Port Knocking is a technique that consist in the protection of the access to a service. Initially the server presents no open ports to allow connections, with iptables configuring a default deny policy. The server passively monitor all the connection attempts and the client initiates a sequence of connection attempts to the server by sending SYN packets to the server. If the sequence sent by the client are in the correct order the server will open the specified port and the client can connect to the server. For an effective use of port knocking we have to:

  • Mix the use of UDP and TCP for the sequence connection.
  • Use three ports sequence number at least or more.
  • Configure a strong port number sequence, don’t use the default sequence.

The primary purpose of port knocking is protect service that can be scanned and exploited by an attacker, appearing the port number closed.
The implementation used here is the knockd daemon protecting the SSH service. You can see more information in the project web page: http://www.zeroflux.org/projects/knock

Server configuration

– Installing knockd

# apt-get install knockd

– Configuring iptables to drop as default policy for input connections:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED

– Enabling knockd:

# vi /etc/default/knockd
START_KNOCKD=1
KNOCKD_OPTS="-i eth2"

– Edit knockd configuration:

# vi /etc/knockd.conf
[options]
UseSyslog

[openSSH]
sequence = 8123:udp,3024:tcp,45567:udp
seq_timeout = 5
command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

[closeSSH]
sequence = 2222,3333,4444
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

Client connection

– Install package knockd for the knock utility:

# apt-get install knockd

– Establishing a connection with the sequence ports to open port 22:

$ knock -v 192.168.1.144 8123:udp 3024:tcp 45567:udp
hitting udp 192.168.1.144:8123
hitting tcp 192.168.1.144:3024
hitting udp 192.168.1.144:45567
[email protected] ~ $ ssh [email protected]
[email protected]'s password:

– See the rule added to iptables server:

# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 192.168.1.129 anywhere tcp dpt:ssh

– Closing the connection:

$ knock -v 192.168.1.144 2222 3333 4444
hitting tcp 192.168.1.144:2222
hitting tcp 192.168.1.144:3333
hitting tcp 192.168.1.144:4444

Server configuration to automate the port close

– Configure knockd to open ssh port and close the port after 15 seconds:

[options]
UseSyslog

[opencloseSSH]
sequence = 8123:udp,3024:tcp,45567:udp
seq_timeout = 5
tcpflags = syn
start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
cmd_timeout = 15
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

– This configuration requires in iptables to accept all the established connections remain connected after close ssh port:

# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Implementing Port Knocking
Tagged on:     

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Follow

Get every new post delivered to your Inbox

Join other followers: