Implementing knockd in Ubuntu


knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special “knock” sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open — since knockd listens at the link-layer level, it sees all traffic even if it’s destined for a closed port. When the server detects a specific sequence of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.

The following instructions will guide you through implementing a small knockd service in a client-server setup.

In this example I will try to secure access to the default ssh port 22 by using port knocking.

So let us have a look at the initial status.

Port 22 on the server 20.0.0.7 is open, and the client 20.0.0.6 can access it.

Default Status

Now we will secure the server:

  • Install a firewall.

In this example I am using UFW, the default firewall of Ubuntu. To install UFW use the following command:

        $ sudo apt-get install ufw

  • Secure the firewall

We will deny all incoming connections to the server by default. Use the following command:

        $ sudo ufw default deny

Securing Firewall

  • Enable the firewall

Enable the firewall by using the command:

        $ sudo ufw enable

Firewall Enabled

So now your firewall is enabled and working. You can check the status by using the following command:

        $ sudo ufw status

Now I tried to access port 22 from another system. Since the firewall is now active, the connection failed:

Access Denied

  • Install knockd on both the client and the server

Use the following command to install knockd on both the client and the server:

        $ sudo apt-get install knockd

  • Configure knockd:

After installation you need to edit the knockd configuration (/etc/knockd.conf). I have used the following configuration:

[options]
      logfile = /var/log/knockd.log

[SSH]
      sequence      = 7000,8000,9000
      seq_timeout   = 5
      start_command = ufw allow from %IP% to any port 22
      tcpflags      = syn
      cmd_timeout   = 100
      stop_command  = ufw delete allow from %IP% to any port 22

Explanations:

  • sequence: the ports that must be hit, in this order, to complete the knock.
  • seq_timeout: the time in seconds within which the whole sequence must be completed. If the ports are hit in the right order but this timeout expires first, the attempt is discarded.
  • start_command: the command executed once a successful knock sequence has been detected.
  • tcpflags: the type of TCP packet that counts as a knock; generally it is the SYN request.
  • cmd_timeout: the time in seconds after start_command has run before the access is closed again.
  • stop_command: the command executed once cmd_timeout has expired.
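To make these options concrete, here is an added example that is not from the original post or from the knockd project: it parses the configuration shown above and replays constructed packet traces through a simplified model of knockd's matcher. It shows that the ports must be hit in the configured order, within seq_timeout seconds of the first hit, with the required tcpflags, and that stop_command is scheduled cmd_timeout seconds after start_command runs. The embedded conf text and the packet traces are constructed copies of this page's values (client 20.0.0.6, ports 7000 8000 9000); the matcher is a simplification written for illustration, not knockd's own code.

```python
import re
from dataclasses import dataclass

# Constructed copy of the /etc/knockd.conf shown above, embedded so the example runs offline.
KNOCKD_CONF = """\
[options]
      logfile = /var/log/knockd.log

[SSH]
      sequence    = 7000,8000,9000
      seq_timeout = 5
      start_command = ufw allow from %IP% to any port 22
      tcpflags    = syn
      cmd_timeout   = 100
      stop_command  = ufw delete allow from %IP% to any port 22
"""

def parse_knockd_conf(text):
    """Parse the INI-like knockd.conf into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections

@dataclass
class Door:
    name: str
    sequence: list      # ports, in the order they must be hit
    seq_timeout: int    # seconds allowed between the first and the last hit
    tcpflags: str       # TCP flags a packet must carry to count, e.g. "syn"
    start_command: str
    cmd_timeout: int    # seconds after start_command until stop_command runs
    stop_command: str

def door_from_conf(name, opts):
    """Build a Door from one parsed [SECTION] of knockd.conf (not [options])."""
    return Door(name, [int(p) for p in opts["sequence"].split(",")],
                int(opts["seq_timeout"]), opts.get("tcpflags", ""),
                opts["start_command"], int(opts.get("cmd_timeout", 0)),
                opts.get("stop_command", ""))

def simulate(door, packets):
    """Replay (time_s, src_ip, dst_port, flags) packets through a simplified model of
    knockd's matcher; return the commands it would run as (time_s, command)."""
    actions = []
    stage = {}  # src_ip -> (index of next expected port, time of first hit)
    for t, ip, port, flags in sorted(packets):
        if door.tcpflags and flags != door.tcpflags:
            continue  # not the packet type this door listens for
        idx, t0 = stage.get(ip, (0, t))
        if idx > 0 and t - t0 > door.seq_timeout:
            idx, t0 = 0, t  # too slow: the partial sequence is discarded
        if port != door.sequence[idx]:
            stage.pop(ip, None)  # a wrong port breaks the sequence
            continue
        idx += 1
        if idx < len(door.sequence):
            stage[ip] = (idx, t0)  # correct so far; wait for the next port
            continue
        # Full sequence seen in time: run start_command, schedule stop_command.
        stage.pop(ip, None)
        actions.append((t, door.start_command.replace("%IP%", ip)))
        if door.stop_command and door.cmd_timeout:
            actions.append((t + door.cmd_timeout, door.stop_command.replace("%IP%", ip)))
    return sorted(actions)

def ssh_door():
    """The [SSH] door from the embedded configuration."""
    return door_from_conf("SSH", parse_knockd_conf(KNOCKD_CONF)["SSH"])

def trace(hits, ip="20.0.0.6", flags="syn"):
    """Constructed packet trace from (time_s, port) pairs for one client."""
    return [(t, ip, port, flags) for t, port in hits]

# Constructed traces for the client used on this page.
GOOD_KNOCK = trace([(0, 7000), (1, 8000), (2, 9000)])
SLOW_KNOCK = trace([(0, 7000), (3, 8000), (7, 9000)])   # last hit 7 s after the first
WRONG_ORDER = trace([(0, 7000), (1, 9000), (2, 8000)])
NOT_SYN = trace([(0, 7000), (1, 8000), (2, 9000)], flags="ack")

if __name__ == "__main__":
    for label, pkts in [("good", GOOD_KNOCK), ("slow", SLOW_KNOCK),
                        ("wrong order", WRONG_ORDER), ("not syn", NOT_SYN)]:
        print(f"{label:12} -> {simulate(ssh_door(), pkts)}")
```

Running it prints one line per trace: only the good knock yields commands, the `ufw allow` for 20.0.0.6 at t=2 and the matching `ufw delete allow` at t=102 (cmd_timeout later); the slow, out-of-order and non-SYN traces produce nothing, which is exactly why seq_timeout and tcpflags matter when choosing values for your own configuration.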

  • Start the knockd service on the server:

        $ sudo service knockd start

Starting knockd service

  • Now knock the ports from the client (20.0.0.6):

        $ knock -v 20.0.0.7 7000 8000 9000

Knocking remote server

In my example I have used the sequence 7000 8000 9000.

  • Check the firewall status of the server:

        $ sudo ufw status

Firewall status

The firewall has opened port 22 for the system with IP 20.0.0.6.

  • Log in from the client:

        $ ssh 20.0.0.7

Successfully logging in

You are now able to log in. If you try logging in after the timeout period has expired, you will see that the port has been blocked again.

Latest Comments
  1. Bernd

    FYI
    You could even use knockd to blackhole %IP% on a specific sequence.
    All you have to do is add a [BLACKHOLE] (or whatever you name it) sequence to knockd.conf,
    i.e.
    [BLACKHOLE] (or whatever you named it)
    sequence = 9090:tcp,80:tcp
    seq_timeout = 60
    command = ip route add blackhole %IP%
    Then a blackhole route is added to your routing table
    and the attacker gets blackholed.

    To remove the blackhole you could use a cmd_timeout of, let's say, 360 secs (1 hr) to trigger the stop_command (ip route del blackhole %IP%).
    The knockd is flexible :)

    greetings from germany
    Bernd aka MiDoX
