Port Knocking

Port knocking is a hardening method that prevents unauthorized users from accessing services. It gives you the ability to externally open ports that are, by default, kept closed by the firewall. It works by sending TCP packets to predefined closed ports in the right order. In my virtual environment, I have two Linux-based systems: one is Debian8 and the other is Centos7.

Debian8 (server):

IP: 192.168.17.139

Services: knockd, ssh

Centos7 (client):

IP: 192.168.17.135

Services: ssh

I closed the SSH port to access from anywhere except my current connection, so that I could configure the knockd service on Debian8.

root@debian:~# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@debian:~# iptables -A INPUT -p tcp --dport 22 -j REJECT

Installing the knockd service:

root@debian:~# apt-get install knockd

Configuration of the knockd service:

First we need to activate the knockd service by changing the parameter START_KNOCKD=0 to START_KNOCKD=1 in the /etc/default/knockd file. (Figure-1)

Figure-1 (screenshot of /etc/default/knockd showing START_KNOCKD=1)

After that, we configure the sequence of ports to be used and which TCP packet must be sent before the SSH port is opened, by editing the /etc/knockd.conf file. (Figure-2)

Figure-2 (screenshot of /etc/knockd.conf)

According to the configuration in Figure-2, to open the SSH port we have to send a TCP SYN packet to each of the ports 7000, 8000, 9000, in that order, all within 50 seconds. To close the SSH port, we have to send a TCP SYN packet to each of the ports 9000, 8000, 7000, in that order, again within 50 seconds.
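Since Figure-2 is a screenshot, here is an /etc/knockd.conf that implements what the paragraph above describes. This is an added example, reconstructed from the sequences, the 50-second timeout and the iptables commands that knockd logs to syslog later in this post, not the original screenshot; the [options] block (UseSyslog, interface = eth0) is an assumption and must match the interface the knocks arrive on.

```ini
[options]
	# assumption: log to syslog, which is where the "OPEN SESAME" lines come from
	UseSyslog
	# assumption: the interface knockd sniffs for knocks
	interface = eth0

[openSSH]
	# three SYN packets to 7000, 8000, 9000 within 50 seconds
	sequence    = 7000,8000,9000
	seq_timeout = 50
	tcpflags    = syn
	# %IP% is replaced by the knocking client's address; -I INPUT 1 puts the
	# ACCEPT ahead of the REJECT rule added earlier
	command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT

[closeSSH]
	# same ports in reverse order remove that client's ACCEPT rule again
	sequence    = 9000,8000,7000
	seq_timeout = 50
	tcpflags    = syn
	command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

Note that the ACCEPT rule inserted by openSSH stays in place until the same client sends the closeSSH sequence or an administrator deletes it, so a client that only ever knocks "open" leaves port 22 reachable from its address.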

Enabling the knockd service (so it also starts after reboot):

root@debian:~# systemctl enable knockd.service

Starting the knockd service:

root@debian:~# systemctl start knockd.service

To send a TCP SYN packet to specific ports you can use the nmap network utility. Below you can find a shell script that does this.

Make sure that nmap is installed on your system. If it is not, you can install it as shown below.

#For Debian System
apt-get install nmap
#For Redhat,Centos System
yum install nmap

Usage:

./portKnocking.sh <IP> <open|close>

./portKnocking.sh 192.168.17.139 open

./portKnocking.sh 192.168.17.139 close

#!/bin/bash
# Usage: ./portKnocking.sh <IP> <open|close>
IP=$1
choose=$2
count=$#

if [[ $count -eq 2 ]] ; then
	case $choose in
	open)
		echo "---opening ports for $IP"
		# knock sequence configured in /etc/knockd.conf: 7000, 8000, 9000 within 50 seconds
		for port in 7000 8000 9000
		do
			echo "sending SYN for port $port"
			nmap -v -PS --disable-arp-ping -p $port $IP
		done
		;;
	close)
		echo "---closing ports for $IP"
		# the reverse sequence removes the ACCEPT rule again
		for port in 9000 8000 7000
		do
			echo "sending SYN for port $port"
			nmap -v -PS --disable-arp-ping -p $port $IP
		done
		;;
	*)
		echo "Wrong usage... ./portKnocking.sh <IP> <open|close>"
		;;
	esac
else
	echo "Wrong usage... ./portKnocking.sh <IP> <open|close>"
fi

Syslog on the server after running the script from the client:

./portKnocking.sh 192.168.17.139 open

Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 1
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 2
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 3
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: OPEN SESAME
Nov 27 11:52:23 debian knockd: openSSH: running command: /sbin/iptables -I INPUT 1 -s 192.168.17.135 -p tcp --dport 22 -j ACCEPT

./portKnocking.sh 192.168.17.139 close

Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 1
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 2
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 3
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: OPEN SESAME
Nov 27 11:53:32 debian knockd: closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.17.135  -p tcp --dport 22 -j ACCEPT

For more information about port knocking you can visit http://www.zeroflux.org/projects/knock.

Happy Hardening.