The sys admin's daily grind: Knockd

Knock-Knock

Article from Issue 94/2008
Author(s):

Horror stories are full of scary characters knocking on doors at night. On Linux, we just call this port knocking, and it can actually be quite useful.

If you prefer not to have an obvious administrative port for your iptables firewall – but do need a secret one – port knocking is an interesting option that can put off script-based attacks. For the ambitious but secretive admin, the tool of choice is Knockd [1].

The package includes two components: Knock is the client that sends knocking signals, which the Knockd daemon receives.

Knocking

To monitor the process, Knock, the knocking client, only needs the port number on which to knock and a -v option.

For example:

knock -v 10.0.0.42 7000 8000 9000

The tool responds immediately with the command-line output shown in Figure 1.

Figure 1: If it recognizes the knock signal, the tool responds.

The /etc/knockd.conf configuration file lets the system administrator specify the action the daemon performs when it receives a valid hit.

See Listing 1 for an example.

Listing 1

/etc/knockd.conf

01 [options]
02    logfile = /var/log/knockd.log
03 [openSSH]
04    sequence    = 7000,8000,9000
05    seq_timeout = 5
06    command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
07    tcpflags    = syn
08 [closeSSH]
09    sequence    = 9000,8000,7000
10    seq_timeout = 5
11    command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
12    tcpflags    = syn

In a production environment, choose a more unusual port number, of course.

Morse Code for Fun and Profit

If it recognizes the signal, Knockd opens up port 22 for the requesting IP, which passes in its own IP (see Figure 2).

Figure 2: The Knockd daemon uses iptables to open up port 22 for the requesting IP, but only if it recognizes the knock signal.

If you knock on the ports in the wrong order, the daemon will shut down SSH access. Scatterbrained admins (like me) have another option – knockd.conf, which looks like this:

start_command = /usr/sbin/iptables -A INPUTU
 -s %IP% -p tcp --syn --dport 22 -j ACCEPT
cmd_timeout = 10
stop_command = /usr/sbin/iptables -D INPUTU
 -s %IP% -p tcp --syn --dport 22 -j ACCEPT

After knocking, the daemon launches start_command, then waits the number of minutes specified in cmd_timeout before executing stop_command.

Conclusion

Really paranoid system administrators will relish the option of configuring a file with a sequence of ports. Each sequence expires after use.

The Author

Charly Kühnast is a Unix operating system administrator at the Data Center in Moers, Germany. His tasks include firewall and DMZ security and availability. He divides his leisure time into hot, wet, and eastern sectors, where he enjoys cooking, fresh water aquariums, and learning Japanese, respectively.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Charly's Column

    Conventional, woodpecker-style port knocking is open to sniffing and brute force knocking attacks. Sending an encrypted packet with an access request to the server is safer and more modern. Learn more about Firewall Knock Operator, a.k.a. Fwknop.

  • Single-Packet Port Knocking

    If you are looking for an extra layer of remote access security, try single-packet port knocking.

  • Charly’s Column: PortSentry

    To celebrate 10 years of his column, Charly sets up a sensitive detector that measures the cosmic background radiation of the Internet.

  • Charly's Column – Whowatch

    For no particular reason, Charly occasionally patrols his server farm and hunts down attackers. He has put together a neat toolbox for this job.

  • Charly's Column

    Checking email for viruses is typically the domain of the SMTP gateway or a server directly downstream of it. In this month’s column, Charly decides to move this protection to the other side – that is, to the client connections
    with their SMTP and POP servers.

comments powered by Disqus

Direct Download

Read full article as PDF:

Charly_Column.pdf  (110.18 kB)

News

njobs Europe
What:
Where:
Country:
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia