Port knocking is a hardening method that helps keep unauthorized users away from a service. It lets a client open, from the outside, ports that the firewall keeps closed by default: the client sends TCP packets to a predefined set of closed ports in the right order, and a daemon sniffing the traffic reacts to the completed sequence by opening the real port for that client. Keep in mind that the sequence is a shared secret sent in the clear, so anyone who can sniff the path can replay it; knocking adds a layer in front of SSH, it does not replace key-based authentication and the other usual SSH hardening. In my virtual environment I have two Linux systems, a Debian 8 server and a CentOS 7 client.
Debian 8 (server):
IP: 192.168.17.139
Services: knockd, ssh
CentOS 7 (client):
IP: 192.168.17.135
Services: ssh
Before configuring knockd on Debian 8, I blocked new SSH connections from everywhere while keeping my current session alive: the first rule accepts packets belonging to already established connections to port 22, the second rejects everything else to port 22. The order matters (the ACCEPT must come before the REJECT), and these rules are not persistent across a reboot unless you save them, for example with the iptables-persistent package.
root@debian:~# iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
root@debian:~# iptables -A INPUT -p tcp --dport 22 -j REJECT
Installing knockd Service
root@debian:~# apt-get install knockd
Configuration of knockd service
First, enable the service by changing START_KNOCKD=0 to START_KNOCKD=1 in the /etc/default/knockd file (Figure-1).
Then define the port sequences to be used, the TCP flags the knock packets must carry, and the command knockd runs when a sequence completes, by editing the /etc/knockd.conf file (Figure-2).
According to the configuration in Figure-2, to open the SSH port we send one TCP SYN packet to each of the ports 7000, 8000 and 9000, in that order, and the whole sequence must complete within 50 seconds (seq_timeout). To close the SSH port we send TCP SYN packets to 9000, 8000 and 7000, in that order, again within 50 seconds. When a sequence completes, knockd runs the configured command with %IP% replaced by the knocking client's source address, which is why the iptables commands in the syslog output below carry the client's IP.
root@debian:~# systemctl enable knockd.service
root@debian:~# systemctl start knockd.service
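The /etc/knockd.conf that the description above and the syslog output imply, as an added example (this is not the author's Figure-2 file, which is not reproduced on the page). The `Interface = eth0` line is an assumption about the server's NIC; the commented `[openSSHtimed]` section is an alternative that uses knockd's `start_command`/`cmd_timeout`/`stop_command` options so a forgotten close knock cannot leave port 22 open, and is meant to be used instead of the `[openSSH]`/`[closeSSH]` pair, not in addition to it.

```shell
#!/bin/bash
# write-knockd-conf.sh (added example): generate the knockd.conf described above.
#   ./write-knockd-conf.sh                    # print the config to stdout
#   ./write-knockd-conf.sh /etc/knockd.conf   # install it (run as root)

knockd_conf_content() {
    cat <<'EOF'
[options]
        UseSyslog
        # Assumed interface (knockd's default is eth0); use the NIC facing the clients.
        Interface = eth0

# SYN to 7000 -> 8000 -> 9000 within 50 seconds: allow the knocker to reach port 22.
# knockd substitutes the knocking client's source address for %IP%.
[openSSH]
        sequence    = 7000,8000,9000
        seq_timeout = 50
        tcpflags    = syn
        command     = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT

# Reverse knock 9000 -> 8000 -> 7000: remove that rule again.
[closeSSH]
        sequence    = 9000,8000,7000
        seq_timeout = 50
        tcpflags    = syn
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT

# Alternative (hardening): one sequence that opens the port and closes it again
# after cmd_timeout seconds. An SSH session established in that window survives
# the -D because of the ESTABLISHED,RELATED rule added earlier.
#[openSSHtimed]
#        sequence      = 7000,8000,9000
#        seq_timeout   = 50
#        tcpflags      = syn
#        start_command = /sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport 22 -j ACCEPT
#        cmd_timeout   = 30
#        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

# Write the config to $1, readable by root only (the knock sequence is a shared
# secret), and report how many sections were written.
knockd_conf_install() {
    local target=$1
    knockd_conf_content > "$target"
    chmod 600 "$target"
    echo "wrote $target ($(grep -c '^\[' "$target") sections)"
}

if [ $# -gt 0 ]; then
    knockd_conf_install "$1"
else
    knockd_conf_content
fi
```

After installing the file, `systemctl restart knockd.service` makes knockd pick it up; knockd logs each completed sequence to syslog, so a quick `grep knockd /var/log/syslog` confirms the daemon is watching the right interface.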
To send a TCP SYN packet to a specific port you can use the nmap network utility; the shell script below does that for both the open and the close sequence. (The knockd package also ships a small `knock` client, e.g. `knock 192.168.17.139 7000 8000 9000`, but nmap is available on almost any host.)
Make sure that nmap is installed on your system. If it is not, you can install it as shown below.
#For Debian System
apt-get install nmap
#For Redhat,Centos System
yum install nmap
```shell
#!/bin/bash
# portKnock.sh - send the knockd sequence with nmap
# Usage: ./portKnock.sh <IP> <open|close>
#   ./portKnock.sh 192.168.17.139 open
#   ./portKnock.sh 192.168.17.139 close
IP=$1
choose=$2
count=$#

# Send exactly one SYN to each port, in the order given.
# -Pn skips nmap's host-discovery probe (a SYN to port 80 that is not part of the sequence),
# --max-retries 0 stops nmap from retransmitting a SYN and repeating a stage.
knock() {
    for port in "$@"
    do
        echo "sending SYN for port $port"
        nmap -v -Pn --max-retries 0 -p "$port" "$IP"
    done
}

if [[ $count -eq 2 ]] ; then
    case $choose in
        open)
            echo "---opening ports for $IP"
            knock 7000 8000 9000
            ;;
        close)
            echo "---closing ports for $IP"
            knock 9000 8000 7000
            ;;
        *)
            echo "Wrong usage... ./portKnock.sh <IP> <open|close>"
            exit 1
            ;;
    esac
else
    echo "Wrong usage... ./portKnock.sh <IP> <open|close>"
    exit 1
fi
```
Syslog
./portKnock.sh 192.168.17.139 open
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 1
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 2
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 3
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: OPEN SESAME
Nov 27 11:52:23 debian knockd: openSSH: running command: /sbin/iptables -I INPUT 1 -s 192.168.17.135 -p tcp --dport 22 -j ACCEPT
./portKnock.sh 192.168.17.139 close
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 1
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 2
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 3
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: OPEN SESAME
Nov 27 11:53:32 debian knockd: closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.17.135 -p tcp --dport 22 -j ACCEPT
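The syslog lines above are also what you would audit on the server to see who has opened SSH and whether the rule was closed again. The following script is an added example, not part of the original post: it parses knockd's "OPEN SESAME" lines and lists source addresses that completed openSSH without a later closeSSH. The sample log embedded in it is constructed from the two knocks above plus an invented third host, 192.168.17.140, that never sent the close sequence.

```shell
#!/bin/bash
# knock-audit.sh (added example): summarise knockd activity from syslog.
#   ./knock-audit.sh /var/log/syslog     # real log
#   ./knock-audit.sh                     # run on the constructed sample below
# knockd's syslog format, as in the output above:
#   Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: OPEN SESAME

# One line per completed sequence: "<timestamp> <source ip> <sequence name>".
knock_events() {
    awk '$5 ~ /^knockd/ && $8 == "OPEN" && $9 == "SESAME" {
        ip = $6;   sub(/:$/, "", ip)
        door = $7; sub(/:$/, "", door)
        print $1, $2, $3, ip, door
    }'
}

# Source addresses that completed openSSH without a later closeSSH, i.e. the
# addresses whose ACCEPT rule for port 22 should still be present in iptables.
still_open() {
    knock_events | awk '
        $5 == "openSSH"  { open[$4] = 1 }
        $5 == "closeSSH" { delete open[$4] }
        END { for (ip in open) print ip }' | sort
}

# Constructed sample: the two knocks from the syslog above plus an invented
# third host (192.168.17.140) that opened SSH and never closed it.
SAMPLE_LOG='Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 1
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 2
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: Stage 3
Nov 27 11:52:23 debian knockd: 192.168.17.135: openSSH: OPEN SESAME
Nov 27 11:52:23 debian knockd: openSSH: running command: /sbin/iptables -I INPUT 1 -s 192.168.17.135 -p tcp --dport 22 -j ACCEPT
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 1
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 2
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: Stage 3
Nov 27 11:53:32 debian knockd: 192.168.17.135: closeSSH: OPEN SESAME
Nov 27 11:53:32 debian knockd: closeSSH: running command: /sbin/iptables -D INPUT -s 192.168.17.135 -p tcp --dport 22 -j ACCEPT
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: Stage 1
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: Stage 2
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: Stage 3
Nov 27 12:10:05 debian knockd: 192.168.17.140: openSSH: OPEN SESAME'

if [ $# -gt 0 ]; then
    knock_events < "$1"
    echo "still open: $(still_open < "$1")"
else
    printf '%s\n' "$SAMPLE_LOG" | knock_events
    echo "still open: $(printf '%s\n' "$SAMPLE_LOG" | still_open)"
fi
```

Comparing the "still open" list with `iptables -L INPUT -n` is a useful check after testing: an address that appears in the list but has no ACCEPT rule (or the other way round) means knockd and the firewall have drifted apart, for example after a manual iptables change or a reboot that dropped the rules.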
For more information about port knocking you can visit http://www.zeroflux.org/projects/knock
Happy Hardening 😀