Port Knocking is a technique to secure services behind a firewall until a specific knock sequence is given. Once that sequence is given, the IP address that initiated the knock may be allowed to access the service for a short period of time. A knocking server listens to all traffic on an Ethernet (or PPP) interface, looking for special "knock" sequences of port-hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server.
This is a bit paranoid, but it adds another layer: an attacker has either to try every port combination or to know the secret combination (the knock) before he can even reach your SSH daemon, for example. Keep in mind that knockd's sequence is static and travels in the clear, so anyone who can sniff your traffic can replay it; port knocking hides the service, it does not replace key-based authentication on it.
First, make sure you have a port knocking client, or you will lock yourself out of your own server for good!
- Cygwin/Win32 Knock Client
- Native Win32 Client
- MacOS Client
- You can find more information and a nice list of other knock clients and servers over at http://www.portknocking.org/
Define the secret knocking sequence
I will take the default sequence of knockd as an example:
- 2222:udp
- 3333:tcp
- 4444:udp
- .. but you can add more ports and need not follow any pattern like the one above. Mixing TCP and UDP hits and using ports in no particular order makes the sequence harder to guess, and harder to stumble upon with a port scan.
Install a Knocking server on OpenSuSE
As root of course, search for the package and install it:
# zypper se knockd
# zypper in knockd
Change the configuration file
# vi /etc/knockd.conf
Below is the relevant content. knockd expects the sequence settings inside a named section (called [openSSH] here); the [options] section sets the log file that we will watch further down:
[options]
logfile = /var/log/knockd.log

[openSSH]
sequence = 2222:udp,3333:tcp,4444:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport ssh -j ACCEPT
cmd_timeout = 10
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT
Which is quite readable:
- sequence is the secret knock: the ports, in order, each with the protocol of the hit
- seq_timeout: an incomplete or wrong knock is forgotten after 15 seconds, and the client has to start over from the first port
- tcpflags: only TCP packets carrying these flags count as a hit. If the log shows the UDP hits but the 3333:tcp stage never matches, the plain SYN your client sends is not passing this filter, and tcpflags = syn is what you want
- A successful knock opens the firewall for 10 seconds (cmd_timeout): start_command inserts an iptables rule at the top of INPUT that lets the knocking source %IP% reach port 22 (ssh), plenty of time for you to connect, while
- stop_command removes that rule again once cmd_timeout has passed. Make sure your INPUT chain already accepts ESTABLISHED,RELATED traffic ahead of its DROP rules, otherwise your freshly opened SSH session is cut off the moment the rule is deleted.
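To make these timeouts concrete, here is a small Python model of what knockd does with the door above: it tracks, per source address, how far into the sequence that address has got, discards the attempt when a wrong knock port is hit or seq_timeout passes, and on a complete knock returns the start_command with %IP% filled in plus the time at which stop_command would run. This is an added example, not knockd's own code; the source addresses and timestamps are constructed, and it only models the sequence logic (no packet capture, no tcpflags handling, and hits on ports outside the sequence are ignored, as knockd's capture filter does).

```python
from typing import Dict, List, Tuple

# Constructed example door: the settings from the knockd.conf fragment above.
DOOR = {
    "sequence": "2222:udp,3333:tcp,4444:udp",
    "seq_timeout": 15,
    "start_command": "/usr/sbin/iptables -I INPUT 1 -s %IP% -p tcp --dport ssh -j ACCEPT",
    "cmd_timeout": 10,
    "stop_command": "/usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport ssh -j ACCEPT",
}

Hit = Tuple[int, str]          # (port, "tcp" | "udp")
Event = Tuple[float, str]      # (time in seconds, shell command to run)


def parse_sequence(spec: str) -> List[Hit]:
    """'2222:udp,3333:tcp,4444:udp' -> [(2222, 'udp'), (3333, 'tcp'), (4444, 'udp')].
    A bare port means tcp, as in knockd.conf."""
    seq = []
    for item in spec.split(","):
        port, _, proto = item.strip().partition(":")
        seq.append((int(port), proto or "tcp"))
    return seq


class Door:
    """Simplified model of one knockd door (sequence logic only)."""

    def __init__(self, conf: Dict):
        self.seq = parse_sequence(conf["sequence"])
        self.seq_timeout = conf["seq_timeout"]
        self.cmd_timeout = conf["cmd_timeout"]
        self.start_command = conf["start_command"]
        self.stop_command = conf["stop_command"]
        # source ip -> (hits matched so far, time of the first hit of that attempt)
        self.attempts: Dict[str, Tuple[int, float]] = {}

    def hit(self, ts: float, ip: str, port: int, proto: str) -> List[Event]:
        """Feed one port-hit. Returns the commands it triggers: nothing, or the
        start_command now and the stop_command cmd_timeout seconds later."""
        if (port, proto) not in self.seq:
            return []                    # not a knock port: the capture filter never sees it
        stage, started = self.attempts.get(ip, (0, ts))
        if stage and ts - started > self.seq_timeout:
            stage, started = 0, ts       # took longer than seq_timeout: start over
        if (port, proto) != self.seq[stage]:
            # wrong port for this stage: the attempt is thrown away; the hit can
            # at most be the first knock of a fresh attempt
            stage, started = 0, ts
            if (port, proto) != self.seq[0]:
                self.attempts.pop(ip, None)
                return []
        stage += 1
        if stage < len(self.seq):
            self.attempts[ip] = (stage, started)
            return []
        self.attempts.pop(ip, None)      # complete knock: open now, close cmd_timeout later
        return [(ts, self.start_command.replace("%IP%", ip)),
                (ts + self.cmd_timeout, self.stop_command.replace("%IP%", ip))]


def replay(hits: List[Tuple[float, str, int, str]], conf: Dict = DOOR) -> List[Event]:
    """Run (ts, source ip, port, proto) hits through a fresh door; return what fired."""
    door = Door(conf)
    fired: List[Event] = []
    for h in hits:
        fired.extend(door.hit(*h))
    return fired


# Constructed traffic (documentation addresses, times in seconds):
GOOD_KNOCK = [(0.0, "203.0.113.7", 2222, "udp"),
              (0.5, "203.0.113.7", 3333, "tcp"),
              (1.0, "203.0.113.7", 4444, "udp")]
# the right ports, but too slow: the third hit lands after seq_timeout
SLOW_KNOCK = [(0.0, "203.0.113.7", 2222, "udp"),
              (10.0, "203.0.113.7", 3333, "tcp"),
              (16.0, "203.0.113.7", 4444, "udp")]
# a scanner sweeping the same ports, all over TCP and in numeric order
PORT_SCAN = [(0.0, "198.51.100.9", 2222, "tcp"),
             (0.1, "198.51.100.9", 3333, "tcp"),
             (0.2, "198.51.100.9", 4444, "tcp")]
# a mistyped second hit, then the correct knock again from the start
RETRY = [(0.0, "203.0.113.7", 2222, "udp"), (0.5, "203.0.113.7", 4444, "udp"),
         (2.0, "203.0.113.7", 2222, "udp"), (2.5, "203.0.113.7", 3333, "tcp"),
         (3.0, "203.0.113.7", 4444, "udp")]

if __name__ == "__main__":
    for name, hits in [("good", GOOD_KNOCK), ("slow", SLOW_KNOCK),
                       ("scan", PORT_SCAN), ("retry", RETRY)]:
        print(name, replay(hits))
```

Only GOOD_KNOCK and RETRY produce anything: the start command at the time of the last hit and the stop command ten seconds later. The scan never completes a sequence because the scanner's first hits are on the wrong protocol, and the slow knock is reset by seq_timeout before its last hit, which is exactly why a brute-force attempt has to get timing as well as ports right.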
Starting the daemon
Check first that there is no conflicting ssh rule already in place
# iptables -L | grep ssh
Start the server
# rcknockd start
and monitor the log file
# tail -f /var/log/knockd.log
You can now install a knock client..
Install a knocking client under windows
I'll use the command line client; put the following in a .bat (or .sh) file, replacing myserverIP with the address of your server:
knock.exe -v myserverIP 2222:udp 3333:tcp 4444:udp
then run it once. You now have 10 seconds to open an SSH session with either PuTTY
PuTTY is an SSH and Telnet client, originally developed by Simon Tatham for the Windows platform. PuTTY is open source software, available with source code, and is developed and supported by a group of volunteers.
You can download PuTTY here.
or Cygwin ssh.
Cygwin is a Linux-like environment for Windows. It consists of two parts:
- A DLL (cygwin1.dll) which acts as a Linux API emulation layer providing substantial Linux API functionality.
- A collection of tools which provide Linux look and feel.
And under the iPhone?
Luckily there is a FREE application for that: iPhone Knock Client
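If there is no ready-made client for your platform, the knock is easy to send yourself: an empty UDP datagram for the udp hits and a TCP connect (whose SYN is all the server needs to see) for the tcp hits. The script below is an added example, not one of the clients listed above. It takes the same arguments as knock.exe (the host, then port:proto items), waits briefly between hits so they arrive in order, and dry_run() returns the hits that would be sent without opening a socket, which is handy for checking a sequence before you lock yourself out.

```python
import socket
import sys
import time
from typing import Callable, List, Tuple

Hit = Tuple[int, str]   # (port, "tcp" | "udp")


def parse_sequence(items: List[str]) -> List[Hit]:
    """['2222:udp', '3333:tcp', '4444'] -> [(2222, 'udp'), (3333, 'tcp'), (4444, 'tcp')].
    A bare port means tcp, the same convention as knockd.conf and knock.exe."""
    seq = []
    for item in items:
        port, _, proto = item.partition(":")
        proto = proto.lower() or "tcp"
        if not port.isdigit() or not 0 < int(port) < 65536 or proto not in ("tcp", "udp"):
            raise ValueError(f"bad knock {item!r}, expected port[:tcp|udp]")
        seq.append((int(port), proto))
    return seq


def send_hit(host: str, port: int, proto: str, timeout: float = 1.0) -> None:
    """One port-hit. UDP: a single empty datagram. TCP: connect(), which puts the
    SYN on the wire immediately; the port is firewalled, so the connect normally
    times out or is refused, and either outcome is fine for the knock."""
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(b"", (host, port))
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass


def knock(host: str, items: List[str],
          sender: Callable[[str, int, str], None] = send_hit,
          delay: float = 0.2) -> List[Hit]:
    """Send the whole sequence to host, one hit after the other, and return it.
    delay keeps the hits ordered; the total must stay well under seq_timeout."""
    seq = parse_sequence(items)
    for port, proto in seq:
        sender(host, port, proto)
        time.sleep(delay)
    return seq


def dry_run(host: str, items: List[str]) -> List[Tuple[str, int, str]]:
    """What knock() would send, recorded instead of transmitted (no network)."""
    sent: List[Tuple[str, int, str]] = []
    knock(host, items, sender=lambda h, p, pr: sent.append((h, p, pr)), delay=0)
    return sent


if __name__ == "__main__":
    # usage: python knock.py myserverIP 2222:udp 3333:tcp 4444:udp
    if len(sys.argv) < 3:
        sys.exit("usage: knock.py host port[:tcp|udp] ...")
    seq = knock(sys.argv[1], sys.argv[2:])
    print(f"knocked {sys.argv[1]} on {seq}; connect before cmd_timeout expires")
```

Run it the same way as the .bat file above and open your SSH session within cmd_timeout. The sender parameter exists so the sequence logic can be exercised without a server, which is what dry_run() does; swap in your own sender if you want, say, a raw-socket SYN instead of a full connect().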