Search:  
Gentoo Wiki

Port_Knocking

Merge-arrows.gifIt has been suggested that this article be Merged into one article with HOWTO Port Knocking.    (Discuss)

Contents

Knock Daemon Installation

Two tools are necessary for port knocking - iptables and the Knock Daemon. You're also going to be needing a root login.

Before we install these programs, we must make sure that the kernel has compiled-in iptables support (otherwise nothing will work). To install iptables you must enable the option "Network packet filtering (replaces ipchains)" (A.K.A. NETFILTER). You can find this option under:

Code: make menuconfig
Networking-->
 Networking options-->
  [*] Network packet filtering (replaces ipchains)

ATTENTION : The fast switching option ignores all network packet Filtering options. Make sure that it isn't enabled, or nothing we do in this guide will work.

Now recompile the kernel, reboot the system and run:

Code: /bin/bash
$ emerge net-firewall/iptables
$ emerge net-misc/knock

Next, we write our Knock Daemon config file. Here's an example securing port 22 (SSHD):

File: /etc/knockd.conf
[options]
       logfile = /var/log/knockd.log
[openSSH]
       sequence    = 7000,8000,9000
       seq_timeout = 5
       command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn
[closeSSH]
       sequence    = 9000,8000,7000
       seq_timeout = 5
       command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
       tcpflags    = syn

You may write your own (new) entries using this format or use this file as a template and modify it to your needs (like changing ports or sequences).

Note : It might be a good idea to use the iptables option -I instead of -A, since the latter simply hangs the rule onto the end of the existing iptables rule chain. If there's already an option before this that's preventing access, the rule becomes ineffectual. A rule using -I instead of -A might look something like this:

/sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

A rule closing the port can co-exist with our method in this way.

(%IP% is the address of the knocking host. That way, not all source addresses but only the address of the host that actually knocked is allowed through the firewall. The german one seems to be wrong here. It states %IP% to be the address the daemon bound to, which would make this entry useless as only local (i.e. same ip-address) connects would be allowed.)

You can also dictate the type of each knock by appending the numbers with : TCP or : UDP, as in the following example: 9000: tcp, 8000: UDP, 7000: tcp. If no type is specified, knockd defaults to TCP.

This approach is all very well, but we can save time by having the port close itself again automatically. This is achieved thus:

File: /etc/knockd.conf
[opencloseSSH]
       sequence    = 7000,8000,9000
       seq_timeout = 5
       tcpflags    = syn
       start_command = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
       cmd_timeout   = 10
       stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

In this example, you got ten seconds to establish the connection (you may increase this time if you want), after that no new connections will be accepted. Established ones won't be terminated either. That way, you don't need to worry about somebody else being able to connect during the time of your session. You just installed an automatic-door-closer.

Sequences may be changed freely. You should NEVER use the sequences taken for this HowTo but make up your own.

You should modify cmd_timeout because 10 seconds aren't much actually. 25 seconds do fit better.

To secure another service, you may use this as a template and modify sequence and port-number accordingly.

Starting the Knock Server Automatically

Code: /bin/bash
$ rc-update add knock default
$ /etc/init.d/knock start

If you want to run the Knock Daemon on an interface other than your default, you need to add the option -i <interface> to /etc/conf.d/knock:

File: /etc/conf.d/knock
OPTS="-d -i ppp0"


Additional Measures

Make sure all ports you do not want to be exposed are protected by Portknocking. To find exposed ports (i.e. running services) you may emerge nmap

Code: /bin/bash
$ emerge nmap

then run nmap &lt;your public ip-address&gt; (the german one says nmap localhost at this piont which is somehow useless as services running on the loopback don't necessarily also run on "public" interfaces and vice versa depending on the service configuration. Best is to use another machine to try "real" external connects, see comment below) to do a portscan. If you ignore tools like this, then using techniques such as portknocking becomes pretty much pointless.

With any luck, all ports protected by knockd will be either “closed” (REJECT target in iptables) or “stealth” (DROP target), until the sequence is sent (and in our example they'd go back that way after 10 seconds).

Comment: A portscan on localhost doesn't mean much - it's much better to run one on the external interface. Fortunately, a fellow named Steve Gibson runs a portscanning service called "Shields Up!" - it'll check your machine (and only yours) in a variety of handy ways. Go here: https://www.grc.com/x/ne.dll?bh0bkyd2 and click "Proceed".

Use of the Knock Clients

OK, so now we've set up our Knock Daemon. However, a daemon's pretty pointless without a client, so we have knock. This is part of the package that you emerged to get knockd, so (as long as you've been following this guide) you already have it installed.

You can get a client for Windows machines too - it's available at http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki .

If you want to knock from Linux box that doesn't already have the client installed, you could simply stick /usr/bin/knock onto a disk along with a basic BASH script like this:

Code: /bin/bash
#!/bin/bash
knock 127.0.0.1 7000 8000 9000

You can use the same syntax as above for specifying TCP and UDP packets.


Last modified: Sun, 21 Sep 2008 06:58:00 +0000 Hits: 8,389