Knock is a great tool for helping to secure your machines. Knock works by listening on your network interfaces for a specific sequence of port hits. When that sequence is seen it executes a command. The following example shows how to configure knock to open up the ssh port on demand. This lets you close the ssh port to everybody, stopping ssh brute-force attacks and attacks that might otherwise succeed because of security flaws in the ssh service.
We’ll configure knock first and test it before setting up the firewall to close the ssh port. I accept no responsibility if you accidentally lock yourself out of your machine.
We’ll first emerge the knock and iptables packages.
We then need to tell knock which interface to listen on; in this example we'll be listening on the venet0 interface.
Now we need to set up the sequence that knock should listen for. In the example below knock waits for knocks on ports 1221, 1232 and 4232 (in that order). I recommend changing this sequence and noting it down.
```ini
[options]
    # log to syslog so the knocks show up in the system log
    UseSyslog

[opencloseSSH]
    # three TCP SYNs to these ports, in this order, within 15 seconds
    sequence    = 1221:tcp,1232:tcp,4232:tcp
    seq_timeout = 15
    tcpflags    = syn
    # open ssh for the knocking IP only (%IP% is filled in by knockd) ...
    start_command = /sbin/iptables -I INPUT -i venet0 -s %IP% --protocol tcp --dport ssh -j ACCEPT
    # ... and remove that rule again 60 seconds later
    cmd_timeout   = 60
    stop_command  = /sbin/iptables -D INPUT -i venet0 -s %IP% --protocol tcp --dport ssh -j ACCEPT
```
There are many ways to configure knock. In the example above knock listens for our sequence and, when it sees it, opens the ssh port for the knocking IP for 60 seconds and then closes it again. Note that the stop_command only removes the ACCEPT rule: an ssh session you established during those 60 seconds keeps working, because the firewall rule below drops only NEW and INVALID packets, not traffic belonging to an existing connection.
Now we can start knock and add it to our startup.
> /etc/init.d/knock start
> rc-update add knock default
To test that knock is working, use the knock client to send the sequence while watching the logs. yourmachinesip should be the IP address used by the interface you configured above.
> knock yourmachinesip 1221 1232 4232
```text
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: Stage 1
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: Stage 2
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: Stage 3
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: OPEN SESAME
May 19 10:05:23 [knockd] opencloseSSH: running command: /sbin/iptables -I INPUT -i venet0 -s 123.345.567.678 --protocol tcp --dport ssh -j ACCEPT
```
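As an added example that is not part of the original post, here is a small shell script that summarises knockd log lines in the format shown above per source IP: completed sequences (OPEN SESAME) versus sequences that stopped or restarted before completion, which is what repeated probing of the knock ports looks like in the log. The log text is constructed and the IPs are documentation addresses.

```bash
#!/bin/sh
# Added example (not from the original post): summarise knockd log lines per source IP.
# Constructed sample log in the format knockd writes via UseSyslog; IPs are made up.
SAMPLE_LOG='May 19 10:05:23 [knockd] 203.0.113.10: opencloseSSH: Stage 1
May 19 10:05:23 [knockd] 203.0.113.10: opencloseSSH: Stage 2
May 19 10:05:23 [knockd] 203.0.113.10: opencloseSSH: Stage 3
May 19 10:05:23 [knockd] 203.0.113.10: opencloseSSH: OPEN SESAME
May 19 10:05:23 [knockd] opencloseSSH: running command: /sbin/iptables -I INPUT -i venet0 -s 203.0.113.10 --protocol tcp --dport ssh -j ACCEPT
May 19 10:07:01 [knockd] 198.51.100.7: opencloseSSH: Stage 1
May 19 10:07:02 [knockd] 198.51.100.7: opencloseSSH: Stage 2
May 19 10:07:40 [knockd] 198.51.100.7: opencloseSSH: Stage 1'

# knock_summary LOGTEXT
# Prints one line per IP: "<ip> opens=<completed sequences> partial=<incomplete sequences>".
# A sequence counts as incomplete when a new Stage 1 arrives before OPEN SESAME, or when
# the log ends with that IP still mid-sequence.
knock_summary() {
  printf '%s\n' "$1" | awk '
    # only lines with a source IP right after [knockd]; "running command" lines have none
    /\[knockd\] [0-9.]+: / {
      ip = $5; sub(/:$/, "", ip)
      if ($0 ~ /OPEN SESAME$/)       { opens[ip]++; stage[ip] = 0 }
      else if ($0 ~ /Stage 1$/)      { if (stage[ip] > 0) partial[ip]++; stage[ip] = 1 }
      else if ($0 ~ /Stage [0-9]+$/) { stage[ip]++ }
    }
    END {
      for (ip in stage) if (stage[ip] > 0) partial[ip]++
      for (ip in stage) printf "%s opens=%d partial=%d\n", ip, opens[ip] + 0, partial[ip] + 0
    }' | sort
}

# knock_suspects LOGTEXT THRESHOLD
# IPs that never completed the sequence but started it at least THRESHOLD times.
knock_suspects() {
  knock_summary "$1" | awk -v t="$2" '
    { split($2, o, "="); split($3, p, "="); if (o[2] == 0 && p[2] >= t) print $1 }'
}

knock_summary "$SAMPLE_LOG"
echo "Suspects (at least 2 incomplete sequences, never opened):"
knock_suspects "$SAMPLE_LOG" 2
```

On a real machine, feed it the knockd lines from your syslog instead of SAMPLE_LOG, e.g. `knock_summary "$(grep knockd /var/log/messages)"`.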
Once you are happy that knock is configured correctly you can close the ssh port.
I have a little script that I use to configure the firewall, it leaves open the ports that I need and closes everything else including the ssh port.
```bash
#!/bin/bash
IPTABLES='/sbin/iptables'
FW_BANNED_IPS=banned_ips

# External Interfaces
# vnet0 vnet0:1

# Flush all rules and delete user-defined chains in every table
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Ban the IPs listed in the file $FW_BANNED_IPS
echo -e "Banning IPs in $FW_BANNED_IPS..."
if [ -f $FW_BANNED_IPS ];
then
    for ip in $(<$FW_BANNED_IPS);
    do
        # $IPTABLES -A INPUT -s $ip -j LOG --log-prefix "Blocking IP:"
        $IPTABLES -A INPUT -s $ip -j DROP
    done
fi

for extif in 'venet+'
do
    echo -e "Configuring $extif ..."
    # ALLOW INCOMING SMTP, POP3, IMAP
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport smtp -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport pop3 -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport pop3s -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport imap -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport imaps -j ACCEPT
    # ALLOW INCOMING HTTP, HTTPS
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport http -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport https -j ACCEPT
    # ALLOW INCOMING DNS
    $IPTABLES -A INPUT -i $extif --protocol udp --dport domain -j ACCEPT
    # ALLOW SMTP ON PORT 2525
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport 2525 -j ACCEPT
    # BLOCK EVERYTHING ELSE (new or invalid connections; established traffic is not matched,
    # and knock's -I rule is inserted above this one so knocked-open ssh still gets through)
    $IPTABLES -A INPUT -i $extif -m state --state NEW,INVALID -j DROP
done
```
Correct the file permissions and run the script.
> ./fw_rules
I prefer to manually save my firewall settings.
Now we'll save our firewall configuration and add iptables to the default runlevel so the rules are restored at boot.
> /etc/init.d/iptables save
> /etc/init.d/iptables start
> rc-update add iptables default
If all went well you have configured your machine to open the ssh port only when you knock.