Howto: Port knocking with knockd

A collection of tips on howto tweak your Bubba.
mad
Posts: 43
Joined: 11 Oct 2008, 14:48

Post by mad » 27 Nov 2008, 12:02

Quick and dirty...

1. Make sure you have root privileges.
2. Install knockd package

apt-get install knockd
3. Edit /etc/knockd.conf in your favourite editor

emacs -nw /etc/knockd.conf
Below is an example of what you might like to end up with.

[options]
        logfile = /var/log/knockd.log

[FTP]
        sequence    = 99,2,155
        seq_timeout = 5
        tcpflags    = syn
        start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp --dport 21 -j ACCEPT
        cmd_timeout = 600
        stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp -dport 21 -j ACCEPT

[SSH]
        sequence    = 1024,35,2,2048
        seq_timeout = 5
        tcpflags    = syn
        start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
        cmd_timeout = 180
        stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
The [FTP] and [SSH] sections are examples of how you might want to configure knock rules. Each knock rule section must start with a unique identifier enclosed in [] brackets.
The sequence option is a comma separated list of port numbers that have to be "knocked" in the defined sequence to activate the rule.
The seq_timeout option defines how much time a client has to perform the knock.
The tcpflags option is beyond the scope of this howto, read the manual.
The start_command is a command to be run when this rule is triggered. It can be pretty much anything, in this case it would open port 22 in the firewall to the IP address that issued the knock.
The cmd_timeout option specifies how long the window between the start_command and the stop_command is.
And finally the stop_command is a command that is run (in this case) when cmd_timeout seconds have elapsed since the knock. Here it closes the hole in the firewall again by deleting the rule that opened it.

There are lots of other possibilities, again read the manual if you want more.
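To make the interplay of sequence, seq_timeout, tcpflags and cmd_timeout concrete, here is an added example (written for this howto, not knockd's own code) that parses a constructed knockd.conf containing the [SSH] rule above and replays constructed knocks against it. It is a simplified model of the daemon: a knock on the wrong port discards that source's attempt, an attempt older than seq_timeout is started over, and non-SYN packets are ignored when tcpflags = syn; the real daemon's edge-case handling may differ.

```python
from __future__ import annotations

import configparser
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed config text mirroring the [SSH] rule from the howto.
KNOCKD_CONF = """
[options]
    logfile = /var/log/knockd.log

[SSH]
    sequence    = 1024,35,2,2048
    seq_timeout = 5
    tcpflags    = syn
    start_command = /sbin/iptables -A INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout = 180
    stop_command = /sbin/iptables -D INPUT -i eth0 -s %IP% -p tcp --dport 22 -j ACCEPT
"""


@dataclass
class Rule:
    name: str
    sequence: List[int]
    seq_timeout: float
    cmd_timeout: float
    start_command: str
    stop_command: str
    tcpflags: str


@dataclass
class Knock:
    ts: float      # seconds, arbitrary epoch
    src: str       # source address of the packet
    dport: int     # destination port that was "knocked"
    syn: bool      # True if the packet had only the SYN flag set


def load_rules(conf_text: str) -> List[Rule]:
    """Parse every [section] except [options] into a Rule."""
    # interpolation=None so the literal %IP% placeholder is not treated as a format string
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    rules = []
    for name in cp.sections():
        if name == "options":
            continue
        s = cp[name]
        rules.append(Rule(
            name=name,
            sequence=[int(p) for p in s["sequence"].split(",")],
            seq_timeout=float(s["seq_timeout"]),
            cmd_timeout=float(s["cmd_timeout"]),
            start_command=s["start_command"],
            stop_command=s["stop_command"],
            tcpflags=s.get("tcpflags", ""),
        ))
    return rules


@dataclass
class KnockMatcher:
    """Tracks each source address's progress through one rule's sequence."""
    rule: Rule
    progress: Dict[str, Tuple[int, float]] = field(default_factory=dict)  # src -> (next index, first-knock ts)
    actions: List[Tuple[float, str]] = field(default_factory=list)        # (ts, command) the daemon would run

    def feed(self, k: Knock) -> Optional[str]:
        if self.rule.tcpflags == "syn" and not k.syn:
            return None  # only SYN packets count toward the sequence
        idx, t0 = self.progress.get(k.src, (0, k.ts))
        if idx > 0 and k.ts - t0 > self.rule.seq_timeout:
            idx, t0 = 0, k.ts  # stale attempt: start over from the first port
        if k.dport != self.rule.sequence[idx]:
            self.progress.pop(k.src, None)  # wrong port: discard this attempt
            return None
        idx += 1
        if idx < len(self.rule.sequence):
            self.progress[k.src] = (idx, t0)
            return None
        self.progress.pop(k.src, None)
        start = self.rule.start_command.replace("%IP%", k.src)
        stop = self.rule.stop_command.replace("%IP%", k.src)
        self.actions.append((k.ts, start))
        self.actions.append((k.ts + self.rule.cmd_timeout, stop))  # window closes after cmd_timeout
        return start


def simulate(rules: List[Rule], knocks: List[Knock]):
    """Replay knocks in time order; return which rules opened for whom, and all commands scheduled."""
    matchers = [KnockMatcher(r) for r in rules]
    opened = []
    for k in sorted(knocks, key=lambda k: k.ts):
        for m in matchers:
            if m.feed(k):
                opened.append((m.rule.name, k.src, k.ts))
    return opened, [a for m in matchers for a in m.actions]


def run_demo():
    # Constructed traffic: one correct knock, one too slow, one with a non-SYN knock in the middle.
    seq = [1024, 35, 2, 2048]
    good = [Knock(100.0 + i * 0.5, "10.0.0.5", p, True) for i, p in enumerate(seq)]
    slow = [Knock(200.0 + i * 2.0, "10.0.0.9", p, True) for i, p in enumerate(seq)]   # 6 s total > seq_timeout
    nosyn = [Knock(300.0 + i * 0.5, "10.0.0.7", p, i != 2) for i, p in enumerate(seq)]  # third knock lacks SYN
    return simulate(load_rules(KNOCKD_CONF), good + slow + nosyn)


if __name__ == "__main__":
    opened, actions = run_demo()
    print("opened:", opened)
    for ts, cmd in actions:
        print(f"t={ts}: {cmd}")
```

Only 10.0.0.5 triggers the rule; the replayed commands show the ACCEPT rule being added at the time of the last knock and deleted cmd_timeout seconds later, which is the window you have to connect in.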

Once you are satisfied with your rules go on to the next step.
4. Edit /etc/default/knockd in your favourite editor.

emacs -nw /etc/default/knockd
You want to end up with something like this:

################################################
#
# knockd's default file, for generic sys config
#
################################################

# control if we start knockd at init or not
# 1 = start
# anything else = don't start
START_KNOCKD=1

# command line options
KNOCKD_OPTS="-i eth0"
Assuming your WAN interface is eth0.
5. Make sure knockd starts at boot.

update-rc.d knockd defaults
6. Start knockd.

/etc/init.d/knockd start
7. Test knockd.
On the server with knockd installed:

tail -f /var/log/knockd.log
If you get a successful knock you will see it here.

On a client machine:
Install some kind of port knocking "client" (the knockd package comes with one).

# knock <someserver.somedomain.com> <knock sequence>
# ssh/ftp <someserver.somedomain.com>
That's it!
