Today I'll show you how to use knockd to improve the security of your Linux server. The most common use I've seen so far is: "I'd like to connect on port 22 (ssh), but I don't want to leave the port open for everyone, and I have a dynamic IP, so I can't just whitelist my address." In these cases you can close the port and use knockd: you knock on a secret sequence of ports on your Linux box and it lets you in. Keep in mind that the knock sequence travels in clear text, so anyone who captures it can replay it; port knocking is an extra layer in front of SSH (which should still use key authentication), not a replacement for it. If replay worries you, knockd's one_time_sequences option consumes each sequence after a single use.
knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
Installation
Knockd is available in the repositories of the major distributions; I'm using it on Ubuntu/Debian, where the package is simply called knockd. On Debian and Ubuntu the daemon stays disabled after installation until you set START_KNOCKD=1 in /etc/default/knockd; the same file's KNOCKD_OPTS is where you tell it which interface to listen on (for example -i eth0).
Configuration
knockd reads all knock/event sets from a configuration file (/etc/knockd.conf by default). Each knock/event begins with a title marker, in the form [name], where name is the name of the event that will appear in the log. A special marker, [options], is used to define global options.
Example:
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 700,800,900
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 900,800,700
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn
Example 2 (a single event that opens the port with start_command and runs stop_command cmd_timeout seconds later, so no separate close sequence is needed; the sequence also mixes UDP and TCP ports):
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 2222:udp,3333:tcp,4444:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
cmd_timeout = 10
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn --dport 22 -j ACCEPT
In order to make use of the above configuration scheme, it's important that you have an ESTABLISHED,RELATED rule in your iptables INPUT chain: the start_command in Example 2 only accepts the SYN that opens the SSH connection (--syn), and stop_command deletes that rule again after cmd_timeout seconds, so the rest of the session must be let through by the state rule. Like this:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
And, of course, the iptables DROP policy, so that port 22 really is closed until someone knocks:
iptables -P INPUT DROP
Note that Example 2 appends its rule with -A, so it lands at the end of the chain. If you have an explicit DROP or REJECT rule at the end of INPUT instead of (or as well as) the policy, the appended rule is never reached and the knock opens nothing; use -I as in the first example in that case.
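Before enabling knockd it is worth checking that the INPUT chain really satisfies these requirements. The script below is an added example, not part of the original post or of the knockd project: it reads an `iptables -S INPUT` dump and checks for the DROP policy, the ESTABLISHED,RELATED rule, and a catch-all (or port-22) DROP/REJECT rule that would shadow a rule appended with -A. The two chain dumps embedded in it are constructed sample data, not output from a real host.

```shell
#!/bin/sh
# Added example (not from the original post or the knockd project): check an
# INPUT chain dump, as produced by `iptables -S INPUT`, for the things the
# knockd examples above rely on.
#   iptables -S INPUT | sh knockd-fwcheck.sh --check    # real chain
#   sh knockd-fwcheck.sh --demo                         # constructed samples
# The dumps at the bottom are constructed sample data, not from a real host.

# check_input_chain: reads the chain dump on stdin, prints one line per
# finding, returns 0 if the chain is usable with the knockd examples, 1 if not.
check_input_chain() {
    dump=$(cat)
    rc=0

    # 1. Default policy must be DROP; otherwise port 22 was never closed and
    #    the knock protects nothing.
    if ! printf '%s\n' "$dump" | grep -q '^-P INPUT DROP$'; then
        echo "FAIL: INPUT policy is not DROP"
        rc=1
    fi

    # 2. A state rule must exist: start_command only ACCEPTs the --syn packet
    #    and stop_command deletes that rule after cmd_timeout, so the rest of
    #    the SSH session is only allowed through by ESTABLISHED,RELATED
    #    (accept both the old -m state and the newer -m conntrack spelling).
    if ! printf '%s\n' "$dump" | grep -Eq -e '--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)'; then
        echo "FAIL: no ESTABLISHED,RELATED rule in INPUT"
        rc=1
    fi

    # 3. A catch-all DROP/REJECT rule, or one that explicitly drops tcp/22,
    #    sits before anything appended later with -A (Example 2), so the
    #    knock would open nothing. start_command should use -I instead.
    if printf '%s\n' "$dump" | grep -Eq -e '^-A INPUT (-j (DROP|REJECT)|-p tcp .*--dport 22 .*-j (DROP|REJECT))'; then
        echo "WARN: DROP/REJECT rule in INPUT would shadow an appended rule; use -I instead of -A in start_command"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: INPUT chain looks usable with knockd"
    fi
    return "$rc"
}

# Constructed sample dumps for a stand-alone run (not real iptables output).
GOOD_CHAIN='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'

BAD_CHAIN='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable'

case "${1:-}" in
    --demo)
        printf '%s\n' "$GOOD_CHAIN" | check_input_chain
        printf '%s\n' "$BAD_CHAIN" | check_input_chain
        ;;
    --check)
        check_input_chain
        ;;
esac
```

The third check is deliberately narrow: a rule like `-m state --state INVALID -j DROP` also terminates, but only for packets that the knock's SYN never matches, so the script does not flag it and you should eyeball such rules yourself.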
How to knock
Ok, now that you have set up your server, how do you knock on its ports? The easiest way is to use the knock command, which ships in the knockd package as the client. The basic usage of knock is:
knock yourserver port:protocol port:protocol port:protocol
The protocol is optional and defaults to tcp. Examples:
Knock on 3 TCP ports:
knock 127.0.0.1 7000 8000 9000
Knock on a mixed TCP/UDP sequence (the form Example 2 needs):
knock 127.0.0.1 123:tcp 456:udp 789:tcp
Then open your SSH session: with Example 2 you have cmd_timeout (10) seconds before the rule is removed again; with Example 1 the rule stays until you send the closeSSH sequence.
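If the machine you are connecting from has no knock binary, the hits can be sent with plain bash. The script below is an added example, not part of the original post or of the knockd package: it turns a knockd `sequence =` value into the hits to send, reverses a sequence for the closeSSH event of Example 1, and sends each hit using bash's /dev/tcp and /dev/udp pseudo-devices. It assumes bash and GNU coreutils (timeout, fractional sleep) are installed; the host names in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original post or of the knockd package: a
# small knock client for hosts that lack the `knock` binary, with helpers that
# turn a knockd `sequence =` value into the hits to send.
# Assumptions: bash is installed (its /dev/tcp and /dev/udp pseudo-devices do
# the actual sending) and GNU timeout / fractional sleep are available.

# parse_knock_arg PORT[:PROTO] -> "PORT PROTO"; the protocol defaults to tcp,
# as it does for the knock client.
parse_knock_arg() {
    case "$1" in
        *:*) printf '%s %s\n' "${1%%:*}" "${1#*:}" ;;
        *)   printf '%s tcp\n' "$1" ;;
    esac
}

# config_to_args "2222:udp,3333:tcp,4444:udp" -> "2222:udp 3333:tcp 4444:udp"
# (the knockd config separates hits with commas, the knock command line with spaces).
config_to_args() {
    printf '%s\n' "$1" | tr ',' ' '
}

# reverse_sequence "700,800,900" -> "900,800,700": in the first config example
# the closeSSH sequence is simply the openSSH sequence reversed.
reverse_sequence() {
    out=""
    oldifs=$IFS
    IFS=','
    for p in $1; do
        if [ -z "$out" ]; then out=$p; else out="$p,$out"; fi
    done
    IFS=$oldifs
    printf '%s\n' "$out"
}

# send_knock HOST PORT PROTO: one port-hit. A TCP connect attempt emits the
# SYN that knockd matches with tcpflags = syn; a closed port answers RST and a
# filtered one stays silent, so the attempt is cut short by timeout (before the
# kernel retransmits the SYN) and the error is ignored. For UDP one datagram
# is enough.
send_knock() {
    if [ "$3" = udp ]; then
        timeout 0.5 bash -c "printf x > /dev/udp/$1/$2" 2>/dev/null || true
    else
        timeout 0.5 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null || true
    fi
}

# knock_host HOST PORT[:PROTO]...: send the hits in order with a short gap,
# well inside seq_timeout but long enough that they are not reordered.
knock_host() {
    host=$1
    shift
    for arg in "$@"; do
        hit=$(parse_knock_arg "$arg")
        send_knock "$host" "${hit%% *}" "${hit#* }"
        sleep 0.2
    done
}

# Usage matching Example 2 (placeholder host), then ssh within the 10 s cmd_timeout:
#   knock_host yourserver $(config_to_args "2222:udp,3333:tcp,4444:udp") && ssh yourserver
# For Example 1: open, work, then close with the reversed sequence:
#   knock_host yourserver 700 800 900
#   ssh yourserver
#   knock_host yourserver $(config_to_args "$(reverse_sequence 700,800,900)")
```

Prefer the real knock client when it is installed; this fallback exists for the case where you are on a box without it. Whatever client you use, tcpflags = syn in the server config means only the first packet of each connect attempt counts, so stray packets from the same host cannot break a sequence in progress.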
References:
http://www.zeroflux.org/projects/knock
http://www.portknocking.org/