
In computer networking, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received, the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specific port(s). A variant called Single Packet Authorization exists, where only a single 'knock' is needed, consisting of an encrypted packet.[1][2]
The primary purpose of port knocking is to prevent an attacker from scanning a system for potentially exploitable services by doing a port scan, because unless the attacker sends the correct knock sequence, the protected ports will appear closed.
knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
Install knockd
Download:
Download the source tarball from the official site.
Extract the tar.gz file:
# tar xvfz knock-0.5.tar.gz
Configure command:
# ./configure
Compile command:
# make
Install command:
# make install
Configure Knockd
The main configuration file is /etc/knockd.conf
# vi /etc/knockd.conf
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 1025,1026,1027
seq_timeout = 5
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp -m tcp --dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 1027,1026,1025
seq_timeout = 5
command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp -m tcp --dport 22 -j ACCEPT
tcpflags = syn
Choose your own port combinations in the "sequence" field, and remember that one sequence opens the SSH service and another closes it.
With the configuration above:
Open the SSH service: 1025, 1026, 1027
Close the SSH service: 1027, 1026, 1025
This would be the knock!!
Close the SSH port on the knockd server
You must make sure that SSH port 22 is closed on the server machine (the one where knockd is installed).
In my case, I execute the following command to close the SSH port:
# iptables -A INPUT -p tcp --dport 22 -j DROP
How to run the knockd server?
In my case I work with the default path of the configuration file, /etc/knockd.conf, then execute:
# knockd -c /etc/knockd.conf
For help, run:
# knockd -h
usage: knockd [options]
options:
-i, --interface
-d, --daemon run as a daemon
-c, --config
-D, --debug output debug messages
-l, --lookup lookup DNS names (may be a security risk)
-v, --verbose be verbose
-V, --version display version
-h, --help this help
Install the knock client on another machine
Then go to the other machine and install the knock client.
In my case I used Ubuntu:
# apt-get install knockd
Open the SSH port on the knockd server
Then knock on the remote server's ports:
ubuntu@user$knock 192.168.0.1 1025:tcp 1026:tcp 1027:tcp
Then try an SSH login:
ubuntu@user$ssh -l root 192.168.0.1
Note 0: If the port is open, you are asked for the SSH password.
Close the SSH port using remote knock:
ubuntu@user$knock 192.168.0.1 1027:tcp 1026:tcp 1025:tcp
Note 1: If the port is closed, when you try to start an SSH session the terminal does not respond (it hangs).
TIP !!
In my case I had to create the following configuration to open the SSH port:
In section [openSSH], in the "command" tag of the configuration file on the knockd server, add the following line:
command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp -m tcp --dport 22 -j ACCEPT && iptables -D INPUT -p tcp --dport 22 -j DROP && iptables -A INPUT -p tcp --dport 22 -j DROP
This line has three commands:
1. Open the port to the incoming IP.
2. Delete the rule that blocks the SSH port.
3. Add the rule that blocks the SSH port again.
Note 2: In my case I don't use a firewall, so I add these lines in the command tag.
Thanks!!
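As an added example (not knockd's own code), the following Python model shows how the [openSSH] sequence and seq_timeout from the configuration above are matched per source IP, how %IP% is substituted into the command, and why the TIP's three commands are needed: with first-match iptables semantics, an ACCEPT rule appended after the DROP rule never wins. The tracker is a simplified model of knockd's matching, and the chain model assumes an INPUT policy of ACCEPT.

```python
# Added example, not knockd's own code: a simplified model of how knockd
# matches a knock sequence per source IP under seq_timeout, plus a first-match
# model of the iptables INPUT chain showing why the TIP re-orders the DROP rule.
SEQ_TIMEOUT = 5                     # seconds, as in the [openSSH] section above
OPEN_SSH = [1025, 1026, 1027]       # the page's default open sequence
OPEN_CMD = "/usr/sbin/iptables -A INPUT -s %IP% -p tcp -m tcp --dport 22 -j ACCEPT"

class KnockTracker:
    """Per-source progress through a sequence; a wrong port or a timeout resets it."""
    def __init__(self, sequence, timeout=SEQ_TIMEOUT):
        self.sequence, self.timeout, self.state = sequence, timeout, {}

    def hit(self, src, port, now):
        """Record a SYN from src to port at time now; True when the sequence completes."""
        stage, started = self.state.get(src, (0, now))
        if stage and now - started > self.timeout:  # too slow: start over
            stage = 0
        if port != self.sequence[stage]:            # wrong port breaks the sequence
            self.state.pop(src, None)
            return False
        if stage == 0:
            started = now                           # timeout counts from the first hit
        stage += 1
        if stage == len(self.sequence):
            self.state.pop(src, None)
            return True
        self.state[src] = (stage, started)
        return False

def render_command(template, src):
    """Substitute %IP% the way knockd does before running the section's command."""
    return template.replace("%IP%", src)

def first_match(chain, src, dport):
    """iptables semantics: first matching rule wins; assumes chain policy ACCEPT."""
    for rule_src, rule_dport, target in chain:
        if rule_dport == dport and rule_src in (None, src):
            return target
    return "ACCEPT"

def naive_open(chain, src):
    """The original 'iptables -A ... -j ACCEPT': appended after the existing DROP."""
    return chain + [(src, 22, "ACCEPT")]

def tip_open(chain, src):
    """The TIP's three commands: append ACCEPT, delete the DROP, append DROP again."""
    chain = chain + [(src, 22, "ACCEPT")]
    chain = [r for r in chain if r != (None, 22, "DROP")]
    return chain + [(None, 22, "DROP")]
```

Feeding the tracker the three knocks within five seconds yields True only on the last one, and only the chain built by tip_open accepts the knocking host while still dropping everyone else.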