Port Knocking is a technique that consist in the protection of the access to a service. Initially the server presents no open ports to allow connections, with iptables configuring a default deny policy. The server passively monitor all the connection attempts and the client initiates a sequence of connection attempts to the server by sending SYN packets to the server. If the sequence sent by the client are in the correct order the server will open the specified port and the client can connect to the server. For an effective use of port knocking we have to:
- Mix the use of UDP and TCP for the sequence connection.
- Use three ports sequence number at least or more.
- Configure a strong port number sequence, don’t use the default sequence.
The primary purpose of port knocking is protect service that can be scanned and exploited by an attacker, appearing the port number closed.
The implementation used here is the knockd daemon protecting the SSH service. You can see more information in the project web page: http://www.zeroflux.org/projects/knock
– Installing knockd
# apt-get install knockd
– Configuring iptables to drop as default policy for input connections:
# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
– Enabling knockd:
# vi /etc/default/knockd
START_KNOCKD=1 KNOCKD_OPTS="-i eth2"
– Edit knockd configuration:
# vi /etc/knockd.conf
[options] UseSyslog [openSSH] sequence = 8123:udp,3024:tcp,45567:udp seq_timeout = 5 command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn [closeSSH] sequence = 2222,3333,4444 seq_timeout = 5 command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT tcpflags = syn
– Install package knockd for the knock utility:
# apt-get install knockd
– Establishing a connection with the sequence ports to open port 22:
$ knock -v 192.168.1.144 8123:udp 3024:tcp 45567:udp hitting udp 192.168.1.144:8123 hitting tcp 192.168.1.144:3024 hitting udp 192.168.1.144:45567
[email protected] ~ $ ssh [email protected] [email protected]'s password:
– See the rule added to iptables server:
# iptables -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- 192.168.1.129 anywhere tcp dpt:ssh
– Closing the connection:
$ knock -v 192.168.1.144 2222 3333 4444 hitting tcp 192.168.1.144:2222 hitting tcp 192.168.1.144:3333 hitting tcp 192.168.1.144:4444
Server configuration to automate the port close
– Configure knockd to open ssh port and close the port after 15 seconds:
[options] UseSyslog [opencloseSSH] sequence = 8123:udp,3024:tcp,45567:udp seq_timeout = 5 tcpflags = syn start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT cmd_timeout = 15 stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
– This configuration requires in iptables to accept all the established connections remain connected after close ssh port:
# iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT