knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
The following instructions will guide you to implement a small knockd service in your client-server system.
In this example I will secure access to the default SSH port 22 by using port knocking. Keep in mind what this buys you: the port is invisible to scanners until the sequence is sent, but the sequence itself crosses the network in clear and can be replayed by anyone who captures it, so it is an extra layer in front of SSH, not a replacement for key-based authentication.
So let us have a look at the initial status.
Port 22 on the server 220.127.116.11 is open, and the client 18.104.22.168 can connect to it.
Now we will secure the server:
In this example I am using UFW, the default firewall of Ubuntu. To install UFW use the following command:
$ sudo apt-get install ufw
We will deny all incoming traffic by default, so that no port is reachable until knockd opens it. Use the following command (do this from the console or from a session you can afford to lose: once the firewall is enabled, the SSH session you are using will no longer accept new connections):
$ sudo ufw default deny
Enable the firewall by using the command:
$ sudo ufw enable
So now your firewall is enabled and working. You can check the status by using the following command:
$ sudo ufw status
Now when I try to access port 22 from another system, the connection fails, because the firewall is active and denies it:
- Install knockd on both the client and the server
The package contains both the knockd daemon and the knock client, so the same command is used on both machines:
$ sudo apt-get install knockd
After installation you need to edit the knockd configuration (/etc/knockd.conf). knockd expects an [options] section followed by one named section per knock sequence; the section name (openSSH here) is arbitrary and only appears in the log. I have used the following configuration:
[options]
    logfile = /var/log/knockd.log

[openSSH]
    sequence      = 7000,8000,9000
    seq_timeout   = 5
    tcpflags      = syn
    start_command = /usr/sbin/ufw allow from %IP% to any port 22
    cmd_timeout   = 100
    stop_command  = /usr/sbin/ufw delete allow from %IP% to any port 22
knockd replaces %IP% with the source address of the knocking packets, so only the knocker's address is let through (if the client sits behind NAT, that is the NAT's public address). The commands are run as root by the daemon, which is why the full path to ufw is given rather than relying on a PATH.
- sequence: the ports that must be hit, in this order, to trigger the door. A hit on a port that is not the next one in the sequence resets the progress for that source address.
- seq_timeout: the number of seconds, counted from the first hit, within which the whole sequence must be completed. If it expires, the partial sequence is discarded and the client has to start over.
- start_command: the command executed after a successful knock sequence has been observed.
- tcpflags: the TCP flags a packet must carry to count as a knock. With syn, only connection attempts count, so stray ACK or RST packets (for example from a port scanner) cannot advance or disturb a sequence.
- cmd_timeout: the number of seconds after start_command before stop_command is run, i.e. how long the hole stays open for new connections.
- stop_command: the command executed once cmd_timeout has expired; here it removes the rule that start_command added.
- Start the knockd service on the server. On Ubuntu and Debian the init script refuses to start the daemon until START_KNOCKD=1 is set in /etc/default/knockd (set KNOCKD_OPTS="-i eth0" there as well if the interface to listen on is not the default one):
$ sudo service knockd start
- Now knock the ports from the remote client, using the knock client that ships with the package (-v prints each hit as it is sent):
$ knock -v 22.214.171.124 7000 8000 9000
In my example I have used the sequence 7000 8000 9000, matching the sequence line in /etc/knockd.conf. The knocks must be sent in that order and all within seq_timeout (5 seconds here), which knock does by default. A wrong or out-of-order port resets the attempt, so check /var/log/knockd.log on the server if nothing opens.
- Check the firewall status of the server:
$ sudo ufw status
- Firewall status
The firewall has opened port 22 for the system with IP 126.96.36.199 only; every other source address is still denied.
- Log in from the remote client:
$ ssh 188.8.131.52
You are now able to log in. If you try logging in after the timeout period (cmd_timeout, 100 seconds here) has expired, you will see that the port has been closed again. A session that was already established keeps working after the rule is deleted, because ufw accepts packets belonging to established connections before the port rules are consulted; only new connections are blocked until the next successful knock.
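To make the timing rules above concrete, the following is an added example of mine, not knockd's source code and not part of the original page: a small model of how knockd matches a sequence (sequence, seq_timeout, tcpflags, start_command, cmd_timeout, stop_command, with the same values as the configuration above), fed with constructed packets so the good, out-of-order, too-slow and noisy cases can be compared offline, plus a minimal knock client that sends the SYNs the way the knock tool does. The source address 10.0.0.5, the packet trace and the timestamps are all constructed for the demonstration.

```python
"""Model of knockd's sequence matching plus a minimal knock client.

Added example; not knockd's own code. It follows the documented meaning of
the options used in /etc/knockd.conf above so the timing rules can be tried
offline. Addresses, packets and timestamps below are constructed.
"""
import socket
from dataclasses import dataclass, field

SYN = frozenset({"syn"})


@dataclass
class Knock:
    """One observed packet: source address, destination port, TCP flags, time (s)."""
    src: str
    dport: int
    flags: frozenset
    ts: float


@dataclass
class KnockdModel:
    sequence: tuple                     # ports that must be hit in this order
    seq_timeout: float                  # seconds from first hit to last hit
    cmd_timeout: float                  # seconds the hole stays open
    tcpflags: frozenset = SYN           # flags a packet must carry to count
    _progress: dict = field(default_factory=dict)   # src -> (next index, first hit time)
    _open: list = field(default_factory=list)       # (deadline, src) awaiting stop_command
    commands: list = field(default_factory=list)    # what knockd would have executed

    def start_command(self, ip):
        return f"ufw allow from {ip} to any port 22"

    def stop_command(self, ip):
        return f"ufw delete allow from {ip} to any port 22"

    def tick(self, now):
        """Run stop_command for every hole whose cmd_timeout has elapsed."""
        still_open = []
        for deadline, src in self._open:
            if now >= deadline:
                self.commands.append(self.stop_command(src))
            else:
                still_open.append((deadline, src))
        self._open = still_open

    def observe(self, pkt):
        """Feed one packet; returns True when it completed a sequence."""
        self.tick(pkt.ts)
        if not self.tcpflags <= pkt.flags:
            return False                # tcpflags = syn: non-SYN packets are ignored
        idx, first = self._progress.get(pkt.src, (0, pkt.ts))
        if idx and pkt.ts - first > self.seq_timeout:
            idx, first = 0, pkt.ts      # too slow: the partial sequence is discarded
        if pkt.dport != self.sequence[idx]:
            idx, first = 0, pkt.ts      # wrong or out-of-order port: start over
            if pkt.dport != self.sequence[0]:
                self._progress.pop(pkt.src, None)
                return False
        idx += 1
        if idx == len(self.sequence):
            self._progress.pop(pkt.src, None)
            self.commands.append(self.start_command(pkt.src))
            self._open.append((pkt.ts + self.cmd_timeout, pkt.src))
            return True
        self._progress[pkt.src] = (idx, first)
        return False


def replay(hits, src="10.0.0.5", flags=SYN):
    """Run a constructed (port, time) trace through the model; returns the commands."""
    model = KnockdModel(sequence=(7000, 8000, 9000), seq_timeout=5, cmd_timeout=100)
    for dport, ts in hits:
        model.observe(Knock(src, dport, flags, ts))
    return model.commands


def knock(host, ports, timeout=0.2):
    """Hit each port in order, like `knock host 7000 8000 9000`.
    A plain connect() emits the SYN knockd listens for; closed or filtered
    ports never answer, so a short timeout keeps the sequence fast (well
    inside seq_timeout) and the socket is closed before the kernel retransmits."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass                        # expected: only the SYN matters
        finally:
            s.close()


if __name__ == "__main__":
    print("in order, in time:", replay([(7000, 0.0), (8000, 0.5), (9000, 1.0)]))
    print("out of order:     ", replay([(7000, 0.0), (9000, 0.5), (8000, 1.0)]))
    print("too slow:         ", replay([(7000, 0.0), (8000, 3.0), (9000, 6.0)]))
```

Two points the traces bring out: a sequence that takes longer than seq_timeout never opens anything, even though every port was hit in the right order, and an out-of-order hit throws the attempt away rather than being skipped. The knock() function is the same thing the knock tool does with -v; run it against the server address and then check ufw status on the server as in the steps above.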