port:protocol
If you omit :protocol the default it’s to use all TCP, this can be changed using the options -u (all UDP)
Knock on 3 TCP ports:
knock 127.0.0.1 7000 8000 9000
You can use this syntax for specifying TCP and UDP packets:
knock 127.0.0.1 123:tcp 456:udp 789:tcp
Client for Window and Mac are available at the url: http://www.zeroflux.org/projects/knock