Port Knocking
Protect your Network with Port Knocking
Knocking at Heaven's Door
At this stage, you can test your installation. Yet again, I ask you to please make sure that you're not going to lock yourself out of your remote server. For sending the knocking sequence from the client side, in addition to the tiny knock binary, I've also seen a handy, lightweight Android app that conveniently sends the knocking sequence from your smartphone.
Other than adjusting the secret knock sequences, one final piece of config needs to change, which means going back to the higher level file /etc/default/knockd to set the daemon live. First, change the interface setting to the network card on which you want knockd to listen:
KNOCKD_OPTS="-i eth0"
Then enable the daemon, so that the init script actually starts it:
START_KNOCKD=1
This next part is optional, but before restarting the daemon, I suggest adding the -D (debug) option to the init.d startup script and watching your logfile closely. If you get stuck, it's probably thanks to a superfluous character in /etc/knockd.conf. If push comes to shove, you can packet sniff your connection to make sure your knocks are actually reaching the server.
To add debugging information to your logfile, add -D to the OPTIONS line in /etc/init.d/knockd, paying careful attention to the spacing inside the double quotation marks on that line (be sure to make a copy of the file before editing):
OPTIONS=" -d -D"
Here -d tells knockd to run as a daemon, as it did before, and -D turns on the debug output.
After restarting the daemon so that it reads the new configuration,
service knockd restart
you're ready to go.
Come On In
To see if you can get access, run through the following tests:
1. Check first that you don't have access to the SSH server (i.e., that the IP address from which you'll be connecting to the server isn't already in /etc/hosts.allow in one incarnation or another, such as inside a wide IP range or under a DNS name).
2. Send your opening knock sequence to append your IP address to the end of /etc/hosts.allow, and check /var/log/knockd.log for an OPEN SESAME line, which denotes success. You can watch /etc/hosts.allow in real time (or at least with an update every second) in another terminal with:
watch -n1 cat /etc/hosts.allow
3. Assuming you now have access, try closing it again with the other knocking sequence, as in this example of the tiny knock client program knocking on ports 1022, 3022, and 3024 (-v makes it report each hit):
knock -v 12.34.56.78 1022 3022 3024
To knock on UDP ports rather than TCP ports, you can switch every port in the sequence to UDP with the -u parameter:
knock -vu 203.1.2.3 2022 3022 3022
However, as one of the examples in the knockd documentation shows, it's also perfectly possible to mix TCP and UDP ports within one sequence at the client side,
knock myserver.example.com 123:tcp 456:udp 789:tcp
thus making the sequence harder to guess, akin to mixing upper- and lowercase letters in a password: an attacker now has to get the protocol of every hit right, as well as the port and the order.
If all has gone well, you will have seen a line appended to /etc/hosts.allow and then seen that same line deleted again after locking access with your second knocking sequence.
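The client side of the tests above, as an added example that is neither the article's code nor the knock program itself: a small Python knock client that understands knock's port[:tcp|udp] syntax (with a -u style default for bare ports) and a helper that pulls the OPEN SESAME lines out of knockd.log so you can confirm which address completed which door. The server address, the ports and the sample log lines are constructed placeholders, and the log line layout it parses ("[date] IP: door: OPEN SESAME") is an assumption about knockd's format that you should check against your own log before relying on it.

```python
"""Added example: a minimal port-knock client in the spirit of knock(1), plus
a checker for the OPEN SESAME lines knockd writes when a sequence completes.
Not the article's code and not the real knock program.  Host, ports and the
sample log are constructed placeholders; the log line layout
"[date] <ip>: <door>: OPEN SESAME" is an assumption about knockd's format."""
import re
import socket
import sys
import time

VALID_PROTOS = ("tcp", "udp")


def parse_sequence(tokens, default_proto="tcp"):
    """Turn knock-style tokens ("1022", "456:udp") into (port, proto) pairs.

    default_proto plays the role of knock's -u switch: "udp" makes every bare
    port a UDP knock.  Malformed tokens raise ValueError instead of quietly
    sending a sequence that knockd will never match.
    """
    if default_proto not in VALID_PROTOS:
        raise ValueError(f"unknown protocol {default_proto!r}")
    seq = []
    for tok in tokens:
        port_s, _, proto = tok.partition(":")
        proto = (proto or default_proto).lower()
        if proto not in VALID_PROTOS:
            raise ValueError(f"unknown protocol in {tok!r}")
        if not port_s.isdigit() or not 1 <= int(port_s) <= 65535:
            raise ValueError(f"bad port in {tok!r}")
        seq.append((int(port_s), proto))
    return seq


def knock(host, tokens, default_proto="tcp", delay=0.1, dry_run=False):
    """Send the sequence to host one hit at a time; return the hits made.

    knockd only needs to see the SYN of a TCP hit, so the connect attempt is
    expected to fail (the port is normally closed or filtered).  A UDP hit is
    an empty datagram.  delay spaces the hits out like knock's -d option.
    dry_run=True returns the planned hits without touching the network.
    """
    hits = []
    for port, proto in parse_sequence(tokens, default_proto):
        if not dry_run:
            kind = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
            with socket.socket(socket.AF_INET, kind) as s:
                s.settimeout(0.5)
                try:
                    if proto == "tcp":
                        s.connect_ex((host, port))  # RST or timeout is fine
                    else:
                        s.sendto(b"", (host, port))
                except OSError:
                    pass  # unreachable/refused: nothing more to do for this hit
            time.sleep(delay)
        hits.append((port, proto))
    return hits


# Assumed knockd layout: "[2024-03-01 10:00:02] 203.0.113.9: openSSH: OPEN SESAME"
OPEN_SESAME_RE = re.compile(r"^\[[^\]]*\]\s+(\S+):\s+(\S+):\s+OPEN SESAME\s*$")


def open_sesame_hits(log_text):
    """Return (ip, door) for each completed sequence recorded in a knockd log."""
    return [m.groups() for m in map(OPEN_SESAME_RE.match, log_text.splitlines()) if m]


# Constructed sample log for the checker; not real knockd output.
SAMPLE_LOG = """\
[2024-03-01 10:00:01] 203.0.113.9: openSSH: Stage 1
[2024-03-01 10:00:01] 203.0.113.9: openSSH: Stage 2
[2024-03-01 10:00:02] 203.0.113.9: openSSH: Stage 3
[2024-03-01 10:00:02] 203.0.113.9: openSSH: OPEN SESAME
[2024-03-01 10:05:40] 198.51.100.7: openSSH: Stage 1
[2024-03-01 10:05:47] 198.51.100.7: openSSH: Stage 1
"""

if __name__ == "__main__":
    # Usage: python3 knock.py [-u] HOST PORT[:tcp|udp] ...
    args = sys.argv[1:]
    proto = "tcp"
    if args and args[0] == "-u":
        proto, args = "udp", args[1:]
    if len(args) < 2:
        sys.exit("usage: knock.py [-u] HOST PORT[:tcp|udp] ...")
    for port, p in knock(args[0], args[1:], proto):
        print(f"hit {args[0]}:{port} ({p})")
```

The checker deliberately ignores the Stage lines: the second address in the sample never gets past stage 1, which is exactly the pattern you would see from someone probing your ports, so only a full OPEN SESAME counts as a success.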
More, More, More
Critics of port knocking claim that it's nothing more than security through obscurity, a term used to describe the act of hiding valuable resources that might be there for the taking, as opposed to actually securing them with locks and keys and suchlike.
Indeed, they have a point: a fixed knock sequence travels in the clear, so anyone who can sniff the path between you and the server can replay it, and it must never stand in for proper authentication on the service it guards. Alongside your other security measures, however, port knocking is a helpful extra layer for an attacker to penetrate. You have to admit that using iptables and so forth to hide your precious ports from the world at large is a really nice, if somewhat clandestine, touch.
Although TCP Wrappers won't be for everyone, I wanted to demonstrate how customizable knockd is. For those who prefer firewall rules to tcpd, Listings 5 and 6 show start and stop commands for the Uncomplicated Firewall (UFW; Listing 5) and for iptables (Listing 6); they replace the start_command and stop_command lines in the door sections of /etc/knockd.conf, and knockd substitutes the knocker's address for %IP% when it runs them. Your mileage may vary.
Listing 5
UFW Start and Stop Commands
start_command = ufw allow from %IP% to any port 22
stop_command = ufw delete allow from %IP% to any port 22
Listing 6
Iptables Start and Stop Commands
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
stop_command = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT