Tuesday, April 19, 2011

Knockd, to secure your ports on Linux

Today, i’ll show you how to use knockd to improve the security of your linux server, the more common use that i’ve saw so far is: “i’d like to connect on port 22 (ssh) but i don’t want to leave to port open for everyone..and i’ve a dynamic IP”. In these cases you can close the ports and use knockd to knock on the ports of your Linux box and let you in.

knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.


Knockd it’s available in the repository of the major distributions, i’m using it on Ubuntu/Debian where the package it’s available.


knockd reads all knock/event sets from a configuration file. Each knock/event begins with a title marker, in the form [name], where name is the name of the event that will appear in the log. A special marker, [options], is used to define global options.
        logfile = /var/log/knockd.log
        sequence    = 700,800,900
        seq_timeout = 5
        command     = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
        sequence    = 900,800,700
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
This example uses two knocks. The first will allow the knocker to access port 22 (SSH), and the second will close the port when the knocker is complete. As you can see, this could be useful if you run a very restrictive (DENY policy) firewall and would like to access it discreetly.
Example 2:
        logfile = /var/log/knockd.log
        sequence      = 2222:udp,3333:tcp,4444:udp
        seq_timeout   = 15
        tcpflags      = syn,ack
        start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
        cmd_timeout   = 10
        stop_command  = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
This example uses a single knock to control access to port 22 (SSH). After receiving a successful knock, the daemon will run the start_command, wait for the time specified in cmd_timeout, then execute the stop_command. This is useful to automatically
In order to make use of the following configuration scheme, it’s important that you have ESTABLISHED,RELATED rules in your iptables firewalling settings. Like this:
Otherwise, you may loose your SSH session after those 10 seconds (even if you connected already).
And, of couse, the iptables DROP policy:
iptables -P INPUT DROP

How to knock

Ok, now you have set up your server, how to knock on its ports ?
The easiest way it’s to sue the knock command, that is available in the knockd package as client.
the basic usage of knock is:
knock yourserver port:protocol port:protocol  port:protocol
If you omit :protocol the default it’s to use all TCP, this can be changed using the options -u (all UDP)
Knock on 3 TCP ports:
knock 7000 8000 9000
You can use this syntax for specifying TCP and UDP packets:
knock 123:tcp 456:udp 789:tcp
Client for Window and Mac are available at the url: http://www.zeroflux.org/projects/knock


No comments:

Post a Comment