Debian / Ubuntu: Set Port Knocking With Knockd and Iptables

by on May 1, 2013 · 3 comments · LAST UPDATED May 1, 2013


My iptables based firewall allows only TCP ports 80 and 443. I also need TCP port 22, but I do not have a static IP address at home, so I cannot simply whitelist it. How do I open and close TCP port 22 on demand on a Debian or Ubuntu Linux server? How do I install the port-knock server knockd and configure it with iptables to open TCP port 22 (or any other port)?

Tutorial details
  Difficulty: Advanced
  Root privileges: Yes
  Requirements: knockd + iptables
  Estimated completion time: N/A

Debian and Ubuntu Linux ship knockd, a port-knock server. It listens to all traffic on an Ethernet interface and/or a PPP interface (the kind pppd creates for VPN or dial-up links), looking for special "knock" sequences of port-hits. A knock client produces these port-hits by sending a TCP or UDP packet to a port on the server. The port need not be open: knockd captures at the link layer, so it sees all traffic, including packets destined for a closed port.

When the server detects a configured sequence of port-hits, it runs the command defined for that sequence in its configuration file. This can be used to open holes in a firewall for quick, on-demand access.

Knockd installation

Open a terminal, or log in to the remote server with the ssh client, and run the following apt-get command to install the knockd server (as root, or with sudo as shown):
$ sudo apt-get install knockd
Sample outputs:

[sudo] password for vivek:
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  knockd
0 upgraded, 1 newly installed, 0 to remove and 4 not upgraded.
Need to get 27.6 kB of archives.
After this operation, 168 kB of additional disk space will be used.
Get:1 http://mirrors.kernel.org/debian/ stable/main knockd amd64 0.5-3 [27.6 kB]
Fetched 27.6 kB in 1s (19.5 kB/s)
Selecting previously deselected package knockd.
(Reading database ... 352407 files and directories currently installed.)
Unpacking knockd (from .../knockd_0.5-3_amd64.deb) ...
Processing triggers for man-db ...
Setting up knockd (0.5-3) ...
knockd disabled: not starting. To enable it edit /etc/default/knockd ... (warning).

Configuration

Edit the file /etc/knockd.conf, enter:
$ sudo vi /etc/knockd.conf
Update the config file as follows. The sequence ports 2022, 3022, 4022 are arbitrary; choose your own, preferably ports that nothing on the server listens on, so that ordinary connection attempts never look like part of a knock. Two things to check in the command lines: -A appends the ACCEPT rule to the end of the INPUT chain, so if your chain ends with an explicit -j DROP or -j REJECT rule (rather than relying on the chain's default policy) the appended rule is never reached and you should use -I INPUT to insert it at the top instead; and the [closeSSH] command uses -D to delete exactly the rule that [openSSH] added, so the two commands must match argument for argument. tcpflags = syn means only SYN packets count as knocks, so a plain connection attempt to each port is enough:

 
[options]
        UseSyslog

[openSSH]
        sequence    = 2022,3022,4022
        seq_timeout = 5
        command     = /sbin/iptables -A INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn

[closeSSH]
        sequence    = 4022,3022,2022
        seq_timeout = 5
        command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn
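
The two-stanza layout above relies on the client remembering to send the close sequence; if it never does, the per-host hole stays open indefinitely. The following alternative, written here as an added example and not the configuration from the original post, uses knockd's start_command, cmd_timeout and stop_command options (documented in knockd.conf(5)) so that a single stanza opens the port and closes it again automatically, and inserts the rule with -I so it lands ahead of any final DROP rule. The port numbers and the 15 second window are assumptions; adjust them to your setup.

```ini
[options]
        UseSyslog

# One stanza opens and closes: knockd runs start_command when the sequence
# is seen and runs stop_command cmd_timeout seconds later.
[opencloseSSH]
        sequence      = 2022:tcp,3022:tcp,4022:tcp
        seq_timeout   = 10
        tcpflags      = syn
        # -I puts the rule at the top of INPUT, ahead of any final DROP/REJECT
        # rule; -A would append it after them and it would never match.
        start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
        # Window (seconds) in which the client must connect; then the rule goes.
        cmd_timeout   = 15
        stop_command  = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
```

An ssh session established inside the window keeps working after stop_command runs only if the INPUT chain accepts ESTABLISHED traffic before it drops (for example with a conntrack --ctstate RELATED,ESTABLISHED rule); without such a rule the connection dies when the hole closes. Restart knockd after editing the file.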
 

Save and close the file. Edit the file /etc/default/knockd, enter:
$ sudo vi /etc/default/knockd
Find:

START_KNOCKD=0

Replace with:

START_KNOCKD=1

Optional: set an interface name such as eth0 or ppp0 as per your setup:

KNOCKD_OPTS="-i eth0"

Save and close the file.

How do I start / stop / restart knockd?

Type the following commands:

 
sudo service knockd start    #<-- start the server
sudo service knockd stop     #<-- stop the server
sudo service knockd restart  #<-- restart the server
sudo service knockd status   #<-- show server status

OR

sudo /etc/init.d/knockd start    #<-- start the server
sudo /etc/init.d/knockd stop     #<-- stop the server
sudo /etc/init.d/knockd restart  #<-- restart the server
sudo /etc/init.d/knockd status   #<-- show server status
 

How do I knock port?

You need the knock command, the port-knock client (on Debian and Ubuntu it ships in the same knockd package, so install that on the client as well). To open TCP port 22 for sshd on the server at IP address 203.1.2.3, send the ports in the order configured in [openSSH]:
$ knock -v 203.1.2.3 2022 3022 4022
Sample outputs:

hitting tcp 203.1.2.3:2022
hitting tcp 203.1.2.3:3022
hitting tcp 203.1.2.3:4022

How do I close the port again?

Send the reverse sequence configured in [closeSSH]:
$ knock -v 203.1.2.3 4022 3022 2022

How do I knock with UDP?

knock sends TCP connection attempts (SYN packets) by default; -u sends UDP packets instead. The server must expect the same protocol, for example sequence = 9090:udp in /etc/knockd.conf:
$ knock -v -u 203.1.2.3 9090
You can also mix TCP and UDP per hit, which again must match the server's sequence (here 2022:tcp,9090:udp,4022:tcp):
$ knock server1.cyberciti.biz 2022:tcp 9090:udp 4022:tcp

How do I verify that the port was opened or closed on the server?

Try to log in with the ssh client:
$ ssh user@203.1.2.3
OR
# iptables -L INPUT -v -n
# iptables -L INPUT -v -n | grep :22
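
The grep above answers the question for one host. With separate open and close sequences, a hole stays open until that client sends the close sequence, so over time stale per-host rules accumulate in the INPUT chain. The following script, an added example that is not part of the original post or of knockd, reads rules in iptables -S INPUT format, lists every per-source ACCEPT rule for a given port, and prints the matching iptables -D command that removes it. A constructed sample of iptables -S output is embedded so it runs offline without root.

```sh
#!/bin/sh
# knock_holes.sh - audit the per-host tcp/22 holes that knockd has punched
# into the INPUT chain and print the iptables -D commands that close them.
# Added example, not part of the original post or of knockd itself.
# Rules are read from stdin in "iptables -S INPUT" format, so the script
# can be exercised on captured output without root or a live firewall.

# Constructed sample of `iptables -S INPUT` output: the web-only firewall
# from the question plus two holes that [openSSH] opened and nobody closed.
SAMPLE_RULES='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.7/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.24/32 -p tcp -m tcp --dport 22 -j ACCEPT'

# knock_holes DPORT  (rules on stdin)
# Prints the source of every INPUT rule that ACCEPTs a specific -s address
# to DPORT; rules without -s (the site-wide 80/443 rules) are ignored.
knock_holes() {
    awk -v dport="$1" '
        $1 == "-A" && $2 == "INPUT" {
            src = ""; port = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-s")      src = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (src != "" && port == dport && target == "ACCEPT") print src
        }'
}

# close_commands DPORT  (rules on stdin)
# One "iptables -D" line per hole, in the same form [closeSSH] uses, so the
# delete matches the rule exactly. A /32 suffix is dropped for readability;
# iptables treats "-s a.b.c.d" and "-s a.b.c.d/32" as the same match.
close_commands() {
    dport=$1
    knock_holes "$dport" | while read -r src; do
        printf 'iptables -D INPUT -s %s -p tcp --dport %s -j ACCEPT\n' \
            "${src%/32}" "$dport"
    done
}

# Usage:  sh knock_holes.sh demo                        -> run on the sample above
#         iptables -S INPUT | sh knock_holes.sh live [port]   (as root)
#         iptables -S INPUT | sh knock_holes.sh live | sh     (to close them)
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_RULES" | close_commands "${2:-22}" ;;
    live) close_commands "${2:-22}" ;;
esac
```

Run it from cron and mail yourself the output if it is non-empty, and you have a cheap detector for knock holes that were opened and never closed.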

Please note that port knocking is security by obscurity, not authentication: the knock sequence travels in the clear, and anyone who can observe it on the wire (or guess it) can replay it and open the same hole. Treat it as an extra layer in front of a hardened sshd, never as a substitute, and:

  1. Secure OpenSSH properly using our "OpenSSH Server Best Security Practices" guide.
  2. Consider a stronger scheme such as fwknop, which implements Single Packet Authorization (SPA): the "knock" is a single encrypted and authenticated packet, and the server rejects replays.
References:
  • man pages - knockd, knock, and iptables

3 comments

1 Daniel May 2, 2013 at 12:50 pm

In the [closeSSH] section, shouldn’t that be

command     = /sbin/iptables -D INPUT -s %IP% -p tcp --dport 22 -j DROP

??


2 nixCraft May 2, 2013 at 4:04 pm

The -D switch means delete the rule that was previously defined using [openSSH].

HTH


3 bits4beats May 3, 2013 at 2:09 pm

The command to open should be:

> knock -v 203.1.2.3 2022 3022 4022

the last port is 4022, not 3022 (as correctly executed in the output).
Thanks for this post!

