Security using Knock

Knock is a great tool for helping to secure your machines. Knock works by listening on your network interfaces for specific sequences of port hits. When a special sequence is seen it executes a command. The following example shows how to configure knock to open up the ssh port on demand. This lets you close the ssh port to everybody, stopping brute-force ssh attacks and attacks that might otherwise succeed because of security flaws.

We’ll configure knock first and test it before setting up the firewall to close the ssh port. I accept no responsibility if you accidentally lock yourself out of your machine.

We’ll first emerge the knock and iptables packages.

> emerge net-misc/knock net-firewall/iptables

We then need to tell knock which interface to listen on; in this example we'll be listening on the venet0 interface.

> nano -w /etc/conf.d/knock
OPTS="-d -i venet0"

Now we need to set up the sequence that knock should listen for. In the example below knock will listen for knocks on ports 1221, 1232 and 4232 (in that order). I recommend changing this sequence and noting it down.

> nano -w /etc/knockd.conf
[options]
UseSyslog
[opencloseSSH]
sequence      = 1221:tcp,1232:tcp,4232:tcp
seq_timeout   = 15
tcpflags      = syn
start_command = /sbin/iptables -I INPUT -i venet0 -s %IP% --protocol tcp --dport ssh -j ACCEPT
cmd_timeout   = 60
stop_command  = /sbin/iptables -D INPUT -i venet0 -s %IP% --protocol tcp --dport ssh -j ACCEPT

There are many ways to configure knock. In the example above knock listens for our sequence and, when it sees it, opens the ssh port to the knocking IP (the %IP% in the commands) for 60 seconds and then closes it again.
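To make the sequence, seq_timeout and cmd_timeout settings concrete, here is a small simulation of the matching knockd performs for the [opencloseSSH] section above. It is an added example, not knockd's own code: it assumes only SYN packets are fed in (tcpflags = syn) and that a knock to a wrong port discards that address's partial sequence, which is a simplification of knockd's real matching. The addresses and traffic are constructed.

```python
# Added example (not knockd's code): a model of how the [opencloseSSH] section
# above behaves, built from the settings in the config.
# Assumptions: only TCP SYN packets are fed in (tcpflags = syn), and a knock
# to the wrong port discards the partial sequence for that source address.
from dataclasses import dataclass, field

SEQUENCE = [1221, 1232, 4232]  # sequence from the knockd.conf above
SEQ_TIMEOUT = 15               # seq_timeout: seconds allowed to finish the sequence
CMD_TIMEOUT = 60               # cmd_timeout: seconds until stop_command runs


@dataclass
class KnockSimulator:
    sequence: list
    seq_timeout: int
    cmd_timeout: int
    # per-source state: ip -> (index of the next expected port, time of stage 1)
    attempts: dict = field(default_factory=dict)
    # ip -> time at which stop_command removes the ACCEPT rule again
    open_until: dict = field(default_factory=dict)
    # syslog-style trail, shaped like the knockd log lines further down
    log: list = field(default_factory=list)

    def syn(self, t, ip, port):
        """Feed one SYN seen at time t. Returns 'stage', 'open' or 'reset'."""
        idx, started = self.attempts.get(ip, (0, t))
        if idx > 0 and t - started > self.seq_timeout:
            # too slow: the partial sequence is forgotten (seq_timeout)
            self.log.append(f"{ip}: opencloseSSH: sequence timeout")
            idx, started = 0, t
        if port != self.sequence[idx]:
            # wrong port: drop the attempt (assumption); a hit on the first
            # port of the sequence starts a fresh attempt instead
            self.attempts.pop(ip, None)
            if idx > 0 and port == self.sequence[0]:
                return self.syn(t, ip, port)
            return "reset"
        idx += 1
        self.log.append(f"{ip}: opencloseSSH: Stage {idx}")
        if idx < len(self.sequence):
            self.attempts[ip] = (idx, started)
            return "stage"
        # full sequence within the timeout: start_command runs for this ip only
        self.attempts.pop(ip, None)
        self.open_until[ip] = t + self.cmd_timeout
        self.log.append(f"{ip}: opencloseSSH: OPEN SESAME")
        self.log.append("opencloseSSH: running command: /sbin/iptables -I INPUT "
                        f"-i venet0 -s {ip} --protocol tcp --dport ssh -j ACCEPT")
        return "open"

    def ssh_open_for(self, t, ip):
        """True while the ACCEPT rule inserted by start_command is still present."""
        until = self.open_until.get(ip)
        if until is None:
            return False
        if t >= until:
            # cmd_timeout elapsed: stop_command has deleted the rule
            del self.open_until[ip]
            self.log.append(f"{ip}: opencloseSSH: running stop_command (-D INPUT ...)")
            return False
        return True


def simulate(packets, sim=None):
    """Run (t, ip, port) tuples through a simulator and return its log."""
    sim = sim or KnockSimulator(SEQUENCE, SEQ_TIMEOUT, CMD_TIMEOUT)
    for t, ip, port in packets:
        sim.syn(t, ip, port)
    return sim.log


if __name__ == "__main__":
    # constructed traffic: a correct knock, then a host probing the ports out of order
    trace = [(0, "198.51.100.7", 1221), (0, "198.51.100.7", 1232), (1, "198.51.100.7", 4232),
             (5, "203.0.113.9", 4232), (5, "203.0.113.9", 1232), (6, "203.0.113.9", 1221)]
    for line in simulate(trace):
        print(line)
```

Two things the model makes visible: the ACCEPT rule is specific to the address that knocked, so other hosts stay blocked, and the rule disappears after cmd_timeout. Because the firewall script further down only drops NEW and INVALID packets, an ssh session established inside the 60-second window keeps working after stop_command removes the rule; and because knockd captures the SYNs with libpcap straight from the interface, the knocks are still seen once the firewall drops new connections to those ports.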

Now we can start knock and add it to our startup.

> rc-update add knock default
> /etc/init.d/knock start

To test that knock is working, use the knock client to send the sequence while watching the logs.

> knock yourmachinesip -v 1221:tcp 1232:tcp 4232:tcp

yourmachinesip should be the IP address in use on the interface you configured above.

> tail -f /var/log/everything/current
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: Stage 1
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: Stage 2
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: Stage 3
May 19 10:05:23 [knockd] 123.345.567.678: opencloseSSH: OPEN SESAME
May 19 10:05:23 [knockd] opencloseSSH: running command: /sbin/iptables -I INPUT -i venet0 -s 123.345.567.678 --protocol tcp --dport ssh -j ACCEPT
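Since UseSyslog records every stage of every attempt, the same log is useful for spotting hosts that probe the sequence without ever completing it. The following is an added example, not part of the original post: it parses lines in the format shown above (a constructed sample, with addresses from the documentation ranges) and lists sources that reached Stage 1 but never OPEN SESAME.

```python
# Added example (not part of the original post): a small detector for knockd
# syslog lines in the format shown above. SAMPLE_LOG is constructed; the
# addresses are from the RFC 5737 documentation ranges.
import re
from collections import defaultdict

KNOCK_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \[knockd\] "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<door>\w+): (?P<msg>.*)$"
)

SAMPLE_LOG = """\
May 19 10:05:23 [knockd] 198.51.100.7: opencloseSSH: Stage 1
May 19 10:05:23 [knockd] 198.51.100.7: opencloseSSH: Stage 2
May 19 10:05:23 [knockd] 198.51.100.7: opencloseSSH: Stage 3
May 19 10:05:23 [knockd] 198.51.100.7: opencloseSSH: OPEN SESAME
May 19 10:05:23 [knockd] opencloseSSH: running command: /sbin/iptables -I INPUT -i venet0 -s 198.51.100.7 --protocol tcp --dport ssh -j ACCEPT
May 19 10:06:41 [knockd] 203.0.113.9: opencloseSSH: Stage 1
May 19 10:06:59 [knockd] 203.0.113.9: opencloseSSH: Stage 1
May 19 10:07:02 [knockd] 203.0.113.9: opencloseSSH: Stage 2
May 19 10:09:10 [knockd] 203.0.113.44: opencloseSSH: Stage 1
"""


def parse_knock_log(text):
    """Yield (timestamp, ip, door, message) for lines that carry a source address."""
    for line in text.splitlines():
        m = KNOCK_LINE.match(line)
        if m:  # 'running command' lines have no address and are skipped
            yield m.group("ts"), m.group("ip"), m.group("door"), m.group("msg")


def summarize(text):
    """Per source address: stage-1 hits (attempts), deepest stage reached, opens."""
    stats = defaultdict(lambda: {"attempts": 0, "deepest": 0, "opens": 0})
    for _, ip, _, msg in parse_knock_log(text):
        s = stats[ip]
        if msg.startswith("Stage "):
            stage = int(msg.split()[1])
            if stage == 1:
                s["attempts"] += 1
            s["deepest"] = max(s["deepest"], stage)
        elif msg == "OPEN SESAME":
            s["opens"] += 1
    return dict(stats)


def incomplete_knockers(text, min_attempts=1):
    """Addresses that began the sequence at least min_attempts times and never opened it."""
    return sorted(ip for ip, s in summarize(text).items()
                  if s["opens"] == 0 and s["attempts"] >= min_attempts)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(f"{ip:16} attempts={s['attempts']} deepest=Stage {s['deepest']} opens={s['opens']}")
    print("never completed:", incomplete_knockers(SAMPLE_LOG))
```

Run it against the real log with `summarize(open("/var/log/everything/current").read())`; a source with several attempts and a shallow deepest stage is a candidate for the banned_ips file used by the firewall script below.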

Once you are happy that knock is configured correctly you can close the ssh port.
I have a little script that I use to configure the firewall; it leaves open the ports that I need and closes everything else, including the ssh port.

> nano -w fw_rules
#!/bin/bash
IPTABLES='/sbin/iptables'
FW_BANNED_IPS=banned_ips
# External Interfaces
# vnet0 vnet0:1
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

# Ban the IPs listed in the file $FW_BANNED_IPS
echo -e "Banning IPs in $FW_BANNED_IPS..."
if [ -f $FW_BANNED_IPS ];
then
    for ip in $(<$FW_BANNED_IPS);
    do
        # $IPTABLES -A INPUT -s $ip -j LOG --log-prefix "Blocking IP:"
        $IPTABLES -A INPUT -s $ip -j DROP
    done
fi

for extif in 'venet+'
do
    echo -e "Configuring $extif ..."
    # ALLOW INCOMING SMTP, POP3, IMAP
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport smtp -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport pop3 -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport pop3s -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport imap -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport imaps -j ACCEPT
    # ALLOW INCOMING HTTP, HTTPS
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport http -j ACCEPT
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport https -j ACCEPT
    # ALLOW INCOMING DNS
    $IPTABLES -A INPUT -i $extif --protocol udp --dport domain -j ACCEPT
    # ALLOW SMTP ON PORT 2525
    $IPTABLES -A INPUT -i $extif --protocol tcp --dport 2525 -j ACCEPT
    # BLOCK EVERYTHING ELSE (new and invalid connections only, so established
    # sessions, including an ssh session opened during a knock, keep working)
    $IPTABLES -A INPUT -i $extif -m state --state NEW,INVALID -j DROP
done

Correct the file permissions and run the script.

> chmod u+x fw_rules
> ./fw_rules

I prefer to manually save my firewall settings.

> nano -w /etc/conf.d/iptables
SAVE_ON_STOP="no"

Now we’ll save our firewall configuration and start iptables to make it persistent.

> /etc/init.d/iptables save
> /etc/init.d/iptables start
> rc-update add iptables default

If all went well you have configured your machine to open the ssh port only when you knock.
